[Webkit-unassigned] [Bug 199141] New: Wrong Realization of TypedArray.prototype.fill

Sun Jun 23 21:51:23 PDT 2019

https://bugs.webkit.org/show_bug.cgi?id=199141

            Bug ID: 199141
           Summary: Wrong Realization of TypedArray.prototype.fill
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sunlili at ict.ac.cn

The implementation of ‘TypedArray.prototype.fill’ in the engine is not correct. According to Ecma-262 standard, it should get the value of 'p1' firstly, and then calculate the start and end index to fill the value at corresponding items. But the actual order of implementation is reversed. The following code demonstrate our guess. The proxy ‘get’ function doesn’t run at all. JS engines like v8 & spidermonkey have different output.

The code:

let array = new Uint32Array(5);
let arg1 = [1, 2, 3];
let start = {
    valueOf: () => {
        return 5;
    }
};
let end = {
    valueOf: () => {
        return -3;
    }
};

let p1 = new Proxy(arg1, {
    get: function(oTarget, sKey) {
        if (sKey.toString() == 'valueOf') {
            print('call valueOf');
            arg1[0] = 0;
        }
        return Reflect.get(oTarget, sKey);
    }
});

arr2 = Uint32Array.prototype.fill.call(array, p1, start, end);
print(arg1);

The output:
1,2,3

BT group
2019.06.24

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190624/da1a7720/attachment.html>