Array length property wrap-around

Kent Hansen khansen at trolltech.com
Thu Nov 20 07:57:16 PST 2008


Kent Hansen wrote:
> David-Sarah Hopwood wrote:
>> Kent Hansen wrote:
>>  
>>> Hi,
>>> What's supposed to happen when one of the built-in methods (e.g.
>>> Array.prototype.push) tries to assign a value greater than 4294967295 to
>>> the length property?
>>>
>>> js> a = new Array(4294967295); a.push("foo")
>>> 0
>>>
>>> i.e. the length becomes 0.
>>>     
>>
>> This is a specification bug in the Array.prototype.push algorithm
>> (section 15.4.4.7), due to the ToUint32 coercion in step 2.

Just tried it with V8:

V8 version 0.3.4
 > a = new Array(4294967295); a.push("foo")
native array.js:237: RangeError: Invalid array length
  this.length = n + m;
      ^

Kudos, V8 gets it right.

Regards,
Kent
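
Added example (not part of the original message, and not code from any engine): a JavaScript model of the two outcomes shown in the transcripts above, one where the running length is kept as an unsigned 32-bit value and wraps to 0, and one where the new length is range-checked and rejected. The function names and the plain objects standing in for `new Array(4294967295)` are assumptions made for illustration.

```javascript
const TWO_32 = 4294967296;       // 2^32
const MAX_LEN = TWO_32 - 1;      // 4294967295, the largest valid array length

// ToUint32: truncate toward zero, then reduce modulo 2^32.
function toUint32(v) {
  const n = Math.trunc(Number(v));
  if (!Number.isFinite(n)) return 0;
  return ((n % TWO_32) + TWO_32) % TWO_32;
}

// Hypothetical model of the first transcript: the counter is re-coerced to
// uint32 after every increment, so it silently wraps.
function pushWrapping(obj, ...items) {
  let n = toUint32(obj.length);
  for (const item of items) {
    obj[String(n)] = item;
    n = toUint32(n + 1);         // 4294967295 + 1 becomes 0
  }
  obj.length = n;
  return n;
}

// Hypothetical model of the RangeError outcome: compute n + m exactly (both
// fit in a double) and refuse a length outside the uint32 range. This model
// checks before writing any element, which is a choice made for the example.
function pushChecked(obj, ...items) {
  const n = toUint32(obj.length);
  const newLen = n + items.length;
  if (newLen > MAX_LEN) throw new RangeError('Invalid array length');
  items.forEach((item, i) => { obj[String(n + i)] = item; });
  obj.length = newLen;
  return newLen;
}

// Constructed inputs: array-like objects already at the maximum length.
function demo() {
  const a = { length: MAX_LEN };
  const wrapped = pushWrapping(a, 'foo');
  const b = { length: MAX_LEN };
  let error = null;
  try { pushChecked(b, 'foo'); } catch (e) { error = e; }
  return { wrapped, aLength: a.length, stray: a['4294967295'],
           rejected: error instanceof RangeError, bLength: b.length };
}

console.log(demo());
```

In the wrapping model the value is stored under key 4294967295 while length reads 0, so any code that uses length as a bound no longer sees the element that was just pushed.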

