[elements] Check if the backing store has been neutered for indexOf

BUG=691323 Change-Id: I84f2c90355982567c421639e115745eadd5fcb21 Reviewed-on: https://chromium-review.googlesource.com/441964Reviewed-by: Caitlin Potter <caitp@igalia.com> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#43279}

[elements] Check if the backing store has been neutered for indexOf
BUG=691323 Change-Id: I84f2c90355982567c421639e115745eadd5fcb21 Reviewed-on: https://chromium-review.googlesource.com/441964Reviewed-by: Caitlin Potter <caitp@igalia.com> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#43279}
3a43be9b · Camillo Bruni · Commit Bot · 3ee21f28 · 3a43be9b · 3a43be9b
Commit 3a43be9b authored Feb 16, 2017 by Camillo Bruni Committed by Commit Bot Feb 17, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 49 additions and 2 deletions

elements.cc src/elements.cc +14 -2

regress-crbug-691323.js test/mjsunit/regress/regress-crbug-691323.js +35 -0

No files found.
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -2766,10 +2766,14 @@ class TypedElementsAccessor
               : kMaxUInt32;
  }

+  static bool WasNeutered(JSObject* holder) {
+    JSArrayBufferView* view = JSArrayBufferView::cast(holder);
+    return view->WasNeutered();
+  }
+
  static uint32_t GetCapacityImpl(JSObject* holder,
                                  FixedArrayBase* backing_store) {
-    JSArrayBufferView* view = JSArrayBufferView::cast(holder);
-    if (view->WasNeutered()) return 0;
+    if (WasNeutered(holder)) return 0;
    return backing_store->length();
  }

@@ -2818,6 +2822,12 @@ class TypedElementsAccessor
    DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver));
    DisallowHeapAllocation no_gc;

+    // TODO(caitp): return Just(false) here when implementing strict throwing on
+    // neutered views.
+    if (WasNeutered(*receiver)) {
+      return Just(value->IsUndefined(isolate) && length > start_from);
+    }
+
    BackingStore* elements = BackingStore::cast(receiver->elements());
    if (value->IsUndefined(isolate) &&
        length > static_cast<uint32_t>(elements->length())) {
@@ -2867,6 +2877,8 @@ class TypedElementsAccessor
    DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver));
    DisallowHeapAllocation no_gc;

+    if (WasNeutered(*receiver)) return Just<int64_t>(-1);
+
    BackingStore* elements = BackingStore::cast(receiver->elements());
    if (!value->IsNumber()) return Just<int64_t>(-1);


--- a/test/mjsunit/regress/regress-crbug-691323.js
+++ b/test/mjsunit/regress/regress-crbug-691323.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+var buffer = new ArrayBuffer(0x100);
+var array = new Uint8Array(buffer).fill(55);
+var tmp = {};
+tmp[Symbol.toPrimitive] = function () {
+  %ArrayBufferNeuter(array.buffer)
+  return 0;
+};
+
+
+assertEquals(-1, Array.prototype.indexOf.call(array, 0x00, tmp));
+
+buffer = new ArrayBuffer(0x100);
+array = new Uint8Array(buffer).fill(55);
+tmp = {};
+tmp[Symbol.toPrimitive] = function () {
+  %ArrayBufferNeuter(array.buffer)
+  return 0;
+};
+
+
+assertEquals(false, Array.prototype.includes.call(array, 0x00, tmp));
+
+buffer = new ArrayBuffer(0x100);
+array = new Uint8Array(buffer).fill(55);
+tmp = {};
+tmp[Symbol.toPrimitive] = function () {
+  %ArrayBufferNeuter(array.buffer)
+  return 0;
+};
+assertEquals(true, Array.prototype.includes.call(array, undefined, tmp));