<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[191190] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/191190">191190</a></dd>
<dt>Author</dt> <dd>keith_miller@apple.com</dd>
<dt>Date</dt> <dd>2015-10-16 11:37:14 -0700 (Fri, 16 Oct 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Fix some issues with TypedArrays
https://bugs.webkit.org/show_bug.cgi?id=150216
Reviewed by Michael Saboff.
This fixes a couple of issues:
1) The DFG had a separate case for creating new typedarrays in the dfg when the first argument is an object.
Since the code for creating a Typedarray in the dfg is almost the same as the code in Baseline/LLInt
the two cases have been merged.
2) If the length property on an object was unset then the construction could crash.
3) The TypedArray.prototype.set function and the TypedArray constructor should not call [[Get]] for the
length of the source object when the source object is a TypedArray.
4) The conditions that were used to decide if the iterator could be skipped were incorrect.
Instead of checking for have a bad time we should have checked the Indexing type did not allow for
indexed accessors.
* dfg/DFGOperations.cpp:
(JSC::DFG::newTypedArrayWithOneArgument): Deleted.
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewFromIterator):
(JSC::constructGenericTypedArrayViewWithFirstArgument):
(JSC::constructGenericTypedArrayView):
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncSet):
* tests/stress/typedarray-construct-iterator.js: Added.
(iterator.return.next):
(iterator):
(body):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationscpp">trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewConstructorInlinesh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewPrototypeFunctionsh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoretestsstresstypedarrayconstructiteratorjs">trunk/Source/JavaScriptCore/tests/stress/typedarray-construct-iterator.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (191189 => 191190)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2015-10-16 18:30:23 UTC (rev 191189)
+++ trunk/Source/JavaScriptCore/ChangeLog 2015-10-16 18:37:14 UTC (rev 191190)
</span><span class="lines">@@ -1,3 +1,34 @@
</span><ins>+2015-10-16 Keith Miller <keith_miller@apple.com>
+
+ Fix some issues with TypedArrays
+ https://bugs.webkit.org/show_bug.cgi?id=150216
+
+ Reviewed by Michael Saboff.
+
+ This fixes a couple of issues:
+ 1) The DFG had a separate case for creating new typedarrays in the dfg when the first argument is an object.
+ Since the code for creating a Typedarray in the dfg is almost the same as the code in Baseline/LLInt
+ the two cases have been merged.
+ 2) If the length property on an object was unset then the construction could crash.
+ 3) The TypedArray.prototype.set function and the TypedArray constructor should not call [[Get]] for the
+ length of the source object when the source object is a TypedArray.
+ 4) The conditions that were used to decide if the iterator could be skipped were incorrect.
+ Instead of checking for have a bad time we should have checked the Indexing type did not allow for
+ indexed accessors.
+
+ * dfg/DFGOperations.cpp:
+ (JSC::DFG::newTypedArrayWithOneArgument): Deleted.
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::constructGenericTypedArrayViewFromIterator):
+ (JSC::constructGenericTypedArrayViewWithFirstArgument):
+ (JSC::constructGenericTypedArrayView):
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewProtoFuncSet):
+ * tests/stress/typedarray-construct-iterator.js: Added.
