[Webkit-unassigned] [Bug 199663] New: A defect of Array.prototype.lastIndexOf method
bugzilla-daemon at webkit.org
Wed Jul 10 02:27:57 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=199663
Bug ID: 199663
Summary: A defect of Array.prototype.lastIndexOf method
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: yaohouyou at stumail.nwu.edu.cn
Version: <d940b47>
OS: <ubuntu 16.04>
#Testcase:
var foo = function () {
    var targetObj = ['hello', 'world'];
    var obj = {
        0: targetObj,
        1: 1234,
        2: targetObj,
        4294967294: targetObj,
        4294967295: targetObj,
        length: 4294967299
    };
    return Array.prototype.lastIndexOf.call(obj, targetObj);
};
var result = foo();
print(result);
#Command:
./webkit/WebKitBuild/Release/bin/jsc testcase.js
#Output:
2
#Expected output:
4294967295
#Description:
When using the above testcase, JSC outputs 2, which is the wrong result. This is caused by a defect of ES5.1. If the length of an object is more than 2^32, the result will be wrong because the ToUint32 method computes len % 2^32, which makes the lastIndexOf method search for the target object from index 2 in this testcase.
So we suggest that it's better to update the Array.prototype.lastIndexOf method according to ES2015.
The ECMAScript standard references are as follows:
http://www.ecma-international.org/ecma-262/5.1/index.html#sec-15.4.4.15
http://www.ecma-international.org/ecma-262/6.0/index.html#sec-array.prototype.lastindexof
Furthermore, the output of other engines, such as V8, SpiderMonkey and Chakra, is 4294967295.
--
You are receiving this mail because:
You are the assignee for the bug.
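
The length handling described in the report, as an added example that is not part of the original message and is not JavaScriptCore code: it runs the same search once with the ES5.1 ToUint32 length and once with the ES2015 ToLength length on the report's object. The helper names (toUint32, toLength, lastIndexOfWith, compareLengthRules) are hypothetical.

```javascript
// Added example: hypothetical helper names, not JavaScriptCore source.

// ES5.1 15.4.4.15: len = ToUint32(O.length), i.e. the value modulo 2^32.
function toUint32(value) {
  return Number(value) >>> 0;
}

// ES2015 ToLength: truncate to an integer and clamp to [0, 2^53 - 1]; no wrap.
function toLength(value) {
  const n = Math.trunc(Number(value)) || 0; // NaN becomes 0
  return Math.min(Math.max(n, 0), Number.MAX_SAFE_INTEGER);
}

// lastIndexOf with no fromIndex argument (the case in the report):
// start at len - 1 and walk down, skipping indices that are not present.
function lastIndexOfWith(lengthOp, obj, target) {
  const len = lengthOp(obj.length);
  for (let k = len - 1; k >= 0; k--) {
    if (k in obj && obj[k] === target) return k;
  }
  return -1;
}

// Rebuilds the report's object and returns the index each length rule yields.
function compareLengthRules() {
  const targetObj = ['hello', 'world'];
  const obj = {
    0: targetObj, 1: 1234, 2: targetObj,
    4294967294: targetObj, 4294967295: targetObj,
    length: 4294967299
  };
  return {
    wrappedLength: toUint32(obj.length),               // 4294967299 mod 2^32
    es51: lastIndexOfWith(toUint32, obj, targetObj),   // search starts at index 2
    es2015: lastIndexOfWith(toLength, obj, targetObj), // search starts at 4294967298
    engine: Array.prototype.lastIndexOf.call(obj, targetObj) // whatever runs this file
  };
}

console.log(compareLengthRules());
```

Both searches return after a few steps here because a match sits near the top of each range; with the ToLength rule, a target that is absent from an object with a very large length makes the loop visit every index.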