#131 — 15.4.4.4 and 15.4.4.7 concat and push don't wrap at 2^32

bug_id: 131
creation_ts: 2011-07-14 09:01:00 -0700
short_desc: 15.4.4.4 and 15.4.4.7 concat and push don't wrap at 2^32
delta_ts: 2011-07-20 17:09:36 -0700
product: ECMA-262, Editions 5 and 5.1
component: technical content
version: Edition 5.1
rep_platform: All
op_sys: All
bug_status: CONFIRMED
priority: Normal
bug_severity: normal
blocked: 146
everconfirmed: true
reporter: Allen Wirfs-Brock
assigned_to: Allen Wirfs-Brock
cc: ["brendan", "jwalden+beo"]

commentid: 299
comment_count: 0
who: Allen Wirfs-Brock
bug_when: 2011-07-14 09:01:08 -0700

On Jul 14, 2011, at 5:21 AM, Andrew Oakley wrote:

The other complication I've spotted (I think it crops up elsewhere too)
is what to do if n becomes larger than the maximum array index. My
reading of ECMAScript 3 says that we *should* throw a RangeError but
nobody seems to do that.

Opera and Firefox seem to store n as a 32bit unsigned number - the
length wraps and they start putting properties at the beginning of the
array again. I'm not sure what Chrome is doing (I can't find my values
in the returned array), IE says "out of memory" and I got bored waiting
for Safari.

--
Andrew Oakley

commentid: 300
comment_count: 1
who: Allen Wirfs-Brock
bug_when: 2011-07-14 09:02:46 -0700

This appears to be a (possible) specification bug that first occurs in ES3 and which was not corrected in ES5.

I appears in concat and push. But no other algorithms. The problem occurs when when a length value is incremented and then used as an array index without first applying ToUint32 to the value. It only occurs concat and push because all the other algorithms are bounded by a length value that has had ToUint32 applied to it.

It is probably a bug, because array index based operations generally warp around to 0 at 2^32. I assume that the Firefox implementation was the initial one and it reflects that behavior. However, all array objects (ad generic array like objects) are permitted to have integer property names >= 2^32. These properties are not reflected in the value of the 'length' property (when set by generic array methods for array-like objects). So, there is a slim chance that the specified behavior was intentional in allowing concat and push to leak past the 2^32 element boundary.

We have to possible courses of action:
1) consider the specification to be correct as written.
2) consider this to be a spec. but that we correct in the errata and in future editions.

This is an edge case that probably never occurs in the real world so the choice probably has no real impact. #1 is most consistent with the rest of the ES spec. However, the 2^32 length wrap semantics of arrays is kind of bogus and it might be nice to try to eliminate it in the future. #2 would be a step away from that.

commentid: 301
comment_count: 2
who: Brendan Eich
bug_when: 2011-07-14 09:36:55 -0700

I think we should fix this.

/be

archives

#131 — 15.4.4.4 and 15.4.4.7 concat and push don't wrap at 2^32