Changeset 269574 in webkit

Timestamp:

Nov 8, 2020 9:02:22 PM (21 months ago)

Author:

ysuzuki@apple.com

Message:

[JSC] Support @@species in ArrayBuffer / SharedArrayBuffer slice
​https://bugs.webkit.org/show_bug.cgi?id=218697

Reviewed by Ross Kirsling.

JSTests:

• test262/expectations.yaml:

Source/JavaScriptCore:

This patch adds support for @@species in ArrayBuffer/SharedArrayBuffer.prototype.slice.
We leverage the mechanism similar to Array's @@species handling: adding fast path with watchpoint.
When we found that some of critical properties (e.g. %Prototype%.constructor, %Constructor%[@@species])
are modified, watchpoint is fired and we go to the slow path. Until that, we use fast path that is
basically the same to the code before this patch.

• runtime/ArrayBuffer.cpp:

(JSC::ArrayBuffer::slice const):
(JSC::ArrayBuffer::sliceWithClampedIndex const):
(JSC::ArrayBuffer::sliceImpl const): Deleted.

• runtime/ArrayBuffer.h:
• runtime/ArrayBufferSharingMode.h:
• runtime/ArrayPrototype.cpp:

(JSC::speciesWatchpointIsValid):

• runtime/JSArrayBufferPrototype.cpp:

(JSC::speciesWatchpointIsValid):
(JSC::arrayBufferSlice):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
(JSC::JSGlobalObject::tryInstallSpeciesWatchpoint):
(JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
(JSC::JSGlobalObject::tryInstallArrayBufferSpeciesWatchpoint):

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::arrayBufferSpeciesWatchpointSet):
(JSC::JSGlobalObject::arrayBufferPrototype const):
(JSC::JSGlobalObject::arrayBufferStructure const):
(JSC::JSGlobalObject::arrayBufferConstructor const):

Source/WTF:

Remove ENABLE(SHARED_ARRAY_BUFFER) flag. We use Options::useSharedArrayBuffer() runtime flag instead.

• wtf/PlatformEnable.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/test262/expectations.yaml (modified) (3 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/ArrayBuffer.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/ArrayBuffer.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ArrayBufferSharingMode.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ArrayPrototype.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (8 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (8 diffs)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/PlatformEnable.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-11-08  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Support @@species in ArrayBuffer / SharedArrayBuffer slice
+        https://bugs.webkit.org/show_bug.cgi?id=218697
+
+        Reviewed by Ross Kirsling.
+
+        * test262/expectations.yaml:
+
 2020-11-06  Dmitry Bezhetskov  <dbezhetskov@igalia.com>
 

trunk/JSTests/test262/expectations.yaml

@@ -604 +604 @@
 test/annexB/language/global-code/switch-dflt-global-skip-early-err.js:
   default: "SyntaxError: Cannot declare a function that shadows a let/const/class/function variable 'f' in strict mode."
-test/built-ins/ArrayBuffer/prototype/slice/species-constructor-is-not-object.js:
-  default: 'Test262Error: `constructor` value is null Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: `constructor` value is null Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/ArrayBuffer/prototype/slice/species-is-not-constructor.js:
-  default: 'Test262Error: `constructor[Symbol.species]` value is Object Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: `constructor[Symbol.species]` value is Object Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/ArrayBuffer/prototype/slice/species-is-not-object.js:
-  default: 'Test262Error: `constructor[Symbol.species]` value is Boolean Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: `constructor[Symbol.species]` value is Boolean Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/ArrayBuffer/prototype/slice/species-returns-larger-arraybuffer.js:
-  default: 'Test262Error: Expected SameValue(«8», «10») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«8», «10») to be true'
-test/built-ins/ArrayBuffer/prototype/slice/species-returns-not-arraybuffer.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/ArrayBuffer/prototype/slice/species-returns-same-arraybuffer.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/ArrayBuffer/prototype/slice/species-returns-smaller-arraybuffer.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/ArrayBuffer/prototype/slice/species.js:
-  default: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «undefined») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «undefined») to be true'
 test/built-ins/Date/UTC/fp-evaluation-order.js:
   default: 'Test262Error: order of operations / precision in MakeTime Expected SameValue(«NaN», «29312») to be true'
@@ -848 +824 @@
   default: 'SyntaxError: Invalid regular expression: number too large in {} quantifier'
   strict mode: 'SyntaxError: Invalid regular expression: number too large in {} quantifier'
-test/built-ins/SharedArrayBuffer/prototype/slice/species-constructor-is-not-object.js:
-  default: 'Test262Error: `constructor` value is null Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: `constructor` value is null Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/SharedArrayBuffer/prototype/slice/species-is-not-constructor.js:
-  default: 'Test262Error: `constructor[Symbol.species]` value is Object Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: `constructor[Symbol.species]` value is Object Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/SharedArrayBuffer/prototype/slice/species-is-not-object.js:
-  default: 'Test262Error: `constructor[Symbol.species]` value is Boolean Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: `constructor[Symbol.species]` value is Boolean Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/SharedArrayBuffer/prototype/slice/species-returns-larger-arraybuffer.js:
-  default: 'Test262Error: Expected SameValue(«8», «10») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«8», «10») to be true'
-test/built-ins/SharedArrayBuffer/prototype/slice/species-returns-not-arraybuffer.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/SharedArrayBuffer/prototype/slice/species-returns-same-arraybuffer.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/SharedArrayBuffer/prototype/slice/species-returns-smaller-arraybuffer.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/SharedArrayBuffer/prototype/slice/species.js:
-  default: 'Test262Error: Expected SameValue(«[object SharedArrayBuffer]», «undefined») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object SharedArrayBuffer]», «undefined») to be true'
 test/built-ins/TypedArray/prototype/every/callbackfn-detachbuffer.js:
   default: 'Test262Error: Expected a TypeError but got a Test262Error (Testing with Float64Array.)'
@@ -2746 +2698 @@
 test/language/statements/class/method/forbidden-ext/b2/cls-decl-meth-forbidden-ext-indirect-access-prop-caller.js:
   default: 'TypeError: Function.caller used to retrieve strict caller'
-test/language/statements/class/subclass/builtin-objects/ArrayBuffer/regular-subclassing.js:
-  default: 'Test262Error: Expected true but got false'
-  strict mode: 'Test262Error: Expected true but got false'
 test/language/statements/const/dstr/ary-init-iter-get-err-array-prototype.js:
   default: 'TypeError: Spread syntax requires ...iterable[Symbol.iterator] to be a function'

