Normative: throw whenever creating TA from OOB TA #58
Conversation
There was a problem hiding this comment.
It is an invariant, unfortunately unstated, that lengths on ABs should only be read after a detached check, so it's not right to read the length via IsIntegerIndexedObjectOutOfBounds before doing a detached check.
The right fix here is to also modify the CloneArrayBuffer AO to call IsIntegerIndexedObjectOutOfBounds after it checks IsDetachedBuffer.
Ah, I didn't know about that. Step 4 of InitializeTypedArrayFromTypedArray reads:
Does that not satisfy the invariant? Should we remove the corresponding "out of bounds" check from SetTypedArrayFromTypedArray?
That crossed my mind, but CloneArrayBuffer is currently agnostic of any particular view of the buffer. I think fully embracing this change would involve rewriting the signature to accept just the TypedArray instance and the "byteLength getter" closure since they make the existing parameters redundant. That's a little more drastic than simply adding a couple parameters, but then again, there are only two call sites in all of ECMA262. Does it sound correct to you? |
|
Oh, looks like CloneArrayBuffer will need to keep the cloneConstructor parameter |
Unfortunately no, because step 15.a, the species construction, can call arbitrary user code which could detach or resize the source buffer, thus the need for a second IsDetached check (and second, missed OOB check).
Yes, I think you are correct. The idea is to put IsDetached and OOB checks immediately before the buffer needs to be accessed, after all other calls that may end up executing arbitrary user code have already been made. Let me know if you're up for doing this PR, much appreciated if so. |
|
I wonder if we should just combine the detachedness and OOB checks into a single AO so we don't miss anything. Need to think through if that has adverse implications. |
I'm up for it! I'll push modifications to this pull request unless you'd prefer a new one.
Oh, good point. We should definitely have tests in Test262 which detach the buffer in the species constructor. I almost missed that!
Why is that an unstated invariant rather than a formally-enforced requirement via a normative step in ArrayBufferByteLength or MakeIdempotentArrayBufferByteLengthGetter? |
I spoke too soon--we already have tests for that:
Nice work as usual, @anba :) |
|
@syg Pinging in case you missed my previous comment. The answer to that question may help me make the change you have in mind. |
|
Thanks for the ping.
You mean why doesn't ArrayBufferByteLength do its own detach checks? Because we also want to minimize the number of detach checks. You only want to do a single detach check after each "might have called arbitrary user code" point, including the beginning. You can argue that it's fine to just do checks excessively in the spec, since it can be coalesced by the implementation if it's not observable. That's true, but I prefer the editorial direction of minimizing the number of detach checks and asserting when we expect a non-detached AB. Mainly, I don't want steps that can throw to be obviously omittable. Even if ArrayBufferByteLength did its own detach check, I'd want judicious uses of Does this give you enough info to make progress? |
|
Yes! I'm relieved to read your rationale because although I'm not an implementer, I appreciate the policy. And speaking as a test maintainer specifically, limiting uneccessary branches makes reasoning about coverage far easier. |
|
Relocating buffer attachedness checks inside the out-of-bounds operations is a little more nuanced than I expected, so I opened a separate pull request to demonstrate that: #66 |
|
Superseded by gh-72. |
No description provided.