Closed Bug 1291003 Opened 3 years ago Closed 3 years ago

%TypedArray%.prototype.subarray: Move TypedArrayByteOffset before ToInteger

Categories: Core :: JavaScript: Standard Library, defect

Status: RESOLVED FIXED (mozilla52)

Tracking Status:
firefox51 --- affected
firefox52 --- fixed

People: Reporter: anba, Assigned: anba

Attachments: 1 file

Test case:
---
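// 1-byte view at byteOffset 1 of a 2-byte buffer.
ta = new Int8Array(new ArrayBuffer(2), 1, 1);
ta.constructor = {
    [Symbol.species]: function(ab, offset, length) {
        // Report the byteOffset that subarray passes to the species constructor.
        print("offset", offset);
        return new Int8Array(1);
    }
};

ta.subarray({
  valueOf() {
    // Runs during ToInteger(begin); detachArrayBuffer is a SpiderMonkey shell testing function.
    detachArrayBuffer(ta.buffer, "same-data");
    return 0;
  }
});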
---

Expected: Prints "offset 1"
Actual: Prints "offset 0"

It's probably easier to move the TypedArrayByteOffset [1] call before the ToInteger [2] calls, compared to not zeroing [[ByteOffset]] when detaching the array buffer.

[1] http://hg.mozilla.org/mozilla-central/file/ffac2798999c/js/src/builtin/TypedArray.js#l1140
[2] https://dxr.mozilla.org/mozilla-central/source/js/src/builtin/TypedArray.js#1124
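
A model of the ordering problem reported above, as an added example that is not SpiderMonkey code and not part of the bug: `makeView`, `subarrayOffset` and `runTestCase` are hypothetical names, and the view is a plain object whose `detach` zeroes `byteOffset` as the report describes.

```javascript
// Constructed model of a typed-array view. Assumption taken from the report:
// detaching the buffer zeroes the view's byteOffset.
function makeView(byteOffset, length) {
  const view = { byteOffset, length, elementSize: 1, buffer: { detached: false } };
  view.detach = () => { view.buffer.detached = true; view.byteOffset = 0; };
  return view;
}

// ToInteger: converting an object to a number can run user code via valueOf.
function toInteger(value) {
  const n = Number(value);
  return Number.isNaN(n) ? 0 : Math.trunc(n);
}

// Clamp a relative index into [0, len]; negative values count from the end.
function clampIndex(rel, len) {
  return rel < 0 ? Math.max(len + rel, 0) : Math.min(rel, len);
}

// Computes the (offset, length) arguments subarray hands to the species
// constructor. readOffsetFirst selects the order: true reads byteOffset
// before any ToInteger call, false reads it afterwards.
function subarrayOffset(view, begin, end, readOffsetFirst) {
  const srcLength = view.length;
  let srcByteOffset;
  if (readOffsetFirst) srcByteOffset = view.byteOffset;
  const beginIndex = clampIndex(toInteger(begin), srcLength);
  const endIndex = clampIndex(end === undefined ? srcLength : toInteger(end), srcLength);
  if (!readOffsetFirst) srcByteOffset = view.byteOffset;
  return {
    offset: srcByteOffset + beginIndex * view.elementSize,
    length: Math.max(endIndex - beginIndex, 0),
  };
}

// The test case from the report, run against the model: a 1-element view at
// byteOffset 1 whose buffer is detached while `begin` is being converted.
function runTestCase(readOffsetFirst) {
  const ta = makeView(1, 1);
  const begin = { valueOf() { ta.detach(); return 0; } };
  return subarrayOffset(ta, begin, undefined, readOffsetFirst).offset;
}

console.log("offset read after ToInteger:", runTestCase(false));
console.log("offset read before ToInteger:", runTestCase(true));
```
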
Attached patch bug1291003.patch
Just a silly spec compliance edge case. :-)
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Attachment #8806022 - Flags: review?(evilpies)
Comment on attachment 8806022
bug1291003.patch

Review of attachment 8806022:
-----------------------------------------------------------------

Ooookay
Attachment #8806022 - Flags: review?(evilpies) → review+
Keywords: checkin-needed
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d3041026a921
Compute byteOffset before calling ToInteger in %TypedArray%.prototype.subarray. r=evilpie
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/d3041026a921
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52