[typedarrays] Throw on construction of a detached typed array.

Bug: chromium:840106 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: I0090cdecaf9194f3ed2d716c6f5f698e33cbdf0d Reviewed-on: https://chromium-review.googlesource.com/1046827 Commit-Queue: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#53029}

[typedarrays] Throw on construction of a detached typed array.
Bug: chromium:840106 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: I0090cdecaf9194f3ed2d716c6f5f698e33cbdf0d Reviewed-on: https://chromium-review.googlesource.com/1046827 Commit-Queue: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#53029}
645efbfd · Peter Marshall · Commit Bot · 5e22e397 · 645efbfd · 645efbfd
Commit 645efbfd authored May 07, 2018 by Peter Marshall Committed by Commit Bot May 07, 2018
6 changed files
--- a/src/builtins/builtins-typed-array-gen.cc
+++ b/src/builtins/builtins-typed-array-gen.cc
@@ -565,7 +565,8 @@ void TypedArrayBuiltinsAssembler::ConstructByArrayLike(
    TNode<Context> context, TNode<JSTypedArray> holder,
    TNode<HeapObject> array_like, TNode<Object> initial_length,
    TNode<Smi> element_size, TNode<JSReceiver> buffer_constructor) {
-  Label invalid_length(this), fill(this), fast_copy(this), done(this);
+  Label invalid_length(this, Label::kDeferred), fill(this), fast_copy(this),
+      detached_check(this), done(this), detached_error(this, Label::kDeferred);

  // The caller has looked up length on array_like, which is observable.
  TNode<Smi> length = ToSmiLength(initial_length, context, &invalid_length);
@@ -574,10 +575,17 @@ void TypedArrayBuiltinsAssembler::ConstructByArrayLike(
  CallBuiltin(Builtins::kTypedArrayInitialize, context, holder, length,
              element_size, initialize, buffer_constructor);

-  GotoIf(SmiNotEqual(length, SmiConstant(0)), &fill);
-  Goto(&done);
+  GotoIf(IsJSTypedArray(array_like), &detached_check);
+  Goto(&fill);
+
+  BIND(&detached_check);
+  GotoIf(IsDetachedBuffer(
+             LoadObjectField(array_like, JSTypedArray::kBufferOffset)),
+         &detached_error);
+  Goto(&fill);

  BIND(&fill);
+  GotoIf(SmiEqual(length, SmiConstant(0)), &done);
  TNode<Int32T> holder_kind = LoadMapElementsKind(LoadMap(holder));
  TNode<Int32T> source_kind = LoadMapElementsKind(LoadMap(array_like));
  GotoIf(Word32Equal(holder_kind, source_kind), &fast_copy);
@@ -614,6 +622,9 @@ void TypedArrayBuiltinsAssembler::ConstructByArrayLike(
    Goto(&done);
  }

+  BIND(&detached_error);
+  { ThrowTypeError(context, MessageTemplate::kDetachedOperation, "Construct"); }
+
  BIND(&invalid_length);
  {
    ThrowRangeError(context, MessageTemplate::kInvalidTypedArrayLength,

--- a/src/elements.cc
+++ b/src/elements.cc
@@ -3540,6 +3540,7 @@ class TypedElementsAccessor
      // If we have to copy more elements than we have in the source, we need to
      // do special handling and conversion; that happens in the slow case.
      if (length + offset <= source_ta->length_value()) {
+        DCHECK(length == 0 || !source_ta->WasNeutered());
        CopyElementsFromTypedArray(*source_ta, *destination_ta, length, offset);
        return *isolate->factory()->undefined_value();
      }

--- a/test/mjsunit/es6/typedarray-construct-by-array-like.js
+++ b/test/mjsunit/es6/typedarray-construct-by-array-like.js
@@ -208,9 +208,7 @@ tests.push(function TestFromTypedArraySpeciesNeutersBuffer(constr) {
    }
  });

-  var a2 = new constr(a1);
-
-  assertArrayEquals([], a2);
+  assertThrows(() => new constr(a1));
 });

 tests.push(function TestLengthIsMaxSmi(constr) {

--- a/test/mjsunit/regress/regress-707410.js
+++ b/test/mjsunit/regress/regress-707410.js
@@ -6,5 +6,4 @@

 var a = new Uint8Array(1024*1024);
 %ArrayBufferNeuter(a.buffer);
-var b = new Uint8Array(a);
-assertEquals(0, b.length);
+assertThrows(() => new Uint8Array(a));
--- a/test/mjsunit/regress/regress-840106.js
+++ b/test/mjsunit/regress/regress-840106.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var buffer = new ArrayBuffer(1024 * 1024);
+buffer.constructor = {
+  [Symbol.species]: new Proxy(function() {}, {
+    get: _ => {
+      %ArrayBufferNeuter(buffer);
+    }
+  })
+};
+var array1 = new Uint8Array(buffer, 0, 1024);
+assertThrows(() => new Uint8Array(array1));
+assertThrows(() => new Int8Array(array1));
--- a/test/test262/test262.status
+++ b/test/test262/test262.status
@@ -85,10 +85,6 @@
  'language/statements/variable/binding-resolution': [FAIL],

  # https://bugs.chromium.org/p/v8/issues/detail?id=4895
-  'built-ins/TypedArrays/ctors/typedarray-arg/typedarray-arg-detached-when-species-retrieved-different-type': [FAIL],
-  'built-ins/TypedArrays/ctors-bigint/typedarray-arg/typedarray-arg-detached-when-species-retrieved-different-type': [FAIL],
-  'built-ins/TypedArrays/ctors/typedarray-arg/typedarray-arg-detached-when-species-retrieved-same-type': [FAIL],
-  'built-ins/TypedArrays/ctors-bigint/typedarray-arg/typedarray-arg-detached-when-species-retrieved-same-type': [FAIL],
  'built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer': [FAIL],
  'built-ins/TypedArrays/internals/DefineOwnProperty/BigInt/detached-buffer': [FAIL],
  'built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm': [FAIL],