+ (iterator.return.next):
+ (iterator):
+ (body):
+
</ins><span class="cx"> 2015-10-15 Michael Saboff <msaboff@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION (r190289): Repro crash clicking back button on netflix.com
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp (191189 => 191190)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp 2015-10-16 18:30:23 UTC (rev 191189)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp 2015-10-16 18:37:14 UTC (rev 191190)
</span><span class="lines">@@ -142,64 +142,6 @@
</span><span class="cx"> return bitwise_cast<char*>(ViewClass::create(exec, structure, size));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-template<typename ViewClass>
-char* newTypedArrayWithOneArgument(
- ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
-{
- VM& vm = exec->vm();
- NativeCallFrameTracer tracer(&vm, exec);
-
- JSValue value = JSValue::decode(encodedValue);
-
- if (JSArrayBuffer* jsBuffer = jsDynamicCast<JSArrayBuffer*>(value)) {
- RefPtr<ArrayBuffer> buffer = jsBuffer->impl();
-
- if (buffer->byteLength() % ViewClass::elementSize) {
- vm.throwException(exec, createRangeError(exec, ASCIILiteral("ArrayBuffer length minus the byteOffset is not a multiple of the element size")));
- return 0;
- }
- return bitwise_cast<char*>(
- ViewClass::create(
- exec, structure, buffer, 0, buffer->byteLength() / ViewClass::elementSize));
- }
-
- if (JSObject* object = jsDynamicCast<JSObject*>(value)) {
- unsigned length = object->get(exec, vm.propertyNames->length).toUInt32(exec);
- if (exec->hadException())
- return 0;
-
- ViewClass* result = ViewClass::createUninitialized(exec, structure, length);
- if (!result)
- return 0;
-
- if (!result->set(exec, object, 0, length))
- return 0;
-
- return bitwise_cast<char*>(result);
- }
-
- int length;
- if (value.isInt32())
- length = value.asInt32();
- else if (!value.isNumber()) {
- vm.throwException(exec, createTypeError(exec, ASCIILiteral("Invalid array length argument")));
- return 0;
- } else {
- length = static_cast<int>(value.asNumber());
- if (length != value.asNumber()) {
- vm.throwException(exec, createTypeError(exec, ASCIILiteral("Invalid array length argument (fractional lengths not allowed)")));
- return 0;
- }
- }
-
- if (length < 0) {
- vm.throwException(exec, createRangeError(exec, ASCIILiteral("Requested length is negative")));
- return 0;
- }
-
- return bitwise_cast<char*>(ViewClass::create(exec, structure, length));
-}
-
</del><span class="cx"> extern "C" {
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationToThis(ExecState* exec, EncodedJSValue encodedOp)
</span><span class="lines">@@ -664,7 +606,7 @@
</span><span class="cx"> char* JIT_OPERATION operationNewInt8ArrayWithOneArgument(
</span><span class="cx"> ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
</span><span class="cx"> {
</span><del>- return newTypedArrayWithOneArgument<JSInt8Array>(exec, structure, encodedValue);
</del><ins>+ return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSInt8Array>(exec, structure, encodedValue));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewInt16ArrayWithSize(
</span><span class="lines">@@ -676,7 +618,7 @@
</span><span class="cx"> char* JIT_OPERATION operationNewInt16ArrayWithOneArgument(
</span><span class="cx"> ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
</span><span class="cx"> {
</span><del>- return newTypedArrayWithOneArgument<JSInt16Array>(exec, structure, encodedValue);
</del><ins>+ return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSInt16Array>(exec, structure, encodedValue));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewInt32ArrayWithSize(
</span><span class="lines">@@ -688,7 +630,7 @@
</span><span class="cx"> char* JIT_OPERATION operationNewInt32ArrayWithOneArgument(
</span><span class="cx"> ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
</span><span class="cx"> {
</span><del>- return newTypedArrayWithOneArgument<JSInt32Array>(exec, structure, encodedValue);
</del><ins>+ return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSInt32Array>(exec, structure, encodedValue));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewUint8ArrayWithSize(
</span><span class="lines">@@ -700,7 +642,7 @@
</span><span class="cx"> char* JIT_OPERATION operationNewUint8ArrayWithOneArgument(
</span><span class="cx"> ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
</span><span class="cx"> {
</span><del>- return newTypedArrayWithOneArgument<JSUint8Array>(exec, structure, encodedValue);
</del><ins>+ return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSUint8Array>(exec, structure, encodedValue));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewUint8ClampedArrayWithSize(
</span><span class="lines">@@ -712,7 +654,7 @@
</span><span class="cx"> char* JIT_OPERATION operationNewUint8ClampedArrayWithOneArgument(
</span><span class="cx"> ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
</span><span class="cx"> {
</span><del>- return newTypedArrayWithOneArgument<JSUint8ClampedArray>(exec, structure, encodedValue);
</del><ins>+ return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSUint8ClampedArray>(exec, structure, encodedValue));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewUint16ArrayWithSize(
</span><span class="lines">@@ -724,7 +666,7 @@
</span><span class="cx"> char* JIT_OPERATION operationNewUint16ArrayWithOneArgument(
</span><span class="cx"> ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
</span><span class="cx"> {
</span><del>- return newTypedArrayWithOneArgument<JSUint16Array>(exec, structure, encodedValue);
