Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding explicit number conversion to %TypedArray%.prototype.sort #1000

Merged
merged 3 commits into from
Sep 13, 2017
Merged

Adding explicit number conversion to %TypedArray%.prototype.sort #1000

merged 3 commits into from
Sep 13, 2017

Conversation

natashenka
Copy link
Contributor

Clarifying that conversion to a number from comparefn should occur before the detachment check. This ambiguity led to this security problem: https://bugs.chromium.org/p/project-zero/issues/detail?id=983

@anba
Copy link
Contributor

anba commented Sep 13, 2017

Can you merge this into a single step:

Let v be ? ToNumber(? Call(comparefn, undefined, « x, y »)).

for consistency with the SortCompare algorithm in 22.1.3.25.1? Thanks!

ljharb
ljharb requested changes Sep 13, 2017
View reviewed changes
spec.html Outdated
@@ -33221,7 +33221,7 @@
<emu-alg>
1. Assert: Both Type(_x_) and Type(_y_) is Number.
1. If _comparefn_ is not *undefined*, then
1. Let _v_ be ? Call(_comparefn_, *undefined*, &laquo; _x_, _y_ &raquo;).
1. Let _v_ be ToNumber(? Call(_comparefn_, *undefined*, &laquo; _x_, _y_ &raquo;)).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the ToNumber needs a ? prefix as well, since it can throw

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@ljharb ljharb added the normative change Affects behavior required to correctly evaluate some ECMAScript source text label Sep 13, 2017
@ljharb
Copy link
Member

ljharb commented Sep 13, 2017

Does this need consensus?

@allenwb
Copy link
Member

allenwb commented Sep 13, 2017

shouldn't need consensus. It's pretty clearly a bug that Array sort has a ToNumber but TypedArray sort does not.

@bterlson
Copy link
Member

Yep, seems like a bug to me (and a bad one, at that). Thanks!

@bterlson bterlson merged commit a1d743e into tc39:master Sep 13, 2017
@bterlson
Copy link
Member

@natashenka Congratulations on your first commit to ECMA262! 👌👍

@leobalter leobalter mentioned this pull request Aug 27, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ljharb ljharb ljharb approved these changes

Assignees
No one assigned
Labels
normative change Affects behavior required to correctly evaluate some ECMAScript source text
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@natashenka @anba @ljharb @allenwb @bterlson