RESOLVED FIXED 212730
TypedArray.prototype.set is incorrect with primitives
https://bugs.webkit.org/show_bug.cgi?id=212730
NWU_NISL
Reported 2020-06-03 23:01:03 PDT
#version: dbae081 https://github.com/WebKit/webkit/tree/dbae081ad7e22d9ab61edf2f337f6c2bb593c7f8

#Testcase:
var NISLFuzzingFunc = function(){
    var e = '123';
    A = new Uint8Array(5);
    A.set(e);
    print(A);
};
NISLFuzzingFunc();

#Command:
./webkit/WebKitBuild/Release/bin/jsc testcase.js

#Output:
Exception: TypeError: First argument should be an object

#Expected output:
1,2,3,0,0

#Description:
According to the ES2019 standard, the steps of `%TypedArray%.prototype.set` are as follows.

> 22.2.3.23.1 %TypedArray%.prototype.set ( array [ , offset ] )
>
> 1. Assert: array is any ECMAScript language value other than an Object with a [[TypedArrayName]] internal slot. If it is such an Object, the definition in 22.2.3.23.2 applies.
>
> ...
>
> 15. Let src be ? ToObject(array).

In this testcase, `ToObject(e)` should not throw a TypeError. So I suspect it is a bug in JavaScriptCore.

#Reference:
http://ecma-international.org/ecma-262/10.0/#sec-%typedarray%.prototype.set-array-offset

#Additional info:
Contributor: QuXing
Attachments
Patch (3.96 KB, patch)
2020-06-17 15:38 PDT, Alexey Shvayka
no flags
Patch (11.52 KB, patch)
2020-06-18 04:02 PDT, Alexey Shvayka
no flags
Radar WebKit Bug Importer
Comment 1 2020-06-07 14:04:29 PDT
Alexey Shvayka
Comment 2 2020-06-08 08:40:55 PDT
In genericTypedArrayViewProtoFuncSet(), JSC casts an argument to JSObject* instead of performing toObject(). SpiderMonkey gets this right, while V8 handles all primitives per spec except for numbers. I will submit a patch as soon as test262 coverage (https://github.com/tc39/test262/pull/2651) is merged & synced.
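The ToObject step discussed above, as an added example that is not part of the bug thread or of WebKit's code: a model of ES2019 22.2.3.23.1 for a non-TypedArray source, run side by side with the engine's own `set()` over constructed primitive inputs. The names `specSet`, `outcome` and `compareWithEngine` are hypothetical, and the model assumes a non-BigInt target.

```javascript
// Added example, not WebKit code. specSet (hypothetical name) models ES2019
// 22.2.3.23.1 for a source that is not a TypedArray; non-BigInt targets only.
function specSet(target, source, offset = 0) {
  const targetOffset = Math.trunc(Number(offset)) || 0; // ToInteger(offset)
  if (targetOffset < 0) throw new RangeError("offset must be >= 0");
  // Step 15: ToObject(array). Only undefined and null throw a TypeError;
  // strings, numbers, booleans and symbols are wrapped, never rejected.
  if (source === undefined || source === null) {
    throw new TypeError("cannot convert undefined or null to object");
  }
  const src = Object(source);
  // ToLength(Get(src, "length")): wrappers without "length" yield 0.
  const len = Math.max(Math.trunc(Number(src.length)) || 0, 0);
  if (len + targetOffset > target.length) {
    throw new RangeError("source is too large");
  }
  for (let k = 0; k < len; k++) {
    target[targetOffset + k] = Number(src[k]); // ToNumber, then element store
  }
  return target;
}

// Run one implementation on a fresh 5-element target and return either the
// resulting elements or the name of the error it threw.
function outcome(setFn, value) {
  const target = new Uint8Array(5);
  try {
    setFn(target, value);
    return Array.from(target).join(",");
  } catch (e) {
    return e.name;
  }
}

// Compare the engine's set() with the model over constructed primitive inputs.
function compareWithEngine() {
  const native = (t, v) => t.set(v);
  const inputs = ["123", "1x3", 42, true, Symbol("s"), null, undefined];
  return inputs.map((v) => ({
    input: String(v),
    spec: outcome(specSet, v),
    engine: outcome(native, v),
  }));
}

console.log(compareWithEngine());
```

Any row where `spec` and `engine` differ marks a conformance gap of the kind this bug reports.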
Alexey Shvayka
Comment 3 2020-06-08 08:41:43 PDT
*** Bug 188877 has been marked as a duplicate of this bug. ***
Alexey Shvayka
Comment 4 2020-06-17 15:38:39 PDT
Yusuke Suzuki
Comment 5 2020-06-17 15:45:06 PDT
Comment on attachment 402161
Patch

r=me
Alexey Shvayka
Comment 6 2020-06-18 04:02:24 PDT
Created attachment 402198
Patch

Adjust WebGL tests.
EWS
Comment 7 2020-06-18 10:10:35 PDT
Committed r263216: <https://trac.webkit.org/changeset/263216>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 402198.