[typedarrays] Check detached buffer at start of typed array methods

src/js/typedarray.js

Index: src/js/typedarray.js
diff --git a/src/js/typedarray.js b/src/js/typedarray.js
index 36cb28919b7ce33acd6a451ecaf0578fb6704ee8..b60e42b2e3f6dcdfb82e344c28efeb646d803c1c 100644
--- a/src/js/typedarray.js
+++ b/src/js/typedarray.js
@@ -13,7 +13,6 @@
 
 // array.js has to come before typedarray.js for this to work
 var ArrayToString = utils.ImportNow("ArrayToString");
-var ArrayValues;
 var GetIterator;
 var GetMethod;
 var GlobalArray = global.Array;
@@ -57,7 +56,6 @@ TYPED_ARRAYS(DECLARE_GLOBALS)
 var GlobalTypedArray = %object_get_prototype_of(GlobalUint8Array);
 
 utils.Import(function(from) {
-  ArrayValues = from.ArrayValues;
   GetIterator = from.GetIterator;
   GetMethod = from.GetMethod;
   InnerArrayFilter = from.InnerArrayFilter;
@@ -95,20 +93,16 @@ function TypedArrayCreate(constructor, arg0, arg1, arg2) {
   } else {
     var newTypedArray = new constructor(arg0, arg1, arg2);
   }
-  if (!IS_TYPEDARRAY(newTypedArray)) throw %make_type_error(kNotTypedArray);
-  // TODO(littledan): Check for being detached, here and elsewhere
-  // All callers where the first argument is a Number have no additional
-  // arguments.
+  %ValidateTypedArray(newTypedArray, "TypedArrayCreate");

[adamk, 2017/03/27 19:48:20]

I'm worried that adding a runtime call here might slow down construction. Is
there any perf testing you've done on this change?

[Choongwoo Han, 2017/03/28 09:50:58]

Actually this function is not related with default construction (new
TypedArray(..)), but is called from subarray, .of, .from.

   if (IS_NUMBER(arg0) && %_TypedArrayGetLength(newTypedArray) < arg0) {
     throw %make_type_error(kTypedArrayTooShort);
   }
   return newTypedArray;
 }
 
-function TypedArraySpeciesCreate(exemplar, arg0, arg1, arg2, conservative) {
+function TypedArraySpeciesCreate(exemplar, arg0, arg1, arg2) {
   var defaultConstructor = TypedArrayDefaultConstructor(exemplar);
-  var constructor = SpeciesConstructor(exemplar, defaultConstructor,
-                                       conservative);
+  var constructor = SpeciesConstructor(exemplar, defaultConstructor);
   return TypedArrayCreate(constructor, arg0, arg1, arg2);
 }
 
@@ -201,10 +195,8 @@ function NAMESubArray(begin, end) {
   var newLength = endInt - beginInt;
   var beginByteOffset =
       %_ArrayBufferViewGetByteOffset(this) + beginInt * ELEMENT_SIZE;
-  // BUG(v8:4665): For web compatibility, subarray needs to always build an
-  // instance of the default constructor.
-  // TODO(littledan): Switch to the standard or standardize the fix
-  return new GlobalNAME(%TypedArrayGetBuffer(this), beginByteOffset, newLength);
+  return TypedArraySpeciesCreate(this, %TypedArrayGetBuffer(this),
+                                 beginByteOffset, newLength);
 }
 endmacro
 
@@ -351,7 +343,7 @@ function InnerTypedArrayEvery(f, receiver, array, length) {
 
 // ES6 draft 05-05-15, section 22.2.3.7
 function TypedArrayEvery(f, receiver) {
-  if (!IS_TYPEDARRAY(this)) throw %make_type_error(kNotTypedArray);
+  %ValidateTypedArray(this, "TypedArray.prototype.every");

[adamk, 2017/03/27 19:48:20]

Hmm, again this is likely to be much more expensive than the previous check.

[Choongwoo Han, 2017/03/28 09:50:58]

Yes, it was too expensive than my expectation (2x overhead). So, I updated to
keep using the inline typed array check, and additional neutered checks through
runtime call. this is 5% overhead when I run the following minimal benchmark in
my machine.

```test.js
var arr = new Uint8Array(1024);

var t = performance.now();
for (var i = 0; i < 10000000; i++) {
  arr.every((v) => false)
}
print(performance.now() - t);
```
before: 896.7108000000001 (on average)
after: 939.5634 (on average)
939.5634 / 896.7108000000001 = 1.0477886515920183

 
   var length = %_TypedArrayGetLength(this);
 
@@ -381,7 +373,7 @@ function InnerTypedArrayForEach(f, receiver, array, length) {
 
 // ES6 draft 08-24-14, section 22.2.3.12
 function TypedArrayForEach(f, receiver) {
-  if (!IS_TYPEDARRAY(this)) throw %make_type_error(kNotTypedArray);
+  %ValidateTypedArray(this, "TypedArray.prototype.forEach");
 
   var length = %_TypedArrayGetLength(this);
 
