Issue 5733 in v8: Out of bound array from BufferArray error message

[thomas.f… via monorail]

Status: Untriaged
Owner: ----

New issue 5733 by thomas.f...@gmail.com: Out of bound array from BufferArray error message
https://bugs.chromium.org/p/v8/issues/detail?id=5733

Version: 5.4.500.43
OS: Archlinux
Architecture: x64

What steps will reproduce the problem?
Run new Uint8Array(new ArrayBuffer(1),2) in node

What is the expected output?
RangeError : attempting to construct out-of-bounds TypedArray on ArrayBuffer

What do you see instead?
RangeError: byte length of Uint8Array should be a multiple of 1

I'm not sure if this is the correct place to create this issue, but I'll try.

The error given when you do this is really weird, especially when using Uint8Array since any integer is a multiple of 1...



--
You received this message because:
1. The project was configured to send all issue notifications to this address

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

[habl… via monorail]

Updates:
Cc: litt...@chromium.org ad...@chromium.org
Components: Language
Status: Available

Comment #1 on issue 5733 by hab...@chromium.org: Out of bound array from BufferArray error message
https://bugs.chromium.org/p/v8/issues/detail?id=5733#c1

(No comment was entered for this change.)

[cwhan.t… via monorail]

Comment #2 on issue 5733 by cwhan.t...@gmail.com: Out of bound array from BufferArray error message
https://bugs.chromium.org/p/v8/issues/detail?id=5733#c2

Can we make a new error message such as "The offset is out of range of the buffer" for this?
This error occurs because the new length is negative, but it does not mean that the new length is not a multiple of X.

[v… via monorail]

Updates:
Owner: va...@chromium.org
Status: Started

Comment #3 on issue 5733 by va...@chromium.org: Out of bound array from BufferArray error message
https://bugs.chromium.org/p/v8/issues/detail?id=5733#c3

https://cs.chromium.org/chromium/src/v8/src/js/typedarray.js?rcl=62f11c20143b979897170ec14c5f366a49f72f9c&l=164 should use kInvalidDataViewOffset instead of kInvalidTypedArrayAlignment, resulting in: "Start offset 2 is outside the bounds of the buffer".

Let me create a patch for that.

[v… via monorail]

Comment #4 on issue 5733 by va...@chromium.org: Out of bound array from BufferArray error message
https://bugs.chromium.org/p/v8/issues/detail?id=5733#c4

Looking at https://codereview.chromium.org/2090353003, which introduced the current code, the previously used RangeError variant was kInvalidTypedArrayOffset, which is currently missing from the list in messages.h. Because this is about typed arrays and not DataViews, kInvalidTypedArrayOffset will need to be introduced again. I'll do that and let the reviewer express potential concerns.

[v… via monorail]

Comment #5 on issue 5733 by va...@chromium.org: Out of bound array from BufferArray error message
https://bugs.chromium.org/p/v8/issues/detail?id=5733#c5

Patch in progress: https://codereview.chromium.org/2692753002/

[bugdro… via monorail]

Comment #6 on issue 5733 by bugd...@chromium.org: Out of bound array from BufferArray error message
https://bugs.chromium.org/p/v8/issues/detail?id=5733#c6

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/1dd803f9d384cb33ac78aa3ddcb3faa811af892c

commit 1dd803f9d384cb33ac78aa3ddcb3faa811af892c
Author: vabr <va...@chromium.org>
Date: Mon Feb 13 10:28:34 2017

Fix error message for invalid buffer offset

The constructor for TypedArray in js/typedarray.js emitted
kInvalidTypedArrayAlignment if the array offset exceeded the size of the
underlying buffer. This seems like a typo introduced in
https://codereview.chromium.org/2090353003.

The error message to be emitted instead coincides with the already existing
kInvalidDataViewOffset. The message string is independent of whether the
object in question is a DataView or a typed array, so this CL:
(1) renames kInvalidDataViewOffset to just kInvalidOffset, and
(2) uses kInvalidOffset instead of kInvalidTypedArrayAlignment for cases
when the TypedArray is constructed with an offset exceeding the buffer
size.

BUG=v8:5733
TEST=Run d8, execute "new Uint8Array(new ArrayBuffer(1),2)", see the error message mention the invalid offset 2.

Review-Url: https://codereview.chromium.org/2692753002
Cr-Commit-Position: refs/heads/master@{#43151}

[modify] https://crrev.com/1dd803f9d384cb33ac78aa3ddcb3faa811af892c/src/builtins/builtins-dataview.cc
[modify] https://crrev.com/1dd803f9d384cb33ac78aa3ddcb3faa811af892c/src/js/typedarray.js
[modify] https://crrev.com/1dd803f9d384cb33ac78aa3ddcb3faa811af892c/src/messages.h
[modify] https://crrev.com/1dd803f9d384cb33ac78aa3ddcb3faa811af892c/test/mjsunit/messages.js

[v… via monorail]

Updates:
Status: Fixed

Comment #7 on issue 5733 by va...@chromium.org: Out of bound array from BufferArray error message
https://bugs.chromium.org/p/v8/issues/detail?id=5733#c7

(No comment was entered for this change.)