Log Message
Fix bad assertions in genericTypedArrayViewPrivateFuncSubarrayCreate https://bugs.webkit.org/show_bug.cgi?id=159882 <rdar://problem/27327111>
Reviewed by Mark Lam. According to the spec, toInteger can return values we don't consider ints, such as -0 and +/-Infinity. This broke some assertions in genericTypedArrayViewPrivateFuncSubarrayCreate. * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate): * tests/stress/typedarray-subarray.js:
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (203350 => 203351)
--- trunk/Source/_javascript_Core/ChangeLog 2016-07-18 18:32:52 UTC (rev 203350)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-07-18 18:38:42 UTC (rev 203351)
@@ -1,3 +1,19 @@
+2016-07-18 Keith Miller <[email protected]>
+
+ Fix bad assertions in genericTypedArrayViewPrivateFuncSubarrayCreate
+ https://bugs.webkit.org/show_bug.cgi?id=159882
+ <rdar://problem/27327111>
+
+ Reviewed by Mark Lam.
+
+ According the spec toInteger can return values we don't consider ints.
+ Such as, -0 and +/-Infinity. This broke some assertions in
+ genericTypedArrayViewPrivateFuncSubarrayCreate.
+
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
+ * tests/stress/typedarray-subarray.js:
+
2016-07-16 Filip Pizlo <[email protected]>
DFG CSE is broken for MultiGetByOffset
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h (203350 => 203351)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2016-07-18 18:32:52 UTC (rev 203350)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2016-07-18 18:38:42 UTC (rev 203351)
@@ -496,8 +496,11 @@
// Get the length here; later assert that the length didn't change.
unsigned thisLength = thisObject->length();
- ASSERT(exec->argument(0).isAnyInt());
- ASSERT(exec->argument(1).isUndefined() || exec->argument(1).isAnyInt());
+ // I would assert that the arguments are integers here but that's not true since
+ // https://tc39.github.io/ecma262/#sec-tointeger allows the result of the operation
+ // to be +/- Infinity and -0.
+ ASSERT(exec->argument(0).isNumber());
+ ASSERT(exec->argument(1).isUndefined() || exec->argument(1).isNumber());
unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 0, thisLength);
ASSERT(!vm.exception());
unsigned end = argumentClampedIndexFromStartOrEnd(exec, 1, thisLength, thisLength);
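Review bot: The relaxed checks `ASSERT(exec->argument(0).isNumber());` and the matching one for argument 1 now also accept NaN and fractional doubles, which ToInteger never produces, so they state a weaker invariant than the new comment describes. Something like `ASSERT(exec->argument(0).isNumber() && !std::isnan(exec->argument(0).asNumber()));` would still allow -0 and +/-Infinity while catching a caller that skipped the coercion. If ASSERT is compiled out of release builds, as is usual, the bounds of the new view rest entirely on `argumentClampedIndexFromStartOrEnd` clamping those values into [0, thisLength]. That helper is not visible in this hunk, so a short comment at the call site naming that dependency would help the next reader. The function body starts and ends outside the hunk.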
Modified: trunk/Source/_javascript_Core/tests/stress/typedarray-subarray.js (203350 => 203351)
--- trunk/Source/_javascript_Core/tests/stress/typedarray-subarray.js 2016-07-18 18:32:52 UTC (rev 203350)
+++ trunk/Source/_javascript_Core/tests/stress/typedarray-subarray.js 2016-07-18 18:38:42 UTC (rev 203351)
@@ -58,4 +58,21 @@
shouldBeTrue("forEachTypedArray(subclasses, testSpeciesRemoveConstructor)");
+debug("5.0 Coercion First Argument");
+shouldBeTrue("testPrototypeFunction('subarray', '(true)', [1, 2, 3, 4], [2, 3, 4])");
+shouldBeTrue("testPrototypeFunction('subarray', '(\"abc\")', [1, 2, 3, 4], [1, 2, 3, 4])");
+shouldBeTrue("testPrototypeFunction('subarray', '({ valueOf() { return Infinity; } })', [1, 2, 3, 4], [])");
+shouldBeTrue("testPrototypeFunction('subarray', '({ valueOf() { return -0; } })', [1, 2, 3, 4], [1, 2, 3, 4])");
+shouldBeTrue("testPrototypeFunction('subarray', '(null)', [1, 2, 3, 4], [1, 2, 3, 4])");
+shouldBeTrue("testPrototypeFunction('subarray', '(undefined)', [1, 2, 3, 4], [1, 2, 3, 4])");
+
+debug("5.1 Coercion Second Argument");
+shouldBeTrue("testPrototypeFunction('subarray', '(0, true)', [1, 2, 3, 4], [1])");
+shouldBeTrue("testPrototypeFunction('subarray', '(0, \"abc\")', [1, 2, 3, 4], [])");
+shouldBeTrue("testPrototypeFunction('subarray', '(0, \"1\")', [1, 2, 3, 4], [1])");
+shouldBeTrue("testPrototypeFunction('subarray', '(0, undefined)', [1, 2, 3, 4], [1, 2, 3, 4])");
+shouldBeTrue("testPrototypeFunction('subarray', '(0, { valueOf() { return Infinity; } })', [1, 2, 3, 4], [1, 2, 3, 4])");
+shouldBeTrue("testPrototypeFunction('subarray', '(0, { valueOf() { return -0; } })', [1, 2, 3, 4], [])");
+shouldBeTrue("testPrototypeFunction('subarray', '(0, null)', [1, 2, 3, 4], [])");
+
finishJSTest();
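Review bot: The new coercion cases in sections 5.0 and 5.1 exercise `Infinity` and `-0` but never `-Infinity`, although the log message names +/-Infinity as the values that tripped the old assertions. Adding the negative case for each argument would pin the lower clamp as well: `shouldBeTrue("testPrototypeFunction('subarray', '({ valueOf() { return -Infinity; } })', [1, 2, 3, 4], [1, 2, 3, 4])");` and `shouldBeTrue("testPrototypeFunction('subarray', '(0, { valueOf() { return -Infinity; } })', [1, 2, 3, 4], [])");`. The expected results follow from the spec's max(length + relative, 0) rule for negative indices and should be confirmed against a debug build, since only there do the assertions fire.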
