Open Bug 1792151 Opened 2 years ago Updated 2 years ago

Reject creating tuple from array with indexed properties

Tracking

()

Status:

NEW

People

(Reporter: anba, Unassigned)

References

(Blocks 1 open bug)

Details

André Bargull [:anba]

Reporter

Description

•

2 years ago

var list = new Int32Array(1 << 28);
list[Symbol.iterator] = null;

// Probably takes some time. :-)
var tuple = Tuple.from(list);

assertEq(tuple.length, list.length);

Expected: No error thrown.
Actual: Throws Assertion failed: got 268435453, expected 268435456.

Note: 268435453 is MAX_DENSE_ELEMENTS_COUNT.

ArrayToTuple should probably have these extra checks:

NativeObject::isIndexed() should be false.
IsPackedArray() should be true.

Bryan Thrall [:bthrall]

Updated

•

2 years ago

Severity: -- → N/A

Priority: -- → P3

Steven DeTar [:sdetar]

Updated

•

2 years ago

Severity: N/A → S3

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Reject creating tuple from array with indexed properties

Categories

(Core :: JavaScript Engine, defect, P3)

Tracking

()

People

(Reporter: anba, Unassigned)

References

(Blocks 1 open bug)

Details

Crash Data

Security

(public)

User Story

Description

Updated

Updated