[Webkit-unassigned] [Bug 187777] New: Unexpected behavior if object length property exceed 2³²
bugzilla-daemon at webkit.org
Wed Jul 18 11:47:43 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=187777
Bug ID: 187777
Summary: Unexpected behavior if object length property exceed 2³²
Product: WebKit
Version: Safari 11
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: isol2 at cin.ufpe.br
Hi everyone,
I found an inconsistency in JSC when we try to push a new element into an Object that uses the Array.prototype.push method.
Seems like a ToUint32 conversion on JSC, while the other engines exceed this value.
In addition, it was observed that JSC pushes the element at index 0 and index length-1.
OS: Ubuntu 16.04 x64
build version: 233840
Steps to reproduce:
var o = { length : 2**32, push : Array.prototype.push };
print(o.push('A'));
print(o[0], o[o.length-1]);
Actual results:
1
A A
Expected results:
4294967297
undefined A
V8, SpiderMonkey, Chakra and XS work as expected.
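The two length conversions behind the report's expected and actual results, as an added example that is not part of the original report and is not JavaScriptCore's code. `modelPush`, `toLength`, `toUint32` and `reproduce` are hypothetical names; the push steps follow the ECMAScript algorithm, where ES5.1 used ToUint32 for the length and ES2015 and later use ToLength.

```javascript
// ToLength (ES2015+): integer clamped to the range [0, 2^53 - 1].
function toLength(value) {
  const n = Math.trunc(Number(value)) || 0; // NaN and -0 become 0
  return Math.min(Math.max(n, 0), Number.MAX_SAFE_INTEGER);
}

// ToUint32 (used by ES5.1 push): integer reduced modulo 2^32.
function toUint32(value) {
  return Number(value) >>> 0;
}

// Model of the generic Array.prototype.push steps on an arbitrary object,
// parameterised by the conversion applied to obj.length.
function modelPush(obj, convertLength, ...items) {
  let len = convertLength(obj.length);
  if (len + items.length > Number.MAX_SAFE_INTEGER) {
    throw new TypeError('length would exceed 2^53 - 1');
  }
  for (const item of items) {
    obj[String(len)] = item; // element is stored at the converted length
    len += 1;
  }
  obj.length = len;
  return len;
}

// Runs the report's reproduction steps against one conversion and records
// the return value, the two reads from the report, and where 'A' landed.
function reproduce(convertLength) {
  const o = { length: 2 ** 32 };
  const returned = modelPush(o, convertLength, 'A');
  const index = Object.keys(o).find((k) => k !== 'length');
  return { returned, first: o[0], last: o[o.length - 1], index };
}

const specResult = reproduce(toLength);    // matches "Expected results"
const wrappedResult = reproduce(toUint32); // matches "Actual results"
console.log('ToLength:', specResult);
console.log('ToUint32:', wrappedResult);
```

With the modulo-2^32 conversion the length wraps to 0, so index 0 and index length-1 are the same property after the push.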