Do not consult Symbol.species when constructing TypedArray from TypedArrays

Bug: v8:12744 Change-Id: I3e356c16554e8bc19afc06b18f4afd7fed2f228e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3563540 Commit-Queue: Shu-yu Guo <syg@chromium.org> Auto-Submit: Shu-yu Guo <syg@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#79833}

Do not consult Symbol.species when constructing TypedArray from TypedArrays
Bug: v8:12744 Change-Id: I3e356c16554e8bc19afc06b18f4afd7fed2f228e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3563540 Commit-Queue: Shu-yu Guo <syg@chromium.org> Auto-Submit: Shu-yu Guo <syg@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#79833}
1ac9280d · Shu-yu Guo · V8 LUCI CQ · 9238afb0 · 1ac9280d · 1ac9280d
Commit 1ac9280d authored Apr 06, 2022 by Shu-yu Guo Committed by V8 LUCI CQ Apr 06, 2022
6 changed files
--- a/src/builtins/typed-array-createtypedarray.tq
+++ b/src/builtins/typed-array-createtypedarray.tq
@@ -77,8 +77,8 @@ transitioning macro AllocateTypedArray(implicit context: Context)(
 transitioning macro TypedArrayInitialize(implicit context: Context)(
    initialize: constexpr bool, map: Map, length: uintptr,
-    elementsInfo: typed_array::TypedArrayElementsInfo,
+    elementsInfo: typed_array::TypedArrayElementsInfo):
-    bufferConstructor: JSReceiver): JSTypedArray labels IfRangeError {
+    JSTypedArray labels IfRangeError {
  const byteLength = elementsInfo.CalculateByteLength(length)
      otherwise IfRangeError;
  const byteLengthNum = Convert<Number>(byteLength);
@@ -86,11 +86,6 @@ transitioning macro TypedArrayInitialize(implicit context: Context)(
  const byteOffset: uintptr = 0;
  try {
-    if (bufferConstructor != defaultConstructor) {
-      goto AttachOffHeapBuffer(ConstructWithTarget(
-          defaultConstructor, bufferConstructor, byteLengthNum));
-    }
    if (byteLength > kMaxTypedArrayInHeap) goto AllocateOffHeap;
    const buffer = AllocateEmptyOnHeapBuffer();
@@ -131,10 +126,8 @@ transitioning macro ConstructByLength(implicit context: Context)(
    elementsInfo: typed_array::TypedArrayElementsInfo): JSTypedArray {
  try {
    const length: uintptr = ToIndex(lengthObj) otherwise RangeError;
-    const defaultConstructor: Constructor = GetArrayBufferFunction();
    const initialize: constexpr bool = true;
-    return TypedArrayInitialize(
+    return TypedArrayInitialize(initialize, map, length, elementsInfo)
-        initialize, map, length, elementsInfo, defaultConstructor)
        otherwise RangeError;
  } label RangeError deferred {
    ThrowRangeError(MessageTemplate::kInvalidTypedArrayLength, lengthObj);
@@ -145,12 +138,11 @@ transitioning macro ConstructByLength(implicit context: Context)(
 // ES #sec-typedarray-object
 transitioning macro ConstructByArrayLike(implicit context: Context)(
    map: Map, arrayLike: HeapObject, length: uintptr,
-    elementsInfo: typed_array::TypedArrayElementsInfo,
+    elementsInfo: typed_array::TypedArrayElementsInfo): JSTypedArray {
-    bufferConstructor: JSReceiver): JSTypedArray {
  try {
    const initialize: constexpr bool = false;
-    const typedArray = TypedArrayInitialize(
+    const typedArray =
-        initialize, map, length, elementsInfo, bufferConstructor)
+        TypedArrayInitialize(initialize, map, length, elementsInfo)
        otherwise RangeError;
    try {
@@ -198,21 +190,18 @@ transitioning macro ConstructByArrayLike(implicit context: Context)(
 // ES #sec-typedarray-object
 transitioning macro ConstructByIterable(implicit context: Context)(
    iterable: JSReceiver, iteratorFn: Callable): never
-    labels IfConstructByArrayLike(JSArray, uintptr, JSReceiver) {
+    labels IfConstructByArrayLike(JSArray, uintptr) {
  const array: JSArray =
      IterableToListMayPreserveHoles(context, iterable, iteratorFn);
  // Max JSArray length is a valid JSTypedArray length so we just use it.
-  goto IfConstructByArrayLike(
+  goto IfConstructByArrayLike(array, array.length_uintptr);
-      array, array.length_uintptr, GetArrayBufferFunction());
 }
 // 22.2.4.3 TypedArray ( typedArray )
 // ES #sec-typedarray-typedarray
 transitioning macro ConstructByTypedArray(implicit context: Context)(
    srcTypedArray: JSTypedArray): never
-    labels IfConstructByArrayLike(JSTypedArray, uintptr, JSReceiver) {
+    labels IfConstructByArrayLike(JSTypedArray, uintptr) {
-  let bufferConstructor: JSReceiver = GetArrayBufferFunction();
-  const srcBuffer: JSArrayBuffer = srcTypedArray.buffer;
  let length: uintptr;
  try {
    // TODO(petermarshall): Throw on detached typedArray.
@@ -222,20 +211,7 @@ transitioning macro ConstructByTypedArray(implicit context: Context)(
    length = 0;
  }
-  // The spec requires that constructing a typed array using a SAB-backed
+  goto IfConstructByArrayLike(srcTypedArray, length);
-  // typed array use the ArrayBuffer constructor, not the species constructor.
-  // See https://tc39.github.io/ecma262/#sec-typedarray-typedarray.
-  if (!IsSharedArrayBuffer(srcBuffer)) {
-    bufferConstructor = SpeciesConstructor(srcBuffer, bufferConstructor);
-    try {
-      // TODO(petermarshall): Throw on detached typedArray.
-      length = LoadJSTypedArrayLengthAndCheckDetached(srcTypedArray)
-          otherwise DetachedOrOutOfBounds;
-    } label DetachedOrOutOfBounds {
-      length = 0;
-    }
-  }
-  goto IfConstructByArrayLike(srcTypedArray, length, bufferConstructor);
 }
 // 22.2.4.5 TypedArray ( buffer, byteOffset, length )
@@ -369,7 +345,7 @@ transitioning macro TypedArrayCreateByLength(implicit context: Context)(
 transitioning macro ConstructByJSReceiver(implicit context: Context)(
    obj: JSReceiver): never
-    labels IfConstructByArrayLike(JSReceiver, uintptr, JSReceiver) {
+    labels IfConstructByArrayLike(JSReceiver, uintptr) {
  try {
    // TODO(v8:8906): Use iterator::GetIteratorMethod() once it supports
    // labels.
@@ -385,7 +361,7 @@ transitioning macro ConstructByJSReceiver(implicit context: Context)(
    // anyway.
    const length: uintptr = ChangeSafeIntegerNumberToUintPtr(lengthNumber)
        otherwise goto IfInvalidLength(lengthNumber);
-    goto IfConstructByArrayLike(obj, length, GetArrayBufferFunction());
+    goto IfConstructByArrayLike(obj, length);
  } label IfInvalidLength(length: Number) {
    ThrowRangeError(MessageTemplate::kInvalidTypedArrayLength, length);
  } label IfIteratorNotCallable(_value: JSAny) deferred {
@@ -428,14 +404,12 @@ transitioning builtin CreateTypedArray(
    const elementsInfo = GetTypedArrayElementsInfo(map);
    return ConstructByLength(map, length, elementsInfo);
-  } label IfConstructByArrayLike(
+  } label IfConstructByArrayLike(arrayLike: JSReceiver, length: uintptr) {
-      arrayLike: JSReceiver, length: uintptr, bufferConstructor: JSReceiver) {
    const map = GetDerivedMap(target, newTarget);
    // 5. Let elementSize be the Number value of the Element Size value in Table
    // 56 for constructorName.
