Bug 267494

Summary: [JSC] Throw RangeError if Set methods are called on an object with negative "size" property
Product: WebKit Reporter: zloirock <zloirock>
Component: JavaScriptCore Assignee: Alexey Shvayka <ashvayka>
Status: RESOLVED FIXED    
Severity: Normal CC: ashvayka, keith_miller, mark.lam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=251510
Bug Depends on:    
Bug Blocks: 268026    

Description zloirock 2024-01-13 03:34:06 PST
new Set([1, 2, 3]).difference({
  size: -1,
  has() {
    return false;
  },
  keys() {
    return { next() { return { done: true }; } };
  },
});

should be a RangeError, GetSetRecord step 7.
Comment 1 zloirock 2024-01-13 03:49:56 PST
Similar V8 issue https://bugs.chromium.org/p/v8/issues/detail?id=14559
Comment 2 Radar WebKit Bug Importer 2024-01-20 03:35:13 PST
<rdar://problem/121310940>
Comment 3 Alexey Shvayka 2024-02-01 14:08:57 PST
Pull request: https://github.com/WebKit/WebKit/pull/23689
Comment 4 EWS 2024-02-02 12:53:13 PST
Committed 274009@main (eeda72823e71): <https://commits.webkit.org/274009@main>

Reviewed commits have been landed. Closing PR #23689 and removing active labels.
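
Added example, not part of the bug report or of the WebKit patch: a JavaScript reading of the GetSetRecord validation the description cites, showing that the negative-size RangeError (step 7) is raised before "has" or "keys" are read. The helper names (getSetRecord, setLike, thrownName, probeHost) are assumptions made for this sketch.

```javascript
// Added example: a JavaScript reading of GetSetRecord, not JavaScriptCore source.
function getSetRecord(obj) {
  const isObject = (typeof obj === "object" && obj !== null) || typeof obj === "function";
  if (!isObject) throw new TypeError("argument must be an object");       // step 1
  const numSize = +obj.size;            // steps 2-3: Get "size", then ToNumber
  if (Number.isNaN(numSize)) {
    throw new TypeError("'size' must be a number");                       // step 5
  }
  const intSize = Math.trunc(numSize) + 0;  // step 6: ToIntegerOrInfinity (-0 -> 0)
  if (intSize < 0) {
    throw new RangeError("'size' must not be negative");                  // step 7
  }
  const has = obj.has;                                                    // step 8
  if (typeof has !== "function") throw new TypeError("'has' must be callable");
  const keys = obj.keys;                                                  // step 10
  if (typeof keys !== "function") throw new TypeError("'keys' must be callable");
  return { set: obj, size: intSize, has, keys };                          // step 12
}

// Constructed set-like object, same shape as the one in the report.
function setLike(size) {
  return {
    size,
    has() { return false; },
    keys() { return { next() { return { done: true }; } }; },
  };
}

// Name of the error thrown by fn, or "none" if it returns normally.
function thrownName(fn) {
  try { fn(); return "none"; } catch (e) { return e.name; }
}

// Runs the report's reproduction against the host engine.
// "RangeError" is what the report expects; "unsupported" means no Set.prototype.difference.
function probeHost() {
  if (typeof Set.prototype.difference !== "function") return "unsupported";
  return thrownName(() => new Set([1, 2, 3]).difference(setLike(-1)));
}

console.log("reference:", thrownName(() => getSetRecord(setLike(-1))));
console.log("host:", probeHost());
```
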