Inconsistent treatment with long negative number #4978

igor-simoes · 2018-04-12T17:20:56Z

Hello everyone,
I found a bug that could be one case of "inconsistent treatment/check of pre-conditions" with long negative number.

Chakra version: 1.9.0.0
OS: Ubuntu 16.04 x64

Steps to reproduce:

Run this code

var buffer = new ArrayBuffer(64);
var view = new DataView(buffer);
view.setInt8(0,0x80);
print(view.getInt8(-1770523502845470856862803727694) === -0x80);

Expected output:
An exception with an invalid or out-of-range index

Actual results:
true

V8, SpiderMonkey and JavascriptCore shows expected results. Chakra always returns the value -128 for a long negative number on getInt8 function, note that converting -0x80 to decimal value we obtain -128 too.

cinfuzz

The text was updated successfully, but these errors were encountered:

rhuanjl · 2018-04-12T17:54:38Z

All the get and set methods in DataView.cpp seem to use ToUInt32 on the offset argument they're provided, per spec looks like they should use toIndex https://tc39.github.io/ecma262/#sec-toindex which would throw range errors for any negative.

I'll make a PR to fix this.

rhuanjl mentioned this issue Apr 12, 2018

Dataview set/get negative index throw RangeError Fixes: #4978 #4981

Merged

dilijev added Bug Severity: 2 labels Apr 14, 2018

chakrabot closed this as completed in 39e92ca Apr 20, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Inconsistent treatment with long negative number #4978

Inconsistent treatment with long negative number #4978

igor-simoes commented Apr 12, 2018 •

edited

rhuanjl commented Apr 12, 2018 •

edited

Inconsistent treatment with long negative number #4978

Inconsistent treatment with long negative number #4978

Comments

igor-simoes commented Apr 12, 2018 • edited

rhuanjl commented Apr 12, 2018 • edited

igor-simoes commented Apr 12, 2018 •

edited

rhuanjl commented Apr 12, 2018 •

edited