Commit 75ca843c authored by peterwmwong's avatar peterwmwong Committed by Commit Bot

[typedarray] Check for a detached buffer before each iteration of TypedArray.p.join.

Bug: chromium:917980
Change-Id: Ia9b68f492bb9f0769dc6ee1706baf8b09de49968
Reviewed-on: https://chromium-review.googlesource.com/c/1392070
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58490}
parent e16f4a93
...@@ -58,6 +58,7 @@ namespace array { ...@@ -58,6 +58,7 @@ namespace array {
builtin LoadJoinTypedElement<T: type>( builtin LoadJoinTypedElement<T: type>(
context: Context, receiver: JSReceiver, k: Number): Object { context: Context, receiver: JSReceiver, k: Number): Object {
const typedArray: JSTypedArray = UnsafeCast<JSTypedArray>(receiver); const typedArray: JSTypedArray = UnsafeCast<JSTypedArray>(receiver);
assert(!IsDetachedBuffer(typedArray.buffer));
return typed_array::LoadFixedTypedArrayElementAsTagged( return typed_array::LoadFixedTypedArrayElementAsTagged(
typedArray.data_ptr, UnsafeCast<Smi>(k), typedArray.data_ptr, UnsafeCast<Smi>(k),
typed_array::KindForArrayType<T>(), SMI_PARAMETERS); typed_array::KindForArrayType<T>(), SMI_PARAMETERS);
...@@ -89,13 +90,13 @@ namespace array { ...@@ -89,13 +90,13 @@ namespace array {
// Verifies the current element JSArray accessor can still be safely used // Verifies the current element JSArray accessor can still be safely used
// (see LoadJoinElement<ElementsAccessor>). // (see LoadJoinElement<ElementsAccessor>).
macro CannotUseSameArrayAccessor<T: type>(implicit context: Context)( macro CannotUseSameArrayAccessor<T: type>(implicit context: Context)(
useToLocaleString: constexpr bool, loadFn: LoadJoinElementFn, loadFn: LoadJoinElementFn, receiver: JSReceiver, originalMap: Map,
receiver: JSReceiver, originalMap: Map, originalLen: Number): never originalLen: Number): never
labels Cannot, Can; labels Cannot, Can;
CannotUseSameArrayAccessor<JSArray>(implicit context: Context)( CannotUseSameArrayAccessor<JSArray>(implicit context: Context)(
useToLocaleString: constexpr bool, loadFn: LoadJoinElementFn, loadFn: LoadJoinElementFn, receiver: JSReceiver, originalMap: Map,
receiver: JSReceiver, originalMap: Map, originalLen: Number): never originalLen: Number): never
labels Cannot, Can { labels Cannot, Can {
if (loadFn == LoadJoinElement<GenericElementsAccessor>) goto Can; if (loadFn == LoadJoinElement<GenericElementsAccessor>) goto Can;
...@@ -107,17 +108,11 @@ namespace array { ...@@ -107,17 +108,11 @@ namespace array {
} }
CannotUseSameArrayAccessor<JSTypedArray>(implicit context: Context)( CannotUseSameArrayAccessor<JSTypedArray>(implicit context: Context)(
useToLocaleString: constexpr bool, loadFn: LoadJoinElementFn, loadFn: LoadJoinElementFn, receiver: JSReceiver, initialMap: Map,
receiver: JSReceiver, initialMap: Map, initialLen: Number): never initialLen: Number): never
labels Cannot, Can { labels Cannot, Can {
const typedArray: JSTypedArray = UnsafeCast<JSTypedArray>(receiver); const typedArray: JSTypedArray = UnsafeCast<JSTypedArray>(receiver);
// It is assumed that calling toLocaleString is the only possible source if (IsDetachedBuffer(typedArray.buffer)) goto Cannot;
// of side-effects. Otherwise, it is safe to use the initial LoadJoinElement
// specialization and it cannot change through out the join call.
if constexpr (useToLocaleString) {
if (IsDetachedBuffer(typedArray.buffer)) goto Cannot;
}
assert(!IsDetachedBuffer(typedArray.buffer));
goto Can; goto Can;
} }
...@@ -292,14 +287,15 @@ namespace array { ...@@ -292,14 +287,15 @@ namespace array {
// 7. Repeat, while k < len // 7. Repeat, while k < len
while (k < len) { while (k < len) {
if (CannotUseSameArrayAccessor<T>(
loadFn, receiver, initialMap, lengthNumber))
deferred {
loadFn = LoadJoinElement<GenericElementsAccessor>;
}
if (k > 0) { if (k > 0) {
// a. If k > 0, let R be the string-concatenation of R and sep. // a. If k > 0, let R be the string-concatenation of R and sep.
nofSeparators = nofSeparators + 1; nofSeparators = nofSeparators + 1;
if (CannotUseSameArrayAccessor<T>(
useToLocaleString, loadFn, receiver, initialMap, lengthNumber))
deferred {
loadFn = LoadJoinElement<GenericElementsAccessor>;
}
} }
// b. Let element be ? Get(O, ! ToString(k)). // b. Let element be ? Get(O, ! ToString(k)).
......
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
const constructors = [
[Uint8Array, [0, 1]],
[Int8Array, [0, 1]],
[Uint16Array, [0, 1]],
[Int16Array, [0, 1]],
[Uint32Array, [0, 1]],
[Int32Array, [0, 1]],
[Float32Array, [0, 1]],
[Float64Array, [0, 1]],
[Uint8ClampedArray, [0, 1]],
[BigInt64Array, [0n, 1n]],
[BigUint64Array, [0n, 1n]]
];
let typedArray;
const separator = {
toString() {
%ArrayBufferDetach(typedArray.buffer);
return '*';
}
};
constructors.forEach(([constructor, arr]) => {
typedArray = new constructor(arr);
assertSame(typedArray.join(separator), '*');
});
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment