Changeset 191190 in webkit

Timestamp:

Oct 16, 2015 11:37:14 AM (9 years ago)

Author:

keith_miller@apple.com

Message:

Fix some issues with TypedArrays
​https://bugs.webkit.org/show_bug.cgi?id=150216

Reviewed by Michael Saboff.

This fixes a couple of issues:
1) The DFG had a separate case for creating new typedarrays in the dfg when the first argument is an object.

Since the code for creating a Typedarray in the dfg is almost the same as the code in Baseline/LLInt
the two cases have been merged.

2) If the length property on an object was unset then the construction could crash.
3) The TypedArray.prototype.set function and the TypedArray constructor should not call Get? for the

length of the source object when the source object is a TypedArray.

4) The conditions that were used to decide if the iterator could be skipped were incorrect.

Instead of checking for have a bad time we should have checked the Indexing type did not allow for
indexed accessors.

• dfg/DFGOperations.cpp:

(JSC::DFG::newTypedArrayWithOneArgument): Deleted.

• runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructGenericTypedArrayViewFromIterator):
(JSC::constructGenericTypedArrayViewWithFirstArgument):
(JSC::constructGenericTypedArrayView):

• runtime/JSGenericTypedArrayViewPrototypeFunctions.h:

(JSC::genericTypedArrayViewProtoFuncSet):

• tests/stress/typedarray-construct-iterator.js: Added.

(iterator.return.next):
(iterator):
(body):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (10 diffs)
• runtime/JSGenericTypedArrayViewConstructorInlines.h (modified) (5 diffs)
• runtime/JSGenericTypedArrayViewPrototypeFunctions.h (modified) (3 diffs)
• tests/stress/typedarray-construct-iterator.js (added)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-10-16  Keith Miller  <keith_miller@apple.com>
+
+        Fix some issues with TypedArrays
+        https://bugs.webkit.org/show_bug.cgi?id=150216
+
+        Reviewed by Michael Saboff.
+
+        This fixes a couple of issues:
+        1) The DFG had a separate case for creating new typedarrays in the dfg when the first argument is an object.
+           Since the code for creating a Typedarray in the dfg is almost the same as the code in Baseline/LLInt
+           the two cases have been merged.
+        2) If the length property on an object was unset then the construction could crash.
+        3) The TypedArray.prototype.set function and the TypedArray constructor should not call [[Get]] for the
+           length of the source object when the source object is a TypedArray.
+        4) The conditions that were used to decide if the iterator could be skipped were incorrect.
+           Instead of checking for have a bad time we should have checked the Indexing type did not allow for
+           indexed accessors.
+
+        * dfg/DFGOperations.cpp:
+        (JSC::DFG::newTypedArrayWithOneArgument): Deleted.
+        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+        (JSC::constructGenericTypedArrayViewFromIterator):
+        (JSC::constructGenericTypedArrayViewWithFirstArgument):
+        (JSC::constructGenericTypedArrayView):
+        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+        (JSC::genericTypedArrayViewProtoFuncSet):
+        * tests/stress/typedarray-construct-iterator.js: Added.
+        (iterator.return.next):
+        (iterator):
+        (body):
+
 2015-10-15  Michael Saboff  <msaboff@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -143 +143 @@
 }
 
-template<typename ViewClass>
-char* newTypedArrayWithOneArgument(
-    ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
-{
-    VM& vm = exec->vm();
-    NativeCallFrameTracer tracer(&vm, exec);
-    
-    JSValue value = JSValue::decode(encodedValue);
-    
-    if (JSArrayBuffer* jsBuffer = jsDynamicCast<JSArrayBuffer*>(value)) {
-        RefPtr<ArrayBuffer> buffer = jsBuffer->impl();
-        
-        if (buffer->byteLength() % ViewClass::elementSize) {
-            vm.throwException(exec, createRangeError(exec, ASCIILiteral("ArrayBuffer length minus the byteOffset is not a multiple of the element size")));
-            return 0;
-        }
-        return bitwise_cast<char*>(
-            ViewClass::create(
-                exec, structure, buffer, 0, buffer->byteLength() / ViewClass::elementSize));
-    }
-    
-    if (JSObject* object = jsDynamicCast<JSObject*>(value)) {
-        unsigned length = object->get(exec, vm.propertyNames->length).toUInt32(exec);
-        if (exec->hadException())
-            return 0;
-        
-        ViewClass* result = ViewClass::createUninitialized(exec, structure, length);
-        if (!result)
-            return 0;
-        
-        if (!result->set(exec, object, 0, length))
-            return 0;
-        
-        return bitwise_cast<char*>(result);
-    }
-    
-    int length;
-    if (value.isInt32())
-        length = value.asInt32();
-    else if (!value.isNumber()) {
-        vm.throwException(exec, createTypeError(exec, ASCIILiteral("Invalid array length argument")));
-        return 0;
-    } else {
-        length = static_cast<int>(value.asNumber());
-        if (length != value.asNumber()) {
-            vm.throwException(exec, createTypeError(exec, ASCIILiteral("Invalid array length argument (fractional lengths not allowed)")));
-            return 0;
-        }
-    }
-    
-    if (length < 0) {
-        vm.throwException(exec, createRangeError(exec, ASCIILiteral("Requested length is negative")));
-        return 0;
-    }
-    
-    return bitwise_cast<char*>(ViewClass::create(exec, structure, length));
-}
-
 extern "C" {
 
@@ -665 +607 @@
     ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
 {
-    return newTypedArrayWithOneArgument<JSInt8Array>(exec, structure, encodedValue);
+    return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSInt8Array>(exec, structure, encodedValue));
 }
 
@@ -677 +619 @@
     ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
 {
-    return newTypedArrayWithOneArgument<JSInt16Array>(exec, structure, encodedValue);
+    return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSInt16Array>(exec, structure, encodedValue));
 }
 
@@ -689 +631 @@
     ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
 {
-    return newTypedArrayWithOneArgument<JSInt32Array>(exec, structure, encodedValue);
+    return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSInt32Array>(exec, structure, encodedValue));
 }
 
@@ -701 +643 @@
     ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
 {
-    return newTypedArrayWithOneArgument<JSUint8Array>(exec, structure, encodedValue);
+    return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSUint8Array>(exec, structure, encodedValue));
 }
 
@@ -713 +655 @@
     ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
 {
-    return newTypedArrayWithOneArgument<JSUint8ClampedArray>(exec, structure, encodedValue);
+    return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSUint8ClampedArray>(exec, structure, encodedValue));
 }
 
@@ -725 +667 @@
     ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
 {
-    return newTypedArrayWithOneArgument<JSUint16Array>(exec, structure, encodedValue);
+    return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSUint16Array>(exec, structure, encodedValue));
 }
 
@@ -737 +679 @@
     ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
 {
-    return newTypedArrayWithOneArgument<JSUint32Array>(exec, structure, encodedValue);
+    return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSUint32Array>(exec, structure, encodedValue));
 }
 
@@ -749 +691 @@
     ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
 {
-    return newTypedArrayWithOneArgument<JSFloat32Array>(exec, structure, encodedValue);
+    return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSFloat32Array>(exec, structure, encodedValue));
 }
 
@@ -761 +703 @@
     ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
 {
-    return newTypedArrayWithOneArgument<JSFloat64Array>(exec, structure, encodedValue);
+    return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSFloat64Array>(exec, structure, encodedValue));
 }
 

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h

@@ -78 +78 @@
 
 template<typename ViewClass>
-static EncodedJSValue constructGenericTypedArrayViewFromIterator(ExecState* exec, Structure* structure, JSValue iterator)
+static JSObject* constructGenericTypedArrayViewFromIterator(ExecState* exec, Structure* structure, JSValue iterator)
 {
     if (!iterator.isObject())
-        return JSValue::encode(throwTypeError(exec, "Symbol.Iterator for the first argument did not return an object."));
+        return throwTypeError(exec, "Symbol.Iterator for the first argument did not return an object.");
 
     MarkedArgumentBuffer storage;
@@ -87 +87 @@
         JSValue next = iteratorStep(exec, iterator);
         if (exec->hadException())
-            return JSValue::encode(jsUndefined());
+            return nullptr;
 
         if (next.isFalse())
@@ -94 +94 @@
         JSValue nextItem = iteratorValue(exec, next);
         if (exec->hadException())
-            return JSValue::encode(jsUndefined());
+            return nullptr;
 
         storage.append(nextItem);
@@ -102 +102 @@
     if (!result) {
         ASSERT(exec->hadException());
-        return JSValue::encode(jsUndefined());
+        return nullptr;
     }
 
@@ -108 +108 @@
         if (!result->setIndex(exec, i, storage.at(i))) {
             ASSERT(exec->hadException());
-            return JSValue::encode(jsUndefined());
-        }
-    }
-
-    return JSValue::encode(result);
-}
-
-template<typename ViewClass>
-static EncodedJSValue JSC_HOST_CALL constructGenericTypedArrayView(ExecState* exec)
-{
-    Structure* structure =
-        asInternalFunction(exec->callee())->globalObject()->typedArrayStructure(
-            ViewClass::TypedArrayStorageType);
-
+            return nullptr;
+        }
+    }
+
+    return result;
+}
+
+template<typename ViewClass, bool checkForOtherArguments = false>
+static JSObject* constructGenericTypedArrayViewWithFirstArgument(ExecState* exec, Structure* structure, EncodedJSValue firstArgument)
+{
+    JSValue firstValue = JSValue::decode(firstArgument);
     VM& vm = exec->vm();
 
-    if (!exec->argumentCount()) {
-        if (ViewClass::TypedArrayStorageType == TypeDataView)
-            return throwVMError(exec, createTypeError(exec, "DataView constructor requires at least one argument."));
-        
-        // Even though the documentation doesn't say so, it's correct to say
-        // "new Int8Array()". This is the same as allocating an array of zero
-        // length.
-        return JSValue::encode(ViewClass::create(exec, structure, 0));
-    }
-    
-    if (JSArrayBuffer* jsBuffer = jsDynamicCast<JSArrayBuffer*>(exec->argument(0))) {
+    if (JSArrayBuffer* jsBuffer = jsDynamicCast<JSArrayBuffer*>(firstValue)) {
         RefPtr<ArrayBuffer> buffer = jsBuffer->impl();
-        
-        unsigned offset = (exec->argumentCount() > 1) ? exec->uncheckedArgument(1).toUInt32(exec) : 0;
-        if (exec->hadException())
-            return JSValue::encode(jsUndefined());
+
+        unsigned offset = 0;
         unsigned length = 0;
-        if (exec->argumentCount() > 2) {
+        if (checkForOtherArguments && exec->argumentCount() > 1) {
+            offset = exec->uncheckedArgument(1).toUInt32(exec);
+            if (exec->hadException())
+                return nullptr;
+        }
+
+        if (checkForOtherArguments && exec->argumentCount() > 2) {
             length = exec->uncheckedArgument(2).toUInt32(exec);
             if (exec->hadException())
-                return JSValue::encode(jsUndefined());
+                return nullptr;
         } else {
             if ((buffer->byteLength() - offset) % ViewClass::elementSize)
-                return throwVMError(exec, createRangeError(exec, "ArrayBuffer length minus the byteOffset is not a multiple of the element size"));
+                return throwRangeError(exec, "ArrayBuffer length minus the byteOffset is not a multiple of the element size");
             length = (buffer->byteLength() - offset) / ViewClass::elementSize;
-        }
-        return JSValue::encode(ViewClass::create(exec, structure, buffer, offset, length));
+
+        }
+
+        return ViewClass::create(exec, structure, buffer, offset, length);
     }
     
     if (ViewClass::TypedArrayStorageType == TypeDataView)
-        return throwVMError(exec, createTypeError(exec, "Expected ArrayBuffer for the first argument."));
+        return throwTypeError(exec, "Expected ArrayBuffer for the first argument.");
     
     // For everything but DataView, we allow construction with any of:
     // - Another array. This creates a copy of the of that array.
     // - An integer. This creates a new typed array of that length and zero-initializes it.
-    
-    if (JSObject* object = jsDynamicCast<JSObject*>(exec->uncheckedArgument(0))) {
-        PropertySlot lengthSlot(object);
-        object->getPropertySlot(exec, vm.propertyNames->length, lengthSlot);
-
-        if (!isTypedView(object->classInfo()->typedArrayStorageType)) {
+
+    if (JSObject* object = jsDynamicCast<JSObject*>(firstValue)) {
+        unsigned length;
+
+        if (isTypedView(object->classInfo()->typedArrayStorageType))
+            length = jsCast<JSArrayBufferView*>(object)->length();
+        else {
+            PropertySlot lengthSlot(object);
+            object->getPropertySlot(exec, vm.propertyNames->length, lengthSlot);
+
             JSValue iteratorFunc = object->get(exec, vm.propertyNames->iteratorSymbol);
             if (exec->hadException())
-                return JSValue::encode(jsUndefined());
+                return nullptr;
 
             // We would like not use the iterator as it is painfully slow. Fortunately, unless
             // 1) The iterator is not a known iterator.
             // 2) The base object does not have a length getter.
-            // 3) Bad times are being had.
+            // 3) The base object might have indexed getters.
             // it should not be observable that we do not use the iterator.
 
             if (!iteratorFunc.isUndefined()
-                && (iteratorFunc != exec->lexicalGlobalObject()->arrayProtoValuesFunction()
+                && (iteratorFunc != object->globalObject()->arrayProtoValuesFunction()
                     || lengthSlot.isAccessor() || lengthSlot.isCustom()
-                    || exec->lexicalGlobalObject()->isHavingABadTime())) {
+                    || hasAnyArrayStorage(object->indexingType()))) {
 
