Reviewers: rossberg,
Message:
Please take a look
Description:
Add type checks to typed array property getters.
R=rossb...@chromium.org
Please review this at https://codereview.chromium.org/14650014/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/messages.js
M src/runtime.cc
M test/mjsunit/harmony/typedarrays.js
Index: src/messages.js
diff --git a/src/messages.js b/src/messages.js
index
43400fa8e0f5658916efc443e15d3c27c8c20275..9131d816ab210d4b17decb425df62c9b9e3a1c08
100644
--- a/src/messages.js
+++ b/src/messages.js
@@ -103,6 +103,7 @@ var kMessages = {
proto_poison_pill: ["Generic use of __proto__ accessor not
allowed"],
parameterless_typed_array_constr:
["%0"," constructor should have at least
one argument."],
+ not_typed_array: ["this is not a typed array."],
// RangeError
invalid_array_length: ["Invalid array length"],
invalid_array_buffer_length: ["Invalid array buffer length"],
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index
8cd2de21b6c7513752456a06b374a8246cc4cb8e..7e7254aa33e6f5bd3291ac3347540d808f4fa4b5
100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -869,11 +869,15 @@ RUNTIME_FUNCTION(MaybeObject*,
Runtime_TypedArrayInitialize) {
#define TYPED_ARRAY_GETTER(getter, accessor) \
- RUNTIME_FUNCTION(MaybeObject*, Runtime_TypedArrayGet##getter) { \
- HandleScope scope(isolate); \
- ASSERT(args.length() == 1); \
- CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, holder, 0); \
- return holder->accessor(); \
+ RUNTIME_FUNCTION(MaybeObject*, Runtime_TypedArrayGet##getter)
{ \
+ HandleScope
scope(isolate); \
+ ASSERT(args.length() ==
1); \
+ CONVERT_ARG_HANDLE_CHECKED(Object, holder,
0); \
+ if
(!holder->IsJSTypedArray()) \
+ return
isolate->Throw(*isolate->factory()->NewTypeError( \
+ "not_typed_array", HandleVector<Object>(NULL,
0))); \
+ Handle<JSTypedArray>
typed_array(JSTypedArray::cast(*holder)); \
+ return
typed_array->accessor(); \
}
TYPED_ARRAY_GETTER(Buffer, buffer)
Index: test/mjsunit/harmony/typedarrays.js
diff --git a/test/mjsunit/harmony/typedarrays.js
b/test/mjsunit/harmony/typedarrays.js
index
ca76fe7bdfdd6dfdb8b5f5f04b36eb461de91fb6..301577b78a4efea9ed46985675fd9a30ccee01d8
100644
--- a/test/mjsunit/harmony/typedarrays.js
+++ b/test/mjsunit/harmony/typedarrays.js
@@ -271,11 +271,33 @@ TestTypedArrayOutOfRange(Int16Array, 0x1FFFA, 0x7FFA
- 0x8000);
TestTypedArrayOutOfRange(Uint32Array, 0x1FFFFFFFA, 0xFFFFFFFA);
TestTypedArrayOutOfRange(Uint32Array, -1, 0xFFFFFFFF);
-TestTypedArrayOutOfRange(Int16Array, 0x1FFFFFFFA, 0x7FFFFFFA - 0x80000000);
+TestTypedArrayOutOfRange(Int32Array, 0x1FFFFFFFA, 0x7FFFFFFA - 0x80000000);
TestTypedArrayOutOfRange(Uint8ClampedArray, 0x1FA, 0xFF);
TestTypedArrayOutOfRange(Uint8ClampedArray, -1, 0);
+function TestPropertyTypeChecks(constructor) {
+ function CheckThrows(name) {
+ var d = Object.getOwnPropertyDescriptor(constructor.prototype, name);
+ var o = {}
+ assertThrows(function() {d.get.call(o);}, TypeError);
+ }
+
+ CheckThrows("buffer");
+ CheckThrows("byteOffset");
+ CheckThrows("byteLength");
+ CheckThrows("length");
+}
+
+TestPropertyTypeChecks(Uint8Array);
+TestPropertyTypeChecks(Int8Array);
+TestPropertyTypeChecks(Uint16Array);
+TestPropertyTypeChecks(Int16Array);
+TestPropertyTypeChecks(Uint32Array);
+TestPropertyTypeChecks(Int32Array);
+TestPropertyTypeChecks(Uint8ClampedArray);
+TestPropertyTypeChecks(Float32Array);
+TestPropertyTypeChecks(Float64Array);
// General tests for properties
--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
