WebKit Bugzilla
Attachment 368929 Details for
Bug 197228
: TypedArrays should not store properties that are canonical numeric indices
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
bug-197228-20190503174014.patch (text/plain), 29.42 KB, created by
Tadeu Zagallo
on 2019-05-03 08:40:20 PDT
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Tadeu Zagallo
Created:
2019-05-03 08:40:20 PDT
Size:
29.42 KB
patch
obsolete
>Subversion Revision: 244875 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 2d4298f08d20dd98f883dbbfe618fde93d256207..5fbd0f6febf110d1ffdc88bb2f3ac9483539c74c 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,30 @@ >+2019-05-03 Tadeu Zagallo <tzagallo@apple.com> >+ >+ TypeArrays should not store properties that are canonical numeric indices >+ https://bugs.webkit.org/show_bug.cgi?id=197228 >+ <rdar://problem/49557381> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ According to the spec[1], TypedArrays should not perform an ordinary GetOwnProperty/SetOwnProperty >+ if the index is a CanonicalNumericIndexString, but invalid according toIntegerIndexedElementGet >+ and similar functions. I.e., there are a few properties that should not be set in a TypedArray, >+ like NaN, Infinity and -0. Additionally, the out-of-bounds check should be performed before >+ validating the property descriptor when defining a property. >+ >+ [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-integer-indexed-exotic-objects-defineownproperty-p-desc >+ >+ * CMakeLists.txt: >+ * JavaScriptCore.xcodeproj/project.pbxproj: >+ * runtime/JSGenericTypedArrayViewInlines.h: >+ (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot): >+ (JSC::JSGenericTypedArrayView<Adaptor>::put): >+ (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): >+ (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex): >+ (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex): >+ * runtime/PropertyName.h: >+ (JSC::canonicalNumericIndexString): >+ > 2019-05-02 Michael Saboff <msaboff@apple.com> > > Unreviewed rollout of r244862. >diff --git a/Source/JavaScriptCore/CMakeLists.txt b/Source/JavaScriptCore/CMakeLists.txt >index a12c0748d605f75cb2252aba91b8a10f8db19570..fb6210c3f7275e70440fe41fdbc898c6be64574d 100644 >--- a/Source/JavaScriptCore/CMakeLists.txt >+++ b/Source/JavaScriptCore/CMakeLists.txt >@@ -857,6 +857,7 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS > runtime/JSGenericTypedArrayViewPrototypeInlines.h > runtime/JSGlobalLexicalEnvironment.h > runtime/JSGlobalObject.h >+ runtime/JSGlobalObjectFunctions.h > runtime/JSGlobalObjectInlines.h > runtime/JSImmutableButterfly.h > runtime/JSInternalPromise.h >diff --git a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj >index d8b2aab3477dd928798c932573ec5a856113c61c..e7dc887b9aaf815bb3b80a7d42e8a07f894fdd03 100644 >--- a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj >+++ b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj >@@ -1669,7 +1669,7 @@ > BC18C52E0E16FCE100B34460 /* Lexer.lut.h in Headers */ = {isa = PBXBuildFile; fileRef = BC18C52D0E16FCE100B34460 /* Lexer.lut.h */; }; > BC3046070E1F497F003232CF /* Error.h in Headers */ = {isa = PBXBuildFile; fileRef = BC3046060E1F497F003232CF /* Error.h */; settings = {ATTRIBUTES = (Private, ); }; }; > BC6AAAE50E1F426500AD87D8 /* ClassInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = BC6AAAE40E1F426500AD87D8 /* ClassInfo.h */; settings = {ATTRIBUTES = (Private, ); }; }; >- BC756FC90E2031B200DE7D12 /* JSGlobalObjectFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = BC756FC70E2031B200DE7D12 /* JSGlobalObjectFunctions.h */; }; >+ BC756FC90E2031B200DE7D12 /* JSGlobalObjectFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = BC756FC70E2031B200DE7D12 /* JSGlobalObjectFunctions.h */; settings = {ATTRIBUTES = (Private, ); }; }; > BC87CDB910712AD4000614CF /* JSONObject.lut.h in Headers */ = {isa = PBXBuildFile; fileRef = BC87CDB810712ACA000614CF /* JSONObject.lut.h */; }; > BC9041480EB9250900FE26FA /* StructureTransitionTable.h in Headers */ = {isa = PBXBuildFile; fileRef = BC9041470EB9250900FE26FA /* StructureTransitionTable.h */; settings = {ATTRIBUTES = (Private, ); }; }; > BC95437D0EBA70FD0072B6D3 /* PropertyMapHashTable.h in Headers */ = {isa = PBXBuildFile; fileRef = BC95437C0EBA70FD0072B6D3 /* PropertyMapHashTable.h */; settings = {ATTRIBUTES = (Private, ); }; }; >diff --git a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h >index 1c5d5732a8be57f3390fa2f039e2b3e70dc873df..6caf98e050dac65832818cefb61a2a0920d66f7d 100644 >--- a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h >+++ b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h >@@ -1,5 +1,5 @@ > /* >- * Copyright (C) 2013-2018 Apple Inc. All rights reserved. >+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved. > * > * Redistribution and use in source and binary forms, with or without > * modification, are permitted provided that the following conditions >@@ -359,7 +359,17 @@ bool JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot( > slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, jsUndefined()); > return false; > } >- >+ >+ if (canonicalNumericIndexString(propertyName)) { >+ if (thisObject->isNeutered()) { >+ slot.setCustom(thisObject, static_cast<unsigned>(PropertyAttribute::None), throwNeuteredTypedArrayTypeError); >+ return true; >+ } >+ >+ slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, jsUndefined()); >+ return false; >+ } >+ > return Base::getOwnPropertySlot(thisObject, exec, propertyName, slot); > } > >@@ -368,15 +378,24 @@ bool JSGenericTypedArrayView<Adaptor>::put( > JSCell* cell, ExecState* exec, PropertyName propertyName, JSValue value, > PutPropertySlot& slot) > { >+ VM& vm = exec->vm(); >+ auto scope = DECLARE_THROW_SCOPE(vm); >+ > JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(cell); > > // https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-set-p-v-receiver > // Ignore the receiver even if the receiver is altered to non base value. > // 9.4.5.5-2-b-i Return ? IntegerIndexedElementSet(O, numericIndex, V). > if (Optional<uint32_t> index = parseIndex(propertyName)) >- return putByIndex(thisObject, exec, index.value(), value, slot.isStrictMode()); >- >- return Base::put(thisObject, exec, propertyName, value, slot); >+ RELEASE_AND_RETURN(scope, putByIndex(thisObject, exec, index.value(), value, slot.isStrictMode())); >+ >+ if (canonicalNumericIndexString(propertyName)) { >+ if (thisObject->isNeutered()) >+ throwTypeError(exec, scope, typedArrayBufferHasBeenDetachedErrorMessage); >+ return false; >+ } >+ >+ RELEASE_AND_RETURN(scope, Base::put(thisObject, exec, propertyName, value, slot)); > } > > template<typename Adaptor> >@@ -395,6 +414,9 @@ bool JSGenericTypedArrayView<Adaptor>::defineOwnProperty( > return false; > }; > >+ if (index.value() >= thisObject->m_length) >+ return false; >+ > if (descriptor.isAccessorDescriptor()) > return throwTypeErrorIfNeeded("Attempting to store accessor property on a typed array at index: "); > >@@ -404,13 +426,15 @@ bool JSGenericTypedArrayView<Adaptor>::defineOwnProperty( > if (!descriptor.enumerable() || !descriptor.writable()) > return throwTypeErrorIfNeeded("Attempting to store non-enumerable or non-writable property on a typed array at index: "); > >- if (descriptor.value()) { >- PutPropertySlot unused(JSValue(thisObject), shouldThrow); >- RELEASE_AND_RETURN(scope, thisObject->put(thisObject, exec, propertyName, descriptor.value(), unused)); >- } >+ if (descriptor.value()) >+ RELEASE_AND_RETURN(scope, thisObject->putByIndex(thisObject, exec, index.value(), descriptor.value(), shouldThrow)); >+ > return true; > } >- >+ >+ if (canonicalNumericIndexString(propertyName)) >+ return false; >+ > RELEASE_AND_RETURN(scope, Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow)); > } > >@@ -433,7 +457,7 @@ bool JSGenericTypedArrayView<Adaptor>::deleteProperty( > > template<typename Adaptor> > bool JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex( >- JSObject* object, ExecState* exec, unsigned propertyName, PropertySlot& slot) >+ JSObject* object, ExecState*, unsigned propertyName, PropertySlot& slot) > { > JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(object); > >@@ -442,11 +466,6 @@ bool JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex( > return true; > } > >- if (propertyName > MAX_ARRAY_INDEX) { >- return thisObject->methodTable(exec->vm())->getOwnPropertySlot( >- thisObject, exec, Identifier::from(exec, propertyName), slot); >- } >- > if (!thisObject->canGetIndexQuickly(propertyName)) > return false; > >@@ -456,15 +475,9 @@ bool JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex( > > template<typename Adaptor> > bool JSGenericTypedArrayView<Adaptor>::putByIndex( >- JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow) >+ JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value, bool) > { > JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(cell); >- >- if (propertyName > MAX_ARRAY_INDEX) { >- PutPropertySlot slot(JSValue(thisObject), shouldThrow); >- return thisObject->methodTable(exec->vm())->put(thisObject, exec, Identifier::from(exec, propertyName), value, slot); >- } >- > return thisObject->setIndex(exec, propertyName, value); > } > >diff --git a/Source/JavaScriptCore/runtime/PropertyName.h b/Source/JavaScriptCore/runtime/PropertyName.h >index c035fa68a18d1be04c5cc8d29566f5337adc541e..e4e412e876968b421c7c81c3636670b2684e25d5 100644 >--- a/Source/JavaScriptCore/runtime/PropertyName.h >+++ b/Source/JavaScriptCore/runtime/PropertyName.h >@@ -26,8 +26,10 @@ > #pragma once > > #include "Identifier.h" >+#include "JSGlobalObjectFunctions.h" > #include "PrivateName.h" > #include <wtf/Optional.h> >+#include <wtf/dtoa.h> > > namespace JSC { > >@@ -130,4 +132,22 @@ ALWAYS_INLINE Optional<uint32_t> parseIndex(PropertyName propertyName) > return parseIndex(*uid); > } > >+// https://www.ecma-international.org/ecma-262/9.0/index.html#sec-canonicalnumericindexstring >+ALWAYS_INLINE Optional<double> canonicalNumericIndexString(const PropertyName& propertyName) >+{ >+ StringImpl* property = propertyName.uid(); >+ if (!property) >+ return WTF::nullopt; >+ if (property->isSymbol()) >+ return WTF::nullopt; >+ if (equal(property, "-0")) >+ return { -0.0 }; >+ double index = jsToNumber(property); >+ NumberToStringBuffer buffer; >+ const char* indexString = WTF::numberToString(index, buffer); >+ if (!equal(property, indexString)) >+ return WTF::nullopt; >+ return { index }; >+} >+ > } // namespace JSC >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index d011e04042985fb5ee6bf7a301bfda6a4ec18ee2..1413a845e55298cf73d42bc5266ab009d0ca9e42 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog >@@ -1,3 +1,14 @@ >+2019-05-03 Tadeu Zagallo <tzagallo@apple.com> >+ >+ TypeArrays should not store properties that are canonical numeric indices >+ https://bugs.webkit.org/show_bug.cgi?id=197228 >+ <rdar://problem/49557381> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * fast/canvas/canvas-ImageData-behaviour-expected.txt: >+ * fast/canvas/canvas-ImageData-behaviour.js: >+ > 2019-05-02 Miguel Gomez <magomez@igalia.com> > > Unreviewed GTK+ gardening after r244868. >diff --git a/LayoutTests/fast/canvas/canvas-ImageData-behaviour-expected.txt b/LayoutTests/fast/canvas/canvas-ImageData-behaviour-expected.txt >index dbddf8f58a432c70e897283aebdf51d3b1a11efd..cea50d8321827e586b05295d3374328424b7585b 100644 >--- a/LayoutTests/fast/canvas/canvas-ImageData-behaviour-expected.txt >+++ b/LayoutTests/fast/canvas/canvas-ImageData-behaviour-expected.txt >@@ -43,7 +43,7 @@ PASS imageData.data[0] = 256, imageData.data[0] is 255 > PASS imageData.data[0] = null, imageData.data[0] is 0 > PASS imageData.data[0] = undefined, imageData.data[0] is 0 > PASS imageData.data['foo']='garbage',imageData.data['foo'] is 'garbage' >-PASS imageData.data[-1]='garbage',imageData.data[-1] is 'garbage' >+PASS imageData.data[-1]='garbage',imageData.data[-1] is