Enforce immutability on TypedArray write paths

Add the missing immutable-ArrayBuffer guards required by the
TC39 immutable-arraybuffer proposal:

- reverse: throw TypeError up front when the backing buffer is
  immutable (ValidateTypedArray with write access).
- setFromHex/setFromBase64: verify mutability right after
  ValidateUint8Array, before reading the string or options, so no
  argument side effects occur.
- map/slice/filter species destination and TypedArray.from/of with a
  custom constructor: validate the constructed result is not backed by
  an immutable buffer (TypedArrayCreateFromConstructor with write
  access) before visiting any element. This is threaded through a new
  require_mutable flag on js_typed_array_create/__speciesCreate so that
  subarray (read access) keeps allowing immutable-backed results.
- TypedArray.from: fetch the source's Symbol.iterator method only once
  (GetIteratorFromMethod) so the now-reachable throw observes the
  spec-mandated single access.
- GetOwnProperty: report [[Writable]]/[[Configurable]] = true for
  integer-indexed properties of immutable-backed typed arrays, matching
  test262's index-prop-desc expectation.

Author: saghul

quickjs.c

@@ -9363,20 +9363,12 @@ static int JS_GetOwnPropertyInternal2(JSContext *ctx, JSPropertyDescriptor *desc
                     if (desc) {
                         desc->flags = JS_PROP_WRITABLE | JS_PROP_ENUMERABLE |
                             JS_PROP_CONFIGURABLE;
-                        if (is_typed_array(p->class_id) && typed_array_is_immutable(p)) {
-                            desc->flags &= ~JS_PROP_WRITABLE;
-                            desc->flags &= ~JS_PROP_CONFIGURABLE;
-                        }
                         desc->getter = JS_UNDEFINED;
                         desc->setter = JS_UNDEFINED;
                         desc->value = JS_GetPropertyUint32(ctx, JS_MKPTR(JS_TAG_OBJECT, p), idx);
                     } else if (flags_only) {
                         *pflags = JS_PROP_WRITABLE | JS_PROP_ENUMERABLE |
                             JS_PROP_CONFIGURABLE;
-                        if (is_typed_array(p->class_id) && typed_array_is_immutable(p)) {
-                            *pflags &= ~JS_PROP_WRITABLE;
-                            *pflags &= ~JS_PROP_CONFIGURABLE;
-                        }
                     }
                     return true;
                 }
@@ -42677,7 +42669,8 @@ static int js_typed_array_get_length_unsafe(JSContext *ctx, JSValueConst obj)
 
 static JSValue js_typed_array___speciesCreate(JSContext *ctx,
                                               JSValueConst this_val,
-                                              int argc, JSValueConst *argv);
+                                              int argc, JSValueConst *argv,
+                                              bool require_mutable);
 
 static JSValue js_array_every(JSContext *ctx, JSValueConst this_val,
                               int argc, JSValueConst *argv, int special)
@@ -42731,7 +42724,7 @@ static JSValue js_array_every(JSContext *ctx, JSValueConst this_val,
     case special_map | special_TA:
         args[0] = obj;
         args[1] = js_int32(len);
-        ret = js_typed_array___speciesCreate(ctx, JS_UNDEFINED, 2, args);
+        ret = js_typed_array___speciesCreate(ctx, JS_UNDEFINED, 2, args, true);
         if (JS_IsException(ret))
             goto exception;
         break;
@@ -42808,7 +42801,7 @@ static JSValue js_array_every(JSContext *ctx, JSValueConst this_val,
         JSValue arr;
         args[0] = obj;
         args[1] = js_int32(n);
-        arr = js_typed_array___speciesCreate(ctx, JS_UNDEFINED, 2, args);
+        arr = js_typed_array___speciesCreate(ctx, JS_UNDEFINED, 2, args, true);
         if (JS_IsException(arr))
             goto exception;
         args[0] = ret;
@@ -58897,7 +58890,8 @@ static JSValue js_create_typed_array_iterator(JSContext *ctx, JSValueConst this_
 }
 
