[typedarrays] remove invalid optimization in NAMEConstructor()

Before, we were treating objects with the builtin ArrayValues iterator method as array-like, where the iterator would iterate through to the full length of the object. This optimization was not sound, because it does not ensure that the next method hasn't been modified. Even if it hasn't been modified, it's entirely possible to be modified during iteration. Thus, this optimization has been removed due to its observability. BUG=v8:5699 R=littledan@chromium.org, cbruni@chromium.org Review-Url: https://codereview.chromium.org/2544503002 Cr-Commit-Position: refs/heads/master@{#41394}

[typedarrays] remove invalid optimization in NAMEConstructor()
Before, we were treating objects with the builtin ArrayValues iterator method as array-like, where the iterator would iterate through to the full length of the object. This optimization was not sound, because it does not ensure that the next method hasn't been modified. Even if it hasn't been modified, it's entirely possible to be modified during iteration. Thus, this optimization has been removed due to its observability. BUG=v8:5699 R=littledan@chromium.org, cbruni@chromium.org Review-Url: https://codereview.chromium.org/2544503002 Cr-Commit-Position: refs/heads/master@{#41394}
77df8c67 · caitp · Commit bot · 80b92012 · 77df8c67 · 77df8c67
Commit 77df8c67 authored Nov 30, 2016 by caitp Committed by Commit bot Nov 30, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 1 deletion

typedarray.js src/js/typedarray.js +1 -1

typedarray.js test/mjsunit/es6/typedarray.js +25 -0

No files found.
--- a/src/js/typedarray.js
+++ b/src/js/typedarray.js
@@ -260,7 +260,7 @@ function NAMEConstructor(arg1, arg2, arg3) {
      NAMEConstructByTypedArray(this, arg1);
    } else if (IS_RECEIVER(arg1)) {
      var iteratorFn = arg1[iteratorSymbol];
-      if (IS_UNDEFINED(iteratorFn) || iteratorFn === ArrayValues) {
+      if (IS_UNDEFINED(iteratorFn)) {
        NAMEConstructByArrayLike(this, arg1, arg1.length);
      } else {
        NAMEConstructByIterable(this, arg1, iteratorFn);

--- a/test/mjsunit/es6/typedarray.js
+++ b/test/mjsunit/es6/typedarray.js
@@ -334,6 +334,31 @@ function TestTypedArray(constr, elementSize, typicalElement) {
  assertEquals(0, genArr[0]);
  assertEquals(9, genArr[9]);
  assertEquals(1, iteratorReadCount);
+
+  // Modified %ArrayIteratorPrototype%.next() method is honoured (v8:5699)
+  const ArrayIteratorPrototype = Object.getPrototypeOf([][Symbol.iterator]());
+  const ArrayIteratorPrototypeNext = ArrayIteratorPrototype.next;
+  ArrayIteratorPrototype.next = function() {
+    return { done: true };
+  };
+  genArr = new constr([1, 2, 3]);
+  assertEquals(0, genArr.length);
+  ArrayIteratorPrototype.next = ArrayIteratorPrototypeNext;
+
+  // Modified %ArrayIteratorPrototype%.next() during iteration is honoured as
+  // well.
+  genArr = new constr(Object.defineProperty([1, , 3], 1, {
+    get() {
+      ArrayIteratorPrototype.next = function() {
+        return { done: true };
+      }
+      return 2;
+    }
+  }));
+  assertEquals(2, genArr.length);
+  assertEquals(1, genArr[0]);
+  assertEquals(2, genArr[1]);
+  ArrayIteratorPrototype.next = ArrayIteratorPrototypeNext;
 }

 TestTypedArray(Uint8Array, 1, 0xFF);