Closed Bug 741114 Opened 12 years ago Closed 11 years ago

JM: Typed array IC bug clamping strings to uint8

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: jandem, Assigned: jandem)

Details

Attachments

(1 file)

The testcase I added for bug 738277 fails with JM-without-TI. The problem is that stubs::ConvertToTypedInt converts strings to int32 instead of converting to double and clamping the double.

The typed array IC's are not used if TI is enabled, so this is not hugely important, but the fix is easy and necessary to get tbpl green again.
Attached patch PatchSplinter Review
Patch is based on setElementTail in jstypedarray.cpp. I'm not sure about the JS_ALWAYS_TRUE, as far as I can see StringToNumberType can fail if getChars returns false. This seems easy to fix in jstypedarray.cpp but it makes the JM fix more complicated since stubs::ConvertToTypedInt has to be fallible. I'm not sure if doing that is worth it since the IC is only used without TI. What do you think?
Attachment #611178 - Flags: review?(bhackett1024)
Adding complexity here definitely isn't worth it, but I don't think it's good to ignore an OOM under ToNumber --- we could end up executing code while there is a pending exception, which would confuse things.  (I don't know if reporting OOM normally sets a pending exception, but it looks like debugger hooks can post a catchable exception on OOM).  It might be simplest to just disable the typed array IC.
Attachment #611178 - Flags: review?(bhackett1024)
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.