RESOLVED FIXED 164450
test262: DataView / TypedArray methods should throw RangeErrors for negative numbers (ToIndex) 
https://bugs.webkit.org/show_bug.cgi?id=164450
Summary test262: DataView / TypedArray methods should throw RangeErrors for negative ...
Joseph Pecoraro
Reported 2016-11-05 09:04:46 PDT
Summary: DataView / TypedArray methods should throw RangeErrors for negative numbers (ToIndex) Steps to Reproduce: 1. jsc> new ArrayBuffer(-Infinity) 2. jsc> new DataView(new ArrayBuffer(128), -Infinity) ... The spec defines a ToIndex function that can throw a RangeError for negative numbers (after ToInteger has already truncated -0.999 to -0). > 7.1.17 ToIndex ( value ) > https://tc39.github.io/ecma262/#sec-toindex > > The abstract operation ToIndex returns value argument converted to a numeric value > if it is a valid integer index value. This abstract operation functions as follows: > > 1. If value is undefined, then > Let index be 0. > 2. Else, > Let integerIndex be ? ToInteger(value). > If integerIndex < 0, throw a RangeError exception. > Let index be ! ToLength(integerIndex). > If SameValueZero(integerIndex, index) is false, throw a RangeError exception. > 3. Return index. ToIndex is only used in DataView accessors and DataView / TypedArray construction.
Attachments
[PATCH] Proposed Fix (64.86 KB, patch)
2016-11-05 09:08 PDT, Joseph Pecoraro 		darin: review+
buildbot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ews113 for mac-yosemite (1.84 MB, application/zip)
2016-11-05 12:36 PDT, Build Bot 		no flags
Details
Archive of layout-test-results from ews101 for mac-yosemite (1.02 MB, application/zip)
2016-11-07 13:27 PST, Build Bot 		no flags
Details
Archive of layout-test-results from ews107 for mac-yosemite-wk2 (1.09 MB, application/zip)
2016-11-07 13:30 PST, Build Bot 		no flags
Details
[PATCH] For Landing (78.88 KB, patch)
2016-11-10 13:04 PST, Joseph Pecoraro 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Joseph Pecoraro
Comment 1 2016-11-05 09:08:43 PDT
Created attachment 293995 [details] [PATCH] Proposed Fix
Build Bot
Comment 2 2016-11-05 12:36:20 PDT
Comment on attachment 293995 [details] [PATCH] Proposed Fix Attachment 293995 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/2466668 New failing tests: fast/canvas/webgl/data-view-crash.html fast/canvas/webgl/array-unit-tests.html webgl/1.0.2/conformance/typedarrays/array-unit-tests.html fast/canvas/webgl/webgl-array-invalid-ranges.html fast/canvas/webgl/data-view-test.html
Build Bot
Comment 3 2016-11-05 12:36:22 PDT
Created attachment 294002 [details] Archive of layout-test-results from ews113 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews113 Port: mac-yosemite Platform: Mac OS X 10.10.5
Darin Adler
Comment 4 2016-11-05 16:49:13 PDT
Comment on attachment 293995 [details] [PATCH] Proposed Fix View in context: https://bugs.webkit.org/attachment.cgi?id=293995&action=review > Source/JavaScriptCore/runtime/JSCJSValueInlines.h:72 > + double d = toNumber(exec); > + > + if (d <= -1) { > + throwException(exec, scope, createRangeError(exec, makeString(errorName, " cannot be negative"))); > + return 0; > + } > + if (d > std::numeric_limits<unsigned>::max()) { > + throwException(exec, scope, createRangeError(exec, makeString(errorName, " too large"))); > + return 0; > + } > + > + if (isInt32()) > + return asInt32(); Since we are going to do the isInt32 check earlier, we should do that first; have a fast path for isInt32 before the path for other numbers. That does mean we will need an extra "cannot be negative" case, but the extra speed is possibly worth it. Might need a helper function to avoid repeating the throwException code, or not.
Build Bot
Comment 5 2016-11-07 13:27:17 PST
Comment on attachment 293995 [details] [PATCH] Proposed Fix Attachment 293995 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/2468903 New failing tests: fast/canvas/webgl/data-view-crash.html fast/canvas/webgl/array-unit-tests.html webgl/1.0.2/conformance/typedarrays/array-unit-tests.html fast/canvas/webgl/webgl-array-invalid-ranges.html fast/canvas/webgl/data-view-test.html
Build Bot
Comment 6 2016-11-07 13:27:20 PST
Created attachment 294078 [details] Archive of layout-test-results from ews101 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews101 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 7 2016-11-07 13:30:10 PST
Comment on attachment 293995 [details] [PATCH] Proposed Fix Attachment 293995 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/2468929 New failing tests: fast/canvas/webgl/data-view-crash.html fast/canvas/webgl/array-unit-tests.html webgl/1.0.2/conformance/typedarrays/array-unit-tests.html fast/canvas/webgl/webgl-array-invalid-ranges.html fast/canvas/webgl/data-view-test.html
Build Bot
Comment 8 2016-11-07 13:30:13 PST
Created attachment 294079 [details] Archive of layout-test-results from ews107 for mac-yosemite-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews107 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Joseph Pecoraro
Comment 9 2016-11-10 13:04:35 PST
Created attachment 294399 [details] [PATCH] For Landing
Joseph Pecoraro
Comment 10 2016-11-10 13:10:18 PST
Comment on attachment 293995 [details] [PATCH] Proposed Fix View in context: https://bugs.webkit.org/attachment.cgi?id=293995&action=review >> Source/JavaScriptCore/runtime/JSCJSValueInlines.h:72 >> + return asInt32(); > > Since we are going to do the isInt32 check earlier, we should do that first; have a fast path for isInt32 before the path for other numbers. That does mean we will need an extra "cannot be negative" case, but the extra speed is possibly worth it. Might need a helper function to avoid repeating the throwException code, or not. I actually expect to make toIndex return a double eventually and move the >unsigned::max() check out to callers in order to satisfy other test262 tests that expect too large values to be handled later (at allocation of array time, instead of number conversion time). So leaving this as is for now.
WebKit Commit Bot
Comment 11 2016-11-10 14:06:30 PST
Comment on attachment 294399 [details] [PATCH] For Landing Clearing flags on attachment: 294399 Committed r208564: <http://trac.webkit.org/changeset/208564>
Note You need to log in before you can comment on or make changes to this bug.