Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[JSC] Update resizable ArrayBuffer based on spec update #6956

Merged
merged 1 commit into from Nov 30, 2022
Merged

[JSC] Update resizable ArrayBuffer based on spec update #6956

merged 1 commit into from Nov 30, 2022

Conversation

Constellation
Copy link
Member

@Constellation Constellation commented Nov 30, 2022
edited by webkit-early-warning-system

ba8ba25

[JSC] Update resizable ArrayBuffer based on spec update
https://bugs.webkit.org/show_bug.cgi?id=248511
rdar://102793557

Reviewed by Ross Kirsling.

* LayoutTests/js/dom/resizable-array-buffer-view-serialization-out-of-bounds-expected.txt:
* LayoutTests/js/dom/resizable-array-buffer-view-serialization-out-of-bounds-explicit-length-expected.txt:
* LayoutTests/js/dom/resizable-array-buffer-view-serialization-out-of-bounds-explicit-length.html:
* LayoutTests/js/dom/resizable-array-buffer-view-serialization-out-of-bounds.html:
* LayoutTests/js/dom/resizable-data-view-serialization-out-of-bounds-expected.txt: Added.
* LayoutTests/js/dom/resizable-data-view-serialization-out-of-bounds-explicit-length-expected.txt: Added.
* LayoutTests/js/dom/resizable-data-view-serialization-out-of-bounds-explicit-length.html: Copied from LayoutTests/js/dom/resizable-array-buffer-view-serialization-out-of-bounds-explicit-length.html.
* LayoutTests/js/dom/resizable-data-view-serialization-out-of-bounds.html: Copied from LayoutTests/js/dom/resizable-array-buffer-view-serialization-out-of-bounds.html.
* Source/JavaScriptCore/runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::isDetached const):
(JSC::JSArrayBufferView::byteOffset const):
(JSC::JSArrayBufferView::isOutOfBounds const): Add isOutOfBounds, function aligned to spec's IsArrayBufferViewOutOfBounds. Used in SerializedScriptValue.
(JSC::JSArrayBufferView::isDetached): Deleted.
* Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:
(JSC::isArrayBufferViewOutOfBounds):
(JSC::isIntegerIndexedObjectOutOfBounds):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncSet): This is not actually changing the behavior, but more aligned to the latest spec's change.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::dumpArrayBufferView): We reject OOB ArrayBuffer based on discussion in [1].

[1]: whatwg/html#8559

Canonical link: https://commits.webkit.org/257178@main

78558b5

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe βœ… πŸ›  πŸ§ͺ win
βœ… πŸ§ͺ bindings βœ… πŸ›  ios-sim βœ… πŸ›  mac-debug   πŸ›  gtk βœ… πŸ›  wincairo
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2 βœ… πŸ›  mac-AS-debug ❌ πŸ§ͺ gtk-wk2
βœ… πŸ§ͺ api-ios   πŸ§ͺ api-mac   πŸ§ͺ api-gtk
βœ… πŸ›  πŸ§ͺ jsc βœ… πŸ›  tv   πŸ§ͺ mac-wk1 βœ… πŸ›  jsc-armv7
βœ… πŸ›  tv-sim   πŸ§ͺ mac-wk2 βœ… πŸ§ͺ jsc-armv7-tests
βœ… πŸ›  watch   πŸ§ͺ mac-AS-debug-wk2 βœ… πŸ›  jsc-mips
βœ… πŸ›  πŸ§ͺ unsafe-merge βœ… πŸ›  watch-sim βœ… πŸ§ͺ mac-wk2-stress βœ… πŸ§ͺ jsc-mips-tests

@Constellation Constellation requested review from cdumez and a team as code owners November 30, 2022 02:11
@Constellation Constellation self-assigned this Nov 30, 2022
@Constellation Constellation added the JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues. label Nov 30, 2022
@webkit-early-warning-system
Copy link
Collaborator

EWS run on current version of this PR (hash 78558b5)

