From a1e2f131c441a2e90a272fef7067b817b72c501b Mon Sep 17 00:00:00 2001
From: Timothy Flynn <trflynn89@pm.me>
Date: Sun, 24 Dec 2023 15:07:43 -0500
Subject: [PATCH] LibJS: Use existing AOs to validate bytecode/JIT TypedArray
 indices

The IsValidIntegerIndex AO performs the checks we are interested in. The
manual implementation we currently have will no longer compile once the
resizable ArrayBuffer spec is implemented. The AO will be updated with
the spec implementation, so let's use it now to avoid breakage.
---
 .../LibJS/Bytecode/CommonImplementations.cpp          | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/Userland/Libraries/LibJS/Bytecode/CommonImplementations.cpp b/Userland/Libraries/LibJS/Bytecode/CommonImplementations.cpp
index f702292752..49290978e1 100644
--- a/Userland/Libraries/LibJS/Bytecode/CommonImplementations.cpp
+++ b/Userland/Libraries/LibJS/Bytecode/CommonImplementations.cpp
@@ -117,7 +117,9 @@ ThrowCompletionOr<Value> get_by_value(VM& vm, Value base_value, Value property_k
         // For typed arrays:
         if (object.is_typed_array()) {
             auto& typed_array = static_cast<TypedArrayBase&>(object);
-            if (!typed_array.viewed_array_buffer()->is_detached() && index < typed_array.array_length()) {
+            auto canonical_index = CanonicalIndex { CanonicalIndex::Type::Index, index };
+
+            if (is_valid_integer_index(typed_array, canonical_index)) {
                 switch (typed_array.kind()) {
                 case TypedArrayBase::Kind::Uint8Array:
                     return fast_typed_array_get_element<u8>(typed_array, index);
@@ -139,7 +141,6 @@ ThrowCompletionOr<Value> get_by_value(VM& vm, Value base_value, Value property_k
                 }
             }
 
-            auto canonical_index = CanonicalIndex { CanonicalIndex::Type::Index, index };
             switch (typed_array.kind()) {
 #define __JS_ENUMERATE(ClassName, snake_name, PrototypeName, ConstructorName, Type) \
     case TypedArrayBase::Kind::ClassName:                                           \
@@ -395,7 +396,9 @@ ThrowCompletionOr<void> put_by_value(VM& vm, Value base, Value property_key_valu
         // For typed arrays:
         if (object.is_typed_array()) {
             auto& typed_array = static_cast<TypedArrayBase&>(object);
-            if (!typed_array.viewed_array_buffer()->is_detached() && index < typed_array.array_length() && value.is_int32()) {
+            auto canonical_index = CanonicalIndex { CanonicalIndex::Type::Index, index };
+
+            if (value.is_int32() && is_valid_integer_index(typed_array, canonical_index)) {
                 switch (typed_array.kind()) {
                 case TypedArrayBase::Kind::Uint8Array:
                     fast_typed_array_set_element<u8>(typed_array, index, static_cast<u8>(value.as_i32()));
@@ -423,7 +426,7 @@ ThrowCompletionOr<void> put_by_value(VM& vm, Value base, Value property_key_valu
                     break;
                 }
             }
-            auto canonical_index = CanonicalIndex { CanonicalIndex::Type::Index, index };
+
             switch (typed_array.kind()) {
 #define __JS_ENUMERATE(ClassName, snake_name, PrototypeName, ConstructorName, Type) \
     case TypedArrayBase::Kind::ClassName:                                           \