Array length property wrap-around
khansen at trolltech.com
Thu Nov 20 07:57:16 PST 2008
Kent Hansen wrote:
> David-Sarah Hopwood wrote:
>> Kent Hansen wrote:
>>> What's supposed to happen when one of the built-in methods (e.g.
>>> Array.prototype.push) tries to assign a value greater than
>>> 4294967295 to
>>> the length property?
>>> js> a = new Array(4294967295); a.push("foo")
>>> i.e. the length becomes 0.
>> This is a specification bug in the Array.prototype.push algorithm
>> (section 184.108.40.206), due to the ToUint32 coercion in step 2.
Just tried it with V8:
V8 version 0.3.4
> a = new Array(4294967295); a.push("foo")
native array.js:237: RangeError: Invalid array length
this.length = n + m;
Kudos, V8 gets it right.
More information about the Es-discuss