[rab/gsab] Fix TA.p.slice even more

The previous fix was using the wrong getter for accessing the length. It also threw an error when the created TA was length-tracking but in bounds. Bug: v8:11111,chromium:1399799 Change-Id: I5a94b1b49b2e30cf33999be7ff0ee8e4f5323849 Fixed: chromium:1399799 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4090984 Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#84771}
2022-12-09 15:53:45 +01:00 · 2022-12-09 15:53:45 +01:00 · bf998bdf47
commit bf998bdf47
parent c9ab4a47ce
4 changed files with 57 additions and 5 deletions
--- a/src/builtins/typed-array-createtypedarray.tq
+++ b/src/builtins/typed-array-createtypedarray.tq
@ -478,9 +478,16 @@ transitioning macro TypedArraySpeciesCreateByLength(implicit context: Context)(
  const typedArray: JSTypedArray = TypedArraySpeciesCreate(
      methodName, numArgs, exemplar, Convert<Number>(length), Undefined,
      Undefined);
-  if (LoadJSTypedArrayLength(typedArray) < length) deferred {
-      ThrowTypeError(MessageTemplate::kTypedArrayTooShort);
-    }
+  try {
+    const createdArrayLength =
+        LoadJSTypedArrayLengthAndCheckDetached(typedArray)
+        otherwise DetachedOrOutOfBounds;
+    if (createdArrayLength < length) deferred {
+        ThrowTypeError(MessageTemplate::kTypedArrayTooShort);
+      }
+  } label DetachedOrOutOfBounds {
+    ThrowTypeError(MessageTemplate::kTypedArrayTooShort);
+  }
  return typedArray;
 }

--- a/test/mjsunit/regress-crbug-1359991.js
+++ b/test/mjsunit/regress-crbug-1359991.js
@ -13,7 +13,7 @@ class MyFloat64Array extends Float64Array {
    super(rab);
    if (callSlice) {
      callSlice = false;  // Prevent recursion
-      assertThrows(() => { super.slice(); }, TypeError);
+      super.slice();
    }
  }
 };
--- a/test/mjsunit/regress/regress-crbug-1362487.js
+++ b/test/mjsunit/regress/regress-crbug-1362487.js
@ -13,4 +13,4 @@ class MyInt8Array extends Int8Array {
 const rab2 = new ArrayBuffer(1000, {'maxByteLength': 4000});
 const ta = new Int8Array(rab2);
 ta.constructor = MyInt8Array;
-assertThrows(() => { ta.slice(); }, TypeError);
+ta.slice();
--- a/test/mjsunit/regress/regress-crbug-1399799.js
+++ b/test/mjsunit/regress/regress-crbug-1399799.js
@ -0,0 +1,45 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --harmony-rab-gsab --allow-natives-syntax
+
+const ab = new ArrayBuffer(3000);
+const ta = new Uint16Array(ab);
+
+function createOOBTA() {
+    const rab = new ArrayBuffer(3000, {"maxByteLength": 4000});
+    const ta = new Uint8Array(rab, 0, 3000);
+    rab.resize(0);
+    return ta;
+}
+
+Object.defineProperty(Uint16Array, Symbol.species,
+                      { configurable: true, enumerable: true,
+                        get: () => { return createOOBTA; }});
+assertThrows(() => { ta.slice(); }, TypeError);
+
+function createDetachedTA() {
+    const rab = new ArrayBuffer(3000, {"maxByteLength": 4000});
+    const ta = new Uint8Array(rab, 0, 3000);
+    %ArrayBufferDetach(rab);
+    return ta;
+}
+
+Object.defineProperty(Uint16Array, Symbol.species,
+                      { configurable: true, enumerable: true,
+                        get: () => { return createDetachedTA; }});
+assertThrows(() => { ta.slice(); }, TypeError);
+
+// But this works:
+function createLengthTrackingTA() {
+    const rab = new ArrayBuffer(3000, {"maxByteLength": 4000});
+    const ta = new Uint16Array(rab, 0);
+    return ta;
+}
+
+Object.defineProperty(Uint16Array, Symbol.species,
+    { configurable: true, enumerable: true,
+      get: () => { return createLengthTrackingTA; }});
+
+ta.slice();