author keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Jul 2016 20:58:52 +0000 (20:58 +0000)
committer keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Jul 2016 20:58:52 +0000 (20:58 +0000)
commit 153f23aefdf29b103407c0ace326b1d8af4590ad
tree 531a4d1f25c3190de4e035a8da70b322f52da588
parent e6e7fa4f70c9d014a79c9a365d7252ad0e045ec3
%TypedArray%.prototype.indexOf is coercing non-integers or non-floats to numbers wrongly
https://bugs.webkit.org/show_bug.cgi?id=159400

Reviewed by Geoffrey Garen.

This patch fixes coercion of non-numbers in indexOf/lastIndexOf.
Additionally, this patch fixes an issue with includes where it
would not check that the buffer remained non-neutered after
calling the toInteger() function. Lastly, some extra release
asserts have been added in some places to inform us of any issues
in the future.

Additionally, this patch changes bool toNativeFromDouble to
Optional<Type> toNativeFromDoubleWithoutCoercion. This makes it a
little clearer what the function does and also removes the return
argument. The only behavior change is that the function no longer
coerces non-numbers into numbers. That behavior was unused (maybe
unintended), however.

* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion):
(JSC::JSGenericTypedArrayView::sort):
(JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncCopyWithin):
(JSC::genericTypedArrayViewProtoFuncIncludes):
(JSC::genericTypedArrayViewProtoFuncIndexOf):
(JSC::genericTypedArrayViewProtoFuncLastIndexOf):
* runtime/ToNativeFromValue.h:
(JSC::toNativeFromValueWithoutCoercion):
(JSC::toNativeFromValue): Deleted.
* runtime/TypedArrayAdaptors.h:
(JSC::IntegralTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
(JSC::IntegralTypedArrayAdaptor::toNativeFromUint32WithoutCoercion):
(JSC::IntegralTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
(JSC::FloatTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
(JSC::FloatTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
(JSC::Uint8ClampedAdaptor::toNativeFromInt32WithoutCoercion):
(JSC::Uint8ClampedAdaptor::toNativeFromDoubleWithoutCoercion):
(JSC::IntegralTypedArrayAdaptor::toNativeFromInt32): Deleted.
(JSC::IntegralTypedArrayAdaptor::toNativeFromUint32): Deleted.
(JSC::IntegralTypedArrayAdaptor::toNativeFromDouble): Deleted.
(JSC::FloatTypedArrayAdaptor::toNativeFromInt32): Deleted.
(JSC::FloatTypedArrayAdaptor::toNativeFromDouble): Deleted.
(JSC::Uint8ClampedAdaptor::toNativeFromInt32): Deleted.
(JSC::Uint8ClampedAdaptor::toNativeFromDouble): Deleted.
* tests/stress/resources/typedarray-test-helper-functions.js:
* tests/stress/typedarray-functions-with-neutered.js:
(callWithArgs):
* tests/stress/typedarray-includes.js: Added.
* tests/stress/typedarray-indexOf.js:
* tests/stress/typedarray-lastIndexOf.js:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@203297 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h
Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h
Source/JavaScriptCore/runtime/ToNativeFromValue.h
Source/JavaScriptCore/runtime/TypedArrayAdaptors.h
Source/JavaScriptCore/tests/stress/resources/typedarray-test-helper-functions.js
Source/JavaScriptCore/tests/stress/typedarray-functions-with-neutered.js
Source/JavaScriptCore/tests/stress/typedarray-includes.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/typedarray-indexOf.js
Source/JavaScriptCore/tests/stress/typedarray-lastIndexOf.js
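A JavaScript model of the two behaviours this commit describes, written here as an added example and not taken from WebKit: the search element is compared without coercion, and the typed array is re-validated after ToInteger(fromIndex) has run user code (valueOf/toString), since that code may detach the underlying buffer. It assumes Node 17+ or a browser for `structuredClone` as the way to detach a buffer; the function names are the example's own.

```javascript
// Model (added example, not WebKit's code) of the spec steps behind
// %TypedArray%.prototype.indexOf / lastIndexOf / includes: the search
// element is never coerced, and the view is re-validated after ToInteger.

// ToInteger: Number() invokes valueOf/toString, i.e. arbitrary user code.
function toInteger(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  return Number.isFinite(n) ? Math.trunc(n) : n;
}

function typedIndexOf(view, searchElement, fromIndex) {
  const len = view.length;             // cached before any user code runs
  if (len === 0) return -1;
  const n = toInteger(fromIndex);      // may detach view.buffer
  if (view.length !== len) return -1;  // detached view reports length 0: bail out
  // Strict equality only: "2" or 1.5 never matches an Int32Array element.
  for (let k = Math.max(n >= 0 ? n : len + n, 0); k < len; k++) {
    if (view[k] === searchElement) return k;
  }
  return -1;
}

function typedLastIndexOf(view, searchElement, ...fromIndex) {
  const len = view.length;
  if (len === 0) return -1;
  const n = fromIndex.length ? toInteger(fromIndex[0]) : len - 1;
  if (view.length !== len) return -1;
  for (let k = n >= 0 ? Math.min(n, len - 1) : len + n; k >= 0; k--) {
    if (view[k] === searchElement) return k;
  }
  return -1;
}

function typedIncludes(view, searchElement, fromIndex) {
  const len = view.length;
  if (len === 0) return false;
  const n = toInteger(fromIndex);
  if (view.length !== len) return false;  // the check the old includes lacked
  // SameValueZero: no coercion either, but NaN does match NaN.
  for (let k = Math.max(n >= 0 ? n : len + n, 0); k < len; k++) {
    const e = view[k];
    if (e === searchElement || (Number.isNaN(e) && Number.isNaN(searchElement))) return true;
  }
  return false;
}

// Detach an ArrayBuffer by transferring it away (Node 17+ and browsers).
function detach(buffer) {
  structuredClone(buffer, { transfer: [buffer] });
}
```

The engine's own `new Int32Array([1, 2]).indexOf("2")` should agree with the model and return -1, while a fromIndex of `"1"` is still coerced because ToInteger applies to the index, not the element.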