267494 – [JSC] Throw RangeError if Set methods are called on an object with negative "size" property

Bug 267494 - [JSC] Throw RangeError if Set methods are called on an object with negative "size" property

Summary: [JSC] Throw RangeError if Set methods are called on an object with negative "...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	All All

Importance:	P2 Normal
Assignee:	Alexey Shvayka

URL:
Keywords:	InRadar

Depends on:
Blocks:	268026
	Show dependency tree / graph

Reported:	2024-01-13 03:34 PST by zloirock
Modified:	2024-02-04 13:19 PST (History)
CC List:	5 users (show)

See Also:	251510

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description zloirock 2024-01-13 03:34:06 PST

new Set([1, 2, 3]).difference({
  size: -1,
  has() {
    return false;
  },
  keys() {
    return { next() { return { done: true }; } };
  },
});

should be a RangeError, GetSetRecord step 7.

Comment 1 zloirock 2024-01-13 03:49:56 PST

Similar V8 issue https://bugs.chromium.org/p/v8/issues/detail?id=14559

Comment 2 Radar WebKit Bug Importer 2024-01-20 03:35:13 PST

<rdar://problem/121310940>

Comment 3 Alexey Shvayka 2024-02-01 14:08:57 PST

Pull request: https://github.com/WebKit/WebKit/pull/23689

Comment 4 EWS 2024-02-02 12:53:13 PST

Committed 274009@main (eeda72823e71): <https://commits.webkit.org/274009@main>

Reviewed commits have been landed. Closing PR #23689 and removing active labels.