Bug 185495 - ArraySpeciesCreate not checking for max length on array like objects
Summary: ArraySpeciesCreate not checking for max length on array like objects
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-09 16:11 PDT by Leo Balter
Modified: 2018-05-09 16:11 PDT (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Leo Balter 2018-05-09 16:11:19 PDT 
I got a false positive from the test runner while working on Bug 185476. While the fix there is still fine, it doesn't solve the whole problem where a RangeError is not observed for non-array objects with the length property set to values > 2**32-1. 

`constructArrayWithSizeQuirk` in the Source/JavaScriptCore/runtime/ArrayConstructor.cpp file has a check for the length - code below - but I was unable to reach it. My first patch was calling it but it's still not successful.

```
    uint32_t n = length.toUInt32(exec);
    if (n != length.toNumber(exec))
        return throwException(exec, scope, createRangeError(exec, ASCIILiteral("Array size is not a small enough positive integer.")));
```

Yusuke, would you help me here, please?