</del><ins>+ return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSUint16Array>(exec, structure, encodedValue));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewUint32ArrayWithSize(
</span><span class="lines">@@ -736,7 +678,7 @@
</span><span class="cx"> char* JIT_OPERATION operationNewUint32ArrayWithOneArgument(
</span><span class="cx"> ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
</span><span class="cx"> {
</span><del>- return newTypedArrayWithOneArgument<JSUint32Array>(exec, structure, encodedValue);
</del><ins>+ return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSUint32Array>(exec, structure, encodedValue));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewFloat32ArrayWithSize(
</span><span class="lines">@@ -748,7 +690,7 @@
</span><span class="cx"> char* JIT_OPERATION operationNewFloat32ArrayWithOneArgument(
</span><span class="cx"> ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
</span><span class="cx"> {
</span><del>- return newTypedArrayWithOneArgument<JSFloat32Array>(exec, structure, encodedValue);
</del><ins>+ return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSFloat32Array>(exec, structure, encodedValue));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewFloat64ArrayWithSize(
</span><span class="lines">@@ -760,7 +702,7 @@
</span><span class="cx"> char* JIT_OPERATION operationNewFloat64ArrayWithOneArgument(
</span><span class="cx"> ExecState* exec, Structure* structure, EncodedJSValue encodedValue)
</span><span class="cx"> {
</span><del>- return newTypedArrayWithOneArgument<JSFloat64Array>(exec, structure, encodedValue);
</del><ins>+ return bitwise_cast<char*>(constructGenericTypedArrayViewWithFirstArgument<JSFloat64Array>(exec, structure, encodedValue));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JSCell* JIT_OPERATION operationCreateActivationDirect(ExecState* exec, Structure* structure, JSScope* scope, SymbolTable* table, EncodedJSValue initialValueEncoded)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewConstructorInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h (191189 => 191190)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h 2015-10-16 18:30:23 UTC (rev 191189)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h 2015-10-16 18:37:14 UTC (rev 191190)
</span><span class="lines">@@ -77,23 +77,23 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename ViewClass>
</span><del>-static EncodedJSValue constructGenericTypedArrayViewFromIterator(ExecState* exec, Structure* structure, JSValue iterator)
</del><ins>+static JSObject* constructGenericTypedArrayViewFromIterator(ExecState* exec, Structure* structure, JSValue iterator)
</ins><span class="cx"> {
</span><span class="cx"> if (!iterator.isObject())
</span><del>- return JSValue::encode(throwTypeError(exec, "Symbol.Iterator for the first argument did not return an object."));
</del><ins>+ return throwTypeError(exec, "Symbol.Iterator for the first argument did not return an object.");
</ins><span class="cx">
</span><span class="cx"> MarkedArgumentBuffer storage;
</span><span class="cx"> while (true) {
</span><span class="cx"> JSValue next = iteratorStep(exec, iterator);
</span><span class="cx"> if (exec->hadException())
</span><del>- return JSValue::encode(jsUndefined());
</del><ins>+ return nullptr;
</ins><span class="cx">
</span><span class="cx"> if (next.isFalse())
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> JSValue nextItem = iteratorValue(exec, next);
</span><span class="cx"> if (exec->hadException())
</span><del>- return JSValue::encode(jsUndefined());
</del><ins>+ return nullptr;
</ins><span class="cx">
</span><span class="cx"> storage.append(nextItem);
</span><span class="cx"> }
</span><span class="lines">@@ -101,132 +101,146 @@
</span><span class="cx"> ViewClass* result = ViewClass::createUninitialized(exec, structure, storage.size());
</span><span class="cx"> if (!result) {
</span><span class="cx"> ASSERT(exec->hadException());
</span><del>- return JSValue::encode(jsUndefined());
</del><ins>+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> for (unsigned i = 0; i < storage.size(); ++i) {
</span><span class="cx"> if (!result->setIndex(exec, i, storage.at(i))) {
</span><span class="cx"> ASSERT(exec->hadException());
</span><del>- return JSValue::encode(jsUndefined());
</del><ins>+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- return JSValue::encode(result);
</del><ins>+ return result;
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-template<typename ViewClass>
-static EncodedJSValue JSC_HOST_CALL constructGenericTypedArrayView(ExecState* exec)
</del><ins>+template<typename ViewClass, bool checkForOtherArguments = false>
+static JSObject* constructGenericTypedArrayViewWithFirstArgument(ExecState* exec, Structure* structure, EncodedJSValue firstArgument)
</ins><span class="cx"> {
</span><del>- Structure* structure =
- asInternalFunction(exec->callee())->globalObject()->typedArrayStructure(
- ViewClass::TypedArrayStorageType);
-
</del><ins>+ JSValue firstValue = JSValue::decode(firstArgument);
</ins><span class="cx"> VM& vm = exec->vm();
</span><span class="cx">
</span><del>- if (!exec->argumentCount()) {
- if (ViewClass::TypedArrayStorageType == TypeDataView)
- return throwVMError(exec, createTypeError(exec, "DataView constructor requires at least one argument."));
-
- // Even though the documentation doesn't say so, it's correct to say
- // "new Int8Array()". This is the same as allocating an array of zero
- // length.
