Diff
Modified: releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog 2019-05-17 11:24:40 UTC (rev 245445)
@@ -1,3 +1,31 @@
+2019-05-04 Tadeu Zagallo <[email protected]>
+
+ TypedArrays should not store properties that are canonical numeric indices
+ https://bugs.webkit.org/show_bug.cgi?id=197228
+ <rdar://problem/49557381>
+
+ Reviewed by Saam Barati.
+
+ * stress/array-species-config-array-constructor.js:
+ (test):
+ * stress/put-direct-index-broken-2.js:
+ * stress/typed-array-canonical-numeric-index-string.js: Added.
+ (makeTest.assert):
+ (makeTest):
+ (const.testInvalidIndices.makeTest.set assert):
+ (const.testInvalidIndices.makeTest):
+ (const.makeTestValidIndex.configurable.set assert):
+ (const.makeTestValidIndex.configurable):
+ * stress/typedarray-access-monomorphic-neutered.js:
+ (checkNoException):
+ (testNoException):
+ (testFTLNoException):
+ * stress/typedarray-access-neutered.js:
+ (testNoException):
+ * stress/typedarray-getownproperty-not-configurable.js:
+ (foo):
+ * test262/expectations.yaml:
+
2019-04-15 Saam barati <[email protected]>
SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
Modified: releases/WebKitGTK/webkit-2.24/JSTests/stress/array-species-config-array-constructor.js (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/JSTests/stress/array-species-config-array-constructor.js 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/JSTests/stress/array-species-config-array-constructor.js 2019-05-17 11:24:40 UTC (rev 245445)
@@ -32,7 +32,7 @@
function test() {
const message = "TypeError: Attempting to configure non-configurable property on a typed array at index: 0";
- shouldThrow(() => foo.concat([1]), message);
+ foo.concat([1]);
foo = [1,2,3,4];
shouldThrow(() => foo.slice(0), message);
foo = [1,2,3,4];
Modified: releases/WebKitGTK/webkit-2.24/JSTests/stress/put-direct-index-broken-2.js (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/JSTests/stress/put-direct-index-broken-2.js 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/JSTests/stress/put-direct-index-broken-2.js 2019-05-17 11:24:40 UTC (rev 245445)
@@ -57,7 +57,7 @@
} catch(e) {
err = e;
}
- assert(err.toString() === "TypeError: Attempting to configure non-configurable property on a typed array at index: 0");
+ assert(!err);
});
test(function() {
Added: releases/WebKitGTK/webkit-2.24/JSTests/stress/typed-array-canonical-numeric-index-string.js (0 => 245445)
--- releases/WebKitGTK/webkit-2.24/JSTests/stress/typed-array-canonical-numeric-index-string.js (rev 0)
+++ releases/WebKitGTK/webkit-2.24/JSTests/stress/typed-array-canonical-numeric-index-string.js 2019-05-17 11:24:40 UTC (rev 245445)
@@ -0,0 +1,107 @@
+//@ requireOptions("--forceEagerCompilation=true", "--osrExitCountForReoptimization=10", "--useConcurrentJIT=0")
+
+const typedArrays = [
+ Uint8ClampedArray,
+ Uint8Array,
+ Uint16Array,
+ Uint32Array,
+ Int8Array,
+ Int16Array,
+ Int32Array,
+ Float32Array,
+ Float64Array,
+];
+
+const failures = new Set();
+
+let value = 0;
+function makeTest(test) {
+ noInline(test);
+
+ function assert(typedArray, condition, message) {
+ if (!condition)
+ failures.add(`${typedArray.name}: ${message}`);
+ }
+
+ function testFor(typedArray, key) {
+ return new Function('key', 'typedArray', 'test', 'assert', `
+ const value = ${value++} % 128;
+ const u8 = new typedArray(1);
+ u8[key] = value;
+ test(u8, key, value, assert);
+ `).bind(undefined, key, typedArray, test, assert.bind(undefined, typedArray));
+ };
+
+ return function(keys) {
+ for (let typedArray of typedArrays) {
+ for (let key of keys) {
+ const runTest = testFor(typedArray, key);
+ noInline(runTest);
+ for (let i = 0; i < 10; i++) {
+ runTest();
+ }
+ }
+ }
+ }
+}
+
+const testInvalidIndices = makeTest((array, key, value, assert) => {
+ assert(array[key] === undefined, `${key.toString()} should not be set`);
+ assert(!(key in array), `${key.toString()} should not be in array`);
+
+ const keys = Object.keys(array);
+ assert(keys.length === 1, `no new keys should be added`);
+ assert(keys[0] === '0', `'0' should be the only key`);
+ assert(array[0] === 0, `offset 0 should not have been modified`);
+
+ assert(array.hasOwnProperty(key) === false, `hasOwnProperty(${key.toString()}) should be false`);
+ assert(Object.getOwnPropertyDescriptor(array, key) === undefined, `Object.getOwnPropertyDescriptor(${key.toString()}) should be undefined`);
+});
+
+testInvalidIndices([
+ '-0',
+ '-1',
+ -1,
+ 1,
+ 'Infinity',
+ '-Infinity',
+ 'NaN',
+ '0.1',
+ '4294967294',
+ '4294967295',
+ '4294967296',
+]);
+
+const makeTestValidIndex = (configurable) =>
+ (array, key, value, assert) => {
+ assert(array[key] === value, `${key.toString()} should be set to ${value}`);
+ assert(key in array, `should contain key ${key.toString()}`);
+
+ assert(array.hasOwnProperty(key) === true, `hasOwnProperty(${key.toString()}) should be true`);
+ const descriptor = Object.getOwnPropertyDescriptor(array, key);
+ assert(typeof descriptor === 'object', `Object.getOwnPropertyDescriptor(${key.toString()}) return an object`);
+ assert(descriptor.value === value, `descriptor.value should be ${value}`);
+ assert(descriptor.writable === true, `descriptor.writable should be true`);
+ assert(descriptor.enumerable === true, `descriptor.enumerable should be true`);
+ assert(descriptor.configurable === configurable, `descriptor.configurable should be ${configurable}`);
+ };
+
+const testValidConfigurableIndices = makeTest(makeTestValidIndex(true));
+
+testValidConfigurableIndices([
+ '01',
+ '0.10',
+ '+Infinity',
+ '-NaN',
+ '-0.0',
+ Symbol('1'),
+]);
+
+testValidNonConfigurableIndices = makeTest(makeTestValidIndex(false))
+testValidNonConfigurableIndices([
+ '0',
+ 0,
+]);
+
+if (failures.size)
+ throw new Error(`Subtests failed:\n${Array.from(failures).join('\n')}`);
Modified: releases/WebKitGTK/webkit-2.24/JSTests/stress/typedarray-access-monomorphic-neutered.js (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/JSTests/stress/typedarray-access-monomorphic-neutered.js 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/JSTests/stress/typedarray-access-monomorphic-neutered.js 2019-05-17 11:24:40 UTC (rev 245445)
@@ -28,7 +28,6 @@
test("array[0]", array);
test("delete array[0]", array);
test("Object.getOwnPropertyDescriptor(array, 0)", array);
- test("Object.defineProperty(array, 0, { value: 1, writable: true, configurable: false, enumerable: true })", array);
test("array[0] = 1", array);
test("array[i] = 1", array);
}
@@ -48,7 +47,39 @@
testFTL("array[0]", array, failArray);
testFTL("delete array[0]", array, failArray);
testFTL("Object.getOwnPropertyDescriptor(array, 0)", array, failArray);
- testFTL("Object.defineProperty(array, 0, { value: 1, writable: true, configurable: false, enumerable: true })", array, failArray);
