Prevent setting observable effects to [[ArrayLength]] #874

Closed
leobalter opened this Issue Apr 6, 2017 · 2 comments

leobalter commented Apr 6, 2017

While reviewing #870, I've got a question on whether we should define accessing [[ArrayLength]] right after an observable step.

For TypedArray#fill we should move the [[ArrayLength]] access to run before ToNumber(value)

1. Let O be the this value.
2. Perform ? ValidateTypedArray(O).
4. Let len be O.[[ArrayLength]].
3. Let value be ? ToNumber(value).
5. Let relativeStart be ? ToInteger(start).

The suggestion above allows an implementation to define what is done to [[ArrayLength]] if it gets a detached buffer.

See that TypedArray#length returns 0 if it has a detached buffer:

If IsDetachedBuffer(buffer) is true, return 0.
Let length be O.[[ArrayLength]].

ValidateAtomicAccess is the other case in the specs we can verify [[ArrayLength]] being accessed after an observable step where we do not check for a detached buffer.

ValidateAtomicAccess( typedArray, requestIndex )

1. Assert: typedArray is an Object that has a [[ViewedArrayBuffer]] internal slot.
2. Let accessIndex be ? ToIndex(requestIndex).
3. Let length be typedArray.[[ArrayLength]].
...

This one is tricky, because typedArray may already be detached before the observable ToIndex operation.

My suggestion is to access the length property for this case, while ValidateAtomicAccess is not a direct TypedArray operation and it can't protect it.

This way we may minimize the chances of weird effects:

ValidateAtomicAccess( typedArray, requestIndex )

1. Assert: typedArray is an Object that has a [[ViewedArrayBuffer]] internal slot.
2. Let accessIndex be ? ToIndex(requestIndex).
3. Let length be ? Get(typedArray, "length").
...
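The ordering problem discussed above, as an added example that is not part of this issue or of the spec text: ToNumber(value) is an observable step because a value with a valueOf method runs user code, and that code can detach the buffer the typed array views. The helpers `detach`, `fillWithObservableValue`, `benignCase` and `detachingCase` are names chosen for this example.

```javascript
// Added example (not from the issue or the spec): why the order of
// "Let len be O.[[ArrayLength]]" and "ToNumber(value)" in %TypedArray%.prototype.fill
// matters. valueOf runs user code, and that code can detach the ArrayBuffer.

// Detach a (non-shared) ArrayBuffer using standard APIs only.
function detach(buffer) {
  if (typeof buffer.transfer === 'function') {
    buffer.transfer(); // ES2024 ArrayBuffer.prototype.transfer
  } else {
    structuredClone(buffer, { transfer: [buffer] }); // Node 17+ and browsers
  }
}

// Runs ta.fill(value) where ToNumber(value) calls onValueOf(ta) before returning 7.
// Returns what an observer can see: the length before, inside and after the
// observable step, and the name of any error fill threw.
function fillWithObservableValue(ta, onValueOf) {
  const seen = { lengthBefore: ta.length, lengthInValueOf: null, lengthAfter: null, error: null };
  const value = {
    valueOf() {
      onValueOf(ta); // the observable side effect
      seen.lengthInValueOf = ta.length; // TypedArray#length reports 0 once detached
      return 7;
    },
  };
  try {
    ta.fill(value);
  } catch (e) {
    seen.error = e.constructor.name;
  }
  seen.lengthAfter = ta.length;
  return seen;
}

// Case 1: valueOf has no side effect, so fill behaves normally.
function benignCase() {
  const ta = new Uint8Array(new ArrayBuffer(4));
  const seen = fillWithObservableValue(ta, () => {});
  return { seen, contents: Array.from(ta) };
}

// Case 2: valueOf detaches the buffer. An engine must not keep writing with a
// stale [[ArrayLength]]; conformant engines throw a TypeError instead.
function detachingCase() {
  const ta = new Uint8Array(new ArrayBuffer(4));
  return fillWithObservableValue(ta, t => detach(t.buffer));
}

console.log(benignCase(), detachingCase());
```

The benign case fills all four elements with 7; the detaching case shows length dropping to 0 inside valueOf and fill rejecting the write with a TypeError rather than acting on a stale length.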
anba commented Apr 7, 2017

> For TypedArray#fill we should move the [[ArrayLength]] access to run before ToNumber(value)

Will be fixed in #866 (ae46560).

> ValidateAtomicAccess is the other case in the specs we can verify [[ArrayLength]] being accessed after an observable step where we do not check for a detached buffer.

See #870 (comment).

leobalter commented Apr 7, 2017

That's it, thanks!

@leobalter leobalter closed this Apr 7, 2017
