Check whether a typed array was neutered before writing to it

As demanded by the spec. BUG=chromium:516251 R=jkummerow@chromium.org LOG=n Review URL: https://codereview.chromium.org/1261453004 Cr-Commit-Position: refs/heads/master@{#29981}

Check whether a typed array was neutered before writing to it
As demanded by the spec. BUG=chromium:516251 R=jkummerow@chromium.org LOG=n Review URL: https://codereview.chromium.org/1261453004 Cr-Commit-Position: refs/heads/master@{#29981}
ed3e5d1f · jochen · Commit bot · 565fe3f0 · ed3e5d1f
Commit ed3e5d1f authored Aug 03, 2015 by jochen Committed by Commit bot Aug 03, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

objects.cc src/objects.cc +6 -0

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3426,6 +3426,12 @@ MaybeHandle<Object> Object::SetDataProperty(LookupIterator* it,
      // have been invalidated since typed array elements cannot be reconfigured
      // in any way.
      it->ReloadHolderMap();
+
+      // We have to recheck the length. However, it can only change if the
+      // underlying buffer was neutered, so just check that.
+      if (Handle<JSArrayBufferView>::cast(receiver)->WasNeutered()) {
+        return value;
+      }
    }
  }