testFTL("array[0] = 1", array, failArray);
testFTL("array[i] = 1", array, failArray);
}
+
+
+function checkNoException(array, thunk, count) {
+ thunk(array, count);
+}
+noInline(check);
+
+function testNoException(thunk, array) {
+ let fn = Function("array", "i", thunk);
+ noInline(fn);
+ for (let i = 0; i < 10000; i++)
+ checkNoException(array, fn, i);
+}
+
+for (let constructor of typedArrays) {
+ let array = new constructor(10);
+ transferArrayBuffer(array.buffer);
+ testNoException("Object.defineProperty(array, 0, { value: 1, writable: true, configurable: false, enumerable: true })", array);
+}
+
+function testFTLNoException(thunk, array, failArray) {
+ let fn = Function("array", "i", thunk);
+ noInline(fn);
+ for (let i = 0; i < 10000; i++)
+ fn(array, i)
+ checkNoException(failArray, fn, 10000);
+}
+for (let constructor of typedArrays) {
+ let array = new constructor(10);
+ let failArray = new constructor(10);
+ transferArrayBuffer(failArray.buffer);
+ testFTLNoException("Object.defineProperty(array, 0, { value: 1, writable: true, configurable: false, enumerable: true })", array, failArray);
+}
Modified: releases/WebKitGTK/webkit-2.24/JSTests/stress/typedarray-access-neutered.js (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/JSTests/stress/typedarray-access-neutered.js 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/JSTests/stress/typedarray-access-neutered.js 2019-05-17 11:24:40 UTC (rev 245445)
@@ -25,6 +25,20 @@
test((array) => array[0], i);
test((array) => delete array[0], i);
test((array) => Object.getOwnPropertyDescriptor(array, 0), i);
- test((array) => Object.defineProperty(array, 0, { value: 1, writable: true, configurable: false, enumerable: true }), i)
test((array) => array[0] = 1, i);
}
+
+function checkNoException(thunk, count) {
+ let array = new constructor(10);
+ transferArrayBuffer(array.buffer);
+ thunk(array);
+}
+
+function testNoException(thunk, count) {
+ for (constructor of typedArrays)
+ checkNoException(thunk, count);
+}
+
+for (let i = 0; i < 10000; i++) {
+ testNoException((array) => Object.defineProperty(array, 0, { value: 1, writable: true, configurable: false, enumerable: true }), i)
+}
Modified: releases/WebKitGTK/webkit-2.24/JSTests/stress/typedarray-getownproperty-not-configurable.js (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/JSTests/stress/typedarray-getownproperty-not-configurable.js 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/JSTests/stress/typedarray-getownproperty-not-configurable.js 2019-05-17 11:24:40 UTC (rev 245445)
@@ -10,7 +10,7 @@
let a = new constructor(10);
let b = Object.getOwnPropertyDescriptor(a, 0);
assert(b.value === 0);
- assert(b.writable === false);
+ assert(b.writable === true);
assert(b.enumerable === true);
assert(b.configurable === false);
}
Modified: releases/WebKitGTK/webkit-2.24/JSTests/test262/expectations.yaml (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/JSTests/test262/expectations.yaml 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/JSTests/test262/expectations.yaml 2019-05-17 11:24:40 UTC (rev 245445)
@@ -1394,21 +1394,12 @@
test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/desc-value-throws.js:
default: 'Test262Error: Expected a Test262Error but got a TypeError (Testing with Float64Array.)'
strict mode: 'Test262Error: Expected a Test262Error but got a TypeError (Testing with Float64Array.)'