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-11-08  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Support @@species in ArrayBuffer / SharedArrayBuffer slice
+        https://bugs.webkit.org/show_bug.cgi?id=218697
+
+        Reviewed by Ross Kirsling.
+
+        This patch adds support for @@species in ArrayBuffer/SharedArrayBuffer.prototype.slice.
+        We leverage the mechanism similar to Array's @@species handling: adding fast path with watchpoint.
+        When we found that some of critical properties (e.g. %Prototype%.constructor, %Constructor%[@@species])
+        are modified, watchpoint is fired and we go to the slow path. Until that, we use fast path that is
+        basically the same to the code before this patch.
+
+        * runtime/ArrayBuffer.cpp:
+        (JSC::ArrayBuffer::slice const):
+        (JSC::ArrayBuffer::sliceWithClampedIndex const):
+        (JSC::ArrayBuffer::sliceImpl const): Deleted.
+        * runtime/ArrayBuffer.h:
+        * runtime/ArrayBufferSharingMode.h:
+        * runtime/ArrayPrototype.cpp:
+        (JSC::speciesWatchpointIsValid):
+        * runtime/JSArrayBufferPrototype.cpp:
+        (JSC::speciesWatchpointIsValid):
+        (JSC::arrayBufferSlice):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::JSGlobalObject):
+        (JSC::JSGlobalObject::init):
+        (JSC::JSGlobalObject::visitChildren):
+        (JSC::JSGlobalObject::tryInstallSpeciesWatchpoint):
+        (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
+        (JSC::JSGlobalObject::tryInstallArrayBufferSpeciesWatchpoint):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::arrayBufferSpeciesWatchpointSet):
+        (JSC::JSGlobalObject::arrayBufferPrototype const):
+        (JSC::JSGlobalObject::arrayBufferStructure const):
+        (JSC::JSGlobalObject::arrayBufferConstructor const):
+
 2020-11-06  Dmitry Bezhetskov  <dbezhetskov@igalia.com>
 

trunk/Source/JavaScriptCore/runtime/ArrayBuffer.cpp

@@ -312 +312 @@
 RefPtr<ArrayBuffer> ArrayBuffer::slice(double begin, double end) const
 {
-    return sliceImpl(clampIndex(begin), clampIndex(end));
+    return sliceWithClampedIndex(clampIndex(begin), clampIndex(end));
 }
 
 RefPtr<ArrayBuffer> ArrayBuffer::slice(double begin) const
 {
-    return sliceImpl(clampIndex(begin), byteLength());
-}
-
-RefPtr<ArrayBuffer> ArrayBuffer::sliceImpl(unsigned begin, unsigned end) const
+    return sliceWithClampedIndex(clampIndex(begin), byteLength());
+}
+
+RefPtr<ArrayBuffer> ArrayBuffer::sliceWithClampedIndex(unsigned begin, unsigned end) const
 {
     unsigned size = begin <= end ? end - begin : 0;

trunk/Source/JavaScriptCore/runtime/ArrayBuffer.h

@@ -138 +138 @@
     JS_EXPORT_PRIVATE RefPtr<ArrayBuffer> slice(double begin, double end) const;
     JS_EXPORT_PRIVATE RefPtr<ArrayBuffer> slice(double begin) const;
+    JS_EXPORT_PRIVATE RefPtr<ArrayBuffer> sliceWithClampedIndex(unsigned begin, unsigned end) const;
     
     inline void pin();
@@ -165 +166 @@
     static RefPtr<ArrayBuffer> tryCreate(unsigned numElements, unsigned elementByteSize, ArrayBufferContents::InitializationPolicy);
     ArrayBuffer(ArrayBufferContents&&);
-    RefPtr<ArrayBuffer> sliceImpl(unsigned begin, unsigned end) const;
     inline unsigned clampIndex(double index) const;
     static inline unsigned clampValue(double x, unsigned left, unsigned right);