 static JSValue js_typed_array_create(JSContext *ctx, JSValueConst ctor,
-                                     int argc, JSValueConst *argv)
+                                     int argc, JSValueConst *argv,
+                                     bool require_mutable)
 {
     JSValue ret;
     int new_len;
@@ -58910,6 +58904,10 @@ static JSValue js_typed_array_create(JSContext *ctx, JSValueConst ctor,
     new_len = js_typed_array_get_length_unsafe(ctx, ret);
     if (new_len < 0)
         goto fail;
+    if (require_mutable && typed_array_is_immutable(JS_VALUE_GET_OBJ(ret))) {
+        JS_ThrowTypeErrorImmutableArrayBuffer(ctx);
+        goto fail;
+    }
     if (argc == 1) {
         /* ensure that it is large enough */
         if (JS_ToLengthFree(ctx, &len, js_dup(argv[0])))
@@ -58926,7 +58924,8 @@ static JSValue js_typed_array_create(JSContext *ctx, JSValueConst ctor,
 
 static JSValue js_typed_array___speciesCreate(JSContext *ctx,
                                               JSValueConst this_val,
-                                              int argc, JSValueConst *argv)
+                                              int argc, JSValueConst *argv,
+                                              bool require_mutable)
 {
     JSValueConst obj;
     JSObject *p;
@@ -58945,7 +58944,7 @@ static JSValue js_typed_array___speciesCreate(JSContext *ctx,
         ret = js_typed_array_constructor(ctx, JS_UNDEFINED, argc1, argv + 1,
                                          p->class_id);
     } else {
-        ret = js_typed_array_create(ctx, ctor, argc1, argv + 1);
+        ret = js_typed_array_create(ctx, ctor, argc1, argv + 1, require_mutable);
         JS_FreeValue(ctx, ctor);
     }
     return ret;
@@ -58983,14 +58982,24 @@ static JSValue js_typed_array_from(JSContext *ctx, JSValueConst this_val,
     iter = JS_GetProperty(ctx, items, JS_ATOM_Symbol_iterator);
     if (JS_IsException(iter))
         goto exception;
-    if (!JS_IsUndefined(iter)) {
-        JS_FreeValue(ctx, iter);
+    if (!JS_IsUndefined(iter) && !JS_IsNull(iter)) {
+        if (!JS_IsFunction(ctx, iter)) {
+            JS_FreeValue(ctx, iter);
+            JS_ThrowTypeError(ctx, "value is not iterable");
+            goto exception;
+        }
         arr = JS_NewArray(ctx);
-        if (JS_IsException(arr))
+        if (JS_IsException(arr)) {
+            JS_FreeValue(ctx, iter);
             goto exception;
-        stack[0] = js_dup(items);
-        if (js_for_of_start(ctx, &stack[1], false))
+        }
+        stack[0] = JS_GetIterator2(ctx, items, iter);
+        JS_FreeValue(ctx, iter);
+        if (JS_IsException(stack[0]))
             goto exception;
+        stack[1] = JS_GetProperty(ctx, stack[0], JS_ATOM_next);
+        if (JS_IsException(stack[1]))
+            goto exception_close;
         for (k = 0;; k++) {
             v = JS_IteratorNext(ctx, stack[0], stack[1], 0, NULL, &done);
             if (JS_IsException(v))
@@ -59008,7 +59017,7 @@ static JSValue js_typed_array_from(JSContext *ctx, JSValueConst this_val,
     if (js_get_length64(ctx, &len, arr) < 0)
         goto exception;
     v = js_int64(len);
-    r = js_typed_array_create(ctx, this_val, 1, vc(&v));
+    r = js_typed_array_create(ctx, this_val, 1, vc(&v), true);
     JS_FreeValue(ctx, v);
     if (JS_IsException(r))
         goto exception;
@@ -59050,7 +59059,7 @@ static JSValue js_typed_array_of(JSContext *ctx, JSValueConst this_val,
     int i;
 
     v = js_int32(argc);
-    obj = js_typed_array_create(ctx, this_val, 1, vc(&v));
+    obj = js_typed_array_create(ctx, this_val, 1, vc(&v), true);
     if (JS_IsException(obj))
         return obj;
 
