[JSC] Fix %TypedArray%.prototype.includes to Align with ECMA-262 Part2

Gumichocopengin8 · Ahmad Saleem · commit 4a8356428b41 · 2025-12-25T14:30:10.000-08:00
https://bugs.webkit.org/show_bug.cgi?id=304569 Reviewed by Yusuke Suzuki. This patch fixes `%TypedArray%.prototype.includes` by adding range check to ensure the `index` is less than the array length, aligning the behavior with ECMA-262[1]. [1]: https://tc39.es/ecma262/#sec-%typedarray%.prototype.includes * JSTests/stress/typedarray-resize-includes.js: (throw.new.Error): * JSTests/test262/expectations.yaml: * Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h: (JSC::genericTypedArrayViewProtoFuncIncludes): Canonical link: https://commits.webkit.org/304940@main
diff --git a/JSTests/stress/typedarray-resize-includes.js b/JSTests/stress/typedarray-resize-includes.js
@@ -4,6 +4,21 @@ function shouldBe(actual, expected) {
     }
 }
 
+{
+    var arraybuffer = new ArrayBuffer(4, { maxByteLength: 20 });
+    var int8array = new Int8Array(arraybuffer);
+    var index = {
+        valueOf() {
+            arraybuffer.resize(0);
+            return 10;
+        },
+    };
+    shouldBe(int8array.length, 4);
+    var result = int8array.includes(undefined, index);
+    shouldBe(int8array.length, 0);
+    shouldBe(result, false);
+}
+
 {
     var arraybuffer = new ArrayBuffer(4, { maxByteLength: 20 });
     var byteOffset = 1; // Uses byteOffset to make typed array out-of-bounds when shrinking size to zero.
diff --git a/JSTests/test262/expectations.yaml b/JSTests/test262/expectations.yaml
@@ -409,12 +409,6 @@ test/built-ins/Temporal/PlainTime/prototype/until/order-of-operations.js:
 test/built-ins/Temporal/getOwnPropertyNames.js:
   default: 'Test262Error: ZonedDateTime'
   strict mode: 'Test262Error: ZonedDateTime'
-test/built-ins/TypedArray/prototype/includes/index-compared-against-initial-length.js:
-  default: 'Test262Error: Expected SameValue(«true», «false») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«true», «false») to be true'
-test/built-ins/TypedArray/prototype/includes/search-undefined-after-shrinking-buffer-index-is-oob.js:
-  default: 'Test262Error: Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'
 test/built-ins/TypedArray/prototype/set/array-arg-value-conversion-resizes-array-buffer.js:
   default: 'Test262Error: Actual [shrink, shrink, shrink] and expected [shrink, shrink, shrink, grow, grow] should have the same contents. '
   strict mode: 'Test262Error: Actual [shrink, shrink, shrink] and expected [shrink, shrink, shrink, grow, grow] should have the same contents. '
diff --git a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h
@@ -465,7 +465,7 @@ ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoFuncIncludes(VM& vm, JSGl
     if (!targetOption) {
         // Even though our TypedArray's length is updated, we iterate up to `length`.
         // So, if `updatedLength` is smaller than `length`, we will see undefined after that.
-        return JSValue::encode(jsBoolean(valueToFind.isUndefined() && length > updatedLength));
+        return JSValue::encode(jsBoolean(index < length && updatedLength < length && valueToFind.isUndefined()));
     }
 
     scope.assertNoExceptionExceptTermination();

Original file line number	Diff line number	Diff line change
`@@ -465,7 +465,7 @@ ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoFuncIncludes(VM& vm, JSGl`
`465`	`465`	`if (!targetOption) {`
`466`	`466`	// Even though our TypedArray's length is updated, we iterate up to `length`.
`467`	`467`	// So, if `updatedLength` is smaller than `length`, we will see undefined after that.
`468`		`- return JSValue::encode(jsBoolean(valueToFind.isUndefined() && length > updatedLength));`
	`468`	`+ return JSValue::encode(jsBoolean(index < length && updatedLength < length && valueToFind.isUndefined()));`
`469`	`469`	`}`
`470`	`470`
`471`	`471`	`scope.assertNoExceptionExceptTermination();`