Allow pathological zero-length typed arrays. (issue 14857002)


dsl...@chromium.org

May 2, 2013, 9:47:05 AM5/2/13
to ross...@chromium.org, v8-...@googlegroups.com
Reviewers: rossberg,

Message:
Apparently our current implementation allows this, although the spec is unclear
(filed https://bugs.ecmascript.org/show_bug.cgi?id=1461)

Description:
Allow pathological zero-length typed arrays.

R=ross...@chromium.org
BUG=

Please review this at https://codereview.chromium.org/14857002/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files:
M src/typedarray.js
M test/mjsunit/harmony/typedarrays.js


Index: src/typedarray.js
diff --git a/src/typedarray.js b/src/typedarray.js
index
e105afc38e54799c8112320949232a008c835848..daade1328f22f6ae913285e823e0e3c7078cde53
100644
--- a/src/typedarray.js
+++ b/src/typedarray.js
@@ -93,7 +93,7 @@ function CreateTypedArrayConstructor(name, elementSize,
arrayId, constructor) {
"start offset", name, elementSize);
}
var bufferByteLength = %ArrayBufferGetByteLength(buffer);
- if (offset >= bufferByteLength) {
+ if (offset > bufferByteLength) {
throw MakeRangeError("invalid_typed_array_offset");
}
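Review bot: The relaxed guard `if (offset > bufferByteLength) {` now admits `offset == bufferByteLength`, so at this boundary the view's bounds depend entirely on the length validation that follows, which is outside this hunk. Since this guard is part of the bounds checking for views over an ArrayBuffer, the intent deserves a comment such as `// offset == bufferByteLength is allowed: it yields a zero-length view at the end of the buffer.` It is also worth confirming that the later explicit-length check rejects any non-zero length at this offset; that code is not visible here, and the body of CreateTypedArrayConstructor continues past the hunk.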

Index: test/mjsunit/harmony/typedarrays.js
diff --git a/test/mjsunit/harmony/typedarrays.js
b/test/mjsunit/harmony/typedarrays.js
index
21c6054072a8f4875af75c9b34120133ff369285..ca76fe7bdfdd6dfdb8b5f5f04b36eb461de91fb6
100644
--- a/test/mjsunit/harmony/typedarrays.js
+++ b/test/mjsunit/harmony/typedarrays.js
@@ -191,7 +191,13 @@ function TestTypedArray(proto, elementSize,
typicalElement) {
assertSame(typicalElement, a4[i]);
}

- assertThrows(function () { new proto(ab, 256*elementSize); },
RangeError);
+ var aAtTheEnd = new proto(ab, 256*elementSize);
+ assertSame(elementSize, aAtTheEnd.BYTES_PER_ELEMENT);
+ assertSame(0, aAtTheEnd.length);
+ assertSame(0, aAtTheEnd.byteLength);
+ assertSame(256*elementSize, aAtTheEnd.byteOffset);
+
+ assertThrows(function () { new proto(ab, 257*elementSize); },
RangeError);
assertThrows(
function () { new proto(ab, 128*elementSize, 192); },
RangeError);
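Review bot: The new assertions do not cover an offset at the end of the buffer combined with an explicit non-zero length, which is the case the relaxed offset check newly passes on to the later length validation. They cover only the end offset with the default length and an offset one element past the end. Adding `assertThrows(function () { new proto(ab, 256*elementSize, 1); }, RangeError);` would pin that boundary. An explicit zero length, `new proto(ab, 256*elementSize, 0)`, could be asserted to succeed alongside it. This assumes `ab` is exactly `256*elementSize` bytes, as the `byteLength` assertion on `aAtTheEnd` implies. TestTypedArray starts and ends outside the hunk.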
@@ -229,6 +235,14 @@ function TestTypedArray(proto, elementSize,
typicalElement) {
for (i = 0; i < 30; i++) {
assertSame(typicalElement, aFromArray[i]);
}
+
+ var abLen0 = new ArrayBuffer(0);
+ var aOverAbLen0 = new proto(abLen0);
+ assertSame(abLen0, aOverAbLen0.buffer);
+ assertSame(elementSize, aOverAbLen0.BYTES_PER_ELEMENT);
+ assertSame(0, aOverAbLen0.length);
+ assertSame(0, aOverAbLen0.byteLength);
+ assertSame(0, aOverAbLen0.byteOffset);
}

TestTypedArray(Uint8Array, 1, 0xFF);


ross...@chromium.org

May 2, 2013, 9:48:33 AM5/2/13
to dsl...@chromium.org, v8-...@googlegroups.com

dsl...@chromium.org

May 2, 2013, 9:51:11 AM5/2/13
to ross...@chromium.org, v8-...@googlegroups.com
Committed patchset #1 manually as r14520 (presubmit successful).

https://codereview.chromium.org/14857002/