Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: fe4f0a4cc309e65e5bb51a15359235a52a7c8f6c
https://github.com/WebKit/WebKit/commit/fe4f0a4cc309e65e5bb51a15359235a52a7c8f6c
Author: Yusuke Suzuki <[email protected]>
Date: 2022-11-16 (Wed, 16 Nov 2022)
Changed paths:
M JSTests/stress/detached-typed-array-iteration.js
A JSTests/stress/growable-typed-array.js
M JSTests/stress/typed-array-from.js
M JSTests/stress/typedarray-defineOwnProperty-error.js
M JSTests/stress/typedarray-functions-with-neutered.js
M JSTests/wasm/js-api/neutered-inputs.js
M LayoutTests/fast/canvas/webgl/arraybuffer-transfer-of-control.html
M Source/JavaScriptCore/API/JSTypedArray.cpp
M Source/JavaScriptCore/builtins/ArrayIteratorPrototype.js
M Source/JavaScriptCore/bytecode/AccessCase.cpp
M Source/JavaScriptCore/bytecode/ArrayProfile.cpp
M Source/JavaScriptCore/bytecode/ArrayProfile.h
M Source/JavaScriptCore/bytecode/Repatch.cpp
M Source/JavaScriptCore/bytecode/SpeculatedType.cpp
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGArrayMode.cpp
M Source/JavaScriptCore/dfg/DFGArrayMode.h
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGNode.h
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/dfg/DFGOperations.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/jit/IntrinsicEmitter.cpp
M Source/JavaScriptCore/jsc.cpp
M Source/JavaScriptCore/llint/LowLevelInterpreter.asm
M Source/JavaScriptCore/runtime/ArrayBuffer.h
M Source/JavaScriptCore/runtime/ArrayBufferView.cpp
M Source/JavaScriptCore/runtime/ArrayBufferView.h
M Source/JavaScriptCore/runtime/AtomicsObject.cpp
M Source/JavaScriptCore/runtime/ClassInfo.h
M Source/JavaScriptCore/runtime/DataView.cpp
M Source/JavaScriptCore/runtime/DataView.h
M Source/JavaScriptCore/runtime/GenericTypedArrayView.h
M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h
M Source/JavaScriptCore/runtime/JSArrayBuffer.h
M Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp
M Source/JavaScriptCore/runtime/JSArrayBufferView.cpp
M Source/JavaScriptCore/runtime/JSArrayBufferView.h
M Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h
M Source/JavaScriptCore/runtime/JSCast.h
M Source/JavaScriptCore/runtime/JSCell.h
M Source/JavaScriptCore/runtime/JSDataView.cpp
M Source/JavaScriptCore/runtime/JSDataView.h
M Source/JavaScriptCore/runtime/JSDataViewPrototype.cpp
M Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h
M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
M Source/JavaScriptCore/runtime/JSGlobalObject.h
M Source/JavaScriptCore/runtime/JSType.h
M Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp
M Source/JavaScriptCore/runtime/JSTypedArrays.cpp
M Source/JavaScriptCore/runtime/JSTypedArrays.h
M Source/JavaScriptCore/runtime/StructureInlines.h
M Source/JavaScriptCore/runtime/TypedArrayAdaptors.h
M Source/JavaScriptCore/runtime/TypedArrayType.h
M Source/JavaScriptCore/testRegExp.cpp
M Source/JavaScriptCore/wasm/WasmOperations.cpp
M Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h
M Source/WTF/wtf/StdLibExtras.h
M Source/WebCore/Modules/webaudio/AudioBuffer.cpp
M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
Log Message:
-----------
[JSC] Implement growable SharedArrayBuffer part 2
https://bugs.webkit.org/show_bug.cgi?id=247921
rdar://102339939

Reviewed by Mark Lam.

This patch adds runtime support for growable SharedArrayBuffer, TypedArray, and
DataView.
We are not supporting JIT optimization yet, but still this patch implements the
basic mechanism to support it in a subsequent patch.

1. TypedArray / DataView has a mode flag which says ResizableNonShared /
   GrowableShared / AutoLength etc. And we use this flag to dispatch the
   implementation.
   For non-resizable ones, we use a super simple implementation as before.
2. This patch implements "auto" length, which automatically changes length /
   byteLength of TypedArray based on backing storage's SharedArrayBuffer etc.
3. This patch does not implement JIT optimizations. They will be done in a
   subsequent patch.

* JSTests/stress/detached-typed-array-iteration.js:
(shouldThrow):
* JSTests/stress/typed-array-from.js:
(shouldBeArray):
* JSTests/stress/typedarray-defineOwnProperty-error.js:
* JSTests/stress/typedarray-functions-with-neutered.js:
(checkProtoFunc.throwsCorrectError):
(checkProtoFunc):
(callWithArgs):
* JSTests/wasm/js-api/neutered-inputs.js:
* Source/JavaScriptCore/API/JSTypedArray.cpp:
(createTypedArray):
(JSObjectMakeTypedArrayWithArrayBuffer):
* Source/JavaScriptCore/builtins/ArrayIteratorPrototype.js:
(next):
* Source/JavaScriptCore/bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
* Source/JavaScriptCore/bytecode/ArrayProfile.cpp:
(JSC::ArrayProfile::computeUpdatedPrediction):
(JSC::ArrayProfile::briefDescriptionWithoutUpdating):
* Source/JavaScriptCore/bytecode/ArrayProfile.h:
(JSC::ArrayProfile::mayBeResizableOrGrowableSharedTypedArray const):
(JSC::UnlinkedArrayProfile::update):
* Source/JavaScriptCore/bytecode/Repatch.cpp:
(JSC::tryCacheArrayGetByVal):
(JSC::tryCacheArrayPutByVal):
* Source/JavaScriptCore/bytecode/SpeculatedType.cpp:
(JSC::speculationFromClassInfoInheritance):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::originalArrayStructure const):
(JSC::DFG::ArrayMode::dump const):
* Source/JavaScriptCore/dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::ArrayMode):
(JSC::DFG::ArrayMode::mayBeResizableOrGrowableSharedTypedArray const):
(JSC::DFG::ArrayMode::withType const):
(JSC::DFG::ArrayMode::withSpeculation const):
(JSC::DFG::ArrayMode::withConversion const):
(JSC::DFG::ArrayMode::withTypeAndConversion const):
(JSC::DFG::ArrayMode::withArrayClassAndSpeculation const):
(JSC::DFG::ArrayMode::withProfile const):
(JSC::DFG::ArrayMode::operator== const):
(JSC::DFG::ArrayMode::withArrayClassAndSpeculationAndMayBeLargeTypedArray const): Deleted.
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
(JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::newTypedArrayWithSize):
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsDetachedIfOutOfBounds):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithInt52Size):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayLengthAsInt52):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffsetAsInt52):
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::emitGetTypedArrayByteOffsetExceptSettingResult):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayLengthAsInt52):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::emitNewTypedArrayWithSize):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* Source/JavaScriptCore/jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/llint/LowLevelInterpreter.asm:
* Source/JavaScriptCore/runtime/ArrayBuffer.h:
(JSC::IdempotentArrayBufferByteLengthGetter::operator()):
(JSC::IdempotentArrayBufferByteLengthGetter::IdempotentArrayBufferByteLengthGetter): Deleted.
* Source/JavaScriptCore/runtime/ArrayBufferView.cpp:
(JSC::ArrayBufferView::ArrayBufferView):
* Source/JavaScriptCore/runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::baseAddress const):
(JSC::ArrayBufferView::byteOffset const):
(JSC::ArrayBufferView::byteLength const):
(JSC::ArrayBufferView::isResizableOrGrowableShared const):
(JSC::ArrayBufferView::isResizableNonShared const):
(JSC::ArrayBufferView::isGrowableShared const):
(JSC::ArrayBufferView::isAutoLength const):
(JSC::ArrayBufferView::clampOffsetAndNumElements):
(JSC::ArrayBufferView::setImpl):
(JSC::ArrayBufferView::setRangeImpl):
* Source/JavaScriptCore/runtime/AtomicsObject.cpp:
* Source/JavaScriptCore/runtime/DataView.cpp:
(JSC::DataView::DataView):
(JSC::DataView::create):
(JSC::DataView::wrapImpl):
* Source/JavaScriptCore/runtime/DataView.h:
* Source/JavaScriptCore/runtime/GenericTypedArrayView.h:
* Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView):
(JSC::GenericTypedArrayView<Adaptor>::create):
(JSC::GenericTypedArrayView<Adaptor>::tryCreate):
(JSC::GenericTypedArrayView<Adaptor>::wrapImpl):
* Source/JavaScriptCore/runtime/JSArrayBuffer.h:
* Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp:
(JSC::arrayBufferSlice):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
(JSC::JSArrayBufferView::JSArrayBufferView):
(JSC::JSArrayBufferView::finishCreation):
(JSC::JSArrayBufferView::finalize):
(JSC::JSArrayBufferView::detach):
(JSC::JSArrayBufferView::slowDownAndWasteMemory):
(JSC::JSArrayBufferView::possiblySharedImpl):
(JSC::JSArrayBufferView::isIteratorProtocolFastAndNonObservable):
(WTF::printInternal):
(JSC::JSArrayBufferView::byteLength const): Deleted.
(JSC::isIntegerIndexedObjectOutOfBounds): Deleted.
(JSC::integerIndexedObjectLength): Deleted.
(JSC::integerIndexedObjectByteLength): Deleted.
(JSC::validateTypedArray): Deleted.
* Source/JavaScriptCore/runtime/JSArrayBufferView.h:
(JSC::hasArrayBuffer):
(JSC::isResizableOrGrowableShared):
(JSC::isGrowableShared):
(JSC::isResizableNonShared):
(JSC::isAutoLength):
(JSC::isWastefulTypedArray):
(JSC::JSArrayBufferView::ConstructionContext::vector const):
(JSC::JSArrayBufferView::ConstructionContext::byteOffset const):
(JSC::JSArrayBufferView::isResizableOrGrowableShared const):
(JSC::JSArrayBufferView::isGrowableShared const):
(JSC::JSArrayBufferView::isResizableNonShared const):
(JSC::JSArrayBufferView::isAutoLength const):
(JSC::JSArrayBufferView::vector const):
(JSC::JSArrayBufferView::byteOffset const):
(JSC::JSArrayBufferView::byteOffsetRaw const):
(JSC::JSArrayBufferView::length const):
(JSC::JSArrayBufferView::lengthRaw const):
(JSC::JSArrayBufferView::byteLength const):
(JSC::JSArrayBufferView::byteLengthRaw const):
(JSC::JSArrayBufferView::offsetOfByteOffset):
(JSC::isResizable): Deleted.
(JSC::JSArrayBufferView::ConstructionContext::maxByteLength const): Deleted.
(JSC::JSArrayBufferView::ConstructionContext::maxByteLengthUnsafe const): Deleted.
(JSC::JSArrayBufferView::maxByteLength const): Deleted.
(JSC::JSArrayBufferView::offsetOfMaxByteLength): Deleted.
* Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:
(JSC::JSArrayBufferView::isShared):
(JSC::JSArrayBufferView::possiblySharedBufferImpl):
(JSC::JSArrayBufferView::existingBufferInButterfly):
(JSC::JSArrayBufferView::toWrapped):
(JSC::JSArrayBufferView::toWrappedAllowShared):
(JSC::isIntegerIndexedObjectOutOfBounds):
(JSC::integerIndexedObjectLength):
(JSC::integerIndexedObjectByteLength):
(JSC::validateTypedArray):
(JSC::JSArrayBufferView::byteOffsetImpl): Deleted.
(JSC::JSArrayBufferView::byteOffset): Deleted.
(JSC::JSArrayBufferView::byteOffsetConcurrently): Deleted.
* Source/JavaScriptCore/runtime/JSCast.h:
* Source/JavaScriptCore/runtime/JSDataView.cpp:
(JSC::JSDataView::create):
(JSC::JSDataView::setFromTypedArray):
(JSC::JSDataView::setFromArrayLike):
(JSC::JSDataView::set): Deleted.
* Source/JavaScriptCore/runtime/JSDataView.h:
* Source/JavaScriptCore/runtime/JSDataViewPrototype.cpp:
(JSC::getData):
(JSC::setData):
(JSC::JSC_DEFINE_CUSTOM_GETTER):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::byteLength const):
(JSC::JSGenericTypedArrayView::byteLengthRaw const):
(JSC::JSGenericTypedArrayView::inBounds const):
(JSC::JSGenericTypedArrayView::canSetIndexQuickly const):
(JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue const):
(JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
(JSC::JSGenericTypedArrayView::sort):
(JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
(JSC::JSGenericTypedArrayView::info):
(JSC::JSGenericTypedArrayView::sortFloat):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):
(JSC::constructGenericTypedArrayViewImpl):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):
(JSC::JSGenericTypedArrayView<Adaptor>::setFromTypedArray):
(JSC::JSGenericTypedArrayView<Adaptor>::setFromArrayLike):
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
(JSC::JSGenericTypedArrayView<Adaptor>::put):
(JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
(JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildrenImpl):
(JSC::JSGenericTypedArrayView<Adaptor>::set): Deleted.
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::speciesConstruct):
(JSC::genericTypedArrayViewProtoFuncSet):
(JSC::genericTypedArrayViewProtoFuncCopyWithin):
(JSC::genericTypedArrayViewProtoFuncIncludes):
(JSC::genericTypedArrayViewProtoFuncIndexOf):
(JSC::genericTypedArrayViewProtoFuncJoin):
(JSC::genericTypedArrayViewProtoFuncFill):
(JSC::genericTypedArrayViewProtoFuncLastIndexOf):
(JSC::genericTypedArrayViewProtoFuncReverse):
(JSC::genericTypedArrayViewProtoFuncToReversed):
(JSC::genericTypedArrayViewPrivateFuncClone):
(JSC::genericTypedArrayViewPrivateFuncSort):
(JSC::genericTypedArrayViewPrivateFuncFromFast):
(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewProtoFuncSubarray):
(JSC::validateIntegerIndex):
(JSC::genericTypedArrayViewProtoFuncWith):
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildrenImpl):
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::lazyResizableOrGrowableSharedTypedArrayStructure):
(JSC::JSGlobalObject::lazyResizableOrGrowableSharedTypedArrayStructure const):
(JSC::JSGlobalObject::typedArrayStructure const):
(JSC::JSGlobalObject::typedArrayStructureConcurrently const):
(JSC::JSGlobalObject::isOriginalTypedArrayStructure):
(JSC::JSGlobalObject::typedArrayStructureWithTypedArrayType const):
(JSC::JSGlobalObject::resizableOrGrowableSharedTypedArrayStructureWithTypedArrayType const):
* Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::createTypedArrayIteratorObject):
* Source/JavaScriptCore/runtime/JSTypedArrays.cpp:
(): Deleted.
* Source/JavaScriptCore/runtime/JSTypedArrays.h:
(JSC::isResizableOrGrowableSharedTypedArray):
* Source/JavaScriptCore/runtime/StructureInlines.h:
(JSC::Structure::hasIndexingHeader const):
* Source/JavaScriptCore/runtime/TypedArrayAdaptors.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h:
(JSC::getWasmBufferFromValue):
* Source/WTF/wtf/StdLibExtras.h:
(WTF::mask):
(WTF::roundDownToMultipleOf):
* Source/WebCore/Modules/webaudio/AudioBuffer.cpp:
(WebCore::AudioBuffer::getChannelData):
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
(WebCore::constructJSFloat32Array):
Canonical link: https://commits.webkit.org/256766@main