Array length property wrap-around
david.hopwood at industrial-designers.co.uk
Thu Nov 20 01:33:27 PST 2008
David-Sarah Hopwood wrote:
> Kent Hansen wrote:
>> What's supposed to happen when one of the built-in methods (e.g.
>> Array.prototype.push) tries to assign a value greater than 4294967295 to
>> the length property?
>> js> a = new Array(4294967295); a.push("foo")
>> i.e. the length becomes 0.
> This is a specification bug in the Array.prototype.push algorithm
> (section 126.96.36.199), due to the ToUint32 coercion in step 2.
Oh, but the length is initially less than 2**32 - 1, so this
coercion cannot make a difference in the case where 'this' is a
native Array object. There must be another implementation bug in
addition to the one that causes the array length invariant to be
violated in your tests.

The changes I suggested are still valid, and desirable in order
for non-(native arrays) to be handled correctly.
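
Added example, not part of the original message: a JavaScript model of the push steps discussed above (ToUint32 on the length, store, write the length back), run against a non-array object whose length is already 2**32 and against a native Array at its maximum length. The names es3Push, genericWrap, nativeAtMax and builtinPush are assumptions of this example; the last line shows that the built-in push in current engines, which coerce with ToLength instead of ToUint32, no longer wraps for generic objects.

```javascript
// Constructed illustration; es3Push is a hand-written model, not an engine API.
const MAX_LEN = 2 ** 32 - 1; // largest legal native Array length

// Model of the ES3-era push steps: coerce length with ToUint32, store each
// item at ToString(n), then write n back to "length".
function es3Push(obj, ...items) {
  let n = obj.length >>> 0; // ">>> 0" is ToUint32: value modulo 2**32
  for (const item of items) {
    obj[String(n)] = item;
    n += 1; // plain Number arithmetic, so n can reach 2**32
  }
  obj.length = n; // a native Array rejects any value above MAX_LEN here
  return n;
}

// Non-array object whose length is already 2**32: the coercion wraps to 0,
// so the push overwrites slot 0 and shrinks the reported length to 1.
function genericWrap() {
  const obj = { 0: "first", length: 2 ** 32 };
  const returned = es3Push(obj, "foo");
  return { returned, slot0: obj[0], length: obj.length };
}

// Native Array at maximum length, pushed with the given function.
function nativeAtMax(pushFn) {
  const a = new Array(MAX_LEN); // sparse, no elements are allocated
  let error = null;
  try {
    pushFn(a, "foo");
  } catch (e) {
    error = e.name;
  }
  // "4294967295" is not an array index, so the item lands as a plain property.
  return { error, length: a.length, stray: a[String(MAX_LEN)] };
}

const builtinPush = (o, ...items) => Array.prototype.push.call(o, ...items);

console.log(genericWrap());
console.log(nativeAtMax(es3Push));
console.log(nativeAtMax(builtinPush));
console.log(builtinPush({ length: 2 ** 32 }, "foo"));
```

For the native Array the length write fails with a RangeError and the length stays at 4294967295, so the invariant holds; code that must stay safe on array-likes should range-check the length itself rather than rely on the coercion.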