hasOwnProperty returns true for out of bounds property index on TypedArray
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Jul 2018 01:28:35 +0000 (01:28 +0000)
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Jul 2018 01:28:35 +0000 (01:28 +0000)
https://bugs.webkit.org/show_bug.cgi?id=187520

Reviewed by Saam Barati.

JSTests:

getOwnPropertySlot returns true on out of bounds indices for
TypedArrays, which is incorrect.

* stress/typedarray-hasOwnProperty-out-of-bounds.js: Added.
(test):

Source/JavaScriptCore:

* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233718 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/typedarray-hasOwnProperty-out-of-bounds.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

index 5930b6d..efa7784 100644 (file)
@@ -1,3 +1,16 @@
+2018-07-10  Keith Miller  <keith_miller@apple.com>
+
+        hasOwnProperty returns true for out of bounds property index on TypedArray
+        https://bugs.webkit.org/show_bug.cgi?id=187520
+
+        Reviewed by Saam Barati.
+
+        getOwnPropertySlot returns true on out of bounds indicies for
+        TypedArrays, which is incorrect.
+
+        * stress/typedarray-hasOwnProperty-out-of-bounds.js: Added.
+        (test):
+
 2018-07-10  Michael Saboff  <msaboff@apple.com>
 
         DFG JIT: compileMathIC produces incorrect machine code
diff --git a/JSTests/stress/typedarray-hasOwnProperty-out-of-bounds.js b/JSTests/stress/typedarray-hasOwnProperty-out-of-bounds.js
new file mode 100644 (file)
index 0000000..143fb6b
--- /dev/null
@@ -0,0 +1,20 @@
+
+let array = new Float32Array(10);
+
+function test(array, indicies, result) {
+    for (let i of indicies) {
+        if (array.hasOwnProperty(i) !== result)
+            throw new Error("wrong value for " + i);
+        if (array.hasOwnProperty(i.toString()) !== result)
+            throw new Error("wrong value for " + i + " (as String)");
+    }
+}
+noInline(test);
+
+let interestingIndicies = [0, 1, 2, 8, 9];
+for (let i = 0; i < 10000; i++)
+    test(array, interestingIndicies, true);
+
+interestingIndicies = [-1, 10, 100];
+for (let i = 0; i < 10000; i++)
+    test(array, interestingIndicies, false);
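Review bot: `indicies` is misspelled in both the `test` parameter (`function test(array, indicies, result)`) and the module-level `interestingIndicies`; `indices` / `interestingIndices` would read cleanly, and the matching typo in the ChangeLog entry could be fixed alongside it. The negative and past-the-end cases exercise only integer keys; keys that are canonical numeric strings but not valid integer indices (for example `"1.5"` or `"-0"`) also have no own property on a typed array per spec, and a third loop such as `test(array, ["1.5", "-0"], false)` would pin that behaviour down as well. That assumes those keys are already handled on a different path, since the hunk in JSGenericTypedArrayViewInlines.h only changes the parsed-integer-index branch — worth confirming rather than inferring.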
index 2a1eb35..112dde5 100644 (file)
@@ -1,3 +1,13 @@
+2018-07-10  Keith Miller  <keith_miller@apple.com>
+
+        hasOwnProperty returns true for out of bounds property index on TypedArray
+        https://bugs.webkit.org/show_bug.cgi?id=187520
+
+        Reviewed by Saam Barati.
+
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
+
 2018-07-10  Michael Saboff  <msaboff@apple.com>
 
         DFG JIT: compileMathIC produces incorrect machine code
index 55fdc05..fbafd88 100644 (file)
@@ -359,11 +359,13 @@ bool JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot(
             return true;
         }
 
-        if (thisObject->canGetIndexQuickly(index.value()))
+        if (thisObject->canGetIndexQuickly(index.value())) {
             slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, thisObject->getIndexQuickly(index.value()));
-        else
-            slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, jsUndefined());
-        return true;
+            return true;
+        }
+
+        slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, jsUndefined());
+        return false;
     }
     
     return Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
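Review bot: On the new out-of-bounds path (the lines after the `canGetIndexQuickly` block) the slot is still populated with `jsUndefined()` and `DontDelete | ReadOnly` attributes immediately before `return false;`, which is dead work and leaves a found-looking value in a slot the caller has just been told is empty. Since the boolean result is what hasOwnProperty acts on, dropping the `slot.setValue(...)` line and returning `false` directly makes the contract unambiguous; if some caller does read the slot after a false return, that dependency deserves an explicit comment here rather than an implicit value. A short comment above the return, `// Integer-indexed exotic objects never consult the prototype for numeric keys: an out-of-bounds index is simply absent.`, would also explain why this branch does not fall through to `Base::getOwnPropertySlot`. The enclosing `getOwnPropertySlot` begins and ends outside this hunk.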