LibJS: Let Array.prototype.toSpliced throw RangeError for len <= 2^53-1
This aligns it with the spec again; it was clarified that the additional range check before ArrayCreate is intentional: https://github.com/tc39/proposal-change-array-by-copy/issues/94 Also cast the final variable to a u64 instead of size_t after we have determined that it is safe to do so, as that's what Array::create() takes now.
parent
5927cdd9c5
commit
4b70ddf5a0
Notes:
sideshowbarker
2024-07-17 09:44:57 +09:00
Author: https://github.com/linusg Commit: https://github.com/SerenityOS/serenity/commit/4b70ddf5a0 Pull-request: https://github.com/SerenityOS/serenity/pull/14469 Reviewed-by: https://github.com/IdanHo
2 changed files with 9 additions and 5 deletions
|
@ -1924,13 +1924,10 @@ JS_DEFINE_NATIVE_FUNCTION(ArrayPrototype::to_spliced)
|
|||
auto new_length_double = static_cast<double>(length) + static_cast<double>(insert_count) - static_cast<double>(actual_delete_count);
|
||||
|
||||
// 12. If newLen > 2^53 - 1, throw a TypeError exception.
|
||||
// FIXME: ArrayCreate throws for any length > 2^32 - 1, so there's no point in letting
|
||||
// values up to 2^53 - 1 through (spec issue). This also prevents a potential
|
||||
// overflow when casting from double to size_t, which is 32 bits on x86.
|
||||
if (new_length_double > NumericLimits<u32>::max())
|
||||
if (new_length_double > MAX_ARRAY_LIKE_INDEX)
|
||||
return vm.throw_completion<TypeError>(global_object, ErrorType::ArrayMaxSize);
|
||||
|
||||
auto new_length = static_cast<size_t>(new_length_double);
|
||||
auto new_length = static_cast<u64>(new_length_double);
|
||||
|
||||
// 13. Let A be ? ArrayCreate(𝔽(newLen)).
|
||||
auto* array = TRY(Array::create(global_object, new_length));
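Review bot: The removed FIXME was the only text explaining that the range check is what makes the following double-to-integer conversion safe, and the new `static_cast<u64>(new_length_double)` is left without that reasoning. Converting a double that lies outside the target type's range is undefined behaviour in C++, so the `new_length_double > MAX_ARRAY_LIKE_INDEX` guard is load-bearing; I would add a comment above the cast such as `// newLen <= 2^53 - 1 here, so the conversion to u64 is exact and in range.` The lower bound is not visible in this hunk: the cast is only safe if `actual_delete_count` can never exceed `length + insert_count`, which presumably the clamping earlier in the function guarantees. The allocation limit now rests entirely on Array::create() rejecting lengths above 2^32 - 1, and that check is also outside this hunk.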
|
||||
|
|
|
@ -97,4 +97,11 @@ describe("errors", () => {
|
|||
Array.prototype.toSpliced.call(a, 0, 0, "foo");
|
||||
}).toThrowWithMessage(TypeError, "Maximum array size exceeded");
|
||||
});
|
||||
|
||||
test("invalid array length", () => {
|
||||
const a = { length: 2 ** 32 - 1 };
|
||||
expect(() => {
|
||||
Array.prototype.toSpliced.call(a, 0, 0, "foo");
|
||||
}).toThrowWithMessage(RangeError, "Invalid array length");
|
||||
});
|
||||
});
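Review bot: The added "invalid array length" test only exercises a new length of 2^32, so the boundary between the TypeError and RangeError paths is not pinned. A case whose resulting length is exactly 2^53 - 1, for example `const a = { length: 2 ** 53 - 2 };` with one inserted element, should expect `RangeError` with "Invalid array length" and would catch an off-by-one in the `>` comparison against MAX_ARRAY_LIKE_INDEX. The `describe("errors", ...)` block and the preceding test start outside this hunk, so I am assuming the earlier case covers a length that pushes the result past 2^53 - 1.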
|
||||
|
|