[typedarray] Fix a spec violation in the constructor.

Implement the new spec behavior that says construction from a neutered buffer should throw after the ToIndex call on the length argument. Bug: v8:6216 Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng Change-Id: I219a107730b53fca639bc813f68f7ddc27e79017 Reviewed-on: https://chromium-review.googlesource.com/789847 Commit-Queue: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#49639}

[typedarray] Fix a spec violation in the constructor.
Implement the new spec behavior that says construction from a neutered buffer should throw after the ToIndex call on the length argument. Bug: v8:6216 Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng Change-Id: I219a107730b53fca639bc813f68f7ddc27e79017 Reviewed-on: https://chromium-review.googlesource.com/789847 Commit-Queue: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#49639}
9d906310 · Peter Marshall · Commit Bot · dd2b5b19 · 9d906310 · 9d906310
Commit 9d906310 authored Nov 27, 2017 by Peter Marshall Committed by Commit Bot Nov 27, 2017
Showing with 26 additions and 14 deletions

builtins-typedarray-gen.cc src/builtins/builtins-typedarray-gen.cc +6 -2

regress-353004.js test/mjsunit/regress/regress-353004.js +20 -7

test262.status test/test262/test262.status +0 -5

No files found.
--- a/src/builtins/builtins-typedarray-gen.cc
+++ b/src/builtins/builtins-typedarray-gen.cc
@@ -429,7 +429,7 @@ TF_BUILTIN(TypedArrayConstructByArrayBuffer, TypedArrayBuiltinsAssembler) {
      invalid_offset_error(this, Label::kDeferred);
  Label offset_is_smi(this), offset_not_smi(this, Label::kDeferred),
      check_length(this), call_init(this), invalid_length(this),
-      length_undefined(this), length_defined(this);
+      length_undefined(this), length_defined(this), detached_error(this);

  GotoIf(IsUndefined(byte_offset), &check_length);

@@ -460,11 +460,11 @@ TF_BUILTIN(TypedArrayConstructByArrayBuffer, TypedArrayBuiltinsAssembler) {
  }

  BIND(&check_length);
-  // TODO(petermarshall): Throw on detached typedArray.
  Branch(IsUndefined(length), &length_undefined, &length_defined);

  BIND(&length_undefined);
  {
+    GotoIf(IsDetachedBuffer(buffer), &detached_error);
    Node* buffer_byte_length =
        LoadObjectField(buffer, JSArrayBuffer::kByteLengthOffset);

@@ -486,6 +486,7 @@ TF_BUILTIN(TypedArrayConstructByArrayBuffer, TypedArrayBuiltinsAssembler) {
  BIND(&length_defined);
  {
    Node* new_length = ToSmiIndex(length, context, &invalid_length);
+    GotoIf(IsDetachedBuffer(buffer), &detached_error);
    new_byte_length.Bind(SmiMul(new_length, element_size));
    // Reading the byte length must come after the ToIndex operation, which
    // could cause the buffer to become detached.
@@ -545,6 +546,9 @@ TF_BUILTIN(TypedArrayConstructByArrayBuffer, TypedArrayBuiltinsAssembler) {
                SmiConstant(MessageTemplate::kInvalidTypedArrayLength), length);
    Unreachable();
  }
+
+  BIND(&detached_error);
+  { ThrowTypeError(context, MessageTemplate::kDetachedOperation, "Construct"); }
 }

 Node* TypedArrayBuiltinsAssembler::LoadDataPtr(Node* typed_array) {

--- a/test/mjsunit/regress/regress-353004.js
+++ b/test/mjsunit/regress/regress-353004.js
@@ -6,12 +6,12 @@

 var buffer1 = new ArrayBuffer(100 * 1024);

-var array1 = new Uint8Array(buffer1, {valueOf : function() {
-  %ArrayBufferNeuter(buffer1);
-  return 0;
-}});
-
-assertEquals(0, array1.length);
+assertThrows(function() {
+  var array1 = new Uint8Array(buffer1, {valueOf : function() {
+    %ArrayBufferNeuter(buffer1);
+    return 0;
+  }});
+}, TypeError);

 var buffer2 = new ArrayBuffer(100 * 1024);

@@ -20,8 +20,21 @@ assertThrows(function() {
      %ArrayBufferNeuter(buffer2);
      return 100 * 1024;
  }});
-}, RangeError);
+}, TypeError);

+let convertedOffset = false;
+let convertedLength = false;
+assertThrows(() =>
+  new Uint8Array(buffer1, {valueOf : function() {
+      convertedOffset = true;
+      return 0;
+    }}, {valueOf : function() {
+      convertedLength = true;
+      %ArrayBufferNeuter(buffer1);
+      return 0;
+  }}), TypeError);
+assertTrue(convertedOffset);
+assertTrue(convertedLength);

 var buffer3 = new ArrayBuffer(100 * 1024 * 1024);
 var dataView1 = new DataView(buffer3, {valueOf : function() {

--- a/test/test262/test262.status
+++ b/test/test262/test262.status
@@ -84,11 +84,6 @@
  'language/expressions/prefix-increment/S11.4.4_A5_*': [FAIL],
  'language/statements/variable/binding-resolution': [FAIL],

-  # https://bugs.chromium.org/p/v8/issues/detail?id=6216
-  'built-ins/TypedArrays/buffer-arg-byteoffset-to-number-detachbuffer': [FAIL],
-  'built-ins/TypedArrays/buffer-arg-length-to-number-detachbuffer': [FAIL],
-  'built-ins/TypedArrays/buffer-arg-detachedbuffer': [FAIL],
-
  # https://bugs.chromium.org/p/v8/issues/detail?id=4895
  'built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer': [FAIL],
  'built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm': [FAIL],