
Missing coverage: Resizable / GrowableSharedArrayBuffers: parameter conversion resizes the underlying buffer

Open · marjakh opened this issue 4 years ago · 1 comment

In most TypedArray.prototype funcs, it's possible that the underlying ArrayBuffer gets resized when we're converting the parameters.

E.g., for TypedArray.prototype.fill:

  1. Let O be the this value.
  2. Perform ? ValidateTypedArray(O).
  3. Let len be O.[[ArrayLength]]. <<< Reading length here
  4. If O.[[ContentType]] is BigInt, set value to ? ToBigInt(value).
  5. Otherwise, set value to ? ToNumber(value).
  6. Let relativeStart be ? ToIntegerOrInfinity(start). <<<< This might resize the buffer

Further, some TypedArray.prototype funcs take a callback as a parameter and that callback might resize the AB.

v8 has tests for these cases here: https://source.chromium.org/chromium/chromium/src/+/main:v8/test/mjsunit/typedarray-resizablearraybuffer.js;l=1?ss=chromium

(Search for "ParameterConversionResizes" and "GrowMidIteration" / "ShrinkMidIteration".)

Getting this right is security critical, so it would be great to have test262 tests.

cc @jugglinmike

marjakh · Oct 06 '21 11:10
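Both hazards from the post above, as an added example that is not from the issue, from V8 or from test262's suite: the `start` parameter of `fill` shrinks a resizable ArrayBuffer during `ToIntegerOrInfinity`, after step 3 has already read `[[ArrayLength]]`, and a `forEach` callback shrinks it mid-iteration. It assumes an engine with resizable ArrayBuffer support (Node 20 or newer); the function names are this example's own.

```javascript
// Added example, not code from the issue or from test262.
// Assumption: the engine supports resizable ArrayBuffers (Node 20+);
// older engines get { supported: false } instead of a crash.
const hasResizable = typeof ArrayBuffer.prototype.resize === "function";

// Case 1: the buffer is shrunk from inside the conversion of fill()'s `start`
// (spec step 6), after fill() read [[ArrayLength]] in step 3.
function fillWithShrinkingStart() {
  if (!hasResizable) return { supported: false };
  const rab = new ArrayBuffer(16, { maxByteLength: 32 });
  const ta = new Uint8Array(rab);       // length-tracking view: 16 elements
  const lengthBefore = ta.length;       // what step 3 observes: 16
  let shrunk = false;
  const start = {
    valueOf() {                         // runs during ToIntegerOrInfinity(start)
      rab.resize(4);                    // buffer is now 4 bytes
      shrunk = true;
      return 0;
    },
  };
  ta.fill(7, start);                    // a conforming engine re-reads the length and clamps
  return {
    supported: true,
    lengthBefore,
    shrunk,
    lengthAfter: ta.length,             // 4: the view tracks the new length
    bytes: Array.from(new Uint8Array(rab)), // [7, 7, 7, 7]: nothing written past byte 4
  };
}

// Case 2: a forEach callback shrinks the buffer mid-iteration. `len` was fixed
// at entry (8), so the later indices are still visited but read as undefined.
function forEachWithShrinkMidIteration() {
  if (!hasResizable) return { supported: false };
  const rab = new ArrayBuffer(8, { maxByteLength: 16 });
  const ta = new Uint8Array(rab);
  for (let i = 0; i < ta.length; i++) ta[i] = i;   // constructed contents 0..7
  const visited = [];
  ta.forEach((v, i) => {
    if (i === 2) rab.resize(4);         // shrink while the loop is running
    visited.push(v);                    // indices 4..7 now yield undefined
  });
  return { supported: true, visited };  // [0, 1, 2, 3, undefined x4]
}
```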

This also applies to things like SpeciesCreate resizing the buffer (in TypedArray.prototype functions which use it), or the "array-like" getter resizing the buffer in SetTypedArrayFromArrayLike.

Also cc @sarahghp

marjakh · Jan 24 '22 12:01