From dbed7be3cb971af4dc822e8231b5db6c06377777 Mon Sep 17 00:00:00 2001 From: Ben Noordhuis Date: Mon, 11 Dec 2023 09:22:02 +0100 Subject: [PATCH] Handle TypedArray detach during iteration (#201) Per spec: detaching the TA mid-iteration is allowed and should not not throw an exception. In the case of TypedArray.prototype.set, because iteration over the source array is observable, we cannot bail out early when the TA is first detached. --- quickjs.c | 8 +++++++- test262_errors.txt | 2 -- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/quickjs.c b/quickjs.c index 6454407..c2f299c 100644 --- a/quickjs.c +++ b/quickjs.c @@ -48337,8 +48337,14 @@ static JSValue js_typed_array_set_internal(JSContext *ctx, val = JS_GetPropertyUint32(ctx, src_obj, i); if (JS_IsException(val)) goto fail; - if (JS_SetPropertyUint32(ctx, dst, offset + i, val) < 0) + // Per spec: detaching the TA mid-iteration is allowed and should + // not throw an exception. Because iteration over the source array is + // observable, we cannot bail out early when the TA is first detached. + if (typed_array_is_detached(ctx, p)) { + JS_FreeValue(ctx, val); + } else if (JS_SetPropertyUint32(ctx, dst, offset + i, val) < 0) { goto fail; + } } done: JS_FreeValue(ctx, src_obj); diff --git a/test262_errors.txt b/test262_errors.txt index 40596b6..c6d68d0 100644 --- a/test262_errors.txt +++ b/test262_errors.txt @@ -3,8 +3,6 @@ test262/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedYield-brok test262/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedYield-broken-promise-try-catch.js:39: strict mode: TypeError: $DONE() not called test262/test/built-ins/RegExp/lookahead-quantifier-match-groups.js:27: Test262Error: Expected [a, abc] and [a, undefined] to have the same contents. ? quantifier test262/test/built-ins/RegExp/lookahead-quantifier-match-groups.js:27: strict mode: Test262Error: Expected [a, abc] and [a, undefined] to have the same contents. ? quantifier -test262/test/built-ins/TypedArray/prototype/set/array-arg-targetbuffer-detached-on-get-src-value-no-throw.js:30: TypeError: out-of-bound numeric index (Testing with Float64Array.) -test262/test/built-ins/TypedArray/prototype/set/array-arg-targetbuffer-detached-on-get-src-value-no-throw.js:30: strict mode: TypeError: out-of-bound numeric index (Testing with Float64Array.) test262/test/built-ins/TypedArray/prototype/sort/sort-tonumber.js:30: TypeError: ArrayBuffer is detached (Testing with Float64Array.) test262/test/built-ins/TypedArray/prototype/sort/sort-tonumber.js:30: strict mode: TypeError: ArrayBuffer is detached (Testing with Float64Array.) test262/test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/BigInt/detached-buffer.js:46: Test262Error: (Testing with BigInt64Array.)