Changeset 195360 in webkit

Timestamp:

Jan 20, 2016 11:32:30 AM (8 years ago)

Author:

keith_miller@apple.com

Message:

[ES6] Fix various issues with TypedArrays.
​https://bugs.webkit.org/show_bug.cgi?id=153245

Reviewed by Geoffrey Garen.

This patch fixes a couple of issues with TypedArrays:

1) We were not checking if a view had been neutered and throwing an error
if it had in the our TypedArray.prototype functions.

2) The TypedArray.prototype.set function had a couple of minor issues with
checking for the offset being negative.

3) The JSArrayBufferView class did not check if the backing store had
been neutered when computing the offset even though the view's vector
pointer had been set to NULL. This meant that under some conditions we
could, occasionally, return a garbage number as the offset. Now, we only
neuter views if the backing ArrayBuffer's view is actually transfered.

• jsc.cpp:

(GlobalObject::finishCreation):
(functionNeuterTypedArray):

• runtime/JSArrayBufferView.h:

(JSC::JSArrayBufferView::isNeutered):

• runtime/JSArrayBufferViewInlines.h:

(JSC::JSArrayBufferView::byteOffset):

• runtime/JSGenericTypedArrayViewPrototypeFunctions.h:

(JSC::genericTypedArrayViewProtoFuncSet):
(JSC::genericTypedArrayViewProtoFuncEntries):
(JSC::genericTypedArrayViewProtoFuncCopyWithin):
(JSC::genericTypedArrayViewProtoFuncFill):
(JSC::genericTypedArrayViewProtoFuncIndexOf):
(JSC::genericTypedArrayViewProtoFuncJoin):
(JSC::genericTypedArrayViewProtoFuncKeys):
(JSC::genericTypedArrayViewProtoFuncLastIndexOf):
(JSC::genericTypedArrayViewProtoFuncReverse):
(JSC::genericTypedArrayViewPrivateFuncSort):
(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewProtoFuncSubarray):
(JSC::typedArrayViewProtoFuncValues):

• runtime/JSTypedArrayViewPrototype.cpp:

(JSC::typedArrayViewPrivateFuncLength):
(JSC::typedArrayViewPrivateFuncSort): Deleted.

• tests/stress/typedarray-functions-with-neutered.js: Added.

(getGetter):
(unit):
(args.new.Int32Array):
(arrays.typedArrays.map):
(checkProtoFunc.throwsCorrectError):
(checkProtoFunc):
(test):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• runtime/ArrayBuffer.cpp (modified) (1 diff)
• runtime/JSArrayBufferView.h (modified) (1 diff)
• runtime/JSArrayBufferViewInlines.h (modified) (1 diff)
• runtime/JSGenericTypedArrayViewPrototypeFunctions.h (modified) (15 diffs)
• runtime/JSTypedArrayViewPrototype.cpp (modified) (2 diffs)
• tests/stress/typedarray-functions-with-neutered.js (added)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-01-19  Keith Miller  <keith_miller@apple.com>
+
+        [ES6] Fix various issues with TypedArrays.
+        https://bugs.webkit.org/show_bug.cgi?id=153245
+
+        Reviewed by Geoffrey Garen.
+
+        This patch fixes a couple of issues with TypedArrays:
+
+        1) We were not checking if a view had been neutered and throwing an error
+        if it had in the our TypedArray.prototype functions.
+
+        2) The TypedArray.prototype.set function had a couple of minor issues with
+        checking for the offset being negative.
+
+        3) The JSArrayBufferView class did not check if the backing store had
+        been neutered when computing the offset even though the view's vector
+        pointer had been set to NULL. This meant that under some conditions we
+        could, occasionally, return a garbage number as the offset. Now, we only
+        neuter views if the backing ArrayBuffer's view is actually transfered.
+
+        * jsc.cpp:
+        (GlobalObject::finishCreation):
+        (functionNeuterTypedArray):
+        * runtime/JSArrayBufferView.h:
+        (JSC::JSArrayBufferView::isNeutered):
+        * runtime/JSArrayBufferViewInlines.h:
+        (JSC::JSArrayBufferView::byteOffset):
+        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+        (JSC::genericTypedArrayViewProtoFuncSet):
+        (JSC::genericTypedArrayViewProtoFuncEntries):
+        (JSC::genericTypedArrayViewProtoFuncCopyWithin):
+        (JSC::genericTypedArrayViewProtoFuncFill):
+        (JSC::genericTypedArrayViewProtoFuncIndexOf):
+        (JSC::genericTypedArrayViewProtoFuncJoin):
+        (JSC::genericTypedArrayViewProtoFuncKeys):
+        (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
+        (JSC::genericTypedArrayViewProtoFuncReverse):
+        (JSC::genericTypedArrayViewPrivateFuncSort):
+        (JSC::genericTypedArrayViewProtoFuncSlice):
+        (JSC::genericTypedArrayViewProtoFuncSubarray):
+        (JSC::typedArrayViewProtoFuncValues):
+        * runtime/JSTypedArrayViewPrototype.cpp:
+        (JSC::typedArrayViewPrivateFuncLength):
+        (JSC::typedArrayViewPrivateFuncSort): Deleted.
+        * tests/stress/typedarray-functions-with-neutered.js: Added.
+        (getGetter):
+        (unit):
+        (args.new.Int32Array):
+        (arrays.typedArrays.map):
+        (checkProtoFunc.throwsCorrectError):
+        (checkProtoFunc):
+        (test):
+
 2016-01-19  Andy VanWagoner  <thetalecrafter@gmail.com>
 

