Changeset 266529 in webkit for trunk/Source/JavaScriptCore/runtime/JSDataView.cpp

Timestamp:

Sep 3, 2020, 10:04:09 AM (5 years ago)

Author:

Ross Kirsling

Message:

[JSC] Add missing detached buffer errors for DataView
​https://bugs.webkit.org/show_bug.cgi?id=216062

Reviewed by Yusuke Suzuki.

JSTests:

• stress/detached-buffer-typeerror.js:

Add new test.

• stress/dataview-jit-neuter.js:
• stress/native-constructors-length.js:

Update existing tests.

• test262/expectations.yaml:

Mark 74 test cases as passing.

Source/JavaScriptCore:

DataView methods are often expected to throw a TypeError if the underlying ArrayBuffer is detached
(or neutered, in older terminology) -- this patch adds a slew of missing cases from the following spec section:

• ​https://tc39.es/ecma262/#sec-properties-of-the-dataview-prototype-object

At the same time:

• get rid of JSDataView::getOwnPropertySlot, which was turning dataViewProtoGetterByte{Length,Offset} into mostly unreachable code and erroneously causing byte{Length,Offset} to have property descriptors
• perform some simple cleanup of neighboring error calls / messages
• fix value of DataView.length (our only other DataView spec bug)

• runtime/JSDataView.cpp:

(JSC::JSDataView::create):
(JSC::JSDataView::getOwnPropertySlot): Deleted.

• runtime/JSDataView.h:
• runtime/JSDataViewPrototype.cpp:

(JSC::getData):
(JSC::setData):
(JSC::dataViewProtoGetterByteLength):
(JSC::dataViewProtoGetterByteOffset):

• runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):

LayoutTests:

• fast/canvas/webgl/arraybuffer-transfer-of-control.html:
• js/dom/constructor-length.html:
• js/script-tests/typedarray-constructors.js:
• js/typedarray-constructors-expected.txt:
• platform/glib/js/dom/constructor-length-expected.txt:
• platform/ios/js/dom/constructor-length-expected.txt:
• platform/mac/js/dom/constructor-length-expected.txt:
• platform/win/js/dom/constructor-length-expected.txt:
• platform/wincairo/js/dom/constructor-length-expected.txt:

Update tests and expectations.

File:

• trunk/Source/JavaScriptCore/runtime/JSDataView.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/runtime/JSDataView.cpp

@@ -49 +49 @@
 
     ASSERT(buffer);
+    if (buffer->isNeutered()) {
+        throwTypeError(globalObject, scope, "Buffer is already detached"_s);
+        return nullptr;
+    }
     if (!ArrayBufferView::verifySubRangeLength(*buffer, byteOffset, byteLength, sizeof(uint8_t))) {
-        throwVMError(globalObject, scope, createRangeError(globalObject, "Length out of range of buffer"_s));
+        throwRangeError(globalObject, scope, "Length out of range of buffer"_s);
         return nullptr;
     }
     if (!ArrayBufferView::verifyByteOffsetAlignment(byteOffset, sizeof(uint8_t))) {
-        throwException(globalObject, scope, createRangeError(globalObject, "Byte offset is not aligned"_s));
+        throwRangeError(globalObject, scope, "Byte offset is not aligned"_s);
         return nullptr;
     }
+
     ConstructionContext context(
         structure, buffer.copyRef(), byteOffset, byteLength, ConstructionContext::DataView);
@@ -98 +103 @@
 {
     return DataView::create(unsharedBuffer(), byteOffset(), length());
-}
-
-bool JSDataView::getOwnPropertySlot(
-    JSObject* object, JSGlobalObject* globalObject, PropertyName propertyName, PropertySlot& slot)
-{
-    VM& vm = globalObject->vm();
-    JSDataView* thisObject = jsCast<JSDataView*>(object);
-    if (propertyName == vm.propertyNames->byteLength) {
-        slot.setValue(thisObject, PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly, jsNumber(thisObject->m_length));
-        return true;
-    }
-    if (propertyName == vm.propertyNames->byteOffset) {
-        slot.setValue(thisObject, PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly, jsNumber(thisObject->byteOffset()));
-        return true;
-    }
-
-    return Base::getOwnPropertySlot(thisObject, globalObject, propertyName, slot);
 }