archives

« Bugzilla Issues Index

#4004 — 22.2.3.22.1 %TypedArray%.prototype.set: Remove length integer validation and use ToLength ?

• bug_id: 4004
• creation_ts: 2015-02-18 15:07:00 -0800
• short_desc: 22.2.3.22.1 %TypedArray%.prototype.set: Remove length integer validation and use ToLength ?
• delta_ts: 2015-02-19 19:10:51 -0800
• product: Draft for 6th Edition
• component: technical issue
• version: Rev 33: February 12, 2015 Draft
• rep_platform: All
• op_sys: All
• bug_status: RESOLVED
• resolution: FIXED
• priority: Normal
• bug_severity: enhancement
• everconfirmed: true
• reporter: André Bargull
• assigned_to: Allen Wirfs-Brock

---

• commentid: 12932
• comment_count: 0
• who: André Bargull
• bug_when: 2015-02-18 15:07:30 -0800

22.2.3.22.1 %TypedArray%.prototype.set

Steps 18-22

Maybe change to:
---
Let srcLength be ToLength(Get(src, "length")).
ReturnIfAbrupt(srcLength).
---

for consistency with other %TypedArray% methods which access "length" on an input value.

---

• commentid: 12947
• comment_count: 1
• who: Allen Wirfs-Brock
• bug_when: 2015-02-18 16:09:40 -0800

ToLength would loose the <0 exception in step 22.

However, it does appear that the numerLength != srcLength isn't wanted, so I fixed that

---

• commentid: 12949
• comment_count: 2
• who: André Bargull
• bug_when: 2015-02-18 16:23:00 -0800

(In reply to Allen Wirfs-Brock from comment #1)
> ToLength would loose the <0 exception in step 22.

Why is it important to handle negative length values in this method? For example when you call `new Int8Array({length: -10})` the negative length is simply clamped to zero.

---

• commentid: 12952
• comment_count: 3
• who: Allen Wirfs-Brock
• bug_when: 2015-02-18 16:34:58 -0800

(In reply to André Bargull from comment #2)
> (In reply to Allen Wirfs-Brock from comment #1)
> > ToLength would loose the <0 exception in step 22.
>
> Why is it important to handle negative length values in this method? For
> example when you call `new Int8Array({length: -10})` the negative length is
> simply clamped to zero.

Here's what I get in FF:

new Int8Array({length: -10});
/*
Exception: size and count too large
@Scratchpad/1:1:2
*/

which suggests it is doing a ToUint32 conversion on length

If it really is interop crazy land out there WRT these things, maybe we can consistently use the ToLength conversion

---

• commentid: 12960
• comment_count: 4
• who: André Bargull
• bug_when: 2015-02-19 03:49:00 -0800

(In reply to Allen Wirfs-Brock from comment #3)
> If it really is interop crazy land out there WRT these things, maybe we can
> consistently use the ToLength conversion

JavaScriptCore and SpiderMonkey use ToUint32:
https://github.com/WebKit/webkit/blob/d8a2db3a06fee9ea133698eaad030f3a9d7b2cb2/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeInlines.h#L59
https://dxr.mozilla.org/mozilla-central/source/js/src/vm/TypedArrayCommon.h#695-697

V8 uses... err nothing?
https://github.com/v8/v8-git-mirror/blob/64a2717529e2197f3a789adabf86ca36f5eb764c/src/typedarray.js#L275-L288
https://github.com/v8/v8-git-mirror/blob/64a2717529e2197f3a789adabf86ca36f5eb764c/src/typedarray.js#L190-L201

From the v8 shell:
d8> new Int8Array(10).set({length: {valueOf: function(){ print("aah"); return 5; }}})
aah
aah
aah
aah
aah
aah
aah

---

• commentid: 12977
• comment_count: 5
• who: Allen Wirfs-Brock
• bug_when: 2015-02-19 11:47:27 -0800

in rev34 editor's draft

switched to ToLength.

---

• commentid: 13002
• comment_count: 6
• who: Allen Wirfs-Brock
• bug_when: 2015-02-19 19:10:51 -0800

fixed in rev34