
Commit b9991bd

[MERGE chakra-core#919] Memset: Native arrays typecheck and missing item check
Merge pull request chakra-core#919 from Cellule:memset/float_type Memset with native float arrays needs to check the type of the source because we can do `nativearray[i] = var` and bail out after the fact if the source was not a float (i.e., it changes the type of the array). Since memset will not change the type of the array, it needs to check beforehand that the source is actually a float or int and bail out if not. Additionally, I added a check for `IsMissingItem` for native int and float arrays.
2 parents 8c6d96a + 30bd6a8 commit b9991bd

1 file changed

Lines changed: 20 additions & 2 deletions


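--- a/lib/Runtime/Language/JavascriptOperators.cpp
+++ b/lib/Runtime/Language/JavascriptOperators.cpp
@@ -4685,11 +4685,29 @@ namespace Js
             }
             else if (instanceType == TypeIds_NativeIntArray)
             {
-                returnValue = JavascriptArray::FromVar(instance)->DirectSetItemAtRange<int32>(start, length, JavascriptConversion::ToInt32(value, scriptContext));
+                // Only accept tagged int. Also covers case for MissingItem
+                if (!TaggedInt::Is(value))
+                {
+                    return false;
+                }
+                int32 intValue = JavascriptConversion::ToInt32(value, scriptContext);
+                returnValue = JavascriptArray::FromVar(instance)->DirectSetItemAtRange<int32>(start, length, intValue);
             }
             else
             {
-                returnValue = JavascriptArray::FromVar(instance)->DirectSetItemAtRange<double>(start, length, JavascriptConversion::ToNumber(value, scriptContext));
+                // For native float arrays, the jit doesn't check the type of the source so we have to do it here
+                if (!JavascriptNumber::Is(value) && !TaggedNumber::Is(value))
+                {
+                    return false;
+                }
+
+                double doubleValue = JavascriptConversion::ToNumber(value, scriptContext);
+                // Special case for missing item
+                if (SparseArraySegment<double>::IsMissingItem(&doubleValue))
+                {
+                    return false;
+                }
+                returnValue = JavascriptArray::FromVar(instance)->DirectSetItemAtRange<double>(start, length, doubleValue);
             }
             returnValue &= vt == VirtualTableInfoBase::GetVirtualTable(instance);
         }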
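Review bot: The three new `return false` statements (new lines 4691, 4701 and 4708) leave the function by a different path than the existing `returnValue` accumulation, so they skip the trailing `returnValue &= vt == VirtualTableInfoBase::GetVirtualTable(instance);` and whatever follows the closing brace; the enclosing function starts and ends outside the hunk, so I cannot see whether anything after this block (cleanup, bookkeeping) was always reached on the old single-assignment path. Since no element has been written when the type check fails, skipping the virtual-table check itself is harmless, but the intent should be stated so the next reader does not "fix" it into the `returnValue` flow, e.g. on the float branch `// Nothing has been written yet: return false so the caller takes the generic (non-memset) path`. The int-branch comment `// Only accept tagged int. Also covers case for MissingItem` relies on the native-int missing-item sentinel not being representable as a tagged int; if that is the invariant being relied on, spell it out rather than leaving it implied, since the float branch needs an explicit `IsMissingItem` check and a reader will wonder why the int branch does not.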
