Changeset 270552 in webkit

Timestamp:

Dec 8, 2020 1:02:48 PM (20 months ago)

Author:

Ross Kirsling

Message:

Align %TypedArray% constructor behavior with spec
​https://bugs.webkit.org/show_bug.cgi?id=219527

Reviewed by Yusuke Suzuki.

JSTests:

• test262/expectations.yaml:

Mark 40 test cases as passing.

• wasm/fuzz/memory.js:
• wasm/js-api/test_Data.js:

Fix non-conforming typed array usage.

Source/JavaScriptCore:

These should be the last JSC-side corrections for typed array behavior:
namely, fixes for the constructor itself.

Broadly speaking, there are three fixes here:

1. ArrayBuffer argument (​https://tc39.es/ecma262/#sec-initializetypedarrayfromarraybuffer): We need to throw if the input buffer gets detached.

2. Array-like argument (​https://tc39.es/ecma262/#sec-initializetypedarrayfromarraylike): length needs toLength, not toUInt32.

3. Typed array argument (​https://tc39.es/ecma262/#sec-initializetypedarrayfromtypedarray): We need to support the case where the input typed array uses a custom ArrayBuffer. This case is *extremely* strange -- we still create the same type of typed array with a normal ArrayBuffer, but we override the prototype of that ArrayBuffer to inputTypedArray.buffer.constructor[@@species].prototype.

• JavaScriptCore.xcodeproj/project.pbxproj:
• runtime/JSArrayBufferConstructor.cpp:
• runtime/JSArrayBufferPrototype.cpp:

(JSC::arrayBufferSpeciesConstructorSlow): Added.
(JSC::speciesWatchpointIsValid): Moved.

• runtime/JSArrayBufferPrototype.h:
• runtime/JSArrayBufferPrototypeInlines.h: Added.
• runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructCustomArrayBufferIfNeeded): Added.
(JSC::constructGenericTypedArrayViewWithArguments):

• runtime/JSGlobalObject.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/test262/expectations.yaml (modified) (1 diff)
• JSTests/wasm/fuzz/memory.js (modified) (1 diff)
• JSTests/wasm/js-api/test_Data.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSArrayBufferPrototype.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArrayBufferPrototypeInlines.h (added)
• Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h (modified) (6 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-12-08  Ross Kirsling  <ross.kirsling@sony.com>
+
+        Align %TypedArray% constructor behavior with spec
+        https://bugs.webkit.org/show_bug.cgi?id=219527
+
+        Reviewed by Yusuke Suzuki.
+
+        * test262/expectations.yaml:
+        Mark 40 test cases as passing.
+
+        * wasm/fuzz/memory.js:
+        * wasm/js-api/test_Data.js:
+        Fix non-conforming typed array usage.
+
 2020-12-07  Dmitry Bezhetskov  <dbezhetskov@igalia.com>
 

trunk/JSTests/test262/expectations.yaml

@@ -833 +833 @@
   default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
   strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/buffer-arg/byteoffset-to-number-detachbuffer.js:
-  default: 'Test262Error: Expected a TypeError but got a RangeError (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a TypeError but got a RangeError (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/buffer-arg/detachedbuffer.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/buffer-arg/length-to-number-detachbuffer.js:
-  default: 'Test262Error: Expected a TypeError but got a RangeError (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a TypeError but got a RangeError (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/object-arg/length-excessive-throws.js:
-  default: 'Test262Error: Expected a RangeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a RangeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/detached-when-species-retrieved-different-type.js:
-  default: 'Test262Error: TypeError thrown for detached source buffer Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: TypeError thrown for detached source buffer Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/detached-when-species-retrieved-same-type.js:
-  default: 'Test262Error: TypeError thrown for detached source buffer Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: TypeError thrown for detached source buffer Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/other-ctor-buffer-ctor-access-throws.js:
-  default: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «[object ArrayBuffer]») to be true (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «[object ArrayBuffer]») to be true (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/other-ctor-buffer-ctor-custom-species.js:
-  default: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «[object Object]») to be true (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «[object Object]») to be true (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/other-ctor-buffer-ctor-not-object-throws.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/other-ctor-buffer-ctor-species-access-throws.js:
-  default: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/other-ctor-buffer-ctor-species-not-ctor-throws.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/other-ctor-buffer-ctor-species-prototype-throws.js:
-  default: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/same-ctor-buffer-ctor-access-throws.js:
-  default: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «[object ArrayBuffer]») to be true (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «[object ArrayBuffer]») to be true (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/same-ctor-buffer-ctor-species-custom.js:
-  default: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «[object Object]») to be true (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «[object Object]») to be true (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/same-ctor-buffer-ctor-species-not-ctor.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/same-ctor-buffer-ctor-species-prototype-throws.js:
-  default: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/same-ctor-buffer-ctor-species-throws.js:
-  default: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/same-ctor-buffer-ctor-value-not-obj-throws.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
 test/built-ins/TypedArrayConstructors/internals/Set/key-is-minus-zero.js:
   default: 'Test262Error: Reflect.set(sample, "-0", 1) must return false Expected SameValue(«true», «false») to be true (Testing with Float64Array.)'