- return JSValue::encode(ViewClass::create(exec, structure, 0));
- }
-
- if (JSArrayBuffer* jsBuffer = jsDynamicCast<JSArrayBuffer*>(exec->argument(0))) {
</del><ins>+ if (JSArrayBuffer* jsBuffer = jsDynamicCast<JSArrayBuffer*>(firstValue)) {
</ins><span class="cx"> RefPtr<ArrayBuffer> buffer = jsBuffer->impl();
</span><del>-
- unsigned offset = (exec->argumentCount() > 1) ? exec->uncheckedArgument(1).toUInt32(exec) : 0;
- if (exec->hadException())
- return JSValue::encode(jsUndefined());
</del><ins>+
+ unsigned offset = 0;
</ins><span class="cx"> unsigned length = 0;
</span><del>- if (exec->argumentCount() > 2) {
</del><ins>+ if (checkForOtherArguments && exec->argumentCount() > 1) {
+ offset = exec->uncheckedArgument(1).toUInt32(exec);
+ if (exec->hadException())
+ return nullptr;
+ }
+
+ if (checkForOtherArguments && exec->argumentCount() > 2) {
</ins><span class="cx"> length = exec->uncheckedArgument(2).toUInt32(exec);
</span><span class="cx"> if (exec->hadException())
</span><del>- return JSValue::encode(jsUndefined());
</del><ins>+ return nullptr;
</ins><span class="cx"> } else {
</span><span class="cx"> if ((buffer->byteLength() - offset) % ViewClass::elementSize)
</span><del>- return throwVMError(exec, createRangeError(exec, "ArrayBuffer length minus the byteOffset is not a multiple of the element size"));
</del><ins>+ return throwRangeError(exec, "ArrayBuffer length minus the byteOffset is not a multiple of the element size");
</ins><span class="cx"> length = (buffer->byteLength() - offset) / ViewClass::elementSize;
</span><ins>+
</ins><span class="cx"> }
</span><del>- return JSValue::encode(ViewClass::create(exec, structure, buffer, offset, length));
</del><ins>+
+ return ViewClass::create(exec, structure, buffer, offset, length);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (ViewClass::TypedArrayStorageType == TypeDataView)
</span><del>- return throwVMError(exec, createTypeError(exec, "Expected ArrayBuffer for the first argument."));
</del><ins>+ return throwTypeError(exec, "Expected ArrayBuffer for the first argument.");
</ins><span class="cx">
</span><span class="cx"> // For everything but DataView, we allow construction with any of:
</span><span class="cx"> // - Another array. This creates a copy of the of that array.
</span><span class="cx"> // - An integer. This creates a new typed array of that length and zero-initializes it.
</span><del>-
- if (JSObject* object = jsDynamicCast<JSObject*>(exec->uncheckedArgument(0))) {
- PropertySlot lengthSlot(object);
- object->getPropertySlot(exec, vm.propertyNames->length, lengthSlot);
</del><span class="cx">
</span><del>- if (!isTypedView(object->classInfo()->typedArrayStorageType)) {
</del><ins>+ if (JSObject* object = jsDynamicCast<JSObject*>(firstValue)) {
+ unsigned length;
+
+ if (isTypedView(object->classInfo()->typedArrayStorageType))
+ length = jsCast<JSArrayBufferView*>(object)->length();
+ else {
+ PropertySlot lengthSlot(object);
+ object->getPropertySlot(exec, vm.propertyNames->length, lengthSlot);
+
</ins><span class="cx"> JSValue iteratorFunc = object->get(exec, vm.propertyNames->iteratorSymbol);
</span><span class="cx"> if (exec->hadException())
</span><del>- return JSValue::encode(jsUndefined());
</del><ins>+ return nullptr;
</ins><span class="cx">
</span><span class="cx"> // We would like not use the iterator as it is painfully slow. Fortunately, unless
</span><span class="cx"> // 1) The iterator is not a known iterator.
</span><span class="cx"> // 2) The base object does not have a length getter.
</span><del>- // 3) Bad times are being had.
</del><ins>+ // 3) The base object might have indexed getters.
</ins><span class="cx"> // it should not be observable that we do not use the iterator.
