Bug 187777 - Unexpected behavior if object length property exceeds 2³²
Summary: Unexpected behavior if object length property exceeds 2³²
Status: RESOLVED DUPLICATE of bug 163417
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: Safari 11
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-18 11:47 PDT by isol2
Modified: 2020-03-24 09:42 PDT
CC List: 4 users

See Also:


Attachments

Description isol2 2018-07-18 11:47:43 PDT
Hi everyone,

I found an inconsistency in JSC when we try to push a new element into an object that uses the Array.prototype.push method.
It seems like a ToUint32 conversion happens in JSC, while the other engines exceed this value.
In addition, it was observed that JSC pushes the element at index 0 and at index length-1.

OS: Ubuntu 16.04 x64
build version: 233840

Steps to reproduce:
var o = { length : 2**32, push : Array.prototype.push };
print(o.push('A'));
print(o[0], o[o.length-1]);

Actual results:
1
A A

Expected results:
4294967297
undefined A

V8, SpiderMonkey, Chakra and XS work as expected.
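The following JavaScript is an added illustration, not part of the original report or of JavaScriptCore's source. It contrasts a push that reads the receiver's length through the spec's ToLength (clamped to 2^53 - 1, with a TypeError when the new length would exceed it) with a model of the ToUint32 truncation the report describes, where 2^32 wraps to 0 and the pushed element lands at index 0. The helper names (toLength, specPush, truncatingPush, reproduce, nativePush) are this example's own; the truncating version is a model of the observed behavior, not a reproduction of JSC's implementation. It runs under Node, whose engine (V8) serves as the spec-conformant reference.

```javascript
// Added example: spec-conformant Array.prototype.push on an array-like object
// versus a model of the ToUint32 truncation described in the report.
// Helper names here are this example's own, not JavaScriptCore identifiers.

const MAX_SAFE_LENGTH = 2 ** 53 - 1; // ECMA-262 ToLength upper clamp

// ECMA-262 ToLength: NaN or negative -> 0, otherwise clamp to 2^53 - 1.
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, MAX_SAFE_LENGTH);
}

// Array.prototype.push as specified: the length is read with ToLength and
// the new length must not exceed 2^53 - 1, otherwise a TypeError is thrown.
function specPush(o, ...items) {
  const len = toLength(o.length);
  if (len + items.length > MAX_SAFE_LENGTH) {
    throw new TypeError('push would exceed the maximum safe length');
  }
  items.forEach((item, i) => { o[len + i] = item; });
  o.length = len + items.length;
  return o.length;
}

// Model of the reported behavior (an assumption about the cause, not JSC's
// code): the length is read through ToUint32 (`>>> 0`), so 2^32 wraps to 0
// and the pushed element is stored at index 0 with a new length of 1.
function truncatingPush(o, ...items) {
  const len = o.length >>> 0;
  items.forEach((item, i) => { o[len + i] = item; });
  o.length = len + items.length;
  return o.length;
}

// Runs the report's reproduction against a push implementation and returns
// the three observable values the reporter printed: the returned length,
// o[0], and o[o.length - 1].
function reproduce(pushImpl) {
  const o = { length: 2 ** 32 }; // constructed array-like input
  const newLength = pushImpl(o, 'A');
  return { newLength, first: o[0], last: o[o.length - 1] };
}

// Native push of the running engine, used as the reference implementation.
function nativePush(o, ...items) {
  return Array.prototype.push.call(o, ...items);
}
```

With `reproduce(specPush)` and `reproduce(nativePush)` the returned length is 4294967297, `o[0]` is undefined and `o[o.length - 1]` is 'A', which is the "Expected results" above; `reproduce(truncatingPush)` yields 1, 'A', 'A', which is the "Actual results". Pushing onto an object whose length is already 2^53 - 1 makes `specPush` throw a TypeError, the other limit that a correct implementation has to honor.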
Comment 1 isol2 2018-08-08 08:23:17 PDT
cinfuzz
Comment 2 Alexey Shvayka 2020-03-24 09:42:09 PDT
Thank you for the detailed report.
Apart from Array.prototype.push, other Array methods (mostly ones that are implemented in C++) are affected.
I am merging bug reports to fix all (observable) cases with a single patch.

*** This bug has been marked as a duplicate of bug 163417 ***