From ba783aef9138c6a952b058e1a34ea7566f3ae74b Mon Sep 17 00:00:00 2001
From: Jeff Walden
Date: Mon, 2 Apr 2018 15:19:13 -0700
Subject: [PATCH] Add a test verifying that the OrdinaryCreateFromConstructor call in the DataView constructor is checked for underlying-buffer detachedness before its result is used.

---
 .../custom-proto-access-detaches-buffer.js | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 test/built-ins/DataView/custom-proto-access-detaches-buffer.js

diff --git a/test/built-ins/DataView/custom-proto-access-detaches-buffer.js b/test/built-ins/DataView/custom-proto-access-detaches-buffer.js
new file mode 100644
index 00000000000..d1fa8f5bad3
--- /dev/null
+++ b/test/built-ins/DataView/custom-proto-access-detaches-buffer.js
@@ -0,0 +1,35 @@
+// Copyright (C) 2018 Mozilla Corporation. All rights reserved.
+// This code is governed by the BSD license found in the LICENSE file.
+
+/*---
+author: Jeff Walden
+esid: sec-dataview-buffer-byteoffset-bytelength
+description: >
+  The `DataView` constructor shouldn't be able to return a `DataView` instance
+  backed by a detached `ArrayBuffer` when `OrdinaryCreateFromConstructor`
+  returns an instance so backed.
+info: |
+  `OrdinaryCreateFromConstructor` has the potential to invoke user-defined code
+  that may detach the `ArrayBuffer` intended to underlie the fresh instance.
+  Verify that a final is-detached check is performed before the new instance is
+  returned.
+features: [Reflect.construct]
+---*/
+
+var buffer = new ArrayBuffer(8);
+
+var called = false;
+var byteOffset = { valueOf() { called = true; return 0; } };
+
+var newTarget = function() {}.bind(null);
+Object.defineProperty(newTarget, "prototype", {
+  get() {
+    $262.detachArrayBuffer(buffer);
+    return DataView.prototype;
+  }
+});
+
+assert.throws(TypeError, function() {
+  Reflect.construct(DataView, [buffer, byteOffset], newTarget);
+});
+assert.sameValue(called, true);
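Review bot: The `prototype` getter calls `$262.detachArrayBuffer(buffer)` directly, so on a host that does not provide that hook the resulting "not a function" TypeError propagates out of `Reflect.construct` and satisfies `assert.throws(TypeError, ...)`, making the test pass without the buffer ever being detached. The harness helper avoids that vacuous pass because it raises a Test262Error when the hook is missing: add `includes: [detachArrayBuffer.js]` to the front matter and change the getter line to `$DETACHBUFFER(buffer);`. It would also help a reader to say why `assert.sameValue(called, true)` is there, e.g. `// A TypeError raised before byteOffset is coerced would satisfy assert.throws without reaching the post-OrdinaryCreateFromConstructor detached check.` For the same diagnostic reason, a flag set inside the getter and asserted after the throw would show that the detaching path actually ran rather than some earlier TypeError.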