Fixed %TypedArray%.prototype.join() with detached buffer.

The TypedArray buffer may be detached while evaluating custom
"separator" argument.  The fix is to move the buffer check below this
point.

Found by Official ECMAScript Conformance Test Suite.

diff --git a/src/njs_typed_array.c b/src/njs_typed_array.c
index 7fb6cf1ce591adf92a7bd64c64196f4213a2199a..94dfd5e89c40edd824d04fdc2bdbc1105a699eba 100644 (file)
--- a/src/njs_typed_array.c
+++ b/src/njs_typed_array.c
@@ -2166,6 +2166,11 @@ njs_typed_array_prototype_join(njs_vm_t *vm, njs_value_t *args,
         return NJS_OK;
     }
 
+    if (njs_slow_path(njs_is_detached_buffer(array->buffer))) {
+        njs_type_error(vm, "detached buffer");
+        return NJS_ERROR;
+    }
+
     njs_chb_init(&chain, vm->mem_pool);
 
     length = njs_typed_array_to_chain(vm, &chain, array, separator);

diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index f48e2e87d26ee91fb355f20996862b82ea41817f..facab4214baebb4c3d4241e58e76623196349316 100644 (file)
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -6234,6 +6234,13 @@ static njs_unit_test_t  njs_test[] =
               "           return a.map(q=>q/2).join('|') === '3|2|1'})"),
       njs_str("true") },
 
+#ifdef NJS_TEST262
+    { njs_str("const arr = new Uint8Array([1,2,3]);"
+              "const sep = {toString(){$262.detachArrayBuffer(arr.buffer); return ','}};"
+              "arr.join(sep)"),
+      njs_str("TypeError: detached buffer") },
+#endif
+
     { njs_str("Uint8Array.prototype.reduce.call(1)"),
       njs_str("TypeError: this is not a typed array") },