Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 435d83ec987a57aacab20ec49c92ae840245c1b0
      
https://github.com/WebKit/WebKit/commit/435d83ec987a57aacab20ec49c92ae840245c1b0
  Author: Tetsuharu Ohzeki <[email protected]>
  Date:   2026-04-14 (Tue, 14 Apr 2026)

  Changed paths:
    A JSTests/stress/dataview-constructor-bug-311903-weird-bytelength-detach-buffer.js
    A JSTests/stress/dataview-constructor-bug-311903-weird-byteoffset-detach-buffer.js
    A JSTests/stress/typedarray-constructor-bug-311903-weird-bytelength-detach-buffer.js
    A JSTests/stress/typedarray-constructor-bug-311903-weird-byteoffset-detach-buffer.js
    M JSTests/test262/expectations.yaml
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h

  Log Message:
  -----------
  [JSC] test262 failure: test/staging/sm/extensions/DataView-construct-arguments-detaching.js
https://bugs.webkit.org/show_bug.cgi?id=311903

Reviewed by Yusuke Suzuki.

By the spec (ECMA-262/April 10, 2026),
on invoking `new DataView(buffer, byteOffset)`,
if the 2nd argument `byteOffset` detaches `buffer` in the `ToIndex(byteOffset)` step,
it should *first* throw a TypeError because the buffer is detached, rather than a
RangeError about `offset > bufferByteLength`.

This corresponds to step 3 & 4 of the section _25.3.2.1_ of the spec.
https://tc39.es/ecma262/#sec-dataview-buffer-byteoffset-bytelength

-----

The constructors of `DataView` and the other TypedArrays follow different spec mechanisms,
but they behave similarly and we share a part of the underlying implementations.
This patch adds some tests:

1. `new DataView(buffer, byteOffset)` but `ToIndex(byteOffset)` detaches the `buffer`.
    This change fixes this test's result. Without this change, JSC fails this test.

2. `new DataView(buffer, byteOffset, byteLength)` but `ToIndex(byteOffset)` detaches the `buffer`.
    This is a later part of test/staging/sm/extensions/DataView-construct-arguments-detaching.js,
    added as a regression test.
    JSC passes this test without this fix.

3. `new SomeTypedArray(buffer, byteOffset)` but `ToIndex(byteOffset)` detaches the `buffer`.
    This is just a regression test to keep the existing implementation, which shares many parts with `DataView`'s one.
    JSC passes this test without this fix.

4. `new SomeTypedArray(buffer, byteOffset, byteLength)` but `ToIndex(byteLength)` detaches the `buffer`.
    This is just a regression test to keep the existing implementation, which shares many parts with `DataView`'s one.
    JSC passes this test without this fix.

Tests: JSTests/stress/dataview-constructor-bug-311903-weird-bytelength-detach-buffer.js
       JSTests/stress/dataview-constructor-bug-311903-weird-byteoffset-detach-buffer.js
       JSTests/stress/typedarray-constructor-bug-311903-weird-bytelength-detach-buffer.js
       JSTests/stress/typedarray-constructor-bug-311903-weird-byteoffset-detach-buffer.js

Canonical link: https://commits.webkit.org/311188@main
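
The error ordering described in the log message above can be observed with a small probe. This is an added example, not part of the commit or of WebKit's test files; it assumes an engine that exposes `ArrayBuffer.prototype.transfer` or `structuredClone` for detaching, and the helper names, buffer size and offsets are constructed.

```javascript
// Detach with standard APIs (assumption: one of them is available;
// WebKit's own stress tests are not reproduced here).
function detach(buffer) {
  if (typeof buffer.transfer === "function") buffer.transfer();
  else structuredClone(buffer, { transfer: [buffer] });
}

// An argument whose ToIndex coercion detaches `buffer`, then yields `value`.
function detachingIndex(buffer, value) {
  return { valueOf() { detach(buffer); return value; } };
}

// The four call shapes listed in the log message (sizes are constructed).
const CASES = [
  ["new DataView(buffer, weird)", DataView, (b) => [detachingIndex(b, 8)]],
  ["new DataView(buffer, weird, 8)", DataView, (b) => [detachingIndex(b, 8), 8]],
  ["new Uint8Array(buffer, weird)", Uint8Array, (b) => [detachingIndex(b, 8)]],
  ["new Uint8Array(buffer, 8, weird)", Uint8Array, (b) => [8, detachingIndex(b, 8)]],
];

// Run each case on a fresh 64-byte buffer and record which error is thrown.
function runProbes() {
  return CASES.map(([label, Ctor, makeArgs]) => {
    const buffer = new ArrayBuffer(64);
    let thrown = "none";
    try {
      new Ctor(buffer, ...makeArgs(buffer));
    } catch (e) {
      thrown = e.name;
    }
    // A detached ArrayBuffer reports byteLength 0.
    return { label, thrown, detached: buffer.byteLength === 0 };
  });
}

// Per the spec steps cited above, the detached-buffer TypeError comes before
// any RangeError computed from the (now zero) buffer length.
for (const r of runProbes()) {
  const verdict = r.thrown === "TypeError" ? "spec order" : "differs from spec order";
  console.log(`${r.label}: ${r.thrown} (${verdict}, detached=${r.detached})`);
}
```

A result other than TypeError means the engine computed a range check against the post-detach length before checking the detached state.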