</span><span class="cx">
</span><span class="cx"> if (!iteratorFunc.isUndefined()
</span><del>- && (iteratorFunc != exec->lexicalGlobalObject()->arrayProtoValuesFunction()
</del><ins>+ && (iteratorFunc != object->globalObject()->arrayProtoValuesFunction()
</ins><span class="cx"> || lengthSlot.isAccessor() || lengthSlot.isCustom()
</span><del>- || exec->lexicalGlobalObject()->isHavingABadTime())) {
</del><ins>+ || hasAnyArrayStorage(object->indexingType()))) {
</ins><span class="cx">
</span><span class="cx"> CallData callData;
</span><span class="cx"> CallType callType = getCallData(iteratorFunc, callData);
</span><span class="cx"> if (callType == CallTypeNone)
</span><del>- return JSValue::encode(throwTypeError(exec, "Symbol.Iterator for the first argument cannot be called."));
</del><ins>+ return throwTypeError(exec, "Symbol.Iterator for the first argument cannot be called.");
</ins><span class="cx">
</span><span class="cx"> ArgList arguments;
</span><span class="cx"> JSValue iterator = call(exec, iteratorFunc, callType, callData, object, arguments);
</span><span class="cx"> if (exec->hadException())
</span><del>- return JSValue::encode(jsUndefined());
</del><ins>+ return nullptr;
</ins><span class="cx">
</span><span class="cx"> return constructGenericTypedArrayViewFromIterator<ViewClass>(exec, structure, iterator);
</span><ins>+ }
</ins><span class="cx">
</span><del>- }
</del><ins>+ length = lengthSlot.isUnset() ? 0 : lengthSlot.getValue(exec, vm.propertyNames->length).toUInt32(exec);
+ if (exec->hadException())
+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- unsigned length = lengthSlot.getValue(exec, vm.propertyNames->length).toUInt32(exec);
- if (exec->hadException())
- return JSValue::encode(jsUndefined());
</del><span class="cx">
</span><span class="cx"> ViewClass* result = ViewClass::createUninitialized(exec, structure, length);
</span><span class="cx"> if (!result) {
</span><span class="cx"> ASSERT(exec->hadException());
</span><del>- return JSValue::encode(jsUndefined());
</del><ins>+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (!result->set(exec, object, 0, length))
</span><del>- return JSValue::encode(jsUndefined());
</del><ins>+ return nullptr;
</ins><span class="cx">
</span><del>- return JSValue::encode(result);
</del><ins>+ return result;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> int length;
</span><del>- if (exec->uncheckedArgument(0).isInt32())
- length = exec->uncheckedArgument(0).asInt32();
- else if (!exec->uncheckedArgument(0).isNumber())
- return throwVMError(exec, createTypeError(exec, "Invalid array length argument"));
</del><ins>+ if (firstValue.isInt32())
+ length = firstValue.asInt32();
+ else if (!firstValue.isNumber())
+ return throwTypeError(exec, "Invalid array length argument");
</ins><span class="cx"> else {
</span><del>- length = static_cast<int>(exec->uncheckedArgument(0).asNumber());
- if (length != exec->uncheckedArgument(0).asNumber())
- return throwVMError(exec, createTypeError(exec, "Invalid array length argument (fractional lengths not allowed)"));
</del><ins>+ length = static_cast<int>(firstValue.asNumber());
+ if (length != firstValue.asNumber())
+ return throwTypeError(exec, "Invalid array length argument (fractional lengths not allowed)");
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (length < 0)
</span><del>- return throwVMError(exec, createRangeError(exec, "Requested length is negative"));
- return JSValue::encode(ViewClass::create(exec, structure, length));
</del><ins>+ return throwRangeError(exec, "Requested length is negative");
+ return ViewClass::create(exec, structure, length);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename ViewClass>
</span><ins>+static EncodedJSValue JSC_HOST_CALL constructGenericTypedArrayView(ExecState* exec)
+{
+ Structure* structure =
+ asInternalFunction(exec->callee())->globalObject()->typedArrayStructure(
+ ViewClass::TypedArrayStorageType);
+
+ if (!exec->argumentCount()) {
+ if (ViewClass::TypedArrayStorageType == TypeDataView)
+ return throwVMError(exec, createTypeError(exec, "DataView constructor requires at least one argument."));
+
+ return JSValue::encode(ViewClass::create(exec, structure, 0));
+ }
+
+ return JSValue::encode(constructGenericTypedArrayViewWithFirstArgument<ViewClass, true>(exec, structure, JSValue::encode(exec->uncheckedArgument(0))));