+test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/detached-buffer-realm.js:
+ default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
+ strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/detached-buffer.js:
- default: 'Test262Error: Return false before Detached Buffer check when value is a negative number Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
- strict mode: 'Test262Error: Return false before Detached Buffer check when value is a negative number Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/key-is-lower-than-zero.js:
- default: 'Test262Error: -1 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
- strict mode: 'Test262Error: -1 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/key-is-minus-zero.js:
- default: 'Test262Error: defineProperty returns false Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
- strict mode: 'Test262Error: defineProperty returns false Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/key-is-not-integer.js:
- default: 'Test262Error: 0.1 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
- strict mode: 'Test262Error: 0.1 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/key-is-numericindex.js:
- default: 'Test262Error: property is writable Expected SameValue(«false», «true») to be true (Testing with Float64Array.)'
- strict mode: 'Test262Error: property is writable Expected SameValue(«false», «true») to be true (Testing with Float64Array.)'
+ default: 'Test262Error: Throws TypeError on valid numeric index if instance has a detached buffer Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
+ strict mode: 'Test262Error: Throws TypeError on valid numeric index if instance has a detached buffer Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/set-value.js:
default: 'Test262Error: set value for sample[0] returns true Expected SameValue(«false», «true») to be true (Testing with Float64Array.)'
strict mode: 'Test262Error: set value for sample[0] returns true Expected SameValue(«false», «true») to be true (Testing with Float64Array.)'
@@ -1415,12 +1406,6 @@
test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/tonumber-value-detached-buffer.js:
default: 'Test262Error: detaching a ArrayBuffer during defining an element of a typed array viewing it should throw Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
strict mode: 'Test262Error: detaching a ArrayBuffer during defining an element of a typed array viewing it should throw Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/internals/Get/detached-buffer.js:
- default: 'Test262Error: detach buffer runs before checking for 1.1 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
- strict mode: 'Test262Error: detach buffer runs before checking for 1.1 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/internals/Get/infinity-detached-buffer.js:
- default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
- strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
test/built-ins/TypedArrayConstructors/internals/Get/key-is-not-integer.js:
default: 'Test262Error: OrdinaryGet was called! Ref: 9.1.8.1 3.c (Testing with Float64Array.)'
strict mode: 'Test262Error: OrdinaryGet was called! Ref: 9.1.8.1 3.c (Testing with Float64Array.)'
@@ -1433,9 +1418,6 @@
test/built-ins/TypedArrayConstructors/internals/GetOwnProperty/enumerate-detached-buffer.js:
default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/internals/GetOwnProperty/index-prop-desc.js:
- default: 'Test262Error: index descriptor is writable [0] Expected SameValue(«false», «true») to be true (Testing with Float64Array.)'
- strict mode: 'Test262Error: index descriptor is writable [0] Expected SameValue(«false», «true») to be true (Testing with Float64Array.)'
test/built-ins/TypedArrayConstructors/internals/HasProperty/abrupt-from-ordinary-has-parent-hasproperty.js:
default: 'Test262Error: (Testing with Float64Array.)'
strict mode: 'Test262Error: (Testing with Float64Array.)'
@@ -1445,8 +1427,6 @@
test/built-ins/TypedArrayConstructors/internals/HasProperty/detached-buffer.js:
default: 'Test262Error: 0 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
strict mode: 'Test262Error: 0 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/internals/HasProperty/infinity-with-detached-buffer.js:
- default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
test/built-ins/TypedArrayConstructors/internals/HasProperty/inherited-property.js:
default: 'Test262Error: 42 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
strict mode: 'Test262Error: 42 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
@@ -1462,18 +1442,6 @@
test/built-ins/TypedArrayConstructors/internals/HasProperty/key-is-not-integer.js:
default: 'Test262Error: 1.1 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
strict mode: 'Test262Error: 1.1 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/internals/Set/detached-buffer.js:
- default: 'Test262Error: detach buffer runs before checking for 1.1 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
- strict mode: 'Test262Error: detach buffer runs before checking for 1.1 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/internals/Set/key-is-minus-zero.js:
- default: 'Test262Error: -0 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
- strict mode: 'Test262Error: -0 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/internals/Set/key-is-not-integer.js:
- default: 'Test262Error: 1.1 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
- strict mode: 'Test262Error: 1.1 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/internals/Set/key-is-out-of-bounds.js:
- default: 'Test262Error: -1 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
- strict mode: 'Test262Error: -1 Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
test/built-ins/TypedArrayConstructors/internals/Set/tonumber-value-throws.js:
default: 'Test262Error: ToNumber runs before ToInteger(index) Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
strict mode: 'Test262Error: ToNumber runs before ToInteger(index) Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-05-17 11:24:40 UTC (rev 245445)
@@ -1,3 +1,14 @@
+2019-05-04 Tadeu Zagallo <[email protected]>
+
+ TypedArrays should not store properties that are canonical numeric indices
+ https://bugs.webkit.org/show_bug.cgi?id=197228
+ <rdar://problem/49557381>
+
+ Reviewed by Saam Barati.
