Title: [204868] trunk
Revision
204868
Author
[email protected]
Date
2016-08-23 16:24:47 -0700 (Tue, 23 Aug 2016)

Log Message

%TypedArray%.prototype.slice needs to check that the source and destination have not been detached.
https://bugs.webkit.org/show_bug.cgi?id=161031
<rdar://problem/27937019>

Reviewed by Geoffrey Garen.

JSTests:

* stress/typedarray-slice.js:
(get let):
(get try):
(testSpeciesWithTransferring):

Source/_javascript_Core:

* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::speciesConstruct):
(JSC::genericTypedArrayViewProtoFuncSlice):

Modified Paths

Diff

Modified: trunk/JSTests/ChangeLog (204867 => 204868)


--- trunk/JSTests/ChangeLog	2016-08-23 23:21:53 UTC (rev 204867)
+++ trunk/JSTests/ChangeLog	2016-08-23 23:24:47 UTC (rev 204868)
@@ -1,3 +1,16 @@
+2016-08-23  Keith Miller  <[email protected]>
+
+        %TypedArray%.prototype.slice needs to check that the source and destination have not been detached.
+        https://bugs.webkit.org/show_bug.cgi?id=161031
+        <rdar://problem/27937019>
+
+        Reviewed by Geoffrey Garen.
+
+        * stress/typedarray-slice.js:
+        (get let):
+        (get try):
+        (testSpeciesWithTransferring):
+
 2016-08-22  Filip Pizlo  <[email protected]>
 
         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression

Modified: trunk/JSTests/stress/typedarray-slice.js (204867 => 204868)


--- trunk/JSTests/stress/typedarray-slice.js	2016-08-23 23:21:53 UTC (rev 204867)
+++ trunk/JSTests/stress/typedarray-slice.js	2016-08-23 23:24:47 UTC (rev 204868)
@@ -135,8 +135,38 @@
         return false;
     });
 }
-
 shouldBeTrue("forEachTypedArray(subclasses, testSpeciesWithSameBuffer)");
 
+function testSpeciesWithTransferring(unused, constructor) {
 
+    let array = new constructor(10);
+    Object.defineProperty(constructor, Symbol.species, { get() {
+        transferArrayBuffer(array.buffer);
+        return undefined;
+    }, configurable: true });
+
+    try {
+        array.slice(0,1);
+        return false;
+    } catch (e) { }
+
+    array = new constructor(10);
+    Object.defineProperty(constructor, Symbol.species, { get() {
+        return function(len) {
+            let a = new constructor(len);
+            transferArrayBuffer(a.buffer);
+            return a;
+        }
+    }, configurable: true });
+
+    try {
+        array.slice(0,1);
+        return false;
+    } catch (e) { }
+
+    return true;
+}
+
+shouldBeTrue("forEachTypedArray(typedArrays, testSpeciesWithTransferring)");
+
 finishJSTest();
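Review bot: Both `catch (e) { }` blocks in testSpeciesWithTransferring accept any exception, so the test passes as long as `array.slice(0,1)` throws for any reason — a missing `transferArrayBuffer` helper or an unrelated error would be indistinguishable from the detach check this patch adds. Since the implementation raises a TypeError on both paths, tightening each handler to `catch (e) { if (!(e instanceof TypeError)) return false; }` pins the behaviour actually under test. The transferring `Symbol.species` getter is also left installed on `constructor` when the function returns; it is harmless here because `finishJSTest()` follows immediately, but if another case is ever appended after this one, a `delete constructor[Symbol.species]` before `return true` (the property is `configurable: true`) would keep it from leaking into that case.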

Modified: trunk/Source/_javascript_Core/ChangeLog (204867 => 204868)


--- trunk/Source/_javascript_Core/ChangeLog	2016-08-23 23:21:53 UTC (rev 204867)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-08-23 23:24:47 UTC (rev 204868)
@@ -1,3 +1,15 @@
+2016-08-23  Keith Miller  <[email protected]>
+
+        %TypedArray%.prototype.slice needs to check that the source and destination have not been detached.
+        https://bugs.webkit.org/show_bug.cgi?id=161031
+        <rdar://problem/27937019>
+
+        Reviewed by Geoffrey Garen.
+
+        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+        (JSC::speciesConstruct):
+        (JSC::genericTypedArrayViewProtoFuncSlice):
+
 2016-08-23  Filip Pizlo  <[email protected]>
 
         REGRESSION(204854): ASan is unhappy

Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h (204867 => 204868)


--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h	2016-08-23 23:21:53 UTC (rev 204867)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h	2016-08-23 23:24:47 UTC (rev 204868)
@@ -69,9 +69,14 @@
     if (exec->hadException())
         return nullptr;
 
-    if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(result))
-        return view;
+    if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(result)) {
+        if (!view->isNeutered())
+            return view;
 
+        throwTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
+        return nullptr;
+    }
+
     throwTypeError(exec, ASCIILiteral("species constructor did not return a TypedArray View"));
     return nullptr;
 }
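Review bot: The new `!view->isNeutered()` branch carries no comment explaining how a view the species constructor has just returned can already be detached, so the check reads as redundant next to the dynamic cast. The reason is that the species constructor is caller-supplied script that can transfer the view's buffer before returning it, which is exactly what the accompanying JSTests case does; a line such as `// The species constructor is arbitrary user code and may have detached the view it hands back.` above the check would record that. The enclosing speciesConstruct begins outside the hunk.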
@@ -441,6 +446,10 @@
     if (exec->hadException())
         return JSValue::encode(JSValue());
 
+    ASSERT(!result->isNeutered());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
+
     // We return early here since we don't allocate a backing store if length is 0 and memmove does not like nullptrs
     if (!length)
         return JSValue::encode(result);
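Review bot: `ASSERT(!result->isNeutered())` is compiled out of release builds, so the only thing keeping a detached `result` away from the memmove mentioned in the comment below is the check speciesConstruct now performs earlier in this file; the two lines should be tied together so a future change to speciesConstruct does not silently drop that guarantee. A comment above the assertion such as `// speciesConstruct already threw if result is detached; the same user code may have detached thisObject, so re-check it before touching either backing store.` would make the dependency explicit. Placing the `thisObject->isNeutered()` check after the species call rather than before it is the right ordering, since the detach happens inside that call. The enclosing genericTypedArrayViewProtoFuncSlice starts and ends outside the hunk.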