Bug 187777 - Unexpected behavior if object length property exceeds 2³²
https://bugs.webkit.org/show_bug.cgi?id=187777
Status: RESOLVED DUPLICATE of bug 163417
isol2
Reported 2018-07-18 11:47:43 PDT
Hi everyone, I found an inconsistency in JSC when we try to push a new element into an Object that uses the Array.prototype.push method. Seems like a ToUint32 conversion on JSC, while the other engines exceed this value. In addition, it was observed that JSC pushes the element at index 0 and index length-1.

OS: Ubuntu 16.04 x64
Build version: 233840

Steps to reproduce:

    var o = { length : 2**32, push : Array.prototype.push };
    print(o.push('A'));
    print(o[0], o[o.length-1]);

Actual results:

    1
    A A

Expected results:

    4294967297
    undefined A

V8, SpiderMonkey, Chakra and XS work as expected.
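To make the divergence concrete, here is a spec-shaped reference implementation of the generic push algorithm (length read through ToLength, capped at 2^53 - 1) beside a ToUint32-truncating variant that models the behavior the report describes, plus a conformance check that runs the report's repro against the running engine's native push. This is an added example, not code from the bug report or from WebKit; the function names are assumptions.

```javascript
// Added example (not from the report): spec-shaped push vs. a ToUint32-truncating push.
const MAX_SAFE = Number.MAX_SAFE_INTEGER; // 2^53 - 1, the spec's upper bound for "length"

// ToLength: integer-truncate, then clamp to [0, 2^53 - 1]; NaN becomes 0.
function toLength(v) {
  const n = Math.trunc(Number(v)) || 0;
  return n <= 0 ? 0 : Math.min(n, MAX_SAFE);
}

// ToUint32: modulo 2^32, so a length of 2^32 wraps to 0 (the conversion the report suspects).
function toUint32(v) {
  return Number(v) >>> 0;
}

// Spec-shaped generic push: reads length via ToLength and refuses to exceed 2^53 - 1.
function specPush(o, ...items) {
  let len = toLength(o.length);
  if (len + items.length > MAX_SAFE) {
    throw new TypeError('push would make length exceed 2^53 - 1');
  }
  for (const item of items) o[len++] = item;
  o.length = len;
  return len;
}

// Truncating push: models the reported JSC behavior (length 2^32 -> 0, element lands at index 0).
function uint32Push(o, ...items) {
  let len = toUint32(o.length);
  for (const item of items) o[len++] = item;
  o.length = len;
  return len;
}

// Runs the report's repro against the engine's native Array.prototype.push and returns
// true only when the result matches spec semantics: 4294967297, hole at 0, 'A' at the end.
function nativePushIsSpecCompliant() {
  const o = { length: 2 ** 32, push: Array.prototype.push };
  const ret = o.push('A');
  return ret === 2 ** 32 + 1 && o[0] === undefined && o[o.length - 1] === 'A';
}
```

Running nativePushIsSpecCompliant() in an engine that still truncates to ToUint32 returns false, which makes it usable as a regression check.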
isol2
Comment 1 2018-08-08 08:23:17 PDT
cinfuzz
Alexey Shvayka
Comment 2 2020-03-24 09:42:09 PDT
Thank you for the detailed report. Apart from Array.prototype.push, other Array methods (mostly ones that are implemented in C++) are affected. I am merging bug reports to fix all (observable) cases with a single patch.

*** This bug has been marked as a duplicate of bug 163417 ***