[RAB/GSAB] Object.freeze: Support RAB / GSAB

Bug: v8:11111 Change-Id: I722702faa062e6083496d55cd96ee33d3952998b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3571809Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#79840}

[RAB/GSAB] Object.freeze: Support RAB / GSAB
Bug: v8:11111 Change-Id: I722702faa062e6083496d55cd96ee33d3952998b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3571809Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#79840}
a1ff9120 · Marja Hölttä · V8 LUCI CQ · 44023563 · a1ff9120 · a1ff9120
Commit a1ff9120 authored Apr 06, 2022 by Marja Hölttä Committed by V8 LUCI CQ Apr 07, 2022
4 changed files
--- a/src/objects/js-objects.cc
+++ b/src/objects/js-objects.cc
@@ -4198,12 +4198,16 @@ Maybe<bool> JSObject::PreventExtensionsWithTransition(
                   NewTypeError(MessageTemplate::kNoAccess));
  }

-  if (attrs == NONE && !object->map().is_extensible()) return Just(true);
+  if (attrs == NONE && !object->map().is_extensible()) {
+    return Just(true);
+  }
+
  {
    ElementsKind old_elements_kind = object->map().elements_kind();
    if (IsFrozenElementsKind(old_elements_kind)) return Just(true);
-    if (attrs != FROZEN && IsSealedElementsKind(old_elements_kind))
+    if (attrs != FROZEN && IsSealedElementsKind(old_elements_kind)) {
      return Just(true);
+    }
  }

  if (object->IsJSGlobalProxy()) {
@@ -4274,7 +4278,7 @@ Maybe<bool> JSObject::PreventExtensionsWithTransition(
      TransitionsAccessor::SearchSpecial(isolate, old_map, *transition_marker);
  if (maybe_transition_map.ToHandle(&transition_map)) {
    DCHECK(transition_map->has_dictionary_elements() ||
-           transition_map->has_typed_array_elements() ||
+           transition_map->has_typed_array_or_rab_gsab_typed_array_elements() ||
           transition_map->elements_kind() == SLOW_STRING_WRAPPER_ELEMENTS ||
           transition_map->has_any_nonextensible_elements());
    DCHECK(!transition_map->is_extensible());
@@ -4340,8 +4344,8 @@ Maybe<bool> JSObject::PreventExtensionsWithTransition(

  // Both seal and preventExtensions always go through without modifications to
  // typed array elements. Freeze works only if there are no actual elements.
-  if (object->HasTypedArrayElements()) {
-    if (attrs == FROZEN && JSArrayBufferView::cast(*object).byte_length() > 0) {
+  if (object->HasTypedArrayOrRabGsabTypedArrayElements()) {
+    if (attrs == FROZEN && JSTypedArray::cast(*object).GetLength() > 0) {
      isolate->Throw(*isolate->factory()->NewTypeError(
          MessageTemplate::kCannotFreezeArrayBufferView));
      return Nothing<bool>();

--- a/src/objects/map.cc
+++ b/src/objects/map.cc
@@ -1698,7 +1698,7 @@ Handle<Map> Map::CopyForPreventExtensions(
      CopyReplaceDescriptors(isolate, map, new_desc, flag, transition_marker,
                             reason, SPECIAL_TRANSITION);
  new_map->set_is_extensible(false);
-  if (!IsTypedArrayElementsKind(map->elements_kind())) {
+  if (!IsTypedArrayOrRabGsabTypedArrayElementsKind(map->elements_kind())) {
    ElementsKind new_kind = IsStringWrapperElementsKind(map->elements_kind())
                                ? SLOW_STRING_WRAPPER_ELEMENTS
                                : DICTIONARY_ELEMENTS;

