<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[203204] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/203204">203204</a></dd>
<dt>Author</dt> <dd>keith_miller@apple.com</dd>
<dt>Date</dt> <dd>2016-07-13 17:15:03 -0700 (Wed, 13 Jul 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Crashes with detached ArrayBuffers
https://bugs.webkit.org/show_bug.cgi?id=157088
<rdar://problem/27327362>
Reviewed by Filip Pizlo.
TypedArray.prototype.fill was incorrect because it should perform
ToNumber coercion each time it tries to store the
object. Currently, we only perform the coercion once at the
beginning of the loop. If we find that we need to improve the
performance of this function, we can add a faster C++ path back
that only handles the primitive case.
This patch also moves the isNeutered() checks from put and
putByIndex into setIndex. This fixes an issue where setIndex might
store to a no longer valid offset.
* builtins/TypedArrayPrototype.js:
(globalPrivate.typedArrayClampArgumentToStartOrEnd):
(fill):
* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::setIndexQuickly):
(JSC::JSGenericTypedArrayView::setIndex):
(JSC::JSGenericTypedArrayView::setRangeToValue): Deleted.
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::put): Deleted.
(JSC::JSGenericTypedArrayView<Adaptor>::putByIndex): Deleted.
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncFill): Deleted.
* runtime/JSTypedArrayViewPrototype.cpp:
(JSC::JSTypedArrayViewPrototype::finishCreation):
(JSC::typedArrayViewProtoFuncFill): Deleted.
* tests/stress/typedarray-fill.js:
* tests/stress/typedarray-functions-with-neutered.js:
(defaultForArg):
(test2):
(checkArgumentsForType): Deleted.
(checkArguments): Deleted.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebuiltinsTypedArrayPrototypejs">trunk/Source/JavaScriptCore/builtins/TypedArrayPrototype.js</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewInlinesh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewPrototypeFunctionsh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSTypedArrayViewPrototypecpp">trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstresstypedarrayfilljs">trunk/Source/JavaScriptCore/tests/stress/typedarray-fill.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstresstypedarrayfunctionswithneuteredjs">trunk/Source/JavaScriptCore/tests/stress/typedarray-functions-with-neutered.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (203203 => 203204)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-07-14 00:12:58 UTC (rev 203203)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-07-14 00:15:03 UTC (rev 203204)
</span><span class="lines">@@ -1,3 +1,44 @@
</span><ins>+2016-07-13 Keith Miller <keith_miller@apple.com>
+
+ Crashes with detached ArrayBuffers
+ https://bugs.webkit.org/show_bug.cgi?id=157088
+ <rdar://problem/27327362>
+
+ Reviewed by Filip Pizlo.
+
+ TypedArray.prototype.fill was incorrect because it should perform
+ ToNumber coercion each time it tries to store the
+ object. Currently, we only perform the coercion once at the
+ beginning of the loop. If we find that we need to improve the
+ performance of this function, we can add a faster C++ path back
+ that only handles the primitive case.
+
+ This patch also moves the isNeutered() checks from put and
+ putByIndex into setIndex. This fixes an issue where setIndex might
+ store to a no longer valid offset.
+
+ * builtins/TypedArrayPrototype.js:
+ (globalPrivate.typedArrayClampArgumentToStartOrEnd):
+ (fill):
+ * runtime/JSGenericTypedArrayView.h:
+ (JSC::JSGenericTypedArrayView::setIndexQuickly):
+ (JSC::JSGenericTypedArrayView::setIndex):
+ (JSC::JSGenericTypedArrayView::setRangeToValue): Deleted.
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView<Adaptor>::put): Deleted.
+ (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex): Deleted.
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewProtoFuncFill): Deleted.
+ * runtime/JSTypedArrayViewPrototype.cpp:
+ (JSC::JSTypedArrayViewPrototype::finishCreation):
+ (JSC::typedArrayViewProtoFuncFill): Deleted.
+ * tests/stress/typedarray-fill.js:
+ * tests/stress/typedarray-functions-with-neutered.js:
+ (defaultForArg):
+ (test2):
+ (checkArgumentsForType): Deleted.
+ (checkArguments): Deleted.