trunk/JSTests/wasm/fuzz/memory.js

@@ -102 +102 @@
             case 'memory': {
                 const current = instance.exports.current();
-                const buffer = new Uint32Array(instance.exports.memory.buffer);
-                assert.eq(buffer.byteLength, current * pageSize);
+                assert.eq(instance.exports.memory.buffer.byteLength, current * pageSize);
                 for (let access = tune.memoryGetCount; current && access; --access) {
                     const address = (Math.random() * (current * pageSize - 4)) | 0;

trunk/JSTests/wasm/js-api/test_Data.js

@@ -133 +133 @@
     const memory = new WebAssembly.Memory(emptyMemory);
     assert.throws(() => new WebAssembly.Instance(module, { imp: { memory: memory } }), WebAssembly.LinkError, `Invalid data segment initialization: segment of 0 bytes memory of 0 bytes, at offset 65536, segment writes outside of memory`);
-    assertMemoryAllZero(memory);
+    assert.eq(memory.buffer.byteLength, 0);
 })();
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-12-08  Ross Kirsling  <ross.kirsling@sony.com>
+
+        Align %TypedArray% constructor behavior with spec
+        https://bugs.webkit.org/show_bug.cgi?id=219527
+
+        Reviewed by Yusuke Suzuki.
+
+        These should be the last JSC-side corrections for typed array behavior:
+        namely, fixes for the constructor itself.
+
+        Broadly speaking, there are three fixes here:
+        1. ArrayBuffer argument (https://tc39.es/ecma262/#sec-initializetypedarrayfromarraybuffer):
+           We need to throw if the input buffer gets detached.
+
+        2. Array-like argument (https://tc39.es/ecma262/#sec-initializetypedarrayfromarraylike):
+           length needs toLength, not toUInt32.
+
+        3. Typed array argument (https://tc39.es/ecma262/#sec-initializetypedarrayfromtypedarray):
+           We need to support the case where the input typed array uses a custom ArrayBuffer.
+           This case is *extremely* strange -- we still create the same type of typed array with a normal ArrayBuffer,
+           but we override the prototype of that ArrayBuffer to inputTypedArray.buffer.constructor[@@species].prototype.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * runtime/JSArrayBufferConstructor.cpp:
+        * runtime/JSArrayBufferPrototype.cpp:
+        (JSC::arrayBufferSpeciesConstructorSlow): Added.
+        (JSC::speciesWatchpointIsValid): Moved.
+        * runtime/JSArrayBufferPrototype.h:
+        * runtime/JSArrayBufferPrototypeInlines.h: Added.
+        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+        (JSC::constructCustomArrayBufferIfNeeded): Added.
+        (JSC::constructGenericTypedArrayViewWithArguments):
+        * runtime/JSGlobalObject.h:
+
 2020-12-08  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1390 +1390 @@
                 A1D792FF1B43864B004516F5 /* IntlNumberFormatConstructor.h in Headers */ = {isa = PBXBuildFile; fileRef = A1D792F91B43864B004516F5 /* IntlNumberFormatConstructor.h */; };
                 A1D793011B43864B004516F5 /* IntlNumberFormatPrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = A1D792FB1B43864B004516F5 /* IntlNumberFormatPrototype.h */; };
+                A38D250E25800D440042BFDD /* JSArrayBufferPrototypeInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = A38D250D25800D430042BFDD /* JSArrayBufferPrototypeInlines.h */; };
                 A3FF9BC72234749100B1A9AB /* YarrFlags.h in Headers */ = {isa = PBXBuildFile; fileRef = A3FF9BC52234746600B1A9AB /* YarrFlags.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 A503FA1A188E0FB000110F14 /* JavaScriptCallFrame.h in Headers */ = {isa = PBXBuildFile; fileRef = A503FA14188E0FAF00110F14 /* JavaScriptCallFrame.h */; };
@@ -4377 +4378 @@
                 A1FE1EB01C2C537E00A289FF /* DatePrototype.js */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.javascript; path = DatePrototype.js; sourceTree = "<group>"; };
                 A27958D7FA1142B0AC9E364D /* WasmContextInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmContextInlines.h; sourceTree = "<group>"; };
+                A38D250D25800D430042BFDD /* JSArrayBufferPrototypeInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSArrayBufferPrototypeInlines.h; sourceTree = "<group>"; };
                 A3AFF92B245A3CF900C9BA3B /* IntlLocale.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IntlLocale.h; sourceTree = "<group>"; };
                 A3AFF92C245A3CFA00C9BA3B /* IntlLocaleConstructor.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IntlLocaleConstructor.h; sourceTree = "<group>"; };
@@ -7412 +7414 @@
                                 0F2B66B817B6B5AB00A7AE3F /* JSArrayBufferPrototype.cpp */,
                                 0F2B66B917B6B5AB00A7AE3F /* JSArrayBufferPrototype.h */,
+                                A38D250D25800D430042BFDD /* JSArrayBufferPrototypeInlines.h */,
                                 0F2B66BA17B6B5AB00A7AE3F /* JSArrayBufferView.cpp */,
                                 0F2B66BB17B6B5AB00A7AE3F /* JSArrayBufferView.h */,
@@ -9951 +9954 @@
                                 0F2B66E517B6B5AB00A7AE3F /* JSArrayBufferConstructor.h in Headers */,
                                 0F2B66E717B6B5AB00A7AE3F /* JSArrayBufferPrototype.h in Headers */,
+                                A38D250E25800D440042BFDD /* JSArrayBufferPrototypeInlines.h in Headers */,
                                 0F2B66E917B6B5AB00A7AE3F /* JSArrayBufferView.h in Headers */,
                                 0F2B66EA17B6B5AB00A7AE3F /* JSArrayBufferViewInlines.h in Headers */,

