Sharing of SharedArrayBuffer via PostMessage transfer

Source/bindings/core/v8/ScriptValueSerializer.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "config.h"
 #include "bindings/core/v8/ScriptValueSerializer.h"
 
 #include "bindings/core/v8/V8ArrayBuffer.h"
 #include "bindings/core/v8/V8ArrayBufferView.h"
 #include "bindings/core/v8/V8Blob.h"
 #include "bindings/core/v8/V8CompositorProxy.h"
 #include "bindings/core/v8/V8File.h"
 #include "bindings/core/v8/V8FileList.h"
 #include "bindings/core/v8/V8ImageData.h"
 #include "bindings/core/v8/V8MessagePort.h"
+#include "bindings/core/v8/V8SharedArrayBuffer.h"
 #include "core/dom/CompositorProxy.h"
 #include "core/dom/DOMDataView.h"
+#include "core/dom/DOMSharedArrayBuffer.h"
+#include "core/dom/DOMTypedArray.h"
 #include "core/fileapi/Blob.h"
 #include "core/fileapi/File.h"
 #include "core/fileapi/FileList.h"
+#include "platform/RuntimeEnabledFeatures.h"
 #include "public/platform/Platform.h"
 #include "public/platform/WebBlobInfo.h"
 #include "wtf/DateMath.h"
 #include "wtf/text/StringHash.h"
 #include "wtf/text/StringUTF8Adaptor.h"
+#include <stdio.h>
 
 // FIXME: consider crashing in debug mode on deserialization errors
 // NOTE: be sure to change wireFormatVersion as necessary!
 
 namespace blink {
 
 // This code implements the HTML5 Structured Clone algorithm:
 // http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#safe-passing-of-structured-data
 
 // ZigZag encoding helps VarInt encoding stay small for negative
@@ skipping 204 matching lines @@
 void SerializedScriptValueWriter::writeArrayBuffer(const DOMArrayBuffer& arrayBuffer)
 {
     append(ArrayBufferTag);
     doWriteArrayBuffer(arrayBuffer);
 }
 
 void SerializedScriptValueWriter::writeArrayBufferView(const DOMArrayBufferView& arrayBufferView)
 {
     append(ArrayBufferViewTag);
 #if ENABLE(ASSERT)
-    const DOMArrayBuffer& arrayBuffer = *arrayBufferView.buffer();
-    ASSERT(static_cast<const uint8_t*>(arrayBuffer.data()) + arrayBufferView.byteOffset() ==
+    ASSERT(static_cast<const uint8_t*>(arrayBufferView.bufferBase()->data()) + arrayBufferView.byteOffset() ==
         static_cast<const uint8_t*>(arrayBufferView.baseAddress()));
 #endif
     DOMArrayBufferView::ViewType type = arrayBufferView.type();
 
     switch (type) {
     case DOMArrayBufferView::TypeInt8:
         append(ByteArrayTag);
         break;
     case DOMArrayBufferView::TypeUint8Clamped:
         append(UnsignedByteClampedArrayTag);
@@ skipping 51 matching lines @@
     append(MessagePortTag);
     doWriteUint32(index);
 }
 
 void SerializedScriptValueWriter::writeTransferredArrayBuffer(uint32_t index)
 {
     append(ArrayBufferTransferTag);
     doWriteUint32(index);
 }
 
+void SerializedScriptValueWriter::writeTransferredSharedArrayBuffer(uint32_t index)
+{
+    ASSERT(RuntimeEnabledFeatures::sharedArrayBufferEnabled());
+    append(SharedArrayBufferTransferTag);
+    doWriteUint32(index);
+}
+
 void SerializedScriptValueWriter::writeObjectReference(uint32_t reference)
 {
     append(ObjectReferenceTag);
     doWriteUint32(reference);
 }
 
 void SerializedScriptValueWriter::writeObject(uint32_t numProperties)
 {
     append(ObjectTag);
     doWriteUint32(numProperties);
@@ skipping 260 matching lines @@
 {
     if (!impl)
         return v8::Local<v8::ArrayBuffer>();
     v8::Local<v8::Value> wrapper = toV8(impl, creationContext, isolate);
     if (wrapper.IsEmpty())
         return v8::Local<v8::ArrayBuffer>();
     ASSERT(wrapper->IsArrayBuffer());
     return wrapper.As<v8::ArrayBuffer>();
 }
 