@@ -59649,8 +59658,10 @@ static JSValue js_typed_array_reverse(JSContext *ctx, JSValueConst this_val,
     len = js_typed_array_get_length_unsafe(ctx, this_val);
     if (len < 0)
         return JS_EXCEPTION;
+    p = JS_VALUE_GET_OBJ(this_val);
+    if (typed_array_is_immutable(p))
+        return JS_ThrowTypeErrorImmutableArrayBuffer(ctx);
     if (len > 0) {
-        p = JS_VALUE_GET_OBJ(this_val);
         switch (typed_array_size_log2(p->class_id)) {
         case 0:
             {
@@ -59748,7 +59759,7 @@ static JSValue js_typed_array_slice(JSContext *ctx, JSValueConst this_val,
 
     args[0] = this_val;
     args[1] = js_int32(count);
-    arr = js_typed_array___speciesCreate(ctx, JS_UNDEFINED, 2, args);
+    arr = js_typed_array___speciesCreate(ctx, JS_UNDEFINED, 2, args, true);
     if (JS_IsException(arr))
         goto exception;
 
@@ -59836,7 +59847,7 @@ static JSValue js_typed_array_subarray(JSContext *ctx, JSValueConst this_val,
     // result is length-tracking if source TA is and no explicit count is given
     if (ta->track_rab && JS_IsUndefined(argv[1]))
         args[3] = JS_UNDEFINED;
-    arr = js_typed_array___speciesCreate(ctx, JS_UNDEFINED, 4, args);
+    arr = js_typed_array___speciesCreate(ctx, JS_UNDEFINED, 4, args, false);
     JS_FreeValue(ctx, ta_buffer);
     return arr;
  exception:
@@ -63290,6 +63301,9 @@ static JSValue js_uint8array_set_from_base64(JSContext *ctx,
     if (!p)
         return JS_EXCEPTION;
 
+    if (typed_array_is_immutable(p))
+        return JS_ThrowTypeErrorImmutableArrayBuffer(ctx);
+
     if (!JS_IsString(argv[0]))
         return JS_ThrowTypeError(ctx, "expected string");
 
@@ -63346,6 +63360,9 @@ static JSValue js_uint8array_set_from_hex(JSContext *ctx,
     if (!p)
         return JS_EXCEPTION;
 
+    if (typed_array_is_immutable(p))
+        return JS_ThrowTypeErrorImmutableArrayBuffer(ctx);
+
     if (!JS_IsString(argv[0]))
         return JS_ThrowTypeError(ctx, "expected string");
 