+}
+
+template<typename ViewClass>
</ins><span class="cx"> ConstructType JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData(JSCell*, ConstructData& constructData)
</span><span class="cx"> {
</span><span class="cx"> constructData.native.function = constructGenericTypedArrayView<ViewClass>;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewPrototypeFunctionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h (191189 => 191190)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2015-10-16 18:30:23 UTC (rev 191189)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2015-10-16 18:37:14 UTC (rev 191190)
</span><span class="lines">@@ -66,10 +66,6 @@
</span><span class="cx"> if (!exec->argumentCount())
</span><span class="cx"> return throwVMError(exec, createTypeError(exec, "Expected at least one argument"));
</span><span class="cx">
</span><del>- JSObject* sourceArray = jsDynamicCast<JSObject*>(exec->uncheckedArgument(0));
- if (!sourceArray)
- return throwVMError(exec, createTypeError(exec, "First argument should be an object"));
-
</del><span class="cx"> unsigned offset;
</span><span class="cx"> if (exec->argumentCount() >= 2) {
</span><span class="cx"> offset = exec->uncheckedArgument(1).toUInt32(exec);
</span><span class="lines">@@ -78,7 +74,16 @@
</span><span class="cx"> } else
</span><span class="cx"> offset = 0;
</span><span class="cx">
</span><del>- unsigned length = sourceArray->get(exec, exec->vm().propertyNames->length).toUInt32(exec);
</del><ins>+ JSObject* sourceArray = jsDynamicCast<JSObject*>(exec->uncheckedArgument(0));
+ if (!sourceArray)
+ return throwVMError(exec, createTypeError(exec, "First argument should be an object"));
+
+ unsigned length;
+ if (isTypedView(sourceArray->classInfo()->typedArrayStorageType))
+ length = jsDynamicCast<JSArrayBufferView*>(sourceArray)->length();
+ else
+ length = sourceArray->get(exec, exec->vm().propertyNames->length).toUInt32(exec);
+
</ins><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><span class="cx">
</span><span class="lines">@@ -283,7 +288,6 @@
</span><span class="cx"> return JSValue::encode(jsNumber(thisObject->byteOffset()));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-
</del><span class="cx"> template<typename ViewClass>
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL genericTypedArrayViewProtoFuncReverse(ExecState* exec)
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstresstypedarrayconstructiteratorjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/typedarray-construct-iterator.js (0 => 191190)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/typedarray-construct-iterator.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/typedarray-construct-iterator.js 2015-10-16 18:37:14 UTC (rev 191190)
</span><span class="lines">@@ -0,0 +1,66 @@
</span><ins>+// Test a bunch of things about typed array constructors with iterators.
+
+// Test that the dfg actually respects iterators.
+let foo = [1,2,3,4];
+
+function iterator() {
+ return { i: 0,
+ next: function() {
+ if (this.i < foo.length/2) {
+ return { done: false,
+ value: foo[this.i++]
+ };
+ }
+ return { done: true };
+ }
+ };
+}
+
+foo[Symbol.iterator] = iterator;
+
+(function body() {
+
+ for (var i = 1; i < 100000; i++) {
+ if (new Int32Array(foo).length !== 2)
+ throw "iterator did not run";
+ }
+
+})();
+
+// Test that the optimizations used for iterators during construction is valid.
+
+foo = { 0:0, 1:1, 2:2, 3:3 };
+count = 4;
+foo.__defineGetter__("length", function() {
+ return count--;
+});
+
+foo[Symbol.iterator] = Array.prototype[Symbol.iterator];
+
+if (new Int32Array(foo).length !== 2)
+ throw "iterator did not run";
+
+// Test that we handle length is unset... whoops.
+
+foo = { 0:0, 2:2, 3:3 };
+
+if (new Int32Array(foo).length !== 0)
+ throw "did not handle object with unset length";
+
+// Test that we handle prototypes with accessors.
+
+foo = { 0:0, 2:2, 3:3 };
+foo[Symbol.iterator] = Array.prototype[Symbol.iterator];
+foo.length = 4;
+bar = { };
+
+bar.__defineGetter__("1", function() {
+ foo.length = 0;
+ return 1;
+});
+
+
+foo.__proto__ = bar;
+
+if (new Int32Array(foo).length !== 2)
+ throw "did not handle object with accessor on prototype";
</ins></span></pre>
</div>
</div>
</body>
</html>