Closed Bug 1216621 Opened 10 years ago Closed 9 years ago

Missing receiver checks for [[Get]] and [[Set]] on typed array

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID
Tracking Flags:
Tracking Status
firefox44 --- affected

People

(Reporter: anba, Unassigned)

References

(Blocks 1 open bug)

Details

Test case for [[Get]]: --- Object.prototype[1] = "inherited"; assertEq(Reflect.get(new Int8Array([10]), 0), 10); assertEq(Reflect.get(new Int8Array([10]), 1), undefined); assertEq(Reflect.get(new Int8Array([10]), 0, {}), 10); assertEq(Reflect.get(new Int8Array([10]), 1, {}), "inherited"); --- Expected: No error thrown Actual: Error thrown 'Assertion failed: got (void 0), expected "inherited"' Test case for [[Set]]: --- Object.defineProperty(Object.prototype, 1, {set(v){ this.result = v }, configurable: true}); var obj = {}, ta = new Int8Array([10]); assertEq(Reflect.set(ta, 1, 20, obj), true); assertEq(obj.result, 20); --- Expected: No error thrown Actual: Error thrown 'Assertion failed: got (void 0), expected 20"' Spec: ES2015 9.4.5.4 [[Get]] and 9.4.5.5 [[Set]] check SameValue(O, Receiver) and only if that test passes all integer indexed accesses go directly to the typed array. A similar check is probably required in LookupOwnPropertyInline [1] (LookupOwnPropertyInline is called by NativeGetPropertyInline and NativeSetProperty)? [1] https://dxr.mozilla.org/mozilla-central/rev/9605da94e75d61598d3c00f01a12d1b6bc427a6c/js/src/vm/NativeObject-inl.h#450
https://github.com/tc39/ecma262/commit/a5af3a626160db63bda2cfd1e797269c3394e905
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.