RESOLVED FIXED 216904
%ArrayIteratorPrototype%.next must check for detached buffers 
https://bugs.webkit.org/show_bug.cgi?id=216904
Summary %ArrayIteratorPrototype%.next must check for detached buffers
Ross Kirsling
Reported 2020-09-23 16:00:46 PDT
%ArrayIteratorPrototype%.next must check for detached buffers
Attachments
Patch (8.34 KB, patch)
2020-09-23 16:05 PDT, Ross Kirsling 		no flags
DetailsFormatted DiffDiff
Patch (8.93 KB, patch)
2020-09-23 18:47 PDT, Ross Kirsling 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Ross Kirsling
Comment 1 2020-09-23 16:05:30 PDT
Created attachment 409513 [details] Patch
Yusuke Suzuki
Comment 2 2020-09-23 16:31:55 PDT
Comment on attachment 409513 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=409513&action=review > Source/JavaScriptCore/builtins/ArrayIteratorPrototype.js:37 > + if (@isTypedArrayView(array) && @isNeutered(array)) > + @throwTypeError("Underlying ArrayBuffer has been detached from the view"); > + JSC has fast path for array iteration in all tiers. Can you check whether this is correctly handled in this iteration protocol? For example, DFG has inlined DFG codes for this next function in DFGByteCodeParser.
Ross Kirsling
Comment 3 2020-09-23 18:47:04 PDT
Created attachment 409521 [details] Patch
Ross Kirsling
Comment 4 2020-09-23 18:48:12 PDT
(In reply to Yusuke Suzuki from comment #2) > Comment on attachment 409513 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=409513&action=review > > > Source/JavaScriptCore/builtins/ArrayIteratorPrototype.js:37 > > + if (@isTypedArrayView(array) && @isNeutered(array)) > > + @throwTypeError("Underlying ArrayBuffer has been detached from the view"); > > + > > JSC has fast path for array iteration in all tiers. Can you check whether > this is correctly handled in this iteration protocol? > For example, DFG has inlined DFG codes for this next function in > DFGByteCodeParser. Seems like this isn't an issue after all, but I've added a test to demonstrate / ensure it.
EWS
Comment 5 2020-09-23 23:15:40 PDT
Committed r267519: <https://trac.webkit.org/changeset/267519> All reviewed patches have been landed. Closing bug and clearing flags on attachment 409521 [details].
Radar WebKit Bug Importer
Comment 6 2020-09-23 23:16:19 PDT
<rdar://problem/69482891>
Note You need to log in before you can comment on or make changes to this bug.