JSC should throw an exception when BigUint64Array copy value from Int…

…32Array https://bugs.webkit.org/show_bug.cgi?id=263954 rdar://117816146 Reviewed by Yusuke Suzuki. BigInt array set for non-BigInt typed array should throw exceptions. So, we shouldn't copy non-BigInt values from other typed array to BigInt for TypedArray.prototype.set. * JSTests/stress/bigint-array-set.js: Added. (i.catch): * Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h: (JSC::JSGenericTypedArrayView<Adaptor>::copyFromInt32ShapeArray): (JSC::JSGenericTypedArrayView<Adaptor>::copyFromDoubleShapeArray): (JSC::JSGenericTypedArrayView<Adaptor>::setFromArrayLike): Canonical link: https://commits.webkit.org/270133@main
WebKit · Nov 2, 2023 · 0e57459 · 0e57459
1 parent 813aa28
commit 0e57459
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/JSTests/stress/bigint-array-set.js b/JSTests/stress/bigint-array-set.js
@@ -0,0 +1,14 @@
+//@ runDefault("--jitPolicyScale=0")
+for (let i = 1; i < 1e3; i++) {
+    const v2 = [1000];
+    const v4 = new BigUint64Array(i);
+    let thrown = false;
+    try {
+        v4.set(v2);
+    } catch (e6) {
+        thrown = true;
+    }
+    if (!thrown)
+        throw new Error("bad");
+    Object.defineProperty(v2, 10, { writable: true, value: 10 });
+}
diff --git a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
@@ -347,7 +347,7 @@ void JSGenericTypedArrayView<Adaptor>::copyFromInt32ShapeArray(size_t offset, JS
 {
     ASSERT(canAccessRangeQuickly(offset, length));
     ASSERT((array->indexingType() & IndexingShapeMask) == Int32Shape);
-    ASSERT(Adaptor::typeValue != TypeBigInt64 || Adaptor::typeValue != TypeBigUint64);
+    ASSERT(Adaptor::typeValue != TypeBigInt64 && Adaptor::typeValue != TypeBigUint64);
     ASSERT((length + objectOffset) <= array->length());
     ASSERT(array->isIteratorProtocolFastAndNonObservable());
 
@@ -380,7 +380,7 @@ void JSGenericTypedArrayView<Adaptor>::copyFromDoubleShapeArray(size_t offset, J
 {
     ASSERT(canAccessRangeQuickly(offset, length));
     ASSERT((array->indexingType() & IndexingShapeMask) == DoubleShape);
-    ASSERT(Adaptor::typeValue != TypeBigInt64 || Adaptor::typeValue != TypeBigUint64);
+    ASSERT(Adaptor::typeValue != TypeBigInt64 && Adaptor::typeValue != TypeBigUint64);
     ASSERT((length + objectOffset) <= array->length());
     ASSERT(array->isIteratorProtocolFastAndNonObservable());
 
@@ -411,7 +411,7 @@ bool JSGenericTypedArrayView<Adaptor>::setFromArrayLike(JSGlobalObject* globalOb
     size_t safeUnadjustedLength = std::min(length, static_cast<size_t>(MAX_ARRAY_INDEX) + 1);
     size_t safeLength = objectOffset <= safeUnadjustedLength ? safeUnadjustedLength - objectOffset : 0;
 
-    if constexpr (TypedArrayStorageType != TypeBigInt64 || TypedArrayStorageType != TypeBigUint64) {
+    if constexpr (TypedArrayStorageType != TypeBigInt64 && TypedArrayStorageType != TypeBigUint64) {
         if (JSArray* array = jsDynamicCast<JSArray*>(object); LIKELY(array && isJSArray(array))) {
             if (safeLength == length && (safeLength + objectOffset) <= array->length() && array->isIteratorProtocolFastAndNonObservable()) {
                 IndexingType indexingType = array->indexingType() & IndexingShapeMask;