author | Linus Groh <mail@linusgroh.de> | 2022-07-03 16:39:12 +0200 |
---|---|---|
committer | Linus Groh <mail@linusgroh.de> | 2022-07-04 10:10:11 +0200 |
commit | 4b70ddf5a035141a6ee33e0145d6da7f89aa0a4d (patch) | |
tree | 38a323a569331d0934f08d2f09c90b4df4b54b70 /Userland/Libraries/LibJS | |
parent | 5927cdd9c5a4a9e4f7698fa4318b69b8da6241b2 (diff) | |
download | serenity-4b70ddf5a035141a6ee33e0145d6da7f89aa0a4d.zip |
LibJS: Let Array.prototype.toSpliced throw RangeError for len <= 2^53-1
This aligns it with the spec again; it was clarified that the additional
range check before ArrayCreate is intentional:
https://github.com/tc39/proposal-change-array-by-copy/issues/94
Also cast the final variable to an u64 instead of size_t after we have
determined that it is safe to do so, as that's what Array::create()
takes now.
Diffstat (limited to 'Userland/Libraries/LibJS')
-rw-r--r-- | Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp | 7 | ||||
-rw-r--r-- | Userland/Libraries/LibJS/Tests/builtins/Array/Array.prototype.toSpliced.js | 7 |
2 files changed, 9 insertions, 5 deletions
diff --git a/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp b/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
index 7147115c3b..6d7e198348 100644
--- a/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
+++ b/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
@@ -1924,13 +1924,10 @@ JS_DEFINE_NATIVE_FUNCTION(ArrayPrototype::to_spliced)
 auto new_length_double = static_cast<double>(length) + static_cast<double>(insert_count) - static_cast<double>(actual_delete_count);
 // 12. If newLen > 2^53 - 1, throw a TypeError exception.
- // FIXME: ArrayCreate throws for any length > 2^32 - 1, so there's no point in letting
- // values up to 2^53 - 1 through (spec issue). This also prevents a potential
- // overflow when casting from double to size_t, which is 32 bits on x86.
- if (new_length_double > NumericLimits<u32>::max())
+ if (new_length_double > MAX_ARRAY_LIKE_INDEX)
 return vm.throw_completion<TypeError>(global_object, ErrorType::ArrayMaxSize);
- auto new_length = static_cast<size_t>(new_length_double);
+ auto new_length = static_cast<u64>(new_length_double);
 // 13. Let A be ? ArrayCreate(𝔽(newLen)).
 auto* array = TRY(Array::create(global_object, new_length));
diff --git a/Userland/Libraries/LibJS/Tests/builtins/Array/Array.prototype.toSpliced.js b/Userland/Libraries/LibJS/Tests/builtins/Array/Array.prototype.toSpliced.js
index 231ee425af..3575e50148 100644
--- a/Userland/Libraries/LibJS/Tests/builtins/Array/Array.prototype.toSpliced.js
+++ b/Userland/Libraries/LibJS/Tests/builtins/Array/Array.prototype.toSpliced.js
@@ -97,4 +97,11 @@ describe("errors", () => {
 Array.prototype.toSpliced.call(a, 0, 0, "foo");
 }).toThrowWithMessage(TypeError, "Maximum array size exceeded");
 });
+
+ test("invalid array length", () => {
+ const a = { length: 2 ** 32 - 1 };
+ expect(() => {
+ Array.prototype.toSpliced.call(a, 0, 0, "foo");
+ }).toThrowWithMessage(RangeError, "Invalid array length");
+ });
 });
|
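Review bot: The removed FIXME was the only text recording why the double-to-integer cast cannot overflow; the new `static_cast<u64>(new_length_double)` is safe only because the `> MAX_ARRAY_LIKE_INDEX` check immediately above bounds the value (at most 2^53 - 1 per the commit message), and that dependency is now undocumented. Suggest a one-line why-comment on the cast, `// Safe: the step-12 check above bounds new_length_double to MAX_ARRAY_LIKE_INDEX, which fits in u64.`. Lengths between 2^32 and 2^53 - 1 now reach Array::create, so rejecting an oversized allocation rests entirely on Array::create's own length check — presumably the RangeError the new JS test exercises — which is worth stating in the same comment so a later change to Array::create does not silently reopen the path. The body of to_spliced starts and ends outside the hunk.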
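Review bot: The new test's name `"invalid array length"` only repeats the expected message, and it sits directly beside the `TypeError, "Maximum array size exceeded"` case, so the boundary each one covers is not readable from the names. Naming the range would make the distinction explicit, e.g. `test("length above 2^32 - 1 but below 2^53 throws RangeError", () => {`. The enclosing describe block opens outside the hunk.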