#1854 — 8.4.2.2: Add ToUint32() to ensure array invariant
- bug_id: 1854
- creation_ts: 2013-08-29 05:56:00 -0700
- short_desc: 8.4.2.2: Add ToUint32() to ensure array invariant
- delta_ts: 2013-10-29 09:45:05 -0700
- product: Draft for 6th Edition
- component: technical issue
- version: Rev 17: August 23, 2013 Draft
- rep_platform: All
- op_sys: All
- bug_status: RESOLVED
- resolution: FIXED
- priority: Normal
- bug_severity: normal
- everconfirmed: true
- reporter: André Bargull
- assigned_to: Allen Wirfs-Brock
- commentid: 5263
- comment_count: 0
- who: André Bargull
- bug_when: 2013-08-29 05:56:25 -0700
Arrays are currently still restricted to a maximum length of 2^32, but the ArrayCreate() method does not ensure that invariant. This is visible after the latest changes to introduce ToLength().
test case:
---
Array.prototype.map.call({length: 1 + Math.pow(2, 32)}, (x) => x)
---
This will call ArrayCreate() with a length of 1 + 2^32, and then set the "length" property to that value, violating the array invariant.
- commentid: 6009
- comment_count: 1
- who: Allen Wirfs-Brock
- bug_when: 2013-10-28 12:10:12 -0700
fixed in rev20 editor's draft
- commentid: 6043
- comment_count: 2
- who: Allen Wirfs-Brock
- bug_when: 2013-10-29 09:45:05 -0700
fixed in rev20 draft, Oct. 28, 2013
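
An added example, not part of the bug report or the draft text: it compares what ToLength and ToUint32 do with the length from the reported test case, then runs that test case on the host engine. The helper names (`toLength`, `toUint32`, `describeLength`, `runReportedCase`) are this example's own; the published ECMAScript 2015 ArrayCreate throws a RangeError for lengths above 2^32 - 1, which is the outcome the check expects.

```javascript
// Added example: abstract operations re-implemented from their ECMAScript
// definitions; all function names below are this example's own.
const MAX_ARRAY_LENGTH = 2 ** 32 - 1; // largest valid array "length"

// ToLength: clamp an integer to the range [0, 2^53 - 1].
function toLength(value) {
  const n = Math.trunc(Number(value)) || 0; // NaN and -0 become 0
  return Math.min(Math.max(n, 0), Number.MAX_SAFE_INTEGER);
}

// ToUint32: reduce modulo 2^32 (same result as the >>> 0 operator).
function toUint32(value) {
  return Number(value) >>> 0;
}

// Show how each conversion treats an array-like's length and whether
// the ToLength result is still a legal array length.
function describeLength(len) {
  const asLength = toLength(len);
  return {
    toLength: asLength,
    toUint32: toUint32(len),
    fitsArray: asLength <= MAX_ARRAY_LENGTH,
  };
}

// Run the report's test case on the host engine and record the outcome
// instead of letting the exception propagate.
function runReportedCase(len) {
  try {
    const result = Array.prototype.map.call({ length: len }, (x) => x);
    return { threw: null, length: result.length };
  } catch (e) {
    return { threw: e.constructor.name, length: null };
  }
}

const reported = 1 + Math.pow(2, 32); // length used in the report
console.log(describeLength(reported)); // ToLength keeps it, ToUint32 wraps it
console.log(runReportedCase(reported)); // rejected before any array exists
console.log(runReportedCase(3)); // an in-range length still works
```

The wrap to 1 under ToUint32 is the silent-truncation case to watch for when porting length handling to native code: an oversized length is either rejected outright or becomes a small, valid-looking one.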