RESOLVED DUPLICATE of bug 163417208639
an issue about Array.prototype.lastIndexOf 
https://bugs.webkit.org/show_bug.cgi?id=208639
Summary an issue about Array.prototype.lastIndexOf
Livy
Reported 2020-03-05 06:21:08 PST
Description: According to ES10, the method Array.prototype.lastIndexOf() returns the last index at which a given element can be found in the array, or -1 if it is not present.When the array's length is 4294967296, it will take a long time to find the element because the array is searched backwards. But the engine actually did not, it returned soonly. From ES6.0, the standard uses "ToLength" to deal with the property "length" not "ToUint32". JavaScriptCore doesn't meet this request. Version:b96bf75 https://github.com/WebKit/webkit/commit/b96bf7590bc090fa8161cff1189255ca3319c94b Build steps: Tools/Scripts/build-webkit --debug --jsc-only -j Testcase: var NISLFuzzingFunc = function() { var obj = { 0:12, length:4294967296 }; Array.prototype.lastIndexOf.call(obj, 12); }; NISLFuzzingFunc(); Execution steps: webkit/WebKitBuild/Debug/bin/jsc testcase.js
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2020-03-05 15:56:57 PST
<rdar://problem/60104993>
Alexey Shvayka
Comment 2 2020-03-24 09:40:32 PDT
Thank you for detailed report. Apart from Array.prototype.lastIndexOf, other Array methods (mostly ones that are implemented in C++) are affected. I am merging all bug reports to fix all (observable) cases with a single patch. *** This bug has been marked as a duplicate of bug 163417 ***
Note You need to log in before you can comment on or make changes to this bug.