Title: [220377] trunk
Revision: 220377
Author: commit-qu...@webkit.org
Date: 2017-08-07 19:29:42 -0700 (Mon, 07 Aug 2017)

Log Message

GetOwnProperty of TypedArray indexed fields is wrongly configurable
https://bugs.webkit.org/show_bug.cgi?id=175307

Patch by Robin Morisset <rmoris...@apple.com> on 2017-08-07
Reviewed by Saam Barati.

JSTests:

* stress/typedarray-getownproperty-not-configurable.js: Added.
(assert):
(foo):

Source/JavaScriptCore:

```
let a = new Uint8Array(10);
let b = Object.getOwnPropertyDescriptor(a, 0);
assert(b.configurable === false);
```
should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p)
that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
that says that typed arrays are integer indexed exotic objects.

* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):

Diff

Modified: trunk/JSTests/ChangeLog (220376 => 220377)


--- trunk/JSTests/ChangeLog	2017-08-08 02:28:25 UTC (rev 220376)
+++ trunk/JSTests/ChangeLog	2017-08-08 02:29:42 UTC (rev 220377)
@@ -1,3 +1,14 @@
+2017-08-07  Robin Morisset  <rmoris...@apple.com>
+
+        GetOwnProperty of TypedArray indexed fields is wrongly configurable
+        https://bugs.webkit.org/show_bug.cgi?id=175307
+
+        Reviewed by Saam Barati.
+
+        * stress/typedarray-getownproperty-not-configurable.js: Added.
+        (assert):
+        (foo):
+
 2017-08-06  Yusuke Suzuki  <utatane....@gmail.com>
 
         Promise resolve and reject function should have length = 1

Added: trunk/JSTests/stress/typedarray-getownproperty-not-configurable.js (0 => 220377)


--- trunk/JSTests/stress/typedarray-getownproperty-not-configurable.js	                        (rev 0)
+++ trunk/JSTests/stress/typedarray-getownproperty-not-configurable.js	2017-08-08 02:29:42 UTC (rev 220377)
@@ -0,0 +1,20 @@
+typedArrays = [Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array, Int32Array, Uint32Array, Float32Array, Float64Array];
+
+function assert(cond) {
+    if (!cond)
+        throw new Error("bad assertion!");
+}
+
+function foo() {
+    for (constructor of typedArrays) {
+        let a = new constructor(10);
+        let b = Object.getOwnPropertyDescriptor(a, 0);
+        assert(b.value === 0);
+        assert(b.writable === false);
+        assert(b.enumerable === true);
+        assert(b.configurable === false);
+    }
+}
+
+for (let i = 0; i < 100; i++)
+    foo();
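Review bot: `assert(b.writable === false)` in foo() does not match the section the ChangeLog cites. Section 9.4.5.1 returns a descriptor with [[Writable]]: true, [[Enumerable]]: true, [[Configurable]]: false for a valid integer index, and typed array elements are assignable. If the engine currently reports writable as false, this test locks in a second discrepancy; either assert `b.writable === true` or explain in the ChangeLog why false is expected. Separately, `typedArrays` and the loop variable `constructor` are implicit globals; declare them with `const`/`let` so the test also runs in strict mode. Consider also covering the string key "0" and an out-of-range index, where the descriptor should be undefined.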

Modified: trunk/Source/JavaScriptCore/ChangeLog (220376 => 220377)


--- trunk/Source/_javascript_Core/ChangeLog	2017-08-08 02:28:25 UTC (rev 220376)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-08-08 02:29:42 UTC (rev 220377)
@@ -1,3 +1,22 @@
+2017-08-07  Robin Morisset  <rmoris...@apple.com>
+
+        GetOwnProperty of TypedArray indexed fields is wrongly configurable
+        https://bugs.webkit.org/show_bug.cgi?id=175307
+
+        Reviewed by Saam Barati.
+
+        ```
+        let a = new Uint8Array(10);
+        let b = Object.getOwnPropertyDescriptor(a, 0);
+        assert(b.configurable === false);
+        ```
+        should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p) 
+        that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
+        that says that typed arrays are integer indexed exotic objects.
+
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
+
 2017-08-07  Filip Pizlo  <fpi...@apple.com>
 
         Baseline JIT should do caging
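Review bot: The function entry `(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):` that closes this ChangeLog entry has no description. State there what changed (the slot attributes passed to setValue go from None to DontDelete), since the text above it gives only the spec rationale. The line ending in the 9.4.5.1 URL also carries trailing whitespace.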

Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h (220376 => 220377)


--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h	2017-08-08 02:28:25 UTC (rev 220376)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h	2017-08-08 02:29:42 UTC (rev 220377)
@@ -458,7 +458,7 @@
     if (!thisObject->canGetIndexQuickly(propertyName))
         return false;
     
-    slot.setValue(thisObject, None, thisObject->getIndexQuickly(propertyName));
+    slot.setValue(thisObject, DontDelete, thisObject->getIndexQuickly(propertyName));
     return true;
 }
 
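Review bot: The attribute change on the `slot.setValue(...)` line covers only getOwnPropertySlotByIndex, and the added test queries only with the numeric key 0. Please confirm that a lookup by property name for a canonical index string such as "0" reports the same attributes, so the two paths cannot disagree about configurability; a test case using the string key would pin that down. Note also that `DontDelete` is passed without any read-only attribute, while the new test asserts `b.writable === false`; the ChangeLog should say which of the two is intended.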