Closed
Bug 1216621
Opened 9 years ago
Closed 8 years ago
Missing receiver checks for [[Get]] and [[Set]] on typed array
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
INVALID
| Tracking | Status | |
|---|---|---|
| firefox44 | --- | affected |
People
(Reporter: anba, Unassigned)
References
(Blocks 1 open bug)
Details
Test case for [[Get]]:
---
Object.prototype[1] = "inherited";
assertEq(Reflect.get(new Int8Array([10]), 0), 10);
assertEq(Reflect.get(new Int8Array([10]), 1), undefined);
assertEq(Reflect.get(new Int8Array([10]), 0, {}), 10);
assertEq(Reflect.get(new Int8Array([10]), 1, {}), "inherited");
---
Expected: No error thrown
Actual: Error thrown 'Assertion failed: got (void 0), expected "inherited"'
Test case for [[Set]]:
---
Object.defineProperty(Object.prototype, 1, {set(v){ this.result = v }, configurable: true});
var obj = {}, ta = new Int8Array([10]);
assertEq(Reflect.set(ta, 1, 20, obj), true);
assertEq(obj.result, 20);
---
Expected: No error thrown
Actual: Error thrown 'Assertion failed: got (void 0), expected 20"'
Spec:
ES2015 9.4.5.4 [[Get]] and 9.4.5.5 [[Set]] check SameValue(O, Receiver) and only if that test passes all integer indexed accesses go directly to the typed array. A similar check is probably required in LookupOwnPropertyInline [1] (LookupOwnPropertyInline is called by NativeGetPropertyInline and NativeSetProperty)?
[1] https://dxr.mozilla.org/mozilla-central/rev/9605da94e75d61598d3c00f01a12d1b6bc427a6c/js/src/vm/NativeObject-inl.h#450
|
||
Comment 1•8 years ago
|
||
https://github.com/tc39/ecma262/commit/a5af3a626160db63bda2cfd1e797269c3394e905
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•