+
+ * fast/canvas/canvas-ImageData-behaviour-expected.txt:
+ * fast/canvas/canvas-ImageData-behaviour.js:
+
2019-05-02 Chris Dumez <[email protected]>
Setting a frame's src to a _javascript_ URL should not run it synchronously
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/canvas/canvas-ImageData-behaviour-expected.txt (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/canvas/canvas-ImageData-behaviour-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/canvas/canvas-ImageData-behaviour-expected.txt 2019-05-17 11:24:40 UTC (rev 245445)
@@ -43,7 +43,7 @@
PASS imageData.data[0] = null, imageData.data[0] is 0
PASS imageData.data[0] = undefined, imageData.data[0] is 0
PASS imageData.data['foo']='garbage',imageData.data['foo'] is 'garbage'
-PASS imageData.data[-1]='garbage',imageData.data[-1] is 'garbage'
+PASS imageData.data[-1]='garbage',imageData.data[-1] is undefined
PASS imageData.data[17]='garbage',imageData.data[17] is undefined
PASS successfullyParsed is true
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/canvas/canvas-ImageData-behaviour.js (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/canvas/canvas-ImageData-behaviour.js 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/canvas/canvas-ImageData-behaviour.js 2019-05-17 11:24:40 UTC (rev 245445)
@@ -21,5 +21,5 @@
}
shouldBe("imageData.data['foo']='garbage',imageData.data['foo']", "'garbage'");
-shouldBe("imageData.data[-1]='garbage',imageData.data[-1]", "'garbage'");
+shouldBe("imageData.data[-1]='garbage',imageData.data[-1]", "undefined");
shouldBe("imageData.data[17]='garbage',imageData.data[17]", "undefined");
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/CMakeLists.txt (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/CMakeLists.txt 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/CMakeLists.txt 2019-05-17 11:24:40 UTC (rev 245445)
@@ -847,6 +847,7 @@
runtime/JSGenericTypedArrayViewPrototypeInlines.h
runtime/JSGlobalLexicalEnvironment.h
runtime/JSGlobalObject.h
+ runtime/JSGlobalObjectFunctions.h
runtime/JSGlobalObjectInlines.h
runtime/JSImmutableButterfly.h
runtime/JSInternalPromise.h
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog 2019-05-17 11:24:40 UTC (rev 245445)
@@ -1,3 +1,33 @@
+2019-05-04 Tadeu Zagallo <[email protected]>
+
+ TypedArrays should not store properties that are canonical numeric indices
+ https://bugs.webkit.org/show_bug.cgi?id=197228
+ <rdar://problem/49557381>
+
+ Reviewed by Saam Barati.
+
+ According to the spec[1]:
+ - TypedArrays should not perform an ordinary GetOwnProperty/SetOwnProperty if the index is a
+ CanonicalNumericIndexString, but invalid according to IntegerIndexedElementGet and similar
+ functions. I.e., there are a few properties that should not be set in a TypedArray, like NaN,
+ Infinity and -0.
+ - On DefineOwnProperty, the out-of-bounds check should be performed before validating the property
+ descriptor.
+ - On GetOwnProperty, the returned descriptor for numeric properties should have writable set to true.
