Bug 267494

Summary:	[JSC] Throw RangeError if Set methods are called on an object with negative "size" property
Product:	WebKit	Reporter:	zloirock <zloirock>
Component:	JavaScriptCore	Assignee:	Alexey Shvayka <ashvayka>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	ashvayka, keith_miller, mark.lam, webkit-bug-importer, ysuzuki
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	All
OS:	All
See Also:	https://bugs.webkit.org/show_bug.cgi?id=251510
Bug Depends on:
Bug Blocks:	268026

zloirock

Reported 2024-01-13 03:34:06 PST

new Set([1, 2, 3]).difference({ size: -1, has() { return false; }, keys() { return { next() { return { done: true }; } }; }, }); should be a RangeError, GetSetRecord step 7.

Attachments
Add attachment proposed patch, testcase, etc.

zloirock

Comment 1 2024-01-13 03:49:56 PST

Similar V8 issue https://bugs.chromium.org/p/v8/issues/detail?id=14559

Radar WebKit Bug Importer

Comment 2 2024-01-20 03:35:13 PST

<rdar://problem/121310940>

Alexey Shvayka

Comment 3 2024-02-01 14:08:57 PST

Pull request: https://github.com/WebKit/WebKit/pull/23689

EWS

Comment 4 2024-02-02 12:53:13 PST

Committed 274009@main (eeda72823e71): <https://commits.webkit.org/274009@main> Reviewed commits have been landed. Closing PR #23689 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.