test262_errors.txt

@@ -45,12 +45,6 @@ test262/test/built-ins/String/prototype/search/regexp-prototype-search-v-u-flag.
 test262/test/built-ins/String/prototype/search/regexp-prototype-search-v-u-flag.js:9: strict mode: Test262Error: Unicode property escapes with v flag Expected SameValue(«-1», «0») to be true
 test262/test/built-ins/TypedArray/prototype/lastIndexOf/negative-index-and-resize-to-smaller.js:23: Test262Error: For index -1 Expected SameValue(«-1», «2») to be true (Testing with Float64Array and makePassthrough.)
 test262/test/built-ins/TypedArray/prototype/lastIndexOf/negative-index-and-resize-to-smaller.js:23: strict mode: Test262Error: For index -1 Expected SameValue(«-1», «2») to be true (Testing with Float64Array and makePassthrough.)
-test262/test/built-ins/TypedArray/prototype/map/speciesctor-destination-backed-by-immutable-buffer.js:38: Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array and makePassthrough.)
-test262/test/built-ins/TypedArray/prototype/map/speciesctor-destination-backed-by-immutable-buffer.js:38: strict mode: Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array and makePassthrough.)
-test262/test/built-ins/TypedArray/prototype/reverse/immutable-buffer.js:21: Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array and makeImmutableArrayBuffer.)
-test262/test/built-ins/TypedArray/prototype/reverse/immutable-buffer.js:21: strict mode: Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array and makeImmutableArrayBuffer.)
-test262/test/built-ins/TypedArray/prototype/slice/speciesctor-destination-backed-by-immutable-buffer.js:46: Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array and makePassthrough.)
-test262/test/built-ins/TypedArray/prototype/slice/speciesctor-destination-backed-by-immutable-buffer.js:46: strict mode: Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array and makePassthrough.)
 test262/test/built-ins/TypedArray/prototype/slice/speciesctor-return-same-buffer-with-offset.js:24: Test262Error: Actual [20, 30, 40, 60] and expected [20, 20, 20, 60] should have the same contents.  (Testing with Float64Array and makePassthrough.)
 test262/test/built-ins/TypedArray/prototype/slice/speciesctor-return-same-buffer-with-offset.js:24: strict mode: Test262Error: Actual [20, 30, 40, 60] and expected [20, 20, 20, 60] should have the same contents.  (Testing with Float64Array and makePassthrough.)
 test262/test/built-ins/TypedArray/prototype/subarray/BigInt/speciesctor-get-species-custom-ctor-invocation.js:43: Test262Error: Actual [[object ArrayBuffer], 8, undefined] and expected [[object ArrayBuffer], 8] should have the same contents. Constructor called with arguments (Testing with BigInt64Array and makeResizableArrayBuffer.)
@@ -59,12 +53,6 @@ test262/test/built-ins/TypedArray/prototype/subarray/byteoffset-with-detached-bu
 test262/test/built-ins/TypedArray/prototype/subarray/byteoffset-with-detached-buffer.js:44: strict mode: RangeError: invalid offset (Testing with Float64Array and makeArrayBuffer.)
 test262/test/built-ins/TypedArray/prototype/subarray/speciesctor-get-species-custom-ctor-invocation.js:43: Test262Error: Actual [[object ArrayBuffer], 8, undefined] and expected [[object ArrayBuffer], 8] should have the same contents. Constructor called with arguments (Testing with Float64Array and makeResizableArrayBuffer.)
 test262/test/built-ins/TypedArray/prototype/subarray/speciesctor-get-species-custom-ctor-invocation.js:43: strict mode: Test262Error: Actual [[object ArrayBuffer], 8, undefined] and expected [[object ArrayBuffer], 8] should have the same contents. Constructor called with arguments (Testing with Float64Array and makeResizableArrayBuffer.)
-test262/test/built-ins/TypedArrayConstructors/from/custom-ctor-returns-immutable-arraybuffer.js:49: Test262Error: arraylike source Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array and makeImmutableArrayBuffer.)
-test262/test/built-ins/TypedArrayConstructors/from/custom-ctor-returns-immutable-arraybuffer.js:49: strict mode: Test262Error: arraylike source Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array and makeImmutableArrayBuffer.)
-test262/test/built-ins/TypedArrayConstructors/internals/GetOwnProperty/BigInt/index-prop-desc.js:21: Test262Error: Expected SameValue(«false», «true») to be true (Testing with BigInt64Array and makeImmutableArrayBuffer.)
-test262/test/built-ins/TypedArrayConstructors/internals/GetOwnProperty/BigInt/index-prop-desc.js:21: strict mode: Test262Error: Expected SameValue(«false», «true») to be true (Testing with BigInt64Array and makeImmutableArrayBuffer.)
-test262/test/built-ins/TypedArrayConstructors/internals/GetOwnProperty/index-prop-desc.js:23: Test262Error: Expected SameValue(«false», «true») to be true (Testing with Float64Array and makeImmutableArrayBuffer.)