trunk/Source/JavaScriptCore/runtime/ArrayBufferSharingMode.h

@@ -31 +31 @@
 namespace JSC {
 
-enum class ArrayBufferSharingMode {
-    Default,
+enum class ArrayBufferSharingMode : uint8_t {
+    Default = 0,
     Shared
 };

trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

@@ -187 +187 @@
 }
 
-ALWAYS_INLINE bool speciesWatchpointIsValid(VM& vm, JSObject* thisObject)
+static ALWAYS_INLINE bool speciesWatchpointIsValid(VM& vm, JSObject* thisObject)
 {
     JSGlobalObject* globalObject = thisObject->globalObject(vm);

trunk/Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp

@@ -31 +31 @@
 
 namespace JSC {
+namespace JSArrayBufferPrototypeInternal {
+static constexpr bool verbose = false;
+};
 
 static JSC_DECLARE_HOST_FUNCTION(arrayBufferProtoFuncSlice);
@@ -37 +40 @@
 static JSC_DECLARE_HOST_FUNCTION(sharedArrayBufferProtoGetterFuncByteLength);
 
-static EncodedJSValue arrayBufferSlice(JSGlobalObject* globalObject, JSValue arrayBufferValue, JSValue startValue, JSValue endValue, ArrayBufferSharingMode mode)
-{
+
+static ALWAYS_INLINE bool speciesWatchpointIsValid(VM& vm, JSObject* thisObject, ArrayBufferSharingMode mode)
+{
+    JSGlobalObject* globalObject = thisObject->globalObject(vm);
+    auto* prototype = globalObject->arrayBufferPrototype(mode);
+
+    if (globalObject->arrayBufferSpeciesWatchpointSet(mode).stateOnJSThread() == ClearWatchpoint) {
+        dataLogLnIf(JSArrayBufferPrototypeInternal::verbose, "Initializing ArrayBuffer species watchpoints for ArrayBuffer.prototype: ", pointerDump(prototype), " with structure: ", pointerDump(prototype->structure(vm)), "\nand ArrayBuffer: ", pointerDump(globalObject->arrayBufferConstructor(mode)), " with structure: ", pointerDump(globalObject->arrayBufferConstructor(mode)->structure(vm)));
+        globalObject->tryInstallArrayBufferSpeciesWatchpoint(mode);
+        ASSERT(globalObject->arrayBufferSpeciesWatchpointSet(mode).stateOnJSThread() != ClearWatchpoint);
+    }
+
+    return !thisObject->hasCustomProperties(vm)
+        && prototype == thisObject->getPrototypeDirect(vm)
+        && globalObject->arrayBufferSpeciesWatchpointSet(mode).stateOnJSThread() == IsWatched;
+}
+
+enum class SpeciesConstructResult : uint8_t {
+    FastPath,
+    Exception,
+    CreatedObject
+};
+
+static ALWAYS_INLINE std::pair<SpeciesConstructResult, JSArrayBuffer*> speciesConstructArrayBuffer(JSGlobalObject* globalObject, JSArrayBuffer* thisObject, unsigned length, ArrayBufferSharingMode mode)
+{
+    // This is optimized way of SpeciesConstruct invoked from {ArrayBuffer,SharedArrayBuffer}.prototype.slice.
+    // https://tc39.es/ecma262/#sec-arraybuffer.prototype.slice
+    // https://tc39.es/ecma262/#sec-sharedarraybuffer.prototype.slice
     VM& vm = globalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
 
