Bug 144128 - Array.prototype methods must use ToLength
Summary: Array.prototype methods must use ToLength
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Jordan Harband
URL: https://people.mozilla.org/~jorendorf...
Keywords:
Depends on:
Blocks: 145107 145364
Reported: 2015-04-23 15:21 PDT by Jordan Harband
Modified: 2015-05-25 10:50 PDT (History)

See Also:


Attachments
Patch (40.35 KB, patch), 2015-04-24 16:33 PDT, Jordan Harband
Archive of layout-test-results from ews103 for mac-mavericks (687.55 KB, application/zip), 2015-04-25 01:02 PDT, Build Bot
Archive of layout-test-results from ews107 for mac-mavericks-wk2 (567.87 KB, application/zip), 2015-04-25 01:37 PDT, Build Bot
Patch (40.33 KB, patch), 2015-04-26 23:17 PDT, Jordan Harband
Archive of layout-test-results from ews103 for mac-mavericks (539.24 KB, application/zip), 2015-04-27 00:08 PDT, Build Bot
Archive of layout-test-results from ews104 for mac-mavericks-wk2 (578.61 KB, application/zip), 2015-04-27 00:40 PDT, Build Bot
Patch (44.09 KB, patch), 2015-05-17 10:52 PDT, Yusuke Suzuki
Archive of layout-test-results from ews103 for mac-mavericks (542.80 KB, application/zip), 2015-05-17 11:27 PDT, Build Bot
Archive of layout-test-results from ews104 for mac-mavericks-wk2 (592.68 KB, application/zip), 2015-05-17 11:48 PDT, Build Bot
Patch (46.09 KB, patch), 2015-05-17 11:51 PDT, Yusuke Suzuki

Description Jordan Harband 2015-04-23 15:21:14 PDT
Many of the Array.prototype methods have bugs in that they use `array.length >>> 0` to handle array-like objects. This violates https://people.mozilla.org/~jorendorff/es6-draft.html#sec-tolength.

I'll be creating a `ToLength` C++ function, and exposing it to builtins as `@ToLength`, to correct this, along with adding tests.
Comment 1 Jordan Harband 2015-04-24 16:33:12 PDT
Created attachment 251589 [details]
Patch
Comment 2 Jordan Harband 2015-04-24 16:36:39 PDT
Benjamin raised a concern that replacing the `>>> 0` check with the ToLength call might have performance impacts.

My first priority was correctness - now that this patch is correct, I'd love to explore ways to determine if it's slow, and to speed it up if so.
Comment 3 Build Bot 2015-04-25 01:02:52 PDT
Comment on attachment 251589 [details]
Patch

Attachment 251589 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/5841617894244352

New failing tests:
fast/profiler/built-in-function-calls-user-defined-function.html
fast/profiler/built-in-function-calls-anonymous.html
Comment 4 Build Bot 2015-04-25 01:02:55 PDT
Created attachment 251624 [details]
Archive of layout-test-results from ews103 for mac-mavericks

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-mavericks  Platform: Mac OS X 10.9.5
Comment 5 Build Bot 2015-04-25 01:37:24 PDT
Comment on attachment 251589 [details]
Patch

Attachment 251589 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/5553607386595328

New failing tests:
fast/profiler/built-in-function-calls-user-defined-function.html
fast/profiler/built-in-function-calls-anonymous.html
Comment 6 Build Bot 2015-04-25 01:37:28 PDT
Created attachment 251625 [details]
Archive of layout-test-results from ews107 for mac-mavericks-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-mavericks-wk2  Platform: Mac OS X 10.9.5
Comment 7 Jordan Harband 2015-04-26 23:17:47 PDT
Created attachment 251724 [details]
Patch
Comment 8 Build Bot 2015-04-27 00:07:58 PDT
Comment on attachment 251724 [details]
Patch

Attachment 251724 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/5508203139825664

New failing tests:
fast/profiler/built-in-function-calls-user-defined-function.html
fast/profiler/built-in-function-calls-anonymous.html
Comment 9 Build Bot 2015-04-27 00:08:02 PDT
Created attachment 251725 [details]
Archive of layout-test-results from ews103 for mac-mavericks

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-mavericks  Platform: Mac OS X 10.9.5
Comment 10 Build Bot 2015-04-27 00:40:33 PDT
Comment on attachment 251724 [details]
Patch

Attachment 251724 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/4687940286414848

New failing tests:
fast/profiler/built-in-function-calls-user-defined-function.html
fast/profiler/built-in-function-calls-anonymous.html
Comment 11 Build Bot 2015-04-27 00:40:38 PDT
Created attachment 251726 [details]
Archive of layout-test-results from ews104 for mac-mavericks-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104  Port: mac-mavericks-wk2  Platform: Mac OS X 10.9.5
Comment 12 Yusuke Suzuki 2015-05-15 02:18:20 PDT
What do you think about implementing ToLength and ToInteger in JavaScript?
For example, the current `String.raw` and `Array.from` have their own ToLength/ToInteger implementations written in JS.
Comment 13 Jordan Harband 2015-05-15 10:08:01 PDT
That'd be fine - although, this patch is ready to go except that I can't get the tests to pass :-) Please feel free to help, or take it over if you prefer!
Comment 14 Yusuke Suzuki 2015-05-16 02:05:56 PDT
(In reply to comment #13)
> That'd be fine - although, this patch is ready to go except that I can't get
> the tests to pass :-) Please feel free to help, or take it over if you
> prefer!

Ah, ok. So, based on your great patch, I'll change it slightly to implement ToLength/ToInteger in JS.
Comment 15 Yusuke Suzuki 2015-05-17 10:52:49 PDT
Created attachment 253286 [details]
Patch
Comment 16 Build Bot 2015-05-17 11:27:01 PDT
Comment on attachment 253286 [details]
Patch

Attachment 253286 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/5037208369102848

New failing tests:
fast/profiler/built-in-function-calls-user-defined-function.html
fast/profiler/built-in-function-calls-anonymous.html
Comment 17 Build Bot 2015-05-17 11:27:04 PDT
Created attachment 253287 [details]
Archive of layout-test-results from ews103 for mac-mavericks

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-mavericks  Platform: Mac OS X 10.9.5
Comment 18 Build Bot 2015-05-17 11:48:31 PDT
Comment on attachment 253286 [details]
Patch

Attachment 253286 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/5369848754339840

New failing tests:
fast/profiler/built-in-function-calls-user-defined-function.html
fast/profiler/built-in-function-calls-anonymous.html
Comment 19 Build Bot 2015-05-17 11:48:35 PDT
Created attachment 253290 [details]
Archive of layout-test-results from ews104 for mac-mavericks-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104  Port: mac-mavericks-wk2  Platform: Mac OS X 10.9.5
Comment 20 Yusuke Suzuki 2015-05-17 11:51:36 PDT
Created attachment 253291 [details]
Patch
Comment 21 Yusuke Suzuki 2015-05-19 11:44:43 PDT
Could anyone take a look?
Comment 22 Oliver Hunt 2015-05-19 11:50:46 PDT
Comment on attachment 253291 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=253291&action=review

> Source/JavaScriptCore/builtins/GlobalObject.js:38
> +    return (numberValue > 0 ? 1 : -1) * @floor(@abs(numberValue));

Just as a sanity question, what is the expected behavior of 1/ToInteger(-0)?

> Source/JavaScriptCore/builtins/GlobalObject.js:47
> +    return length > 0 ? (length < maxSafeInteger ? length : maxSafeInteger) : 0;

ditto
Comment 23 Yusuke Suzuki 2015-05-19 12:00:25 PDT
Comment on attachment 253291 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=253291&action=review

Thank you for your review!

>> Source/JavaScriptCore/builtins/GlobalObject.js:38
>> +    return (numberValue > 0 ? 1 : -1) * @floor(@abs(numberValue));
> 
> Just as a sanity question, what is the expected behavior of 1/ToInteger(-0)?

When -0 comes, `numberValue` becomes `-0` and `numberValue === 0` becomes true. So `ToInteger` returns `-0`.
It conforms to the spec. http://people.mozilla.org/~jorendorff/es6-draft.html#sec-tointeger

"If number is +0, −0, +∞, or −∞, return number."

>> Source/JavaScriptCore/builtins/GlobalObject.js:47
>> +    return length > 0 ? (length < maxSafeInteger ? length : maxSafeInteger) : 0;
> 
> ditto

When `-0` comes, `length` becomes `-0` since `ToInteger(-0)` returns `-0`.
And after that, `length > 0` becomes `false`. So `ToLength(-0)` returns `+0`.
It conforms to the spec. http://people.mozilla.org/~jorendorff/es6-draft.html#sec-tolength

"If len ≤ +0, return +0."
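The following is an added example, not code from the WebKit patch or from any commenter on this bug. It writes ToInteger and ToLength in plain JavaScript following the ES6 draft sections cited above, puts them beside the `length >>> 0` shortcut the description says the Array.prototype methods were using, and walks through the -0 case raised in comment 22 and answered in comment 23. The array-like objects and the set of sample lengths are constructed for the demo; `toInteger`, `toLength`, `lengthViaShift` and `collectArrayLike` are names chosen here, not WebKit's `@ToLength`.

```javascript
// Added example (not WebKit code): spec-style ToInteger/ToLength compared with
// the `length >>> 0` shortcut described in this bug. Names and sample inputs are
// constructed for this demonstration.

const MAX_SAFE_INTEGER = Math.pow(2, 53) - 1; // 9007199254740991

// ES6 ToInteger: NaN -> +0; +0, -0, +Infinity, -Infinity pass through unchanged;
// otherwise sign(n) * floor(abs(n)). Note this keeps -0 for inputs in (-1, 0].
function toInteger(value) {
  const number = Number(value);
  if (Number.isNaN(number)) return 0;
  if (number === 0 || !Number.isFinite(number)) return number;
  return (number > 0 ? 1 : -1) * Math.floor(Math.abs(number));
}

// ES6 ToLength: "If len <= +0, return +0", then clamp to 2^53 - 1.
// `-0 <= 0` is true, so ToLength(-0) yields +0 even though ToInteger(-0) is -0.
function toLength(value) {
  const len = toInteger(value);
  if (len <= 0) return 0;
  return Math.min(len, MAX_SAFE_INTEGER);
}

// The shortcut the buggy methods used: ToUint32, which wraps modulo 2^32.
function lengthViaShift(value) {
  return value >>> 0;
}

// Run both conversions over lengths an array-like object might carry. The
// interesting rows are negative values (>>> 0 turns -1 into 4294967295),
// values at or above 2^32 (>>> 0 wraps them to 0 or 1), and Infinity.
function compareLengths() {
  const inputs = {
    ordinary: 3,
    negative: -1,
    twoPow32: Math.pow(2, 32),
    twoPow32PlusOne: Math.pow(2, 32) + 1,
    infinity: Infinity,
    negativeZero: -0,
    nan: NaN,
    numericString: '7',
  };
  const rows = {};
  for (const name of Object.keys(inputs)) {
    rows[name] = { shift: lengthViaShift(inputs[name]), toLength: toLength(inputs[name]) };
  }
  return rows;
}

// The reviewer's question: 1/ToInteger(-0) is -Infinity (the sign survives),
// while 1/ToLength(-0) is +Infinity because ToLength normalises -0 to +0.
function negativeZeroChecks() {
  return {
    oneOverToIntegerNegZero: 1 / toInteger(-0),
    oneOverToLengthNegZero: 1 / toLength(-0),
  };
}

// A generic array-like consumer written the spec way. With `length: -1` the
// loop runs zero times; the `>>> 0` version would iterate 4294967295 indices.
function collectArrayLike(arrayLike) {
  const out = [];
  const len = toLength(arrayLike.length);
  for (let i = 0; i < len; i++) out.push(arrayLike[i]);
  return out;
}

console.table(compareLengths());
console.log(negativeZeroChecks());
console.log(collectArrayLike({ length: 2.9, 0: 'a', 1: 'b', 2: 'c' })); // [ 'a', 'b' ]
console.log(collectArrayLike({ length: -1, 0: 'x' }));                 // []
```

The `compareLengths` table is the whole argument for the fix: `>>> 0` maps -1 to 4294967295 and 2^32 to 0, so a method trusting it either loops over four billion indices or silently skips every element, while ToLength clamps into [0, 2^53 - 1] as the draft specifies.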
Comment 24 WebKit Commit Bot 2015-05-19 12:51:55 PDT
Comment on attachment 253291 [details]
Patch

Clearing flags on attachment: 253291

Committed r184582: <http://trac.webkit.org/changeset/184582>
Comment 25 WebKit Commit Bot 2015-05-19 12:52:02 PDT
All reviewed patches have been landed.  Closing bug.