[rab/gsab] Fix: handle the case where parameter processing resizes the rab

See https://github.com/tc39/proposal-resizablearraybuffer/issues/67 Bug: v8:11111 Change-Id: I43cc61797387a021e9bf752284b917f77662354d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3062559 Commit-Queue: Marja Hölttä <marja@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#76018}

[rab/gsab] Fix: handle the case where parameter processing resizes the rab
See https://github.com/tc39/proposal-resizablearraybuffer/issues/67 Bug: v8:11111 Change-Id: I43cc61797387a021e9bf752284b917f77662354d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3062559 Commit-Queue: Marja Hölttä <marja@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#76018}
6ca9684f · Marja Hölttä · V8 LUCI CQ · cace2f53 · 6ca9684f · 6ca9684f
Commit 6ca9684f authored Jul 30, 2021 by Marja Hölttä Committed by V8 LUCI CQ Jul 30, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 2 deletions

builtins-typed-array.cc src/builtins/builtins-typed-array.cc +13 -2

typedarray-resizablearraybuffer.js test/mjsunit/typedarray-resizablearraybuffer.js +15 -0

No files found.
--- a/src/builtins/builtins-typed-array.cc
+++ b/src/builtins/builtins-typed-array.cc
@@ -147,11 +147,22 @@ BUILTIN(TypedArrayPrototypeFill) {
    }
  }

+  if (V8_UNLIKELY(array->IsVariableLength())) {
+    bool out_of_bounds = false;
+    array->GetLengthOrOutOfBounds(out_of_bounds);
+    if (out_of_bounds) {
+      const MessageTemplate message = MessageTemplate::kDetachedOperation;
+      Handle<String> operation =
+          isolate->factory()->NewStringFromAsciiChecked(method);
+      THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(message, operation));
+    }
+  } else if (V8_UNLIKELY(array->WasDetached())) {
+    return *array;
+  }
+
  int64_t count = end - start;
  if (count <= 0) return *array;

-  if (V8_UNLIKELY(array->WasDetached())) return *array;
-
  // Ensure processed indexes are within array bounds
  DCHECK_GE(start, 0);
  DCHECK_LT(start, len);

--- a/test/mjsunit/typedarray-resizablearraybuffer.js
+++ b/test/mjsunit/typedarray-resizablearraybuffer.js
@@ -1141,3 +1141,18 @@ function TestIterationAndResize(ta, expected, rab, resize_after,
    assertEquals([15, 19, 19, 20, 16, 16], ReadDataFromBuffer(rab, ctor));
  }
 })();
+
+(function FillParameterConversionResizes() {
+  for (let ctor of ctors) {
+    const rab = CreateResizableArrayBuffer(4 * ctor.BYTES_PER_ELEMENT,
+                                           8 * ctor.BYTES_PER_ELEMENT);
+    const fixedLength = new ctor(rab, 0, 4);
+
+    let evil = { valueOf: () => { rab.resize(2); return 0;}};
+    assertThrows(() => { FillHelper(fixedLength, evil, 1, 2); }, TypeError);
+    rab.resize(4 * ctor.BYTES_PER_ELEMENT);
+    assertThrows(() => { FillHelper(fixedLength, 3, evil, 2); }, TypeError);
+    rab.resize(4 * ctor.BYTES_PER_ELEMENT);
+    assertThrows(() => { FillHelper(fixedLength, 3, 1, evil); }, TypeError);
+  }
+})();