[Webkit-unassigned] [Bug 212730] New: An issue about %TypedArray%.prototype.set method

Wed Jun 3 23:01:03 PDT 2020

https://bugs.webkit.org/show_bug.cgi?id=212730

            Bug ID: 212730
           Summary: An issue about %TypedArray%.prototype.set method
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: nisl_grammarly1 at 163.com

#version: dbae081
https://github.com/WebKit/webkit/tree/dbae081ad7e22d9ab61edf2f337f6c2bb593c7f8

#Testcase:
var NISLFuzzingFunc = function(){
        var e = '123';
        A = new Uint8Array(5);
        A.set(e);
        print(A);
};
NISLFuzzingFunc();

#Command:
./webkit/WebKitBuild/Release/bin/jsc testcase.js

#Output:
Exception: TypeError: First argument should be an object

#Expected output:
1,2,3,0,0

#Description:

According to ES2019 standard, the steps of `%TypedArray%.prototype.set` are as follows.

> 22.2.3.23.1 %TypedArray%.prototype.set ( array [ , offset ] )
>
> 1. Assert: array is any ECMAScript language value other than an Object with a [[TypedArrayName]] internal slot. If it is such an Object, the definition in 22.2.3.23.2 applies.
>
>    ...
>
> 15. Let src be ? ToObject(array).

In this testcase, `ToObject(e)` should not throw a TypeError. So I suspect it is a bug of javascriptcore.

#Reference:
http://ecma-international.org/ecma-262/10.0/#sec-%typedarray%.prototype.set-array-offset

#Additional info:
Contributor: QuXing

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200604/aba6d7ea/attachment.htm>