Changeset 207204 in webkit

Timestamp:

Oct 12, 2016 1:41:25 AM (8 years ago)

Author:

matthew_hanson@apple.com

Message:

Merge r204868. rdar://problem/28216263

Location:

branches/safari-602-branch

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/typedarray-slice.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h (modified) (2 diffs)

branches/safari-602-branch/JSTests/ChangeLog

@@ +1 @@
+2016-10-12  Matthew Hanson  <matthew_hanson@apple.com>
+
+        Merge r204868. rdar://problem/28216263
+
+    2016-08-23  Keith Miller  <keith_miller@apple.com>
+
+            %TypedArray%.prototype.slice needs to check that the source and destination have not been detached.
+            https://bugs.webkit.org/show_bug.cgi?id=161031
+            <rdar://problem/27937019>
+
+            Reviewed by Geoffrey Garen.
+
+            * stress/typedarray-slice.js:
+            (get let):
+            (get try):
+            (testSpeciesWithTransferring):
+
 2016-10-12  Matthew Hanson  <matthew_hanson@apple.com>
 

branches/safari-602-branch/JSTests/stress/typedarray-slice.js

@@ -136 +136 @@
     });
 }
-
 shouldBeTrue("forEachTypedArray(subclasses, testSpeciesWithSameBuffer)");
 
+function testSpeciesWithTransferring(unused, constructor) {
+
+    let array = new constructor(10);
+    Object.defineProperty(constructor, Symbol.species, { get() {
+        transferArrayBuffer(array.buffer);
+        return undefined;
+    }, configurable: true });
+
+    try {
+        array.slice(0,1);
+        return false;
+    } catch (e) { }
+
+    array = new constructor(10);
+    Object.defineProperty(constructor, Symbol.species, { get() {
+        return function(len) {
+            let a = new constructor(len);
+            transferArrayBuffer(a.buffer);
+            return a;
+        }
+    }, configurable: true });
+
+    try {
+        array.slice(0,1);
+        return false;
+    } catch (e) { }
+
+    return true;
+}
+
+shouldBeTrue("forEachTypedArray(typedArrays, testSpeciesWithTransferring)");
 
 finishJSTest();

branches/safari-602-branch/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-10-12  Matthew Hanson  <matthew_hanson@apple.com>
+
+        Merge r204868. rdar://problem/28216263
+
+    2016-08-23  Keith Miller  <keith_miller@apple.com>
+
+            %TypedArray%.prototype.slice needs to check that the source and destination have not been detached.
+            https://bugs.webkit.org/show_bug.cgi?id=161031
+            <rdar://problem/27937019>
+
+            Reviewed by Geoffrey Garen.
+
+            * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+            (JSC::speciesConstruct):
+            (JSC::genericTypedArrayViewProtoFuncSlice):
+
 2016-10-12  Matthew Hanson  <matthew_hanson@apple.com>
 

branches/safari-602-branch/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

@@ -70 +70 @@
         return nullptr;
 
-    if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(result))
-        return view;
+    if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(result)) {
+        if (!view->isNeutered())
+            return view;
+
+        throwTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
+        return nullptr;
+    }
 
     throwTypeError(exec, ASCIILiteral("species constructor did not return a TypedArray View"));
@@ -442 +447 @@
         return JSValue::encode(JSValue());
 
+    ASSERT(!result->isNeutered());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
+
     // We return early here since we don't allocate a backing store if length is 0 and memmove does not like nullptrs
     if (!length)