+static v8::Local<v8::SharedArrayBuffer> toV8Object(DOMSharedArrayBuffer* impl, v8::Local<v8::Object> creationContext, v8::Isolate* isolate)
+{
+    ASSERT(RuntimeEnabledFeatures::sharedArrayBufferEnabled());
+    if (!impl)
+        return v8::Local<v8::SharedArrayBuffer>();
+    v8::Local<v8::Value> wrapper = toV8(impl, creationContext, isolate);
+    ASSERT(wrapper->IsSharedArrayBuffer());
+    return wrapper.As<v8::SharedArrayBuffer>();
+}
+
 // Returns true if the provided object is to be considered a 'host object', as used in the
 // HTML5 structured clone algorithm.
 static bool isHostObject(v8::Local<v8::Object> object)
 {
     // If the object has any internal fields, then we won't be able to serialize or deserialize
     // them; conveniently, this is also a quick way to detect DOM wrapper objects, because
     // the mechanism for these relies on data stored in these fields. We should
     // catch external array data as a special case.
     return object->InternalFieldCount();
 }
 
-ScriptValueSerializer::ScriptValueSerializer(SerializedScriptValueWriter& writer, MessagePortArray* messagePorts, ArrayBufferArray* arrayBuffers, WebBlobInfoArray* blobInfo, BlobDataHandleMap& blobDataHandles, v8::TryCatch& tryCatch, ScriptState* scriptState)
+ScriptValueSerializer::ScriptValueSerializer(SerializedScriptValueWriter& writer, MessagePortArray* messagePorts, ArrayBufferArray* arrayBuffers, SharedArrayBufferArray* sharedArrayBuffers, WebBlobInfoArray* blobInfo, BlobDataHandleMap& blobDataHandles, v8::TryCatch& tryCatch, ScriptState* scriptState)
     : m_scriptState(scriptState)
     , m_writer(writer)
     , m_tryCatch(tryCatch)
     , m_depth(0)
     , m_status(Success)
     , m_nextObjectReference(0)
     , m_blobInfo(blobInfo)
     , m_blobDataHandles(blobDataHandles)
 {
     ASSERT(!tryCatch.HasCaught());
     v8::Local<v8::Object> creationContext = m_scriptState->context()->Global();
     if (messagePorts) {
         for (size_t i = 0; i < messagePorts->size(); i++)
             m_transferredMessagePorts.set(toV8Object(messagePorts->at(i).get(), creationContext, isolate()), i);
     }
     if (arrayBuffers) {
         for (size_t i = 0; i < arrayBuffers->size(); i++)  {
             v8::Local<v8::Object> v8ArrayBuffer = toV8Object(arrayBuffers->at(i).get(), creationContext, isolate());
             // Coalesce multiple occurences of the same buffer to the first index.
             if (!m_transferredArrayBuffers.contains(v8ArrayBuffer))
                 m_transferredArrayBuffers.set(v8ArrayBuffer, i);
         }
     }
+    if (sharedArrayBuffers) {
+        ASSERT(sharedArrayBuffers->size() == 0 || RuntimeEnabledFeatures::sharedArrayBufferEnabled());
+        for (size_t i = 0; i < sharedArrayBuffers->size(); i++)  {
+            v8::Local<v8::Object> v8SharedArrayBuffer = toV8Object(sharedArrayBuffers->at(i).get(), creationContext, isolate());
+            // Coalesce multiple occurences of the same buffer to the first index.
+            if (!m_transferredSharedArrayBuffers.contains(v8SharedArrayBuffer))
+                m_transferredSharedArrayBuffers.set(v8SharedArrayBuffer, i);
+        }
+    }
 }
 
 ScriptValueSerializer::Status ScriptValueSerializer::serialize(v8::Local<v8::Value> value)
 {
     v8::HandleScope scope(isolate());
     m_writer.writeVersion();
     StateBase* state = doSerialize(value, 0);
     while (state)
         state = state->advance(*this);
     return m_status;
@@ skipping 11 matching lines @@
         m_writer.writeObjectReference(objectReference);
     } else {
         return doSerializeValue(value, next);
     }
     return 0;
 }
 
 ScriptValueSerializer::StateBase* ScriptValueSerializer::doSerializeValue(v8::Local<v8::Value> value, ScriptValueSerializer::StateBase* next)
 {
     uint32_t arrayBufferIndex;
+    uint32_t sharedArrayBufferIndex;
     if (value.IsEmpty())
         return handleError(InputError, "The empty property name cannot be cloned.", next);
     if (value->IsUndefined()) {
         m_writer.writeUndefined();
     } else if (value->IsNull()) {
         m_writer.writeNull();
     } else if (value->IsTrue()) {
         m_writer.writeTrue();
     } else if (value->IsFalse()) {
         m_writer.writeFalse();
     } else if (value->IsInt32()) {
         m_writer.writeInt32(value.As<v8::Int32>()->Value());
     } else if (value->IsUint32()) {
         m_writer.writeUint32(value.As<v8::Uint32>()->Value());
     } else if (value->IsNumber()) {
         m_writer.writeNumber(value.As<v8::Number>()->Value());
     } else if (V8ArrayBufferView::hasInstance(value, isolate())) {
         return writeAndGreyArrayBufferView(value.As<v8::Object>(), next);
     } else if (value->IsString()) {
         writeString(value);
     } else if (V8MessagePort::hasInstance(value, isolate())) {
         uint32_t messagePortIndex;
         if (m_transferredMessagePorts.tryGet(value.As<v8::Object>(), &messagePortIndex)) {
             m_writer.writeTransferredMessagePort(messagePortIndex);
         } else {
             return handleError(DataCloneError, "A MessagePort could not be cloned.", next);
         }
     } else if (V8ArrayBuffer::hasInstance(value, isolate()) && m_transferredArrayBuffers.tryGet(value.As<v8::Object>(), &arrayBufferIndex)) {
         return writeTransferredArrayBuffer(value, arrayBufferIndex, next);
+    } else if (V8SharedArrayBuffer::hasInstance(value, isolate()) && m_transferredSharedArrayBuffers.tryGet(value.As<v8::Object>(), &sharedArrayBufferIndex)) {
+        return writeTransferredSharedArrayBuffer(value, sharedArrayBufferIndex, next);
     } else {
         v8::Local<v8::Object> jsObject = value.As<v8::Object>();
         if (jsObject.IsEmpty())
             return handleError(DataCloneError, "An object could not be cloned.", next);
         greyObject(jsObject);
         if (value->IsDate()) {
             m_writer.writeDate(value.As<v8::Date>()->ValueOf());
         } else if (value->IsStringObject()) {
             writeStringObject(value);
         } else if (value->IsNumberObject()) {
@@ skipping 196 matching lines @@
     v8::Local<v8::RegExp> regExp = value.As<v8::RegExp>();
     m_writer.writeRegExp(regExp->GetSource(), regExp->GetFlags());
 }
 
