[webkit-changes] [200667] trunk/Source/JavaScriptCore

[keith_miller]

Title: [200667] trunk/Source/_javascript_Core

Revision

200667

Author

keith_mil...@apple.com

Date

2016-05-10 19:04:19 -0700 (Tue, 10 May 2016)

Log Message

TypedArray.prototype.slice should use the byteLength of passed array for memmove
https://bugs.webkit.org/show_bug.cgi?id=157551
<rdar://problem/26179914>

Reviewed by Michael Saboff.

The TypedArray.prototype.slice function would use the byteLength of the passed array
to determine the amount of data to copy. It should have been using the passed length
times the size of each element. This fixes a crash on JavaPoly.com

* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::set):
* tests/stress/typedarray-slice.js:

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h
• trunk/Source/_javascript_Core/tests/stress/typedarray-slice.js

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (200666 => 200667)

--- trunk/Source/_javascript_Core/ChangeLog	2016-05-11 01:56:00 UTC (rev 200666)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-05-11 02:04:19 UTC (rev 200667)
@@ -1,3 +1,19 @@
+2016-05-10  Keith Miller  <keith_mil...@apple.com>
+
+        TypedArray.prototype.slice should use the byteLength of passed array for memmove
+        https://bugs.webkit.org/show_bug.cgi?id=157551
+        <rdar://problem/26179914>
+
+        Reviewed by Michael Saboff.
+
+        The TypedArray.prototype.slice function would use the byteLength of the passed array
+        to determine the amount of data to copy. It should have been using the passed length
+        times the size of each element. This fixes a crash on JavaPoly.com
+
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::JSGenericTypedArrayView<Adaptor>::set):
+        * tests/stress/typedarray-slice.js:
+
 2016-05-10  Michael Saboff  <msab...@apple.com>
 
         REGRESSION(r200447): Unable to build C_LOOP with clang version 800.0.12 or higher

Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h (200666 => 200667)

--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h	2016-05-11 01:56:00 UTC (rev 200666)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h	2016-05-11 02:04:19 UTC (rev 200667)
@@ -231,7 +231,7 @@
         if (!validateRange(exec, offset, length))
             return false;
 
-        memmove(typedVector() + offset, other->typedVector() + objectOffset, other->byteLength());
+        memmove(typedVector() + offset, other->typedVector() + objectOffset, length * elementSize);
         return true;
     }
     

Modified: trunk/Source/_javascript_Core/tests/stress/typedarray-slice.js (200666 => 200667)

--- trunk/Source/_javascript_Core/tests/stress/typedarray-slice.js	2016-05-11 01:56:00 UTC (rev 200666)
+++ trunk/Source/_javascript_Core/tests/stress/typedarray-slice.js	2016-05-11 02:04:19 UTC (rev 200667)
@@ -20,6 +20,7 @@
 shouldBeTrue("testPrototypeFunction('slice', '(-3, -2)', [12, 5, 8, 13, 44], [8])");
 shouldBeTrue("testPrototypeFunction('slice', '(4, 2)', [12, 5, 8, 13, 44], [])");
 shouldBeTrue("testPrototypeFunction('slice', '(-50, 50)', [12, 5, 8, 13, 44], [12, 5, 8, 13, 44])");
+shouldBeTrue("testPrototypeFunction('slice', '(0, 10)', 100000, [0,0,0,0,0,0,0,0,0,0])");
 debug("");
 
 debug("2.0 Preserve Underlying bits");

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes