Google Git
Sign in
chromium / v8 / v8 / 7d533b6a67cf7303f51f40e5ac90f5f49c4d0396 / . / src / builtins / builtins-typedarray.cc
blob: 48c7cd46e00dc7576aa48b1ed645d0eb9198339d [file] [log] [blame]
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "src/builtins/builtins-utils.h"
#include "src/builtins/builtins.h"
#include "src/counters.h"
#include "src/elements.h"
#include "src/objects-inl.h"
namespace v8 {
namespace internal {
// -----------------------------------------------------------------------------
// ES6 section 22.2 TypedArray Objects
// ES6 section 22.2.3.1 get %TypedArray%.prototype.buffer
BUILTIN(TypedArrayPrototypeBuffer) {
HandleScope scope(isolate);
CHECK_RECEIVER(JSTypedArray, typed_array,
"get %TypedArray%.prototype.buffer");
return *typed_array->GetBuffer();
}
namespace {
int64_t CapRelativeIndex(Handle<Object> num, int64_t minimum, int64_t maximum) {
int64_t relative;
if (V8_LIKELY(num->IsSmi())) {
relative = Smi::ToInt(*num);
} else {
DCHECK(num->IsHeapNumber());
double fp = HeapNumber::cast(*num)->value();
if (V8_UNLIKELY(!std::isfinite(fp))) {
// +Infinity / -Infinity
DCHECK(!std::isnan(fp));
return fp < 0 ? minimum : maximum;
}
relative = static_cast<int64_t>(fp);
}
return relative < 0 ? std::max<int64_t>(relative + maximum, minimum)
: std::min<int64_t>(relative, maximum);
}
MaybeHandle<JSTypedArray> TypedArraySpeciesCreateByLength(
Isolate* isolate, Handle<JSTypedArray> exemplar, const char* method_name,
int64_t length) {
const int argc = 1;
ScopedVector<Handle<Object>> argv(argc);
argv[0] = isolate->factory()->NewNumberFromInt64(length);
return JSTypedArray::SpeciesCreate(isolate, exemplar, argc, argv.start(),
method_name);
}
} // namespace
BUILTIN(TypedArrayPrototypeCopyWithin) {
HandleScope scope(isolate);
Handle<JSTypedArray> array;
const char* method = "%TypedArray%.prototype.copyWithin";
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, array, JSTypedArray::Validate(isolate, args.receiver(), method));
int64_t len = array->length_value();
int64_t to = 0;
int64_t from = 0;
int64_t final = len;
if (V8_LIKELY(args.length() > 1)) {
Handle<Object> num;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, num, Object::ToInteger(isolate, args.at<Object>(1)));
to = CapRelativeIndex(num, 0, len);
if (args.length() > 2) {
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, num, Object::ToInteger(isolate, args.at<Object>(2)));
from = CapRelativeIndex(num, 0, len);
Handle<Object> end = args.atOrUndefined(isolate, 3);
if (!end->IsUndefined(isolate)) {
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, num,
Object::ToInteger(isolate, end));
final = CapRelativeIndex(num, 0, len);
}
}
}
int64_t count = std::min<int64_t>(final - from, len - to);
if (count <= 0) return *array;
// TypedArray buffer may have been transferred/detached during parameter
// processing above. Return early in this case, to prevent potential UAF error
// TODO(caitp): throw here, as though the full algorithm were performed (the
// throw would have come from ecma262/#sec-integerindexedelementget)
// (see )
if (V8_UNLIKELY(array->WasNeutered())) return *array;
// Ensure processed indexes are within array bounds
DCHECK_GE(from, 0);
DCHECK_LT(from, len);
DCHECK_GE(to, 0);
DCHECK_LT(to, len);
DCHECK_GE(len - count, 0);
Handle<FixedTypedArrayBase> elements(
FixedTypedArrayBase::cast(array->elements()));
size_t element_size = array->element_size();
to = to * element_size;
from = from * element_size;
count = count * element_size;
uint8_t* data = static_cast<uint8_t*>(elements->DataPtr());
std::memmove(data + to, data + from, count);
return *array;
}
BUILTIN(TypedArrayPrototypeFill) {
HandleScope scope(isolate);
Handle<JSTypedArray> array;
const char* method = "%TypedArray%.prototype.fill";
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, array, JSTypedArray::Validate(isolate, args.receiver(), method));
Handle<Object> obj_value = args.atOrUndefined(isolate, 1);
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, obj_value, Object::ToNumber(obj_value));
int64_t len = array->length_value();
int64_t start = 0;
int64_t end = len;
if (args.length() > 2) {
Handle<Object> num = args.atOrUndefined(isolate, 2);
if (!num->IsUndefined(isolate)) {
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, num, Object::ToInteger(isolate, num));
start = CapRelativeIndex(num, 0, len);
num = args.atOrUndefined(isolate, 3);
if (!num->IsUndefined(isolate)) {
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, num, Object::ToInteger(isolate, num));
end = CapRelativeIndex(num, 0, len);
}
}
}
int64_t count = end - start;
if (count <= 0) return *array;
if (V8_UNLIKELY(array->WasNeutered())) return *array;
// Ensure processed indexes are within array bounds
DCHECK_GE(start, 0);
DCHECK_LT(start, len);
DCHECK_GE(end, 0);
DCHECK_LE(end, len);
DCHECK_LE(count, len);
return array->GetElementsAccessor()->Fill(isolate, array, obj_value,
static_cast<uint32_t>(start),
static_cast<uint32_t>(end));
}
BUILTIN(TypedArrayPrototypeIncludes) {
HandleScope scope(isolate);
Handle<JSTypedArray> array;
const char* method = "%TypedArray%.prototype.includes";
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, array, JSTypedArray::Validate(isolate, args.receiver(), method));
if (args.length() < 2) return isolate->heap()->false_value();
int64_t len = array->length_value();
if (len == 0) return isolate->heap()->false_value();
int64_t index = 0;
if (args.length() > 2) {
Handle<Object> num;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, num, Object::ToInteger(isolate, args.at<Object>(2)));
index = CapRelativeIndex(num, 0, len);
}
// TODO(cwhan.tunz): throw. See the above comment in CopyWithin.
if (V8_UNLIKELY(array->WasNeutered())) return isolate->heap()->false_value();
Handle<Object> search_element = args.atOrUndefined(isolate, 1);
ElementsAccessor* elements = array->GetElementsAccessor();
Maybe<bool> result = elements->IncludesValue(isolate, array, search_element,
static_cast<uint32_t>(index),
static_cast<uint32_t>(len));
MAYBE_RETURN(result, isolate->heap()->exception());
return *isolate->factory()->ToBoolean(result.FromJust());
}
BUILTIN(TypedArrayPrototypeIndexOf) {
HandleScope scope(isolate);
Handle<JSTypedArray> array;
const char* method = "%TypedArray%.prototype.indexOf";
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, array, JSTypedArray::Validate(isolate, args.receiver(), method));
int64_t len = array->length_value();
if (len == 0) return Smi::FromInt(-1);
int64_t index = 0;
if (args.length() > 2) {
Handle<Object> num;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, num, Object::ToInteger(isolate, args.at<Object>(2)));
index = CapRelativeIndex(num, 0, len);
}
// TODO(cwhan.tunz): throw. See the above comment in CopyWithin.
if (V8_UNLIKELY(array->WasNeutered())) return Smi::FromInt(-1);
Handle<Object> search_element = args.atOrUndefined(isolate, 1);
ElementsAccessor* elements = array->GetElementsAccessor();
Maybe<int64_t> result = elements->IndexOfValue(isolate, array, search_element,
static_cast<uint32_t>(index),
static_cast<uint32_t>(len));
MAYBE_RETURN(result, isolate->heap()->exception());
return *isolate->factory()->NewNumberFromInt64(result.FromJust());
}
BUILTIN(TypedArrayPrototypeLastIndexOf) {
HandleScope scope(isolate);
Handle<JSTypedArray> array;
const char* method = "%TypedArray%.prototype.lastIndexOf";
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, array, JSTypedArray::Validate(isolate, args.receiver(), method));
int64_t len = array->length_value();
if (len == 0) return Smi::FromInt(-1);
int64_t index = len - 1;
if (args.length() > 2) {
Handle<Object> num;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, num, Object::ToInteger(isolate, args.at<Object>(2)));
// Set a negative value (-1) for returning -1 if num is negative and
// len + num is still negative. Upper bound is len - 1.
index = std::min<int64_t>(CapRelativeIndex(num, -1, len), len - 1);
}
if (index < 0) return Smi::FromInt(-1);
// TODO(cwhan.tunz): throw. See the above comment in CopyWithin.
if (V8_UNLIKELY(array->WasNeutered())) return Smi::FromInt(-1);
Handle<Object> search_element = args.atOrUndefined(isolate, 1);
ElementsAccessor* elements = array->GetElementsAccessor();
Maybe<int64_t> result = elements->LastIndexOfValue(
isolate, array, search_element, static_cast<uint32_t>(index));
MAYBE_RETURN(result, isolate->heap()->exception());
return *isolate->factory()->NewNumberFromInt64(result.FromJust());
}
BUILTIN(TypedArrayPrototypeReverse) {
HandleScope scope(isolate);
Handle<JSTypedArray> array;
const char* method = "%TypedArray%.prototype.reverse";
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, array, JSTypedArray::Validate(isolate, args.receiver(), method));
ElementsAccessor* elements = array->GetElementsAccessor();
elements->Reverse(*array);
return *array;
}
namespace {
Object* TypedArrayCopyElements(Handle<JSTypedArray> target,
Handle<JSReceiver> source, uint32_t length,
uint32_t offset) {
ElementsAccessor* accessor = target->GetElementsAccessor();
return accessor->CopyElements(source, target, length, offset);
}
enum class TypedArraySetResultCodes {
// Set from typed array of the same type.
// This is processed by TypedArraySetFastCases
SAME_TYPE,
// Set from typed array of the different type, overlapping in memory.
OVERLAPPING,
// Set from typed array of the different type, non-overlapping.
NONOVERLAPPING,
// Set from non-typed array.
NON_TYPED_ARRAY
};
MaybeHandle<Object> TypedArraySetFromOverlapping(Isolate* isolate,
Handle<JSTypedArray> target,
Handle<JSTypedArray> source,
uint32_t offset) {
DCHECK_GE(offset, 0);
size_t sourceElementSize = source->element_size();
size_t targetElementSize = target->element_size();
uint32_t source_length = source->length_value();
if (source_length == 0) return target;
// Copy left part.
// First un-mutated byte after the next write
uint32_t target_ptr = 0;
CHECK(target->byte_offset()->ToUint32(&target_ptr));
target_ptr += (offset + 1) * targetElementSize;
// Next read at sourcePtr. We do not care for memory changing before
// sourcePtr - we have already copied it.
uint32_t source_ptr = 0;
CHECK(source->byte_offset()->ToUint32(&source_ptr));
ElementsAccessor* source_accessor = source->GetElementsAccessor();
ElementsAccessor* target_accessor = target->GetElementsAccessor();
uint32_t left_index;
for (left_index = 0; left_index < source_length && target_ptr <= source_ptr;
left_index++) {
Handle<Object> value = source_accessor->Get(source, left_index);
target_accessor->Set(target, offset + left_index, *value);
target_ptr += targetElementSize;
source_ptr += sourceElementSize;
}
// Copy right part;
// First unmutated byte before the next write
CHECK(target->byte_offset()->ToUint32(&target_ptr));
target_ptr += (offset + source_length - 1) * targetElementSize;
// Next read before sourcePtr. We do not care for memory changing after
// sourcePtr - we have already copied it.
CHECK(target->byte_offset()->ToUint32(&source_ptr));
source_ptr += source_length * sourceElementSize;
uint32_t right_index;
DCHECK_GE(source_length, 1);
for (right_index = source_length - 1;
right_index > left_index && target_ptr >= source_ptr; right_index--) {
Handle<Object> value = source_accessor->Get(source, right_index);
target_accessor->Set(target, offset + right_index, *value);
target_ptr -= targetElementSize;
source_ptr -= sourceElementSize;
}
std::vector<Handle<Object>> temp(right_index + 1 - left_index);
for (uint32_t i = left_index; i <= right_index; i++) {
temp[i - left_index] = source_accessor->Get(source, i);
}
for (uint32_t i = left_index; i <= right_index; i++) {
target_accessor->Set(target, offset + i, *temp[i - left_index]);
}
return target;
}
MaybeHandle<Smi> TypedArraySetFastCases(Isolate* isolate,
Handle<JSTypedArray> target,
Handle<Object> source_obj,
Handle<Object> offset_obj) {
if (!source_obj->IsJSTypedArray()) {
return MaybeHandle<Smi>(
Smi::FromEnum(TypedArraySetResultCodes::NON_TYPED_ARRAY), isolate);
}
Handle<JSTypedArray> source = Handle<JSTypedArray>::cast(source_obj);
size_t offset = 0;
CHECK(TryNumberToSize(*offset_obj, &offset));
size_t target_length = target->length_value();
size_t source_length = source->length_value();
size_t target_byte_length = NumberToSize(target->byte_length());
size_t source_byte_length = NumberToSize(source->byte_length());
if (offset > target_length || offset + source_length > target_length ||
offset + source_length < offset) { // overflow
THROW_NEW_ERROR(
isolate, NewRangeError(MessageTemplate::kTypedArraySetSourceTooLarge),
Smi);
}
size_t target_offset = NumberToSize(target->byte_offset());
size_t source_offset = NumberToSize(source->byte_offset());
uint8_t* target_base =
static_cast<uint8_t*>(target->GetBuffer()->backing_store()) +
target_offset;
uint8_t* source_base =
static_cast<uint8_t*>(source->GetBuffer()->backing_store()) +
source_offset;
// Typed arrays of the same type: use memmove.
if (target->type() == source->type()) {
memmove(target_base + offset * target->element_size(), source_base,
source_byte_length);
return MaybeHandle<Smi>(Smi::FromEnum(TypedArraySetResultCodes::SAME_TYPE),
isolate);
}
// Typed arrays of different types over the same backing store
if ((source_base <= target_base &&
source_base + source_byte_length > target_base) ||
(target_base <= source_base &&
target_base + target_byte_length > source_base)) {
// We do not support overlapping ArrayBuffers
DCHECK(target->GetBuffer()->backing_store() ==
source->GetBuffer()->backing_store());
return MaybeHandle<Smi>(
Smi::FromEnum(TypedArraySetResultCodes::OVERLAPPING), isolate);
} else { // Non-overlapping typed arrays
return MaybeHandle<Smi>(
Smi::FromEnum(TypedArraySetResultCodes::NONOVERLAPPING), isolate);
}
}
} // anonymous namespace
// 22.2.3.23%TypedArray%.prototype.set ( overloaded [ , offset ] )
BUILTIN(TypedArrayPrototypeSet) {
HandleScope scope(isolate);
Handle<Object> target = args.receiver();
Handle<Object> obj = args.atOrUndefined(isolate, 1);
Handle<Object> offset = args.atOrUndefined(isolate, 2);
const char* method = "%TypedArray%.prototype.set";
if (!target->IsJSTypedArray()) {
THROW_NEW_ERROR_RETURN_FAILURE(
isolate, NewTypeError(MessageTemplate::kNotTypedArray));
}
if (offset->IsUndefined(isolate)) {
offset = Handle<Object>(Smi::kZero, isolate);
} else {
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, offset,
Object::ToInteger(isolate, offset));
}
if (offset->Number() < 0) {
THROW_NEW_ERROR_RETURN_FAILURE(
isolate, NewRangeError(MessageTemplate::kTypedArraySetNegativeOffset));
}
if (offset->Number() > Smi::kMaxValue) {
THROW_NEW_ERROR_RETURN_FAILURE(
isolate, NewRangeError(MessageTemplate::kTypedArraySetSourceTooLarge));
}
Handle<JSTypedArray> target_array = Handle<JSTypedArray>::cast(target);
if (V8_UNLIKELY(target_array->WasNeutered())) {
const MessageTemplate::Template message =
MessageTemplate::kDetachedOperation;
Handle<String> operation =
isolate->factory()->NewStringFromAsciiChecked(method);
THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(message, operation));
}
uint32_t uint_offset;
CHECK(offset->ToUint32(&uint_offset));
// TODO(cwhan.tunz): Implement CopyElements for overlapping cases, and use
// TypedArrayCopyElements for all case instead of this result code based
// branches
Handle<Smi> result_code;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, result_code,
TypedArraySetFastCases(isolate, target_array, obj, offset));
switch (static_cast<TypedArraySetResultCodes>(result_code->value())) {
case TypedArraySetResultCodes::SAME_TYPE: {
break;
}
case TypedArraySetResultCodes::OVERLAPPING: {
RETURN_FAILURE_ON_EXCEPTION(
isolate, TypedArraySetFromOverlapping(isolate, target_array,
Handle<JSTypedArray>::cast(obj),
uint_offset));
break;
}
case TypedArraySetResultCodes::NONOVERLAPPING: {
return TypedArrayCopyElements(
target_array, Handle<JSTypedArray>::cast(obj),
Handle<JSTypedArray>::cast(obj)->length_value(), uint_offset);
break;
}
case TypedArraySetResultCodes::NON_TYPED_ARRAY: {
if (obj->IsNumber()) {
// For number as a first argument, throw TypeError
// instead of silently ignoring the call, so that
// users know they did something wrong.
// (Consistent with Firefox and Blink/WebKit)
THROW_NEW_ERROR_RETURN_FAILURE(
isolate, NewTypeError(MessageTemplate::kInvalidArgument));
}
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, obj,
Object::ToObject(isolate, obj));
Handle<Object> len;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, len,
Object::GetProperty(obj, isolate->factory()->length_string()));
if (len->IsUndefined(isolate)) {
break;
}
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, len,
Object::ToLength(isolate, len));
DCHECK_GE(uint_offset, 0);
if (uint_offset + len->Number() > target_array->length_value()) {
THROW_NEW_ERROR_RETURN_FAILURE(
isolate,
NewRangeError(MessageTemplate::kTypedArraySetSourceTooLarge));
}
uint32_t int_l;
CHECK(DoubleToUint32IfEqualToSelf(len->Number(), &int_l));
return TypedArrayCopyElements(target_array, Handle<JSReceiver>::cast(obj),
int_l, uint_offset);
} break;
}
return *isolate->factory()->undefined_value();
}
BUILTIN(TypedArrayPrototypeSlice) {
HandleScope scope(isolate);
Handle<JSTypedArray> array;
const char* method = "%TypedArray%.prototype.slice";
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, array, JSTypedArray::Validate(isolate, args.receiver(), method));
int64_t len = array->length_value();
int64_t start = 0;
int64_t end = len;
{
Handle<Object> num = args.atOrUndefined(isolate, 1);
if (!num->IsUndefined(isolate)) {
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, num,
Object::ToInteger(isolate, num));
start = CapRelativeIndex(num, 0, len);
num = args.atOrUndefined(isolate, 2);
if (!num->IsUndefined(isolate)) {
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, num,
Object::ToInteger(isolate, num));
end = CapRelativeIndex(num, 0, len);
}
}
}
int64_t count = std::max<int64_t>(end - start, 0);
Handle<JSTypedArray> result_array;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, result_array,
TypedArraySpeciesCreateByLength(isolate, array, method, count));
// TODO(cwhan.tunz): should throw.
if (V8_UNLIKELY(array->WasNeutered())) return *result_array;
if (count == 0) return *result_array;
ElementsAccessor* accessor = array->GetElementsAccessor();
return *accessor->Slice(array, static_cast<uint32_t>(start),
static_cast<uint32_t>(end), result_array);
}
} // namespace internal
} // namespace v8