Commit bd39d922 authored by Peter Marshall's avatar Peter Marshall Committed by Commit Bot

[typedarrays] Fix invalid optimization in From for detached arrays

We didn't check if the input typed array was neutered before going to
the fast path, so we hit a CHECK in this case.

Fix this by just checking if the buffer was neutered and then going to
the 'check iterator' case if it is. This will cause a TypeError via
IterableToList, which was the same as the behavior before the
optmization was landed.

Bug: chromium:899519
Change-Id: I09e6389ea2ab1e3bef01e616721b48a9b66c1b2a
Reviewed-on: https://chromium-review.googlesource.com/c/1307422
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57137}
parent e5e46858
...@@ -1701,6 +1701,10 @@ TF_BUILTIN(TypedArrayFrom, TypedArrayBuiltinsAssembler) { ...@@ -1701,6 +1701,10 @@ TF_BUILTIN(TypedArrayFrom, TypedArrayBuiltinsAssembler) {
// Check that the source is a TypedArray // Check that the source is a TypedArray
GotoIf(TaggedIsSmi(source), &check_iterator); GotoIf(TaggedIsSmi(source), &check_iterator);
GotoIfNot(IsJSTypedArray(CAST(source)), &check_iterator); GotoIfNot(IsJSTypedArray(CAST(source)), &check_iterator);
TNode<JSArrayBuffer> source_buffer =
LoadJSArrayBufferViewBuffer(CAST(source));
GotoIf(IsDetachedBuffer(source_buffer), &check_iterator);
// Check that the iterator function is Builtins::kTypedArrayPrototypeValues // Check that the iterator function is Builtins::kTypedArrayPrototypeValues
GotoIfNot(IsJSFunction(CAST(iterator_fn)), &check_iterator); GotoIfNot(IsJSFunction(CAST(iterator_fn)), &check_iterator);
TNode<SharedFunctionInfo> shared_info = LoadObjectField<SharedFunctionInfo>( TNode<SharedFunctionInfo> shared_info = LoadObjectField<SharedFunctionInfo>(
......
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var typedArrayConstructors = [
Uint8Array,
Int8Array,
Uint16Array,
Int16Array,
Uint32Array,
Int32Array,
Uint8ClampedArray,
Float32Array,
Float64Array
];
for (constructor of typedArrayConstructors) {
var ta = new constructor(10);
%ArrayBufferNeuter(ta.buffer);
assertThrows(() => constructor.from(ta), TypeError);
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment