ToLength suffers from off-by-one errors #2502
Comments
Isn't the max integer index 2^53 - 2? (Nm, I see it's ≤ there. Only for array indexes is the offset - 2)

Be careful that, in several cases, it is perfectly reasonable to have an “index” that is equal to the “length” of the corresponding string/array. This is the case for RegExp#lastIndex (where it means that the end of the string has been attained), or of Array#slice. (In fact, in those two examples, the “index” is better viewed as a position between two consecutive items, where 0 means “just before the first item” and length means “just after the last item”.)
That's a good point, but I think issues with lastIndex and slice are avoided by the maximum length of Strings and Arrays both being less than the maximum length of array-like objects. Maybe the fix is just to leave ToLength as it is and reduce the maximum value of integer index by one (to 2^53 - 2), updating ToIndex accordingly—and preserving the weirdness of Integer-Indexed exotic objects subjecting "9007199254740992" and other decimal representations of large numbers having exact Number values to the same special treatment as an integer index even though they cannot ever be a valid index.
(found when working through semantics for #2501)
ToLength is described as returning a value "suitable for use as the length of an array-like object", but its algorithm clamps that to 2^53 - 1, which is the maximum possible value of an integer index and therefore one less than the maximum possible length of an array-like object. And some uses of it correspond with the description (LengthOfArrayLike and StringPad), while others correspond with the algorithm (ToIndex and RegExp retrieval of lastIndex). ToIndex itself seems to have a similar problem, with TypedArray and ArrayBuffer and SharedArrayBuffer and InitializeTypedArrayFromArrayBuffer using its output as a length.
I believe this concern does not yet manifest in practice due to the extremely large values in question, but it should still be addressed.
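To make the clamp concrete, here is an added example (written for this page, not text from the issue, the specification, or any engine) that models the abstract operations the issue discusses in plain JavaScript. It assumes the algorithms as the issue describes them: ToLength clamps to 2^53 - 1, ToIndex rejects anything ToLength would change, and LengthOfArrayLike is ToLength applied to a `length` property. Running it shows that a length of 2^53 (one past the maximum integer index) cannot survive ToLength, which is the off-by-one the report is about.

```javascript
"use strict";

// Added example: illustrative models of the ECMAScript abstract operations named in
// the issue. Not the spec's own text or an engine's implementation.
const MAX_INTEGER_INDEX = 2 ** 53 - 1; // same value as Number.MAX_SAFE_INTEGER

// ToIntegerOrInfinity: NaN and ±0 become 0, infinities pass through, everything
// else is truncated toward zero.
function toIntegerOrInfinity(argument) {
  const number = Number(argument);
  if (Number.isNaN(number) || number === 0) return 0;
  if (!Number.isFinite(number)) return number;
  return Math.trunc(number);
}

// ToLength: clamps into [0, 2^53 - 1]. The upper bound equals the maximum integer
// index, so a length of 2^53 collapses to 2^53 - 1 instead of being preserved.
function toLength(argument) {
  const len = toIntegerOrInfinity(argument);
  if (len <= 0) return 0;
  return Math.min(len, MAX_INTEGER_INDEX);
}

// ToIndex: undefined means 0; otherwise the integer must survive ToLength
// unchanged, so values above 2^53 - 1 (or below 0) throw instead of clamping.
function toIndex(value) {
  if (value === undefined) return 0;
  const integer = toIntegerOrInfinity(value);
  const clamped = toLength(integer);
  if (integer !== clamped) {
    throw new RangeError(`index ${integer} is not a valid integer index`);
  }
  return integer;
}

// LengthOfArrayLike: read "length" and run it through ToLength.
function lengthOfArrayLike(obj) {
  return toLength(obj.length);
}

// Evaluate one candidate value through both operations so the two behaviours
// (silent clamp vs. RangeError) can be compared side by side.
function probe(value) {
  let index;
  try {
    index = toIndex(value);
  } catch (e) {
    index = e.name; // "RangeError" for out-of-range inputs
  }
  return { length: toLength(value), index };
}

// Constructed sample inputs: the boundary values from the discussion.
const samples = [2 ** 53 - 1, 2 ** 53, "9007199254740992", -1, NaN, Infinity];
for (const v of samples) {
  const r = probe(v);
  console.log(String(v).padStart(18), "-> ToLength:", r.length, " ToIndex:", r.index);
}
console.log("array-like length 2^53 reads as", lengthOfArrayLike({ length: 2 ** 53 }));
```

The last line is the point of the report: an object claiming `length: 2 ** 53` is reported as having 2^53 - 1 elements, so the position "just after the last item" of a maximum-length array-like is not representable through ToLength, while ToIndex rejects the same value outright.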