[webkit-changes] [WebKit/WebKit] fe4f0a: [JSC] Implement growable SharedArrayBuffer part 2
Yusuke Suzuki
noreply at github.com
Wed Nov 16 20:51:48 PST 2022
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: fe4f0a4cc309e65e5bb51a15359235a52a7c8f6c
https://github.com/WebKit/WebKit/commit/fe4f0a4cc309e65e5bb51a15359235a52a7c8f6c
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2022-11-16 (Wed, 16 Nov 2022)
Changed paths:
M JSTests/stress/detached-typed-array-iteration.js
A JSTests/stress/growable-typed-array.js
M JSTests/stress/typed-array-from.js
M JSTests/stress/typedarray-defineOwnProperty-error.js
M JSTests/stress/typedarray-functions-with-neutered.js
M JSTests/wasm/js-api/neutered-inputs.js
M LayoutTests/fast/canvas/webgl/arraybuffer-transfer-of-control.html
M Source/JavaScriptCore/API/JSTypedArray.cpp
M Source/JavaScriptCore/builtins/ArrayIteratorPrototype.js
M Source/JavaScriptCore/bytecode/AccessCase.cpp
M Source/JavaScriptCore/bytecode/ArrayProfile.cpp
M Source/JavaScriptCore/bytecode/ArrayProfile.h
M Source/JavaScriptCore/bytecode/Repatch.cpp
M Source/JavaScriptCore/bytecode/SpeculatedType.cpp
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGArrayMode.cpp
M Source/JavaScriptCore/dfg/DFGArrayMode.h
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGNode.h
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/dfg/DFGOperations.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/jit/IntrinsicEmitter.cpp
M Source/JavaScriptCore/jsc.cpp
M Source/JavaScriptCore/llint/LowLevelInterpreter.asm
M Source/JavaScriptCore/runtime/ArrayBuffer.h
M Source/JavaScriptCore/runtime/ArrayBufferView.cpp
M Source/JavaScriptCore/runtime/ArrayBufferView.h
M Source/JavaScriptCore/runtime/AtomicsObject.cpp
M Source/JavaScriptCore/runtime/ClassInfo.h
M Source/JavaScriptCore/runtime/DataView.cpp
M Source/JavaScriptCore/runtime/DataView.h
M Source/JavaScriptCore/runtime/GenericTypedArrayView.h
M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h
M Source/JavaScriptCore/runtime/JSArrayBuffer.h
M Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp
M Source/JavaScriptCore/runtime/JSArrayBufferView.cpp
M Source/JavaScriptCore/runtime/JSArrayBufferView.h
M Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h
M Source/JavaScriptCore/runtime/JSCast.h
M Source/JavaScriptCore/runtime/JSCell.h
M Source/JavaScriptCore/runtime/JSDataView.cpp
M Source/JavaScriptCore/runtime/JSDataView.h
M Source/JavaScriptCore/runtime/JSDataViewPrototype.cpp
M Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h
M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
M Source/JavaScriptCore/runtime/JSGlobalObject.h
M Source/JavaScriptCore/runtime/JSType.h
M Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp
M Source/JavaScriptCore/runtime/JSTypedArrays.cpp
M Source/JavaScriptCore/runtime/JSTypedArrays.h
M Source/JavaScriptCore/runtime/StructureInlines.h
M Source/JavaScriptCore/runtime/TypedArrayAdaptors.h
M Source/JavaScriptCore/runtime/TypedArrayType.h
M Source/JavaScriptCore/testRegExp.cpp
M Source/JavaScriptCore/wasm/WasmOperations.cpp
M Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h
M Source/WTF/wtf/StdLibExtras.h
M Source/WebCore/Modules/webaudio/AudioBuffer.cpp
M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
Log Message:
-----------
[JSC] Implement growable SharedArrayBuffer part 2
https://bugs.webkit.org/show_bug.cgi?id=247921
rdar://102339939
Reviewed by Mark Lam.

This patch adds runtime support for growable SharedArrayBuffer, TypedArray, and DataView.
We are not supporting JIT optimization yet, but this patch still implements the basic mechanism to support it in a subsequent patch.

1. TypedArray / DataView has a mode flag which says ResizableNonShared / GrowableShared / AutoLength etc., and we use this flag to dispatch the implementation.
   For the non-resizable one, we use a super simple implementation as before.
2. This patch implements "auto" length, which automatically changes the length / byteLength of a TypedArray based on the backing storage's SharedArrayBuffer etc.
3. This patch does not implement JIT optimizations. They will be done in a subsequent patch.
* JSTests/stress/detached-typed-array-iteration.js:
(shouldThrow):
* JSTests/stress/typed-array-from.js:
(shouldBeArray):
* JSTests/stress/typedarray-defineOwnProperty-error.js:
* JSTests/stress/typedarray-functions-with-neutered.js:
(checkProtoFunc.throwsCorrectError):
(checkProtoFunc):
(callWithArgs):
* JSTests/wasm/js-api/neutered-inputs.js:
* Source/JavaScriptCore/API/JSTypedArray.cpp:
(createTypedArray):
(JSObjectMakeTypedArrayWithArrayBuffer):
* Source/JavaScriptCore/builtins/ArrayIteratorPrototype.js:
(next):
* Source/JavaScriptCore/bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
* Source/JavaScriptCore/bytecode/ArrayProfile.cpp:
(JSC::ArrayProfile::computeUpdatedPrediction):
(JSC::ArrayProfile::briefDescriptionWithoutUpdating):
* Source/JavaScriptCore/bytecode/ArrayProfile.h:
(JSC::ArrayProfile::mayBeResizableOrGrowableSharedTypedArray const):
(JSC::UnlinkedArrayProfile::update):
* Source/JavaScriptCore/bytecode/Repatch.cpp:
(JSC::tryCacheArrayGetByVal):
(JSC::tryCacheArrayPutByVal):
* Source/JavaScriptCore/bytecode/SpeculatedType.cpp:
(JSC::speculationFromClassInfoInheritance):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::originalArrayStructure const):
(JSC::DFG::ArrayMode::dump const):
* Source/JavaScriptCore/dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::ArrayMode):
(JSC::DFG::ArrayMode::mayBeResizableOrGrowableSharedTypedArray const):
(JSC::DFG::ArrayMode::withType const):
(JSC::DFG::ArrayMode::withSpeculation const):
(JSC::DFG::ArrayMode::withConversion const):
(JSC::DFG::ArrayMode::withTypeAndConversion const):
(JSC::DFG::ArrayMode::withArrayClassAndSpeculation const):
(JSC::DFG::ArrayMode::withProfile const):
(JSC::DFG::ArrayMode::operator== const):
(JSC::DFG::ArrayMode::withArrayClassAndSpeculationAndMayBeLargeTypedArray const): Deleted.
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
(JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::newTypedArrayWithSize):
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsDetachedIfOutOfBounds):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithInt52Size):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayLengthAsInt52):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffsetAsInt52):
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::emitGetTypedArrayByteOffsetExceptSettingResult):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayLengthAsInt52):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::emitNewTypedArrayWithSize):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* Source/JavaScriptCore/jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/llint/LowLevelInterpreter.asm:
* Source/JavaScriptCore/runtime/ArrayBuffer.h:
(JSC::IdempotentArrayBufferByteLengthGetter::operator()):
(JSC::IdempotentArrayBufferByteLengthGetter::IdempotentArrayBufferByteLengthGetter): Deleted.
* Source/JavaScriptCore/runtime/ArrayBufferView.cpp:
(JSC::ArrayBufferView::ArrayBufferView):
* Source/JavaScriptCore/runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::baseAddress const):
(JSC::ArrayBufferView::byteOffset const):
(JSC::ArrayBufferView::byteLength const):
(JSC::ArrayBufferView::isResizableOrGrowableShared const):
(JSC::ArrayBufferView::isResizableNonShared const):
(JSC::ArrayBufferView::isGrowableShared const):
(JSC::ArrayBufferView::isAutoLength const):
(JSC::ArrayBufferView::clampOffsetAndNumElements):
(JSC::ArrayBufferView::setImpl):
(JSC::ArrayBufferView::setRangeImpl):
* Source/JavaScriptCore/runtime/AtomicsObject.cpp:
* Source/JavaScriptCore/runtime/DataView.cpp:
(JSC::DataView::DataView):
(JSC::DataView::create):
(JSC::DataView::wrapImpl):
* Source/JavaScriptCore/runtime/DataView.h:
* Source/JavaScriptCore/runtime/GenericTypedArrayView.h:
* Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView):
(JSC::GenericTypedArrayView<Adaptor>::create):
(JSC::GenericTypedArrayView<Adaptor>::tryCreate):
(JSC::GenericTypedArrayView<Adaptor>::wrapImpl):
* Source/JavaScriptCore/runtime/JSArrayBuffer.h:
* Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp:
(JSC::arrayBufferSlice):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
(JSC::JSArrayBufferView::JSArrayBufferView):
(JSC::JSArrayBufferView::finishCreation):
(JSC::JSArrayBufferView::finalize):
(JSC::JSArrayBufferView::detach):
(JSC::JSArrayBufferView::slowDownAndWasteMemory):
(JSC::JSArrayBufferView::possiblySharedImpl):
(JSC::JSArrayBufferView::isIteratorProtocolFastAndNonObservable):
(WTF::printInternal):
(JSC::JSArrayBufferView::byteLength const): Deleted.
(JSC::isIntegerIndexedObjectOutOfBounds): Deleted.
(JSC::integerIndexedObjectLength): Deleted.
(JSC::integerIndexedObjectByteLength): Deleted.
(JSC::validateTypedArray): Deleted.
* Source/JavaScriptCore/runtime/JSArrayBufferView.h:
(JSC::hasArrayBuffer):
(JSC::isResizableOrGrowableShared):
(JSC::isGrowableShared):
(JSC::isResizableNonShared):
(JSC::isAutoLength):
(JSC::isWastefulTypedArray):
(JSC::JSArrayBufferView::ConstructionContext::vector const):
(JSC::JSArrayBufferView::ConstructionContext::byteOffset const):
(JSC::JSArrayBufferView::isResizableOrGrowableShared const):
(JSC::JSArrayBufferView::isGrowableShared const):
(JSC::JSArrayBufferView::isResizableNonShared const):
(JSC::JSArrayBufferView::isAutoLength const):
(JSC::JSArrayBufferView::vector const):
(JSC::JSArrayBufferView::byteOffset const):
(JSC::JSArrayBufferView::byteOffsetRaw const):
(JSC::JSArrayBufferView::length const):
(JSC::JSArrayBufferView::lengthRaw const):
(JSC::JSArrayBufferView::byteLength const):
(JSC::JSArrayBufferView::byteLengthRaw const):
(JSC::JSArrayBufferView::offsetOfByteOffset):
(JSC::isResizable): Deleted.
(JSC::JSArrayBufferView::ConstructionContext::maxByteLength const): Deleted.
(JSC::JSArrayBufferView::ConstructionContext::maxByteLengthUnsafe const): Deleted.
(JSC::JSArrayBufferView::maxByteLength const): Deleted.
(JSC::JSArrayBufferView::offsetOfMaxByteLength): Deleted.
* Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:
(JSC::JSArrayBufferView::isShared):
(JSC::JSArrayBufferView::possiblySharedBufferImpl):
(JSC::JSArrayBufferView::existingBufferInButterfly):
(JSC::JSArrayBufferView::toWrapped):
(JSC::JSArrayBufferView::toWrappedAllowShared):
(JSC::isIntegerIndexedObjectOutOfBounds):
(JSC::integerIndexedObjectLength):
(JSC::integerIndexedObjectByteLength):
(JSC::validateTypedArray):
(JSC::JSArrayBufferView::byteOffsetImpl): Deleted.
(JSC::JSArrayBufferView::byteOffset): Deleted.
(JSC::JSArrayBufferView::byteOffsetConcurrently): Deleted.
* Source/JavaScriptCore/runtime/JSCast.h:
* Source/JavaScriptCore/runtime/JSDataView.cpp:
(JSC::JSDataView::create):
(JSC::JSDataView::setFromTypedArray):
(JSC::JSDataView::setFromArrayLike):
(JSC::JSDataView::set): Deleted.
* Source/JavaScriptCore/runtime/JSDataView.h:
* Source/JavaScriptCore/runtime/JSDataViewPrototype.cpp:
(JSC::getData):
(JSC::setData):
(JSC::JSC_DEFINE_CUSTOM_GETTER):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::byteLength const):
(JSC::JSGenericTypedArrayView::byteLengthRaw const):
(JSC::JSGenericTypedArrayView::inBounds const):
(JSC::JSGenericTypedArrayView::canSetIndexQuickly const):
(JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue const):
(JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
(JSC::JSGenericTypedArrayView::sort):
(JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
(JSC::JSGenericTypedArrayView::info):
(JSC::JSGenericTypedArrayView::sortFloat):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):
(JSC::constructGenericTypedArrayViewImpl):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):
(JSC::JSGenericTypedArrayView<Adaptor>::setFromTypedArray):
(JSC::JSGenericTypedArrayView<Adaptor>::setFromArrayLike):
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
(JSC::JSGenericTypedArrayView<Adaptor>::put):
(JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
(JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildrenImpl):
(JSC::JSGenericTypedArrayView<Adaptor>::set): Deleted.
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::speciesConstruct):
(JSC::genericTypedArrayViewProtoFuncSet):
(JSC::genericTypedArrayViewProtoFuncCopyWithin):
(JSC::genericTypedArrayViewProtoFuncIncludes):
(JSC::genericTypedArrayViewProtoFuncIndexOf):
(JSC::genericTypedArrayViewProtoFuncJoin):
(JSC::genericTypedArrayViewProtoFuncFill):
(JSC::genericTypedArrayViewProtoFuncLastIndexOf):
(JSC::genericTypedArrayViewProtoFuncReverse):
(JSC::genericTypedArrayViewProtoFuncToReversed):
(JSC::genericTypedArrayViewPrivateFuncClone):
(JSC::genericTypedArrayViewPrivateFuncSort):
(JSC::genericTypedArrayViewPrivateFuncFromFast):
(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewProtoFuncSubarray):
(JSC::validateIntegerIndex):
(JSC::genericTypedArrayViewProtoFuncWith):
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildrenImpl):
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::lazyResizableOrGrowableSharedTypedArrayStructure):
(JSC::JSGlobalObject::lazyResizableOrGrowableSharedTypedArrayStructure const):
(JSC::JSGlobalObject::typedArrayStructure const):
(JSC::JSGlobalObject::typedArrayStructureConcurrently const):
(JSC::JSGlobalObject::isOriginalTypedArrayStructure):
(JSC::JSGlobalObject::typedArrayStructureWithTypedArrayType const):
(JSC::JSGlobalObject::resizableOrGrowableSharedTypedArrayStructureWithTypedArrayType const):
* Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::createTypedArrayIteratorObject):
* Source/JavaScriptCore/runtime/JSTypedArrays.cpp:
(): Deleted.
* Source/JavaScriptCore/runtime/JSTypedArrays.h:
(JSC::isResizableOrGrowableSharedTypedArray):
* Source/JavaScriptCore/runtime/StructureInlines.h:
(JSC::Structure::hasIndexingHeader const):
* Source/JavaScriptCore/runtime/TypedArrayAdaptors.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h:
(JSC::getWasmBufferFromValue):
* Source/WTF/wtf/StdLibExtras.h:
(WTF::mask):
(WTF::roundDownToMultipleOf):
* Source/WebCore/Modules/webaudio/AudioBuffer.cpp:
(WebCore::AudioBuffer::getChannelData):
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
(WebCore::constructJSFloat32Array):
Canonical link: https://commits.webkit.org/256766@main
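
An added example, not part of the commit or of WebKit's code: the script-visible behaviour behind items 1 and 2 of the log message, shown with standard ECMAScript APIs only. The helper and variable names are chosen here for illustration, and the runtime is assumed to support resizable and growable buffers (a feature check is included).

```javascript
// Added illustration; standard ECMAScript APIs only, helper names are made up here.
const SUPPORTED = typeof SharedArrayBuffer === 'function' &&
  typeof SharedArrayBuffer.prototype.grow === 'function' &&
  typeof ArrayBuffer.prototype.resize === 'function';

// The three fields every bounds check on a view depends on.
const snap = (v) => ({ length: v.length, byteLength: v.byteLength, byteOffset: v.byteOffset });

// GrowableShared: the buffer can only grow, so auto-length views only get longer.
function growableSharedDemo() {
  const sab = new SharedArrayBuffer(8, { maxByteLength: 32 });
  const auto = new Uint8Array(sab);            // no length argument: auto length
  const autoOffset = new Uint32Array(sab, 4);  // auto length behind a byte offset
  const fixed = new Uint8Array(sab, 0, 4);     // explicit length: never changes
  const dv = new DataView(sab);                // auto byteLength
  const cachedLength = auto.length;            // a copy taken now goes stale
  const before = { auto: snap(auto), autoOffset: snap(autoOffset) };
  sab.grow(18);
  let shrinkError = null;
  try { sab.grow(8); } catch (e) { shrinkError = e.name; }  // shrinking is rejected
  return {
    before, cachedLength, shrinkError,
    after: { auto: snap(auto), autoOffset: snap(autoOffset), fixed: snap(fixed) },
    dvByteLength: dv.byteLength,
    newByte: auto[17],   // new bytes are zero-filled
    pastEnd: auto[18],   // still out of bounds
  };
}

// ResizableNonShared: the buffer can shrink, which can put a view out of bounds.
function resizableNonSharedDemo() {
  const ab = new ArrayBuffer(16, { maxByteLength: 32 });
  const auto = new Uint8Array(ab, 8);      // tracks the end of the buffer
  const fixed = new Uint8Array(ab, 8, 8);  // bytes 8..15
  ab.resize(12);                           // fixed now reaches past the end
  const shrunk = { auto: snap(auto), fixed: snap(fixed), read: fixed[0] };
  ab.resize(16);                           // fixed is back in bounds
  return { shrunk, restored: snap(fixed) };
}

if (SUPPORTED) {
  console.log(JSON.stringify(growableSharedDemo()));
  console.log(JSON.stringify(resizableNonSharedDemo()));
}
```

The auto-length Uint32Array rounds down to whole elements (14 usable bytes give 3 elements), and a fixed-length view over a shrunken buffer reports zero for length, byteLength and byteOffset, so native code that caches any of these across a point where script can run must re-read them.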