Fix Reflect typed array element conversion (#240)

Ben Noordhuis 2023-12-30 10:45:33 +01:00 committed by GitHub
parent 05fb3d9dc8
commit b5d6cea20e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 17 additions and 14 deletions


@ -8673,7 +8673,7 @@ static int JS_SetPropertyValue(JSContext *ctx, JSValue this_obj,
break;
case JS_CLASS_UINT8C_ARRAY:
if (JS_ToUint8ClampFree(ctx, &v, val))
return -1;
goto ta_cvt_fail;
/* Note: the conversion can detach the typed array, so the
array bound check must be done after */
if (unlikely(idx >= (uint32_t)p->u.array.count))
@ -8683,7 +8683,7 @@ static int JS_SetPropertyValue(JSContext *ctx, JSValue this_obj,
case JS_CLASS_INT8_ARRAY:
case JS_CLASS_UINT8_ARRAY:
if (JS_ToInt32Free(ctx, &v, val))
return -1;
goto ta_cvt_fail;
if (unlikely(idx >= (uint32_t)p->u.array.count))
goto ta_out_of_bound;
p->u.array.u.uint8_ptr[idx] = v;
@ -8691,7 +8691,7 @@ static int JS_SetPropertyValue(JSContext *ctx, JSValue this_obj,
case JS_CLASS_INT16_ARRAY:
case JS_CLASS_UINT16_ARRAY:
if (JS_ToInt32Free(ctx, &v, val))
return -1;
goto ta_cvt_fail;
if (unlikely(idx >= (uint32_t)p->u.array.count))
goto ta_out_of_bound;
p->u.array.u.uint16_ptr[idx] = v;
@ -8699,7 +8699,7 @@ static int JS_SetPropertyValue(JSContext *ctx, JSValue this_obj,
case JS_CLASS_INT32_ARRAY:
case JS_CLASS_UINT32_ARRAY:
if (JS_ToInt32Free(ctx, &v, val))
return -1;
goto ta_cvt_fail;
if (unlikely(idx >= (uint32_t)p->u.array.count))
goto ta_out_of_bound;
p->u.array.u.uint32_ptr[idx] = v;
@ -8710,7 +8710,7 @@ static int JS_SetPropertyValue(JSContext *ctx, JSValue this_obj,
{
int64_t v;
if (JS_ToBigInt64Free(ctx, &v, val))
return -1;
goto ta_cvt_fail;
if (unlikely(idx >= (uint32_t)p->u.array.count))
goto ta_out_of_bound;
p->u.array.u.uint64_ptr[idx] = v;
@ -8718,14 +8718,20 @@ static int JS_SetPropertyValue(JSContext *ctx, JSValue this_obj,
break;
case JS_CLASS_FLOAT32_ARRAY:
if (JS_ToFloat64Free(ctx, &d, val))
return -1;
goto ta_cvt_fail;
if (unlikely(idx >= (uint32_t)p->u.array.count))
goto ta_out_of_bound;
p->u.array.u.float_ptr[idx] = d;
break;
case JS_CLASS_FLOAT64_ARRAY:
if (JS_ToFloat64Free(ctx, &d, val))
if (JS_ToFloat64Free(ctx, &d, val)) {
ta_cvt_fail:
if (flags & JS_PROP_REFLECT_DEFINE_PROPERTY) {
JS_FreeValue(ctx, JS_GetException(ctx));
return FALSE;
}
return -1;
}
if (unlikely(idx >= (uint32_t)p->u.array.count)) {
ta_out_of_bound:
if (typed_array_is_detached(ctx, p))
@ -34718,9 +34724,9 @@ static JSValue js_object_defineProperty(JSContext *ctx, JSValue this_val,
atom = JS_ValueToAtom(ctx, prop);
if (unlikely(atom == JS_ATOM_NULL))
return JS_EXCEPTION;
flags = 0;
if (!magic)
flags = JS_PROP_THROW | JS_PROP_DEFINE_PROPERTY;
flags = JS_PROP_THROW | JS_PROP_DEFINE_PROPERTY;
if (magic)
flags = JS_PROP_REFLECT_DEFINE_PROPERTY;
ret = JS_DefinePropertyDesc(ctx, obj, atom, desc, flags);
JS_FreeAtom(ctx, atom);
if (ret < 0) {
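Review bot: The `ta_cvt_fail` block in the `JS_CLASS_FLOAT64_ARRAY` case discards the pending exception and returns FALSE for every conversion failure once `JS_PROP_REFLECT_DEFINE_PROPERTY` is set, not only for the detached-buffer tests named in the expectations file. As written, a `valueOf` that throws on a live, in-bounds typed array would presumably make Reflect.defineProperty report `false` instead of propagating the error, and any engine-raised failure during conversion (out of memory, for instance) would be dropped the same way. Consider narrowing the guard, e.g. `if ((flags & JS_PROP_REFLECT_DEFINE_PROPERTY) && typed_array_is_detached(ctx, p)) {`, with a comment stating why the exception is safe to swallow there. Every other typed-array case jumps into this block, and JS_SetPropertyValue starts and ends outside the hunks shown.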


@ -247,6 +247,7 @@ static inline JS_BOOL JS_VALUE_IS_NAN(JSValue v)
#define JS_PROP_NO_ADD (1 << 16) /* internal use */
#define JS_PROP_NO_EXOTIC (1 << 17) /* internal use */
#define JS_PROP_DEFINE_PROPERTY (1 << 18) /* internal use */
#define JS_PROP_REFLECT_DEFINE_PROPERTY (1 << 19) /* internal use */
#define JS_DEFAULT_STACK_SIZE (256 * 1024)
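Review bot: `JS_PROP_REFLECT_DEFINE_PROPERTY` is documented only as `/* internal use */`, yet in this commit it changes error semantics: when it is set, a failed typed array element conversion clears the pending exception and returns FALSE instead of -1. A comment saying so would keep later callers from passing the flag where a swallowed exception is not acceptable, e.g. `/* internal use: Reflect.defineProperty; typed array element conversion failure returns FALSE with the exception cleared */`.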


@ -1,10 +1,6 @@
test262/test/annexB/language/eval-code/direct/script-decl-lex-collision-in-sloppy-mode.js:13: Test262Error: Expected a SyntaxError to be thrown but no exception was thrown at all
test262/test/built-ins/RegExp/lookahead-quantifier-match-groups.js:27: Test262Error: Expected [a, abc] and [a, undefined] to have the same contents. ? quantifier
test262/test/built-ins/RegExp/lookahead-quantifier-match-groups.js:27: strict mode: Test262Error: Expected [a, abc] and [a, undefined] to have the same contents. ? quantifier
test262/test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/BigInt/detached-buffer.js:46: Test262Error: (Testing with BigInt64Array.)
test262/test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/BigInt/detached-buffer.js:46: strict mode: Test262Error: (Testing with BigInt64Array.)
test262/test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/detached-buffer.js:47: Test262Error: (Testing with Float64Array.)
test262/test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/detached-buffer.js:47: strict mode: Test262Error: (Testing with Float64Array.)
test262/test/language/expressions/arrow-function/static-init-await-reference.js:12: unexpected error type: Test262: This statement should not be evaluated.
test262/test/language/expressions/arrow-function/static-init-await-reference.js:12: strict mode: unexpected error type: Test262: This statement should not be evaluated.
test262/test/language/expressions/assignment/target-member-computed-reference-null.js:32: Test262Error: Expected a DummyError but got a TypeError