@@ -392,7 +384,7 @@ function TypedArrayForEach(f, receiver) {
 
 // ES6 draft 07-15-13, section 22.2.3.9
 function TypedArrayFilter(f, thisArg) {
-  if (!IS_TYPEDARRAY(this)) throw %make_type_error(kNotTypedArray);
+  %ValidateTypedArray(this, "TypeArray.prototype.filter");
 
   var length = %_TypedArrayGetLength(this);
   if (!IS_CALLABLE(f)) throw %make_type_error(kCalledNonCallable, f);
@@ -410,7 +402,7 @@ function TypedArrayFilter(f, thisArg) {
 
 // ES6 draft 07-15-13, section 22.2.3.10
 function TypedArrayFind(predicate, thisArg) {
-  if (!IS_TYPEDARRAY(this)) throw %make_type_error(kNotTypedArray);
+  %ValidateTypedArray(this, "TypedArray.prototype.find");
 
   var length = %_TypedArrayGetLength(this);
 
@@ -421,7 +413,7 @@ function TypedArrayFind(predicate, thisArg) {
 
 // ES6 draft 07-15-13, section 22.2.3.11
 function TypedArrayFindIndex(predicate, thisArg) {
-  if (!IS_TYPEDARRAY(this)) throw %make_type_error(kNotTypedArray);
+  %ValidateTypedArray(this, "TypedArray.prototype.findIndex");
 
   var length = %_TypedArrayGetLength(this);
 
@@ -432,7 +424,7 @@ function TypedArrayFindIndex(predicate, thisArg) {
 
 // ES6 draft 05-18-15, section 22.2.3.25
 function TypedArraySort(comparefn) {
-  if (!IS_TYPEDARRAY(this)) throw %make_type_error(kNotTypedArray);
+  %ValidateTypedArray(this, "TypedArray.prototype.sort");
 
   var length = %_TypedArrayGetLength(this);
 
@@ -446,7 +438,7 @@ function TypedArraySort(comparefn) {
 
 // ES6 draft 07-15-13, section 22.2.3.18
 function TypedArrayMap(f, thisArg) {
-  if (!IS_TYPEDARRAY(this)) throw %make_type_error(kNotTypedArray);
+  %ValidateTypedArray(this, "TypedArray.prototype.map");
 
   var length = %_TypedArrayGetLength(this);
   var result = TypedArraySpeciesCreate(this, length);
@@ -473,7 +465,7 @@ function InnerTypedArraySome(f, receiver, array, length) {
 
 // ES6 draft 05-05-15, section 22.2.3.24
 function TypedArraySome(f, receiver) {
-  if (!IS_TYPEDARRAY(this)) throw %make_type_error(kNotTypedArray);
+  %ValidateTypedArray(this, "TypedArray.prototype.some");
 
   var length = %_TypedArrayGetLength(this);
 
@@ -484,7 +476,7 @@ function TypedArraySome(f, receiver) {
 
 // ES6 section 22.2.3.27
 function TypedArrayToLocaleString() {
-  if (!IS_TYPEDARRAY(this)) throw %make_type_error(kNotTypedArray);
+  %ValidateTypedArray(this, "TypedArray.prototype.toLocaleString");
 
   var length = %_TypedArrayGetLength(this);
 
@@ -494,7 +486,7 @@ function TypedArrayToLocaleString() {
 
 // ES6 section 22.2.3.14
 function TypedArrayJoin(separator) {
-  if (!IS_TYPEDARRAY(this)) throw %make_type_error(kNotTypedArray);
+  %ValidateTypedArray(this, "TypedArray.prototype.join");
 
   var length = %_TypedArrayGetLength(this);
 
@@ -529,7 +521,7 @@ function InnerTypedArrayReduce(
 
 // ES6 draft 07-15-13, section 22.2.3.19
 function TypedArrayReduce(callback, current) {
-  if (!IS_TYPEDARRAY(this)) throw %make_type_error(kNotTypedArray);
+  %ValidateTypedArray(this, "TypedArray.prototype.reduce");
 
   var length = %_TypedArrayGetLength(this);
   return InnerTypedArrayReduce(
@@ -565,7 +557,7 @@ function InnerArrayReduceRight(callback, current, array, length,
 
 // ES6 draft 07-15-13, section 22.2.3.19
 function TypedArrayReduceRight(callback, current) {
-  if (!IS_TYPEDARRAY(this)) throw %make_type_error(kNotTypedArray);
+  %ValidateTypedArray(this, "TypedArray.prototype.reduceRight");
 
   var length = %_TypedArrayGetLength(this);
   return InnerArrayReduceRight(callback, current, this, length,
@@ -575,7 +567,8 @@ function TypedArrayReduceRight(callback, current) {
 
 
 function TypedArraySlice(start, end) {
-  if (!IS_TYPEDARRAY(this)) throw %make_type_error(kNotTypedArray);
+  %ValidateTypedArray(this, "TypedArray.prototype.slice");
+
   var len = %_TypedArrayGetLength(this);
 
   var relativeStart = TO_INTEGER(start);