[Webkit-unassigned] [Bug 208639] New: an issue about Array.prototype.lastIndexOf

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 5 06:21:08 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=208639

            Bug ID: 208639
           Summary: an issue about Array.prototype.lastIndexOf
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: 958268052 at qq.com

Description:
According to ES10, the method Array.prototype.lastIndexOf() returns the last index at which a given element can be found in the array, or -1 if it is not present. When the array's length is 4294967296, it will take a long time to find the element because the array is searched backwards. But the engine actually did not; it returned quickly. Since ES6.0, the standard uses "ToLength", not "ToUint32", to deal with the property "length". JavaScriptCore doesn't meet this requirement.

Version: b96bf75
https://github.com/WebKit/webkit/commit/b96bf7590bc090fa8161cff1189255ca3319c94b

Build steps:
Tools/Scripts/build-webkit --debug --jsc-only -j

Testcase:
var NISLFuzzingFunc = function() {
    var obj = {
        0:12,
        length:4294967296
    };
    Array.prototype.lastIndexOf.call(obj, 12);
};
NISLFuzzingFunc();

Execution steps:
webkit/WebKitBuild/Debug/bin/jsc testcase.js

-- 
You are receiving this mail because:
You are the assignee for the bug.
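
The ToLength versus ToUint32 difference described in the report can be checked without a multi-billion-step backward search. This is an added example, not part of the original report or of WebKit's code; the helper names `toLength`, `toUint32` and `lastIndexOfWith` and the sample objects are constructed for illustration, and an explicit `undefined` fromIndex is treated as absent.

```javascript
// ToLength (ES2015 and later): clamp to an integer in [0, 2^53 - 1].
function toLength(value) {
  const n = Math.trunc(Number(value)) || 0; // NaN becomes 0
  return Math.min(Math.max(n, 0), Number.MAX_SAFE_INTEGER);
}

// ToUint32 (ES5.1 behaviour): wrap modulo 2^32, so 4294967296 becomes 0.
function toUint32(value) {
  return Number(value) >>> 0;
}

// Simplified Array.prototype.lastIndexOf steps, parameterised by the
// length conversion so both behaviours can be compared side by side.
function lastIndexOfWith(convertLength, obj, searchElement, fromIndex) {
  const len = convertLength(obj.length);
  if (len === 0) return -1;
  const n = fromIndex === undefined ? len - 1 : Math.trunc(Number(fromIndex)) || 0;
  let k = n >= 0 ? Math.min(n, len - 1) : len + n;
  for (; k >= 0; k--) {
    // HasProperty check first, then strict equality, as in the spec loop.
    if (k in obj && obj[k] === searchElement) return k;
  }
  return -1;
}

// Constructed probe 1: the match sits at the very last index, so a ToLength
// implementation finds it on the first step; a ToUint32 one sees length 0.
const tailHit = { 4294967295: 12, length: 4294967296 };

// Constructed probe 2: the object from the report, with fromIndex = 10 to
// bound the backward search to eleven steps.
const reportObj = { 0: 12, length: 4294967296 };

function compare(obj, element, fromIndex) {
  const args = fromIndex === undefined ? [element] : [element, fromIndex];
  return {
    toLength: lastIndexOfWith(toLength, obj, element, fromIndex),
    toUint32: lastIndexOfWith(toUint32, obj, element, fromIndex),
    // What the engine running this script actually returns.
    engine: Array.prototype.lastIndexOf.call(obj, ...args),
  };
}

console.log('tail hit:     ', compare(tailHit, 12));
console.log('bounded probe:', compare(reportObj, 12, 10));
```

An engine whose `engine` value matches the `toUint32` column rather than the `toLength` column shows the behaviour described in the report.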