Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1
Created attachment 399892 [details]
Comment on attachment 399892 [details]
View in context: https://bugs.webkit.org/attachment.cgi?id=399892&action=review
> + if (k >= @MAX_SAFE_INTEGER)
should be >, no?
(In reply to Saam Barati from comment #2)
Thank you for review, Saam!
> > + if (k >= @MAX_SAFE_INTEGER)
> should be >, no?
ECMA-262 is consistent to use > for length checks and >= for indices; `k` is an index here.
I've vetted all 2 ** 53 - 1 checks in JSC, we are spec-perfect with this patch.
Committed r261987: <https://trac.webkit.org/changeset/261987>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 399892 [details].