 ScriptValueSerializer::StateBase* ScriptValueSerializer::writeAndGreyArrayBufferView(v8::Local<v8::Object> object, ScriptValueSerializer::StateBase* next)
 {
     ASSERT(!object.IsEmpty());
     DOMArrayBufferView* arrayBufferView = V8ArrayBufferView::toImpl(object);
     if (!arrayBufferView)
         return 0;
-    if (!arrayBufferView->buffer())
-        return handleError(DataCloneError, "An ArrayBuffer could not be cloned.", next);
-    v8::Local<v8::Value> underlyingBuffer = toV8(arrayBufferView->buffer(), m_scriptState->context()->Global(), isolate());
+    v8::Local<v8::Value> underlyingBuffer;
+    if (arrayBufferView->isShared()) {
+        if (!arrayBufferView->bufferShared())
+            return handleError(DataCloneError, "A SharedArrayBuffer could not be cloned.", next);
+        underlyingBuffer = toV8(arrayBufferView->bufferShared(), m_scriptState->context()->Global(), isolate());
+    } else {
+        if (!arrayBufferView->buffer())
+            return handleError(DataCloneError, "An ArrayBuffer could not be cloned.", next);
+        underlyingBuffer = toV8(arrayBufferView->buffer(), m_scriptState->context()->Global(), isolate());
+    }
     if (underlyingBuffer.IsEmpty())
         return handleError(DataCloneError, "An ArrayBuffer could not be cloned.", next);
     StateBase* stateOut = doSerializeArrayBuffer(underlyingBuffer, next);
     if (stateOut)
         return stateOut;
     m_writer.writeArrayBufferView(*arrayBufferView);
     // This should be safe: we serialize something that we know to be a wrapper (see
     // the toV8 call above), so the call to doSerializeArrayBuffer should neither
     // cause the system stack to overflow nor should it have potential to reach
     // this ArrayBufferView again.
@@ skipping 23 matching lines @@
 {
     DOMArrayBuffer* arrayBuffer = V8ArrayBuffer::toImpl(value.As<v8::Object>());
     if (!arrayBuffer)
         return 0;
     if (arrayBuffer->isNeutered())
         return handleError(DataCloneError, "An ArrayBuffer is neutered and could not be cloned.", next);
     m_writer.writeTransferredArrayBuffer(index);
     return 0;
 }
 
+ScriptValueSerializer::StateBase* ScriptValueSerializer::writeTransferredSharedArrayBuffer(v8::Local<v8::Value> value, uint32_t index, ScriptValueSerializer::StateBase* next)
+{
+    ASSERT(RuntimeEnabledFeatures::sharedArrayBufferEnabled());
+    DOMSharedArrayBuffer* sharedArrayBuffer = V8SharedArrayBuffer::toImpl(value.As<v8::Object>());
+    if (!sharedArrayBuffer)
+        return 0;
+    m_writer.writeTransferredSharedArrayBuffer(index);
+    return 0;
+}
+
 bool ScriptValueSerializer::shouldSerializeDensely(uint32_t length, uint32_t propertyCount)
 {
     // Let K be the cost of serializing all property values that are there
     // Cost of serializing sparsely: 5*propertyCount + K (5 bytes per uint32_t key)
     // Cost of serializing densely: K + 1*(length - propertyCount) (1 byte for all properties that are not there)
     // so densely is better than sparsly whenever 6*propertyCount > length
     return 6 * propertyCount >= length;
 }
 
 ScriptValueSerializer::StateBase* ScriptValueSerializer::startArrayState(v8::Local<v8::Array> array, ScriptValueSerializer::StateBase* next)
@@ skipping 256 matching lines @@
     case ArrayBufferTransferTag: {
         if (!m_version)
             return false;
         uint32_t index;
         if (!doReadUint32(&index))
             return false;
         if (!creator.tryGetTransferredArrayBuffer(index, value))
             return false;
         break;
     }
+    case SharedArrayBufferTransferTag: {
+        if (!m_version)
+            return false;
+        uint32_t index;
+        if (!doReadUint32(&index))
+            return false;
+        if (!creator.tryGetTransferredSharedArrayBuffer(index, value))
+            return false;
+        break;
+    }
     case ObjectReferenceTag: {
         if (!m_version)
             return false;
         uint32_t reference;
         if (!doReadUint32(&reference))
             return false;
         if (!creator.tryGetObjectFromObjectReference(reference, value))
             return false;
         break;
     }
@@ skipping 201 matching lines @@
         return false;
     *value = toV8(arrayBuffer.release(), m_scriptState->context()->Global(), isolate());
     return !value->IsEmpty();
 }
 
 bool SerializedScriptValueReader::readArrayBufferView(v8::Local<v8::Value>* value, ScriptValueCompositeCreator& creator)
 {
     ArrayBufferViewSubTag subTag;
     uint32_t byteOffset;
     uint32_t byteLength;
-    RefPtr<DOMArrayBuffer> arrayBuffer;
+    RefPtr<DOMArrayBufferBase> arrayBuffer;
     v8::Local<v8::Value> arrayBufferV8Value;
     if (!readArrayBufferViewSubTag(&subTag))
         return false;
     if (!doReadUint32(&byteOffset))
         return false;
     if (!doReadUint32(&byteLength))
         return false;
     if (!creator.consumeTopOfStack(&arrayBufferV8Value))
         return false;
     if (arrayBufferV8Value.IsEmpty())
         return false;
-    arrayBuffer = V8ArrayBuffer::toImpl(arrayBufferV8Value.As<v8::Object>());
-    if (!arrayBuffer)
-        return false;
+    if (arrayBufferV8Value->IsArrayBuffer()) {
+        arrayBuffer = V8ArrayBuffer::toImpl(arrayBufferV8Value.As<v8::Object>());
+        if (!arrayBuffer)
+            return false;
+    } else if (arrayBufferV8Value->IsSharedArrayBuffer()) {
+        arrayBuffer = V8SharedArrayBuffer::toImpl(arrayBufferV8Value.As<v8::Object>());
+        if (!arrayBuffer)
+            return false;
+    } else {
+        ASSERT_NOT_REACHED();
+    }
 
     // Check the offset, length and alignment.
     int elementByteSize;
     switch (subTag) {
     case ByteArrayTag:
         elementByteSize = sizeof(DOMInt8Array::ValueType);
         break;
     case UnsignedByteArrayTag:
         elementByteSize = sizeof(DOMUint8Array::ValueType);
         break;
@@ skipping 386 matching lines @@
         v8::Local<v8::Object> creationContext = m_reader.scriptState()->context()->Global();
         result = toV8(buffer.get(), creationContext, isolate);
         if (result.IsEmpty())
             return false;
         m_arrayBuffers[index] = result;
     }
     *object = result;
     return true;
 }
 
+bool ScriptValueDeserializer::tryGetTransferredSharedArrayBuffer(uint32_t index, v8::Local<v8::Value>* object)
+{
+    ASSERT(RuntimeEnabledFeatures::sharedArrayBufferEnabled());
+    if (!m_arrayBufferContents)
+        return false;
+    if (index >= m_arrayBuffers.size())
+        return false;
+    v8::Local<v8::Value> result = m_arrayBuffers.at(index);
+    if (result.IsEmpty()) {
+        RefPtr<DOMSharedArrayBuffer> buffer = DOMSharedArrayBuffer::create(m_arrayBufferContents->at(index));
+        v8::Isolate* isolate = m_reader.scriptState()->isolate();
+        v8::Local<v8::Object> creationContext = m_reader.scriptState()->context()->Global();
+        result = toV8(buffer.get(), creationContext, isolate);
+        m_arrayBuffers[index] = result;
+    }
+    *object = result;
+    return true;
+}
+
 bool ScriptValueDeserializer::tryGetObjectFromObjectReference(uint32_t reference, v8::Local<v8::Value>* object)
 {
     if (reference >= m_objectPool.size())
         return false;
     *object = m_objectPool[reference];
     return object;
 }
 
 uint32_t ScriptValueDeserializer::objectReferenceCount()
 {
@@ skipping 52 matching lines @@
         return false;
     uint32_t objectReference = m_openCompositeReferenceStack[m_openCompositeReferenceStack.size() - 1];
     m_openCompositeReferenceStack.shrink(m_openCompositeReferenceStack.size() - 1);
     if (objectReference >= m_objectPool.size())
         return false;
     *object = m_objectPool[objectReference];
     return true;
 }
 
 } // namespace blink