[DataView] Throw TypeError when buffer is detached
Per spec, accesses to a DataView object must throw a TypeError if the underlying ArrayBuffer has been detached/neutered. Since that implies a length of 0, we used to detect this as an out-of-bounds access and throw a RangeError. Adding a separate check for buffer detachedness lets us distinguish both cases properly. Bug: v8:4895 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: I1c1d4145dcd77dfb69f61062e14a6e8e538d45eb Reviewed-on: https://chromium-review.googlesource.com/947585 Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#51712}
This commit is contained in:
Jakob Kummerow
Commit Bot
parent
62d1f78245
commit
4534e8cc47
@ -173,7 +173,7 @@ MaybeHandle<Object> AllocateResult(Isolate* isolate, uint64_t value) {
|
||||
template <typename T>
|
||||
MaybeHandle<Object> GetViewValue(Isolate* isolate, Handle<JSDataView> data_view,
|
||||
Handle<Object> request_index,
|
||||
bool is_little_endian) {
|
||||
bool is_little_endian, const char* method) {
|
||||
ASSIGN_RETURN_ON_EXCEPTION(
|
||||
isolate, request_index,
|
||||
Object::ToIndex(isolate, request_index,
|
||||
@ -187,6 +187,13 @@ MaybeHandle<Object> GetViewValue(Isolate* isolate, Handle<JSDataView> data_view,
|
||||
}
|
||||
Handle<JSArrayBuffer> buffer(JSArrayBuffer::cast(data_view->buffer()),
|
||||
isolate);
|
||||
if (buffer->was_neutered()) {
|
||||
Handle<String> operation =
|
||||
isolate->factory()->NewStringFromAsciiChecked(method);
|
||||
THROW_NEW_ERROR(
|
||||
isolate, NewTypeError(MessageTemplate::kDetachedOperation, operation),
|
||||
Object);
|
||||
}
|
||||
size_t const data_view_byte_offset = NumberToSize(data_view->byte_offset());
|
||||
size_t const data_view_byte_length = NumberToSize(data_view->byte_length());
|
||||
if (get_index + sizeof(T) > data_view_byte_length ||
|
||||
@ -287,7 +294,8 @@ uint64_t DataViewConvertValue<uint64_t>(Handle<Object> value) {
|
||||
template <typename T>
|
||||
MaybeHandle<Object> SetViewValue(Isolate* isolate, Handle<JSDataView> data_view,
|
||||
Handle<Object> request_index,
|
||||
bool is_little_endian, Handle<Object> value) {
|
||||
bool is_little_endian, Handle<Object> value,
|
||||
const char* method) {
|
||||
ASSIGN_RETURN_ON_EXCEPTION(
|
||||
isolate, request_index,
|
||||
Object::ToIndex(isolate, request_index,
|
||||
@ -303,6 +311,13 @@ MaybeHandle<Object> SetViewValue(Isolate* isolate, Handle<JSDataView> data_view,
|
||||
}
|
||||
Handle<JSArrayBuffer> buffer(JSArrayBuffer::cast(data_view->buffer()),
|
||||
isolate);
|
||||
if (buffer->was_neutered()) {
|
||||
Handle<String> operation =
|
||||
isolate->factory()->NewStringFromAsciiChecked(method);
|
||||
THROW_NEW_ERROR(
|
||||
isolate, NewTypeError(MessageTemplate::kDetachedOperation, operation),
|
||||
Object);
|
||||
}
|
||||
size_t const data_view_byte_offset = NumberToSize(data_view->byte_offset());
|
||||
size_t const data_view_byte_length = NumberToSize(data_view->byte_length());
|
||||
if (get_index + sizeof(T) > data_view_byte_length ||
|
||||
@ -340,7 +355,8 @@ MaybeHandle<Object> SetViewValue(Isolate* isolate, Handle<JSDataView> data_view,
|
||||
ASSIGN_RETURN_FAILURE_ON_EXCEPTION( \
|
||||
isolate, result, \
|
||||
GetViewValue<type>(isolate, data_view, byte_offset, \
|
||||
is_little_endian->BooleanValue())); \
|
||||
is_little_endian->BooleanValue(), \
|
||||
"DataView.prototype.get" #Type)); \
|
||||
return *result; \
|
||||
}
|
||||
DATA_VIEW_PROTOTYPE_GET(Int8, int8_t)
|
||||
@ -366,7 +382,8 @@ DATA_VIEW_PROTOTYPE_GET(BigUint64, uint64_t)
|
||||
ASSIGN_RETURN_FAILURE_ON_EXCEPTION( \
|
||||
isolate, result, \
|
||||
SetViewValue<type>(isolate, data_view, byte_offset, \
|
||||
is_little_endian->BooleanValue(), value)); \
|
||||
is_little_endian->BooleanValue(), value, \
|
||||
"DataView.prototype.get" #Type)); \
|
||||
return *result; \
|
||||
}
|
||||
DATA_VIEW_PROTOTYPE_SET(Int8, int8_t)
|
||||
|
||||
@ -143,38 +143,6 @@
|
||||
'built-ins/DataView/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/byteLength/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/byteOffset/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/getFloat32/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/getFloat32/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/getFloat64/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/getFloat64/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/getInt16/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/getInt16/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/getInt32/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/getInt32/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/getInt8/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/getInt8/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/getUint16/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/getUint16/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/getUint32/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/getUint32/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/getUint8/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/getUint8/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/setFloat32/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/setFloat32/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/setFloat64/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/setFloat64/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/setInt16/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/setInt16/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/setInt32/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/setInt32/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/setInt8/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/setInt8/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/setUint16/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/setUint16/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/setUint32/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/setUint32/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
'built-ins/DataView/prototype/setUint8/detached-buffer': [FAIL],
|
||||
'built-ins/DataView/prototype/setUint8/detached-buffer-before-outofrange-byteoffset': [FAIL],
|
||||
|
||||
# https://bugs.chromium.org/p/v8/issues/detail?id=4231
|
||||
'language/eval-code/direct/var-env-lower-lex-catch-non-strict': [FAIL],
|
||||
@ -431,12 +399,6 @@
|
||||
'built-ins/Proxy/ownKeys/return-duplicate-entries-throws': [FAIL],
|
||||
'built-ins/Proxy/ownKeys/return-duplicate-symbol-entries-throws': [FAIL],
|
||||
|
||||
# https://bugs.chromium.org/p/v8/issues/detail?id=6791
|
||||
'built-ins/DataView/prototype/getBigInt64/*': [SKIP],
|
||||
'built-ins/DataView/prototype/getBigUint64/*': [SKIP],
|
||||
'built-ins/DataView/prototype/setBigInt64/*': [SKIP],
|
||||
'built-ins/DataView/prototype/setBigUint64/*': [SKIP],
|
||||
|
||||
# https://github.com/tc39/test262/issues/1467
|
||||
'built-ins/BigInt/prototype/Symbol.toStringTag': [FAIL],
|
||||
'built-ins/TypedArrays/ctors-bigint/typedarray-arg/typedarray-arg-other-ctor-returns-new-typedarray': [FAIL],
|
||||
|
||||
Loading…
Reference in New Issue
Block a user