Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Normative: Recompute count in TA.p.slice #3255

Merged
merged 1 commit into from
Jan 11, 2024
Merged

Normative: Recompute count in TA.p.slice #3255

merged 1 commit into from
Jan 11, 2024

Conversation

syg
Copy link
Contributor

@syg syg commented Jan 11, 2024

Closes #3248.

The current algorithm has a bug that can result in OOB reads in the source TA, because count is not correctly recomputed when the source TA is resized during evaluation of the species constructor.

(It is currently bounded by len, which is recomputed, but this is incorrect because the bounds of the copy loop is not on the length, but instead on how many bytes need to be copied.)

@syg syg requested a review from a team January 11, 2024 00:58
@syg
Copy link
Contributor Author

syg commented Jan 11, 2024

This is a bug fix and so is normative, but does not need consensus since it is obviously a bug.

michaelficarra
michaelficarra approved these changes Jan 11, 2024
View reviewed changes
Copy link
Member

@michaelficarra michaelficarra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM otherwise

@syg syg added spec bug ready to merge Editors believe this PR needs no further reviews, and is ready to land. labels Jan 11, 2024
@ljharb ljharb added the normative change Affects behavior required to correctly evaluate some ECMAScript source text label Jan 11, 2024
@syg @ljharb
Normative: Recompute count in TA.p.slice (tc39#3255)
22de374 
Closes tc39#3248.

The current algorithm has a bug that can result in OOB reads in the
source TA, because _count_ is not correctly recomputed when the source
TA is resized during evaluation of the species constructor.

(It is currently bounded by _len_, which is recomputed, but this is
incorrect because the bounds of the copy loop is not on the length, but
instead on how many bytes need to be copied.)
@ljharb ljharb merged commit 22de374 into tc39:main Jan 11, 2024
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bakkot bakkot bakkot approved these changes

@michaelficarra michaelficarra michaelficarra approved these changes

Assignees
No one assigned
Labels
normative change Affects behavior required to correctly evaluate some ECMAScript source text ready to merge Editors believe this PR needs no further reviews, and is ready to land. spec bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

%TypedArray%.prototype.slice does not completely account for the original TA's size changing
4 participants
@syg @michaelficarra @bakkot @ljharb