+
</ins><span class="cx"> 2016-07-13 Michael Saboff <msaboff@apple.com>
</span><span class="cx">
</span><span class="cx"> Some bad unicode regex escapes aren't flagged as errors
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebuiltinsTypedArrayPrototypejs"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/builtins/TypedArrayPrototype.js (203203 => 203204)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/builtins/TypedArrayPrototype.js 2016-07-14 00:12:58 UTC (rev 203203)
+++ trunk/Source/JavaScriptCore/builtins/TypedArrayPrototype.js 2016-07-14 00:15:03 UTC (rev 203204)
</span><span class="lines">@@ -52,6 +52,22 @@
</span><span class="cx"> return constructor;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+@globalPrivate
+function typedArrayClampArgumentToStartOrEnd(value, length, undefinedValue)
+{
+ "use strict";
+
+ if (value === @undefined)
+ return undefinedValue;
+
+ let int = @toInteger(value);
+ if (int < 0) {
+ int += length;
+ return int < 0 ? 0 : int;
+ }
+ return int > length ? length : int;
+}
+
</ins><span class="cx"> function values()
</span><span class="cx"> {
</span><span class="cx"> "use strict";
</span><span class="lines">@@ -90,6 +106,29 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+function fill(value /* [, start [, end]] */)
+{
+ "use strict";
+
+ let length = @typedArrayLength(this);
+ let start;
+ let end;
+
+ if (arguments.length > 1) {
+ start = arguments[1];
+ if (arguments.length > 2) {
+ end = arguments[2];
+ }
+ }
+
+ start = @typedArrayClampArgumentToStartOrEnd(start, length, 0);
+ end = @typedArrayClampArgumentToStartOrEnd(end, length, length);
+
+ for (let i = start; i < end; i++)
+ this[i] = value;
+ return this;
+}
+
</ins><span class="cx"> function find(callback /* [, thisArg] */)
</span><span class="cx"> {
</span><span class="cx"> "use strict";
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h (203203 => 203204)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h 2016-07-14 00:12:58 UTC (rev 203203)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h 2016-07-14 00:15:03 UTC (rev 203204)
</span><span class="lines">@@ -88,6 +88,8 @@
</span><span class="cx"> Unobservable,
</span><span class="cx"> };
</span><span class="cx">
</span><ins>+static const char* typedArrayBufferHasBeenDetachedErrorMessage = "Underlying ArrayBuffer has been detached from the view";
+
</ins><span class="cx"> template<typename Adaptor>
</span><span class="cx"> class JSGenericTypedArrayView : public JSArrayBufferView {
</span><span class="cx"> public:
</span><span class="lines">@@ -160,6 +162,7 @@
</span><span class="cx">
</span><span class="cx"> void setIndexQuickly(unsigned i, JSValue value)
</span><span class="cx"> {
</span><ins>+ ASSERT(!value.isObject());
</ins><span class="cx"> setIndexQuicklyToNativeValue(i, toNativeFromValue<Adaptor>(value));
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -169,6 +172,11 @@
</span><span class="cx"> if (exec->hadException())
</span><span class="cx"> return false;
</span><span class="cx">
</span><ins>+ if (isNeutered()) {
+ throwTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
+ return false;
+ }
+
</ins><span class="cx"> if (i >= m_length)
</span><span class="cx"> return false;
</span><span class="cx">
</span><span class="lines">@@ -180,22 +188,6 @@
</span><span class="cx">
</span><span class="cx"> static bool toAdaptorNativeFromValue(ExecState* exec, JSValue jsValue, ElementType& result) { return toNativeFromValue<Adaptor>(exec, jsValue, result); }
</span><span class="cx">
</span><del>- bool setRangeToValue(ExecState* exec, unsigned start, unsigned end, JSValue jsValue)
- {
- ASSERT(0 <= start && start <= end && end <= m_length);
-
- typename Adaptor::Type value = toNativeFromValue<Adaptor>(exec, jsValue);
- if (exec->hadException())
- return false;
-
- // We might want to do something faster here (e.g. SIMD) if this is too slow.
- typename Adaptor::Type* array = typedVector();
- for (unsigned i = start; i < end; ++i)
- array[i] = value;
-
- return true;
- }
-
</del><span class="cx"> void sort()
</span><span class="cx"> {
</span><span class="cx"> switch (Adaptor::typeValue) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h (203203 => 203204)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h 2016-07-14 00:12:58 UTC (rev 203203)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h 2016-07-14 00:15:03 UTC (rev 203204)
</span><span class="lines">@@ -37,8 +37,6 @@
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><del>-static const char* typedArrayBufferHasBeenDetachedErrorMessage = "Underlying ArrayBuffer has been detached from the view";
-
</del><span class="cx"> template<typename Adaptor>
</span><span class="cx"> JSGenericTypedArrayView<Adaptor>::JSGenericTypedArrayView(
</span><span class="cx"> VM& vm, ConstructionContext& context)
</span><span class="lines">@@ -325,9 +323,6 @@
</span><span class="cx"> {
</span><span class="cx"> JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(cell);
</span><span class="cx">
</span><del>- if (thisObject->isNeutered())
- return reject(exec, true, typedArrayBufferHasBeenDetachedErrorMessage);
-
</del><span class="cx"> // https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-set-p-v-receiver
</span><span class="cx"> // Ignore the receiver even if the receiver is altered to non base value.
