[JSC] setLength in Array#push could get very large length
Created attachment 407422: Patch
<rdar://problem/67859149>
Comment on attachment 407422: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review

r=me with nits.

> Source/JavaScriptCore/ChangeLog:10
> + Before r266215, it was using putLength which throws an error. But it is replaced with setLength,

Nit: But it *was* replaced.

> Source/JavaScriptCore/ChangeLog:11
> + and JSC::setLength assumes that this never gets such a length with an assertion. We should fix it

Nit: assumes that *it* never gets *a length greater than UINT32_MAX by asserting*.
Comment on attachment 407422: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review

Thanks!

>> Source/JavaScriptCore/ChangeLog:10
>> + Before r266215, it was using putLength which throws an error. But it is replaced with setLength,
>
> Nit: But it *was* replaced.

Fixed.

>> Source/JavaScriptCore/ChangeLog:11
>> + and JSC::setLength assumes that this never gets such a length with an assertion. We should fix it
>
> Nit: assumes that *it* never gets *a length greater than UINT32_MAX by asserting*.

Fixed.
Committed r266257: <https://trac.webkit.org/changeset/266257>
Comment on attachment 407422: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:168
> + if (UNLIKELY(value > UINT32_MAX)) {

Could this be a maxArrayLength constant instead of UINT32_MAX?
Comment on attachment 407422: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review

>> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:168
>> + if (UNLIKELY(value > UINT32_MAX)) {
>
> Could this be a maxArrayLength constant instead of UINT32_MAX?

Like maybe:

    constexpr uint32_t maxArrayLength = MAX_ARRAY_INDEX + 1;