%ArrayIteratorPrototype%.next must check for detached buffers
Created attachment 409513 [details] Patch
Comment on attachment 409513 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=409513&action=review > Source/JavaScriptCore/builtins/ArrayIteratorPrototype.js:37 > + if (@isTypedArrayView(array) && @isNeutered(array)) > + @throwTypeError("Underlying ArrayBuffer has been detached from the view"); > + JSC has fast path for array iteration in all tiers. Can you check whether this is correctly handled in this iteration protocol? For example, DFG has inlined DFG codes for this next function in DFGByteCodeParser.
Created attachment 409521 [details] Patch
(In reply to Yusuke Suzuki from comment #2) > Comment on attachment 409513 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=409513&action=review > > > Source/JavaScriptCore/builtins/ArrayIteratorPrototype.js:37 > > + if (@isTypedArrayView(array) && @isNeutered(array)) > > + @throwTypeError("Underlying ArrayBuffer has been detached from the view"); > > + > > JSC has fast path for array iteration in all tiers. Can you check whether > this is correctly handled in this iteration protocol? > For example, DFG has inlined DFG codes for this next function in > DFGByteCodeParser. Seems like this isn't an issue after all, but I've added a test to demonstrate / ensure it.
Committed r267519: <https://trac.webkit.org/changeset/267519> All reviewed patches have been landed. Closing bug and clearing flags on attachment 409521 [details].
<rdar://problem/69482891>