</span><span class="cx"> // 9.4.5.5-2-b-i Return ? IntegerIndexedElementSet(O, numericIndex, V).
</span><span class="lines">@@ -408,9 +403,6 @@
</span><span class="cx"> {
</span><span class="cx"> JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(cell);
</span><span class="cx">
</span><del>- if (thisObject->isNeutered())
- return reject(exec, true, typedArrayBufferHasBeenDetachedErrorMessage);
-
</del><span class="cx"> if (propertyName > MAX_ARRAY_INDEX) {
</span><span class="cx"> PutPropertySlot slot(JSValue(thisObject), shouldThrow);
</span><span class="cx"> return thisObject->methodTable()->put(thisObject, exec, Identifier::from(exec, propertyName), value, slot);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewPrototypeFunctionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h (203203 => 203204)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2016-07-14 00:12:58 UTC (rev 203203)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2016-07-14 00:15:03 UTC (rev 203204)
</span><span class="lines">@@ -169,39 +169,6 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename ViewClass>
</span><del>-EncodedJSValue JSC_HOST_CALL genericTypedArrayViewProtoFuncFill(ExecState* exec)
-{
- // 22.2.3.8
- VM& vm = exec->vm();
- ViewClass* thisObject = jsCast<ViewClass*>(exec->thisValue());
- if (thisObject->isNeutered())
- return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
-
- JSValue valueToInsert = exec->argument(0);
- if (exec->hadException())
- return JSValue::encode(jsUndefined());
-
- unsigned length = thisObject->length();
- unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 1, length);
- if (vm.exception())
- return encodedJSValue();
- unsigned end = argumentClampedIndexFromStartOrEnd(exec, 2, length, length);
- if (vm.exception())
- return encodedJSValue();
-
- if (thisObject->isNeutered())
- return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
-
- if (end < begin)
- return JSValue::encode(exec->thisValue());
-
- if (!thisObject->setRangeToValue(exec, begin, end, valueToInsert))
- return JSValue::encode(jsUndefined());
-
- return JSValue::encode(exec->thisValue());
-}
-
-template<typename ViewClass>
</del><span class="cx"> EncodedJSValue JSC_HOST_CALL genericTypedArrayViewProtoFuncIncludes(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> ViewClass* thisObject = jsCast<ViewClass*>(exec->thisValue());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSTypedArrayViewPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp (203203 => 203204)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp 2016-07-14 00:12:58 UTC (rev 203203)
+++ trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp 2016-07-14 00:15:03 UTC (rev 203204)
</span><span class="lines">@@ -114,14 +114,6 @@
</span><span class="cx"> CALL_GENERIC_TYPEDARRAY_PROTOTYPE_FUNCTION(genericTypedArrayViewProtoFuncCopyWithin);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-static EncodedJSValue JSC_HOST_CALL typedArrayViewProtoFuncFill(ExecState* exec)
-{
- JSValue thisValue = exec->thisValue();
- if (!thisValue.isObject())
- return throwVMTypeError(exec, ASCIILiteral("Receiver should be a typed array view but was not an object"));
- CALL_GENERIC_TYPEDARRAY_PROTOTYPE_FUNCTION(genericTypedArrayViewProtoFuncFill);
-}
-
</del><span class="cx"> static EncodedJSValue JSC_HOST_CALL typedArrayViewProtoFuncIncludes(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSValue thisValue = exec->thisValue();
</span><span class="lines">@@ -267,8 +259,8 @@
</span><span class="cx"> JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION("filter", typedArrayPrototypeFilterCodeGenerator, DontEnum);
</span><span class="cx"> JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION("sort", typedArrayPrototypeSortCodeGenerator, DontEnum);
</span><span class="cx"> JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().entriesPublicName(), typedArrayPrototypeEntriesCodeGenerator, DontEnum);
</span><del>- JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("fill", typedArrayViewProtoFuncFill, DontEnum, 1);
</del><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("includes", typedArrayViewProtoFuncIncludes, DontEnum, 1);
</span><ins>+ JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION("fill", typedArrayPrototypeFillCodeGenerator, DontEnum);
</ins><span class="cx"> JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION("find", typedArrayPrototypeFindCodeGenerator, DontEnum);
</span><span class="cx"> JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION("findIndex", typedArrayPrototypeFindIndexCodeGenerator, DontEnum);
