"substring of" used with potentially out of bounds end in String.prototype.split()

[linusg]

The phrase "the substring of S from inclusiveStart to exclusiveEnd" (where S is a String value or a sequence of code units and inclusiveStart and exclusiveEnd are integers) denotes the String value consisting of the consecutive code units of S beginning at index inclusiveStart and ending immediately before index exclusiveEnd (which is the empty String when inclusiveStart = exclusiveEnd). If the "to" suffix is omitted, the length of S is used as the value of exclusiveEnd.

String.prototype.split() does this:

4. If limit is undefined, let lim be 2**32 - 1; else let lim be ℝ(? ToUint32(limit)).
...
9. If separatorLength = 0, then
    a. Let head be the substring of S from 0 to lim.

String.prototype.substring() for example clamps the values beforehand:

...
6. Let finalStart be the result of clamping intStart between 0 and len.
7. Let finalEnd be the result of clamping intEnd between 0 and len.
8. Let from be min(finalStart, finalEnd).
9. Let to be max(finalStart, finalEnd).
10. Return the substring of S from from to to.