Bug 1933727: Disallow preventExtensions for variable length typed arr…

…ays. r=jandem Adjust the error message, because it's now also used for non-proxy objects. Spec change: tc39/ecma262#3453 Test coverage: tc39/test262#4325 and tc39/test262#4324 Differential Revision: https://phabricator.services.mozilla.com/D230401
i3roly · Dec 2, 2024 · 7689cee · 7689cee
1 parent 6b6b1a4
commit 7689cee
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 1 deletion.
diff --git a/js/public/friend/ErrorNumbers.msg b/js/public/friend/ErrorNumbers.msg
@@ -752,7 +752,7 @@ MSG_DEF(JSMSG_CANT_DEFINE_WINDOW_ELEMENT, 0, JSEXN_TYPEERR, "can't define elemen
 MSG_DEF(JSMSG_CANT_DELETE_WINDOW_ELEMENT, 0, JSEXN_TYPEERR, "can't delete elements from a Window object")
 MSG_DEF(JSMSG_CANT_DEFINE_WINDOW_NAMED_PROPERTY, 1, JSEXN_TYPEERR, "can't define property {0} on window's named properties object")
 MSG_DEF(JSMSG_CANT_DELETE_WINDOW_NAMED_PROPERTY, 1, JSEXN_TYPEERR, "can't delete property {0} from window's named properties object")
-MSG_DEF(JSMSG_CANT_PREVENT_EXTENSIONS,   0, JSEXN_TYPEERR, "can't prevent extensions on this proxy object")
+MSG_DEF(JSMSG_CANT_PREVENT_EXTENSIONS,   0, JSEXN_TYPEERR, "can't prevent extensions on this object")
 MSG_DEF(JSMSG_CANT_DEFINE_WINDOW_NC,     0, JSEXN_TYPEERR, "can't define non-configurable property on WindowProxy")
 MSG_DEF(JSMSG_NO_NAMED_SETTER,           2, JSEXN_TYPEERR, "{0} doesn't have a named property setter for '{1}'")
 MSG_DEF(JSMSG_NO_INDEXED_SETTER,         2, JSEXN_TYPEERR, "{0} doesn't have an indexed property setter for '{1}'")

diff --git a/js/src/tests/jstests.list b/js/src/tests/jstests.list
@@ -671,6 +671,9 @@ skip script test262/staging/Intl402/Temporal/old/non-iso-calendars.js
 # https://github.com/tc39/test262/pull/4318
 skip script test262/intl402/DurationFormat/prototype/format/precision-exact-mathematical-values.js
 
+# https://github.com/tc39/test262/pull/4324
+skip script test262/built-ins/Object/freeze/typedarray-backed-by-resizable-buffer.js
+
 
 ##############################################
 # Enable Iterator Helpers tests in the shell #

diff --git a/js/src/vm/JSObject.cpp b/js/src/vm/JSObject.cpp
@@ -2019,6 +2019,23 @@ bool js::SetPrototype(JSContext* cx, HandleObject obj, HandleObject proto) {
   return SetPrototype(cx, obj, proto, result) && result.checkStrict(cx, obj);
 }
 
+/**
+ * IsTypedArrayFixedLength ( O )
+ *
+ * ES2025 draft rev 3e6f71c9402f91344ef9560425cc1e8fc45abf86
+ */
+static bool IsTypedArrayFixedLength(ResizableTypedArrayObject* obj) {
+  MOZ_ASSERT(obj->hasResizableBuffer());
+
+  // Step 1.
+  if (obj->isAutoLength()) {
+    return false;
+  }
+
+  // Steps 2-4.
+  return obj->isSharedMemory();
+}
+
 bool js::PreventExtensions(JSContext* cx, HandleObject obj,
                            ObjectOpResult& result) {
   if (obj->is<ProxyObject>()) {
@@ -2029,6 +2046,11 @@ bool js::PreventExtensions(JSContext* cx, HandleObject obj,
     return result.failCantPreventExtensions();
   }
 
+  if (obj->is<ResizableTypedArrayObject>() &&
+      !IsTypedArrayFixedLength(&obj->as<ResizableTypedArrayObject>())) {
+    return result.failCantPreventExtensions();
+  }
+
   if (!obj->nonProxyIsExtensible()) {
     // If the following assertion fails, there's somewhere else a missing
     // call to shrinkCapacityToInitializedLength() which needs to be found