+
+ [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-integer-indexed-exotic-objects-defineownproperty-p-desc
+
+ * CMakeLists.txt:
+ * _javascript_Core.xcodeproj/project.pbxproj:
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
+ (JSC::JSGenericTypedArrayView<Adaptor>::put):
+ (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
+ (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
+ (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
+ * runtime/PropertyName.h:
+ (JSC::isCanonicalNumericIndexString):
+
2019-04-15 Saam barati <[email protected]>
SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2019-05-17 11:24:40 UTC (rev 245445)
@@ -1656,7 +1656,7 @@
BC18C52E0E16FCE100B34460 /* Lexer.lut.h in Headers */ = {isa = PBXBuildFile; fileRef = BC18C52D0E16FCE100B34460 /* Lexer.lut.h */; };
BC3046070E1F497F003232CF /* Error.h in Headers */ = {isa = PBXBuildFile; fileRef = BC3046060E1F497F003232CF /* Error.h */; settings = {ATTRIBUTES = (Private, ); }; };
BC6AAAE50E1F426500AD87D8 /* ClassInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = BC6AAAE40E1F426500AD87D8 /* ClassInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
- BC756FC90E2031B200DE7D12 /* JSGlobalObjectFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = BC756FC70E2031B200DE7D12 /* JSGlobalObjectFunctions.h */; };
+ BC756FC90E2031B200DE7D12 /* JSGlobalObjectFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = BC756FC70E2031B200DE7D12 /* JSGlobalObjectFunctions.h */; settings = {ATTRIBUTES = (Private, ); }; };
BC87CDB910712AD4000614CF /* JSONObject.lut.h in Headers */ = {isa = PBXBuildFile; fileRef = BC87CDB810712ACA000614CF /* JSONObject.lut.h */; };
BC9041480EB9250900FE26FA /* StructureTransitionTable.h in Headers */ = {isa = PBXBuildFile; fileRef = BC9041470EB9250900FE26FA /* StructureTransitionTable.h */; settings = {ATTRIBUTES = (Private, ); }; };
BC95437D0EBA70FD0072B6D3 /* PropertyMapHashTable.h in Headers */ = {isa = PBXBuildFile; fileRef = BC95437C0EBA70FD0072B6D3 /* PropertyMapHashTable.h */; settings = {ATTRIBUTES = (Private, ); }; };
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2019-05-17 11:24:40 UTC (rev 245445)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -352,14 +352,22 @@
}
if (thisObject->canGetIndexQuickly(index.value())) {
- slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, thisObject->getIndexQuickly(index.value()));
+ slot.setValue(thisObject, static_cast<unsigned>(PropertyAttribute::DontDelete), thisObject->getIndexQuickly(index.value()));
return true;
}
- slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, jsUndefined());
return false;
}
-
+
+ if (isCanonicalNumericIndexString(propertyName)) {
+ if (thisObject->isNeutered()) {
+ slot.setCustom(thisObject, static_cast<unsigned>(PropertyAttribute::None), throwNeuteredTypedArrayTypeError);
+ return true;
+ }
+
+ return false;
+ }
+
return Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
}
@@ -368,6 +376,9 @@
JSCell* cell, ExecState* exec, PropertyName propertyName, JSValue value,
PutPropertySlot& slot)
{
+ VM& vm = exec->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(cell);
// https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-set-p-v-receiver
@@ -374,9 +385,15 @@
// Ignore the receiver even if the receiver is altered to non base value.
