Missing coverage: Resizable / Growable (Shared)ArrayBuffers: Object.defineProperty, Object.defineProperties, probably others

Open marjakh opened this issue 3 years ago • 0 comments

There was a bug in V8 where I hadn't modified Object.defineProperty / Object.defineProperties to deal with RAB / GSAB.

The repro is very simple:

```javascript
const gsab = new SharedArrayBuffer(1024, {maxByteLength: 11337});
const ta = new Float64Array(gsab);
Object.defineProperty(ta, 0, {});
```

Unfortunately, test262 didn't catch this, because it's not passing resizable / growable (Shared)ArrayBuffers to Object.defineProperty.

-> Would be great to have tests for this, and basically, all other places which need to handle RAB / GSABs.

A hand-wavy way to identify such places might be to see which places do something special with the "length" property of an object. Possibly via IsValidIntegerIndex.

cc @syg @sarahghp

marjakh, Mar 23 '22 09:03