Closed
Bug 1344656
Opened 8 years ago
Closed 8 years ago
TypedArray constructor creates ArrayBuffer with prototype from wrong global
Categories: Core :: JavaScript: Standard Library, enhancement
Tracking: RESOLVED FIXED, mozilla55
People: Reporter: anba, Assigned: anba
Attachments: 1 file, 1 obsolete file (patch, 10.08 KB, anba: review+)
Test case:
---
var otherGlobal = newGlobal();
var otherTA = otherGlobal.eval("new Int32Array(0)");
print(new Int32Array(otherTA).buffer.__proto__ === otherGlobal.ArrayBuffer.prototype);
print(new Int16Array(otherTA).buffer.__proto__ === otherGlobal.ArrayBuffer.prototype);
otherTA.buffer.constructor = undefined;
print(new Int32Array(otherTA).buffer.__proto__ === ArrayBuffer.prototype);
print(new Int16Array(otherTA).buffer.__proto__ === ArrayBuffer.prototype);
if (this.SharedArrayBuffer) {
    var otherTA = otherGlobal.eval("new Int32Array(new SharedArrayBuffer(0))");
    print(new Int32Array(otherTA).buffer.__proto__ === ArrayBuffer.prototype);
    print(new Int16Array(otherTA).buffer.__proto__ === ArrayBuffer.prototype);
    otherTA.buffer.constructor = undefined;
    print(new Int32Array(otherTA).buffer.__proto__ === ArrayBuffer.prototype);
    print(new Int16Array(otherTA).buffer.__proto__ === ArrayBuffer.prototype);
}
---
Expected: Prints "true" for every combination
Actual: Prints "false" for the last six calls
Comment 1 • 8 years ago (Assignee)
When calling the TypedArray constructor with a cross-compartment typed array, we need to stay in the current compartment when calling the self-hosted SpeciesConstructor function, otherwise we'd throw exceptions from the wrong global.
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Attachment #8845492 - Flags: review?(arai.unmht)
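Added example (not code from this bug or from SpiderMonkey): a Node.js model of how the buffer constructor is chosen in the cases the test case exercises, assuming the ES2017 wording of the TypedArray(typedArray) steps. `vm` contexts stand in for the shell's `newGlobal()`, and `isConstructor`, `bufferConstructorFor` and `demo` are names made up here.

```javascript
// Added illustration, not SpiderMonkey code. Runs under Node.js (CommonJS).
const vm = require("node:vm"); // vm contexts stand in for newGlobal()

// IsConstructor check: Reflect.construct throws if newTarget is not a constructor.
function isConstructor(value) {
  try { Reflect.construct(function () {}, [], value); return true; }
  catch (e) { return false; }
}

// SpeciesConstructor(O, defaultConstructor) from the ECMAScript spec.
function speciesConstructor(obj, defaultCtor) {
  const ctor = obj.constructor;
  if (ctor === undefined) return defaultCtor;
  if (ctor === null || (typeof ctor !== "object" && typeof ctor !== "function")) {
    throw new TypeError("constructor is not an object");
  }
  const species = ctor[Symbol.species];
  if (species === undefined || species === null) return defaultCtor;
  if (isConstructor(species)) return species;
  throw new TypeError("@@species is not a constructor");
}

// Which constructor allocates the new buffer for `new Int32Array(srcTypedArray)`.
// Shared buffers skip the species lookup and use the calling realm's ArrayBuffer.
function bufferConstructorFor(srcTypedArray, realmArrayBuffer) {
  const src = srcTypedArray.buffer;
  const tag = Object.prototype.toString.call(src);
  if (tag === "[object SharedArrayBuffer]") return realmArrayBuffer;
  return speciesConstructor(src, realmArrayBuffer);
}

function demo() {
  const ctx = vm.createContext({}); // constructed second realm
  const otherAB = vm.runInContext("ArrayBuffer", ctx);
  const otherTA = vm.runInContext("new Int32Array(0)", ctx);
  const out = {};
  out.foreign = bufferConstructorFor(otherTA, ArrayBuffer) === otherAB;
  otherTA.buffer.constructor = undefined;
  out.fallback = bufferConstructorFor(otherTA, ArrayBuffer) === ArrayBuffer;
  otherTA.buffer.constructor = 1; // not an object: the lookup must throw
  try { bufferConstructorFor(otherTA, ArrayBuffer); out.thrown = false; }
  catch (e) { out.thrown = e instanceof TypeError; }
  // The same error type created in the other realm is a different class.
  out.foreignError = vm.runInContext("new TypeError('x')", ctx) instanceof TypeError;
  const sharedTA = vm.runInContext("new Int32Array(new SharedArrayBuffer(0))", ctx);
  out.shared = bufferConstructorFor(sharedTA, ArrayBuffer) === ArrayBuffer;
  return out;
}
```

`demo()` returns `thrown: true` and `foreignError: false`: a TypeError raised while running in the other realm would not be an instance of the caller's `TypeError`, which is what makes the "wrong global" observable to script.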
Comment 2 • 8 years ago
Comment on attachment 8845492
bug1344656.patch
Review of attachment 8845492:
-----------------------------------------------------------------
great :)
::: js/src/vm/TypedArrayObject.cpp
@@ +1104,4 @@
> if (!isWrapped) {
> + // Avoid calling into self-hosted code if |obj|'s constructor is the
> + // built-in ArrayBuffer and the constructor's species property is the
> + // original ArrayBuffer[@@species] function.
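Review bot: the comment added under `if (!isWrapped)` names the two conditions for skipping self-hosted code (built-in ArrayBuffer constructor, original ArrayBuffer[@@species]) but does not say that the skipped path must yield the same constructor as the self-hosted lookup would. Suggest stating that equivalence in the comment, and making sure the tests cover both a replaced `constructor` and a replaced `@@species` so the non-fast path is exercised for same-compartment buffers as well.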
Can you clarify that it's for performance reasons?
Attachment #8845492 - Flags: review?(arai.unmht) → review+
Comment 3 • 8 years ago (Assignee)
Addressed review comments, carrying r+ from arai.
Attachment #8845492 - Attachment is obsolete: true
Attachment #8845806 - Flags: review+
Comment 4 • 8 years ago (Assignee)
Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=aac3cd66e81456a0784472ddabf18ca2a3373a1a
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/07e53fffedbb
Create ArrayBuffers with the correct prototype in TypedArray constructor with cross-realm TypedArray. r=arai
Keywords: checkin-needed
Comment 6 • 8 years ago [bugherder]
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55