trunk/Source/JavaScriptCore/runtime/ArrayBuffer.cpp

@@ -45 +45 @@
     bool isNeuterable = !m_pinCount;
 
-    if (isNeuterable)
-        m_contents.transfer(result);
-    else {
+    if (!isNeuterable) {
         m_contents.copyTo(result);
         if (!result.m_data)
             return false;
+        return true;
     }
 
+    m_contents.transfer(result);
     for (size_t i = numberOfIncomingReferences(); i--;) {
         JSCell* cell = incomingReferenceAt(i);

trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h

@@ -160 +160 @@
     ArrayBuffer* buffer();
     PassRefPtr<ArrayBufferView> impl();
+    bool isNeutered() { return hasArrayBuffer() && !vector(); }
     void neuter();
     

trunk/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h

@@ -67 +67 @@
     if (!hasArrayBuffer())
         return 0;
-    
+
+    ASSERT(!vector() == !buffer()->data());
+
     ptrdiff_t delta =
         bitwise_cast<uint8_t*>(vector()) - static_cast<uint8_t*>(buffer()->data());

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

@@ -44 +44 @@
 namespace JSC {
 
+static const char* typedArrayBufferHasBeenDetachedErrorMessage = "Underlying ArrayBuffer has been detached from the view";
+
 inline unsigned argumentClampedIndexFromStartOrEnd(ExecState* exec, int argument, unsigned length, unsigned undefinedValue = 0)
 {
@@ -69 +71 @@
     unsigned offset;
     if (exec->argumentCount() >= 2) {
-        offset = exec->uncheckedArgument(1).toUInt32(exec);
+        double offsetNumber = exec->uncheckedArgument(1).toInteger(exec);
         if (exec->hadException())
             return JSValue::encode(jsUndefined());
+        if (offsetNumber < 0)
+            return throwVMRangeError(exec, "Offset should not be negative");
+        offset = offsetNumber;
     } else
         offset = 0;
+
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
 
