Bug 199663 - A defect of Array.prototype.lastIndexOf method
Status: RESOLVED DUPLICATE of bug 163417
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2019-07-10 02:27 PDT by yaohouyou
Modified: 2020-04-18 19:59 PDT

Description yaohouyou 2019-07-10 02:27:57 PDT
Version: <d940b47>
OS: <ubuntu 16.04>

#Testcase:
var foo = function () {
	var targetObj = ['hello', 'world'];
	var obj = {
		0: targetObj,
		1: 1234,
		2: targetObj,
		4294967294: targetObj,
		4294967295: targetObj,
		length: 4294967299
	};
	return Array.prototype.lastIndexOf.call(obj, targetObj);
};
var result = foo();
print(result);

#Command:
./webkit/WebKitBuild/Release/bin/jsc testcase.js

#Output:
2

#Expected output:
4294967295


#Description:
When using the above testcase, JSC outputs 2, which is the wrong result. This is caused by a defect of ES5.1. If the length of an object is more than 2^32, the result will be wrong because the ToUint32 method reduces len to len % 2^32, which makes the lastIndexOf method search for the target object from index 2 in this testcase.
So we suggest updating the Array.prototype.lastIndexOf method according to ES2015.
The ECMAScript standard references are as follows:
http://www.ecma-international.org/ecma-262/5.1/index.html#sec-15.4.4.15
http://www.ecma-international.org/ecma-262/6.0/index.html#sec-array.prototype.lastindexof

Furthermore, the output of other engines, such as V8, SpiderMonkey and Chakra, is 4294967295.
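
The length conversion described in the report, as an added example (not part of the original report and not JavaScriptCore code): a generic lastIndexOf is run over the report's object once with the ES5.1 ToUint32 conversion and once with the ES2015 ToLength conversion. The function names are hypothetical and the optional fromIndex argument is left out.

```javascript
// Added illustration; names are hypothetical and this is not JavaScriptCore code.
// ES5.1 ToUint32: truncate, then reduce modulo 2^32.
function toUint32(value) {
  return value >>> 0;
}

// ES2015 ToLength: truncate, then clamp to the range [0, 2^53 - 1].
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// Generic lastIndexOf over an array-like object (no fromIndex argument),
// parameterised by the length conversion so both spec editions can be compared.
function lastIndexOfWith(convertLength, obj, searchElement) {
  const len = convertLength(obj.length);
  if (len === 0) return -1;
  for (let k = len - 1; k >= 0; k--) {
    if (k in obj && obj[k] === searchElement) return k;
  }
  return -1;
}

// The array-like object from the report's testcase.
function buildReportObject() {
  const targetObj = ['hello', 'world'];
  const obj = {
    0: targetObj,
    1: 1234,
    2: targetObj,
    4294967294: targetObj,
    4294967295: targetObj,
    length: 4294967299
  };
  return { obj, targetObj };
}

function compareEditions() {
  const { obj, targetObj } = buildReportObject();
  return {
    effectiveLengthEs5: toUint32(obj.length),      // length wraps around
    effectiveLengthEs2015: toLength(obj.length),   // length is preserved
    es5: lastIndexOfWith(toUint32, obj, targetObj),
    es2015: lastIndexOfWith(toLength, obj, targetObj)
  };
}
console.log(compareEditions());
```
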
Comment 1 Radar WebKit Bug Importer 2019-07-10 09:05:21 PDT
<rdar://problem/52894578>
Comment 2 Alexey Shvayka 2020-04-18 19:59:24 PDT
Thank you for the detailed report.
Apart from Array.prototype.lastIndexOf, other Array methods (mostly ones that are implemented in C++) are affected.
I am merging all bug reports to fix all (observable) cases with a single patch.

*** This bug has been marked as a duplicate of bug 163417 ***