Closed Bug 1063993 Opened 11 years ago Closed 11 years ago

Array.from: should coerce negative lengths to zero

Categories

(Core :: JavaScript: Standard Library, defect)

Product:
Core
Component:
JavaScript: Standard Library
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla38

People

(Reporter: ljharb, Unassigned)

References

Details

Attachments

(1 file)

bug1063993.patch
1.91 KB, patch
Details | Diff | Splinter Review
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2 Steps to reproduce: Run `Array.from({length: -1})` in a console. Actual results: Threw a RangeError exception with "invalid array length" Expected results: According to https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.from step 11, the length should be normalized with abstract operation ToLength, which in turn ( https://people.mozilla.org/~jorendorff/es6-draft.html#sec-tolength ) in step 4, says "if length <= +0, then return +0". Thus, `Array.from({length: -1})` should return `[]`.
We already have a bug for this, not only Arry.from, several other methods including Array.fill, Array#lastIndexOf ... should be updated too.
Blocks: 924058
(In reply to ziyunfei from comment #1) > We already have a bug for this, not only Arry.from, several other methods > including Array.fill, Array#lastIndexOf ... should be updated too. s/Array.fill/Array#fill/
Attached patch bug1063993.patchSplinter Review
Attachment #8485468 - Flags: review?(till)
Attachment #8485468 - Flags: review?(jorendorff)
Attachment #8485468 - Flags: review?(evilpies)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Sorry ziyunfei that you don't get any feedback here. Asking three people for review probably made everyone don't really feel responsible for this at all. (Or maybe somebody spoke to you on IRC?) So the thing is in ES6 spec there is a lot more stuff that uses ToLength and when I talked about this bug with Till last week, we agreed it would be better to fix up most of them at the same time.
(In reply to Tom Schuster [:evilpie] from comment #4) > Sorry ziyunfei that you don't get any feedback here. Asking three people for > review probably made everyone don't really feel responsible for this at all. > (Or maybe somebody spoke to you on IRC?) > So the thing is in ES6 spec there is a lot more stuff that uses ToLength and > when I talked about this bug with Till last week, we agreed it would be > better to fix up most of them at the same time. Oh thanks for let me know this.
I'm sorry for the delay, ziyunfei. Please go ahead and fix all places where ToInteger should be ToLength. Don't forget to delete the comment // FIXME: Array operations should use ToLength (bug 924058). when you're fixing that particular place. Many TO_UINT32 calls will still need to be converted; that is bug 924058.
Attachment #8485468 - Flags: review?(till)
Attachment #8485468 - Flags: review?(jorendorff)
Attachment #8485468 - Flags: review?(evilpies)
Depends on: 1121391
Changing blocked/blocking: bug 1121391 being fixed requires this bug to be fixed, not really the other way around.
Blocks: 1121391
No longer depends on: 1121391
Fixed in bug 1121391.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Component: JavaScript Engine → JavaScript: Standard Library
OS: Mac OS X → All
Hardware: x86 → All
Target Milestone: --- → mozilla38
Version: 32 Branch → Trunk
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: