<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[203076] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/203076">203076</a></dd>
<dt>Author</dt> <dd>keith_miller@apple.com</dd>
<dt>Date</dt> <dd>2016-07-11 12:13:05 -0700 (Mon, 11 Jul 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>STP TypedArray.subarray 5x slowdown compared to 9.1
https://bugs.webkit.org/show_bug.cgi?id=156404
Source/JavaScriptCore:
<rdar://problem/26493032>
Reviewed by Geoffrey Garen.
This patch moves the species constructor work for
%TypedArray%.prototype.subarray to a js wrapper. By moving the
species constructor work to JS we are able to completely optimize
it out in DFG. The actual work of creating a TypedArray is still
done in C++ since we are able to avoid calling into the
constructor, which is expensive. This patch also changes the error
message when a %TypedArray%.prototype function is passed a non-typed
array this value. Finally, we used to check that the this value
had not been detached, however, this behavior was incorrect.
* builtins/BuiltinNames.h:
* builtins/TypedArrayPrototype.js:
(globalPrivate.typedArraySpeciesConstructor):
(subarray):
* runtime/ConstructData.cpp:
(JSC::construct):
* runtime/ConstructData.h:
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
(JSC::genericTypedArrayViewProtoFuncSubarray): Deleted.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSTypedArrayViewPrototype.cpp:
(JSC::typedArrayViewPrivateFuncLength):
(JSC::typedArrayViewPrivateFuncSubarrayCreate):
(JSC::JSTypedArrayViewPrototype::finishCreation):
(JSC::typedArrayViewProtoFuncSubarray): Deleted.
* runtime/JSTypedArrayViewPrototype.h:
LayoutTests:
Reviewed by Geoffrey Garen.
Add new micro-benchmark for testing subarray performance with small subarray sizes.
* js/regress/script-tests/typed-array-subarray.js: Added.
(createManySubs):
(go):
* js/regress/typed-array-subarray-expected.txt: Added.
* js/regress/typed-array-subarray.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebuiltinsBuiltinNamesh">trunk/Source/JavaScriptCore/builtins/BuiltinNames.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebuiltinsTypedArrayPrototypejs">trunk/Source/JavaScriptCore/builtins/TypedArrayPrototype.js</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeConstructDatacpp">trunk/Source/JavaScriptCore/runtime/ConstructData.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeConstructDatah">trunk/Source/JavaScriptCore/runtime/ConstructData.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewPrototypeFunctionsh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp">trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSTypedArrayViewPrototypecpp">trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSTypedArrayViewPrototypeh">trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsjsregressscriptteststypedarraysubarrayjs">trunk/LayoutTests/js/regress/script-tests/typed-array-subarray.js</a></li>
<li><a href="#trunkLayoutTestsjsregresstypedarraysubarrayexpectedtxt">trunk/LayoutTests/js/regress/typed-array-subarray-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregresstypedarraysubarrayhtml">trunk/LayoutTests/js/regress/typed-array-subarray.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (203075 => 203076)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-07-11 19:08:24 UTC (rev 203075)
+++ trunk/LayoutTests/ChangeLog        2016-07-11 19:13:05 UTC (rev 203076)
</span><span class="lines">@@ -1,3 +1,18 @@
</span><ins>+2016-07-11 Keith Miller <keith_miller@apple.com>
+
+ STP TypedArray.subarray 5x slowdown compared to 9.1
+ https://bugs.webkit.org/show_bug.cgi?id=156404
+
+ Reviewed by Geoffrey Garen.
+
+ Add new micro-benchmark for testing subarray performance with small subarray sizes.
+
+ * js/regress/script-tests/typed-array-subarray.js: Added.
+ (createManySubs):
+ (go):
+ * js/regress/typed-array-subarray-expected.txt: Added.
+ * js/regress/typed-array-subarray.html: Added.
+
</ins><span class="cx"> 2016-07-11 Nan Wang <n_wang@apple.com>
</span><span class="cx">
</span><span class="cx"> AX: WKWebView should have API to prevent pinch-to-zoom always being allowed
</span></span></pre></div>
<a id="trunkLayoutTestsjsregressscriptteststypedarraysubarrayjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/typed-array-subarray.js (0 => 203076)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/typed-array-subarray.js         (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/typed-array-subarray.js        2016-07-11 19:13:05 UTC (rev 203076)
</span><span class="lines">@@ -0,0 +1,31 @@
</span><ins>+noInline(Float32Array.prototype.subarray);
+function createManySubs(howMany, a, b, c, d) {
+ var storage = new Float32Array(howMany * 4);
+ for (var k=0; k < howMany; ++k) {
+ var r = storage.subarray(k * 4, (k + 1) * 4);
+ r[0] = a; r[1] = b; r[2] = c; r[3] = d;
+
+ // some action
+ r[0] += 2.3; r[1] += 12; r[2] *= 3.14; r[3] -= 999.1;
+ }
+}
+
+function go() {
+ var subtt = [];
+
+ const iterationCount = 25;
+ const arrayCount = 20000;
+
+ var a, b, c, d;
+
+ for (var iter=0; iter < iterationCount; ++iter) {
+ a = Math.random() * 10;
+ b = Math.random() * 10;
+ c = Math.random() * 10;
+ d = Math.random() * 10;
+ createManySubs(arrayCount, a, b, c, d);
+ }
+
+}
+
+go();
</ins></span></pre></div>
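Review bot: The benchmark in createManySubs only exercises the default-constructor path, so the behaviour changes listed in the log message have no test here: a species override on the view's constructor, the new error message for a non-typed-array this value, and subarray on a view whose buffer has been detached. A correctness test alongside this file for those three cases would pin them down. Also, var subtt = []; in go() is never used and can be dropped.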
<a id="trunkLayoutTestsjsregresstypedarraysubarrayexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/typed-array-subarray-expected.txt (0 => 203076)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/typed-array-subarray-expected.txt         (rev 0)
+++ trunk/LayoutTests/js/regress/typed-array-subarray-expected.txt        2016-07-11 19:13:05 UTC (rev 203076)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/typed-array-subarray
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresstypedarraysubarrayhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/typed-array-subarray.html (0 => 203076)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/typed-array-subarray.html         (rev 0)
+++ trunk/LayoutTests/js/regress/typed-array-subarray.html        2016-07-11 19:13:05 UTC (rev 203076)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/typed-array-subarray.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (203075 => 203076)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-07-11 19:08:24 UTC (rev 203075)
+++ trunk/Source/JavaScriptCore/ChangeLog        2016-07-11 19:13:05 UTC (rev 203076)
</span><span class="lines">@@ -1,3 +1,40 @@
</span><ins>+2016-07-11 Keith Miller <keith_miller@apple.com>
+
+ STP TypedArray.subarray 5x slowdown compared to 9.1
+ https://bugs.webkit.org/show_bug.cgi?id=156404
+ <rdar://problem/26493032>
+
+ Reviewed by Geoffrey Garen.
+
+ This patch moves the species constructor work for
+ %TypedArray%.prototype.subarray to a js wrapper. By moving the
+ species constructor work to JS we are able to completely optimize
+ it out in DFG. The actual work of creating a TypedArray is still
+ done in C++ since we are able to avoid calling into the
+ constructor, which is expensive. This patch also changes the error
+ message when a %TypedArray%.prototype function is passed a non-typed
+ array this value. Finally, we used to check that the this value
+ had not been detached, however, this behavior was incorrect.
+
+ * builtins/BuiltinNames.h:
+ * builtins/TypedArrayPrototype.js:
+ (globalPrivate.typedArraySpeciesConstructor):
+ (subarray):
+ * runtime/ConstructData.cpp:
+ (JSC::construct):
+ * runtime/ConstructData.h:
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
+ (JSC::genericTypedArrayViewProtoFuncSubarray): Deleted.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSTypedArrayViewPrototype.cpp:
+ (JSC::typedArrayViewPrivateFuncLength):
+ (JSC::typedArrayViewPrivateFuncSubarrayCreate):
+ (JSC::JSTypedArrayViewPrototype::finishCreation):
+ (JSC::typedArrayViewProtoFuncSubarray): Deleted.
+ * runtime/JSTypedArrayViewPrototype.h:
+
</ins><span class="cx"> 2016-07-11 Yusuke Suzuki <utatane.tea@gmail.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION(r202992): JSC varargs tests are broken
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebuiltinsBuiltinNamesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/builtins/BuiltinNames.h (203075 => 203076)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/builtins/BuiltinNames.h        2016-07-11 19:08:24 UTC (rev 203075)
+++ trunk/Source/JavaScriptCore/builtins/BuiltinNames.h        2016-07-11 19:13:05 UTC (rev 203076)
</span><span class="lines">@@ -76,6 +76,7 @@
</span><span class="cx"> macro(typedArrayLength) \
</span><span class="cx"> macro(typedArraySort) \
</span><span class="cx"> macro(typedArrayGetOriginalConstructor) \
</span><ins>+ macro(typedArraySubarrayCreate) \
</ins><span class="cx"> macro(BuiltinLog) \
</span><span class="cx"> macro(homeObject) \
</span><span class="cx"> macro(getTemplateObject) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebuiltinsTypedArrayPrototypejs"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/builtins/TypedArrayPrototype.js (203075 => 203076)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/builtins/TypedArrayPrototype.js        2016-07-11 19:08:24 UTC (rev 203075)
+++ trunk/Source/JavaScriptCore/builtins/TypedArrayPrototype.js        2016-07-11 19:13:05 UTC (rev 203076)
</span><span class="lines">@@ -26,6 +26,32 @@
</span><span class="cx"> // Note that the intrisic @typedArrayLength checks that the argument passed is a typed array
</span><span class="cx"> // and throws if it is not.
</span><span class="cx">
</span><ins>+
+// Typed Arrays have their own species constructor function since they need
+// to look up their default constructor, which is expensive. If we used the
+// normal speciesConstructor helper we would need to look up the default
+// constructor every time.
+@globalPrivate
+function typedArraySpeciesConstructor(value)
+{
+ "use strict";
+ let constructor = value.constructor;
+ if (constructor === @undefined)
+ return @typedArrayGetOriginalConstructor(value);
+
+ if (!@isObject(constructor))
+ throw new @TypeError("|this|.constructor is not an Object or undefined");
+
+ constructor = constructor.@speciesSymbol;
+ if (constructor == null)
+ return @typedArrayGetOriginalConstructor(value);
+ // The lack of an @isConstructor(constructor) check here is not observable because
+ // the first thing we will do with the value is attempt to construct the result with it.
+ // If any user of this function does not immediately construct the result they need to
+ // verify that the result is a constructor.
+ return constructor;
+}
+
</ins><span class="cx"> function values()
</span><span class="cx"> {
</span><span class="cx"> "use strict";
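Review bot: The closing comment in typedArraySpeciesConstructor leaves the @isConstructor check to every caller, which is easy to miss when a second user of this helper appears. Both value.constructor and constructor.@speciesSymbol are reads that can run script, so the returned value is untrusted. Consider stating that requirement in the header comment above the function, or verifying it in debug builds, so it does not depend on a note at the bottom of the body.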
</span><span class="lines">@@ -193,6 +219,23 @@
</span><span class="cx"> return this;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+function subarray(begin, end)
+{
+ "use strict";
+
+ if (!@isTypedArrayView(this))
+ throw new @TypeError("|this| should be a typed array view");
+
+ let start = @toInteger(begin);
+ let finish;
+ if (end !== @undefined)
+ finish = @toInteger(end);
+
+ let constructor = @typedArraySpeciesConstructor(this);
+
+ return @typedArraySubarrayCreate.@call(this, start, finish, constructor);
+}
+
</ins><span class="cx"> function reduce(callback /* [, initialValue] */)
</span><span class="cx"> {
</span><span class="cx"> // 22.2.3.19
</span></span></pre></div>
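Review bot: In subarray, the native side now only ASSERTs that argument 0 is an integer and that argument 1 is undefined or an integer, so this wrapper is the sole place the conversion is enforced. Please confirm that @toInteger returns a value satisfying isAnyInt() for every input, including non-finite numbers, and add test cases for those. Note also that @toInteger(begin), @toInteger(end) and the species lookup can all run script after the @isTypedArrayView(this) check and before @typedArraySubarrayCreate is called, so the state of this has to be re-validated in the native function rather than assumed.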
<a id="trunkSourceJavaScriptCoreruntimeConstructDatacpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ConstructData.cpp (203075 => 203076)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ConstructData.cpp        2016-07-11 19:08:24 UTC (rev 203075)
+++ trunk/Source/JavaScriptCore/runtime/ConstructData.cpp        2016-07-11 19:13:05 UTC (rev 203076)
</span><span class="lines">@@ -35,7 +35,7 @@
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><del>-JSObject* construct(ExecState* exec, JSValue constructorObject, const ArgList& args, const String& errorMessage)
</del><ins>+JSObject* construct(ExecState* exec, JSValue constructorObject, const ArgList& args, const char* errorMessage)
</ins><span class="cx"> {
</span><span class="cx"> ConstructData constructData;
</span><span class="cx"> ConstructType constructType = getConstructData(constructorObject, constructData);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeConstructDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ConstructData.h (203075 => 203076)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ConstructData.h        2016-07-11 19:08:24 UTC (rev 203075)
+++ trunk/Source/JavaScriptCore/runtime/ConstructData.h        2016-07-11 19:13:05 UTC (rev 203076)
</span><span class="lines">@@ -59,7 +59,7 @@
</span><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> // Convenience wrapper so you don't need to deal with CallData and CallType unless you are going to use them.
</span><del>-JSObject* construct(ExecState*, JSValue functionObject, const ArgList&, const String& errorMessage);
</del><ins>+JSObject* construct(ExecState*, JSValue functionObject, const ArgList&, const char* errorMessage);
</ins><span class="cx"> JS_EXPORT_PRIVATE JSObject* construct(ExecState*, JSValue constructor, ConstructType, const ConstructData&, const ArgList&, JSValue newTarget);
</span><span class="cx">
</span><span class="cx"> ALWAYS_INLINE JSObject* construct(ExecState* exec, JSValue constructorObject, ConstructType constructType, const ConstructData& constructData, const ArgList& args)
</span></span></pre></div>
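Review bot: Changing errorMessage from const String& to const char* drops the type's guarantees about lifetime and nullness, and the declaration does not say what callers must pass. Add a comment that it must be a non-null string literal, or take the ASCIILiteral wrapper this commit already uses for the throwVMTypeError calls in JSTypedArrayViewPrototype.cpp, so a caller cannot hand in a temporary buffer.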
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewPrototypeFunctionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h (203075 => 203076)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h        2016-07-11 19:08:24 UTC (rev 203075)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h        2016-07-11 19:13:05 UTC (rev 203076)
</span><span class="lines">@@ -462,7 +462,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename ViewClass>
</span><del>-EncodedJSValue JSC_HOST_CALL genericTypedArrayViewProtoFuncSubarray(ExecState* exec)
</del><ins>+EncodedJSValue JSC_HOST_CALL genericTypedArrayViewPrivateFuncSubarrayCreate(ExecState* exec)
</ins><span class="cx"> {
</span><span class="cx"> // 22.2.3.23
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="lines">@@ -475,15 +475,14 @@
</span><span class="cx"> // Get the length here; later assert that the length didn't change.
</span><span class="cx"> unsigned thisLength = thisObject->length();
</span><span class="cx">
</span><ins>+ ASSERT(exec->argument(0).isAnyInt());
+ ASSERT(exec->argument(1).isUndefined() || exec->argument(1).isAnyInt());
</ins><span class="cx"> unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 0, thisLength);
</span><del>- if (vm.exception())
- return encodedJSValue();
</del><ins>+ ASSERT(!vm.exception());
</ins><span class="cx"> unsigned end = argumentClampedIndexFromStartOrEnd(exec, 1, thisLength, thisLength);
</span><del>- if (vm.exception())
- return encodedJSValue();
</del><ins>+ ASSERT(!vm.exception());
</ins><span class="cx">
</span><del>- if (thisObject->isNeutered())
- return throwVMTypeError(exec, typedArrayBufferHasBeenDetachedErrorMessage);
</del><ins>+ RELEASE_ASSERT(!thisObject->isNeutered());
</ins><span class="cx">
</span><span class="cx"> // Clamp end to begin.
</span><span class="cx"> end = std::max(begin, end);
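Review bot: RELEASE_ASSERT(!thisObject->isNeutered()) replaces a thrown TypeError with a process abort, but nothing visible in this patch guarantees the view is still attached on entry: the JS wrapper converts begin and end and looks up the species before calling in, and each of those steps can run script. Unless detaching is impossible at that point, handle the detached case here instead of asserting, and state the intended result, since the log message only says the old check was incorrect. The two if (vm.exception()) returns are likewise reduced to debug-only ASSERTs, which leaves release builds with no check if argumentClampedIndexFromStartOrEnd can ever throw.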
</span><span class="lines">@@ -497,23 +496,31 @@
</span><span class="cx">
</span><span class="cx"> unsigned newByteOffset = thisObject->byteOffset() + offset * ViewClass::elementSize;
</span><span class="cx">
</span><ins>+ JSObject* defaultConstructor = callee->globalObject()->typedArrayConstructor(ViewClass::TypedArrayStorageType);
+ JSValue species = exec->uncheckedArgument(2);
+ if (species == defaultConstructor) {
+ Structure* structure = callee->globalObject()->typedArrayStructure(ViewClass::TypedArrayStorageType);
+
+ return JSValue::encode(ViewClass::create(
+ exec, structure, arrayBuffer,
+ thisObject->byteOffset() + offset * ViewClass::elementSize,
+ length));
+ }
+
</ins><span class="cx"> MarkedArgumentBuffer args;
</span><del>- args.append(exec->vm().m_typedArrayController->toJS(exec, thisObject->globalObject(), thisObject->buffer()));
</del><ins>+ args.append(vm.m_typedArrayController->toJS(exec, thisObject->globalObject(), thisObject->buffer()));
</ins><span class="cx"> args.append(jsNumber(newByteOffset));
</span><span class="cx"> args.append(jsNumber(length));
</span><span class="cx">
</span><del>- JSArrayBufferView* result = speciesConstruct(exec, thisObject, args, [&]() {
- Structure* structure = callee->globalObject()->typedArrayStructure(ViewClass::TypedArrayStorageType);
-
- return ViewClass::create(
- exec, structure, arrayBuffer,
- thisObject->byteOffset() + offset * ViewClass::elementSize,
- length);
- });
</del><ins>+ JSObject* result = construct(exec, species, args, "species is not a constructor");
</ins><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(JSValue());
</span><span class="cx">
</span><del>- return JSValue::encode(result);
</del><ins>+ if (jsDynamicCast<JSArrayBufferView*>(result))
+ return JSValue::encode(result);
+
+ throwTypeError(exec, "species constructor did not return a TypedArray View");
+ return JSValue::encode(JSValue());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
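Review bot: The result check after construct() accepts any JSArrayBufferView, while the error text promises a TypedArray View. The DataViewMode test removed from typedArrayViewPrivateFuncLength in this same commit suggests a DataView is also a JSArrayBufferView, so a species constructor returning a DataView would pass; check the view's mode or type as well. Smaller point: the fast path recomputes thisObject->byteOffset() + offset * ViewClass::elementSize although newByteOffset already holds that value just above, so pass newByteOffset to ViewClass::create.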
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp (203075 => 203076)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp        2016-07-11 19:08:24 UTC (rev 203075)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp        2016-07-11 19:13:05 UTC (rev 203076)
</span><span class="lines">@@ -657,6 +657,7 @@
</span><span class="cx"> JSFunction* privateFuncTypedArrayGetOriginalConstructor = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncGetOriginalConstructor);
</span><span class="cx"> JSFunction* privateFuncTypedArraySort = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncSort);
</span><span class="cx"> JSFunction* privateFuncIsTypedArrayView = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncIsTypedArrayView, IsTypedArrayViewIntrinsic);
</span><ins>+ JSFunction* privateFuncTypedArraySubarrayCreate = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncSubarrayCreate);
</ins><span class="cx"> JSFunction* privateFuncIsBoundFunction = JSFunction::create(vm, this, 0, String(), isBoundFunction);
</span><span class="cx"> JSFunction* privateFuncHasInstanceBoundFunction = JSFunction::create(vm, this, 0, String(), hasInstanceBoundFunction);
</span><span class="cx"> JSFunction* privateFuncInstanceOf = JSFunction::create(vm, this, 0, String(), objectPrivateFuncInstanceOf);
</span><span class="lines">@@ -706,6 +707,7 @@
</span><span class="cx"> GlobalPropertyInfo(vm.propertyNames->builtinNames().typedArrayGetOriginalConstructorPrivateName(), privateFuncTypedArrayGetOriginalConstructor, DontEnum | DontDelete | ReadOnly),
</span><span class="cx"> GlobalPropertyInfo(vm.propertyNames->builtinNames().typedArraySortPrivateName(), privateFuncTypedArraySort, DontEnum | DontDelete | ReadOnly),
</span><span class="cx"> GlobalPropertyInfo(vm.propertyNames->builtinNames().isTypedArrayViewPrivateName(), privateFuncIsTypedArrayView, DontEnum | DontDelete | ReadOnly),
</span><ins>+ GlobalPropertyInfo(vm.propertyNames->builtinNames().typedArraySubarrayCreatePrivateName(), privateFuncTypedArraySubarrayCreate, DontEnum | DontDelete | ReadOnly),
</ins><span class="cx"> GlobalPropertyInfo(vm.propertyNames->builtinNames().isBoundFunctionPrivateName(), privateFuncIsBoundFunction, DontEnum | DontDelete | ReadOnly),
</span><span class="cx"> GlobalPropertyInfo(vm.propertyNames->builtinNames().hasInstanceBoundFunctionPrivateName(), privateFuncHasInstanceBoundFunction, DontEnum | DontDelete | ReadOnly),
</span><span class="cx"> GlobalPropertyInfo(vm.propertyNames->builtinNames().instanceOfPrivateName(), privateFuncInstanceOf, DontEnum | DontDelete | ReadOnly),
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSTypedArrayViewPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp (203075 => 203076)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp        2016-07-11 19:08:24 UTC (rev 203075)
+++ trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp        2016-07-11 19:13:05 UTC (rev 203076)
</span><span class="lines">@@ -74,13 +74,12 @@
</span><span class="cx"> {
</span><span class="cx"> JSValue argument = exec->argument(0);
</span><span class="cx"> if (!argument.isCell() || !isTypedView(argument.asCell()->classInfo()->typedArrayStorageType))
</span><del>- return throwVMTypeError(exec, "Receiver should be a typed array view");
</del><ins>+ return throwVMTypeError(exec, ASCIILiteral("Receiver should be a typed array view"));
</ins><span class="cx">
</span><span class="cx"> JSArrayBufferView* thisObject = jsCast<JSArrayBufferView*>(argument);
</span><del>- if (!thisObject || thisObject->mode() == DataViewMode)
- return throwVMTypeError(exec, ASCIILiteral("Receiver should be a typed array view"));
</del><ins>+
</ins><span class="cx"> if (thisObject->isNeutered())
</span><del>- return throwVMTypeError(exec, "Underlying ArrayBuffer has been detached from the view");
</del><ins>+ return throwVMTypeError(exec, ASCIILiteral("Underlying ArrayBuffer has been detached from the view"));
</ins><span class="cx">
</span><span class="cx"> return JSValue::encode(jsNumber(thisObject->length()));
</span><span class="cx"> }
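Review bot: With the !thisObject || thisObject->mode() == DataViewMode test removed, the isTypedView(...) check on the line above the jsCast is the only thing rejecting a DataView in typedArrayViewPrivateFuncLength. Please confirm that isTypedView returns false for the DataView storage type, and consider an ASSERT(thisObject->mode() != DataViewMode) after the cast so the assumption is recorded.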
</span><span class="lines">@@ -187,12 +186,12 @@
</span><span class="cx"> CALL_GENERIC_TYPEDARRAY_PROTOTYPE_FUNCTION(genericTypedArrayViewProtoFuncReverse);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-static EncodedJSValue JSC_HOST_CALL typedArrayViewProtoFuncSubarray(ExecState* exec)
</del><ins>+EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncSubarrayCreate(ExecState* exec)
</ins><span class="cx"> {
</span><span class="cx"> JSValue thisValue = exec->thisValue();
</span><span class="cx"> if (!thisValue.isObject())
</span><span class="cx"> return throwVMTypeError(exec, ASCIILiteral("Receiver should be a typed array view but was not an object"));
</span><del>- CALL_GENERIC_TYPEDARRAY_PROTOTYPE_FUNCTION(genericTypedArrayViewProtoFuncSubarray);
</del><ins>+ CALL_GENERIC_TYPEDARRAY_PROTOTYPE_FUNCTION(genericTypedArrayViewPrivateFuncSubarrayCreate);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static EncodedJSValue JSC_HOST_CALL typedArrayViewProtoFuncSlice(ExecState* exec)
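Review bot: typedArrayViewPrivateFuncSubarrayCreate still throws "Receiver should be a typed array view but was not an object", but its only caller shown in this patch is the subarray builtin, which has already rejected any this that fails @isTypedArrayView. Either make this an ASSERT to match the checks in genericTypedArrayViewPrivateFuncSubarrayCreate, or keep it as a real check and say why in a comment; mixing both styles makes it unclear which layer owns validation.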
</span><span class="lines">@@ -276,7 +275,7 @@
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->set, typedArrayViewProtoFuncSet, DontEnum, 1);
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->slice, typedArrayViewProtoFuncSlice, DontEnum, 2);
</span><span class="cx"> JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION("some", typedArrayPrototypeSomeCodeGenerator, DontEnum);
</span><del>- JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->subarray, typedArrayViewProtoFuncSubarray, DontEnum, 2);
</del><ins>+ JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->subarray, typedArrayPrototypeSubarrayCodeGenerator, DontEnum);
</ins><span class="cx"> JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->toLocaleString, typedArrayPrototypeToLocaleStringCodeGenerator, DontEnum);
</span><span class="cx">
</span><span class="cx"> JSFunction* toStringTagFunction = JSFunction::create(vm, globalObject, 0, ASCIILiteral("get [Symbol.toStringTag]"), typedArrayViewProtoGetterFuncToStringTag, NoIntrinsic);
</span></span></pre></div>
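Review bot: The native registration passed an explicit length of 2, while the JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION line for subarray has no length argument, so subarray.length now depends on the parameter list of the JS wrapper. The wrapper is declared as subarray(begin, end), which matches, but a test asserting the length would keep a later signature change from altering it silently.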
<a id="trunkSourceJavaScriptCoreruntimeJSTypedArrayViewPrototypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.h (203075 => 203076)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.h        2016-07-11 19:08:24 UTC (rev 203075)
+++ trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.h        2016-07-11 19:13:05 UTC (rev 203076)
</span><span class="lines">@@ -50,6 +50,7 @@
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncSort(ExecState*);
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncLength(ExecState*);
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncGetOriginalConstructor(ExecState*);
</span><ins>+EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncSubarrayCreate(ExecState*);
</ins><span class="cx">
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre>
</div>
</div>
</body>
</html>