</span><span class="cx"> JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->forEach, typedArrayPrototypeForEachCodeGenerator, DontEnum);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstresstypedarrayfilljs"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/tests/stress/typedarray-fill.js (203203 => 203204)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/typedarray-fill.js 2016-07-14 00:12:58 UTC (rev 203203)
+++ trunk/Source/JavaScriptCore/tests/stress/typedarray-fill.js 2016-07-14 00:15:03 UTC (rev 203204)
</span><span class="lines">@@ -32,4 +32,18 @@
</span><span class="cx"> shouldBeTrue("testPrototypeFunction('fill', '(4, NaN, 5)', [14, 15, 10, 13, 44], [4, 4, 4, 4, 4])");
</span><span class="cx"> shouldBeTrue("testPrototypeFunction('fill', '(4, -3, -2)', [14, 15, 10, 13, 44], [14, 15, 4, 13, 44])");
</span><span class="cx"> shouldBeTrue("testPrototypeFunction('fill', '(4, 5, 5)', [14, 15, 10, 13, 44], [14, 15, 10, 13, 44])");
</span><ins>+
+debug("4.0 Coercion Testing");
+for (constructor of typedArrays) {
+ count = 0;
+ let p = new Proxy({}, { get(target, name) {
+ count++;
+ return target[name];
+ }});
+ new constructor(10).fill(p);
+ shouldBeTrue("count === 40");
+}
+
+
+
</ins><span class="cx"> finishJSTest();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstresstypedarrayfunctionswithneuteredjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/tests/stress/typedarray-functions-with-neutered.js (203203 => 203204)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/typedarray-functions-with-neutered.js 2016-07-14 00:12:58 UTC (rev 203203)
+++ trunk/Source/JavaScriptCore/tests/stress/typedarray-functions-with-neutered.js 2016-07-14 00:15:03 UTC (rev 203204)
</span><span class="lines">@@ -77,7 +77,7 @@
</span><span class="cx"> prototypeFunctions = [
</span><span class="cx"> { func:proto.copyWithin, args:["prim", "prim", "prim"] },
</span><span class="cx"> { func:proto.every, args:["func"] },
</span><del>- { func:proto.fill, args:["ins", "prim", "prim"] },
</del><ins>+ { func:proto.fill, args:["prim", "prim", "prim"] },
</ins><span class="cx"> { func:proto.filter, args:["func"] },
</span><span class="cx"> { func:proto.find, args:["func"] },
</span><span class="cx"> { func:proto.findIndex, args:["func"] },
</span><span class="lines">@@ -95,12 +95,14 @@
</span><span class="cx"> { func:proto.subarray, args:["prim", "prim"] },
</span><span class="cx"> ];
</span><span class="cx">
</span><del>-function defaultForArg(arg)
</del><ins>+function defaultForArg(arg, argNum)
</ins><span class="cx"> {
</span><span class="cx"> if (arg === "func")
</span><del>- return () => { return 1; }
</del><ins>+ return () => { return argNum; }
+ if (arg === "array")
+ return [1,2];
</ins><span class="cx">
</span><del>- return 1;
</del><ins>+ return argNum;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> function callWithArgs(func, array, args) {
</span><span class="lines">@@ -127,34 +129,40 @@
</span><span class="cx"> if (arg === "na")
</span><span class="cx"> continue;
</span><span class="cx">
</span><del>- let len = 10;
</del><ins>+ let array = new constructor(10);
</ins><span class="cx"> if (arg === "func") {
</span><del>- let array = new constructor(len);
</del><span class="cx"> callArgs[argNum] = () => {
</span><span class="cx"> transferArrayBuffer(array.buffer);
</span><span class="cx"> return func === array.every ? 1 : 0;
</span><span class="cx"> };
</span><span class="cx"> callWithArgs(func, array, callArgs);
</span><del>- }
-
- if (arg === "prim") {
- let array = new constructor(len)
</del><ins>+ } else if (arg === "prim") {
</ins><span class="cx"> callArgs[argNum] = { [Symbol.toPrimitive]() {
</span><span class="cx"> transferArrayBuffer(array.buffer);
</span><ins>+ return argNum;
+ } };
+ callWithArgs(func, array, callArgs);
+ } else if (arg === "array") {
+ callArgs[argNum] = new Array(4);
+ callArgs[argNum].fill(2);
+ let desc = { get: () => {
+ transferArrayBuffer(array.buffer);
</ins><span class="cx"> return 1;
</span><span class="cx"> } };
</span><ins>+ Object.defineProperty(callArgs[argNum], 1, desc);
</ins><span class="cx"> callWithArgs(func, array, callArgs);
</span><del>- }
</del><ins>+ } else
+ throw new Error(arg);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> function checkArguments({func, args}) {
</span><span class="cx"> for (constructor of typedArrays)
</span><del>- checkArgumentsForType(func, args, constructor)
</del><ins>+ checkArgumentsForType(func, args, constructor);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-function test() {
</del><ins>+function test2() {
</ins><span class="cx"> prototypeFunctions.forEach(checkArguments);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-test();
</del><ins>+test2();
</ins></span></pre>
</div>
</div>
</body>
</html>