Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: bc59681571095d4c238aab49e33c533532e96399
https://github.com/WebKit/WebKit/commit/bc59681571095d4c238aab49e33c533532e96399
Author: Tetsuharu Ohzeki <[email protected]>
Date: 2026-05-10 (Sun, 10 May 2026)
Changed paths:
A JSTests/stress/dataview-constructor-bug-313230-weird-bytelength-detach-buffer-and-overrun.js
A JSTests/stress/dataview-constructor-toindex-byteoffset-before-ordinarycreatefromctor-weird-byteoffset.js
A JSTests/stress/dataview-constructor-toindex-length-before-ordinarycreatefromctor-weird-length.js
A JSTests/stress/dataview-constructor-toindex-length-before-ordinarycreatefromctor.js
A JSTests/stress/typedarray-constructor-bug-313230-weird-bytelength-detach-buffer-and-overrun.js
M Source/JavaScriptCore/runtime/JSDataView.cpp
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructor.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
Log Message:
-----------
[JSC] `new DataView(buffer, byteOffset, byteLength)` should comply with
step 9-b of the `25.3.2.1 DataView` abstract operation in the spec
https://bugs.webkit.org/show_bug.cgi?id=313230
Reviewed by Yusuke Suzuki.
According to the spec (April 24, 2026),
https://tc39.es/ecma262/#sec-dataview-buffer-byteoffset-bytelength defines in
step 9-b that
we should throw RangeError even if ToIndex(byteLength) happens to detach
the buffer:
As user observable behavior related to byteLength, the sequence would be:
9-a: Let viewByteLength be ? ToIndex(byteLength): the weird object can
detach the buffer at here.
9-b: If `(offset + viewByteLength) > bufferByteLength`, throw RangeError.
11: If the buffer is detached, throw TypeError.
On the other hand, %TypedArray%, which can take a similar form to `new
DataView(buffer, byteOffset, byteLength)`,
has a slightly different step sequence. We should not do the RangeError check
immediately after ToIndex(byteLength).
The spec
- https://tc39.es/ecma262/#sec-initializetypedarrayfromarraybuffer
- https://tc39.es/ecma262/#sec-typedarray
defines the user observable behavior sequence related to byteLength as:
5-a: Let newLength be ? ToIndex(length): the weird object can detach the
buffer at here.
6: If the buffer is detached, throw TypeError.
...(there are some steps here, but they are not related to newLength)
9-b-ii: If `(offset + newLength) > bufferByteLength`, throw RangeError.
Tests:
JSTests/stress/dataview-constructor-bug-313230-weird-bytelength-detach-buffer-and-overrun.js
JSTests/stress/dataview-constructor-toindex-byteoffset-before-ordinarycreatefromctor-weird-byteoffset.js
JSTests/stress/dataview-constructor-toindex-length-before-ordinarycreatefromctor-weird-length.js
JSTests/stress/dataview-constructor-toindex-length-before-ordinarycreatefromctor.js
JSTests/stress/typedarray-constructor-bug-313230-weird-bytelength-detach-buffer-and-overrun.js
Canonical link: https://commits.webkit.org/312964@main
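The two step sequences in the commit message can be exercised from script. The following is an added example, not one of the commit's own tests: a "weird" byteLength object whose `valueOf` detaches the ArrayBuffer during ToIndex(byteLength), so that for DataView the step 9-b RangeError (computed against the bufferByteLength captured before ToIndex) wins over the step 11 TypeError, while for %TypedArray% the step 6 detached check fires before the step 9-b-ii range check. The `detach` helper and the 8-byte buffer sizes are this example's own choices; it relies only on standard `ArrayBuffer.prototype.transfer` (falling back to `structuredClone` with transfer on older Node.js).

```javascript
// Added example (not from the WebKit commit): observable ordering of the
// detached-buffer and range checks in DataView vs. %TypedArray% constructors.

// Detach `buffer` using whichever standard API this runtime provides.
// (Helper chosen for this example; either path leaves byteLength at 0.)
function detach(buffer) {
  if (typeof buffer.transfer === 'function') {
    buffer.transfer();                              // ES2024
  } else {
    structuredClone(buffer, { transfer: [buffer] }); // Node.js >= 17
  }
}

// A byteLength/length argument that detaches `buffer` while ToIndex converts it,
// then yields `value`. This is the "weird object" the commit message refers to.
function weirdLength(buffer, value) {
  return {
    valueOf() {
      detach(buffer);
      return value;
    },
  };
}

// Run `fn` and report the name of the error class it throws, or 'none'.
function thrownErrorName(fn) {
  try {
    fn();
    return 'none';
  } catch (e) {
    return e.constructor.name;
  }
}

// DataView, overrun: bufferByteLength (8) was read at step 5, before ToIndex.
// 9-a detaches the buffer, 9-b sees 0 + 16 > 8 and throws RangeError before
// step 11 ever looks at the detached state.
function dataViewOverrun() {
  const buffer = new ArrayBuffer(8);
  return thrownErrorName(() => new DataView(buffer, 0, weirdLength(buffer, 16)));
}

// DataView, in bounds: 9-b passes (0 + 4 <= 8), so step 11 reports the
// detached buffer with TypeError.
function dataViewInBounds() {
  const buffer = new ArrayBuffer(8);
  return thrownErrorName(() => new DataView(buffer, 0, weirdLength(buffer, 4)));
}

// %TypedArray%, overrun: step 6 (detached check) precedes 9-b-ii (range check),
// so the same overrun yields TypeError rather than RangeError.
function typedArrayOverrun() {
  const buffer = new ArrayBuffer(8);
  return thrownErrorName(() => new Uint8Array(buffer, 0, weirdLength(buffer, 16)));
}

// Control: with a plain numeric length and no detach, both constructors
// reject the overrun with RangeError.
function plainOverrun() {
  const buffer = new ArrayBuffer(8);
  return [
    thrownErrorName(() => new DataView(buffer, 0, 16)),
    thrownErrorName(() => new Uint8Array(buffer, 0, 16)),
  ];
}

console.log('DataView overrun + detach  :', dataViewOverrun());   // RangeError
console.log('DataView in-bounds + detach:', dataViewInBounds());  // TypeError
console.log('TypedArray overrun + detach:', typedArrayOverrun()); // TypeError
console.log('plain overrun              :', plainOverrun());      // [RangeError, RangeError]
```

An engine that checks for detachment immediately after ToIndex(byteLength) in DataView, or that does the range check before the detached check in %TypedArray%, would swap the error classes in the first and third cases; that observable difference is what the new stress tests pin down.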