Chromium Code Reviews Chromium Code Reviews
Issue 2697593002:
Reland [typedarrays] move %TypedArray%.prototype.copyWithin to C++ (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2016 the V8 project authors. All rights reserved. | 1 // Copyright 2016 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/builtins/builtins-utils.h" | 5 #include "src/builtins/builtins-utils.h" |
| 6 #include "src/builtins/builtins.h" | 6 #include "src/builtins/builtins.h" |
| 7 #include "src/code-stub-assembler.h" | 7 #include "src/code-stub-assembler.h" |
| 8 | 8 |
| 9 namespace v8 { | 9 namespace v8 { |
| 10 namespace internal { | 10 namespace internal { |
| (...skipping 149 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 160 Generate_TypedArrayPrototypeIterationMethod<IterationKind::kEntries>( | 160 Generate_TypedArrayPrototypeIterationMethod<IterationKind::kEntries>( |
| 161 state, "%TypedArray%.prototype.entries()"); | 161 state, "%TypedArray%.prototype.entries()"); |
| 162 } | 162 } |
| 163 | 163 |
| 164 void Builtins::Generate_TypedArrayPrototypeKeys( | 164 void Builtins::Generate_TypedArrayPrototypeKeys( |
| 165 compiler::CodeAssemblerState* state) { | 165 compiler::CodeAssemblerState* state) { |
| 166 Generate_TypedArrayPrototypeIterationMethod<IterationKind::kKeys>( | 166 Generate_TypedArrayPrototypeIterationMethod<IterationKind::kKeys>( |
| 167 state, "%TypedArray%.prototype.keys()"); | 167 state, "%TypedArray%.prototype.keys()"); |
| 168 } | 168 } |
| 169 | 169 |
| 170 namespace { | |
| 171 | |
| 172 MaybeHandle<JSTypedArray> ValidateTypedArray(Isolate* isolate, | |
| 173 Handle<Object> receiver, | |
| 174 const char* method_name) { | |
| 175 if (V8_UNLIKELY(!receiver->IsJSTypedArray())) { | |
| 176 const MessageTemplate::Template message = MessageTemplate::kNotTypedArray; | |
| 177 THROW_NEW_ERROR(isolate, NewTypeError(message), JSTypedArray); | |
| 178 } | |
| 179 | |
| 180 Handle<JSTypedArray> array = Handle<JSTypedArray>::cast(receiver); | |
| 181 if (V8_UNLIKELY(array->WasNeutered())) { | |
| 182 const MessageTemplate::Template message = MessageTemplate::kNotTypedArray; | |
| 183 Handle<String> operation = | |
| 184 isolate->factory()->NewStringFromAsciiChecked(method_name); | |
| 185 THROW_NEW_ERROR(isolate, NewTypeError(message, operation), JSTypedArray); | |
|
Dan Ehrenberg
2017/02/13 19:56:44
This is also a change vs current behavior.
Camillo Bruni
2017/02/13 20:18:56
I fear that we have quite a few other places where
| |
| 186 } | |
| 187 | |
| 188 return array; | |
| 189 } | |
| 190 | |
| 191 int64_t CapRelativeIndex(Handle<Object> num, int64_t minimum, int64_t maximum) { | |
| 192 int64_t relative; | |
| 193 if (V8_LIKELY(num->IsSmi())) { | |
| 194 relative = Smi::cast(*num)->value(); | |
| 195 } else { | |
| 196 DCHECK(num->IsHeapNumber()); | |
| 197 double fp = HeapNumber::cast(*num)->value(); | |
| 198 if (V8_UNLIKELY(!std::isfinite(fp))) { | |
| 199 // +Infinity / -Infinity | |
| 200 DCHECK(!std::isnan(fp)); | |
| 201 return fp < 0 ? minimum : maximum; | |
| 202 } | |
| 203 relative = static_cast<int64_t>(fp); | |
| 204 } | |
| 205 return relative < 0 ? std::max<int64_t>(relative + maximum, minimum) | |
| 206 : std::min<int64_t>(relative, maximum); | |
| 207 } | |
| 208 | |
| 209 } // namespace | |
| 210 | |
| 211 BUILTIN(TypedArrayPrototypeCopyWithin) { | |
| 212 HandleScope scope(isolate); | |
| 213 | |
| 214 Handle<JSTypedArray> array; | |
| 215 const char* method = "%TypedArray%.prototype.copyWithin"; | |
| 216 ASSIGN_RETURN_FAILURE_ON_EXCEPTION( | |
| 217 isolate, array, ValidateTypedArray(isolate, args.receiver(), method)); | |
| 218 | |
| 219 int64_t len = array->length_value(); | |
| 220 int64_t to = 0; | |
| 221 int64_t from = 0; | |
| 222 int64_t final = len; | |
| 223 | |
| 224 if (V8_LIKELY(args.length() > 1)) { | |
| 225 Handle<Object> num; | |
| 226 ASSIGN_RETURN_FAILURE_ON_EXCEPTION( | |
| 227 isolate, num, Object::ToInteger(isolate, args.at<Object>(1))); | |
| 228 to = CapRelativeIndex(num, 0, len); | |
| 229 | |
| 230 if (args.length() > 2) { | |
| 231 ASSIGN_RETURN_FAILURE_ON_EXCEPTION( | |
| 232 isolate, num, Object::ToInteger(isolate, args.at<Object>(2))); | |
| 233 from = CapRelativeIndex(num, 0, len); | |
| 234 | |
| 235 Handle<Object> end = args.atOrUndefined(isolate, 3); | |
| 236 if (!end->IsUndefined(isolate)) { | |
| 237 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, num, | |
| 238 Object::ToInteger(isolate, end)); | |
| 239 final = CapRelativeIndex(num, 0, len); | |
| 240 } | |
| 241 } | |
| 242 } | |
| 243 | |
| 244 int64_t count = std::min<int64_t>(final - from, len - to); | |
| 245 if (count <= 0) return *array; | |
| 246 | |
| 247 // TypedArray buffer may have been transferred/detached during parameter | |
| 248 // processing above. Return early in this case, to prevent potential UAF error | |
| 249 if (V8_UNLIKELY(array->WasNeutered())) return *array; | |
|
Camillo Bruni
2017/02/13 20:18:56
I think you have to throw here according to the sp
| |
| 250 | |
| 251 Handle<FixedTypedArrayBase> elements( | |
| 252 FixedTypedArrayBase::cast(array->elements())); | |
| 253 size_t element_size = array->element_size(); | |
| 254 to = to * element_size; | |
| 255 from = from * element_size; | |
| 256 count = count * element_size; | |
| 257 | |
| 258 uint8_t* data = static_cast<uint8_t*>(elements->DataPtr()); | |
| 259 std::memmove(data + to, data + from, count); | |
| 260 | |
| 261 return *array; | |
| 262 } | |
| 263 | |
| 170 } // namespace internal | 264 } // namespace internal |
| 171 } // namespace v8 | 265 } // namespace v8 |
| OLD | NEW |
