Diff
Modified: trunk/JSTests/ChangeLog (267602 => 267603)
--- trunk/JSTests/ChangeLog 2020-09-25 22:49:19 UTC (rev 267602)
+++ trunk/JSTests/ChangeLog 2020-09-25 22:54:55 UTC (rev 267603)
@@ -1,3 +1,16 @@
+2020-09-25 Ross Kirsling <ross.kirsl...@sony.com>
+
+ %TypedArray%.{from, of} no longer perform AllocateTypedArray
+ https://bugs.webkit.org/show_bug.cgi?id=216991
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/typedarray-of.js:
+ Fix test.
+
+ * test262/expectations.yaml:
+ Mark twelve test cases as passing.
+
2020-09-25 Alexey Shvayka <shvaikal...@gmail.com>
DataView instances should not have own "byteLength" and "byteOffset" properties
Modified: trunk/JSTests/stress/typedarray-of.js (267602 => 267603)
--- trunk/JSTests/stress/typedarray-of.js 2020-09-25 22:49:19 UTC (rev 267602)
+++ trunk/JSTests/stress/typedarray-of.js 2020-09-25 22:54:55 UTC (rev 267603)
@@ -14,8 +14,8 @@
shouldBeTrue("testConstructorFunction('of', '(1)', [1])");
shouldBeTrue("testConstructorFunction('of', '(1,2,3)', [1,2,3])");
-shouldThrow("testConstructorFunction('of', '.call(false)', false)", "'TypeError: TypedArray.of requires its this argument to subclass a TypedArray constructor'");
-shouldThrow("testConstructorFunction('of', '.call({})', false)", "'TypeError: TypedArray.of requires its this argument to subclass a TypedArray constructor'");
-shouldThrow("testConstructorFunction('of', '.call([])', false)", "'TypeError: TypedArray.of requires its this argument to subclass a TypedArray constructor'");
+shouldThrow("testConstructorFunction('of', '.call(false)', false)", "'TypeError: TypedArray.of requires |this| to be a constructor'");
+shouldThrow("testConstructorFunction('of', '.call({})', false)", "'TypeError: TypedArray.of requires |this| to be a constructor'");
+shouldThrow("testConstructorFunction('of', '.call([])', false)", "'TypeError: TypedArray.of requires |this| to be a constructor'");
finishJSTest();
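Review bot: The three updated `shouldThrow` lines only exercise the not-a-constructor message, so the new `TypedArray.of constructed typed array of insufficient length` branch has no case in this file. Now that `of` accepts any constructor as `this`, I would add a case where `this` is a constructor returning a typed array shorter than the argument count, expecting `'TypeError: TypedArray.of constructed typed array of insufficient length'`. A second case where the constructor returns a plain object would pin the not-a-typed-array path. The test262 files marked as passing elsewhere in this commit may already cover part of this, but a local stress test keeps both rejection paths covered.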
Modified: trunk/JSTests/test262/expectations.yaml (267602 => 267603)
--- trunk/JSTests/test262/expectations.yaml 2020-09-25 22:49:19 UTC (rev 267602)
+++ trunk/JSTests/test262/expectations.yaml 2020-09-25 22:54:55 UTC (rev 267603)
@@ -1311,15 +1311,6 @@
test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/same-ctor-buffer-ctor-value-not-obj-throws.js:
default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/from/custom-ctor-returns-other-instance.js:
- default: 'TypeError: TypedArray.from requires its this argument subclass a TypedArray constructor (Testing with Float64Array.)'
- strict mode: 'TypeError: TypedArray.from requires its this argument subclass a TypedArray constructor (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/from/custom-ctor.js:
- default: 'Test262Error: Expected a Test262Error but got a TypeError (Testing with Float64Array.)'
- strict mode: 'Test262Error: Expected a Test262Error but got a TypeError (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/from/new-instance-using-custom-ctor.js:
- default: 'TypeError: TypedArray.from requires its this argument subclass a TypedArray constructor (Testing with Float64Array.)'
- strict mode: 'TypeError: TypedArray.from requires its this argument subclass a TypedArray constructor (Testing with Float64Array.)'
test/built-ins/TypedArrayConstructors/from/set-value-abrupt-completion.js:
default: 'Test262Error: interrupted source iteration Expected SameValue(«1», «[object Object]») to be true (Testing with Float64Array.)'
strict mode: 'Test262Error: interrupted source iteration Expected SameValue(«1», «[object Object]») to be true (Testing with Float64Array.)'
@@ -1368,15 +1359,6 @@
test/built-ins/TypedArrayConstructors/internals/Set/tonumber-value-throws.js:
default: 'Test262Error: ToNumber runs before ToInteger(index) Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
strict mode: 'Test262Error: ToNumber runs before ToInteger(index) Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/of/custom-ctor-returns-other-instance.js:
- default: 'TypeError: TypedArray.of requires its this argument to subclass a TypedArray constructor (Testing with Float64Array.)'
- strict mode: 'TypeError: TypedArray.of requires its this argument to subclass a TypedArray constructor (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/of/custom-ctor.js:
- default: 'Test262Error: Expected a Test262Error but got a TypeError (Testing with Float64Array.)'
- strict mode: 'Test262Error: Expected a Test262Error but got a TypeError (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/of/new-instance-using-custom-ctor.js:
- default: 'TypeError: TypedArray.of requires its this argument to subclass a TypedArray constructor (Testing with Float64Array.)'
- strict mode: 'TypeError: TypedArray.of requires its this argument to subclass a TypedArray constructor (Testing with Float64Array.)'
test/intl402/DateTimeFormat/prototype/formatRange/en-US.js:
default: 'Test262Error: Expected SameValue(«1/3/2019 – 1/5/2019», «1/3/2019 – 1/5/2019») to be true'
strict mode: 'Test262Error: Expected SameValue(«1/3/2019 – 1/5/2019», «1/3/2019 – 1/5/2019») to be true'
Modified: trunk/Source/_javascript_Core/ChangeLog (267602 => 267603)
--- trunk/Source/_javascript_Core/ChangeLog 2020-09-25 22:49:19 UTC (rev 267602)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-09-25 22:54:55 UTC (rev 267603)
@@ -1,3 +1,37 @@
+2020-09-25 Ross Kirsling <ross.kirsl...@sony.com>
+
+ %TypedArray%.{from, of} no longer perform AllocateTypedArray
+ https://bugs.webkit.org/show_bug.cgi?id=216991
+
+ Reviewed by Yusuke Suzuki.
+
+ Back in ES2015, %TypedArray%.of and %TypedArray%.from appear to have been based on the abstract operation
+ AllocateTypedArray, which involved crawling the prototype chain to find the appropriate constructor and
+ only permitted `this` to be a (derived) typed array.
+
+ This appears to have gone away as of ES2016 -- we simply expect `this` to be a constructor and verify that it
+ produced a typed array (of sufficient length).
+
+ * builtins/BuiltinNames.h:
+ * builtins/TypedArrayConstructor.js:
+ (of):
+ (from):
+ (allocateInt8Array): Deleted.
+ (allocateInt16Array): Deleted.
+ (allocateInt32Array): Deleted.
+ (allocateUint32Array): Deleted.
+ (allocateUint16Array): Deleted.
+ (allocateUint8Array): Deleted.
+ (allocateUint8ClampedArray): Deleted.
+ (allocateFloat32Array): Deleted.
+ (allocateFloat64Array): Deleted.
+ * runtime/JSGenericTypedArrayViewConstructor.h:
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
+ (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::create):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+
2020-09-25 Yusuke Suzuki <ysuz...@apple.com>
[JSC] Introduce JSC_DECLARE_HOST_FUNCTION / JSC_DEFINE_HOST_FUNCTION to make host function definition easy-to-scanned for JIT-caging
Modified: trunk/Source/_javascript_Core/builtins/BuiltinNames.h (267602 => 267603)
--- trunk/Source/_javascript_Core/builtins/BuiltinNames.h 2020-09-25 22:49:19 UTC (rev 267602)
+++ trunk/Source/_javascript_Core/builtins/BuiltinNames.h 2020-09-25 22:54:55 UTC (rev 267603)
@@ -90,7 +90,6 @@
macro(get) \
macro(set) \
macro(shift) \
- macro(allocateTypedArray) \
macro(Int8Array) \
macro(Int16Array) \
macro(Int32Array) \
Modified: trunk/Source/_javascript_Core/builtins/TypedArrayConstructor.js (267602 => 267603)
--- trunk/Source/_javascript_Core/builtins/TypedArrayConstructor.js 2020-09-25 22:49:19 UTC (rev 267602)
+++ trunk/Source/_javascript_Core/builtins/TypedArrayConstructor.js 2020-09-25 22:54:55 UTC (rev 267603)
@@ -23,21 +23,18 @@
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-// According to the spec we are supposed to crawl the prototype chain looking
-// for the a TypedArray constructor. The way we implement this is with a
-// private function, @alloctateTypedArray, on each of the prototypes.
-// This enables us to optimize this lookup in the inline cache.
-
function of(/* items... */)
{
"use strict";
var len = arguments.length;
- var constructFunction = @getByIdDirectPrivate(this, "allocateTypedArray");
- if (constructFunction === @undefined)
- @throwTypeError("TypedArray.of requires its this argument to subclass a TypedArray constructor");
- var result = constructFunction(len);
+ if (!@isConstructor(this))
+ @throwTypeError("TypedArray.of requires |this| to be a constructor");
+ var result = new this(len);
+ if (@typedArrayLength(result) < len)
+ @throwTypeError("TypedArray.of constructed typed array of insufficient length");
+
for (var i = 0; i < len; i++)
result[i] = arguments[i];
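Review bot: In `of`, `new this(len)` now runs an arbitrary caller-supplied constructor, and the only check on what it returns is `@typedArrayLength(result) < len`. Nothing in this hunk shows that a non-typed-array result is rejected; that presumably happens inside `@typedArrayLength`, so the type validation the ChangeLog describes is implicit. After confirming that behaviour, including for a typed array whose buffer is already detached, I would add a comment above the check such as `// @typedArrayLength throws for anything that is not a typed array, so this doubles as the type check on the constructor's result.` The same pattern is used at both `new this(...)` sites in `from`. The body of `of` continues past the end of this hunk.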
@@ -48,10 +45,11 @@
{
"use strict";
+ if (!@isConstructor(this))
+ @throwTypeError("TypedArray.from requires |this| to be a constructor");
+
var mapFn = @argument(1);
-
var thisArg;
-
if (mapFn !== @undefined) {
if (!@isCallable(mapFn))
@throwTypeError("TypedArray.from requires that the second argument, when provided, be a function");
@@ -85,27 +83,22 @@
k++;
}
- var constructFunction = @getByIdDirectPrivate(this, "allocateTypedArray");
- if (constructFunction === @undefined)
- @throwTypeError("TypedArray.from requires its this argument subclass a TypedArray constructor");
+ var result = new this(k);
+ if (@typedArrayLength(result) < k)
+ @throwTypeError("TypedArray.from constructed typed array of insufficient length");
- var result = constructFunction(k);
-
for (var i = 0; i < k; i++)
result[i] = accumulator[i];
-
return result;
}
var arrayLikeLength = @toLength(arrayLike.length);
- var constructFunction = @getByIdDirectPrivate(this, "allocateTypedArray");
- if (constructFunction === @undefined)
- @throwTypeError("this does not subclass a TypedArray constructor");
+ var result = new this(arrayLikeLength);
+ if (@typedArrayLength(result) < arrayLikeLength)
+ @throwTypeError("TypedArray.from constructed typed array of insufficient length");
- var result = constructFunction(arrayLikeLength);
-
var k = 0;
while (k < arrayLikeLength) {
var value = arrayLike[k];
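Review bot: In the array-like path of `from`, `result` is validated once, before the copy loop, but the loop then reads `arrayLike[k]` from a caller-supplied object. `result` also comes from a caller-supplied constructor, so script that runs during the loop can still reach it and the length check only holds at the moment it is made. The stores therefore have to stay safe through the ordinary bounds- and detach-checked indexed put, not through the earlier check. I would record that next to the loop, e.g. `// result's length was checked above but user code may run during this loop; stores rely on the checked indexed put.` That guards against a later optimisation to an unchecked store. The loop body continues outside the hunk, so whether `mapFn` is also called here is not visible.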
@@ -118,48 +111,3 @@
return result;
}
-
-function allocateInt8Array(length)
-{
- return new @Int8Array(length);
-}
-
-function allocateInt16Array(length)
-{
- return new @Int16Array(length);
-}
-
-function allocateInt32Array(length)
-{
- return new @Int32Array(length);
-}
-
-function allocateUint32Array(length)
-{
- return new @Uint32Array(length);
-}
-
-function allocateUint16Array(length)
-{
- return new @Uint16Array(length);
-}
-
-function allocateUint8Array(length)
-{
- return new @Uint8Array(length);
-}
-
-function allocateUint8ClampedArray(length)
-{
- return new @Uint8ClampedArray(length);
-}
-
-function allocateFloat32Array(length)
-{
- return new @Float32Array(length);
-}
-
-function allocateFloat64Array(length)
-{
- return new @Float64Array(length);
-}
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructor.h (267602 => 267603)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructor.h 2020-09-25 22:49:19 UTC (rev 267602)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructor.h 2020-09-25 22:54:55 UTC (rev 267603)
@@ -57,7 +57,7 @@
using Base = InternalFunction;
static JSGenericTypedArrayViewConstructor* create(
- VM&, JSGlobalObject*, Structure*, JSObject* prototype, const String& name, FunctionExecutable* privateAllocator);
+ VM&, JSGlobalObject*, Structure*, JSObject* prototype, const String& name);
// FIXME: We should fix the warnings for extern-template in JSObject template classes: https://bugs.webkit.org/show_bug.cgi?id=161979
IGNORE_CLANG_WARNINGS_BEGIN("undefined-var-template")
@@ -126,7 +126,7 @@
private:
JSGenericTypedArrayViewConstructor(VM&, Structure*);
- void finishCreation(VM&, JSGlobalObject*, JSObject* prototype, const String& name, FunctionExecutable* privateAllocator);
+ void finishCreation(VM&, JSGlobalObject*, JSObject* prototype, const String& name);
};
} // namespace JSC
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h (267602 => 267603)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h 2020-09-25 22:49:19 UTC (rev 267602)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h 2020-09-25 22:54:55 UTC (rev 267603)
@@ -44,14 +44,11 @@
}
template<typename ViewClass>
-void JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation(VM& vm, JSGlobalObject* globalObject, JSObject* prototype, const String& name, FunctionExecutable* privateAllocator)
+void JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation(VM& vm, JSGlobalObject*, JSObject* prototype, const String& name)
{
Base::finishCreation(vm, ViewClass::TypedArrayStorageType == TypeDataView ? 1 : 3, name, PropertyAdditionMode::WithoutStructureTransition);
putDirectWithoutTransition(vm, vm.propertyNames->prototype, prototype, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly);
putDirectWithoutTransition(vm, vm.propertyNames->BYTES_PER_ELEMENT, jsNumber(ViewClass::elementSize), PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly | PropertyAttribute::DontDelete);
-
- if (privateAllocator)
- putDirectBuiltinFunction(vm, globalObject, vm.propertyNames->builtinNames().allocateTypedArrayPrivateName(), privateAllocator, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly);
}
template<typename ViewClass>
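Review bot: `finishCreation` keeps an unnamed `JSGlobalObject*` parameter that nothing in the body reads now that the `putDirectBuiltinFunction` call is gone. If no other code depends on this signature, dropping it would avoid a dead parameter: `void finishCreation(VM&, JSObject* prototype, const String& name);` in the header and `result->finishCreation(vm, prototype, name);` in `create`. If it is kept on purpose for symmetry with other `finishCreation` signatures, a one-line comment saying so would spare the next reader the question.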
@@ -58,12 +55,12 @@
JSGenericTypedArrayViewConstructor<ViewClass>*
JSGenericTypedArrayViewConstructor<ViewClass>::create(
VM& vm, JSGlobalObject* globalObject, Structure* structure, JSObject* prototype,
- const String& name, FunctionExecutable* privateAllocator)
+ const String& name)
{
JSGenericTypedArrayViewConstructor* result =
new (NotNull, allocateCell<JSGenericTypedArrayViewConstructor>(vm.heap))
JSGenericTypedArrayViewConstructor(vm, structure);
- result->finishCreation(vm, globalObject, prototype, name, privateAllocator);
+ result->finishCreation(vm, globalObject, prototype, name);
return result;
}
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (267602 => 267603)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2020-09-25 22:49:19 UTC (rev 267602)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2020-09-25 22:54:55 UTC (rev 267603)
@@ -706,7 +706,7 @@
[] (LazyClassStructure::Initializer& init) { \
init.setPrototype(JS ## type ## ArrayPrototype::create(init.vm, init.global, JS ## type ## ArrayPrototype::createStructure(init.vm, init.global, init.global->m_typedArrayProto.get(init.global)))); \
init.setStructure(JS ## type ## Array::createStructure(init.vm, init.global, init.prototype)); \
- init.setConstructor(JS ## type ## ArrayConstructor::create(init.vm, init.global, JS ## type ## ArrayConstructor::createStructure(init.vm, init.global, init.global->m_typedArraySuperConstructor.get(init.global)), init.prototype, #type "Array"_s, typedArrayConstructorAllocate ## type ## ArrayCodeGenerator(init.vm))); \
+ init.setConstructor(JS ## type ## ArrayConstructor::create(init.vm, init.global, JS ## type ## ArrayConstructor::createStructure(init.vm, init.global, init.global->m_typedArraySuperConstructor.get(init.global)), init.prototype, #type "Array"_s)); \
init.global->putDirect(init.vm, init.vm.propertyNames->builtinNames().type ## ArrayPrivateName(), init.constructor, static_cast<unsigned>(PropertyAttribute::DontEnum)); \
});
FOR_EACH_TYPED_ARRAY_TYPE_EXCLUDING_DATA_VIEW(INIT_TYPED_ARRAY_LATER)
@@ -716,7 +716,7 @@
[] (LazyClassStructure::Initializer& init) {
init.setPrototype(JSDataViewPrototype::create(init.vm, JSDataViewPrototype::createStructure(init.vm, init.global, init.global->m_objectPrototype.get())));
init.setStructure(JSDataView::createStructure(init.vm, init.global, init.prototype));
- init.setConstructor(JSDataViewConstructor::create(init.vm, init.global, JSDataViewConstructor::createStructure(init.vm, init.global, init.global->m_functionPrototype.get()), init.prototype, "DataView"_s, nullptr));
+ init.setConstructor(JSDataViewConstructor::create(init.vm, init.global, JSDataViewConstructor::createStructure(init.vm, init.global, init.global->m_functionPrototype.get()), init.prototype, "DataView"_s));
});
m_lexicalEnvironmentStructure.set(vm, this, JSLexicalEnvironment::createStructure(vm, this));