Bug 212167 - Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: All   OS: All
Importance: P2 Minor
Assignee: Alexey Shvayka
Keywords: InRadar
Reported: 2020-05-20 14:08 PDT by Alexey Shvayka
Modified: 2020-05-21 01:42 PDT

Attachments
Patch (6.86 KB, patch)
2020-05-20 14:13 PDT, Alexey Shvayka
no flags

Description Alexey Shvayka 2020-05-20 14:08:26 PDT
Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1
Comment 1 Alexey Shvayka 2020-05-20 14:13:58 PDT
Created attachment 399892
Patch
Comment 2 Saam Barati 2020-05-20 15:24:44 PDT
Comment on attachment 399892
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=399892&action=review

> Source/JavaScriptCore/builtins/ArrayConstructor.js:72
> +            if (k >= @MAX_SAFE_INTEGER)

should be >, no?
Comment 3 Alexey Shvayka 2020-05-21 01:29:25 PDT
(In reply to Saam Barati from comment #2)

Thank you for review, Saam!

> > Source/JavaScriptCore/builtins/ArrayConstructor.js:72
> > +            if (k >= @MAX_SAFE_INTEGER)
> 
> should be >, no?

ECMA-262 is consistent in using > for length checks and >= for indices; `k` is an index here.
I've vetted all 2 ** 53 - 1 checks in JSC; we are spec-perfect with this patch.
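A spec-style reference for the two 2 ** 53 - 1 checks that the review exchange above distinguishes, added here as an example: it is not code from the WebKit patch or from JavaScriptCore. `specConcat`, `toLength`, `errorName` and the constructed probe objects are assumptions of this example. It shows that the pre-loop check on a spreadable argument's *length* uses `>` and runs before any element is read, while the per-element check on the *index* `n` uses `>=`, and compares the reference result with the host engine's `Array.prototype.concat` on the throwing case.

```javascript
// Added example, not code from the WebKit patch: a spec-style reference for the
// two 2^53 - 1 checks in Array.prototype.concat (ECMA-262), showing why the
// pre-loop check on a *length* uses ">" while the per-element check on an
// *index* uses ">=". specConcat, toLength, errorName and the probe objects
// below are assumptions of this example.
const MAX_SAFE_INTEGER = 2 ** 53 - 1;

// ToLength: integer-convert, then clamp to [0, 2^53 - 1].
function toLength(v) {
  const n = Math.trunc(Number(v));
  if (!(n > 0)) return 0;                  // NaN, -0, negatives
  return Math.min(n, MAX_SAFE_INTEGER);
}

// IsConcatSpreadable: honour Symbol.isConcatSpreadable, else Array.isArray.
function isConcatSpreadable(o) {
  if (o === null || (typeof o !== 'object' && typeof o !== 'function')) return false;
  const s = o[Symbol.isConcatSpreadable];
  return s !== undefined ? Boolean(s) : Array.isArray(o);
}

// Reference concat. The result is a plain object rather than an Array so the
// example is only about the 2^53 - 1 bookkeeping, not Array's own 2^32 - 1 cap.
function specConcat(thisValue, ...items) {
  const A = {};
  let n = 0;                               // next free index in A
  for (const E of [thisValue, ...items]) {
    if (isConcatSpreadable(E)) {
      const len = toLength(E.length);
      // Length check, done BEFORE any element of E is read: n + len may equal
      // 2^53 - 1, so the comparison is strictly greater-than.
      if (n + len > MAX_SAFE_INTEGER) {
        throw new TypeError('concat result would exceed 2^53 - 1 elements');
      }
      for (let k = 0; k < len; k++) {
        if (k in E) A[n] = E[k];           // holes stay holes, n still advances
        n++;
      }
    } else {
      // Index check: n is the slot about to be written and must stay below
      // 2^53 - 1, so the comparison is greater-or-equal.
      if (n >= MAX_SAFE_INTEGER) {
        throw new TypeError('concat index reached 2^53 - 1');
      }
      A[n] = E;
      n++;
    }
  }
  A.length = n;
  return A;
}

// Name of the error a thunk throws, or null if it returns normally.
function errorName(fn) {
  try { fn(); return null; } catch (e) { return e.constructor.name; }
}

// Constructed probe: a spreadable array-like whose length is exactly 2^53 - 1
// and whose first element throws if it is ever read. With a one-element
// receiver, n + len exceeds 2^53 - 1, so the TypeError must come from the
// length check, before element 0 is touched.
const hugeSpreadable = {
  [Symbol.isConcatSpreadable]: true,
  length: 2 ** 53 - 1,
  get 0() { throw new Error('element 0 was read before the length check'); },
};

function checkLengthGuard() {
  return {
    reference: errorName(() => specConcat([1], hugeSpreadable)),
    native: errorName(() => [1].concat(hugeSpreadable)),
  };
}

// Small, fully observable case: holes are skipped but keep their slot.
function checkSmallConcat() {
  const sparse = { [Symbol.isConcatSpreadable]: true, length: 3, 0: 'a', 2: 'c' };
  return specConcat([1, 2], sparse, 'tail');
}

// Caveat: [].concat(hugeSpreadable) passes the length check (0 + len is not
// greater than 2^53 - 1) and then iterates 2^53 - 1 indices; do not run it.

console.log(checkLengthGuard());         // { reference: 'TypeError', native: 'TypeError' }
console.log(checkSmallConcat());
```

The poisoned getter is what makes the probe informative: if an implementation ran the `>=` index check inside the loop instead of the `>` length check before it, element 0 would be read first and the custom Error, not a TypeError, would surface.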
Comment 4 EWS 2020-05-21 01:41:26 PDT
Committed r261987: <https://trac.webkit.org/changeset/261987>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 399892.
Comment 5 Radar WebKit Bug Importer 2020-05-21 01:42:16 PDT
<rdar://problem/63484485>