Fix Object.defineProperty with RAB typed arrays (#1067)

bnoordhuis · web-flow · commit d6d0a6df122b · 2025-05-25T20:23:35.000+02:00
Fix handling inside Object.defineProperty and Object.defineProperties of
length-tracking typed arrays whose backing resizable arraybuffers have
been shrunk. Check against the actual element count rather than the
original element count.

Not an OOB read or write because no memory is accessed, it just didn't
throw the expected TypeError exception.
diff --git a/quickjs.c b/quickjs.c
@@ -9726,7 +9726,7 @@ int JS_DefineProperty(JSContext *ctx, JSValueConst this_obj,
             }
             idx = __JS_AtomToUInt32(prop);
             /* if the typed array is detached, p->u.array.count = 0 */
-            if (idx >= typed_array_get_length(ctx, p)) {
+            if (idx >= p->u.array.count) {
             typed_array_oob:
                 return JS_ThrowTypeErrorOrFalse(ctx, flags, "out-of-bound index in typed array");
             }
diff --git a/test262_errors.txt b/test262_errors.txt
@@ -18,14 +18,6 @@ test262/test/built-ins/AsyncFromSyncIteratorPrototype/throw/throw-undefined-retu
 test262/test/built-ins/AsyncFromSyncIteratorPrototype/throw/throw-undefined-return-not-object.js:72: strict mode: TypeError: $DONE() not called
 test262/test/built-ins/AsyncFromSyncIteratorPrototype/throw/throw-undefined-return-object.js:66: TypeError: $DONE() not called
 test262/test/built-ins/AsyncFromSyncIteratorPrototype/throw/throw-undefined-return-object.js:66: strict mode: TypeError: $DONE() not called
-test262/test/built-ins/Object/defineProperties/typedarray-backed-by-resizable-buffer.js:20: Test262Error: Expected a TypeError to be thrown but no exception was thrown at all
-test262/test/built-ins/Object/defineProperties/typedarray-backed-by-resizable-buffer.js:20: strict mode: Test262Error: Expected a TypeError to be thrown but no exception was thrown at all
-test262/test/built-ins/Object/defineProperty/coerced-P-grow.js:45: TypeError: out-of-bound index in typed array
-test262/test/built-ins/Object/defineProperty/coerced-P-grow.js:45: strict mode: TypeError: out-of-bound index in typed array
-test262/test/built-ins/Object/defineProperty/coerced-P-shrink.js:16: Test262Error: Expected a TypeError to be thrown but no exception was thrown at all
-test262/test/built-ins/Object/defineProperty/coerced-P-shrink.js:16: strict mode: Test262Error: Expected a TypeError to be thrown but no exception was thrown at all
-test262/test/built-ins/Object/defineProperty/typedarray-backed-by-resizable-buffer.js:18: Test262Error: Expected a TypeError to be thrown but no exception was thrown at all
-test262/test/built-ins/Object/defineProperty/typedarray-backed-by-resizable-buffer.js:18: strict mode: Test262Error: Expected a TypeError to be thrown but no exception was thrown at all
 test262/test/built-ins/RegExp/prototype/exec/regexp-builtin-exec-v-u-flag.js:45: Test262Error: Actual argument shouldn't be nullish. Unicode property escapes with v flag
 test262/test/built-ins/RegExp/prototype/exec/regexp-builtin-exec-v-u-flag.js:45: strict mode: Test262Error: Actual argument shouldn't be nullish. Unicode property escapes with v flag
 test262/test/built-ins/RegExp/unicodeSets/generated/rgi-emoji-16.0.js:16: Test262Error: `\p{RGI_Emoji}` should match 🇨🇶 (U+01F1E8 U+01F1F6)

Original file line number	Diff line number	Diff line change
`@@ -9726,7 +9726,7 @@ int JS_DefineProperty(JSContext *ctx, JSValueConst this_obj,`
`9726`	`9726`	`}`
`9727`	`9727`	`idx = __JS_AtomToUInt32(prop);`
`9728`	`9728`	`/* if the typed array is detached, p->u.array.count = 0 */`
`9729`		`- if (idx >= typed_array_get_length(ctx, p)) {`
	`9729`	`+ if (idx >= p->u.array.count) {`
`9730`	`9730`	`typed_array_oob:`
`9731`	`9731`	`return JS_ThrowTypeErrorOrFalse(ctx, flags, "out-of-bound index in typed array");`
`9732`	`9732`	`}`