- Revision
- 261987
- Author
- shvaikal...@gmail.com
- Date
- 2020-05-21 01:41:21 -0700 (Thu, 21 May 2020)
Log Message
Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1
https://bugs.webkit.org/show_bug.cgi?id=212167
Reviewed by Saam Barati.
JSTests:
* stress/array-prototype-concat-of-long-spliced-arrays.js:
* stress/array-prototype-concat-of-long-spliced-arrays2.js:
* test262/expectations.yaml: Mark 4 test cases as passing.
Source/_javascript_Core:
This patch increases "length" limit of Array.prototype.concat result to @MAX_SAFE_INTEGER
and changes thrown error to TypeError, aligning JSC with the spec [1], V8, and SpiderMonkey.
Also, adds missing @MAX_SAFE_INTEGER overflow check in Array.from [2] (we implement similar
checks in other methods). SunSpider and microbenchmarks/concat-append-one.js are both neutral.
[1]: https://tc39.es/ecma262/#sec-array.prototype.concat (steps 5.c.iii, 5.d.ii)
[2]: https://tc39.es/ecma262/#sec-array.from (step 5.e.i)
* builtins/ArrayConstructor.js:
(from):
* builtins/ArrayPrototype.js:
(globalPrivate.concatSlowPath):
Modified Paths
Diff
Modified: trunk/JSTests/ChangeLog (261986 => 261987)
--- trunk/JSTests/ChangeLog 2020-05-21 07:47:05 UTC (rev 261986)
+++ trunk/JSTests/ChangeLog 2020-05-21 08:41:21 UTC (rev 261987)
@@ -1,3 +1,14 @@
+2020-05-21 Alexey Shvayka <shvaikal...@gmail.com>
+
+ Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1
+ https://bugs.webkit.org/show_bug.cgi?id=212167
+
+ Reviewed by Saam Barati.
+
+ * stress/array-prototype-concat-of-long-spliced-arrays.js:
+ * stress/array-prototype-concat-of-long-spliced-arrays2.js:
+ * test262/expectations.yaml: Mark 4 test cases as passing.
+
2020-05-19 Michael Catanzaro <mcatanz...@gnome.org>
Fixups for r261689 "stress/array-buffer-view-watchpoint-can-be-fired-in-really-add-in-dfg.js failing on ppc64le and s390x"
Modified: trunk/JSTests/stress/array-prototype-concat-of-long-spliced-arrays.js (261986 => 261987)
--- trunk/JSTests/stress/array-prototype-concat-of-long-spliced-arrays.js 2020-05-21 07:47:05 UTC (rev 261986)
+++ trunk/JSTests/stress/array-prototype-concat-of-long-spliced-arrays.js 2020-05-21 08:41:21 UTC (rev 261987)
@@ -30,7 +30,7 @@
exception = e;
}
- shouldEqual(exception, "RangeError: Length exceeded the maximum array length");
+ shouldEqual(exception, "RangeError: Invalid array length");
}
test();
Modified: trunk/JSTests/stress/array-prototype-concat-of-long-spliced-arrays2.js (261986 => 261987)
--- trunk/JSTests/stress/array-prototype-concat-of-long-spliced-arrays2.js 2020-05-21 07:47:05 UTC (rev 261986)
+++ trunk/JSTests/stress/array-prototype-concat-of-long-spliced-arrays2.js 2020-05-21 08:41:21 UTC (rev 261987)
@@ -20,7 +20,7 @@
} catch (e) {
exception = e;
}
- shouldEqual(exception, "RangeError: Length exceeded the maximum array length");
+ shouldEqual(exception, "RangeError: Invalid array length");
}
test();
Modified: trunk/JSTests/test262/expectations.yaml (261986 => 261987)
--- trunk/JSTests/test262/expectations.yaml 2020-05-21 07:47:05 UTC (rev 261986)
+++ trunk/JSTests/test262/expectations.yaml 2020-05-21 08:41:21 UTC (rev 261987)
@@ -654,12 +654,6 @@
test/annexB/language/statements/function/default-parameters-emulates-undefined.js:
default: 'Test262Error: Expected SameValue(«undefined», «[object Function]») to be true'
strict mode: 'Test262Error: Expected SameValue(«undefined», «[object Function]») to be true'
-test/built-ins/Array/prototype/concat/arg-length-exceeding-integer-limit.js:
- default: 'Test262Error: Expected a TypeError but got a RangeError'
- strict mode: 'Test262Error: Expected a TypeError but got a RangeError'
-test/built-ins/Array/prototype/concat/arg-length-near-integer-limit.js:
- default: 'Test262Error: Expected a Test262Error but got a RangeError'
- strict mode: 'Test262Error: Expected a Test262Error but got a RangeError'
test/built-ins/Array/prototype/splice/property-traps-order-with-species.js:
default: 'Test262Error: Expected [defineProperty, defineProperty, set, getOwnPropertyDescriptor, defineProperty] and [defineProperty, defineProperty] to have the same contents. '
strict mode: 'Test262Error: Expected [defineProperty, defineProperty, set, getOwnPropertyDescriptor, defineProperty] and [defineProperty, defineProperty] to have the same contents. '
Modified: trunk/Source/_javascript_Core/ChangeLog (261986 => 261987)
--- trunk/Source/_javascript_Core/ChangeLog 2020-05-21 07:47:05 UTC (rev 261986)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-05-21 08:41:21 UTC (rev 261987)
@@ -1,3 +1,24 @@
+2020-05-21 Alexey Shvayka <shvaikal...@gmail.com>
+
+ Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1
+ https://bugs.webkit.org/show_bug.cgi?id=212167
+
+ Reviewed by Saam Barati.
