Closed Bug 1344656 Opened 8 years ago Closed 8 years ago

TypedArray constructor creates ArrayBuffer with prototype from wrong global

Categories: Core :: JavaScript: Standard Library
Type: enhancement
Priority: Not set
Severity: normal

Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla55
Tracking Status:
firefox54 --- wontfix
firefox55 --- fixed

People

(Reporter: anba, Assigned: anba)

Details

Attachments

(1 file, 1 obsolete file)

Test case:
---
// newGlobal() and print() are SpiderMonkey shell builtins; the typed array is
// created in a second global (realm) and then passed to this realm's constructors.
var otherGlobal = newGlobal();
var otherTA = otherGlobal.eval("new Int32Array(0)");
print(new Int32Array(otherTA).buffer.__proto__ === otherGlobal.ArrayBuffer.prototype);
print(new Int16Array(otherTA).buffer.__proto__ === otherGlobal.ArrayBuffer.prototype);

// With the source buffer's constructor removed, SpeciesConstructor must fall back
// to the current realm's %ArrayBuffer%.
otherTA.buffer.constructor = undefined;
print(new Int32Array(otherTA).buffer.__proto__ === ArrayBuffer.prototype);
print(new Int16Array(otherTA).buffer.__proto__ === ArrayBuffer.prototype);

if (this.SharedArrayBuffer) {
    // A shared source buffer always yields a new ArrayBuffer from the current realm.
    var otherTA = otherGlobal.eval("new Int32Array(new SharedArrayBuffer(0))");
    print(new Int32Array(otherTA).buffer.__proto__ === ArrayBuffer.prototype);
    print(new Int16Array(otherTA).buffer.__proto__ === ArrayBuffer.prototype);

    otherTA.buffer.constructor = undefined;
    print(new Int32Array(otherTA).buffer.__proto__ === ArrayBuffer.prototype);
    print(new Int16Array(otherTA).buffer.__proto__ === ArrayBuffer.prototype);
}
---
Expected: Prints "true" for every combination
Actual: Prints "false" for the last six calls
Attached patch bug1344656.patch (obsolete) — Splinter Review
When calling the TypedArray constructor with a cross-compartment typed array, we need to stay in the current compartment when calling the self-hosted SpeciesConstructor function, otherwise we'd throw exceptions from the wrong global.
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Attachment #8845492 - Flags: review?(arai.unmht)
Comment on attachment 8845492 [details] [diff] [review]
bug1344656.patch

Review of attachment 8845492 [details] [diff] [review]:
-----------------------------------------------------------------

great :)

::: js/src/vm/TypedArrayObject.cpp
@@ +1104,4 @@
> if (!isWrapped) {
> + // Avoid calling into self-hosted code if |obj|'s constructor is the
> + // built-in ArrayBuffer and the constructor's species property is the
> + // original ArrayBuffer[@@species] function.

Can you clarify it's for performance reason?
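Review bot: the added comment at @@ +1104,4 gives the condition for skipping the self-hosted call but not the reason, so a reader cannot tell whether correctness depends on it. State that this is a performance fast path, and that it is only taken for unwrapped (same-compartment) buffers because, as the patch description says, the cross-compartment case must reach the self-hosted SpeciesConstructor from the current compartment so that any exception comes from the right global.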
Attachment #8845492 - Flags: review?(arai.unmht) → review+
Attached patch bug1344656.patch — Splinter Review
Addressed review comments, carrying r+ from arai.
Attachment #8845492 - Attachment is obsolete: true
Attachment #8845806 - Flags: review+
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/07e53fffedbb Create ArrayBuffers with the correct prototype in TypedArray constructor with cross-realm TypedArray. r=arai
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55