tc39 / proposal-ecmascript-sharedmem

Shared memory and atomics for ECMAscript
Mozilla Public License 2.0

Spec bug: SharedArrayBuffer.prototype.slice must avoid copying a buffer onto itself #166

Closed lars-t-hansen closed 7 years ago

lars-t-hansen commented 7 years ago

By (embedding-specific) means of transferring a SAB to another agent and back, it is possible to create a situation where two SAB objects reference the same memory in the same agent. Also, by means of manipulating the "constructor" property of an object, it is possible for a method that indirects via the constructor property, such as SAB.p.slice, to end up in a situation where the constructor returns an object that is not equal to the receiver of the method call but where the shared memory block is the same. In this case the call to CopyDataBlock from slice is not well-defined, as it requires the data blocks to be disjoint. There is a step in the algorithm for slice that intends to guard against that but it only compares the identities of the two objects, not the identities of the underlying buffers (their Shared Data Block IDs).

The algorithm's step 14 should therefore be modified to grab the Shared Data Block IDs and to compare those instead, as that test would subsume the identity test on the SAB objects.

(Thanks to @anba for digging this one up.)
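The failure mode described in this issue, as an added example that is not part of the original issue or of the proposal's own text: a small model of the spec's slice algorithm, with the species indirection, run once with the original object-identity guard and once with a guard on the underlying data block. The real built-in is not used; `ModelSAB`, `copyDataBlock`, `makeSlice` and the scenario functions are constructed here, a "shared data block" is modeled as a `Uint8Array`, and two model buffers over the same `Uint8Array` stand in for two SAB objects that alias one memory region after a transfer round-trip.

```javascript
'use strict';

// Constructed model of a SharedArrayBuffer: wraps a "shared data block",
// modeled as a Uint8Array. Two ModelSAB objects over the same Uint8Array
// stand for two SAB objects that alias one memory region in one agent.
class ModelSAB {
  constructor(lengthOrBlock) {
    this.block = lengthOrBlock instanceof Uint8Array ? lengthOrBlock : new Uint8Array(lengthOrBlock);
  }
  get byteLength() { return this.block.length; }
  static get [Symbol.species]() { return this; }
}

// CopyDataBlock requires disjoint blocks. The precondition is checked
// explicitly here; in the spec an overlapping call is simply not defined.
function copyDataBlock(toBlock, toIndex, fromBlock, fromIndex, count) {
  if (toBlock === fromBlock) {
    throw new RangeError('CopyDataBlock called on aliased blocks');
  }
  toBlock.set(fromBlock.subarray(fromIndex, fromIndex + count), toIndex);
}

// SpeciesConstructor(O, defaultConstructor), abridged: honours a user-set
// "constructor" property, which is the indirection the issue talks about.
function speciesConstructor(O, defaultCtor) {
  const C = O.constructor;
  if (C === undefined) return defaultCtor;
  const S = C[Symbol.species];
  return S === undefined || S === null ? defaultCtor : S;
}

// slice with a pluggable guard: 'identity' compares the two SAB objects
// (the original step 14); 'block' compares their underlying data blocks
// (the fix proposed in the issue, which subsumes the identity test).
function makeSlice(guard) {
  return function slice(O, start, end) {
    const len = O.byteLength;
    const rel = (v, dflt) => (v === undefined ? dflt : Math.trunc(v));
    const clamp = (r) => (r < 0 ? Math.max(len + r, 0) : Math.min(r, len));
    const first = clamp(rel(start, 0));
    const final = clamp(rel(end, len));
    const newLen = Math.max(final - first, 0);
    const ctor = speciesConstructor(O, ModelSAB);
    const result = new ctor(newLen);
    const aliased = guard === 'identity' ? result === O : result.block === O.block;
    if (aliased) {
      throw new TypeError('slice: species constructor returned a buffer over the receiver\'s memory');
    }
    if (result.byteLength < newLen) throw new TypeError('slice: result too small');
    copyDataBlock(result.block, 0, O.block, first, newLen);
    return result;
  };
}

// Scenario from the issue: a and b alias one block, and a's "constructor"
// property is rigged so that species construction hands back b, which is
// !== a but shares a's memory. Returns the name of the error reached.
function runAliasScenario(guard) {
  const block = Uint8Array.from([0, 1, 2, 3, 4, 5, 6, 7]); // constructed data
  const a = new ModelSAB(block);
  const b = new ModelSAB(block);
  a.constructor = { [Symbol.species]: function () { return b; } };
  try {
    makeSlice(guard)(a, 2, 6);
    return 'copied';
  } catch (e) {
    // 'TypeError': the guard fired before the copy.
    // 'RangeError': the guard passed and the undefined overlapping copy was reached.
    return e.constructor.name;
  }
}

// Sanity check that the fixed guard still allows an ordinary slice.
function normalSlice() {
  const a = new ModelSAB(Uint8Array.from([10, 11, 12, 13, 14])); // constructed data
  return Array.from(makeSlice('block')(a, 1, 4).block);
}

console.log('identity guard:', runAliasScenario('identity'));
console.log('block guard:   ', runAliasScenario('block'));
console.log('normal slice:  ', normalSlice());
```

With the identity guard the aliased copy gets as far as CopyDataBlock, which is exactly the state the spec leaves undefined; with the block guard the TypeError is raised before any copy takes place, and ordinary slices are unaffected.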

lars-t-hansen commented 7 years ago

Not fixed in ecma262.

lars-t-hansen commented 7 years ago

Moved to https://github.com/tc39/ecma262/issues/806. Closing here.