// 9.4.5.5-2-b-i Return ? IntegerIndexedElementSet(O, numericIndex, V).
if (Optional<uint32_t> index = parseIndex(propertyName))
- return putByIndex(thisObject, exec, index.value(), value, slot.isStrictMode());
-
- return Base::put(thisObject, exec, propertyName, value, slot);
+ RELEASE_AND_RETURN(scope, putByIndex(thisObject, exec, index.value(), value, slot.isStrictMode()));
+
+ if (isCanonicalNumericIndexString(propertyName)) {
+ if (thisObject->isNeutered())
+ throwTypeError(exec, scope, typedArrayBufferHasBeenDetachedErrorMessage);
+ return false;
+ }
+
+ RELEASE_AND_RETURN(scope, Base::put(thisObject, exec, propertyName, value, slot));
}
template<typename Adaptor>
@@ -395,6 +412,9 @@
return false;
};
+ if (index.value() >= thisObject->m_length)
+ return false;
+
if (descriptor.isAccessorDescriptor())
return throwTypeErrorIfNeeded("Attempting to store accessor property on a typed array at index: ");
@@ -404,13 +424,15 @@
if (!descriptor.enumerable() || !descriptor.writable())
return throwTypeErrorIfNeeded("Attempting to store non-enumerable or non-writable property on a typed array at index: ");
- if (descriptor.value()) {
- PutPropertySlot unused(JSValue(thisObject), shouldThrow);
- RELEASE_AND_RETURN(scope, thisObject->put(thisObject, exec, propertyName, descriptor.value(), unused));
- }
+ if (descriptor.value())
+ RELEASE_AND_RETURN(scope, thisObject->putByIndex(thisObject, exec, index.value(), descriptor.value(), shouldThrow));
+
return true;
}
-
+
+ if (isCanonicalNumericIndexString(propertyName))
+ return false;
+
RELEASE_AND_RETURN(scope, Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow));
}
@@ -433,7 +455,7 @@
template<typename Adaptor>
bool JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex(
- JSObject* object, ExecState* exec, unsigned propertyName, PropertySlot& slot)
+ JSObject* object, ExecState*, unsigned propertyName, PropertySlot& slot)
{
JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(object);
@@ -442,11 +464,6 @@
return true;
}
- if (propertyName > MAX_ARRAY_INDEX) {
- return thisObject->methodTable(exec->vm())->getOwnPropertySlot(
- thisObject, exec, Identifier::from(exec, propertyName), slot);
- }
-
if (!thisObject->canGetIndexQuickly(propertyName))
return false;
@@ -456,15 +473,9 @@
template<typename Adaptor>
bool JSGenericTypedArrayView<Adaptor>::putByIndex(
- JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow)
+ JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value, bool)
{
JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(cell);
-
- if (propertyName > MAX_ARRAY_INDEX) {
- PutPropertySlot slot(JSValue(thisObject), shouldThrow);
- return thisObject->methodTable(exec->vm())->put(thisObject, exec, Identifier::from(exec, propertyName), value, slot);
- }
-
return thisObject->setIndex(exec, propertyName, value);
}
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/PropertyName.h (245444 => 245445)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/PropertyName.h 2019-05-17 10:15:15 UTC (rev 245444)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/PropertyName.h 2019-05-17 11:24:40 UTC (rev 245445)
@@ -26,8 +26,10 @@
#pragma once
#include "Identifier.h"
+#include "JSGlobalObjectFunctions.h"
#include "PrivateName.h"
#include <wtf/Optional.h>
+#include <wtf/dtoa.h>
namespace JSC {
@@ -130,4 +132,22 @@
return parseIndex(*uid);
}
+// https://www.ecma-international.org/ecma-262/9.0/index.html#sec-canonicalnumericindexstring
+ALWAYS_INLINE bool isCanonicalNumericIndexString(const PropertyName& propertyName)
+{
+ StringImpl* property = propertyName.uid();
+ if (!property)
+ return false;
+ if (property->isSymbol())
+ return false;
+ if (equal(property, "-0"))
+ return true;
+ double index = jsToNumber(property);
+ NumberToStringBuffer buffer;
+ const char* indexString = WTF::numberToString(index, buffer);
+ if (!equal(property, indexString))
+ return false;
+ return true;
+}
+
} // namespace JSC