    const elementsInfo = GetTypedArrayElementsInfo(map);
-    return ConstructByArrayLike(
+    return ConstructByArrayLike(map, arrayLike, length, elementsInfo);
-        map, arrayLike, length, elementsInfo, bufferConstructor);
  }
 }

--- a/test/mjsunit/es6/typedarray-construct-by-array-like.js
+++ b/test/mjsunit/es6/typedarray-construct-by-array-like.js
@@ -175,42 +175,6 @@ tests.push(function TestConstructFromTypedArray(constr) {
  }
 });
-tests.push(function TestFromTypedArraySpecies(constr) {
-  var b = new ArrayBuffer(16);
-  var a1 = new constr(b);
-  var constructor_read = 0;
-  var cons = b.constructor;
-  Object.defineProperty(b, 'constructor', {
-    get: function() {
-      constructor_read++;
-      return cons;
-    }
-  });
-  var a2 = new constr(a1);
-  assertEquals(1, constructor_read);
-});
-tests.push(function TestFromTypedArraySpeciesDetachsBuffer(constr) {
-  var b = new ArrayBuffer(16);
-  var a1 = new constr(b);
-  var constructor_read = 0;
-  var cons = b.constructor;
-  Object.defineProperty(b, 'constructor', {
-    get: function() {
-      %ArrayBufferDetach(b);
-      return cons;
-    }
-  });
-  assertThrows(() => new constr(a1));
-});
 tests.push(function TestTypedArrayMaxLength(constr) {
  var myObject = { 0: 5, 1: 6, length: %TypedArrayMaxLength() + 1 };

--- a/test/mjsunit/regress/regress-840106.js
+++ b/test/mjsunit/regress/regress-840106.js
-// Copyright 2018 the V8 project authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-// Flags: --allow-natives-syntax
-var buffer = new ArrayBuffer(1024 * 1024);
-buffer.constructor = {
-  [Symbol.species]: new Proxy(function() {}, {
-    get: _ => {
-      %ArrayBufferDetach(buffer);
-    }
-  })
-};
-var array1 = new Uint8Array(buffer, 0, 1024);
-assertThrows(() => new Uint8Array(array1));
-assertThrows(() => new Int8Array(array1));
--- a/test/mjsunit/typedarray-resizablearraybuffer-detach.js
+++ b/test/mjsunit/typedarray-resizablearraybuffer-detach.js
@@ -38,57 +38,6 @@ d8.file.execute('test/mjsunit/typedarray-helpers.js');
  }
 })();
-(function ConstructFromTypedArraySpeciesConstructorDetaches() {
-  let rab;
-  class MyArrayBuffer extends ArrayBuffer {
-    constructor(...params) {
-      super(...params);
-    }
-    static get [Symbol.species]() {
-      %ArrayBufferDetach(rab);
-    }
-  };
-  function CreateRabForTest(ctor) {
-    const rab = new MyArrayBuffer(
-      4 * ctor.BYTES_PER_ELEMENT,
-      {maxByteLength: 8 * ctor.BYTES_PER_ELEMENT});
-    // Write some data into the array.
