Closed Bug 1247275 Opened 8 years ago Closed 8 years ago

LookupDtoaCache conflates 0 and -0, thus conflating property names "0" and "-0"

Tracking

()

Status:

RESOLVED INVALID

People

(Reporter: lth, Unassigned)

References

Details

Lars T Hansen [:lth]

Reporter

Description

•

8 years ago

LookupDtoaCache conflates 0 and -0.  So far as I can tell, this will affect the correctness of js::ToAtom and js::ValueToId.

This is in connection with the CanonicalNumericIndexString() algorithm in ES6, which handles -0 specially: http://www.ecma-international.org/ecma-262/6.0/#sec-canonicalnumericindexstring

We can see this in the current JS shell in several places, but here's one:

js> ["hi"].hasOwnProperty(0)
true
js> ["hi"].hasOwnProperty(0/-1)
true

The last uses the property name "-0".  I'm pretty sure the answer should be false, by 3.c.iv here: http://www.ecma-international.org/ecma-262/6.0/#sec-integer-indexed-exotic-objects-hasproperty-p

Lars T Hansen [:lth]

Reporter

Comment 1

•

8 years ago

Although I note that both Chrome 50 and Safari 9.0.3 also print "true" for the last case.

Lars T Hansen [:lth]

Reporter

Comment 2

•

8 years ago

Having looked at this some more I don't think this is a problem for ToAtom and ValueToId: for property names, -0 and 0 should be treated the same.

Status: NEW → RESOLVED

Closed: 8 years ago

Resolution: --- → INVALID

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

LookupDtoaCache conflates 0 and -0, thus conflating property names "0" and "-0"

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: lth, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2