Closed
Bug 1079853
Opened 11 years ago
Closed 5 years ago
Throw on indexing into detached ArrayBuffers instead of returning `undefined`
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
INVALID
People
(Reporter: till, Unassigned)
References
(Blocks 1 open bug, )
Details
Attachments
(2 files)
|
1.22 KB,
patch
|
Details | Diff | Splinter Review | |
|
11.69 KB,
patch
|
Details | Diff | Splinter Review |
Section 9.4.5.8, step 5 now specifies that indexing should throw instead of failing silently on detached buffers.
I have my doubts regarding the web compatibility of this change. Ideally we should get telemetry data on this first.
Updated•10 years ago
|
Assignee: nobody → winter2718
Updated•9 years ago
|
Blocks: es6typedarray
Comment 1•8 years ago
|
||
Edge actually throws for at least [[Get]], [[Set]] and [[DefineProperty] on detached arrays. So it seems like this is something we could actually implement.
Updated•8 years ago
|
Assignee: nobody → evilpies
Updated•8 years ago
|
Updated•8 years ago
|
See Also: → https://github.com/tc39/ecma262/issues/678
Comment 2•8 years ago
|
||
So, this was basically my first idea, throwing for typed arrays lookups in LookupOwnPropertyInline. I think this would basically work, but is so far from how the spec works, so I am not sure if this will always be correct. I feel like it would be better to do this more explicitly. André what do you think?
In IonMonkey LoadTypedArrayElementHole and StoreTypedArrayElementHole need code on the OOB to fail when the array is detached.
In CacheIR at least StoreTypedElement, LoadTypedElementExistsResult.
Attachment #8989041 -
Flags: feedback?(andrebargull)
Updated•8 years ago
|
Attachment #8989041 -
Attachment is patch: true
Comment 3•7 years ago
|
||
This patch would violate the execution order defined in the spec, so we need to instead manually patch all the different operations.
Updated•7 years ago
|
Attachment #8989041 -
Flags: feedback?(andrebargull)
Comment 4•7 years ago
|
||
This is a new approach. I added special handling for typed arrays to Get, Set, Has, GetOwnPropertyDescriptor and disallowed typed array indexes in LookupOwnPropertyInline.
While this handles probably handles like 90% of the code, there is _a lot_ of code that ends up calling LookupOwnPropertyInline. For example direct callers of NativeLookupOwnProperty, like HasOwnProperty.
I am really not sure what the best way forward is here.
Updated•7 years ago
|
Attachment #8997606 -
Flags: feedback?(jorendorff)
Attachment #8997606 -
Flags: feedback?(andrebargull)
Comment 5•7 years ago
|
||
Comment on attachment 8997606 [details] [diff] [review]
Patch v2
Afte
Attachment #8997606 -
Flags: feedback?(jorendorff)
Attachment #8997606 -
Flags: feedback?(andrebargull)
Comment 6•7 years ago
|
||
After sleeping on this for a bit I realized we should actually be okay with throwing for detached buffers in LookupOwnProperty descriptor! Only [[Set]] and [[DefineOwnProperty]] don't check for IsDetachedBuffer in their first observable step. So in theory it should be ok to keep the custom implementation for those two and remove all the other ones and just start throwing.
Comment 7•7 years ago
|
||
I think I found another interesting difference between our implementation and the spec: Because we set [[ArrayLength]] to zero, stuff like Reflect.ownKeys() will return an empty array, but from my understanding the Spec wants those to still be returned.
Comment 8•7 years ago
|
||
Correct.
There are actually bad people who know and abuse this difference (bug 1381474, bug 1381469). :-) *goes away whistling*
Comment 9•7 years ago
|
||
Realistically I am not going to fix this soon, especially the zero length makes me extremely anxious about introducing security issues.
Comment 10•7 years ago
|
||
Note that fixing this also requires updating all IDL APIs that take a buffer or a view. Currently a detached buffer means that there's nothing to read (empty sequence) or write (no place), but with this those places would need to start throwing. WebSocket's send(), fetch(), XMLHttpRequest, WebGL, TextEncoder's decodeInto(), Web Audio, etc.
Talking with Henri it's pretty clear most of our code is not robust against this and doesn't see the need to throw when passed a view or buffer (no [Throws] annotation in IDL and no relevant code to handle this issue).
Updated•7 years ago
|
Assignee: evilpies → nobody
Comment 11•5 years ago
|
||
Seems like the spec was changed to allow this and bug 1672862 implemented most of the required related changes.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•