-    const taWrite = new ctor(rab);
-    for (let i = 0; i < 4; ++i) {
-      WriteToTypedArray(taWrite, i, 2 * i);
-    }
-    return rab;
-  }
-  AllBigIntMatchedCtorCombinations((targetCtor, sourceCtor) => {
-    rab = CreateRabForTest(sourceCtor);
-    const fixedLength = new sourceCtor(rab, 0, 4);
-    assertThrows(() => { new targetCtor(fixedLength); }, TypeError);
-  });
-  AllBigIntMatchedCtorCombinations((targetCtor, sourceCtor) => {
-    rab = CreateRabForTest(sourceCtor);
-    const fixedLengthWithOffset = new sourceCtor(
-        rab, 2 * sourceCtor.BYTES_PER_ELEMENT, 2);
-    assertThrows(() => { new targetCtor(fixedLengthWithOffset); }, TypeError);
-  });
-  AllBigIntMatchedCtorCombinations((targetCtor, sourceCtor) => {
-    rab = CreateRabForTest(sourceCtor);
-    const lengthTracking = new sourceCtor(rab, 0);
-    assertThrows(() => { new targetCtor(lengthTracking); }, TypeError);
-  });
-  AllBigIntMatchedCtorCombinations((targetCtor, sourceCtor) => {
-    rab = CreateRabForTest(sourceCtor);
-    const lengthTrackingWithOffset = new sourceCtor(
-      rab, 2 * sourceCtor.BYTES_PER_ELEMENT);
-    assertThrows(() => { new targetCtor(lengthTrackingWithOffset); },
-                 TypeError);
-  });
-})();
 (function AccessDetachedTypedArray() {
  const rab = CreateResizableArrayBuffer(16, 40);

--- a/test/mjsunit/typedarray-resizablearraybuffer.js
+++ b/test/mjsunit/typedarray-resizablearraybuffer.js
@@ -174,128 +174,6 @@ d8.file.execute('test/mjsunit/typedarray-helpers.js');
  });
 })();
-(function ConstructFromTypedArraySpeciesConstructorShrinks() {
-  let rab;
-  let resizeTo;
-  class MyArrayBuffer extends ArrayBuffer {
-    constructor(...params) {
-      super(...params);
-    }
-    static get [Symbol.species]() {
-      rab.resize(resizeTo);
-    }
-  };
-  function CreateRabForTest(ctor) {
-    const rab = new MyArrayBuffer(
-      4 * ctor.BYTES_PER_ELEMENT,
-      {maxByteLength: 8 * ctor.BYTES_PER_ELEMENT});
-    // Write some data into the array.
-    const taWrite = new ctor(rab);
-    for (let i = 0; i < 4; ++i) {
-      WriteToTypedArray(taWrite, i, 2 * i);
-    }
-    return rab;
-  }
-  AllBigIntMatchedCtorCombinations((targetCtor, sourceCtor) => {
-    rab = CreateRabForTest(sourceCtor);
-    const fixedLength = new sourceCtor(rab, 0, 4);
-    resizeTo = 2 * sourceCtor.BYTES_PER_ELEMENT;
-    assertThrows(() => { new targetCtor(fixedLength); }, TypeError);
-  });
-  AllBigIntMatchedCtorCombinations((targetCtor, sourceCtor) => {
-    rab = CreateRabForTest(sourceCtor);
-    const fixedLengthWithOffset = new sourceCtor(
-      rab, 2 * sourceCtor.BYTES_PER_ELEMENT, 2);
-    resizeTo = 2 * sourceCtor.BYTES_PER_ELEMENT;
-    assertThrows(() => { new targetCtor(fixedLengthWithOffset); }, TypeError);
-  });
-  AllBigIntMatchedCtorCombinations((targetCtor, sourceCtor) => {
-    rab = CreateRabForTest(sourceCtor);
-    const lengthTracking = new sourceCtor(rab, 0);
-    resizeTo = 2 * sourceCtor.BYTES_PER_ELEMENT;
-    assertEquals([0, 2], ToNumbers(new targetCtor(lengthTracking)));
-  });
-  AllBigIntMatchedCtorCombinations((targetCtor, sourceCtor) => {
-    rab = CreateRabForTest(sourceCtor);
-    const lengthTrackingWithOffset = new sourceCtor(
-      rab, 2 * sourceCtor.BYTES_PER_ELEMENT);
-    resizeTo = 3 * sourceCtor.BYTES_PER_ELEMENT;
-    assertEquals([4], ToNumbers(new targetCtor(lengthTrackingWithOffset)));
-  });
-  AllBigIntMatchedCtorCombinations((targetCtor, sourceCtor) => {
-    rab = CreateRabForTest(sourceCtor);
-    const lengthTrackingWithOffset = new sourceCtor(
-      rab, 2 * sourceCtor.BYTES_PER_ELEMENT);
-    resizeTo = 1 * sourceCtor.BYTES_PER_ELEMENT;
-    assertThrows(() => { new targetCtor(lengthTrackingWithOffset); },
-                 TypeError);
-  });
-})();
-(function ConstructFromTypedArraySpeciesConstructorGrows() {
-  let rab;
-  let resizeTo;
-  class MyArrayBuffer extends ArrayBuffer {
-    constructor(...params) {
-      super(...params);
-    }
-    static get [Symbol.species]() {
-      rab.resize(resizeTo);
-    }
-  };
-  function CreateRabForTest(ctor) {
-    const rab = new MyArrayBuffer(
-      4 * ctor.BYTES_PER_ELEMENT,
-      {maxByteLength: 8 * ctor.BYTES_PER_ELEMENT});
-    // Write some data into the array.