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe βœ… πŸ›  πŸ§ͺ win
βœ… πŸ§ͺ bindings βœ… πŸ›  ios-sim βœ… πŸ›  mac-debug   πŸ›  gtk βœ… πŸ›  wincairo
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2 βœ… πŸ›  mac-AS-debug ❌ πŸ§ͺ gtk-wk2
βœ… πŸ§ͺ api-ios   πŸ§ͺ api-mac   πŸ§ͺ api-gtk
βœ… πŸ›  πŸ§ͺ jsc βœ… πŸ›  tv   πŸ§ͺ mac-wk1 βœ… πŸ›  jsc-armv7
βœ… πŸ›  tv-sim   πŸ§ͺ mac-wk2 βœ… πŸ§ͺ jsc-armv7-tests
βœ… πŸ›  watch   πŸ§ͺ mac-AS-debug-wk2 βœ… πŸ›  jsc-mips
βœ… πŸ›  πŸ§ͺ unsafe-merge βœ… πŸ›  watch-sim βœ… πŸ§ͺ mac-wk2-stress βœ… πŸ§ͺ jsc-mips-tests

rkirsling
rkirsling approved these changes Nov 30, 2022
View reviewed changes
Copy link
Member

@rkirsling rkirsling left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

r=me with a question

Source/JavaScriptCore/runtime/JSArrayBufferView.h
// https://tc39.es/proposal-resizablearraybuffer/#sec-isarraybufferviewoutofbounds
if (UNLIKELY(isDetached()))
return true;
if (LIKELY(!isResizableNonShared()))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like this is a SAB check in the spec textβ€”do we have some additional assumption at play?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are three arrays,

  1. resizable
  2. growable
  3. normal
    And only (1) can be OOB status. (2) is growing only, and (3) is valid or detached.

@Constellation Constellation added the unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing label Nov 30, 2022
@Constellation
[JSC] Update resizable ArrayBuffer based on spec update
ba8ba25 
https://bugs.webkit.org/show_bug.cgi?id=248511
rdar://102793557

Reviewed by Ross Kirsling.

* LayoutTests/js/dom/resizable-array-buffer-view-serialization-out-of-bounds-expected.txt:
* LayoutTests/js/dom/resizable-array-buffer-view-serialization-out-of-bounds-explicit-length-expected.txt:
* LayoutTests/js/dom/resizable-array-buffer-view-serialization-out-of-bounds-explicit-length.html:
* LayoutTests/js/dom/resizable-array-buffer-view-serialization-out-of-bounds.html:
* LayoutTests/js/dom/resizable-data-view-serialization-out-of-bounds-expected.txt: Added.
* LayoutTests/js/dom/resizable-data-view-serialization-out-of-bounds-explicit-length-expected.txt: Added.
* LayoutTests/js/dom/resizable-data-view-serialization-out-of-bounds-explicit-length.html: Copied from LayoutTests/js/dom/resizable-array-buffer-view-serialization-out-of-bounds-explicit-length.html.
* LayoutTests/js/dom/resizable-data-view-serialization-out-of-bounds.html: Copied from LayoutTests/js/dom/resizable-array-buffer-view-serialization-out-of-bounds.html.
* Source/JavaScriptCore/runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::isDetached const):
(JSC::JSArrayBufferView::byteOffset const):
(JSC::JSArrayBufferView::isOutOfBounds const): Add isOutOfBounds, function aligned to spec's IsArrayBufferViewOutOfBounds. Used in SerializedScriptValue.
(JSC::JSArrayBufferView::isDetached): Deleted.
* Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:
(JSC::isArrayBufferViewOutOfBounds):
(JSC::isIntegerIndexedObjectOutOfBounds):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncSet): This is not actually changing the behavior, but more aligned to the latest spec's change.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::dumpArrayBufferView): We reject OOB ArrayBuffer based on discussion in [1].

[1]: whatwg/html#8559

Canonical link: https://commits.webkit.org/257178@main
@webkit-early-warning-system webkit-early-warning-system force-pushed the eng/JSC-Update-resizable-ArrayBuffer-based-on-spec-update branch from 78558b5 to ba8ba25 Compare November 30, 2022 15:34
@webkit-commit-queue
Copy link
Collaborator

Committed 257178@main (ba8ba25): https://commits.webkit.org/257178@main

Reviewed commits have been landed. Closing PR #6956 and removing active labels.

@webkit-early-warning-system webkit-early-warning-system merged commit ba8ba25 into WebKit:main Nov 30, 2022
@webkit-commit-queue webkit-commit-queue removed the unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing label Nov 30, 2022
@Constellation Constellation deleted the eng/JSC-Update-resizable-ArrayBuffer-based-on-spec-update branch November 30, 2022 17:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rkirsling rkirsling rkirsling approved these changes

@cdumez cdumez Awaiting requested review from cdumez cdumez is a code owner

Assignees

@Constellation Constellation

Labels
JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues.
Projects
None yet
Milestone
No milestone
4 participants
@Constellation @webkit-early-warning-system @webkit-commit-queue @rkirsling