Array length property wrap-around

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Thu Nov 20 01:33:27 PST 2008


David-Sarah Hopwood wrote:
> Kent Hansen wrote:
>> Hi,
>> What's supposed to happen when one of the built-in methods (e.g.
>> Array.prototype.push) tries to assign a value greater than 4294967295 to
>> the length property?
>>
>> js> a = new Array(4294967295); a.push("foo")
>> 0
>>
>> i.e. the length becomes 0.
> 
> This is a specification bug in the Array.prototype.push algorithm
> (section 15.4.4.7), due to the ToUint32 coercion in step 2.

Oh, but the length is initially less than 2**32 - 1, so this
coercion cannot make a difference in the case where 'this' is a
native Array object. There must be another implementation bug in
addition to the one that causes the array length invariant to be
violated in your tests.

The changes I suggested are still valid, and desirable in order
for non-(native arrays) to be handled correctly.

-- 
David-Sarah Hopwood


More information about the Es-discuss mailing list