#version: dbae081 https://github.com/WebKit/webkit/tree/dbae081ad7e22d9ab61edf2f337f6c2bb593c7f8 #Testcase: var NISLFuzzingFunc = function(){ var e = '123'; A = new Uint8Array(5); A.set(e); print(A); }; NISLFuzzingFunc(); #Command: ./webkit/WebKitBuild/Release/bin/jsc testcase.js #Output: Exception: TypeError: First argument should be an object #Expected output: 1,2,3,0,0 #Description: According to ES2019 standard, the steps of `%TypedArray%.prototype.set` are as follows. > 22.2.3.23.1 %TypedArray%.prototype.set ( array [ , offset ] ) > > 1. Assert: array is any ECMAScript language value other than an Object with a [[TypedArrayName]] internal slot. If it is such an Object, the definition in 22.2.3.23.2 applies. > > ... > > 15. Let src be ? ToObject(array). In this testcase, `ToObject(e)` should not throw a TypeError. So I suspect it is a bug of javascriptcore. #Reference: http://ecma-international.org/ecma-262/10.0/#sec-%typedarray%.prototype.set-array-offset #Additional info: Contributor: QuXing
<rdar://problem/64095236>
In genericTypedArrayViewProtoFuncSet(), JSC casts an argument to JSObject* instead of performing toObject(). SpiderMonkey gets this right, while V8 handles all primitives per spec except for numbers. I will submit a patch as soon as test262 coverage (https://github.com/tc39/test262/pull/2651) is merged & synced.
*** Bug 188877 has been marked as a duplicate of this bug. ***
Created attachment 402161 [details] Patch
Comment on attachment 402161 [details] Patch r=me
Created attachment 402198 [details] Patch Adjust WebGL tests.
Committed r263216: <https://trac.webkit.org/changeset/263216> All reviewed patches have been landed. Closing bug and clearing flags on attachment 402198 [details].