Changeset 197192 in webkit for trunk/Source/JavaScriptCore/runtime

Timestamp:

Feb 26, 2016, 12:25:42 PM (9 years ago)

Author:

[email protected]

Message:

Native Typed Array functions should use Symbol.species
​https://bugs.webkit.org/show_bug.cgi?id=154569

Reviewed by Michael Saboff.

This patch adds support for Symbol.species in the native Typed Array prototype
functions. Additionally, now that other types of typedarrays are creatable inside
the slice we use the JSGenericTypedArrayView::set function, which has been beefed
up, to put everything into the correct place.

• runtime/JSDataView.cpp:

(JSC::JSDataView::set):

• runtime/JSDataView.h:
• runtime/JSGenericTypedArrayView.h:
• runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructGenericTypedArrayViewFromIterator):
(JSC::constructGenericTypedArrayViewWithArguments):
(JSC::constructGenericTypedArrayView):

• runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
(JSC::JSGenericTypedArrayView<Adaptor>::set):

• runtime/JSGenericTypedArrayViewPrototypeFunctions.h:

(JSC::speciesConstruct):
(JSC::genericTypedArrayViewProtoFuncSet):
(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewProtoFuncSubarray):

• tests/stress/typedarray-slice.js:

(subclasses.typedArrays.map):
(testSpecies):
(forEach):
(subclasses.forEach):
(testSpeciesRemoveConstructor):
(testSpeciesWithSameBuffer):

• tests/stress/typedarray-subarray.js: Added.

(subclasses.typedArrays.map):
(testSpecies):
(forEach):
(subclasses.forEach):
(testSpeciesRemoveConstructor):

Location:

trunk/Source/JavaScriptCore/runtime

Files:

• JSDataView.cpp (modified) (1 diff)
• JSDataView.h (modified) (1 diff)
• JSGenericTypedArrayView.h (modified) (3 diffs)
• JSGenericTypedArrayViewConstructorInlines.h (modified) (4 diffs)
• JSGenericTypedArrayViewInlines.h (modified) (7 diffs)
• JSGenericTypedArrayViewPrototypeFunctions.h (modified) (4 diffs)

trunk/Source/JavaScriptCore/runtime/JSDataView.cpp

@@ -79 +79 @@
 }
 
-bool JSDataView::set(ExecState*, JSObject*, unsigned, unsigned)
+bool JSDataView::set(ExecState*, unsigned, JSObject*, unsigned, unsigned)
 {
     UNREACHABLE_FOR_PLATFORM();

trunk/Source/JavaScriptCore/runtime/JSDataView.h

@@ -49 +49 @@
     static JSDataView* createUninitialized(ExecState*, Structure*, unsigned length);
     static JSDataView* create(ExecState*, Structure*, unsigned length);
-    bool set(ExecState*, JSObject*, unsigned offset, unsigned length);
+    bool set(ExecState*, unsigned, JSObject*, unsigned, unsigned length);
     bool setIndex(ExecState*, unsigned, JSValue);
     

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h

@@ -84 +84 @@
 // };
 
+enum class CopyType {
+    LeftToRight,
+    Unobservable,
+};
+
 template<typename Adaptor>
 class JSGenericTypedArrayView : public JSArrayBufferView {
@@ -218 +223 @@
     // appropriate exception.
     bool validateRange(ExecState*, unsigned offset, unsigned length);
-    
+
     // Returns true if successful, and false on error; if it returns false
     // then it will have thrown an exception.
-    bool set(ExecState*, JSObject*, unsigned offset, unsigned length);
+    bool set(ExecState*, unsigned offset, JSObject*, unsigned objectOffset, unsigned length, CopyType type = CopyType::Unobservable);
     
     PassRefPtr<typename Adaptor::ViewType> typedImpl()
@@ -292 +297 @@
     template<typename OtherAdaptor>
     bool setWithSpecificType(
-        ExecState*, JSGenericTypedArrayView<OtherAdaptor>*,
-        unsigned offset, unsigned length);
+        ExecState*, unsigned offset, JSGenericTypedArrayView<OtherAdaptor>*,
+        unsigned objectOffset, unsigned length, CopyType);
 
     // The ECMA 6 spec states that floating point Typed Arrays should have the following ordering:

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h

@@ -78 +78 @@
 
 template<typename ViewClass>
-static JSObject* constructGenericTypedArrayViewFromIterator(ExecState* exec, Structure* structure, JSValue iterator)
+inline JSObject* constructGenericTypedArrayViewFromIterator(ExecState* exec, Structure* structure, JSValue iterator)
 {
     if (!iterator.isObject())
@@ -116 +116 @@
 
 template<typename ViewClass>
-static JSObject* constructGenericTypedArrayViewWithArguments(ExecState* exec, Structure* structure, EncodedJSValue firstArgument, unsigned offset, Optional<unsigned> lengthOpt)
+inline JSObject* constructGenericTypedArrayViewWithArguments(ExecState* exec, Structure* structure, EncodedJSValue firstArgument, unsigned offset, Optional<unsigned> lengthOpt)
 {
     JSValue firstValue = JSValue::decode(firstArgument);
@@ -194 +194 @@
         }
         
-        if (!result->set(exec, object, 0, length))
+        if (!result->set(exec, 0, object, 0, length))
             return nullptr;
         
@@ -217 +217 @@
 
 template<typename ViewClass>
-static EncodedJSValue JSC_HOST_CALL constructGenericTypedArrayView(ExecState* exec)
+EncodedJSValue JSC_HOST_CALL constructGenericTypedArrayView(ExecState*);
+
+template<typename ViewClass>
+EncodedJSValue JSC_HOST_CALL constructGenericTypedArrayView(ExecState* exec)
 {
     Structure* structure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), asInternalFunction(exec->callee())->globalObject()->typedArrayStructure(ViewClass::TypedArrayStorageType));

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

@@ -139 +139 @@
 template<typename OtherAdaptor>
 bool JSGenericTypedArrayView<Adaptor>::setWithSpecificType(
-    ExecState* exec, JSGenericTypedArrayView<OtherAdaptor>* other,
-    unsigned offset, unsigned length)
+    ExecState* exec, unsigned offset, JSGenericTypedArrayView<OtherAdaptor>* other,
+    unsigned otherOffset, unsigned length, CopyType type)
 {
     // Handle the hilarious case: the act of getting the length could have resulted
@@ -149 +149 @@
     // but we won't have a security vulnerability.
     length = std::min(length, other->length());
-    
+
+    RELEASE_ASSERT(other->canAccessRangeQuickly(otherOffset, length));
     if (!validateRange(exec, offset, length))
         return false;
-    
-    if (other->length() != length) {
-        exec->vm().throwException(exec, createRangeError(exec, "Length of incoming array changed unexpectedly."));
-        return false;
-    }
     
     // This method doesn't support copying between the same array. Note that
@@ -186 +182 @@
 
     unsigned otherElementSize = sizeof(typename OtherAdaptor::Type);
-    
-    // Handle cases (1) and (2B).
+
+    // Handle cases (1) and (2A).
     if (!hasArrayBuffer() || !other->hasArrayBuffer()
         || existingBuffer() != other->existingBuffer()
-        || (elementSize == otherElementSize && vector() > other->vector())) {
+        || (elementSize == otherElementSize && vector() <= other->vector())
+        || type == CopyType::LeftToRight) {
+        for (unsigned i = 0; i < length; ++i) {
+            setIndexQuicklyToNativeValue(
+                offset + i, OtherAdaptor::template convertTo<Adaptor>(
+                    other->getIndexQuicklyAsNativeValue(i + otherOffset)));
+        }
+        return true;
+    }
+
+    // Now we either have (2B) or (3) - so first we try to cover (2B).
+    if (elementSize == otherElementSize) {
         for (unsigned i = length; i--;) {
             setIndexQuicklyToNativeValue(
                 offset + i, OtherAdaptor::template convertTo<Adaptor>(
-                    other->getIndexQuicklyAsNativeValue(i)));
-        }
-        return true;
-    }
-    
-    // Now we either have (2A) or (3) - so first we try to cover (2A).
-    if (elementSize == otherElementSize) {
-        for (unsigned i = 0; i < length; ++i) {
-            setIndexQuicklyToNativeValue(
-                offset + i, OtherAdaptor::template convertTo<Adaptor>(
-                    other->getIndexQuicklyAsNativeValue(i)));
+                    other->getIndexQuicklyAsNativeValue(i + otherOffset)));
         }
         return true;
@@ -213 +210 @@
     for (unsigned i = length; i--;) {
         transferBuffer[i] = OtherAdaptor::template convertTo<Adaptor>(
-            other->getIndexQuicklyAsNativeValue(i));
+            other->getIndexQuicklyAsNativeValue(i + otherOffset));
     }
     for (unsigned i = length; i--;)
@@ -223 +220 @@
 template<typename Adaptor>
 bool JSGenericTypedArrayView<Adaptor>::set(
-    ExecState* exec, JSObject* object, unsigned offset, unsigned length)
+    ExecState* exec, unsigned offset, JSObject* object, unsigned objectOffset, unsigned length, CopyType type)
 {
     const ClassInfo* ci = object->classInfo();
@@ -231 +228 @@
         length = std::min(length, other->length());
         
