Re: Array length property wrap-around [nitpicking]
I wrote:

ToArrayLength(V)
1. Call ToNumber(V).
2. If Result(1) is not a nonnegative integer less than or equal to ArrayLengthLimit, then throw a RangeError.

... then throw a RangeError exception.

[...]

The resulting 'concat', 'push', and 'unshift' methods can throw a RangeError because the length of the array they create would be greater than ArrayLengthLimit; the others (excluding 'splice') can only throw a RangeError when they operate on an object that is not a native array and has an invalid length property.

... will only throw a RangeError from ToArrayLength ... (It is possible that something else they call may throw a RangeError.)

--
David-Sarah Hopwood

___
Es-discuss mailing list
Es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
Re: Array length property wrap-around
David-Sarah Hopwood wrote:

Kent Hansen wrote:

Hi,
What's supposed to happen when one of the built-in methods (e.g. Array.prototype.push) tries to assign a value greater than 4294967295 to the length property?

js a = new Array(4294967295); a.push(foo)
0

i.e. the length becomes 0.

This is a specification bug in the Array.prototype.push algorithm (section 15.4.4.7), due to the ToUint32 coercion in step 2.

Oh, but the length is initially less than 2**32 - 1, so this coercion cannot make a difference in the case where 'this' is a native Array object. There must be another implementation bug in addition to the one that causes the array length invariant to be violated in your tests.

The changes I suggested are still valid, and desirable in order for non-(native arrays) to be handled correctly.

--
David-Sarah Hopwood
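The difference between the ToUint32 coercion in push step 2 and the ToArrayLength check proposed earlier in the thread, applied to an object that is not a native array, as an added example that is not code from the thread. The function names are hypothetical, and ArrayLengthLimit is assumed to be 2**32 - 1.

```javascript
// Added illustration, not code from the thread. Function names are hypothetical.
// Assumption: ArrayLengthLimit is 2**32 - 1 (4294967295).
const ARRAY_LENGTH_LIMIT = 4294967295;

// ES3-style ToUint32: truncates and reduces modulo 2**32, so it wraps silently.
function toUint32(v) {
  return Number(v) >>> 0;
}

// ToArrayLength as sketched in the thread: reject out-of-range values.
function toArrayLength(v) {
  const n = Number(v);
  if (!Number.isInteger(n) || n < 0 || n > ARRAY_LENGTH_LIMIT) {
    throw new RangeError("Invalid array length: " + String(v));
  }
  return n;
}

// Generic push using the ToUint32 coercion on the length that it reads.
function pushWrapping(obj, ...items) {
  let n = toUint32(obj.length);
  for (const item of items) obj[n++] = item;
  obj.length = n;
  return n;
}

// Generic push that validates the old and the new length before mutating.
function pushChecked(obj, ...items) {
  const n = toArrayLength(obj.length);
  const newLength = toArrayLength(n + items.length);
  items.forEach((item, i) => { obj[n + i] = item; });
  obj.length = newLength;
  return newLength;
}

// Constructed input: an array-like object (not a native array) whose length
// is 2**32, one past the assumed limit.
function demo() {
  const make = () => ({ 0: "first", length: 4294967296 });
  const wrapped = make();
  const wrappedResult = pushWrapping(wrapped, "x"); // overwrites index 0
  const checked = make();
  let error = null;
  try { pushChecked(checked, "x"); } catch (e) { error = e; }
  return { wrapped, wrappedResult, checked, error };
}
```

With the wrapping coercion the existing element at index 0 is overwritten and the length is reported as 1; with the check the object is left untouched and a RangeError is raised.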
Re: Array length property wrap-around
Kent Hansen wrote:

David-Sarah Hopwood wrote:

Kent Hansen wrote:

Hi,
What's supposed to happen when one of the built-in methods (e.g. Array.prototype.push) tries to assign a value greater than 4294967295 to the length property?

js a = new Array(4294967295); a.push(foo)
0

i.e. the length becomes 0.

This is a specification bug in the Array.prototype.push algorithm (section 15.4.4.7), due to the ToUint32 coercion in step 2.

Just tried it with V8:

V8 version 0.3.4
a = new Array(4294967295); a.push(foo)
native array.js:237: RangeError: Invalid array length
this.length = n + m;
^

Kudos, V8 gets it right.

Regards,
Kent