RESOLVED FIXED 185127
Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
https://bugs.webkit.org/show_bug.cgi?id=185127
Arthur Lapprand
Reported 2018-04-29 20:55:07 PDT
Hi there,

There seems to be an inconsistency when slicing an ArrayBuffer with a long number.

Tag: 606.1.9.4
OS: Ubuntu 16.04 x86_64

Steps to reproduce the problem:

    var a = new ArrayBuffer(5);
    var b = a.slice(3, 4294967297);
    if (b.byteLength !== 0) throw new Error("Test failed");

Expected results:
Error: Test failed

Actual results:
Pass without failures

The end result is that the test should fail, as the slice for range (3, 4294967297) should return the value 2. In JavaScriptCore it returns zero, making the test pass. Other JavaScript engines such as V8, SpiderMonkey and Chakra failed the test as expected.
Attachments
Patch (11.72 KB, patch)
2018-08-10 15:05 PDT, Keith Miller
saam: review+
isol2
Comment 1 2018-08-08 08:38:58 PDT
cinfuzz
Keith Miller
Comment 2 2018-08-10 15:05:57 PDT
Saam Barati
Comment 3 2018-08-10 15:16:11 PDT
Comment on attachment 346933 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=346933&action=review

> Source/JavaScriptCore/runtime/ArrayBuffer.cpp:284
> + index = currentLength + index;

What if the magnitude of index is > currentLength?

> JSTests/test262/expectations.yaml:711
> +test/built-ins/ArrayBuffer/prototype/slice/species-constructor-is-not-object.js:

How am I supposed to be reading this? Are these all new failures?
Keith Miller
Comment 4 2018-08-10 15:20:25 PDT
Comment on attachment 346933 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=346933&action=review

>> Source/JavaScriptCore/runtime/ArrayBuffer.cpp:284
>> + index = currentLength + index;
>
> What if the magnitude of index is > currentLength?

It will get clamped to zero in clampValue.

>> JSTests/test262/expectations.yaml:711
>> +test/built-ins/ArrayBuffer/prototype/slice/species-constructor-is-not-object.js:
>
> How am I supposed to be reading this? Are these all new failures?

Yeah, because we would throw a type error about not enough arguments. Which isn't really the right error. Since I removed that code we no longer throw an error since we don't do the species stuff.
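The index handling the reporter's test exercises and the clamp-to-zero behaviour discussed in the review above, as an added example that is not WebKit's code: a spec-style model of ArrayBuffer.prototype.slice's index normalisation, checked against the running engine on constructed cases. The function names and the case list are my own.

```javascript
// Added example (not WebKit code): a spec-style model of the index
// normalisation ArrayBuffer.prototype.slice performs (ToIntegerOrInfinity,
// negative-from-end, clamp to [0, length]), run beside the engine's own
// slice so an engine that narrows the index to 32 bits shows up as a mismatch.

// Spec-style ToIntegerOrInfinity: NaN -> 0, keep +/-Infinity, truncate toward zero.
function toIntegerOrInfinity(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// Resolve one relative index against `length` with no 32-bit narrowing.
// Negative counts from the end; a magnitude beyond `length` clamps to 0
// (the case raised in the review above); a value beyond `length` clamps to length.
function clampIndex(relative, length) {
  if (relative < 0) return Math.max(length + relative, 0);
  return Math.min(relative, length);
}

// Expected byteLength of buffer.slice(start, end) for a buffer of `length` bytes;
// `end === undefined` means "to the end", as in the spec.
function expectedSliceLength(length, start, end) {
  const first = clampIndex(toIntegerOrInfinity(start), length);
  const last = end === undefined ? length : clampIndex(toIntegerOrInfinity(end), length);
  return Math.max(last - first, 0);
}

// Compare the running engine with the model over constructed cases, including the
// report's 2^32+1 end index. Returns the mismatches (an empty list means consistent).
function checkEngine() {
  const cases = [
    [5, 3, 4294967297], // the report: expected 2, JSC returned 0
    [5, 3, 4294967296], // exactly 2^32: a uint32 truncation would turn end into 0
    [5, -9, 4],         // |start| > length: start clamps to 0 -> 4 bytes
    [5, 1, -1],         // negative end: 5 + -1 = 4 -> 3 bytes
    [5, 4, 2],          // end before start -> 0 bytes, never negative
    [5, 1, undefined],  // no end argument -> slice to the end
  ];
  const mismatches = [];
  for (const [len, start, end] of cases) {
    const actual = new ArrayBuffer(len).slice(start, end).byteLength;
    const expected = expectedSliceLength(len, start, end);
    if (actual !== expected) mismatches.push({ len, start, end, actual, expected });
  }
  return mismatches;
}
```

Running checkEngine() on an engine that truncates slice indices to 32 bits reports the first two cases as mismatches; a spec-compliant engine returns an empty list.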
Keith Miller
Comment 5 2018-08-10 16:31:57 PDT
Radar WebKit Bug Importer
Comment 6 2018-08-10 16:33:26 PDT