Bug 163417 - ES6: Make Array.prototype.splice implement step 8 of its spec.
Summary: ES6: Make Array.prototype.splice implement step 8 of its spec.
Status: ASSIGNED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-13 16:13 PDT by Mark Lam
Modified: 2016-10-13 16:20 PDT (History)

See Also:


Attachments
archiving test case for step 8 of the spec. (769 bytes, application/x-javascript)
2016-10-13 16:20 PDT, Mark Lam

Description Mark Lam 2016-10-13 16:13:59 PDT
Step 8 of the Array.prototype.splice spec (https://tc39.github.io/ecma262/#sec-array.prototype.splice) states that we should throw a TypeError if the spliced array's length will exceed 2^53-1.  This is gated on the JSArray getLength() convenience function being updated to return a length value that is greater than 32 bits.  This issue is only a compliance issue in a contrived example, e.g.

    var maxLength = (2 ** 53) - 1;
    Array.prototype.splice.call({ length: maxLength }, maxLength, 0, 1, 2, 3);

In real-world code, the JSC runtime prevents us from creating arrays with a length that exceeds UINT_MAX.  We're also bounded on the number of args that we pass to Array.prototype.splice.  As a result, we can never splice together an array that gets anywhere near 2^53-1.  We'll get an OutOfMemoryError long before then.
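The following is an added example, not code from the bug report or from JavaScriptCore. It reproduces steps 2 through 8 of the Array.prototype.splice algorithm in plain JavaScript so the length arithmetic behind the step 8 check can be inspected directly: ToLength clamps the incoming length to [0, 2^53-1], steps 3 through 7 derive actualStart, insertCount and actualDeleteCount (including the argument-count-dependent cases), and step 8 compares the resulting length against 2^53-1. The function names (toInteger, toLength, checkSpliceStep8, engineBehaviourOnStep8) are assumptions chosen for this example; the last one simply runs the contrived call from the description against whatever engine executes the file and reports what happened, so its result depends on the engine.

```javascript
// Added example: a reference model of Array.prototype.splice steps 2-8,
// not JavaScriptCore's implementation.
const MAX_SAFE = Number.MAX_SAFE_INTEGER; // 2^53 - 1, the limit step 8 enforces

// ToInteger: Number() the value, NaN becomes 0, +/-Infinity is kept,
// anything else is truncated toward zero.
function toInteger(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// ToLength: clamp an integer into [0, 2^53-1]. This is why a "length"
// property larger than 2^53-1 does not by itself trip step 8.
function toLength(v) {
  const n = toInteger(v);
  if (n <= 0) return 0;
  return Math.min(n, MAX_SAFE);
}

// Mirrors steps 2-8 for a receiver whose "length" is `lengthValue` and a
// splice argument list `args` = (start, deleteCount, ...items). Returns the
// intermediate values and whether step 8 would throw a TypeError.
function checkSpliceStep8(lengthValue, ...args) {
  const len = toLength(lengthValue);                         // step 2
  const relativeStart = toInteger(args[0]);                  // step 3
  const actualStart = relativeStart < 0                      // step 4
    ? Math.max(len + relativeStart, 0)
    : Math.min(relativeStart, len);

  let insertCount;
  let actualDeleteCount;
  if (args.length === 0) {                                   // step 5
    insertCount = 0;
    actualDeleteCount = 0;
  } else if (args.length === 1) {                            // step 6
    insertCount = 0;
    actualDeleteCount = len - actualStart;
  } else {                                                   // step 7
    insertCount = args.length - 2;
    const dc = toInteger(args[1]);
    actualDeleteCount = Math.min(Math.max(dc, 0), len - actualStart);
  }

  const newLength = len + insertCount - actualDeleteCount;   // step 8 quantity
  return {
    len,
    actualStart,
    actualDeleteCount,
    insertCount,
    newLength,
    throws: newLength > MAX_SAFE,                            // step 8 condition
  };
}

// Runs the description's contrived call in the current engine and reports
// the outcome as a string. Informational only: whether a TypeError is
// raised is exactly what this bug is about, so the answer is engine-specific.
function engineBehaviourOnStep8() {
  const maxLength = MAX_SAFE;
  try {
    Array.prototype.splice.call({ length: maxLength }, maxLength, 0, 1, 2, 3);
    return 'no exception';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : e.constructor.name;
  }
}

// Example usage: the call from the bug report, modelled rather than executed.
const modelled = checkSpliceStep8(MAX_SAFE, MAX_SAFE, 0, 1, 2, 3);
console.log('modelled new length:', modelled.newLength, 'step 8 throws:', modelled.throws);
console.log('engine did:', engineBehaviourOnStep8());
```

Note that no array is ever allocated here: the receiver is a plain object with a large "length", which is exactly why the description calls the case contrived and why a compliant engine must perform the step 8 comparison on the spec's unclamped arithmetic rather than rely on allocation limits.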
Comment 1 Mark Lam 2016-10-13 16:20:40 PDT
Created attachment 291531
archiving test case for step 8 of the spec.