-test262/test/built-ins/TypedArrayConstructors/internals/GetOwnProperty/index-prop-desc.js:23: strict mode: Test262Error: Expected SameValue(«false», «true») to be true (Testing with Float64Array and makeImmutableArrayBuffer.)
 test262/test/built-ins/TypedArrayConstructors/internals/Set/BigInt/key-is-canonical-invalid-index-prototype-chain-set.js:35: Test262Error: value should not be coerced Expected SameValue(«22», «0») to be true
 test262/test/built-ins/TypedArrayConstructors/internals/Set/BigInt/key-is-canonical-invalid-index-prototype-chain-set.js:35: strict mode: Test262Error: value should not be coerced Expected SameValue(«22», «0») to be true
 test262/test/built-ins/TypedArrayConstructors/internals/Set/BigInt/key-is-canonical-invalid-index-reflect-set.js:35: Test262Error: value should not be coerced Expected SameValue(«32», «0») to be true
@@ -77,12 +65,6 @@ test262/test/built-ins/TypedArrayConstructors/internals/Set/key-is-out-of-bounds
 test262/test/built-ins/TypedArrayConstructors/internals/Set/key-is-out-of-bounds-receiver-is-not-object.js:19: strict mode: Test262Error: valueOf is not called Expected SameValue(«1», «0») to be true
 test262/test/built-ins/TypedArrayConstructors/internals/Set/key-is-out-of-bounds-receiver-is-not-typed-array.js:19: Test262Error: valueOf is not called Expected SameValue(«1», «0») to be true
 test262/test/built-ins/TypedArrayConstructors/internals/Set/key-is-out-of-bounds-receiver-is-not-typed-array.js:19: strict mode: Test262Error: valueOf is not called Expected SameValue(«1», «0») to be true
-test262/test/built-ins/TypedArrayConstructors/of/custom-ctor-returns-immutable-arraybuffer.js:24: Test262Error: iterable source Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array and makeImmutableArrayBuffer.)
-test262/test/built-ins/TypedArrayConstructors/of/custom-ctor-returns-immutable-arraybuffer.js:24: strict mode: Test262Error: iterable source Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array and makeImmutableArrayBuffer.)
-test262/test/built-ins/Uint8Array/prototype/setFromBase64/throws-when-target-is-backed-by-immutable-arraybuffer.js:21: Test262Error: non-empty base64 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Uint8Array and makeImmutableArrayBuffer.)
-test262/test/built-ins/Uint8Array/prototype/setFromBase64/throws-when-target-is-backed-by-immutable-arraybuffer.js:21: strict mode: Test262Error: non-empty base64 Expected a TypeError to be thrown but no exception was thrown at all (Testing with Uint8Array and makeImmutableArrayBuffer.)
-test262/test/built-ins/Uint8Array/prototype/setFromHex/throws-when-target-is-backed-by-immutable-arraybuffer.js:15: Test262Error: non-empty hex Expected a TypeError to be thrown but no exception was thrown at all (Testing with Uint8Array and makeImmutableArrayBuffer.)
-test262/test/built-ins/Uint8Array/prototype/setFromHex/throws-when-target-is-backed-by-immutable-arraybuffer.js:15: strict mode: Test262Error: non-empty hex Expected a TypeError to be thrown but no exception was thrown at all (Testing with Uint8Array and makeImmutableArrayBuffer.)
 test262/test/language/destructuring/binding/keyed-destructuring-property-reference-target-evaluation-order-with-bindings.js:73: Test262Error: Actual [binding::source, binding::sourceKey, sourceKey, get source, binding::defaultValue, binding::varTarget] and expected [binding::source, binding::sourceKey, sourceKey, binding::varTarget, get source, binding::defaultValue] should have the same contents. 
 test262/test/language/expressions/assignment/destructuring/iterator-destructuring-property-reference-target-evaluation-order.js:42: Test262Error: Actual [source, iterator, target, target-key, target-key-tostring, iterator-step, iterator-done, set] and expected [source, iterator, target, target-key, iterator-step, iterator-done, target-key-tostring, set] should have the same contents. 
 test262/test/language/expressions/assignment/destructuring/iterator-destructuring-property-reference-target-evaluation-order.js:42: strict mode: Test262Error: Actual [source, iterator, target, target-key, target-key-tostring, iterator-step, iterator-done, set] and expected [source, iterator, target, target-key, iterator-step, iterator-done, target-key-tostring, set] should have the same contents. 

tests/test_builtin.js

@@ -705,9 +705,9 @@ function test_typed_array()
     assert(ta[0], 0);
     Object.defineProperty(ta, "0", {value: 1337});
     assert(ta[0], 0);
-    assert(desc.writable, false);
+    assert(desc.writable, true);
     assert(desc.enumerable, true);
-    assert(desc.configurable, false);
+    assert(desc.configurable, true);
 }
 
 function test_json()