+    auto exceptionResult = [] () {
+        return std::make_pair(SpeciesConstructResult::Exception, nullptr);
+    };
+
+    // Fast path in the normal case where the user has not set an own constructor and the ArrayBuffer.prototype.constructor is normal.
+    // We need prototype check for subclasses of ArrayBuffer, which are ArrayBuffer objects but have a different prototype by default.
+    bool isValid = speciesWatchpointIsValid(vm, thisObject, mode);
+    scope.assertNoException();
+    if (LIKELY(isValid))
+        return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
+
+    JSValue constructor = thisObject->get(globalObject, vm.propertyNames->constructor);
+    RETURN_IF_EXCEPTION(scope, exceptionResult());
+    if (constructor.isConstructor(vm)) {
+        JSObject* constructorObject = jsCast<JSObject*>(constructor);
+        JSGlobalObject* globalObjectFromConstructor = constructorObject->globalObject(vm);
+        bool isArrayBufferConstructorFromAnotherRealm = globalObject != globalObjectFromConstructor
+            && constructorObject == globalObjectFromConstructor->arrayBufferConstructor(mode);
+        if (isArrayBufferConstructorFromAnotherRealm)
+            return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
+    }
+    if (constructor.isObject()) {
+        constructor = constructor.get(globalObject, vm.propertyNames->speciesSymbol);
+        RETURN_IF_EXCEPTION(scope, exceptionResult());
+        if (constructor.isNull())
+            return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
+    }
+
+    if (constructor.isUndefined())
+        return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
+
+    // 16. Let new be ? Construct(ctor, « 𝔽(newLen) »).
+    MarkedArgumentBuffer args;
+    args.append(jsNumber(length));
+    ASSERT(!args.hasOverflowed());
+    JSObject* newObject = construct(globalObject, constructor, args, "Species construction did not get a valid constructor");
+    RETURN_IF_EXCEPTION(scope, exceptionResult());
+
+    // 17. Perform ? RequireInternalSlot(new, [[ArrayBufferData]]).
+    JSArrayBuffer* result = jsDynamicCast<JSArrayBuffer*>(vm, newObject);
+    if (UNLIKELY(!result)) {
+        throwTypeError(globalObject, scope, "Species construction does not create ArrayBuffer"_s);
+        return exceptionResult();
+    }
+
+    if (mode == ArrayBufferSharingMode::Default) {
+        // 18. If IsSharedArrayBuffer(new) is true, throw a TypeError exception.
+        if (result->isShared()) {
+            throwTypeError(globalObject, scope, "ArrayBuffer.prototype.slice creates SharedArrayBuffer"_s);
+            return exceptionResult();
+        }
+        // 19. If IsDetachedBuffer(new) is true, throw a TypeError exception.
+        if (result->impl()->isDetached()) {
+            throwVMTypeError(globalObject, scope, "Created ArrayBuffer is detached"_s);
+            return exceptionResult();
+        }
+    } else {
+        // 17. If IsSharedArrayBuffer(new) is false, throw a TypeError exception.
+        if (!result->isShared()) {
+            throwTypeError(globalObject, scope, "SharedArrayBuffer.prototype.slice creates non-shared ArrayBuffer"_s);
+            return exceptionResult();
+        }
+    }
+
+    // 20. If SameValue(new, O) is true, throw a TypeError exception.
+    if (result == thisObject) {
+        throwVMTypeError(globalObject, scope, "Species construction returns same ArrayBuffer to a receiver"_s);
+        return exceptionResult();
+    }
+
+    // 21. If new.[[ArrayBufferByteLength]] < newLen, throw a TypeError exception.
+    if (result->impl()->byteLength() < length) {
+        throwVMTypeError(globalObject, scope, "Species construction returns ArrayBuffer which byteLength is less than requested"_s);
+        return exceptionResult();
+    }
+
+    return std::make_pair(SpeciesConstructResult::CreatedObject, result);
+}
+
+
+static EncodedJSValue arrayBufferSlice(JSGlobalObject* globalObject, JSValue arrayBufferValue, JSValue startValue, JSValue endValue, ArrayBufferSharingMode mode)
+{
+    // https://tc39.es/ecma262/#sec-arraybuffer.prototype.slice
+    // https://tc39.es/ecma262/#sec-sharedarraybuffer.prototype.slice
+
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    // 2. Perform ? RequireInternalSlot(O, [[ArrayBufferData]]).
+    // 3. If IsSharedArrayBuffer(O) is true, throw a TypeError exception.
     JSArrayBuffer* thisObject = jsDynamicCast<JSArrayBuffer*>(vm, arrayBufferValue);
     if (!thisObject || (mode != thisObject->impl()->sharingMode()))
         return throwVMTypeError(globalObject, scope, makeString("Receiver must be "_s, mode == ArrayBufferSharingMode::Default ? "ArrayBuffer"_s : "SharedArrayBuffer"_s));
 
+    // 4. If IsDetachedBuffer(O) is true, throw a TypeError exception.
     if (mode == ArrayBufferSharingMode::Default && thisObject->impl()->isDetached())
         return throwVMTypeError(globalObject, scope, "Receiver is detached"_s);
 
-    double begin = startValue.toIntegerOrInfinity(globalObject);
+    // 5. Let len be O.[[ArrayBufferByteLength]].
+    unsigned byteLength = thisObject->impl()->byteLength();
+    unsigned firstIndex = 0;
+    double relativeStart = startValue.toIntegerOrInfinity(globalObject);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
-
-    double end;
+    if (relativeStart < 0)
+        firstIndex = static_cast<unsigned>(std::max<double>(byteLength + relativeStart, 0));
+    else
+        firstIndex = static_cast<unsigned>(std::min<double>(relativeStart, byteLength));
+    ASSERT(firstIndex >= 0);
+    ASSERT(firstIndex <= byteLength);
+
+    unsigned finalIndex = 0;
     if (!endValue.isUndefined()) {
-        end = endValue.toIntegerOrInfinity(globalObject);
+        double relativeEnd = endValue.toIntegerOrInfinity(globalObject);
         RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        if (relativeEnd < 0)
+            finalIndex = static_cast<unsigned>(std::max<double>(byteLength + relativeEnd, 0));
+        else
+            finalIndex = static_cast<unsigned>(std::min<double>(relativeEnd, byteLength));
     } else
-        end = thisObject->impl()->byteLength();
+        finalIndex = thisObject->impl()->byteLength();
+    ASSERT(finalIndex >= 0);
+    ASSERT(finalIndex <= byteLength);
+
+    // 14. Let newLen be max(final - first, 0).
+    unsigned newLength = (finalIndex >= firstIndex) ? finalIndex - firstIndex : 0;
+
+    // 15. Let ctor be ? SpeciesConstructor(O, %ArrayBuffer%).
+    auto speciesResult = speciesConstructArrayBuffer(globalObject, thisObject, newLength, mode);
+    // We can only get an exception if we call some user function.
+    EXCEPTION_ASSERT(!!scope.exception() == (speciesResult.first == SpeciesConstructResult::Exception));
+    if (UNLIKELY(speciesResult.first == SpeciesConstructResult::Exception))
+        return { };
 
