Bug 212167 - Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1
Summary: Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
: P2 Minor
Assignee: Alexey Shvayka
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-05-20 14:08 PDT by Alexey Shvayka
Modified: 2020-05-21 01:42 PDT (History)
9 users (show)

See Also:

Attachments
Patch (6.86 KB, patch)
2020-05-20 14:13 PDT, Alexey Shvayka 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexey Shvayka 2020-05-20 14:08:26 PDT 
Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1
Comment 1 Alexey Shvayka 2020-05-20 14:13:58 PDT 
Created attachment 399892 [details]
Patch
Comment 2 Saam Barati 2020-05-20 15:24:44 PDT 
Comment on attachment 399892 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=399892&action=review

> Source/JavaScriptCore/builtins/ArrayConstructor.js:72
> +            if (k >= @MAX_SAFE_INTEGER)

should be >, no?
Comment 3 Alexey Shvayka 2020-05-21 01:29:25 PDT 
(In reply to Saam Barati from comment #2)

Thank you for review, Saam!

> > Source/JavaScriptCore/builtins/ArrayConstructor.js:72
> > +            if (k >= @MAX_SAFE_INTEGER)
> 
> should be >, no?

ECMA-262 is consistent to use > for length checks and >= for indices; `k` is an index here.
I've vetted all 2 ** 53 - 1 checks in JSC, we are spec-perfect with this patch.
Comment 4 EWS 2020-05-21 01:41:26 PDT 
Committed r261987: <https://trac.webkit.org/changeset/261987>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 399892 [details].
Comment 5 Radar WebKit Bug Importer 2020-05-21 01:42:16 PDT 
<rdar://problem/63484485>