                     CallData callData;
                     CallType callType = getCallData(iteratorFunc, callData);
                     if (callType == CallTypeNone)
-                        return JSValue::encode(throwTypeError(exec, "Symbol.Iterator for the first argument cannot be called."));
+                        return throwTypeError(exec, "Symbol.Iterator for the first argument cannot be called.");
 
                     ArgList arguments;
                     JSValue iterator = call(exec, iteratorFunc, callType, callData, object, arguments);
                     if (exec->hadException())
-                        return JSValue::encode(jsUndefined());
+                        return nullptr;
 
                     return constructGenericTypedArrayViewFromIterator<ViewClass>(exec, structure, iterator);
-
             }
-        }
-
-        unsigned length = lengthSlot.getValue(exec, vm.propertyNames->length).toUInt32(exec);
-        if (exec->hadException())
-            return JSValue::encode(jsUndefined());
+
+            length = lengthSlot.isUnset() ? 0 : lengthSlot.getValue(exec, vm.propertyNames->length).toUInt32(exec);
+            if (exec->hadException())
+                return nullptr;
+        }
+
         
         ViewClass* result = ViewClass::createUninitialized(exec, structure, length);
         if (!result) {
             ASSERT(exec->hadException());
-            return JSValue::encode(jsUndefined());
+            return nullptr;
         }
         
         if (!result->set(exec, object, 0, length))
-            return JSValue::encode(jsUndefined());
+            return nullptr;
         
-        return JSValue::encode(result);
+        return result;
     }
     
     int length;
-    if (exec->uncheckedArgument(0).isInt32())
-        length = exec->uncheckedArgument(0).asInt32();
-    else if (!exec->uncheckedArgument(0).isNumber())
-        return throwVMError(exec, createTypeError(exec, "Invalid array length argument"));
+    if (firstValue.isInt32())
+        length = firstValue.asInt32();
+    else if (!firstValue.isNumber())
+        return throwTypeError(exec, "Invalid array length argument");
     else {
-        length = static_cast<int>(exec->uncheckedArgument(0).asNumber());
-        if (length != exec->uncheckedArgument(0).asNumber())
-            return throwVMError(exec, createTypeError(exec, "Invalid array length argument (fractional lengths not allowed)"));
+        length = static_cast<int>(firstValue.asNumber());
+        if (length != firstValue.asNumber())
+            return throwTypeError(exec, "Invalid array length argument (fractional lengths not allowed)");
     }
 
     if (length < 0)
-        return throwVMError(exec, createRangeError(exec, "Requested length is negative"));
-    return JSValue::encode(ViewClass::create(exec, structure, length));
+        return throwRangeError(exec, "Requested length is negative");
+    return ViewClass::create(exec, structure, length);
+}
+
+template<typename ViewClass>
+static EncodedJSValue JSC_HOST_CALL constructGenericTypedArrayView(ExecState* exec)
+{
+    Structure* structure =
+        asInternalFunction(exec->callee())->globalObject()->typedArrayStructure(
+            ViewClass::TypedArrayStorageType);
+
+    if (!exec->argumentCount()) {
+        if (ViewClass::TypedArrayStorageType == TypeDataView)
+            return throwVMError(exec, createTypeError(exec, "DataView constructor requires at least one argument."));
+
+        return JSValue::encode(ViewClass::create(exec, structure, 0));
+    }
+
+    return JSValue::encode(constructGenericTypedArrayViewWithFirstArgument<ViewClass, true>(exec, structure, JSValue::encode(exec->uncheckedArgument(0))));
 }
 

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

@@ -67 +67 @@
         return throwVMError(exec, createTypeError(exec, "Expected at least one argument"));
 
-    JSObject* sourceArray = jsDynamicCast<JSObject*>(exec->uncheckedArgument(0));
-    if (!sourceArray)
-        return throwVMError(exec, createTypeError(exec, "First argument should be an object"));
-
     unsigned offset;
     if (exec->argumentCount() >= 2) {
@@ -79 +75 @@
         offset = 0;
 
-    unsigned length = sourceArray->get(exec, exec->vm().propertyNames->length).toUInt32(exec);
+    JSObject* sourceArray = jsDynamicCast<JSObject*>(exec->uncheckedArgument(0));
+    if (!sourceArray)
+        return throwVMError(exec, createTypeError(exec, "First argument should be an object"));
+
+    unsigned length;
+    if (isTypedView(sourceArray->classInfo()->typedArrayStorageType))
+        length = jsDynamicCast<JSArrayBufferView*>(sourceArray)->length();
+    else
+        length = sourceArray->get(exec, exec->vm().propertyNames->length).toUInt32(exec);
+
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -284 +289 @@
 }
 
-
 template<typename ViewClass>
 EncodedJSValue JSC_HOST_CALL genericTypedArrayViewProtoFuncReverse(ExecState* exec)