     // 23. If IsDetachedBuffer(O) is true, throw a TypeError exception.
-    // Check detach status again since toIntegerOrInfinity can have side effect.
     if (mode == ArrayBufferSharingMode::Default && thisObject->impl()->isDetached())
         return throwVMTypeError(globalObject, scope, "Receiver is detached"_s);
 
-    auto newBuffer = thisObject->impl()->slice(begin, end);
-    if (!newBuffer)
-        return JSValue::encode(throwOutOfMemoryError(globalObject, scope));
-
-    Structure* structure = globalObject->arrayBufferStructure(newBuffer->sharingMode());
-
-    JSArrayBuffer* result = JSArrayBuffer::create(vm, structure, WTFMove(newBuffer));
-
-    return JSValue::encode(result);
+    if (LIKELY(speciesResult.first == SpeciesConstructResult::FastPath)) {
+        ASSERT(!thisObject->impl()->isDetached());
+        auto newBuffer = thisObject->impl()->sliceWithClampedIndex(firstIndex, finalIndex);
+        if (!newBuffer)
+            return JSValue::encode(throwOutOfMemoryError(globalObject, scope));
+        Structure* structure = globalObject->arrayBufferStructure(newBuffer->sharingMode());
+        JSArrayBuffer* result = JSArrayBuffer::create(vm, structure, WTFMove(newBuffer));
+        return JSValue::encode(result);
+    }
+
+    // 24. Let fromBuf be O.[[ArrayBufferData]].
+    // 25. Let toBuf be new.[[ArrayBufferData]].
+    // 26. Perform CopyDataBlockBytes(toBuf, 0, fromBuf, first, newLen).
+    JSArrayBuffer* newObject = speciesResult.second;
+    ASSERT(!thisObject->impl()->isDetached());
+    ASSERT(!newObject->impl()->isDetached());
+    ASSERT(newObject->impl()->byteLength() >= newLength);
+    memcpy(newObject->impl()->data(), static_cast<const char*>(thisObject->impl()->data()) + firstIndex, newLength);
+    return JSValue::encode(newObject);
 }
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -500 +500 @@
     , m_mapSetWatchpointSet(IsWatched)
     , m_setAddWatchpointSet(IsWatched)
-    , m_arraySpeciesWatchpointSet(ClearWatchpoint)
     , m_arrayJoinWatchpointSet(IsWatched)
     , m_numberToStringWatchpointSet(IsWatched)
@@ -831 +830 @@
         });
 
-#if ENABLE(SHARED_ARRAY_BUFFER)
     if (Options::useSharedArrayBuffer()) {
-        m_sharedArrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Shared));
-        m_sharedArrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_sharedArrayBufferPrototype.get()));
-    }
-#endif
+        m_sharedArrayBufferStructure.initLater(
+            [] (LazyClassStructure::Initializer& init) {
+                init.setPrototype(JSArrayBufferPrototype::create(init.vm, init.global, JSArrayBufferPrototype::createStructure(init.vm, init.global, init.global->m_objectPrototype.get()), ArrayBufferSharingMode::Shared));
+                init.setStructure(JSArrayBuffer::createStructure(init.vm, init.global, init.prototype));
+                init.setConstructor(JSSharedArrayBufferConstructor::create(init.vm, JSSharedArrayBufferConstructor::createStructure(init.vm, init.global, init.global->m_functionPrototype.get()), jsCast<JSArrayBufferPrototype*>(init.prototype), init.global->m_speciesGetterSetter.get()));
+            });
+    }
 
     m_iteratorPrototype.set(vm, this, IteratorPrototype::create(vm, this, IteratorPrototype::createStructure(vm, this, m_objectPrototype.get())));
@@ -901 +902 @@
     m_regExpGlobalData.cachedResult().record(vm, this, nullptr, jsEmptyString(vm), MatchResult(0, 0));
     
-#if ENABLE(SHARED_ARRAY_BUFFER)
-    JSSharedArrayBufferConstructor* sharedArrayBufferConstructor = nullptr;
     AtomicsObject* atomicsObject = nullptr;
-    if (Options::useSharedArrayBuffer()) {
-        sharedArrayBufferConstructor = JSSharedArrayBufferConstructor::create(vm, JSSharedArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_sharedArrayBufferPrototype.get(), m_speciesGetterSetter.get());
-        m_sharedArrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, sharedArrayBufferConstructor, static_cast<unsigned>(PropertyAttribute::DontEnum));
-
+    if (Options::useSharedArrayBuffer())
         atomicsObject = AtomicsObject::create(vm, this, AtomicsObject::createStructure(vm, this, m_objectPrototype.get()));
-    }
-#endif
 
 #define CREATE_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase, featureFlag) \
@@ -988 +982 @@
     putDirectWithoutTransition(vm, vm.propertyNames->RegExp, regExpConstructor, static_cast<unsigned>(PropertyAttribute::DontEnum));
 
-#if ENABLE(SHARED_ARRAY_BUFFER)
     if (Options::useSharedArrayBuffer()) {
-        putDirectWithoutTransition(vm, vm.propertyNames->SharedArrayBuffer, sharedArrayBufferConstructor, static_cast<unsigned>(PropertyAttribute::DontEnum));
+        putDirectWithoutTransition(vm, vm.propertyNames->SharedArrayBuffer, m_sharedArrayBufferStructure.constructor(this), static_cast<unsigned>(PropertyAttribute::DontEnum));
         putDirectWithoutTransition(vm, vm.propertyNames->Atomics, atomicsObject, static_cast<unsigned>(PropertyAttribute::DontEnum));
     }
-#endif
 
 #define PUT_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase, featureFlag) \
@@ -2034 +2026 @@
     thisObject->m_callableProxyObjectStructure.visit(visitor);
     thisObject->m_proxyRevokeStructure.visit(visitor);
+    thisObject->m_sharedArrayBufferStructure.visit(visitor);
 
     for (auto& property : thisObject->m_linkTimeConstants)
         property.visit(visitor);
-    
-#if ENABLE(SHARED_ARRAY_BUFFER)
-    visitor.append(thisObject->m_sharedArrayBufferPrototype);
-    visitor.append(thisObject->m_sharedArrayBufferStructure);
-#endif
 
 #define VISIT_SIMPLE_TYPE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase, featureFlag) if (featureFlag) { \
@@ -2137 +2125 @@
 }
 
-void JSGlobalObject::tryInstallArraySpeciesWatchpoint()
-{
-    RELEASE_ASSERT(!m_arrayPrototypeConstructorWatchpoint);
-    RELEASE_ASSERT(!m_arrayConstructorSpeciesWatchpoint);
+void JSGlobalObject::tryInstallSpeciesWatchpoint(JSObject* prototype, JSObject* constructor, std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>& constructorWatchpoint, std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>& speciesWatchpoint, InlineWatchpointSet& speciesWatchpointSet)
+{
+    RELEASE_ASSERT(!constructorWatchpoint);
+    RELEASE_ASSERT(!speciesWatchpoint);
 
     VM& vm = this->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    // First we need to make sure that the Array.prototype.constructor property points to Array
-    // and that Array[Symbol.species] is the primordial GetterSetter.
-    ArrayPrototype* arrayPrototype = this->arrayPrototype();
+    // First we need to make sure that the %prototype%.constructor property points to a %constructor%
+    // and that %constructor%[Symbol.species] is the primordial GetterSetter.
 
     // We only initialize once so flattening the structures does not have any real cost.
-    Structure* prototypeStructure = arrayPrototype->structure(vm);
+    Structure* prototypeStructure = prototype->structure(vm);
     if (prototypeStructure->isDictionary())
-        prototypeStructure = prototypeStructure->flattenDictionaryStructure(vm, arrayPrototype);
+        prototypeStructure = prototypeStructure->flattenDictionaryStructure(vm, prototype);
     RELEASE_ASSERT(!prototypeStructure->isDictionary());
 
-    ArrayConstructor* arrayConstructor = this->arrayConstructor();
-
     auto invalidateWatchpoint = [&] {
-        m_arraySpeciesWatchpointSet.invalidate(vm, StringFireDetail("Was not able to set up array species watchpoint."));
+        speciesWatchpointSet.invalidate(vm, StringFireDetail("Was not able to set up species watchpoint."));
     };
 
-    PropertySlot constructorSlot(arrayPrototype, PropertySlot::InternalMethodType::VMInquiry, &vm);
-    arrayPrototype->getOwnPropertySlot(arrayPrototype, this, vm.propertyNames->constructor, constructorSlot);
+    PropertySlot constructorSlot(prototype, PropertySlot::InternalMethodType::VMInquiry, &vm);
+    prototype->getOwnPropertySlot(prototype, this, vm.propertyNames->constructor, constructorSlot);
     scope.assertNoException();
-    if (constructorSlot.slotBase() != arrayPrototype
+    if (constructorSlot.slotBase() != prototype
         || !constructorSlot.isCacheableValue()
-        || constructorSlot.getValue(this, vm.propertyNames->constructor) != arrayConstructor) {
+        || constructorSlot.getValue(this, vm.propertyNames->constructor) != constructor) {
         invalidateWatchpoint();
         return;
     }
 