trunk/Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp

@@ -29 +29 @@
 #include "BuiltinNames.h"
 #include "JSArrayBuffer.h"
+#include "JSArrayBufferPrototype.h"
 #include "JSArrayBufferView.h"
 #include "JSCInlines.h"

trunk/Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp

@@ -28 +28 @@
 
 #include "JSArrayBuffer.h"
+#include "JSArrayBufferPrototypeInlines.h"
 #include "JSCInlines.h"
 
 namespace JSC {
-namespace JSArrayBufferPrototypeInternal {
-static constexpr bool verbose = false;
-};
 
 static JSC_DECLARE_HOST_FUNCTION(arrayBufferProtoFuncSlice);
@@ -40 +38 @@
 static JSC_DECLARE_HOST_FUNCTION(sharedArrayBufferProtoGetterFuncByteLength);
 
-
-static ALWAYS_INLINE bool speciesWatchpointIsValid(VM& vm, JSObject* thisObject, ArrayBufferSharingMode mode)
-{
-    JSGlobalObject* globalObject = thisObject->globalObject(vm);
-    auto* prototype = globalObject->arrayBufferPrototype(mode);
-
-    if (globalObject->arrayBufferSpeciesWatchpointSet(mode).stateOnJSThread() == ClearWatchpoint) {
-        dataLogLnIf(JSArrayBufferPrototypeInternal::verbose, "Initializing ArrayBuffer species watchpoints for ArrayBuffer.prototype: ", pointerDump(prototype), " with structure: ", pointerDump(prototype->structure(vm)), "\nand ArrayBuffer: ", pointerDump(globalObject->arrayBufferConstructor(mode)), " with structure: ", pointerDump(globalObject->arrayBufferConstructor(mode)->structure(vm)));
-        globalObject->tryInstallArrayBufferSpeciesWatchpoint(mode);
-        ASSERT(globalObject->arrayBufferSpeciesWatchpointSet(mode).stateOnJSThread() != ClearWatchpoint);
-    }
-
-    return !thisObject->hasCustomProperties(vm)
-        && prototype == thisObject->getPrototypeDirect(vm)
-        && globalObject->arrayBufferSpeciesWatchpointSet(mode).stateOnJSThread() == IsWatched;
+Optional<JSValue> arrayBufferSpeciesConstructorSlow(JSGlobalObject* globalObject, JSArrayBuffer* thisObject, ArrayBufferSharingMode mode)
+{
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    bool isValid = speciesWatchpointIsValid(vm, thisObject, mode);
+    scope.assertNoException();
+    if (LIKELY(isValid))
+        return WTF::nullopt;
+
+    JSValue constructor = thisObject->get(globalObject, vm.propertyNames->constructor);
+    RETURN_IF_EXCEPTION(scope, WTF::nullopt);
+    if (constructor.isConstructor(vm)) {
+        JSObject* constructorObject = jsCast<JSObject*>(constructor);
+        JSGlobalObject* globalObjectFromConstructor = constructorObject->globalObject(vm);
+        bool isArrayBufferConstructorFromAnotherRealm = globalObject != globalObjectFromConstructor
+            && constructorObject == globalObjectFromConstructor->arrayBufferConstructor(mode);
+        if (isArrayBufferConstructorFromAnotherRealm)
+            return WTF::nullopt;
+    }
+
+    if (constructor.isUndefined())
+        return WTF::nullopt;
+
+    if (!constructor.isObject()) {
+        throwTypeError(globalObject, scope, "constructor property should not be null"_s);
+        return WTF::nullopt;
+    }
+
+    JSValue species = constructor.get(globalObject, vm.propertyNames->speciesSymbol);
+    RETURN_IF_EXCEPTION(scope, WTF::nullopt);
+
+    return species.isUndefinedOrNull() ? WTF::nullopt : makeOptional(species);
 }
 
@@ -75 +91 @@
     // Fast path in the normal case where the user has not set an own constructor and the ArrayBuffer.prototype.constructor is normal.
     // We need prototype check for subclasses of ArrayBuffer, which are ArrayBuffer objects but have a different prototype by default.
-    bool isValid = speciesWatchpointIsValid(vm, thisObject, mode);
-    scope.assertNoException();
-    if (LIKELY(isValid))
-        return fastPathResult;
-
-    JSValue constructor = thisObject->get(globalObject, vm.propertyNames->constructor);
+    Optional<JSValue> species = arrayBufferSpeciesConstructor(globalObject, thisObject, mode);
     RETURN_IF_EXCEPTION(scope, errorResult);
-    if (constructor.isConstructor(vm)) {
-        JSObject* constructorObject = jsCast<JSObject*>(constructor);
-        JSGlobalObject* globalObjectFromConstructor = constructorObject->globalObject(vm);
-        bool isArrayBufferConstructorFromAnotherRealm = globalObject != globalObjectFromConstructor
-            && constructorObject == globalObjectFromConstructor->arrayBufferConstructor(mode);
-        if (isArrayBufferConstructorFromAnotherRealm)
-            return fastPathResult;
-    }
-    if (constructor.isObject()) {
-        constructor = constructor.get(globalObject, vm.propertyNames->speciesSymbol);
-        RETURN_IF_EXCEPTION(scope, errorResult);
-        if (constructor.isNull())
-            return fastPathResult;
-    }
-
-    if (constructor.isUndefined())
+    if (!species)
         return fastPathResult;
 
@@ -104 +100 @@
     args.append(jsNumber(length));
     ASSERT(!args.hasOverflowed());
-    JSObject* newObject = construct(globalObject, constructor, args, "Species construction did not get a valid constructor");
+    JSObject* newObject = construct(globalObject, species.value(), args, "Species construction did not get a valid constructor");
     RETURN_IF_EXCEPTION(scope, errorResult);
 

trunk/Source/JavaScriptCore/runtime/JSArrayBufferPrototype.h

@@ -52 +52 @@
 };
 
+Optional<JSValue> arrayBufferSpeciesConstructorSlow(JSGlobalObject*, JSArrayBuffer*, ArrayBufferSharingMode);
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h

@@ -1 +1 @@
 /*
  * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2020 Sony Interactive Entertainment Inc.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30 +31 @@
 #include "IteratorOperations.h"
 #include "JSArrayBuffer.h"
+#include "JSArrayBufferPrototypeInlines.h"
 #include "JSCJSValueInlines.h"
 #include "JSDataView.h"
@@ -104 +106 @@
 }
 
