Closed Bug 1289392 Opened 6 years ago Closed 6 years ago

Detachment check in TypedArray.prototype.sort doesn't work for typed arrays with inline storage or cross-compartment

Categories

(Core :: JavaScript: Standard Library, defect)

defect
Not set
normal

RESOLVED FIXED
mozilla52
Tracking Status
firefox50 --- affected
firefox52 --- fixed

People

(Reporter: anba, Assigned: anba)

Attachments

(1 file)

Test case 1:
---
var detached = false;
var ta = new Int32Array(3);
ta.sort(function(a,b) {
    print("COMPARE");
    if (!detached) {
        detached = true;
        detachArrayBuffer(ta.buffer, "same-data");
    }
    return a - b;
});
---

Expected: Throws TypeError
Actual: No TypeError

Note: See comment in SetFromNonTypedArray (builtin/TypedArray.js) about inline storage.



Test case 2:
---
var ta = new Int32Array(30);

newGlobal().Int32Array.prototype.sort.call(ta, function(a,b) {
    print("COMPARE");
    return a - b;
});
---

Expected: No TypeError
Actual: Throws TypeError

Note: The detachment check uses the wrong `this` when calling CallTypedArrayMethodIfWrapped for "IsDetachedBuffer".
Blocks: 1291005
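
The rule that test case 1 exercises (re-check the buffer after every comparator call, because the callback is arbitrary script) as a userland model; this is an added example, not code from the bug report or from SpiderMonkey. `detach`, `viewIsDetached`, `checkedSort` and the two runner functions are hypothetical names, and the code assumes a runtime with `structuredClone` (for example Node 18 or later) in place of the shell-only `detachArrayBuffer`.

```javascript
// Transferring an ArrayBuffer leaves the original detached (assumed portable
// stand-in for the JS shell's detachArrayBuffer).
function detach(buffer) {
  structuredClone(buffer, { transfer: [buffer] });
}

// A fixed-length view over a detached buffer reports length 0.
function viewIsDetached(ta, originalLength) {
  return originalLength > 0 && ta.length === 0;
}

// Insertion sort that re-validates the view after every comparator call,
// before touching the elements again.
function checkedSort(ta, compare) {
  const n = ta.length;
  for (let i = 1; i < n; i++) {
    for (let j = i; j > 0; j--) {
      const a = ta[j - 1], b = ta[j];
      const order = compare(a, b);
      if (viewIsDetached(ta, n)) {
        throw new TypeError("buffer detached during sort");
      }
      if (order <= 0) break;
      ta[j - 1] = b;
      ta[j] = a;
    }
  }
  return ta;
}

// Same shape as test case 1, on constructed sample data.
function runTestCase1() {
  let detached = false, compares = 0;
  const ta = new Int32Array([3, 1, 2]);
  try {
    checkedSort(ta, (a, b) => {
      compares++;
      if (!detached) { detached = true; detach(ta.buffer); }
      return a - b;
    });
    return { threw: false, compares };
  } catch (e) {
    return { threw: e instanceof TypeError, compares };
  }
}

// Control: a comparator that never detaches sorts normally.
function runNoDetach() {
  return Array.from(checkedSort(new Int32Array([3, 1, 2]), (a, b) => a - b));
}
```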
Attached patch bug1289392.patch
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Attachment #8802260 - Flags: review?(evilpies)
Comment on attachment 8802260
bug1289392.patch

Review of attachment 8802260:
-----------------------------------------------------------------

Looks good to me, thank you for fixing this.
Attachment #8802260 - Flags: review?(evilpies) → review+
Keywords: checkin-needed
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/75faf4827dcf
Check for detached ArrayBuffers with inline or cross-compartment in TypedArray.prototype.sort. r=evilpie
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/75faf4827dcf
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52