+        RELEASE_ASSERT(other->canAccessRangeQuickly(objectOffset, length));
         if (!validateRange(exec, offset, length))
             return false;
-        
-        memmove(typedVector() + offset, other->typedVector(), other->byteLength());
+
+        memmove(typedVector() + offset, other->typedVector() + objectOffset, other->byteLength());
         return true;
     }
@@ -241 +239 @@
     case TypeInt8:
         return setWithSpecificType<Int8Adaptor>(
-            exec, jsCast<JSInt8Array*>(object), offset, length);
+            exec, offset, jsCast<JSInt8Array*>(object), objectOffset, length, type);
     case TypeInt16:
         return setWithSpecificType<Int16Adaptor>(
-            exec, jsCast<JSInt16Array*>(object), offset, length);
+            exec, offset, jsCast<JSInt16Array*>(object), objectOffset, length, type);
     case TypeInt32:
         return setWithSpecificType<Int32Adaptor>(
-            exec, jsCast<JSInt32Array*>(object), offset, length);
+            exec, offset, jsCast<JSInt32Array*>(object), objectOffset, length, type);
     case TypeUint8:
         return setWithSpecificType<Uint8Adaptor>(
-            exec, jsCast<JSUint8Array*>(object), offset, length);
+            exec, offset, jsCast<JSUint8Array*>(object), objectOffset, length, type);
     case TypeUint8Clamped:
         return setWithSpecificType<Uint8ClampedAdaptor>(
-            exec, jsCast<JSUint8ClampedArray*>(object), offset, length);
+            exec, offset, jsCast<JSUint8ClampedArray*>(object), objectOffset, length, type);
     case TypeUint16:
         return setWithSpecificType<Uint16Adaptor>(
-            exec, jsCast<JSUint16Array*>(object), offset, length);
+            exec, offset, jsCast<JSUint16Array*>(object), objectOffset, length, type);
     case TypeUint32:
         return setWithSpecificType<Uint32Adaptor>(
-            exec, jsCast<JSUint32Array*>(object), offset, length);
+            exec, offset, jsCast<JSUint32Array*>(object), objectOffset, length, type);
     case TypeFloat32:
         return setWithSpecificType<Float32Adaptor>(
-            exec, jsCast<JSFloat32Array*>(object), offset, length);
+            exec, offset, jsCast<JSFloat32Array*>(object), objectOffset, length, type);
     case TypeFloat64:
         return setWithSpecificType<Float64Adaptor>(
-            exec, jsCast<JSFloat64Array*>(object), offset, length);
+            exec, offset, jsCast<JSFloat64Array*>(object), objectOffset, length, type);
     case NotTypedArray:
     case TypeDataView: {
         if (!validateRange(exec, offset, length))
             return false;
+
         // We could optimize this case. But right now, we don't.
         for (unsigned i = 0; i < length; ++i) {
-            JSValue value = object->get(exec, i);
+            JSValue value = object->get(exec, i + objectOffset);
             if (!setIndex(exec, offset + i, value))
                 return false;

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

@@ -46 +46 @@
 static const char* typedArrayBufferHasBeenDetachedErrorMessage = "Underlying ArrayBuffer has been detached from the view";
 
