Modified: trunk/JSTests/ChangeLog (267518 => 267519)
--- trunk/JSTests/ChangeLog 2020-09-24 05:59:46 UTC (rev 267518)
+++ trunk/JSTests/ChangeLog 2020-09-24 06:15:35 UTC (rev 267519)
@@ -1,3 +1,15 @@
+2020-09-23 Ross Kirsling <[email protected]>
+
+ %ArrayIteratorPrototype%.next must check for detached buffers
+ https://bugs.webkit.org/show_bug.cgi?id=216904
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/detach-buffer-during-iteration.js: Added.
+
+ * test262/expectations.yaml:
+ Mark two test cases as passing.
+
2020-09-23 Alexey Shvayka <[email protected]>
Update Array.prototype.sort to be consistent with tightened spec
Added: trunk/JSTests/stress/detach-buffer-during-iteration.js (0 => 267519)
--- trunk/JSTests/stress/detach-buffer-during-iteration.js (rev 0)
+++ trunk/JSTests/stress/detach-buffer-during-iteration.js 2020-09-24 06:15:35 UTC (rev 267519)
@@ -0,0 +1,14 @@
+function test() {
+ var ta = new Uint16Array(3);
+ try {
+ for (var n of ta)
+ transferArrayBuffer(ta.buffer);
+ } catch {
+ return;
+ }
+ throw 'oh no';
+}
+noInline(test);
+
+for (var i = 0; i < 1e6; i++)
+ test();
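Review bot: The bare `catch {` in `test()` accepts any exception, so the test cannot tell the TypeError this patch introduces apart from an unrelated failure; if, for example, `transferArrayBuffer` itself rejected an already-detached buffer on the second pass through the loop body, the test would pass with or without the iterator fix. Narrow the handler to the expected type: `catch (e) { if (e instanceof TypeError) return; throw e; }`. It would also strengthen the test to count how many times the loop body ran before the throw and check that count after the catch, since the first `next()` happens before the detach and must succeed while the second must throw.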
Modified: trunk/JSTests/test262/expectations.yaml (267518 => 267519)
--- trunk/JSTests/test262/expectations.yaml 2020-09-24 05:59:46 UTC (rev 267518)
+++ trunk/JSTests/test262/expectations.yaml 2020-09-24 06:15:35 UTC (rev 267519)
@@ -630,9 +630,6 @@
test/built-ins/ArrayBuffer/prototype/slice/species.js:
default: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «undefined») to be true'
strict mode: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «undefined») to be true'
-test/built-ins/ArrayIteratorPrototype/next/detach-typedarray-in-progress.js:
- default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
- strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
test/built-ins/Function/call-bind-this-realm-undef.js:
default: 'Test262Error: implicit undefined Expected SameValue(«[object global]», «[object Undefined]») to be true'
strict mode: 'Test262Error: implicit undefined Expected SameValue(«[object global]», «[object Undefined]») to be true'
Modified: trunk/Source/_javascript_Core/ChangeLog (267518 => 267519)
--- trunk/Source/_javascript_Core/ChangeLog 2020-09-24 05:59:46 UTC (rev 267518)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-09-24 06:15:35 UTC (rev 267519)
@@ -1,3 +1,24 @@
+2020-09-23 Ross Kirsling <[email protected]>
+
+ %ArrayIteratorPrototype%.next must check for detached buffers
+ https://bugs.webkit.org/show_bug.cgi?id=216904
+
+ Reviewed by Yusuke Suzuki.
+
+ Per https://tc39.es/ecma262/#sec-%arrayiteratorprototype%.next:
+ 8. If a has a [[TypedArrayName]] internal slot, then
+ a. If IsDetachedBuffer(a.[[ViewedArrayBuffer]]) is true, throw a TypeError exception.
+
+ * builtins/ArrayIteratorPrototype.js:
+ (next):
+ * builtins/BuiltinNames.h:
+ * bytecode/LinkTimeConstant.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSTypedArrayViewPrototype.cpp:
+ (JSC::typedArrayViewPrivateFuncIsNeutered):
+ * runtime/JSTypedArrayViewPrototype.h:
+
2020-09-23 Yusuke Suzuki <[email protected]>
[JSC] Simply some of template-specialized host functions by defining each function
Modified: trunk/Source/_javascript_Core/builtins/ArrayIteratorPrototype.js (267518 => 267519)
--- trunk/Source/_javascript_Core/builtins/ArrayIteratorPrototype.js 2020-09-24 05:59:46 UTC (rev 267518)
+++ trunk/Source/_javascript_Core/builtins/ArrayIteratorPrototype.js 2020-09-24 06:15:35 UTC (rev 267519)
@@ -32,6 +32,9 @@
@throwTypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");
var array = @getArrayIteratorInternalField(this, @arrayIteratorFieldIteratedObject);
+ if (@isTypedArrayView(array) && @isNeutered(array))
+ @throwTypeError("Underlying ArrayBuffer has been detached from the view");
+
var kind = @getArrayIteratorInternalField(this, @arrayIteratorFieldKind);
return @arrayIteratorNextHelper.@call(this, array, kind);
}
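Review bot: The new detached-buffer check runs unconditionally before `@arrayIteratorNextHelper`, so whether it also fires on an already-exhausted iterator depends on how the helper records exhaustion, which is outside this hunk. The spec step quoted in the ChangeLog (step 8) comes after the step that returns `{ value: undefined, done: true }` once the iterated object has been cleared, so an iterator that finished before its buffer was detached must not throw. If the helper marks exhaustion with an index sentinel while leaving the iterated-object field populated, this check throws where the spec returns done; consulting the iterator's index field before calling `@isNeutered`, or clearing the iterated object on exhaustion, would restore the spec ordering. If the helper instead sets the iterated object to `undefined`, `@isTypedArrayView(undefined)` is false and the check as written is already correct. The enclosing `next` function begins above the hunk.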
Modified: trunk/Source/_javascript_Core/builtins/BuiltinNames.h (267518 => 267519)
--- trunk/Source/_javascript_Core/builtins/BuiltinNames.h 2020-09-24 05:59:46 UTC (rev 267518)
+++ trunk/Source/_javascript_Core/builtins/BuiltinNames.h 2020-09-24 06:15:35 UTC (rev 267519)
@@ -117,6 +117,7 @@
macro(newTargetLocal) \
macro(derivedConstructor) \
macro(isTypedArrayView) \
+ macro(isNeutered) \
macro(isBoundFunction) \
macro(hasInstanceBoundFunction) \
macro(instanceOf) \
Modified: trunk/Source/_javascript_Core/bytecode/LinkTimeConstant.h (267518 => 267519)
--- trunk/Source/_javascript_Core/bytecode/LinkTimeConstant.h 2020-09-24 05:59:46 UTC (rev 267518)
+++ trunk/Source/_javascript_Core/bytecode/LinkTimeConstant.h 2020-09-24 06:15:35 UTC (rev 267519)
@@ -53,6 +53,7 @@
v(typedArrayGetOriginalConstructor, nullptr) \
v(typedArraySort, nullptr) \
v(isTypedArrayView, nullptr) \
+ v(isNeutered, nullptr) \
v(typedArraySubarrayCreate, nullptr) \
v(isBoundFunction, nullptr) \
v(hasInstanceBoundFunction, nullptr) \
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (267518 => 267519)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2020-09-24 05:59:46 UTC (rev 267518)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2020-09-24 06:15:35 UTC (rev 267519)
@@ -1190,6 +1190,9 @@
m_linkTimeConstants[static_cast<unsigned>(LinkTimeConstant::isTypedArrayView)].initLater([] (const Initializer<JSCell>& init) {
init.set(JSFunction::create(init.vm, jsCast<JSGlobalObject*>(init.owner), 0, String(), typedArrayViewPrivateFuncIsTypedArrayView, IsTypedArrayViewIntrinsic));
});
+ m_linkTimeConstants[static_cast<unsigned>(LinkTimeConstant::isNeutered)].initLater([] (const Initializer<JSCell>& init) {
+ init.set(JSFunction::create(init.vm, jsCast<JSGlobalObject*>(init.owner), 1, String(), typedArrayViewPrivateFuncIsNeutered));
+ });
m_linkTimeConstants[static_cast<unsigned>(LinkTimeConstant::typedArraySubarrayCreate)].initLater([] (const Initializer<JSCell>& init) {
init.set(JSFunction::create(init.vm, jsCast<JSGlobalObject*>(init.owner), 0, String(), typedArrayViewPrivateFuncSubarrayCreate));
});
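Review bot: `isNeutered` is registered as a plain host function, whereas the adjacent `isTypedArrayView` is created with `IsTypedArrayViewIntrinsic` so the optimizing tiers can inline it; since this helper is now called on every `%ArrayIteratorPrototype%.next` for a typed array, the unoptimized host call lands on a hot path. If the JIT tiers do not already recognize `isNeutered`, consider giving it an intrinsic, or folding the detached check into the typed-array length lookup the iterator already performs, in a follow-up; the added stress test's 1e6-iteration loop would make the cost measurable. This is a performance observation rather than a correctness issue.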
Modified: trunk/Source/_javascript_Core/runtime/JSTypedArrayViewPrototype.cpp (267518 => 267519)
--- trunk/Source/_javascript_Core/runtime/JSTypedArrayViewPrototype.cpp 2020-09-24 05:59:46 UTC (rev 267518)
+++ trunk/Source/_javascript_Core/runtime/JSTypedArrayViewPrototype.cpp 2020-09-24 06:15:35 UTC (rev 267519)
@@ -68,6 +68,13 @@
return JSValue::encode(jsBoolean(value.isCell() && isTypedView(value.asCell()->classInfo(globalObject->vm())->typedArrayStorageType)));
}
+EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncIsNeutered(JSGlobalObject* globalObject, CallFrame* callFrame)
+{
+ JSValue argument = callFrame->uncheckedArgument(0);
+ ASSERT_UNUSED(globalObject, argument.isCell() && isTypedView(argument.asCell()->classInfo(globalObject->vm())->typedArrayStorageType));
+ return JSValue::encode(jsBoolean(jsCast<JSArrayBufferView*>(argument)->isNeutered()));
+}
+
EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncLength(JSGlobalObject* globalObject, CallFrame* callFrame)
{
VM& vm = globalObject->vm();
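Review bot: `typedArrayViewPrivateFuncIsNeutered` reads `uncheckedArgument(0)` and performs an unchecked `jsCast<JSArrayBufferView*>` whose only guard is an `ASSERT_UNUSED` that compiles away in release builds, so its memory safety rests entirely on every caller passing exactly one argument that has already passed `@isTypedArrayView`. The single builtin caller in this patch honours that contract, but the definition does not state it; add a comment above the function such as `// Private builtin: callers must guard with @isTypedArrayView first, since the argument is not validated in release builds.` Because the function appears to be exposed only as a link-time constant for builtins and not on a public prototype, this is a documentation request rather than a reachable bug.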
Modified: trunk/Source/_javascript_Core/runtime/JSTypedArrayViewPrototype.h (267518 => 267519)
--- trunk/Source/_javascript_Core/runtime/JSTypedArrayViewPrototype.h 2020-09-24 05:59:46 UTC (rev 267518)
+++ trunk/Source/_javascript_Core/runtime/JSTypedArrayViewPrototype.h 2020-09-24 06:15:35 UTC (rev 267519)
@@ -52,6 +52,7 @@
};
EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncIsTypedArrayView(JSGlobalObject*, CallFrame*);
+EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncIsNeutered(JSGlobalObject*, CallFrame*);
EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncSort(JSGlobalObject*, CallFrame*);
EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncLength(JSGlobalObject*, CallFrame*);
EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncGetOriginalConstructor(JSGlobalObject*, CallFrame*);