Re: [Public WebGL] TypedArray constructors and zero length

On Fri, Jun 11, 2010 at 01:49, Kenneth Russell <kbr@google.com> wrote:
> On Thu, Jun 10, 2010 at 2:12 AM, Cedric Vivier <cedricv@neonux.com> wrote:
>> FWIW I wrote some tests on this today, Mozilla has the sane behavior
>> of throwing an exception ("invalid array size") when length is
>> negative while WebKit swaps like crazy attempting to allocate
>> memory... and in the end returns "undefined".
> After looking back at the JavaScript bindings in WebKit, the intended
> behavior is that this should throw an INDEX_SIZE_ERR exception. See
> http://trac.webkit.org/browser/trunk/WebCore/bindings/js/JSArrayBufferConstructor.cpp
> , line 61, and http://trac.webkit.org/browser/trunk/WebCore/bindings/v8/custom/V8ArrayBufferCustom.cpp
> , line 77. I'm not sure why this isn't happening. Feel free to file a
> bug on http://bugs.webkit.org/ .

Interesting, I guess in V8's case setting the DOM exception is not
enough, as an exception object must be passed/returned to the runtime.

Looks like the behavior is inconsistent between the 2 WebKit bindings
even for some corner cases (NaN/+inf/-inf gives 0 on JSCore - as
WebIDL specifies - but throws on the V8 binding).

Mozilla does indeed treat the input as an int32 internally and
specifically checks if the value is negative (which also means "too
big" >2^31 depending on how you look at it, sure, but in the end it just
works as intended by WebIDL's unsigned long... a signed value passed
as parameter will not work and won't have side-effects [like
attempting to allocate a possibly huge chunk of memory]):

I think reproducing Mozilla's behavior in both WebKit bindings would
make a lot of sense, for instance with this patch for V8's binding:


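An added JavaScript model of the length validation discussed in this thread (it is not the V8 binding patch referred to above, nor Mozilla's or WebKit's code): WebIDL's unsigned long conversion maps NaN/+inf/-inf to 0 and wraps modulo 2^32, and the Mozilla-style check then rejects anything that is negative as an int32 before any allocation is attempted. The byte cap `MAX_BYTES` is an assumption added for illustration, not something the thread specifies.

```javascript
// Added model (not WebKit or Mozilla code) of how a TypedArray/ArrayBuffer
// constructor should validate its length argument before allocating.
// Assumption: the binding converts the JS value as a WebIDL "unsigned long"
// and then applies Mozilla's "reject if negative as int32" check.

// Hypothetical per-buffer cap (assumption, not from the thread).
const MAX_BYTES = 1 << 30;

// WebIDL unsigned long conversion (no [EnforceRange]): NaN and +/-Infinity
// become 0, the value is truncated toward zero and reduced modulo 2^32.
function toUnsignedLong(value) {
  const n = Number(value);
  if (!Number.isFinite(n)) return 0; // covers NaN, +Infinity, -Infinity
  const truncated = Math.trunc(n);
  return ((truncated % 4294967296) + 4294967296) % 4294967296;
}

// Validate the length before any allocation happens. Mozilla's behaviour,
// as described in the thread: interpret the converted value as int32 and
// throw on negative values, which also rejects lengths >= 2^31.
function checkedLength(value, elementSize) {
  const len = toUnsignedLong(value);
  if ((len | 0) < 0) {
    throw new RangeError("invalid array size");
  }
  // Extra defensive cap on the total byte size (assumption, see above).
  if (len * elementSize > MAX_BYTES) {
    throw new RangeError("invalid array size");
  }
  return len;
}

// Constructor wrapper: the allocation only happens after validation, so a
// negative or absurd length never turns into a huge allocation attempt.
function makeFloat32Array(length) {
  return new Float32Array(checkedLength(length, 4));
}
```

Note that with plain WebIDL conversion alone `-1` becomes 4294967295, which is exactly the value the int32 check turns back into an error instead of an allocation.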