Title: [233718] trunk
- Revision
- 233718
- Author
- keith_mil...@apple.com
- Date
- 2018-07-10 18:28:35 -0700 (Tue, 10 Jul 2018)
Log Message
hasOwnProperty returns true for out of bounds property index on TypedArray
https://bugs.webkit.org/show_bug.cgi?id=187520
Reviewed by Saam Barati.
JSTests:
getOwnPropertySlot returns true on out-of-bounds indices for
TypedArrays, which is incorrect.
* stress/typedarray-hasOwnProperty-out-of-bounds.js: Added.
(test):
Source/_javascript_Core:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (233717 => 233718)
--- trunk/JSTests/ChangeLog 2018-07-11 01:03:18 UTC (rev 233717)
+++ trunk/JSTests/ChangeLog 2018-07-11 01:28:35 UTC (rev 233718)
@@ -1,3 +1,16 @@
+2018-07-10 Keith Miller <keith_mil...@apple.com>
+
+ hasOwnProperty returns true for out of bounds property index on TypedArray
+ https://bugs.webkit.org/show_bug.cgi?id=187520
+
+ Reviewed by Saam Barati.
+
+ getOwnPropertySlot returns true on out of bounds indicies for
+ TypedArrays, which is incorrect.
+
+ * stress/typedarray-hasOwnProperty-out-of-bounds.js: Added.
+ (test):
+
2018-07-10 Michael Saboff <msab...@apple.com>
DFG JIT: compileMathIC produces incorrect machine code
Added: trunk/JSTests/stress/typedarray-hasOwnProperty-out-of-bounds.js (0 => 233718)
--- trunk/JSTests/stress/typedarray-hasOwnProperty-out-of-bounds.js (rev 0)
+++ trunk/JSTests/stress/typedarray-hasOwnProperty-out-of-bounds.js 2018-07-11 01:28:35 UTC (rev 233718)
@@ -0,0 +1,20 @@
+
+let array = new Float32Array(10);
+
+function test(array, indicies, result) {
+ for (let i of indicies) {
+ if (array.hasOwnProperty(i) !== result)
+ throw new Error("wrong value for " + i);
+ if (array.hasOwnProperty(i.toString()) !== result)
+ throw new Error("wrong value for " + i + " (as String)");
+ }
+}
+noInline(test);
+
+let interestingIndicies = [0, 1, 2, 8, 9];
+for (let i = 0; i < 10000; i++)
+ test(array, interestingIndicies, true);
+
+interestingIndicies = [-1, 10, 100];
+for (let i = 0; i < 10000; i++)
+ test(array, interestingIndicies, false);
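Review bot: The out-of-bounds list `[-1, 10, 100]` probably reaches the changed branch only through 10 and 100. -1 is not an array index and is likely handled by the generic property lookup instead; this is inferred, because the index parsing is not visible on this page. The test also checks only `hasOwnProperty` on one `Float32Array(10)`. Adding `if (Object.getOwnPropertyDescriptor(array, i) !== undefined) throw new Error("unexpected descriptor for " + i);` for the false cases, plus a run against a zero-length array, would pin the same bounds decision through a second entry point that I would expect to share the slot lookup. A comment above the second list, such as `// 10 is the first index past the end; 100 is well past it`, would record why those values were chosen.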
Modified: trunk/Source/_javascript_Core/ChangeLog (233717 => 233718)
--- trunk/Source/_javascript_Core/ChangeLog 2018-07-11 01:03:18 UTC (rev 233717)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-07-11 01:28:35 UTC (rev 233718)
@@ -1,3 +1,13 @@
+2018-07-10 Keith Miller <keith_mil...@apple.com>
+
+ hasOwnProperty returns true for out of bounds property index on TypedArray
+ https://bugs.webkit.org/show_bug.cgi?id=187520
+
+ Reviewed by Saam Barati.
+
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
+
2018-07-10 Michael Saboff <msab...@apple.com>
DFG JIT: compileMathIC produces incorrect machine code
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h (233717 => 233718)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2018-07-11 01:03:18 UTC (rev 233717)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2018-07-11 01:28:35 UTC (rev 233718)
@@ -359,11 +359,13 @@
return true;
}
- if (thisObject->canGetIndexQuickly(index.value()))
+ if (thisObject->canGetIndexQuickly(index.value())) {
slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, thisObject->getIndexQuickly(index.value()));
- else
- slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, jsUndefined());
- return true;
+ return true;
+ }
+
+ slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, jsUndefined());
+ return false;
}
return Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
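Review bot: On the out-of-bounds path the new code still calls `slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, jsUndefined());` and then returns false, so the function reports no own property while handing back a populated slot. If callers rely on that, it needs a comment such as `// Not an own property, but leave undefined in the slot: <reason>`. One possible reason, not visible here, is that an indexed read past the end should yield undefined without continuing to the prototype. If nothing reads the slot after a false return, the call should be dropped. Bounds decisions on typed arrays are security-sensitive, so the contract is worth stating next to the code. getOwnPropertySlot begins and ends outside this hunk, so the earlier `return true` branch could not be checked.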