+
+ This patch increases "length" limit of Array.prototype.concat result to @MAX_SAFE_INTEGER
+ and changes thrown error to TypeError, aligning JSC with the spec [1], V8, and SpiderMonkey.
+
+ Also, adds missing @MAX_SAFE_INTEGER overflow check in Array.from [2] (we implement similar
+ checks in other methods). SunSpider and microbenchmarks/concat-append-one.js are both neutral.
+
+ [1]: https://tc39.es/ecma262/#sec-array.prototype.concat (steps 5.c.iii, 5.d.ii)
+ [2]: https://tc39.es/ecma262/#sec-array.from (step 5.e.i)
+
+ * builtins/ArrayConstructor.js:
+ (from):
+ * builtins/ArrayPrototype.js:
+ (globalPrivate.concatSlowPath):
+
2020-05-20 Michael Saboff <msab...@apple.com>
[Wasm] Limit the size of Wasm function we optimize in OMG mode
Modified: trunk/Source/_javascript_Core/builtins/ArrayConstructor.js (261986 => 261987)
--- trunk/Source/_javascript_Core/builtins/ArrayConstructor.js 2020-05-21 07:47:05 UTC (rev 261986)
+++ trunk/Source/_javascript_Core/builtins/ArrayConstructor.js 2020-05-21 08:41:21 UTC (rev 261987)
@@ -69,6 +69,8 @@
wrapper.@@iterator = function() { return iterator; };
for (var value of wrapper) {
+ if (k >= @MAX_SAFE_INTEGER)
+ @throwTypeError("Length exceeded the maximum array length");
if (mapFn)
@putByValDirect(result, k, thisArg === @undefined ? mapFn(value, k) : mapFn.@call(thisArg, value, k));
else
Modified: trunk/Source/_javascript_Core/builtins/ArrayPrototype.js (261986 => 261987)
--- trunk/Source/_javascript_Core/builtins/ArrayPrototype.js 2020-05-21 07:47:05 UTC (rev 261986)
+++ trunk/Source/_javascript_Core/builtins/ArrayPrototype.js 2020-05-21 08:41:21 UTC (rev 261987)
@@ -558,9 +558,9 @@
var spreadable = @isObject(currentElement) && currentElement.@@isConcatSpreadable;
if ((spreadable === @undefined && @isArray(currentElement)) || spreadable) {
var length = @toLength(currentElement.length);
- if (length + resultIndex > @MAX_ARRAY_INDEX)
- @throwRangeError("Length exceeded the maximum array length");
- if (resultIsArray && @isJSArray(currentElement)) {
+ if (length + resultIndex > @MAX_SAFE_INTEGER)
+ @throwTypeError("Length exceeded the maximum array length");
+ if (resultIsArray && @isJSArray(currentElement) && length + resultIndex <= @MAX_ARRAY_INDEX) {
@appendMemcpy(result, currentElement, resultIndex);
resultIndex += length;
} else {
@@ -571,8 +571,8 @@
}
}
} else {
- if (resultIndex >= @MAX_ARRAY_INDEX)
- @throwRangeError("Length exceeded the maximum array length");
+ if (resultIndex >= @MAX_SAFE_INTEGER)
+ @throwTypeError("Length exceeded the maximum array length");
@putByValDirect(result, resultIndex++, currentElement);
}
currentElement = arguments[argIndex];
