Changeset 246851 in webkit


Ignore:
Timestamp:
Jun 26, 2019 4:07:28 PM (5 years ago)
Author:
keith_miller@apple.com
Message:

speciesConstruct needs to throw if the result is a DataView
https://bugs.webkit.org/show_bug.cgi?id=199231

Reviewed by Mark Lam.

JSTests:

  • stress/typedarray-filter.js:

(subclasses.forEach):

  • stress/typedarray-map.js:

(subclasses.forEach):

  • stress/typedarray-slice.js:

(typedArrays.forEach):

  • stress/typedarray-subarray.js:

(subclasses.forEach):

Source/JavaScriptCore:

Previously, we only checked that the result was a
JSArrayBufferView, which can include DataViews. This is incorrect
as the result should be only be a TypedArray.

  • runtime/JSGenericTypedArrayViewPrototypeFunctions.h:

(JSC::speciesConstruct):

Location:
trunk
Files:
7 edited

Legend:

Unmodified
Added
Removed

  • trunk/JSTests/ChangeLog

    r246780 r246851  
     12019-06-26  Keith Miller  <keith_miller@apple.com>
     2
     3        speciesConstruct needs to throw if the result is a DataView
     4        https://bugs.webkit.org/show_bug.cgi?id=199231
     5
     6        Reviewed by Mark Lam.
     7
     8        * stress/typedarray-filter.js:
     9        (subclasses.forEach):
     10        * stress/typedarray-map.js:
     11        (subclasses.forEach):
     12        * stress/typedarray-slice.js:
     13        (typedArrays.forEach):
     14        * stress/typedarray-subarray.js:
     15        (subclasses.forEach):
     16
    1172019-06-24  Commit Queue  <commit-queue@webkit.org>
    218

  • trunk/JSTests/stress/typedarray-filter.js

    r196950 r246851  
    9292shouldBeTrue("forEachTypedArray(subclasses, testSpeciesIsDefault)");
    9393
     94subclasses.forEach(function(constructor) { constructor[Symbol.species] = () => new DataView(new ArrayBuffer()); });
     95function testSpeciesReturnsDataView(array, constructor) {
     96    try {
     97        array.filter(accept);
     98    } catch (e) {
     99        return e instanceof TypeError;
     100    }
     101    return false;
     102}
     103shouldBeTrue("forEachTypedArray(subclasses, testSpeciesReturnsDataView)");
     104
    94105subclasses = typedArrays.map(function(constructor) { return class extends constructor { } } );
    95106function testSpeciesRemoveConstructor(array, constructor) {
     
    101112
    102113shouldBeTrue("forEachTypedArray(subclasses, testSpeciesRemoveConstructor)");
     114
    103115finishJSTest();

  • trunk/JSTests/stress/typedarray-map.js

    r196950 r246851  
    9191shouldBeTrue("forEachTypedArray(subclasses, testSpeciesIsDefault)");
    9292
     93subclasses.forEach(function(constructor) { constructor[Symbol.species] = () => new DataView(new ArrayBuffer()); });
     94function testSpeciesReturnsDataView(array, constructor) {
     95    try {
     96        array.map(id);
     97    } catch (e) {
     98        return e instanceof TypeError;
     99    }
     100    return false;
     101}
     102shouldBeTrue("forEachTypedArray(subclasses, testSpeciesReturnsDataView)");
     103
    93104subclasses = typedArrays.map(function(constructor) { return class extends constructor { } } );
    94105function testSpeciesRemoveConstructor(array, constructor) {

  • trunk/JSTests/stress/typedarray-slice.js

    r204868 r246851  
    170170shouldBeTrue("forEachTypedArray(typedArrays, testSpeciesWithTransferring)");
    171171
     172typedArrays.forEach(function(constructor) { constructor[Symbol.species] = () => new DataView(new ArrayBuffer()); });
     173function testSpeciesReturnsDataView(array, constructor) {
     174    try {
     175        array.slice(0, 1);
     176    } catch (e) {
     177        return e instanceof TypeError;
     178    }
     179    return false;
     180}
     181shouldBeTrue("forEachTypedArray(typedArrays, testSpeciesReturnsDataView)");
     182
    172183finishJSTest();

  • trunk/JSTests/stress/typedarray-subarray.js

    r203351 r246851  
    4949shouldBeTrue("forEachTypedArray(subclasses, testSpeciesIsDefault)");
    5050
     51subclasses.forEach(function(constructor) { constructor[Symbol.species] = () => new DataView(new ArrayBuffer()); });
     52function testSpeciesReturnsDataView(array, constructor) {
     53    try {
     54        array.subarray(0, 0);
     55    } catch (e) {
     56        return e instanceof TypeError;
     57    }
     58    return false;
     59}
     60shouldBeTrue("forEachTypedArray(subclasses, testSpeciesReturnsDataView)");
     61
    5162subclasses = typedArrays.map(function(constructor) { return class extends constructor { } } );
    5263function testSpeciesRemoveConstructor(array, constructor) {

  • trunk/Source/JavaScriptCore/ChangeLog

    r246850 r246851  
     12019-06-26  Keith Miller  <keith_miller@apple.com>
     2
     3        speciesConstruct needs to throw if the result is a DataView
     4        https://bugs.webkit.org/show_bug.cgi?id=199231
     5
     6        Reviewed by Mark Lam.
     7
     8        Previously, we only checked that the result was a
     9        JSArrayBufferView, which can include DataViews. This is incorrect
     10        as the result should be only be a TypedArray.
     11
     12        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
     13        (JSC::speciesConstruct):
     14
    1152019-06-26  Joseph Pecoraro  <pecoraro@apple.com>
    216

  • trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

    r243391 r246851  
    7171
    7272    if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(vm, result)) {
     73        if (view->type() == DataViewType) {
     74            throwTypeError(exec, scope, "species constructor did not return a TypedArray View"_s);
     75            return nullptr;
     76        }
     77
    7378        if (!view->isNeutered())
    7479            return view;
Note: See TracChangeset for help on using the changeset viewer.