Bug 208639 - an issue about Array.prototype.lastIndexOf
Status: RESOLVED DUPLICATE of bug 163417
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2020-03-05 06:21 PST by Livy
Modified: 2020-03-24 09:40 PDT
Description Livy 2020-03-05 06:21:08 PST
Description:
According to ES10, the method Array.prototype.lastIndexOf() returns the last index at which a given element can be found in the array, or -1 if it is not present. When the array's length is 4294967296, it will take a long time to find the element because the array is searched backwards. But the engine actually did not; it returned quickly. From ES6.0, the standard uses "ToLength" to deal with the property "length", not "ToUint32". JavaScriptCore doesn't meet this requirement.

Version: b96bf75
https://github.com/WebKit/webkit/commit/b96bf7590bc090fa8161cff1189255ca3319c94b

Build steps:
Tools/Scripts/build-webkit --debug --jsc-only -j

Testcase:
// Array-like whose length exceeds 2^32 - 1: ToLength keeps it, ToUint32 wraps it to 0.
var NISLFuzzingFunc = function() {
    var obj = {
        0:12,
        length:4294967296
    };
    // A spec-compliant search starts at index 4294967295 and walks down to index 0.
    Array.prototype.lastIndexOf.call(obj, 12);
};
NISLFuzzingFunc();

Execution steps:
webkit/WebKitBuild/Debug/bin/jsc testcase.js
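A reference implementation of the conversion difference the report describes, added here as an example (not code from the report or from WebKit). It assumes only the ES2015+ lastIndexOf algorithm, parametrised by the length conversion, and passes a fromIndex of 5 so the ToLength case finishes instantly instead of walking 2^32 indices:

```javascript
// ES5 ToUint32: truncate, then reduce modulo 2^32 (so 4294967296 wraps to 0).
function toUint32(value) {
  const number = Number(value);
  if (!Number.isFinite(number) || number === 0) return 0;
  const int = Math.trunc(number);
  return ((int % 2 ** 32) + 2 ** 32) % 2 ** 32;
}

// ES2015+ ToLength: clamp to [0, 2^53 - 1] (so 4294967296 is kept as-is).
function toLength(value) {
  const number = Number(value);
  if (Number.isNaN(number) || number <= 0) return 0;
  return Math.min(Math.trunc(number), Number.MAX_SAFE_INTEGER);
}

// Reference lastIndexOf following the ES2015+ steps, except that the "length"
// conversion is supplied by the caller so both behaviours can be compared.
function lastIndexOfWith(convertLength, arrayLike, searchElement, fromIndex) {
  const O = Object(arrayLike);
  const len = convertLength(O.length);
  if (len === 0) return -1;
  // ToIntegerOrInfinity(fromIndex): NaN becomes 0, +/-Infinity is kept.
  const n = fromIndex === undefined ? len - 1 : Math.trunc(Number(fromIndex)) || 0;
  let k = n >= 0 ? Math.min(n, len - 1) : len + n;
  for (; k >= 0; k--) {
    // HasProperty, then Get, then strict equality, as in the spec.
    if (k in O && O[k] === searchElement) return k;
  }
  return -1;
}

// Constructed input mirroring the report: one element at index 0, length 2^32.
const reported = { 0: 12, length: 4294967296 };

// fromIndex = 5 bounds the walk to indices 5..0, so both variants finish at once.
// Without fromIndex the ToLength variant starts at index 4294967295 and walks
// down to 0, which is the long search the report expects.
function compareLengthConversions() {
  return {
    withToUint32: lastIndexOfWith(toUint32, reported, 12, 5), // length wraps to 0: -1
    withToLength: lastIndexOfWith(toLength, reported, 12, 5), // finds 12 at index 0: 0
  };
}

// Does the host engine agree with the ES2015+ result for the bounded search?
function engineFollowsToLength() {
  return Array.prototype.lastIndexOf.call(reported, 12, 5) ===
    compareLengthConversions().withToLength;
}
```

An engine that still applies ToUint32 returns -1 for the bounded call, so engineFollowsToLength() is a quick conformance check for the case this report covers.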
Comment 1 Radar WebKit Bug Importer 2020-03-05 15:56:57 PST
<rdar://problem/60104993>
Comment 2 Alexey Shvayka 2020-03-24 09:40:32 PDT
Thank you for the detailed report.
Apart from Array.prototype.lastIndexOf, other Array methods (mostly ones that are implemented in C++) are affected.
I am merging all bug reports to fix all (observable) cases with a single patch.

*** This bug has been marked as a duplicate of bug 163417 ***