Skip to site navigation (Press enter)

[webkit-changes] [207204] branches/safari-602-branch

matthew_hanson Wed, 12 Oct 2016 01:41:47 -0700

Title: [207204] branches/safari-602-branch

Revision: 207204
Author: matthew_han...@apple.com
Date: 2016-10-12 01:41:25 -0700 (Wed, 12 Oct 2016)

Log Message

Merge r204868. rdar://problem/28216263


Modified Paths

branches/safari-602-branch/JSTests/ChangeLog
branches/safari-602-branch/JSTests/stress/typedarray-slice.js
branches/safari-602-branch/Source/_javascript_Core/ChangeLog
branches/safari-602-branch/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

Diff

Modified: branches/safari-602-branch/JSTests/ChangeLog (207203 => 207204)


--- branches/safari-602-branch/JSTests/ChangeLog	2016-10-12 08:41:21 UTC (rev 207203)
+++ branches/safari-602-branch/JSTests/ChangeLog	2016-10-12 08:41:25 UTC (rev 207204)
@@ -1,5 +1,22 @@
 2016-10-12  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r204868. rdar://problem/28216263
+
+    2016-08-23  Keith Miller  <keith_mil...@apple.com>
+
+            %TypedArray%.prototype.slice needs to check that the source and destination have not been detached.
+            https://bugs.webkit.org/show_bug.cgi?id=161031
+            <rdar://problem/27937019>
+
+            Reviewed by Geoffrey Garen.
+
+            * stress/typedarray-slice.js:
+            (get let):
+            (get try):
+            (testSpeciesWithTransferring):
+
+2016-10-12  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r204612. rdar://problem/28216278
 
     2016-08-18  Mark Lam  <mark....@apple.com>

Modified: branches/safari-602-branch/JSTests/stress/typedarray-slice.js (207203 => 207204)


--- branches/safari-602-branch/JSTests/stress/typedarray-slice.js	2016-10-12 08:41:21 UTC (rev 207203)
+++ branches/safari-602-branch/JSTests/stress/typedarray-slice.js	2016-10-12 08:41:25 UTC (rev 207204)
@@ -135,8 +135,38 @@
         return false;
     });
 }
-
 shouldBeTrue("forEachTypedArray(subclasses, testSpeciesWithSameBuffer)");
 
+function testSpeciesWithTransferring(unused, constructor) {
 
+    let array = new constructor(10);
+    Object.defineProperty(constructor, Symbol.species, { get() {
+        transferArrayBuffer(array.buffer);
+        return undefined;
+    }, configurable: true });
+
+    try {
+        array.slice(0,1);
+        return false;
+    } catch (e) { }
+
+    array = new constructor(10);
+    Object.defineProperty(constructor, Symbol.species, { get() {
+        return function(len) {
+            let a = new constructor(len);
+            transferArrayBuffer(a.buffer);
+            return a;
+        }
+    }, configurable: true });
+
+    try {
+        array.slice(0,1);
+        return false;
+    } catch (e) { }
+
+    return true;
+}
+
+shouldBeTrue("forEachTypedArray(typedArrays, testSpeciesWithTransferring)");
+
 finishJSTest();

Modified: branches/safari-602-branch/Source/_javascript_Core/ChangeLog (207203 => 207204)


--- branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-10-12 08:41:21 UTC (rev 207203)
+++ branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-10-12 08:41:25 UTC (rev 207204)
@@ -1,5 +1,21 @@
 2016-10-12  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r204868. rdar://problem/28216263
+
+    2016-08-23  Keith Miller  <keith_mil...@apple.com>
+
+            %TypedArray%.prototype.slice needs to check that the source and destination have not been detached.
+            https://bugs.webkit.org/show_bug.cgi?id=161031
+            <rdar://problem/27937019>
+
+            Reviewed by Geoffrey Garen.
+
+            * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+            (JSC::speciesConstruct):
+            (JSC::genericTypedArrayViewProtoFuncSlice):
+
+2016-10-12  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r204612. rdar://problem/28216278
 
     2016-08-18  Mark Lam  <mark....@apple.com>

Modified: branches/safari-602-branch/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h (207203 => 207204)


--- branches/safari-602-branch/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h	2016-10-12 08:41:21 UTC (rev 207203)
+++ branches/safari-602-branch/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h	2016-10-12 08:41:25 UTC (rev 207204)
@@ -69,9 +69,14 @@
     if (exec->hadException())
         return nullptr;
 
-    if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(result))
-        return view;
+    if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(result)) {
+        if (!view->isNeutered())
+            return view;
 
+        throwTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
+        return nullptr;
+    }
+
     throwTypeError(exec, ASCIILiteral("species constructor did not return a TypedArray View"));
     return nullptr;
 }
@@ -441,6 +446,10 @@
     if (exec->hadException())
         return JSValue::encode(JSValue());
 
+    ASSERT(!result->isNeutered());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
+
     // We return early here since we don't allocate a backing store if length is 0 and memmove does not like nullptrs
     if (!length)
         return JSValue::encode(result);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes