[typedarrays] Check if the target is a typed array at TA.p.set entry

- Throw a TypeError exception if a given target argument is not a typed array before converting a given offset argument to an integer. - Add a testcase Bug: chromium:768775 Change-Id: Id132a0f154fcf930f211922fcbef6c66f9d6f285 Reviewed-on: https://chromium-review.googlesource.com/728120Reviewed-by: Peter Marshall <petermarshall@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#48736}

[typedarrays] Check if the target is a typed array at TA.p.set entry
- Throw a TypeError exception if a given target argument is not a typed array before converting a given offset argument to an integer. - Add a testcase Bug: chromium:768775 Change-Id: Id132a0f154fcf930f211922fcbef6c66f9d6f285 Reviewed-on: https://chromium-review.googlesource.com/728120Reviewed-by: Peter Marshall <petermarshall@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#48736}
f0db4d20 · Choongwoo Han · Commit Bot · cdf5f2b0 · f0db4d20 · f0db4d20
Commit f0db4d20 authored Oct 19, 2017 by Choongwoo Han Committed by Commit Bot Oct 19, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 5 deletions

builtins-typedarray.cc src/builtins/builtins-typedarray.cc +5 -5

typedarray.js test/mjsunit/es6/typedarray.js +11 -0

No files found.
--- a/src/builtins/builtins-typedarray.cc
+++ b/src/builtins/builtins-typedarray.cc
@@ -436,6 +436,11 @@ BUILTIN(TypedArrayPrototypeSet) {
  Handle<Object> offset = args.atOrUndefined(isolate, 2);
  const char* method = "%TypedArray%.prototype.set";
+  if (!target->IsJSTypedArray()) {
+    THROW_NEW_ERROR_RETURN_FAILURE(
+        isolate, NewTypeError(MessageTemplate::kNotTypedArray));
+  }
  if (offset->IsUndefined(isolate)) {
    offset = Handle<Object>(Smi::kZero, isolate);
  } else {
@@ -453,11 +458,6 @@ BUILTIN(TypedArrayPrototypeSet) {
        isolate, NewRangeError(MessageTemplate::kTypedArraySetSourceTooLarge));
  }
-  if (!target->IsJSTypedArray()) {
-    THROW_NEW_ERROR_RETURN_FAILURE(
-        isolate, NewTypeError(MessageTemplate::kNotTypedArray));
-  }
  Handle<JSTypedArray> target_array = Handle<JSTypedArray>::cast(target);
  if (V8_UNLIKELY(target_array->WasNeutered())) {
    const MessageTemplate::Template message =

--- a/test/mjsunit/es6/typedarray.js
+++ b/test/mjsunit/es6/typedarray.js
@@ -625,6 +625,17 @@ function TestTypedArraySet() {
  };
  assertThrows(() => a111.set(evilarr), TypeError);
  assertEquals(true, detached);
+  // Check if the target is a typed array before converting offset to integer
+  var tmp = {
+    [Symbol.toPrimitive]() {
+      assertUnreachable("Parameter should not be processed when " +
+                        "array.[[ViewedArrayBuffer]] is neutered.");
+      return 1;
+    }
+  };
+  assertThrows(() => Int8Array.prototype.set.call(1, tmp), TypeError);
+  assertThrows(() => Int8Array.prototype.set.call([], tmp), TypeError);
 }
 TestTypedArraySet();