Changeset 244806 in webkit
Timestamp:
Apr 30, 2019 3:25:09 PM (5 years ago)
Author:
Tadeu Zagallo
Message:

TypedArrays should not store properties that are canonical numeric indices
https://bugs.webkit.org/show_bug.cgi?id=197228
<rdar://problem/49557381>

Reviewed by Darin Adler.

JSTests:

  • stress/typed-array-canonical-numeric-index-string.js: Added.

(makeTest.assert):
(makeTest):
(const.testInvalidIndices.makeTest.set assert):
(const.testInvalidIndices.makeTest):
(const.testValidIndices.makeTest.set assert):
(const.testValidIndices.makeTest):

Source/JavaScriptCore:

According to the spec[1], TypedArrays should not perform an ordinary GetOwnProperty/SetOwnProperty
if the index is a CanonicalNumericIndexString, but invalid according to IntegerIndexedElementGet
and similar functions. I.e., there are a few properties that should not be set in a TypedArray,
like NaN, Infinity and -0.

[1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-integer-indexed-exotic-objects-defineownproperty-p-desc

  • CMakeLists.txt:
  • JavaScriptCore.xcodeproj/project.pbxproj:
  • runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
(JSC::JSGenericTypedArrayView<Adaptor>::put):
(JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
(JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):

  • runtime/JSTypedArrays.cpp:
  • runtime/PropertyName.h:

(JSC::canonicalNumericIndexString):

LayoutTests:

  • fast/canvas/canvas-ImageData-behaviour-expected.txt:
  • fast/canvas/canvas-ImageData-behaviour.js:
Location:
trunk
Files:
1 added
10 edited
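The commit message above relies on two ES2018 algorithms, CanonicalNumericIndexString and the integer-index validity test inside IntegerIndexedElementGet/IntegerIndexedElementSet. The following is an added example, not code from this WebKit change or from JavaScriptCore: it writes both algorithms out in JavaScript and wraps them in a small model of an integer-indexed exotic object, which shows why the canvas layout test's `imageData.data[-1]` write now reads back `undefined` while `imageData.data['foo']` keeps its value. The length 16, the key list and the helper names (`classifyTypedArrayKey`, `IntegerIndexedModel`, `setThenGet`, `hostEngineDisagreements`) are constructed for illustration; the last one compares the model against whatever engine runs the file and is not part of the spec.

```javascript
'use strict';
// Added example (not part of the WebKit change): the ES2018 algorithms behind the fix.
// Spec: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-canonicalnumericindexstring

// ToPropertyKey as it applies to bracket access: numbers become strings, symbols stay symbols.
function toPropertyKey(key) {
  return typeof key === 'symbol' ? key : String(key);
}

// CanonicalNumericIndexString(argument): "-0" is special-cased because ToString(-0) is "0";
// every other string must round-trip through ToNumber and ToString unchanged.
function canonicalNumericIndexString(argument) {
  if (typeof argument !== 'string') return undefined; // step 1: Type(argument) must be String
  if (argument === '-0') return -0;                    // step 2
  const n = Number(argument);                          // step 3: ToNumber
  if (String(n) !== argument) return undefined;        // step 4: SameValue(ToString(n), argument)
  return n;                                            // step 5
}

// Validity test shared by IntegerIndexedElementGet/Set in ES2018:
// the index must be an integer, must not be -0, and must lie in [0, length).
function isValidIntegerIndex(length, index) {
  if (!Number.isInteger(index)) return false; // rejects NaN, +/-Infinity, 1.5
  if (Object.is(index, -0)) return false;
  return index >= 0 && index < length;
}

// What [[Get]]/[[Set]] do with a key on an integer-indexed exotic object of the given length:
//   'element'  -> backed by the buffer
//   'ignored'  -> canonical numeric string but invalid index: reads give undefined, writes store nothing
//   'ordinary' -> ordinary own property (e.g. "foo", "01", "1e3")
function classifyTypedArrayKey(length, key) {
  const numericIndex = canonicalNumericIndexString(toPropertyKey(key));
  if (numericIndex === undefined) return 'ordinary';
  return isValidIntegerIndex(length, numericIndex) ? 'element' : 'ignored';
}

// Minimal model of the exotic object: elements in an array, ordinary properties in a Map.
class IntegerIndexedModel {
  constructor(length) {
    this.elements = new Array(length).fill(0);
    this.named = new Map();
  }
  // Returns the boolean [[Set]] result; in ES2018 an ignored key yields false,
  // which PutValue turns into a TypeError in strict code.
  set(key, value) {
    const p = toPropertyKey(key);
    switch (classifyTypedArrayKey(this.elements.length, p)) {
      case 'element': this.elements[Number(p)] = value; return true;
      case 'ignored': return false;
      default: this.named.set(p, value); return true;
    }
  }
  get(key) {
    const p = toPropertyKey(key);
    switch (classifyTypedArrayKey(this.elements.length, p)) {
      case 'element': return this.elements[Number(p)];
      case 'ignored': return undefined;
      default: return this.named.get(p);
    }
  }
}

// Write then read back one key, as the canvas layout test on this page does.
function setThenGet(length, key, value) {
  const view = new IntegerIndexedModel(length);
  view.set(key, value);
  return view.get(key);
}

// Hypothetical helper: keys where the host engine's Uint8Array disagrees with the model.
// A strict-mode TypeError on the write (ES2018 behaviour) counts as "nothing stored".
function hostEngineDisagreements(length, keys) {
  const mismatches = [];
  for (const key of keys) {
    const model = new IntegerIndexedModel(length);
    const real = new Uint8Array(length);
    model.set(key, 1);
    try { real[key] = 1; } catch (e) { /* write rejected, same as an ignored key */ }
    if (model.get(key) !== real[key]) mismatches.push(String(key));
  }
  return mismatches;
}

// Constructed key list; the length 16 is an assumption, not taken from the layout test.
const SAMPLE_KEYS = ['foo', -1, 17, 0, 15, 'NaN', 'Infinity', '-Infinity', '-0', '1.5', '01', '1e3', ' 1', ''];

if (typeof require !== 'undefined' && require.main === module) {
  for (const key of SAMPLE_KEYS)
    console.log(JSON.stringify(key), '->', classifyTypedArrayKey(16, key));
  console.log('host engine disagreements:', hostEngineDisagreements(16, SAMPLE_KEYS));
}
```

Keys such as `"01"`, `"1e3"` and `" 1"` stay ordinary properties because they do not survive the ToNumber/ToString round trip, which is exactly why the round-trip comparison in the new `canonicalNumericIndexString` in PropertyName.h is needed rather than a plain "does it parse as a number" test.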

  • trunk/JSTests/ChangeLog

    r244760 r244806  
     12019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
     2
     3        TypeArrays should not store properties that are canonical numeric indices
     4        https://bugs.webkit.org/show_bug.cgi?id=197228
     5        <rdar://problem/49557381>
     6
     7        Reviewed by Darin Adler.
     8
     9        * stress/typed-array-canonical-numeric-index-string.js: Added.
     10        (makeTest.assert):
     11        (makeTest):
     12        (const.testInvalidIndices.makeTest.set assert):
     13        (const.testInvalidIndices.makeTest):
     14        (const.testValidIndices.makeTest.set assert):
     15        (const.testValidIndices.makeTest):
     16
    1172019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
    218
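Review bot: the title on line 3 reads "TypeArrays" where the class is TypedArrays; the same title is repeated in the LayoutTests and JavaScriptCore ChangeLog entries, so all three should be corrected together.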
  • trunk/LayoutTests/ChangeLog

    r244800 r244806  
     12019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
     2
     3        TypeArrays should not store properties that are canonical numeric indices
     4        https://bugs.webkit.org/show_bug.cgi?id=197228
     5        <rdar://problem/49557381>
     6
     7        Reviewed by Darin Adler.
     8
     9        * fast/canvas/canvas-ImageData-behaviour-expected.txt:
     10        * fast/canvas/canvas-ImageData-behaviour.js:
     11
    1122019-04-30  Commit Queue  <commit-queue@webkit.org>
    213
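Review bot: the entry lists the two canvas files but gives no reason for the expectation change; one sentence such as "data[-1] is a CanonicalNumericIndexString but not a valid integer index, so the write is now ignored and the read yields undefined" would let a future reader connect this expectation change to the JSC fix.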
  • trunk/LayoutTests/fast/canvas/canvas-ImageData-behaviour-expected.txt

    r126023 r244806  
    4444PASS imageData.data[0] = undefined, imageData.data[0] is 0
    4545PASS imageData.data['foo']='garbage',imageData.data['foo'] is 'garbage'
    46 PASS imageData.data[-1]='garbage',imageData.data[-1] is 'garbage'
     46PASS imageData.data[-1]='garbage',imageData.data[-1] is undefined
    4747PASS imageData.data[17]='garbage',imageData.data[17] is undefined
    4848PASS successfullyParsed is true
  • trunk/LayoutTests/fast/canvas/canvas-ImageData-behaviour.js

    r126023 r244806  
    2222
    2323shouldBe("imageData.data['foo']='garbage',imageData.data['foo']", "'garbage'");
    24 shouldBe("imageData.data[-1]='garbage',imageData.data[-1]", "'garbage'");
     24shouldBe("imageData.data[-1]='garbage',imageData.data[-1]", "undefined");
    2525shouldBe("imageData.data[17]='garbage',imageData.data[17]", "undefined");
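Review bot: the test now covers "-1" and the out-of-range "17", but none of the keys the JSC ChangeLog names as motivation ("NaN", "Infinity", "-0") nor a non-integer such as "1.5"; adding e.g. `shouldBe("imageData.data['-0']='garbage',imageData.data['-0']", "undefined");` here would exercise the new canonicalNumericIndexString path directly from a DOM-backed view (the added stress test may do so, but its contents are not part of this changeset view).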
  • trunk/Source/JavaScriptCore/CMakeLists.txt

    r244741 r244806  
    858858    runtime/JSGlobalLexicalEnvironment.h
    859859    runtime/JSGlobalObject.h
     860    runtime/JSGlobalObjectFunctions.h
    860861    runtime/JSGlobalObjectInlines.h
    861862    runtime/JSImmutableButterfly.h
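Review bot: exporting runtime/JSGlobalObjectFunctions.h is required only because PropertyName.h, itself an exported header, now includes it; the Xcode project change marks the same header Private for the same reason. State that in the ChangeLog entry for CMakeLists.txt, which currently carries no description, so the dependency is not mistaken for an unrelated header reshuffle.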
  • trunk/Source/JavaScriptCore/ChangeLog

    r244791 r244806  
     12019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
     2
     3        TypeArrays should not store properties that are canonical numeric indices
     4        https://bugs.webkit.org/show_bug.cgi?id=197228
     5        <rdar://problem/49557381>
     6
     7        Reviewed by Darin Adler.
     8
     9        According to the spec[1], TypedArrays should not perform an ordinary GetOwnProperty/SetOwnProperty
     10        if the index is a CanonicalNumericIndexString, but invalid according toIntegerIndexedElementGet
     11        and similar functions. I.e., there are a few properties that should not be set in a TypedArray,
     12        like NaN, Infinity and -0.
     13
     14        [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-integer-indexed-exotic-objects-defineownproperty-p-desc
     15
     16        * CMakeLists.txt:
     17        * JavaScriptCore.xcodeproj/project.pbxproj:
     18        * runtime/JSGenericTypedArrayViewInlines.h:
     19        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
     20        (JSC::JSGenericTypedArrayView<Adaptor>::put):
     21        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
     22        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
     23        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
     24        * runtime/JSTypedArrays.cpp:
     25        * runtime/PropertyName.h:
     26        (JSC::canonicalNumericIndexString):
     27
    1282019-04-30  Brian Burg  <bburg@apple.com>
    229
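Review bot: "according toIntegerIndexedElementGet" on line 10 is missing a space and "TypeArrays" on line 3 should be "TypedArrays". The description also omits a behaviour change visible in JSGenericTypedArrayViewInlines.h: getOwnPropertySlotByIndex and putByIndex no longer forward indices above MAX_ARRAY_INDEX to the named-property path but return false, and putByIndex no longer consults shouldThrow. Mention both so the next reader does not take them for accidental changes.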
  • trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

    r244652 r244806  
    16701670                BC3046070E1F497F003232CF /* Error.h in Headers */ = {isa = PBXBuildFile; fileRef = BC3046060E1F497F003232CF /* Error.h */; settings = {ATTRIBUTES = (Private, ); }; };
    16711671                BC6AAAE50E1F426500AD87D8 /* ClassInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = BC6AAAE40E1F426500AD87D8 /* ClassInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
    1672                 BC756FC90E2031B200DE7D12 /* JSGlobalObjectFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = BC756FC70E2031B200DE7D12 /* JSGlobalObjectFunctions.h */; };
     1672                BC756FC90E2031B200DE7D12 /* JSGlobalObjectFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = BC756FC70E2031B200DE7D12 /* JSGlobalObjectFunctions.h */; settings = {ATTRIBUTES = (Private, ); }; };
    16731673                BC87CDB910712AD4000614CF /* JSONObject.lut.h in Headers */ = {isa = PBXBuildFile; fileRef = BC87CDB810712ACA000614CF /* JSONObject.lut.h */; };
    16741674                BC9041480EB9250900FE26FA /* StructureTransitionTable.h in Headers */ = {isa = PBXBuildFile; fileRef = BC9041470EB9250900FE26FA /* StructureTransitionTable.h */; settings = {ATTRIBUTES = (Private, ); }; };
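Review bot: the only change is adding `settings = {ATTRIBUTES = (Private, ); }` so JSGlobalObjectFunctions.h is installed as a private header next to PropertyName.h, which now includes it; this matches the CMakeLists.txt change and needs no further action.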
  • trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

    r241244 r244806  
    11/*
    2  * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    360360        return false;
    361361    }
    362    
     362
     363    if (canonicalNumericIndexString(propertyName))
     364        return false;
     365
    363366    return Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
    364367}
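Review bot: returning false here reports the key as not an own property of the view. If the generic lookup then continues along the prototype chain after a false return, a property named e.g. "-0" placed on %TypedArray%.prototype becomes observable through the view, whereas the spec's [[Get]] for an integer-indexed exotic object with a canonical numeric key returns the IntegerIndexedElementGet result (undefined) without consulting the prototype. Please confirm either that the prototype walk does not apply on this path or that the deviation is acceptable.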
     
    376379    if (Optional<uint32_t> index = parseIndex(propertyName))
    377380        return putByIndex(thisObject, exec, index.value(), value, slot.isStrictMode());
    378    
     381
     382    if (canonicalNumericIndexString(propertyName))
     383        return false;
     384
    379385    return Base::put(thisObject, exec, propertyName, value, slot);
    380386}
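Review bot: the new early return discards the strict-mode flag that is available as slot.isStrictMode() two lines above. Under the ES2018 text linked in the ChangeLog, [[Set]] returns the false produced by IntegerIndexedElementSet and PutValue turns that into a TypeError in strict code; here strict code gets a silent false. If silent failure is intended, say so in the ChangeLog; otherwise raise the TypeError when slot.isStrictMode() is true, as the read-only property path does.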
     
    411417        return true;
    412418    }
    413    
     419
     420    if (canonicalNumericIndexString(propertyName))
     421        return false;
     422
    414423    RELEASE_AND_RETURN(scope, Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow));
    415424}
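Review bot: same pattern as in put: shouldThrow is not consulted on the new early return. Object.defineProperty goes through DefinePropertyOrThrow, which throws a TypeError when [[DefineOwnProperty]] returns false, so unless the caller converts a bare false into an exception, `Object.defineProperty(view, "-0", { value: 1 })` will appear to succeed while storing nothing. Consider `return typeError(exec, scope, shouldThrow, <message>)` (scope already exists here, see the RELEASE_AND_RETURN below) or document why a silent false is correct.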
     
    434443template<typename Adaptor>
    435444bool JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex(
    436     JSObject* object, ExecState* exec, unsigned propertyName, PropertySlot& slot)
     445    JSObject* object, ExecState*, unsigned propertyName, PropertySlot& slot)
    437446{
    438447    JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(object);
     
    443452    }
    444453
    445     if (propertyName > MAX_ARRAY_INDEX) {
    446         return thisObject->methodTable(exec->vm())->getOwnPropertySlot(
    447             thisObject, exec, Identifier::from(exec, propertyName), slot);
    448     }
     454    if (propertyName > MAX_ARRAY_INDEX)
     455        return false;
    449456   
    450457    if (!thisObject->canGetIndexQuickly(propertyName))
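Review bot: this replaces a forward to the named-property lookup with a bare false for indices above MAX_ARRAY_INDEX. That is consistent with the new getOwnPropertySlot check (such an index, as a string, is a canonical numeric index string and would be rejected there too) and drops an Identifier allocation, but it is a behaviour change the ChangeLog does not mention; add a sentence there. The prototype-walk question raised for getOwnPropertySlot applies to this false return as well.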
     
    457464template<typename Adaptor>
    458465bool JSGenericTypedArrayView<Adaptor>::putByIndex(
    459     JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow)
     466    JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value, bool)
    460467{
    461468    JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(cell);
    462469
    463     if (propertyName > MAX_ARRAY_INDEX) {
    464         PutPropertySlot slot(JSValue(thisObject), shouldThrow);
    465         return thisObject->methodTable(exec->vm())->put(thisObject, exec, Identifier::from(exec, propertyName), value, slot);
    466     }
     470    if (propertyName > MAX_ARRAY_INDEX)
     471        return false;
    467472   
    468473    return thisObject->setIndex(exec, propertyName, value);
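Review bot: the removed branch honoured shouldThrow through a PutPropertySlot; the replacement returns false regardless, and the parameter is now unnamed. An index above MAX_ARRAY_INDEX is necessarily at or beyond the view's length, so ES2018 IntegerIndexedElementSet returns false for it and strict code is expected to see a TypeError; either raise it here when shouldThrow is set or note the deviation in the ChangeLog. Leaving the parameter named would also make it obvious to the next reader that it is deliberately unused.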
  • trunk/Source/JavaScriptCore/runtime/JSTypedArrays.cpp

    r221954 r244806  
    5656}
    5757
    58 
    5958} // namespace JSC
    6059
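Review bot: whitespace-only change (drops a trailing blank line) unrelated to the fix; harmless, but the ChangeLog lists this file with no description, so a reader will look for a substantive change that is not there. Either drop the hunk or mark the entry as a whitespace cleanup.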
  • trunk/Source/JavaScriptCore/runtime/PropertyName.h

    r239427 r244806  
    2727
    2828#include "Identifier.h"
     29#include "JSGlobalObjectFunctions.h"
    2930#include "PrivateName.h"
    3031#include <wtf/Optional.h>
     32#include <wtf/dtoa.h>
    3133
    3234namespace JSC {
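Review bot: pulling JSGlobalObjectFunctions.h into PropertyName.h, a header included across the runtime, adds a broad dependency just for jsToNumber, and it is what forces the CMakeLists.txt and Xcode changes that export that header. A forward declaration of jsToNumber, or moving canonicalNumericIndexString out of line into a .cpp, would avoid widening the exported header surface and the extra include on every translation unit that touches PropertyName.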
     
    131133}
    132134
     135// https://www.ecma-international.org/ecma-262/9.0/index.html#sec-canonicalnumericindexstring
     136ALWAYS_INLINE Optional<double> canonicalNumericIndexString(const PropertyName& propertyName)
     137{
     138    StringImpl* property = propertyName.uid();
     139    if (equal(property, "-0"))
     140        return { -0.0 };
     141    double index = jsToNumber(property);
     142    NumberToStringBuffer buffer;
     143    const char* indexString = WTF::numberToString(index, buffer);
     144    if (!equal(property, indexString))
     145        return WTF::nullopt;
     146    return { index };
     147}
     148
    133149} // namespace JSC
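Review bot: the function never checks for Symbol keys, while the spec step it cites applies only when Type(P) is String; a PropertyName can carry a Symbol, and the three callers in JSGenericTypedArrayViewInlines.h now return false for anything this returns engaged, so an early `if (propertyName.isSymbol()) return WTF::nullopt;` is needed unless uid() of a symbol can never compare equal to a numeric string. Second, every non-index named access on a typed array (length, buffer, subarray, ...) now pays for jsToNumber plus numberToString before reaching Base::getOwnPropertySlot; a canonical numeric string can only begin with a digit, '-', 'I' or 'N', so rejecting any other first character up front keeps the common case cheap. The "-0" special case and the ToString round trip otherwise match the linked algorithm step for step.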