From ceade351c5c7eae38cb4f9e0353320281256cbd4 Mon Sep 17 00:00:00 2001 From: Ben Noordhuis Date: Sun, 10 Dec 2023 21:40:44 +0100 Subject: [PATCH] Handle TypedArray detach during iteration Per spec: detaching the TA mid-iteration is allowed and should not not throw an exception. In the case of TypedArray.prototype.set, because iteration over the source array is observable, we cannot bail out early when the TA is first detached. --- quickjs.c | 8 +++++++- test262_errors.txt | 2 -- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/quickjs.c b/quickjs.c index 645440748..c2f299c48 100644 --- a/quickjs.c +++ b/quickjs.c @@ -48337,8 +48337,14 @@ static JSValue js_typed_array_set_internal(JSContext *ctx, val = JS_GetPropertyUint32(ctx, src_obj, i); if (JS_IsException(val)) goto fail; - if (JS_SetPropertyUint32(ctx, dst, offset + i, val) < 0) + // Per spec: detaching the TA mid-iteration is allowed and should + // not throw an exception. Because iteration over the source array is + // observable, we cannot bail out early when the TA is first detached. + if (typed_array_is_detached(ctx, p)) { + JS_FreeValue(ctx, val); + } else if (JS_SetPropertyUint32(ctx, dst, offset + i, val) < 0) { goto fail; + } } done: JS_FreeValue(ctx, src_obj); diff --git a/test262_errors.txt b/test262_errors.txt index 40596b6c5..c6d68d0fe 100644 --- a/test262_errors.txt +++ b/test262_errors.txt @@ -3,8 +3,6 @@ test262/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedYield-brok test262/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedYield-broken-promise-try-catch.js:39: strict mode: TypeError: $DONE() not called test262/test/built-ins/RegExp/lookahead-quantifier-match-groups.js:27: Test262Error: Expected [a, abc] and [a, undefined] to have the same contents. ? quantifier test262/test/built-ins/RegExp/lookahead-quantifier-match-groups.js:27: strict mode: Test262Error: Expected [a, abc] and [a, undefined] to have the same contents. ? quantifier -test262/test/built-ins/TypedArray/prototype/set/array-arg-targetbuffer-detached-on-get-src-value-no-throw.js:30: TypeError: out-of-bound numeric index (Testing with Float64Array.) -test262/test/built-ins/TypedArray/prototype/set/array-arg-targetbuffer-detached-on-get-src-value-no-throw.js:30: strict mode: TypeError: out-of-bound numeric index (Testing with Float64Array.) test262/test/built-ins/TypedArray/prototype/sort/sort-tonumber.js:30: TypeError: ArrayBuffer is detached (Testing with Float64Array.) test262/test/built-ins/TypedArray/prototype/sort/sort-tonumber.js:30: strict mode: TypeError: ArrayBuffer is detached (Testing with Float64Array.) test262/test/built-ins/TypedArrayConstructors/internals/DefineOwnProperty/BigInt/detached-buffer.js:46: Test262Error: (Testing with BigInt64Array.)