--- a/test/mjsunit/typedarray-growablesharedarraybuffer.js
+++ b/test/mjsunit/typedarray-growablesharedarraybuffer.js
@@ -3648,3 +3648,37 @@ function TestIterationAndGrow(ta, expected, gsab, grow_after,
    assertEquals([0, 0, 0, 0, 8, 0], ToNumbers(lengthTracking));
  }
 })();
+
+(function ObjectFreeze() {
+  // Freezing non-OOB non-zero-length TAs throws.
+  for (let ctor of ctors) {
+    const gsab = CreateGrowableSharedArrayBuffer(4 * ctor.BYTES_PER_ELEMENT,
+                                                 8 * ctor.BYTES_PER_ELEMENT);
+    const fixedLength = new ctor(gsab, 0, 4);
+    const fixedLengthWithOffset = new ctor(
+        gsab, 2 * ctor.BYTES_PER_ELEMENT, 2);
+    const lengthTracking = new ctor(gsab, 0);
+    const lengthTrackingWithOffset = new ctor(
+        gsab, 2 * ctor.BYTES_PER_ELEMENT);
+
+    assertThrows(() => { Object.freeze(fixedLength); }, TypeError);
+    assertThrows(() => { Object.freeze(fixedLengthWithOffset); }, TypeError);
+    assertThrows(() => { Object.freeze(lengthTracking); }, TypeError);
+    assertThrows(() => { Object.freeze(lengthTrackingWithOffset); }, TypeError);
+  }
+  // Freezing zero-length TAs doesn't throw.
+  for (let ctor of ctors) {
+    const gsab = CreateResizableArrayBuffer(4 * ctor.BYTES_PER_ELEMENT,
+                                           8 * ctor.BYTES_PER_ELEMENT);
+    const fixedLength = new ctor(gsab, 0, 0);
+    const fixedLengthWithOffset = new ctor(
+        gsab, 2 * ctor.BYTES_PER_ELEMENT, 0);
+    // Zero-length because the offset is at the end:
+    const lengthTrackingWithOffset = new ctor(
+        gsab, 4 * ctor.BYTES_PER_ELEMENT);
+
+    Object.freeze(fixedLength);
+    Object.freeze(fixedLengthWithOffset);
+    Object.freeze(lengthTrackingWithOffset);
+  }
+})();
--- a/test/mjsunit/typedarray-resizablearraybuffer.js
+++ b/test/mjsunit/typedarray-resizablearraybuffer.js
@@ -6702,3 +6702,52 @@ function TestIterationAndResize(ta, expected, rab, resize_after,
    assertEquals([0, 0, 0, 0, 8, 0], ToNumbers(lengthTracking));
  }
 })();
+
+(function ObjectFreeze() {
+  // Freezing non-OOB non-zero-length TAs throws.
+  for (let ctor of ctors) {
+    const rab = CreateResizableArrayBuffer(4 * ctor.BYTES_PER_ELEMENT,
+                                           8 * ctor.BYTES_PER_ELEMENT);
+    const fixedLength = new ctor(rab, 0, 4);
+    const fixedLengthWithOffset = new ctor(
+        rab, 2 * ctor.BYTES_PER_ELEMENT, 2);
+    const lengthTracking = new ctor(rab, 0);
+    const lengthTrackingWithOffset = new ctor(
+        rab, 2 * ctor.BYTES_PER_ELEMENT);
+
+    assertThrows(() => { Object.freeze(fixedLength); }, TypeError);
+    assertThrows(() => { Object.freeze(fixedLengthWithOffset); }, TypeError);
+    assertThrows(() => { Object.freeze(lengthTracking); }, TypeError);
+    assertThrows(() => { Object.freeze(lengthTrackingWithOffset); }, TypeError);
+  }
+  // Freezing zero-length TAs doesn't throw.
+  for (let ctor of ctors) {
+    const rab = CreateResizableArrayBuffer(4 * ctor.BYTES_PER_ELEMENT,
+                                           8 * ctor.BYTES_PER_ELEMENT);
+    const fixedLength = new ctor(rab, 0, 0);
+    const fixedLengthWithOffset = new ctor(
+        rab, 2 * ctor.BYTES_PER_ELEMENT, 0);
+    // Zero-length because the offset is at the end:
+    const lengthTrackingWithOffset = new ctor(
+        rab, 4 * ctor.BYTES_PER_ELEMENT);
+
+    Object.freeze(fixedLength);
+    Object.freeze(fixedLengthWithOffset);
+    Object.freeze(lengthTrackingWithOffset);
+  }
+  // If the buffer has been resized to make length-tracking TAs zero-length,
+  // freezing them also doesn't throw.
+  for (let ctor of ctors) {
+    const rab = CreateResizableArrayBuffer(4 * ctor.BYTES_PER_ELEMENT,
+                                           8 * ctor.BYTES_PER_ELEMENT);
+    const lengthTracking = new ctor(rab, );
+    const lengthTrackingWithOffset = new ctor(
+        rab, 2 * ctor.BYTES_PER_ELEMENT);
+
+    rab.resize(2 * ctor.BYTES_PER_ELEMENT);
+    Object.freeze(lengthTrackingWithOffset);
+
+    rab.resize(0 * ctor.BYTES_PER_ELEMENT);
+    Object.freeze(lengthTracking);
+  }
+})();