[webkit-changes] [WebKit/WebKit] 6e7e65: [JSC] Recompute length properly when resize happen...

Yusuke Suzuki noreply at github.com
Mon Jul 31 11:20:48 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 6e7e654417b61630d67f02b65798439cf3d6b0b5
      https://github.com/WebKit/WebKit/commit/6e7e654417b61630d67f02b65798439cf3d6b0b5
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    A JSTests/stress/resizable-array-buffer-copy-within-length-update.js
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

  Log Message:
  -----------
  [JSC] Recompute length properly when resize happens during TypedArray#copyWithin
https://bugs.webkit.org/show_bug.cgi?id=257387
rdar://109851495

Reviewed by Mark Lam.

copyWithin's side-effectful operation can resize a resizable ArrayBuffer. We have code catching this and recomputing the appropriate copy count
again, but it can overflow if `to` or `from` are larger than the newly updated `length`. This patch handles this case correctly: returning,
since there is no content to copy in this case.

* JSTests/stress/resizable-array-buffer-copy-within-length-update.js: Added.
(call_back):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncCopyWithin):

Originally-landed-as: 259548.785 at safari-7615-branch (f2a2820d312c). rdar://109851495
Canonical link: https://commits.webkit.org/266442@main
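The length re-check the log message describes, as an added C++ example that is not WebKit's code: View, SideEffect and runScenario are hypothetical stand-ins for JSC's TypedArray view and for the argument conversion that can run user JavaScript.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <functional>
#include <vector>

// Hypothetical stand-in for a TypedArray view over a resizable ArrayBuffer.
struct View {
    std::vector<uint8_t> bytes;
    size_t length() const { return bytes.size(); }
    void resize(size_t n) { bytes.resize(n); }
};
// Stand-in for the argument conversions (target/start/end -> integer), which in JSC
// can run user JavaScript (valueOf) that resizes the buffer.
using SideEffect = std::function<void(View&)>;

// copyWithin(target, start, end) with the re-check: after user code may have run, re-read
// length and return early when `to` or `from` is outside the buffer (otherwise
// `length - to` / `length - from` underflow), then clamp count. Returns bytes moved.
size_t copyWithin(View& view, long target, long start, long end, const SideEffect& onConvert)
{
    size_t length = view.length();
    auto clampIndex = [&](long v) -> size_t {
        long len = static_cast<long>(length);
        return static_cast<size_t>(v < 0 ? std::max(0L, len + v) : std::min(v, len));
    };
    size_t to = clampIndex(target);
    size_t from = clampIndex(start);
    size_t finalIndex = clampIndex(end);
    size_t count = finalIndex > from ? finalIndex - from : 0;
    onConvert(view);                    // user code runs here; the buffer may shrink
    length = view.length();             // must be re-read after the side effect
    if (to >= length || from >= length) // the fix: nothing to copy, bail out
        return 0;
    count = std::min({count, length - from, length - to});
    if (!count)
        return 0;
    std::memmove(view.bytes.data() + to, view.bytes.data() + from, count);
    return count;
}

struct Result { size_t copied; std::vector<uint8_t> bytes; };
// Constructed scenario: 8-byte buffer {0..7}; the conversion callback resizes it to newLength.
Result runScenario(long target, long start, long end, size_t newLength)
{
    View view{{0, 1, 2, 3, 4, 5, 6, 7}};
    size_t copied = copyWithin(view, target, start, end, [=](View& v) { v.resize(newLength); });
    return {copied, view.bytes};
}
```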