+// This implements 22.2.4.7 TypedArraySpeciesCreate
+// Note, that this function throws.
+template<typename Functor>
+inline JSArrayBufferView* speciesConstruct(ExecState* exec, JSObject* exemplar, MarkedArgumentBuffer& args, const Functor& defaultConstructor)
+{
+    JSValue constructor = exemplar->get(exec, exec->propertyNames().constructor);
+    if (exec->hadException())
+        return nullptr;
+
+    if (constructor.isUndefined())
+        return defaultConstructor();
+    if (!constructor.isObject()) {
+        throwTypeError(exec, "constructor Property should not be null");
+        return nullptr;
+    }
+
+    JSValue species = constructor.get(exec, exec->propertyNames().speciesSymbol);
+    if (exec->hadException())
+        return nullptr;
+
+    if (species.isUndefinedOrNull())
+        return defaultConstructor();
+
+    JSValue result = construct(exec, species, args, "species is not a constructor");
+    if (exec->hadException())
+        return nullptr;
+
+    if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(result))
+        return view;
+
+    throwTypeError(exec, "species constructor did not return a TypedArray View");
+    return nullptr;
+}
+
 inline unsigned argumentClampedIndexFromStartOrEnd(ExecState* exec, int argument, unsigned length, unsigned undefinedValue = 0)
 {
@@ -100 +134 @@
         return JSValue::encode(jsUndefined());
 
-    thisObject->set(exec, sourceArray, offset, length);
+    thisObject->set(exec, offset, sourceArray, 0, length, CopyType::Unobservable);
     return JSValue::encode(jsUndefined());
 }
@@ -364 +398 @@
     unsigned length = end - begin;
 
-    typename ViewClass::ElementType* array = thisObject->typedVector();
-
-    Structure* structure =
-    callee->globalObject()->typedArrayStructure(ViewClass::TypedArrayStorageType);
-
-    ViewClass* result = ViewClass::createUninitialized(exec, structure, length);
-
-    // We can use memcpy since we know this a new buffer
-    memcpy(static_cast<void*>(result->typedVector()), static_cast<void*>(array + begin), length * thisObject->elementSize);
+    MarkedArgumentBuffer args;
+    args.append(jsNumber(length));
+
+    JSArrayBufferView* result = speciesConstruct(exec, thisObject, args, [&]() {
+        Structure* structure = callee->globalObject()->typedArrayStructure(ViewClass::TypedArrayStorageType);
+        return ViewClass::createUninitialized(exec, structure, length);
+    });
+    if (exec->hadException())
+        return JSValue::encode(JSValue());
+
+    // We return early here since we don't allocate a backing store if length is 0 and memmove does not like nullptrs
+    if (!length)
+        return JSValue::encode(result);
+
+    // The species constructor may return an array with any arbitrary length.
+    length = std::min(length, result->length());
+    switch (result->classInfo()->typedArrayStorageType) {
+    case TypeInt8:
+        jsCast<JSInt8Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
+        break;
+    case TypeInt16:
+        jsCast<JSInt16Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
+        break;
+    case TypeInt32:
+        jsCast<JSInt32Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
+        break;
+    case TypeUint8:
+        jsCast<JSUint8Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
+        break;
+    case TypeUint8Clamped:
+        jsCast<JSUint8ClampedArray*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
+        break;
+    case TypeUint16:
+        jsCast<JSUint16Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
+        break;
+    case TypeUint32:
+        jsCast<JSUint32Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
+        break;
+    case TypeFloat32:
+        jsCast<JSFloat32Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
+        break;
+    case TypeFloat64:
+        jsCast<JSFloat64Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
+        break;
+    default:
+        RELEASE_ASSERT_NOT_REACHED();
+    }
 
     return JSValue::encode(result);
@@ -406 +478 @@
     RELEASE_ASSERT(thisLength == thisObject->length());
 
-    Structure* structure =
-    callee->globalObject()->typedArrayStructure(ViewClass::TypedArrayStorageType);
-
-    ViewClass* result = ViewClass::create(
-        exec, structure, arrayBuffer,
-        thisObject->byteOffset() + offset * ViewClass::elementSize,
-        length);
+    unsigned newByteOffset = thisObject->byteOffset() + offset * ViewClass::elementSize;
+
+    MarkedArgumentBuffer args;
+    args.append(exec->vm().m_typedArrayController->toJS(exec, thisObject->globalObject(), thisObject->buffer()));
+    args.append(jsNumber(newByteOffset));
+    args.append(jsNumber(length));
+
+    JSArrayBufferView* result = speciesConstruct(exec, thisObject, args, [&]() {
+        Structure* structure = callee->globalObject()->typedArrayStructure(ViewClass::TypedArrayStorageType);
+
+        return ViewClass::create(
+            exec, structure, arrayBuffer,
+            thisObject->byteOffset() + offset * ViewClass::elementSize,
+            length);
+    });
+    if (exec->hadException())
+        return JSValue::encode(JSValue());
 
     return JSValue::encode(result);