Closed
Bug 1232265
Opened 10 years ago
Closed 9 years ago
ArrayBuffer constructor should throw for non-integer byte sizes
Categories
(Core :: JavaScript: Standard Library, defect)
Core
JavaScript: Standard Library
Tracking
()
RESOLVED
DUPLICATE
of bug 1255128
| Tracking | Status | |
|---|---|---|
| firefox45 | --- | affected |
People
(Reporter: anba, Assigned: gweng)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 2 obsolete files)
|
5.60 KB,
patch
|
Details | Diff | Splinter Review |
The ArrayBuffer constructor should validate the input parameter to catch misuses like [1].
ES2015, 24.1.2.1 ArrayBuffer( length ), steps 2-4 [2].
[1] http://hg.mozilla.org/mozilla-central/file/tip/js/src/tests/ecma_6/DataView/detach-after-construction.js#l4
[2] http://ecma-international.org/ecma-262/6.0/#sec-arraybuffer-length
|
Assignee | |
Comment 1•9 years ago
|
||
I'm patching this, but from the spec I don't know if I need to throw the error inside the virtual |ToNumber| (which now is actually |ToInt32| in the |class_constructor|), or I can just check the value before send it to the converter. Because the spec only describes the |length| need to be converted by |ToNumber| first, and mention nothing about the check. However, since I don't see things like the |ToNumber| in the constructor, to change the implementation just for an error message looks not a good idea.
Another concern is that I don't know will it break lots of tests and websites use the API in the wrong way (although they shouldn't). Beside that, I noticed that Node.js also allow the misuse without throwing.
Assignee: nobody → gweng
|
|
Assignee | |
Comment 2•9 years ago
|
||
The patch passed try tests:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=325412d42276
I don't know if it's good enough, but I need a reviewer to address the possible issues first.
|
|
Assignee | |
Comment 3•9 years ago
|
||
|
|
Assignee | |
Comment 4•9 years ago
|
||
Oh I need to rebase first.
|
|
Assignee | |
Comment 5•9 years ago
|
||
Attachment #8744545 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 6•9 years ago
|
||
Well, I don't know who should be the reviewer.
(In reply to Greg Weng [:snowmantw][:gweng][:λ] from comment #6)
> Well, I don't know who should be the reviewer.
If you are not sure, set needinfo? from the module owners of SpiderMonkey/JIT, they will know who should take this on.
https://wiki.mozilla.org/Modules/All#JavaScript
Jason, Jan, not sure who should review this, so setting needinfo? as a start.
If you would like to request fuzzing later, feel free to set feedback? from me or :decoder on your rollup patch (if multiple patches), listing the m-c rev it applies on.
Flags: needinfo?(jorendorff)
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 8•9 years ago
|
||
Thanks for help!
|
||
Comment 9•9 years ago
|
||
Jason or Waldo are probably good reviewers for this.
Greg: a few things I noticed glancing at your patch:
* toInt32 is not a great test when testing whether a Value is int32, as integer values can also be represented as doubles (JS doesn't have an int32 type, it's just an internal optimization).
* We should follow the steps in the spec:
http://ecma-international.org/ecma-262/6.0/#sec-arraybuffer-length
So first do ToNumber, then do ToLength, then do the SameValueZero thing :)
Flags: needinfo?(jdemooij)
|
|
||
Comment 10•9 years ago
|
||
In particular, I think the following tests will throw with your patch, but should still pass:
assertEq(new ArrayBuffer({valueOf: () => 123}).byteLength, 123);
assertEq(new ArrayBuffer(true).byteLength, 1);
|
|
Assignee | |
Comment 11•9 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #9)
> Jason or Waldo are probably good reviewers for this.
>
> Greg: a few things I noticed glancing at your patch:
>
> * toInt32 is not a great test when testing whether a Value is int32, as
> integer values can also be represented as doubles (JS doesn't have an int32
> type, it's just an internal optimization).
>
> * We should follow the steps in the spec:
>
> http://ecma-international.org/ecma-262/6.0/#sec-arraybuffer-length
>
> So first do ToNumber, then do ToLength, then do the SameValueZero thing :)
Okay I will try to implement that, although ToLength is already an issue at bug 924058 and bug 1064000, so I may try to resolve them first.
|
|
Assignee | |
Comment 12•9 years ago
|
||
Or maybe I can use the existing API in this bug first, and take a look at those related bugs if I encountered any further issue.
|
|
Assignee | |
Comment 13•9 years ago
|
||
Okay. I updated my patch and it works well except one issue: in the spec, the step of |ToNumber| actually cannot prevent user give an empty Array or one single-element Array, like:
var ab0 = new ArrayBuffer([])
var ab90 = new ArrayBuffer([90])
var ab0x10 = new ArrayBuffer([0x10])
var abs90 = new ArrayBuffer(["90"])
var abs0x10 = new ArrayBuffer(["0x10"])
This is because |ToNumber| will pick up the only element and turn it as a Number, which seems legit for the |ToNumber| API and I've tested with a customed JS_FN binding function. As a result, for this bug we indeed need to rewrite tests like
var abIncorrect = new ArrayBuffer([1,2])
But we may need to guarantee the code like
var abCorrect = new ArrayBuffer(["2"])
works, if to follow the spec is the most critical requirement.
|
|
||
Comment 14•9 years ago
|
||
(In reply to Greg Weng [:snowmantw][:gweng][:λ] from comment #13)
> But we may need to guarantee the code like
>
> var abCorrect = new ArrayBuffer(["2"])
>
> works,
Yup, good find. We should add tests for these cases.
> if to follow the spec is the most critical requirement.
It is :)
|
|
Assignee | |
Comment 15•9 years ago
|
||
Uploaded the new patch and set the review. I'm not sure if I need to check the overflow case: if there is an overflow, the |SameValue(number_length, byte_length)| won't be the same. So to check it looks redundant.
Attachment #8745181 -
Flags: review?(jwalden+bmo)
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8744546 -
Attachment is obsolete: true
|
||
Comment 16•9 years ago
|
||
Comment on attachment 8745181 [details] [diff] [review]
Patch ver.2
Review of attachment 8745181 [details] [diff] [review]:
-----------------------------------------------------------------
This conflicts with my patch in bug 1255128; they're pretty much the same bug, except I'm also capping ArrayBuffer allocations at 1GB.
I'm going to try merging the test changes here with my code changes and see how it goes...
|
|
||
Comment 17•9 years ago
|
||
Comment on attachment 8745181 [details] [diff] [review]
Patch ver.2
Review of attachment 8745181 [details] [diff] [review]:
-----------------------------------------------------------------
Clearing r? in favor of the patch in bug 1255128.
Note that there was also a web-platform test that expected the old behavior that I had to change.
Attachment #8745181 -
Flags: review?(jwalden+bmo)
|
|
Assignee | |
Comment 18•9 years ago
|
||
Okay I see. Does this means you will implement the |ToNumber| and |SameValue| parts in the spec for ArrayBuffer, or would you leave that so this bug is still valid and I need to patch those steps? If you will implement that, maybe this bug should be closed as a duplicated?
Flags: needinfo?(jorendorff)
|
|
Assignee | |
Comment 20•9 years ago
|
||
Okay I double-checked the patch in Bug 1255128. There is a |ToNumber|, and maybe you already check the case of |!SameValueZero(numberLength, byteLength)| in the lines of |length != byteLength| and the over-sized case. If I read it correctly, maybe this should be closed.
|
|
||
Comment 21•9 years ago
|
||
Merging. Thanks for the tests, Greg.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•