undefined > PASS imageData.data[17]='garbage',imageData.data[17] is undefined > PASS successfullyParsed is true > >diff --git a/LayoutTests/fast/canvas/canvas-ImageData-behaviour.js b/LayoutTests/fast/canvas/canvas-ImageData-behaviour.js >index acfc2fb89b02236f89e729642caec0b1f803efb5..dacd9436a10e136e0d7c4b8676b626aa0bf9a185 100644 >--- a/LayoutTests/fast/canvas/canvas-ImageData-behaviour.js >+++ b/LayoutTests/fast/canvas/canvas-ImageData-behaviour.js >@@ -21,5 +21,5 @@ for (var i = 0; i < testValues.length; i++) { > } > > shouldBe("imageData.data['foo']='garbage',imageData.data['foo']", "'garbage'"); >-shouldBe("imageData.data[-1]='garbage',imageData.data[-1]", "'garbage'"); >+shouldBe("imageData.data[-1]='garbage',imageData.data[-1]", "undefined"); > shouldBe("imageData.data[17]='garbage',imageData.data[17]", "undefined"); >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index 37b413a12d5abd87da0cccc770619be5ccd2f496..97a8df531cb9f3d6c6f526e4ed3c8bd85c43e949 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,29 @@ >+2019-05-03 Tadeu Zagallo <tzagallo@apple.com> >+ >+ TypeArrays should not store properties that are canonical numeric indices >+ https://bugs.webkit.org/show_bug.cgi?id=197228 >+ <rdar://problem/49557381> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/array-species-config-array-constructor.js: >+ (test): >+ * stress/put-direct-index-broken-2.js: >+ * stress/typed-array-canonical-numeric-index-string.js: Added. >+ (makeTest.assert): >+ (makeTest): >+ (const.testInvalidIndices.makeTest.set assert): >+ (const.testInvalidIndices.makeTest): >+ (const.testValidIndices.makeTest.set assert): >+ (const.testValidIndices.makeTest): >+ * stress/typedarray-access-monomorphic-neutered.js: >+ (checkNoException): >+ (testNoException): >+ (testFTLNoException): >+ * stress/typedarray-access-neutered.js: >+ (testNoException): >+ * test262/expectations.yaml: >+ > 2019-05-02 Michael Saboff <msaboff@apple.com> > > Unreviewed rollout of r244862. >diff --git a/JSTests/stress/array-species-config-array-constructor.js b/JSTests/stress/array-species-config-array-constructor.js >index ddc3ff2175f01dffec1326ea8073a065261a7480..d929f74bad18c0d43e145ff0c72de2f2e97a219d 100644 >--- a/JSTests/stress/array-species-config-array-constructor.js >+++ b/JSTests/stress/array-species-config-array-constructor.js >@@ -32,7 +32,7 @@ function shouldThrow(f, m) { > > function test() { > const message = "TypeError: Attempting to configure non-configurable property on a typed array at index: 0"; >- shouldThrow(() => foo.concat([1]), message); >+ foo.concat([1]); > foo = [1,2,3,4]; > shouldThrow(() => foo.slice(0), message); > foo = [1,2,3,4]; >diff --git a/JSTests/stress/put-direct-index-broken-2.js b/JSTests/stress/put-direct-index-broken-2.js >index ee6da71b41a3c0d025b0d445714020b483e7b982..71b2ccc1ee3914a5ba1824d54d16d1c9cbd6514d 100644 >--- a/JSTests/stress/put-direct-index-broken-2.js >+++ b/JSTests/stress/put-direct-index-broken-2.js >@@ -57,7 +57,7 @@ test(function() { > } catch(e) { > err = e; > } >- assert(err.toString() === "TypeError: Attempting to configure non-configurable property on a typed array at index: 0"); >+ assert(!err); > }); > > test(function() { >diff --git a/JSTests/stress/typed-array-canonical-numeric-index-string.js b/JSTests/stress/typed-array-canonical-numeric-index-string.js >new file mode 100644 >index 0000000000000000000000000000000000000000..83f41a221520b916647fa298b7caaef6570a3185 >--- /dev/null >+++ b/JSTests/stress/typed-array-canonical-numeric-index-string.js >@@ -0,0 +1,89 @@ >+//@ requireOptions("--forceEagerCompilation=true", "--osrExitCountForReoptimization=10", "--useConcurrentJIT=0") >+ >+const typedArrays = [ >+ Uint8ClampedArray, >+ Uint8Array, >+ Uint16Array, >+ Uint32Array, >+ Int8Array, >+ Int16Array, >+ Int32Array, >+ Float32Array, >+ Float64Array, >+]; >+ >+const failures = new Set(); >+ >+let value = 0; >+function makeTest(test) { >+ noInline(test); >+ >+ function assert(typedArray, condition, message) { >+ if (!condition) >+ failures.add(`${typedArray.name}: ${message}`); >+ } >+ >+ function testFor(typedArray, key) { >+ return new Function('key', 'typedArray', 'test', 'assert', ` >+ const value = ${value++} % 128; >+ const u8 = new typedArray(1); >+ u8[key] = value; >+ test(u8, key, value, assert); >+ `).bind(undefined, key, typedArray, test, assert.bind(undefined, typedArray)); >+ }; >+ >+ return function(keys) { >+ for (let typedArray of typedArrays) { >+ for (let key of keys) { >+ const runTest = testFor(typedArray, key); >+ noInline(runTest); >+ for (let i = 0; i < 10; i++) { >+ runTest(); >+ } >+ } >+ } >+ } >+} >+ >+const testInvalidIndices = makeTest((array, key, value, assert) => { >+ assert(array[key] === undefined, `${key} should not be set`); >+ assert(!(key in array), `${key} should not be in array`); >+ >+ const keys = Object.keys(array); >+ assert(keys.length === 1, `no new keys should be added`); >+ assert(keys[0] === '0', `'0' should be the only key`); >+ assert(array[0] === 0, `offset 0 should not have been modified`); >+}); >+ >+testInvalidIndices([ >+ '-0', >+ '-1', >+ -1, >+ 1, >+ 'Infinity', >+ '-Infinity', >+ 'NaN', >+ '0.1', >+ '4294967294', >+ '4294967295', >+ '4294967296', >+]); >+ >+const testValidIndices = makeTest((array, key, value, assert) => { >+ assert(array[key] === value, `${key.toString()} should be set to ${value}`); >+ assert(key in array, `should contain key ${key.toString()}`); >+}); >+ >+testValidIndices([ >+ '01', >+ '0.10', >+ '+Infinity', >+ '-NaN', >+ '-0.0', >+ '0', >+ 0, >+ Symbol('1'), >+]); >+ >+if (failures.size) >+ throw new Error(`Subtests failed:\n${Array.from(failures).join('\n')}`); >diff --git a/JSTests/stress/typedarray-access-monomorphic-neutered.js b/JSTests/stress/typedarray-access-monomorphic-neutered.js >index 009e5bf29f48a4ac7ef7267cef461b8a5eee8feb..81d7c3bd278c9e6f4c517d58c2fc7a786520671c 100644 >--- a/JSTests/stress/typedarray-access-monomorphic-neutered.js >+++ b/JSTests/stress/typedarray-access-monomorphic-neutered.js >@@ -28,7 +28,6 @@ for (let constructor of typedArrays) { > test("array[0]", array); > test("delete array[0]", array); > test("Object.getOwnPropertyDescriptor(array, 0)", array); >- test("Object.defineProperty(array, 0, { value: 1, writable: true, configurable: false, enumerable: true })", array); > test("array[0] = 1", array); > test("array[i] = 1", array); > } >@@ -48,7 +47,39 @@ for (let constructor of typedArrays) { > testFTL("array[0]", array, failArray); > testFTL("delete array[0]", array, failArray); > testFTL("Object.getOwnPropertyDescriptor(array, 0)", array, failArray); >- testFTL("Object.defineProperty(array, 0, { value: 1, writable: true, configurable: false, enumerable: true })", array, failArray); > testFTL("array[0] = 1", array, failArray); > testFTL("array[i] = 1", array, failArray); > } >+ >+ >+function checkNoException(array, thunk, count) { >+ thunk(array, count); >+} >+noInline(check); >+ >+function testNoException(thunk, array) { >+ let fn = Function("array", "i", thunk); >+ noInline(fn); >+ for (let i = 0; i < 10000; i++) >+ checkNoException(array, fn, i); >+} >+ >+for (let constructor of typedArrays) { >+ let array = new constructor(10); >+ transferArrayBuffer(array.buffer); >+ testNoException("Object.defineProperty(array, 0, { value: 1, writable: true, configurable: false, enumerable: true })", array); >+} >+ >+function testFTLNoException(thunk, array, failArray) { >+ let fn = Function("array", "i", thunk); >+ noInline(fn); >+ for (let i = 0; i < 10000; i++) >+ fn(array, i) >+ checkNoException(failArray, fn, 10000); >+} >+for (let constructor of typedArrays) { >+ let array = new constructor(10); >+ let failArray = new constructor(10); >+ transferArrayBuffer(failArray.buffer); >+ testFTLNoException("Object.defineProperty(array, 0, { value: 1, writable: true, configurable: false, enumerable: true })", array, failArray); >+} >diff --git