All users were logged out of Bugzilla on October 13th, 2018

Detachment check in TypedArray.prototype.sort doesn't work for typed arrays with inline storage or cross-compartment

RESOLVED FIXED in Firefox 52

Status

()

RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: anba, Assigned: anba)

Tracking

(Blocks: 1 bug)

Trunk
mozilla52
Points:
---

Firefox Tracking Flags

(firefox50 affected, firefox52 fixed)

Details

Attachments

(1 attachment)

(Assignee)

Description

2 years ago
Test case 1:
---
var detached = false;
var ta = new Int32Array(3);
ta.sort(function(a,b) {
    print("COMPARE");
    if (!detached) {
        detached = true;
        detachArrayBuffer(ta.buffer, "same-data");
    }
    return a - b;
});
---

Expected: Throws TypeError
Actual: No TypeError

Note: See comment in SetFromNonTypedArray (builtin/TypedArray.js) about inline storage.



Test case 2:
---
var ta = new Int32Array(30);

newGlobal().Int32Array.prototype.sort.call(ta, function(a,b) {
    print("COMPARE");
    return a - b;
});
---

Expected: No TypeError
Actual: Throws TypeError

Note: The detachment check uses the wrong `this` when calling CallTypedArrayMethodIfWrapped for "IsDetachedBuffer".
(Assignee)

Updated

2 years ago
Blocks: 1291005
(Assignee)

Comment 1

2 years ago
Created attachment 8802260 [details] [diff] [review]
bug1289392.patch
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Attachment #8802260 - Flags: review?(evilpies)
Comment on attachment 8802260 [details] [diff] [review]
bug1289392.patch

Review of attachment 8802260 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me, thank you for fixing this.
Attachment #8802260 - Flags: review?(evilpies) → review+
(Assignee)

Updated

2 years ago
Keywords: checkin-needed

Comment 4

2 years ago
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/75faf4827dcf
Check for detached ArrayBuffers with inline or cross-compartment in TypedArray.prototype.sort. r=evilpie
Keywords: checkin-needed

Comment 5

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/75faf4827dcf
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in before you can comment on or make changes to this bug.