| Summary: | Unexpected behavior if object length property exceeds 2³² | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | isol2 |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | ashvayka, fpizlo, ggaren, ysuzuki |
| Priority: | P2 | ||
| Version: | Safari 11 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
cinfuzz Thank you for the detailed report. Apart from Array.prototype.push, other Array methods (mostly ones that are implemented in C++) are affected. I am merging bug reports to fix all (observable) cases with a single patch.

*** This bug has been marked as a duplicate of bug 163417 ***
Hi everyone,

I found an inconsistency in JSC when we try to push a new element into an Object that uses the Array.prototype.push method. Seems like a ToUint32 conversion on JSC, while the other engines exceed this value. In addition, it was observed that JSC pushes the element in index 0 and index length-1.

OS: Ubuntu 16.04 x64
build version: 233840

Steps to reproduce:

    var o = { length : 2**32, push : Array.prototype.push };
    print(o.push('A'));
    print(o[0], o[o.length-1]);

Actual results:

    1
    A A

Expected results:

    4294967297
    undefined A

V8, SpiderMonkey, Chakra and XS work as expected.
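
The two length conversions at issue in this report, side by side, as an added example that is not part of the original report or of WebKit's code. `toLength`, `toUint32`, `genericPush` and `run` are hypothetical names; the example models a generic push using ToLength (ES2015 and later) against the older ToUint32 conversion that the reporter suspects.

```javascript
// Added illustration; function names are hypothetical, not JavaScriptCore internals.
const MAX_SAFE = 2 ** 53 - 1;

// ToLength (ES2015+): integer clamped to [0, 2^53 - 1].
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, MAX_SAFE);
}

// ToUint32: integer taken modulo 2^32, so 2**32 wraps to 0.
function toUint32(value) {
  return Number(value) >>> 0;
}

// Generic push over any object, parameterised on the length conversion.
function genericPush(obj, convert, ...items) {
  let len = convert(obj.length);
  // The specification rejects a push that would move length past 2^53 - 1.
  if (len + items.length > MAX_SAFE) {
    throw new TypeError('length exceeds 2^53 - 1');
  }
  for (const item of items) {
    obj[len] = item;
    len += 1;
  }
  obj.length = len;
  return len;
}

// Re-runs the report's test case with the chosen conversion.
function run(convert) {
  const o = { length: 2 ** 32 };
  const ret = genericPush(o, convert, 'A');
  return { ret, first: o[0], last: o[o.length - 1] };
}

console.log('ToLength:', run(toLength)); // corresponds to the report's expected results
console.log('ToUint32:', run(toUint32)); // corresponds to the report's actual results
```

With ToUint32 the length wraps to 0, so the write lands at index 0 and `o.length - 1` is also 0, which is why both reads return the pushed value.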