-    Structure* constructorStructure = arrayConstructor->structure(vm);
+    Structure* constructorStructure = constructor->structure(vm);
     if (constructorStructure->isDictionary())
-        constructorStructure = constructorStructure->flattenDictionaryStructure(vm, arrayConstructor);
-
-    PropertySlot speciesSlot(arrayConstructor, PropertySlot::InternalMethodType::VMInquiry, &vm);
-    arrayConstructor->getOwnPropertySlot(arrayConstructor, this, vm.propertyNames->speciesSymbol, speciesSlot);
+        constructorStructure = constructorStructure->flattenDictionaryStructure(vm, constructor);
+
+    PropertySlot speciesSlot(constructor, PropertySlot::InternalMethodType::VMInquiry, &vm);
+    constructor->getOwnPropertySlot(constructor, this, vm.propertyNames->speciesSymbol, speciesSlot);
     scope.assertNoException();
-    if (speciesSlot.slotBase() != arrayConstructor
+    if (speciesSlot.slotBase() != constructor
         || !speciesSlot.isCacheableGetter()
         || speciesSlot.getterSetter() != speciesGetterSetter()) {
@@ -2189 +2174 @@
     constructorStructure->startWatchingPropertyForReplacements(vm, speciesSlot.cachedOffset());
 
-    ObjectPropertyCondition constructorCondition = ObjectPropertyCondition::equivalence(vm, arrayPrototype, arrayPrototype, vm.propertyNames->constructor.impl(), arrayConstructor);
-    ObjectPropertyCondition speciesCondition = ObjectPropertyCondition::equivalence(vm, arrayPrototype, arrayConstructor, vm.propertyNames->speciesSymbol.impl(), speciesGetterSetter());
+    ObjectPropertyCondition constructorCondition = ObjectPropertyCondition::equivalence(vm, prototype, prototype, vm.propertyNames->constructor.impl(), constructor);
+    ObjectPropertyCondition speciesCondition = ObjectPropertyCondition::equivalence(vm, prototype, constructor, vm.propertyNames->speciesSymbol.impl(), speciesGetterSetter());
 
     if (!constructorCondition.isWatchable() || !speciesCondition.isWatchable()) {
@@ -2198 +2183 @@
 
     // We only watch this from the DFG, and the DFG makes sure to only start watching if the watchpoint is in the IsWatched state.
-    RELEASE_ASSERT(!m_arraySpeciesWatchpointSet.isBeingWatched());
-    m_arraySpeciesWatchpointSet.touch(vm, "Set up array species watchpoint.");
-
-    m_arrayPrototypeConstructorWatchpoint = makeUnique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, constructorCondition, m_arraySpeciesWatchpointSet);
-    m_arrayPrototypeConstructorWatchpoint->install(vm);
-
-    m_arrayConstructorSpeciesWatchpoint = makeUnique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, speciesCondition, m_arraySpeciesWatchpointSet);
-    m_arrayConstructorSpeciesWatchpoint->install(vm);
+    RELEASE_ASSERT(!speciesWatchpointSet.isBeingWatched());
+    speciesWatchpointSet.touch(vm, "Set up species watchpoint.");
+
+    constructorWatchpoint = makeUnique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, constructorCondition, speciesWatchpointSet);
+    constructorWatchpoint->install(vm);
+
+    speciesWatchpoint = makeUnique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, speciesCondition, speciesWatchpointSet);
+    speciesWatchpoint->install(vm);
+}
+
+void JSGlobalObject::tryInstallArraySpeciesWatchpoint()
+{
+    RELEASE_ASSERT(!m_arrayPrototypeConstructorWatchpoint);
+    RELEASE_ASSERT(!m_arrayConstructorSpeciesWatchpoint);
+
+    tryInstallSpeciesWatchpoint(arrayPrototype(), arrayConstructor(), m_arrayPrototypeConstructorWatchpoint, m_arrayConstructorSpeciesWatchpoint, m_arraySpeciesWatchpointSet);
+}
+
+void JSGlobalObject::tryInstallArrayBufferSpeciesWatchpoint(ArrayBufferSharingMode sharingMode)
+{
+    static_assert(static_cast<unsigned>(ArrayBufferSharingMode::Default) == 0);
+    static_assert(static_cast<unsigned>(ArrayBufferSharingMode::Shared) == 1);
+    unsigned index = static_cast<unsigned>(sharingMode);
+    tryInstallSpeciesWatchpoint(arrayBufferPrototype(sharingMode), arrayBufferConstructor(sharingMode), m_arrayBufferPrototypeConstructorWatchpoints[index], m_arrayBufferConstructorSpeciesWatchpoints[index], arrayBufferSpeciesWatchpointSet(sharingMode));
 }
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -421 +421 @@
     LazyProperty<JSGlobalObject, Structure> m_callableProxyObjectStructure;
     LazyProperty<JSGlobalObject, Structure> m_proxyRevokeStructure;
-#if ENABLE(SHARED_ARRAY_BUFFER)
-    WriteBarrier<JSArrayBufferPrototype> m_sharedArrayBufferPrototype;
-    WriteBarrier<Structure> m_sharedArrayBufferStructure;
-#endif
+    LazyClassStructure m_sharedArrayBufferStructure;
 
