Bug 1966355 - Part 17: Handle immutable typed arrays in Atomics. r=sfink,jandem

Disallow immutable typed arrays for all `Atomics` methods except `Atomics.load`.

Differential Revision: https://phabricator.services.mozilla.com/D249410

Author: anba

js/src/builtin/AtomicsObject.cpp

@@ -51,6 +51,12 @@ static bool ReportDetachedArrayBuffer(JSContext* cx) {
   return false;
 }
 
+static bool ReportImmutableBuffer(JSContext* cx) {
+  JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+                            JSMSG_ARRAYBUFFER_IMMUTABLE);
+  return false;
+}
+
 static bool ReportResizedArrayBuffer(JSContext* cx) {
   JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
                             JSMSG_TYPED_ARRAY_RESIZED_BOUNDS);
@@ -64,15 +70,15 @@ static bool ReportOutOfRange(JSContext* cx) {
   return false;
 }
 
-// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56
-// Plus: https://github.com/tc39/ecma262/pull/1908
-// 24.4.1.1 ValidateIntegerTypedArray ( typedArray [ , waitable ] )
+enum class AccessMode { Read, Write };
+
+// ES2026 draft rev affcec07523a45d40fb668689c07657412e772ac
+// Plus: https://tc39.es/proposal-immutable-arraybuffer/
+// 25.4.3.1 ValidateIntegerTypedArray ( typedArray, waitable )
 static bool ValidateIntegerTypedArray(
-    JSContext* cx, HandleValue typedArray, bool waitable,
+    JSContext* cx, HandleValue typedArray, bool waitable, AccessMode accessMode,
     MutableHandle<TypedArrayObject*> unwrappedTypedArray) {
-  // Step 1 (implicit).
-
-  // Step 2.
+  // Steps 1-2.
   auto* unwrapped = UnwrapAndTypeCheckValue<TypedArrayObject>(
       cx, typedArray, [cx]() { ReportBadArrayType(cx); });
   if (!unwrapped) {
@@ -83,7 +89,12 @@ static bool ValidateIntegerTypedArray(
     return ReportDetachedArrayBuffer(cx);
   }
 
-  // Steps 3-6.
+  if (accessMode == AccessMode::Write &&
+      unwrapped->is<ImmutableTypedArrayObject>()) {
+    return ReportImmutableBuffer(cx);
+  }
+
+  // Steps 3-4.
   if (waitable) {
     switch (unwrapped->type()) {
       case Scalar::Int32:
@@ -108,7 +119,7 @@ static bool ValidateIntegerTypedArray(
     }
   }
 
-  // Steps 7-9 (modified to return the TypedArray).
+  // Step 5 (modified to return the TypedArray).
   unwrappedTypedArray.set(unwrapped);
   return true;
 }
@@ -253,10 +264,12 @@ struct ArrayOps<uint64_t> {
 // 24.4.4 Atomics.compareExchange ( typedArray, index, ... ), steps 1-2.
 // 24.4.9 Atomics.store ( typedArray, index, value ), steps 1-2.
 template <typename Op>
-bool AtomicAccess(JSContext* cx, HandleValue obj, HandleValue index, Op op) {
+static bool AtomicAccess(JSContext* cx, HandleValue obj, HandleValue index,
+                         AccessMode accessMode, Op op) {
   // Step 1.
   Rooted<TypedArrayObject*> unwrappedTypedArray(cx);
-  if (!ValidateIntegerTypedArray(cx, obj, false, &unwrappedTypedArray)) {
+  if (!ValidateIntegerTypedArray(cx, obj, false, accessMode,
+                                 &unwrappedTypedArray)) {
     return false;
   }
 
@@ -326,7 +339,7 @@ static bool atomics_compareExchange(JSContext* cx, unsigned argc, Value* vp) {
   HandleValue index = args.get(1);
 
   return AtomicAccess(
-      cx, typedArray, index,
+      cx, typedArray, index, AccessMode::Write,
       [cx, &args](auto ops, Handle<TypedArrayObject*> unwrappedTypedArray,
                   size_t index) {
         using T = typename decltype(ops)::Type;
@@ -363,7 +376,7 @@ static bool atomics_load(JSContext* cx, unsigned argc, Value* vp) {
   HandleValue index = args.get(1);
 
   return AtomicAccess(
-      cx, typedArray, index,
+      cx, typedArray, index, AccessMode::Read,
       [cx, &args](auto ops, Handle<TypedArrayObject*> unwrappedTypedArray,
                   size_t index) {
         using T = typename decltype(ops)::Type;
@@ -388,7 +401,7 @@ static bool atomics_store(JSContext* cx, unsigned argc, Value* vp) {
   HandleValue index = args.get(1);
 
   return AtomicAccess(
-      cx, typedArray, index,
+      cx, typedArray, index, AccessMode::Write,
       [cx, &args](auto ops, Handle<TypedArrayObject*> unwrappedTypedArray,
                   size_t index) {
         using T = typename decltype(ops)::Type;
@@ -418,7 +431,7 @@ static bool AtomicReadModifyWrite(JSContext* cx, const CallArgs& args,
   HandleValue index = args.get(1);
 