     JSObject* sourceArray = jsDynamicCast<JSObject*>(exec->uncheckedArgument(0));
@@ -80 +88 @@
 
     unsigned length;
-    if (isTypedView(sourceArray->classInfo()->typedArrayStorageType))
-        length = jsDynamicCast<JSArrayBufferView*>(sourceArray)->length();
-    else
+    if (isTypedView(sourceArray->classInfo()->typedArrayStorageType)) {
+        JSArrayBufferView* sourceView = jsCast<JSArrayBufferView*>(sourceArray);
+        if (sourceView->isNeutered())
+            return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
+
+        length = jsCast<JSArrayBufferView*>(sourceArray)->length();
+    } else
         length = sourceArray->get(exec, exec->vm().propertyNames->length).toUInt32(exec);
 
@@ -97 +109 @@
     // 22.2.3.6
     ViewClass* thisObject = jsCast<ViewClass*>(exec->thisValue());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
 
     return JSValue::encode(JSArrayIterator::create(exec, exec->callee()->globalObject()->arrayIteratorStructure(), ArrayIterateKeyValue, thisObject));
@@ -106 +120 @@
     // 22.2.3.5
     ViewClass* thisObject = jsCast<ViewClass*>(exec->thisValue());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
 
     if (exec->argumentCount() < 2)
@@ -134 +150 @@
     // 22.2.3.8
     ViewClass* thisObject = jsCast<ViewClass*>(exec->thisValue());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
 
     JSValue valueToInsert = exec->argument(0);
@@ -157 +175 @@
     // 22.2.3.13
     ViewClass* thisObject = jsCast<ViewClass*>(exec->thisValue());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
 
     if (!exec->argumentCount())
@@ -182 +202 @@
 EncodedJSValue JSC_HOST_CALL genericTypedArrayViewProtoFuncJoin(ExecState* exec)
 {
+    ViewClass* thisObject = jsCast<ViewClass*>(exec->thisValue());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
+
     // 22.2.3.14
     auto joinWithSeparator = [&] (StringView separator) -> EncodedJSValue {
@@ -215 +239 @@
     // 22.2.3.15
     ViewClass* thisObject = jsCast<ViewClass*>(exec->thisValue());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
 
     return JSValue::encode(JSArrayIterator::create(exec, exec->callee()->globalObject()->arrayIteratorStructure(), ArrayIterateKey, thisObject));
@@ -224 +250 @@
     // 22.2.3.16
     ViewClass* thisObject = jsCast<ViewClass*>(exec->thisValue());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
 
     if (!exec->argumentCount())
@@ -290 +318 @@
     // 22.2.3.21
     ViewClass* thisObject = jsCast<ViewClass*>(exec->thisValue());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
 
     typename ViewClass::ElementType* array = thisObject->typedVector();
@@ -302 +332 @@
     // 22.2.3.25
     ViewClass* thisObject = jsCast<ViewClass*>(exec->argument(0));
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
 
     thisObject->sort();
@@ -315 +347 @@
 
     ViewClass* thisObject = jsCast<ViewClass*>(exec->thisValue());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
 
     if (!exec->argumentCount())
@@ -350 +384 @@
 
     ViewClass* thisObject = jsCast<ViewClass*>(exec->thisValue());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
 
     if (!exec->argumentCount())
@@ -386 +422 @@
     // 22.2.3.29
     ViewClass* thisObject = jsCast<ViewClass*>(exec->thisValue());
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
 
     return JSValue::encode(JSArrayIterator::create(exec, exec->callee()->globalObject()->arrayIteratorStructure(), ArrayIterateValue, thisObject));

trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp

@@ -69 +69 @@
     if (!thisObject)
         return throwVMError(exec, createTypeError(exec, "Receiver should be a typed array view"));
+    if (thisObject->isNeutered())
+        return throwVMTypeError(exec, "Underlying ArrayBuffer has been detached from the view");
 
     return JSValue::encode(jsNumber(thisObject->length()));
@@ -76 +78 @@
 {
     JSValue thisValue = exec->argument(0);
-    if (!thisValue.isObject())
-        return throwVMError(exec, createTypeError(exec, "Receiver should be a typed array view but was not an object"));
     CALL_GENERIC_TYPEDARRAY_PROTOTYPE_FUNCTION(genericTypedArrayViewPrivateFuncSort);
 }