 #define DEFINE_STORAGE_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase, featureFlag) \
@@ -488 +485 @@
     InlineWatchpointSet m_mapSetWatchpointSet;
     InlineWatchpointSet m_setAddWatchpointSet;
-    InlineWatchpointSet m_arraySpeciesWatchpointSet;
+    InlineWatchpointSet m_arraySpeciesWatchpointSet { ClearWatchpoint };
     InlineWatchpointSet m_arrayJoinWatchpointSet;
     InlineWatchpointSet m_numberToStringWatchpointSet;
+    InlineWatchpointSet m_arrayBufferSpeciesWatchpointSet { ClearWatchpoint };
+    InlineWatchpointSet m_sharedArrayBufferSpeciesWatchpointSet { ClearWatchpoint };
     std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayConstructorSpeciesWatchpoint;
     std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayPrototypeConstructorWatchpoint;
@@ -505 +504 @@
     std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeAddWatchpoint;
     std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_numberPrototypeToStringWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayBufferConstructorSpeciesWatchpoints[2];
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayBufferPrototypeConstructorWatchpoints[2];
 
 public:
@@ -521 +522 @@
         RELEASE_ASSERT(Options::useJIT());
         return m_numberToStringWatchpointSet;
+    }
+    InlineWatchpointSet& arrayBufferSpeciesWatchpointSet(ArrayBufferSharingMode sharingMode)
+    {
+        switch (sharingMode) {
+        case ArrayBufferSharingMode::Default:
+            return m_arrayBufferSpeciesWatchpointSet;
+        case ArrayBufferSharingMode::Shared:
+            return m_sharedArrayBufferSpeciesWatchpointSet;
+        }
+        RELEASE_ASSERT_NOT_REACHED();
+        return m_arrayBufferSpeciesWatchpointSet;
     }
 
@@ -872 +884 @@
     static ScriptExecutionStatus scriptExecutionStatus(JSGlobalObject*, JSObject*) { return ScriptExecutionStatus::Running; }
 
-    JSObject* arrayBufferConstructor() const { return m_arrayBufferStructure.constructor(this); }
-
     JSObject* arrayBufferPrototype(ArrayBufferSharingMode sharingMode) const
     {
@@ -879 +889 @@
         case ArrayBufferSharingMode::Default:
             return m_arrayBufferStructure.prototype(this);
-#if ENABLE(SHARED_ARRAY_BUFFER)
         case ArrayBufferSharingMode::Shared:
-            return m_sharedArrayBufferPrototype.get();
-#else
-        default:
-            return m_arrayBufferStructure.prototype(this);
-#endif
+            return m_sharedArrayBufferStructure.prototype(this);
         }
+        RELEASE_ASSERT_NOT_REACHED();
+        return nullptr;
     }
     Structure* arrayBufferStructure(ArrayBufferSharingMode sharingMode) const
@@ -893 +900 @@
         case ArrayBufferSharingMode::Default:
             return m_arrayBufferStructure.get(this);
-#if ENABLE(SHARED_ARRAY_BUFFER)
         case ArrayBufferSharingMode::Shared:
-            return m_sharedArrayBufferStructure.get();
-#else
-        default:
-            return m_arrayBufferStructure.get(this);
-#endif
+            return m_sharedArrayBufferStructure.get(this);
         }
         RELEASE_ASSERT_NOT_REACHED();
         return nullptr;
     }
+    JSObject* arrayBufferConstructor(ArrayBufferSharingMode sharingMode) const
+    {
+        switch (sharingMode) {
+        case ArrayBufferSharingMode::Default:
+            return m_arrayBufferStructure.constructor(this);
+        case ArrayBufferSharingMode::Shared:
+            return m_sharedArrayBufferStructure.constructor(this);
+        }
+        RELEASE_ASSERT_NOT_REACHED();
+        return nullptr;
+    }
+
 
 #define DEFINE_ACCESSORS_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase, featureFlag) \
@@ -1079 +1093 @@
     void installMapPrototypeWatchpoint(MapPrototype*);
     void installSetPrototypeWatchpoint(SetPrototype*);
+    void tryInstallArrayBufferSpeciesWatchpoint(ArrayBufferSharingMode);
 
 protected:
+    void tryInstallSpeciesWatchpoint(JSObject* prototype, JSObject* constructor, std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>& constructorWatchpoint, std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>& speciesWatchpoint, InlineWatchpointSet& speciesWatchpointSet);
+
     struct GlobalPropertyInfo {
         GlobalPropertyInfo(const Identifier& i, JSValue v, unsigned a)

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2020-11-08  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Support @@species in ArrayBuffer / SharedArrayBuffer slice
+        https://bugs.webkit.org/show_bug.cgi?id=218697
+
+        Reviewed by Ross Kirsling.
+
+        Remove ENABLE(SHARED_ARRAY_BUFFER) flag. We use Options::useSharedArrayBuffer() runtime flag instead.
+
+        * wtf/PlatformEnable.h:
+
 2020-11-06  Sam Weinig  <weinig@apple.com>
 

trunk/Source/WTF/wtf/PlatformEnable.h

@@ -830 +830 @@
 #endif
 
-/* Disable SharedArrayBuffers until Spectre security concerns are mitigated. */
-#define ENABLE_SHARED_ARRAY_BUFFER 1
-
-
 #if ((PLATFORM(COCOA) || PLATFORM(PLAYSTATION) || PLATFORM(WPE)) && ENABLE(ASYNC_SCROLLING)) || PLATFORM(GTK)
 #define ENABLE_KINETIC_SCROLLING 1