Fix incorrect side-effect ordering in TypedArray constructor.

We should throw a RangeError for offset % elementSize before length.toPrimitive is observable. Adds a test that checks this, too. BUG=v8:6037 Change-Id: Ie9f2551c8e8fb0018b508762ac93cdc470e15dde Reviewed-on: https://chromium-review.googlesource.com/449792Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#43582}

Fix incorrect side-effect ordering in TypedArray constructor.
We should throw a RangeError for offset % elementSize before length.toPrimitive is observable. Adds a test that checks this, too. BUG=v8:6037 Change-Id: Ie9f2551c8e8fb0018b508762ac93cdc470e15dde Reviewed-on: https://chromium-review.googlesource.com/449792Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#43582}
1a6487fd · Peter Marshall · Commit Bot · c41e20fc · 1a6487fd · 1a6487fd
Commit 1a6487fd authored Mar 03, 2017 by Peter Marshall Committed by Commit Bot Mar 03, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 12 deletions

typedarray.js src/js/typedarray.js +8 -12

typedarray-construct-by-buffer-ordering.js test/mjsunit/es6/typedarray-construct-by-buffer-ordering.js +31 -0

No files found.
--- a/src/js/typedarray.js
+++ b/src/js/typedarray.js
@@ -128,8 +128,15 @@ function TypedArraySpeciesCreate(exemplar, arg0, arg1, arg2, conservative) {

 macro TYPED_ARRAY_CONSTRUCTOR(ARRAY_ID, NAME, ELEMENT_SIZE)
 function NAMEConstructByArrayBuffer(obj, buffer, byteOffset, length) {
+  var offset;
  if (!IS_UNDEFINED(byteOffset)) {
-    byteOffset = ToIndex(byteOffset, kInvalidTypedArrayLength);
+    offset = ToIndex(byteOffset, kInvalidTypedArrayLength);
+    if (offset % ELEMENT_SIZE !== 0) {
+      throw %make_range_error(kInvalidTypedArrayAlignment,
+                           "start offset", "NAME", ELEMENT_SIZE);
+    }
+  } else {
+    offset = 0;
  }
  if (!IS_UNDEFINED(length)) {
    length = ToIndex(length, kInvalidTypedArrayLength);
@@ -141,17 +148,6 @@ function NAMEConstructByArrayBuffer(obj, buffer, byteOffset, length) {
  }

  var bufferByteLength = %_ArrayBufferGetByteLength(buffer);
-  var offset;
-  if (IS_UNDEFINED(byteOffset)) {
-    offset = 0;
-  } else {
-    offset = byteOffset;
-
-    if (offset % ELEMENT_SIZE !== 0) {
-      throw %make_range_error(kInvalidTypedArrayAlignment,
-                           "start offset", "NAME", ELEMENT_SIZE);
-    }
-  }

  var newByteLength;
  if (IS_UNDEFINED(length)) {

--- a/test/mjsunit/es6/typedarray-construct-by-buffer-ordering.js
+++ b/test/mjsunit/es6/typedarray-construct-by-buffer-ordering.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(function TestThrowBeforeLengthToPrimitive() {
+  // From 22.2.4.5 TypedArray ( buffer [ , byteOffset [ , length ] ] ), check
+  // that step 7:
+  //    If offset modulo elementSize ≠ 0, throw a RangeError exception.
+  // happens before step 11:
+  //    Let newLength be ? ToIndex(length).
+  var expected = ["offset.toPrimitive"];
+  var actual = [];
+  var offset = {};
+  offset[Symbol.toPrimitive] = function() {
+    actual.push("offset.toPrimitive");
+    return 1;
+  };
+
+  var length = {};
+  length[Symbol.toPrimitive] = function() {
+    actual.push("length.toPrimitive");
+    return 1;
+  };
+
+  var buffer = new ArrayBuffer(16);
+
+  assertThrows(function() {
+    new Uint32Array(buffer, offset, length)
+  }, RangeError);
+  assertEquals(expected, actual);
+})();