-    const taWrite = new ctor(rab);
-    for (let i = 0; i < 4; ++i) {
-      WriteToTypedArray(taWrite, i, 2 * i);
-    }
-    return rab;
-  }
-  AllBigIntMatchedCtorCombinations((targetCtor, sourceCtor) => {
-    rab = CreateRabForTest(sourceCtor);
-    const fixedLength = new sourceCtor(rab, 0, 4);
-    resizeTo = 6 * sourceCtor.BYTES_PER_ELEMENT;
-    // Fixed-length TA unaffected by growing.
-    assertEquals([0, 2, 4, 6], ToNumbers(new targetCtor(fixedLength)));
-  });
-  AllBigIntMatchedCtorCombinations((targetCtor, sourceCtor) => {
-    rab = CreateRabForTest(sourceCtor);
-    const fixedLengthWithOffset = new sourceCtor(
-        rab, 2 * sourceCtor.BYTES_PER_ELEMENT, 2);
-    resizeTo = 6 * sourceCtor.BYTES_PER_ELEMENT;
-    // Fixed-length TA unaffected by growing.
-    assertEquals([4, 6], ToNumbers(new targetCtor(fixedLengthWithOffset)));
-  });
-  AllBigIntMatchedCtorCombinations((targetCtor, sourceCtor) => {
-    rab = CreateRabForTest(sourceCtor);
-    const lengthTracking = new sourceCtor(rab, 0);
-    resizeTo = 6 * sourceCtor.BYTES_PER_ELEMENT;
-    assertEquals([0, 2, 4, 6, 0, 0],
-                 ToNumbers(new targetCtor(lengthTracking)));
-  });
-  AllBigIntMatchedCtorCombinations((targetCtor, sourceCtor) => {
-    rab = CreateRabForTest(sourceCtor);
-    const lengthTrackingWithOffset = new sourceCtor(
-      rab, 2 * sourceCtor.BYTES_PER_ELEMENT);
-    resizeTo = 6 * sourceCtor.BYTES_PER_ELEMENT;
-    assertEquals([4, 6, 0, 0],
-                 ToNumbers(new targetCtor(lengthTrackingWithOffset)));
-  });
-})();
 (function TypedArrayLengthWhenResizedOutOfBounds1() {
  const rab = CreateResizableArrayBuffer(16, 40);

--- a/test/test262/test262.status
+++ b/test/test262/test262.status
@@ -2880,9 +2880,6 @@
  # https://bugs.chromium.org/p/v8/issues/detail?id=12681
  'built-ins/Array/prototype/push/set-length-zero-array-length-is-non-writable': [FAIL],
-  # https://bugs.chromium.org/p/v8/issues/detail?id=12744
-  'built-ins/TypedArrayConstructors/ctors/no-species': [FAIL],
  ######################## NEEDS INVESTIGATION ###########################
  # https://bugs.chromium.org/p/v8/issues/detail?id=7833