a/JSTests/stress/typedarray-access-neutered.js b/JSTests/stress/typedarray-access-neutered.js >index 7a64211b7722126f357963dc6f566f8f4078a530..c52152fbbf1af82441a4369691e456b8be2db514 100644 >--- a/JSTests/stress/typedarray-access-neutered.js >+++ b/JSTests/stress/typedarray-access-neutered.js >@@ -25,6 +25,20 @@ for (let i = 0; i < 10000; i++) { > test((array) => array[0], i); > test((array) => delete array[0], i); > test((array) => Object.getOwnPropertyDescriptor(array, 0), i); >- test((array) => Object.defineProperty(array, 0, { value: 1, writable: true, configurable: false, enumerable: true }), i) > test((array) => array[0] = 1, i); > } >+ >+function checkNoException(thunk, count) { >+ let array = new constructor(10); >+ transferArrayBuffer(array.buffer); >+ thunk(array); >+} >+ >+function testNoException(thunk, count) { >+ for (constructor of typedArrays) >+ checkNoException(thunk, count); >+} >+ >+for (let i = 0; i < 10000; i++) { >+ testNoException((array) => Object.defineProperty(array, 0, { value: 1, writable: true, configurable: false, enumerable: true }), i) >+} >diff --git a/JSTests/test262/expectations.yaml b/JSTests/test262/expectations.yaml >index c321a3d8d82602734255d1c7331bbcc4d9d4df48..7c21398a425c36e83105d18a121b0acc4e30227e 100644 >--- a/JSTests/test262/expectations.yaml >+++ b/JSTests/test262/expectations.yaml >@@ -1394,18 +1394,12 @@ test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/conversion-ope > test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/desc-value-throws.js: > default: 'Test262Error: Expected a Test262Error but got a TypeError (Testing with Float64Array.)' > strict mode: 'Test262Error: Expected a Test262Error but got a TypeError (Testing with Float64Array.)' >+test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/detached-buffer-realm.js: >+ default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' >+ strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' > test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/detached-buffer.js: >- default: 'Test262Error: Return false before Detached Buffer check when value is a negative number Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >- strict mode: 'Test262Error: Return false before Detached Buffer check when value is a negative number Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >-test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/key-is-lower-than-zero.js: >- default: 'Test262Error: -1 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >- strict mode: 'Test262Error: -1 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >-test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/key-is-minus-zero.js: >- default: 'Test262Error: defineProperty returns false Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >- strict mode: 'Test262Error: defineProperty returns false Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >-test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/key-is-not-integer.js: >- default: 'Test262Error: 0.1 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >- strict mode: 'Test262Error: 0.1 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >+ default: 'Test262Error: Throws TypeError on valid numeric index if instance has a detached buffer Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' >+ strict mode: 'Test262Error: Throws TypeError on valid numeric index if instance has a detached buffer Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' > test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/key-is-numericindex.js: > default: 'Test262Error: property is writable Expected SameValue(ëfalseû, ëtrueû) to be true (Testing with Float64Array.)' > strict mode: 'Test262Error: property is writable Expected SameValue(ëfalseû, ëtrueû) to be true (Testing with Float64Array.)' >@@ -1415,12 +1409,6 @@ test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/set-value.js: > test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/tonumber-value-detached-buffer.js: > default: 'Test262Error: detaching a ArrayBuffer during defining an element of a typed array viewing it should throw Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' > strict mode: 'Test262Error: detaching a ArrayBuffer during defining an element of a typed array viewing it should throw Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' >-test/built-ins/TypedArrayConstructors/internals/Get/detached-buffer.js: >- default: 'Test262Error: detach buffer runs before checking for 1.1 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' >- strict mode: 'Test262Error: detach buffer runs before checking for 1.1 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' >-test/built-ins/TypedArrayConstructors/internals/Get/infinity-detached-buffer.js: >- default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' >- strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' > test/built-ins/TypedArrayConstructors/internals/Get/key-is-not-integer.js: > default: 'Test262Error: OrdinaryGet was called! Ref: 9.1.8.1 3.c (Testing with Float64Array.)' > strict mode: 'Test262Error: OrdinaryGet was called! Ref: 9.1.8.1 3.c (Testing with Float64Array.)' >@@ -1445,8 +1433,6 @@ test/built-ins/TypedArrayConstructors/internals/HasProperty/detached-buffer-real > test/built-ins/TypedArrayConstructors/internals/HasProperty/detached-buffer.js: > default: 'Test262Error: 0 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' > strict mode: 'Test262Error: 0 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' >-test/built-ins/TypedArrayConstructors/internals/HasProperty/infinity-with-detached-buffer.js: >- default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' > test/built-ins/TypedArrayConstructors/internals/HasProperty/inherited-property.js: > default: 'Test262Error: 42 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' > strict mode: 'Test262Error: 42 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >@@ -1462,18 +1448,6 @@ test/built-ins/TypedArrayConstructors/internals/HasProperty/key-is-minus-zero.js > test/built-ins/TypedArrayConstructors/internals/HasProperty/key-is-not-integer.js: > default: 'Test262Error: 1.1 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' > strict mode: 'Test262Error: 1.1 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >-test/built-ins/TypedArrayConstructors/internals/Set/detached-buffer.js: >- default: 'Test262Error: detach buffer runs before checking for 1.1 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' >- strict mode: 'Test262Error: detach buffer runs before checking for 1.1 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)' >-test/built-ins/TypedArrayConstructors/internals/Set/key-is-minus-zero.js: >- default: 'Test262Error: -0 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >- strict mode: 'Test262Error: -0 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >-test/built-ins/TypedArrayConstructors/internals/Set/key-is-not-integer.js: >- default: 'Test262Error: 1.1 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >- strict mode: 'Test262Error: 1.1 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >-test/built-ins/TypedArrayConstructors/internals/Set/key-is-out-of-bounds.js: >- default: 'Test262Error: -1 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' >- strict mode: 'Test262Error: -1 Expected SameValue(ëtrueû, ëfalseû) to be true (Testing with Float64Array.)' > test/built-ins/TypedArrayConstructors/internals/Set/tonumber-value-throws.js: > default: 'Test262Error: ToNumber runs before ToInteger(index) Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)' > strict mode: 'Test262Error: ToNumber runs before ToInteger(index) Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=368929">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 197228
:
368115
|
368126
|
368140
|
368153
|
368156
|
368157
|
368160
|
368163
|
368245
|
368262
|
368404
|
368444
|
368615
|
368687
|
368696
|
368929
|
368959
|
368977
|
368999
|
369064
|
369072