RESOLVED FIXED 57042
Float32Array(ArrayBuffer, index, length) constructor working incorrectly.
https://bugs.webkit.org/show_bug.cgi?id=57042
Summary Float32Array(ArrayBuffer, index, length) constructor working incorrectly.
danceoffwithyourpantsoff
Reported 2011-03-24 12:17:32 PDT
new Float32Array(new ArrayBuffer(10), 0, 2)
RangeError: ArrayBuffer length minus the byteOffset is not a multiple of the element size.

Unless I am misunderstanding the spec, a Float32Array of length 2 should be 8 bytes, enough to fit, and everything should be aligned.
Attachments
Patch (8.63 KB, patch)
2011-07-26 17:27 PDT, Kenneth Russell
jamesr: review+
Kenneth Russell
Comment 1 2011-07-26 17:27:24 PDT
James Robinson
Comment 2 2011-07-26 17:38:27 PDT
Comment on attachment 102080 Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=102080&action=review

I think this is good, just have one question about signed-ness.

> Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h:65
> + length = (buf->byteLength() - offset) / sizeof(ElementType);

What if offset is bigger than byteLength()?
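Review bot: line 65 of V8ArrayBufferViewCustom.h subtracts offset from buf->byteLength() with no guard visible in the quoted hunk. If both operands are unsigned, an offset larger than byteLength() wraps to a very large value before the division, so length would look plausible instead of obviously invalid. Suggest checking offset <= buf->byteLength() ahead of this line, or adding a comment naming the later check that rejects the case. The integer division also rounds down silently when the difference is not a multiple of sizeof(ElementType), which is worth an explicit check or a test.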
Kenneth Russell
Comment 3 2011-07-26 17:49:52 PDT
(In reply to comment #2)
> (From update of attachment 102080)
> View in context: https://bugs.webkit.org/attachment.cgi?id=102080&action=review
>
> I think this is good, just have one question about signed-ness.
>
> > Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h:65
> > + length = (buf->byteLength() - offset) / sizeof(ElementType);
>
> What if offset is bigger than byteLength()?

This will be caught by other checks in the C++ code. I'll expand the test case to explicitly check this.
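The range checks that the report and the review question turn on, written out as an added example (not code from the patch or from WebKit). `viewLength` and `compare` are hypothetical helpers; the rules are the typed array constructor checks as current JavaScript engines apply them, and `compare` cross-checks the helper against the engine's own `Float32Array`.

```javascript
// Added example: the (buffer, byteOffset, length) checks for a typed array view.
// viewLength() is a hypothetical helper, not WebKit code.
function viewLength(byteLength, byteOffset, length, elementSize) {
  if (byteOffset % elementSize !== 0) {
    throw new RangeError("byteOffset is not a multiple of the element size");
  }
  // Guard before subtracting: with unsigned C++ integers the difference would wrap.
  if (byteOffset > byteLength) {
    throw new RangeError("byteOffset is past the end of the buffer");
  }
  const remaining = byteLength - byteOffset;
  if (length === undefined) {
    // Only the implicit-length form needs the tail to divide evenly.
    if (remaining % elementSize !== 0) {
      throw new RangeError("remaining bytes are not a multiple of the element size");
    }
    return remaining / elementSize;
  }
  // Explicit length only has to fit; compare in elements so the check
  // ports to fixed-width integers without a multiplication overflow.
  if (length > Math.floor(remaining / elementSize)) {
    throw new RangeError("length does not fit in the buffer");
  }
  return length;
}

// Run the helper and the engine's constructor on the same arguments and
// report either the resulting element count or the name of the error thrown.
function compare(byteLength, byteOffset, length) {
  const run = (fn) => { try { return fn(); } catch (e) { return e.name; } };
  const size = Float32Array.BYTES_PER_ELEMENT;
  const expected = run(() => viewLength(byteLength, byteOffset, length, size));
  const actual = run(
    () => new Float32Array(new ArrayBuffer(byteLength), byteOffset, length).length
  );
  return { expected, actual };
}

// Constructed cases: [byteLength, byteOffset, length]; the first is from the report.
const CASES = [
  [10, 0, 2], [10, 0, undefined], [8, 12, undefined], [8, 12, 1],
  [10, 2, 1], [10, 4, 2], [8, 8, undefined],
];
for (const c of CASES) console.log(c, compare(...c));
```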
Kenneth Russell
Comment 4 2011-07-26 17:53:40 PDT