WebKit Bugzilla
Attachment 372944 Details for
Bug 199231
: speciesConstruct needs to throw if the result is a DataView
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
bug-199231-20190626133125.patch (text/plain), 6.74 KB, created by
Keith Miller
on 2019-06-26 13:31:26 PDT
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Keith Miller
Created:
2019-06-26 13:31:26 PDT
Size:
6.74 KB
patch
obsolete
>Subversion Revision: 246837 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index c974eedc160131db94f427c18dac7291ff3c28e2..16b9da340bf6ea2283e64e34dd56ab3774e1f256 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,17 @@ >+2019-06-26 Keith Miller <keith_miller@apple.com> >+ >+ speciesConstruct needs to throw if the result is a DataView >+ https://bugs.webkit.org/show_bug.cgi?id=199231 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Previously, we only checked that the result was a >+ JSArrayBufferView, which can include DataViews. This is incorrect >+ as the result should be only be a TypedArray. >+ >+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: >+ (JSC::speciesConstruct): >+ > 2019-06-26 Keith Miller <keith_miller@apple.com> > > remove unneeded didBecomePrototype() calls >diff --git a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h >index 89a9717232ec21a4d89bd632803ca4d88f8f7698..adb32793b92c7d7779f79e01829590e08a9ea16e 100644 >--- a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h >+++ b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h >@@ -70,6 +70,11 @@ inline JSArrayBufferView* speciesConstruct(ExecState* exec, JSObject* exemplar, > RETURN_IF_EXCEPTION(scope, nullptr); > > if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(vm, result)) { >+ if (view->type() == DataViewType) { >+ throwTypeError(exec, scope, "species constructor did not return a TypedArray View"_s); >+ return nullptr; >+ } >+ > if (!view->isNeutered()) > return view; > >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index aaf13ec3d085577230fe27679d434b77ec502671..186f5db80f1f7525b744579ee8cb1078c25e7cd9 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,19 @@ >+2019-06-26 Keith Miller <keith_miller@apple.com> >+ >+ speciesConstruct needs to throw if the result is a DataView >+ https://bugs.webkit.org/show_bug.cgi?id=199231 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/typedarray-filter.js: >+ (subclasses.forEach): >+ * stress/typedarray-map.js: >+ (subclasses.forEach): >+ * stress/typedarray-slice.js: >+ (typedArrays.forEach): >+ * stress/typedarray-subarray.js: >+ (subclasses.forEach): >+ > 2019-06-24 Commit Queue <commit-queue@webkit.org> > > Unreviewed, rolling out r246714. >diff --git a/JSTests/stress/typedarray-filter.js b/JSTests/stress/typedarray-filter.js >index 5e8592381708c368792a7c6e253e6b6bd410bb34..7ce7bbf636797bfde13535ac4f48187c5b0a4506 100644 >--- a/JSTests/stress/typedarray-filter.js >+++ b/JSTests/stress/typedarray-filter.js >@@ -91,6 +91,17 @@ shouldBeTrue("forEachTypedArray(subclasses, testSpeciesIsDefault)"); > subclasses.forEach(function(constructor) { constructor[Symbol.species] = undefined; }); > shouldBeTrue("forEachTypedArray(subclasses, testSpeciesIsDefault)"); > >+subclasses.forEach(function(constructor) { constructor[Symbol.species] = () => new DataView(new ArrayBuffer()); }); >+function testSpeciesReturnsDataView(array, constructor) { >+ try { >+ array.filter(accept); >+ } catch (e) { >+ return e instanceof TypeError; >+ } >+ return false; >+} >+shouldBeTrue("forEachTypedArray(subclasses, testSpeciesReturnsDataView)"); >+ > subclasses = typedArrays.map(function(constructor) { return class extends constructor { } } ); > function testSpeciesRemoveConstructor(array, constructor) { > array.constructor = undefined; >@@ -100,4 +111,5 @@ function testSpeciesRemoveConstructor(array, constructor) { > } > > shouldBeTrue("forEachTypedArray(subclasses, testSpeciesRemoveConstructor)"); >+ > finishJSTest(); >diff --git a/JSTests/stress/typedarray-map.js b/JSTests/stress/typedarray-map.js >index 1d9a890d22c32fa95ffde5281ae15b6283faafa6..8dad222ccf5019a3af093866af93add67c065c12 100644 >--- a/JSTests/stress/typedarray-map.js >+++ b/JSTests/stress/typedarray-map.js >@@ -90,6 +90,17 @@ shouldBeTrue("forEachTypedArray(subclasses, testSpeciesIsDefault)"); > subclasses.forEach(function(constructor) { constructor[Symbol.species] = undefined; }); > shouldBeTrue("forEachTypedArray(subclasses, testSpeciesIsDefault)"); > >+subclasses.forEach(function(constructor) { constructor[Symbol.species] = () => new DataView(new ArrayBuffer()); }); >+function testSpeciesReturnsDataView(array, constructor) { >+ try { >+ array.map(id); >+ } catch (e) { >+ return e instanceof TypeError; >+ } >+ return false; >+} >+shouldBeTrue("forEachTypedArray(subclasses, testSpeciesReturnsDataView)"); >+ > subclasses = typedArrays.map(function(constructor) { return class extends constructor { } } ); > function testSpeciesRemoveConstructor(array, constructor) { > array.constructor = undefined; >diff --git a/JSTests/stress/typedarray-slice.js b/JSTests/stress/typedarray-slice.js >index 99cbba6f6ab205c28c00f0fc160716193044fe1f..fbcb1f8b15d4d8084fde64501ea7f50c4e5a489e 100644 >--- a/JSTests/stress/typedarray-slice.js >+++ b/JSTests/stress/typedarray-slice.js >@@ -169,4 +169,15 @@ function testSpeciesWithTransferring(unused, constructor) { > > shouldBeTrue("forEachTypedArray(typedArrays, testSpeciesWithTransferring)"); > >+typedArrays.forEach(function(constructor) { constructor[Symbol.species] = () => new DataView(new ArrayBuffer()); }); >+function testSpeciesReturnsDataView(array, constructor) { >+ try { >+ array.slice(0, 1); >+ } catch (e) { >+ return e instanceof TypeError; >+ } >+ return false; >+} >+shouldBeTrue("forEachTypedArray(typedArrays, testSpeciesReturnsDataView)"); >+ > finishJSTest(); >diff --git a/JSTests/stress/typedarray-subarray.js b/JSTests/stress/typedarray-subarray.js >index eb730e4ba457d924c560ee2d8be712232f9b490d..8f3295f01f52129b2b83512d27a40e86c7de98f6 100644 >--- a/JSTests/stress/typedarray-subarray.js >+++ b/JSTests/stress/typedarray-subarray.js >@@ -48,6 +48,17 @@ shouldBeTrue("forEachTypedArray(subclasses, testSpeciesIsDefault)"); > subclasses.forEach(function(constructor) { constructor[Symbol.species] = undefined; }); > shouldBeTrue("forEachTypedArray(subclasses, testSpeciesIsDefault)"); > >+subclasses.forEach(function(constructor) { constructor[Symbol.species] = () => new DataView(new ArrayBuffer()); }); >+function testSpeciesReturnsDataView(array, constructor) { >+ try { >+ array.subarray(0, 0); >+ } catch (e) { >+ return e instanceof TypeError; >+ } >+ return false; >+} >+shouldBeTrue("forEachTypedArray(subclasses, testSpeciesReturnsDataView)"); >+ > subclasses = typedArrays.map(function(constructor) { return class extends constructor { } } ); > function testSpeciesRemoveConstructor(array, constructor) { > array.constructor = undefined;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=372944">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 199231
: 372944