Bug 199141
| Summary: | Wrong Realization of TypedArray.prototype.fill | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | sunlili |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | ashvayka, fpizlo, keith_miller, mark.lam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=138218 | ||
sunlili
The implementation of ‘TypedArray.prototype.fill’ in the engine is not correct. According to Ecma-262 standard, it should get the value of 'p1' firstly, and then calculate the start and end index to fill the value at corresponding items. But the actual order of implementation is reversed. The following code demonstrate our guess. The proxy ‘get’ function doesn’t run at all. JS engines like v8 & spidermonkey have different output.
The code:
let array = new Uint32Array(5);
let arg1 = [1, 2, 3];
let start = {
valueOf: () => {
return 5;
}
};
let end = {
valueOf: () => {
return -3;
}
};
let p1 = new Proxy(arg1, {
get: function(oTarget, sKey) {
if (sKey.toString() == 'valueOf') {
print('call valueOf');
arg1[0] = 0;
}
return Reflect.get(oTarget, sKey);
}
});
arr2 = Uint32Array.prototype.fill.call(array, p1, start, end);
print(arg1);
The output:
1,2,3
BT group
2019.06.24
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/52044197>
Alexey Shvayka
(In reply to sunlili from comment #0)
> The output:
> 1,2,3
Thank you for detailed report!
r267522 aligned our %TypedArray%.prototype.fill implementation with the spec.
Provided sample output is now consistent with other runtimes:
call valueOf
[0, 2, 3]
*** This bug has been marked as a duplicate of bug 216912 ***