JSC Builtins should use safe array methods
https://bugs.webkit.org/show_bug.cgi?id=151501
Reviewed by Darin Adler.
Source/JavaScriptCore:
Adding @push and @shift to Array prototype.
Using @push in TypedArray built-in.
Covered by added test in LayoutTests/js/builtins
- builtins/TypedArray.prototype.js:
(filter):
- runtime/ArrayPrototype.cpp:
(JSC::ArrayPrototype::finishCreation):
- runtime/CommonIdentifiers.h:
Source/WebCore:
Using @push and @shift in internal arrays in lieu of push and shift.
This cannot be disrupted by user scripts except if arrays are also made accessible to user scripts.
Covered by added tests for ReadableStream constructs.
- Modules/mediastream/RTCPeerConnectionInternals.js:
(runNext):
(enqueueOperation):
- Modules/streams/ReadableStreamInternals.js:
(enqueueInReadableStream):
(readFromReadableStreamReader):
- Modules/streams/StreamInternals.js:
(dequeueValue):
(enqueueValueWithSize):
LayoutTests:
Adding shielding test for TypedArray.prototype.filter and stream enqueuing of values and read promises.
- js/builtins/resources/shielding-typedarray.js: Added.
(Array.prototype.push):
(try.array.Int8Array.from.string_appeared_here.filter):
- js/builtins/shielding-typedarray-expected.txt: Added.
- js/builtins/shielding-typedarray.html: Added.
- streams/streams-promises-expected.txt:
- streams/streams-promises.html:
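
The shielding this change relies on, as an added JavaScript illustration (not WebKit code and not part of the commit): JSC's private `@push`/`@shift` cannot be written in page script, so they are approximated here by capturing the original methods at load time. `safePush`, `safeShift`, `makeUnsafeQueue`, `makeShieldedQueue` and `tamperAndRun` are hypothetical names, and the overriding "page script" is constructed.

```javascript
// Captured before any untrusted script runs; stand-ins for JSC's @push/@shift.
// The bound functions hold the original methods, so later prototype edits
// cannot redirect them.
const safePush = Function.prototype.call.bind(Array.prototype.push);
const safeShift = Function.prototype.call.bind(Array.prototype.shift);

// Looks up push/shift on Array.prototype at call time: tamperable.
function makeUnsafeQueue() {
  const q = [];
  return { enqueue: (v) => { q.push(v); }, dequeue: () => q.shift() };
}

// Uses only the captured originals: not affected by prototype overrides.
function makeShieldedQueue() {
  const q = [];
  return { enqueue: (v) => { safePush(q, v); }, dequeue: () => safeShift(q) };
}

// Constructed stand-in for a page script that replaces the public methods,
// then drives the queue the way internal stream code would.
function tamperAndRun(makeQueue) {
  const observed = [];
  const origPush = Array.prototype.push;
  const origShift = Array.prototype.shift;
  Array.prototype.push = function (v) { observed[observed.length] = v; return 0; };
  Array.prototype.shift = function () { return "forged"; };
  try {
    const queue = makeQueue();
    queue.enqueue("chunk-1");
    queue.enqueue("chunk-2");
    return { observed, dequeued: [queue.dequeue(), queue.dequeue()] };
  } finally {
    Array.prototype.push = origPush; // restore so later code is unaffected
    Array.prototype.shift = origShift;
  }
}

console.log("unsafe:  ", JSON.stringify(tamperAndRun(makeUnsafeQueue)));
console.log("shielded:", JSON.stringify(tamperAndRun(makeShieldedQueue)));
```

The unsafe queue hands every enqueued value to the override and returns forged results, while the shielded queue is unaffected. As the commit message notes, this holds only while the internal array itself is not made accessible to user scripts.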