hasOwnProperty returns true for out of bounds property index on TypedArray
author keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Jul 2018 01:28:35 +0000 (01:28 +0000)
committer keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Jul 2018 01:28:35 +0000 (01:28 +0000)
commit 5c436b3c4efe8ecdd6ad48618fecc9c9b8dbfafb
tree d47a4917a09366c55bede25e46bd74216b067194
parent 7b3368def21ef591fa2d5ca8ff7a38b6c8322866
hasOwnProperty returns true for out of bounds property index on TypedArray
https://bugs.webkit.org/show_bug.cgi?id=187520

Reviewed by Saam Barati.

JSTests:

getOwnPropertySlot returns true on out of bounds indices for
TypedArrays, which is incorrect.

* stress/typedarray-hasOwnProperty-out-of-bounds.js: Added.
(test):

Source/JavaScriptCore:

* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233718 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/typedarray-hasOwnProperty-out-of-bounds.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h