+inline JSArrayBuffer* constructCustomArrayBufferIfNeeded(JSGlobalObject* globalObject, JSArrayBuffer* source)
+{
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    if (source->isShared())
+        return nullptr;
+
+    Optional<JSValue> species = arrayBufferSpeciesConstructor(globalObject, source, ArrayBufferSharingMode::Default);
+    RETURN_IF_EXCEPTION(scope, nullptr);
+    if (!species)
+        return nullptr;
+
+    if (!species->isConstructor(vm)) {
+        throwTypeError(globalObject, scope, "species is not a constructor"_s);
+        return nullptr;
+    }
+
+    JSValue prototype = species->get(globalObject, vm.propertyNames->prototype);
+    RETURN_IF_EXCEPTION(scope, nullptr);
+
+    auto buffer = ArrayBuffer::tryCreate(source->impl()->byteLength(), 1);
+    if (!buffer) {
+        throwOutOfMemoryError(globalObject, scope);
+        return nullptr;
+    }
+
+    auto result = JSArrayBuffer::create(vm, getFunctionRealm(vm, asObject(species.value()))->arrayBufferStructure(ArrayBufferSharingMode::Default), WTFMove(buffer));
+    if (prototype.isObject())
+        result->setPrototypeDirect(vm, prototype);
+    return result;
+}
+
 template<typename ViewClass>
 inline JSObject* constructGenericTypedArrayViewWithArguments(JSGlobalObject* globalObject, Structure* structure, EncodedJSValue firstArgument, unsigned offset, Optional<unsigned> lengthOpt)
@@ -114 +149 @@
     if (JSArrayBuffer* jsBuffer = jsDynamicCast<JSArrayBuffer*>(vm, firstValue)) {
         RefPtr<ArrayBuffer> buffer = jsBuffer->impl();
+        if (buffer->isDetached()) {
+            throwTypeError(globalObject, scope, "Buffer is already detached"_s);
+            return nullptr;
+        }
+
         unsigned length = 0;
-
         if (lengthOpt)
             length = lengthOpt.value();
@@ -141 +180 @@
     if (JSObject* object = jsDynamicCast<JSObject*>(vm, firstValue)) {
         unsigned length;
-
-        if (isTypedView(object->classInfo(vm)->typedArrayStorageType))
-            length = jsCast<JSArrayBufferView*>(object)->length();
-        else {
+        JSArrayBuffer* customBuffer = nullptr;
+
+        if (isTypedView(object->classInfo(vm)->typedArrayStorageType)) {
+            auto* view = jsCast<JSArrayBufferView*>(object);
+            length = view->length();
+
+            customBuffer = constructCustomArrayBufferIfNeeded(globalObject, view->possiblySharedJSBuffer(globalObject));
+            RETURN_IF_EXCEPTION(scope, nullptr);
+
+            if (view->isDetached()) {
+                throwTypeError(globalObject, scope, "Underlying ArrayBuffer has been detached from the view"_s);
+                return nullptr;
+            }
+        } else {
             // This getPropertySlot operation should not be observed by the Proxy.
             // So we use VMInquiry. And purge the opaque object cases (proxy and namespace object) by isTaintedByOpaqueObject() guard.
@@ -174 +223 @@
                 JSValue value = lengthSlot.getValue(globalObject, vm.propertyNames->length);
                 RETURN_IF_EXCEPTION(scope, nullptr);
-                length = value.toUInt32(globalObject);
+                length = value.toLength(globalObject);
                 RETURN_IF_EXCEPTION(scope, nullptr);
             }
         }
 
-        
-        ViewClass* result = ViewClass::createUninitialized(globalObject, structure, length);
+        ViewClass* result = customBuffer
+            ? ViewClass::create(globalObject, structure, customBuffer->impl(), 0, length)
+            : ViewClass::createUninitialized(globalObject, structure, length);
         EXCEPTION_ASSERT(!!scope.exception() == !result);
         if (UNLIKELY(!result))
             return nullptr;
-        
+
         scope.release();
         if (!result->set(globalObject, 0, object, 0, length))

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -31 +31 @@
 #include "InternalFunction.h"
 #include "JSArray.h"
-#include "JSArrayBufferPrototype.h"
 #include "JSClassRef.h"
 #include "JSGlobalLexicalEnvironment.h"