   return AtomicAccess(
-      cx, typedArray, index,
+      cx, typedArray, index, AccessMode::Write,
       [cx, &args, op](auto ops, Handle<TypedArrayObject*> unwrappedTypedArray,
                       size_t index) {
         using T = typename decltype(ops)::Type;
@@ -1303,7 +1316,8 @@ static bool DoWait(JSContext* cx, bool isAsync, HandleValue objv,
                    MutableHandleValue r) {
   // Steps 1-2.
   Rooted<TypedArrayObject*> unwrappedTypedArray(cx);
-  if (!ValidateIntegerTypedArray(cx, objv, true, &unwrappedTypedArray)) {
+  if (!ValidateIntegerTypedArray(cx, objv, true, AccessMode::Read,
+                                 &unwrappedTypedArray)) {
     return false;
   }
   MOZ_ASSERT(unwrappedTypedArray->type() == Scalar::Int32 ||
@@ -1472,7 +1486,8 @@ static bool atomics_notify(JSContext* cx, unsigned argc, Value* vp) {
 
   // Step 1.
   Rooted<TypedArrayObject*> unwrappedTypedArray(cx);
-  if (!ValidateIntegerTypedArray(cx, objv, true, &unwrappedTypedArray)) {
+  if (!ValidateIntegerTypedArray(cx, objv, true, AccessMode::Read,
+                                 &unwrappedTypedArray)) {
     return false;
   }
   MOZ_ASSERT(unwrappedTypedArray->type() == Scalar::Int32 ||

js/src/jit-test/tests/atomics/load-from-immutable-typedarray.js

@@ -0,0 +1,38 @@
+// |jit-test| --enable-arraybuffer-immutable; skip-if: !ArrayBuffer.prototype.transferToImmutable
+
+const IntTypedArrays = [
+  Int8Array,
+  Uint8Array,
+  Int16Array,
+  Uint16Array,
+  Int32Array,
+  Uint32Array,
+  BigInt64Array,
+  BigUint64Array,
+];
+
+function test(TA) {
+  const length = 4;
+
+  let expected = new TA(length);
+  let type = expected[0].constructor;
+
+  for (let i = 0; i < length; ++i) {
+    expected[i] = type(i + 1);
+  }
+
+  let actual = new TA(expected.buffer.sliceToImmutable());
+  assertEq(actual.buffer.immutable, true);
+
+  for (let i = 0; i < 200; ++i) {
+    let index = i % length;
+    assertEq(Atomics.load(actual, index), expected[index]);
+  }
+}
+
+for (let TA of IntTypedArrays) {
+  // Copy test function to ensure monomorphic ICs.
+  let copy = Function(`return ${test}`)();
+
+  for (let i = 0; i < 2; ++i) copy(TA);
+}

js/src/jit/CacheIR.cpp

@@ -9545,8 +9545,16 @@ AttachDecision InlinableNativeIRGenerator::tryAttachReflectGetPrototypeOf() {
   return AttachDecision::Attach;
 }
 
+enum class AtomicAccess { Read, Write };
+
 static bool AtomicsMeetsPreconditions(TypedArrayObject* typedArray,
-                                      const Value& index) {
+                                      const Value& index, AtomicAccess access) {
+  // Can't write into immutable TypedArrays.
+  if (access == AtomicAccess::Write &&
+      typedArray->is<ImmutableTypedArrayObject>()) {
+    return false;
+  }
+
   switch (typedArray->type()) {
     case Scalar::Int8:
     case Scalar::Uint8:
@@ -9603,7 +9611,7 @@ AttachDecision InlinableNativeIRGenerator::tryAttachAtomicsCompareExchange() {
   }
 
   auto* typedArray = &args_[0].toObject().as<TypedArrayObject>();
-  if (!AtomicsMeetsPreconditions(typedArray, args_[1])) {
+  if (!AtomicsMeetsPreconditions(typedArray, args_[1], AtomicAccess::Write)) {
     return AttachDecision::NoAction;
   }
 
@@ -9669,7 +9677,7 @@ bool InlinableNativeIRGenerator::canAttachAtomicsReadWriteModify() {
   }
 
   auto* typedArray = &args_[0].toObject().as<TypedArrayObject>();
-  if (!AtomicsMeetsPreconditions(typedArray, args_[1])) {
+  if (!AtomicsMeetsPreconditions(typedArray, args_[1], AtomicAccess::Write)) {
     return false;
   }
   if (!ValueCanConvertToNumeric(typedArray->type(), args_[2])) {
@@ -9845,7 +9853,7 @@ AttachDecision InlinableNativeIRGenerator::tryAttachAtomicsLoad() {
   }
 
   auto* typedArray = &args_[0].toObject().as<TypedArrayObject>();
-  if (!AtomicsMeetsPreconditions(typedArray, args_[1])) {
+  if (!AtomicsMeetsPreconditions(typedArray, args_[1], AtomicAccess::Read)) {
     return AttachDecision::NoAction;
   }
 
@@ -9900,7 +9908,7 @@ AttachDecision InlinableNativeIRGenerator::tryAttachAtomicsStore() {
   }
 
   auto* typedArray = &args_[0].toObject().as<TypedArrayObject>();
-  if (!AtomicsMeetsPreconditions(typedArray, args_[1])) {
+  if (!AtomicsMeetsPreconditions(typedArray, args_[1], AtomicAccess::Write)) {
     return AttachDecision::NoAction;
   }