From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 02:47:55 +0200 Subject: Adding upstream version 124.0.1. Signed-off-by: Daniel Baumann --- js/src/builtin/AtomicsObject.cpp | 1105 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 1105 insertions(+) create mode 100644 js/src/builtin/AtomicsObject.cpp (limited to 'js/src/builtin/AtomicsObject.cpp') diff --git a/js/src/builtin/AtomicsObject.cpp b/js/src/builtin/AtomicsObject.cpp new file mode 100644 index 0000000000..c4a221aab8 --- /dev/null +++ b/js/src/builtin/AtomicsObject.cpp @@ -0,0 +1,1105 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * vim: set ts=8 sts=2 et sw=2 tw=80: + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * JS Atomics pseudo-module. + * + * See chapter 24.4 "The Atomics Object" and chapter 27 "Memory Model" in + * ECMAScript 2021 for the full specification. + */ + +#include "builtin/AtomicsObject.h" + +#include "mozilla/Atomics.h" +#include "mozilla/DebugOnly.h" +#include "mozilla/FloatingPoint.h" +#include "mozilla/Maybe.h" +#include "mozilla/ScopeExit.h" + +#include "jsnum.h" + +#include "jit/AtomicOperations.h" +#include "jit/InlinableNatives.h" +#include "js/Class.h" +#include "js/friend/ErrorMessages.h" // js::GetErrorMessage, JSMSG_* +#include "js/PropertySpec.h" +#include "js/Result.h" +#include "js/WaitCallbacks.h" +#include "vm/GlobalObject.h" +#include "vm/TypedArrayObject.h" + +#include "vm/Compartment-inl.h" +#include "vm/JSObject-inl.h" + +using namespace js; + +static bool ReportBadArrayType(JSContext* cx) { + JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, + JSMSG_ATOMICS_BAD_ARRAY); + return false; +} + +static bool ReportDetachedArrayBuffer(JSContext* cx) { + JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, + JSMSG_TYPED_ARRAY_DETACHED); + return false; +} + +static bool ReportResizedArrayBuffer(JSContext* cx) { + JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, + JSMSG_TYPED_ARRAY_RESIZED_BOUNDS); + return false; +} + +static bool ReportOutOfRange(JSContext* cx) { + // Use JSMSG_BAD_INDEX here, it is what ToIndex uses for some cases that it + // reports directly. + JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_BAD_INDEX); + return false; +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// Plus: https://github.com/tc39/ecma262/pull/1908 +// 24.4.1.1 ValidateIntegerTypedArray ( typedArray [ , waitable ] ) +static bool ValidateIntegerTypedArray( + JSContext* cx, HandleValue typedArray, bool waitable, + MutableHandle unwrappedTypedArray) { + // Step 1 (implicit). + + // Step 2. + auto* unwrapped = UnwrapAndTypeCheckValue( + cx, typedArray, [cx]() { ReportBadArrayType(cx); }); + if (!unwrapped) { + return false; + } + + if (unwrapped->hasDetachedBuffer()) { + return ReportDetachedArrayBuffer(cx); + } + + // Steps 3-6. + if (waitable) { + switch (unwrapped->type()) { + case Scalar::Int32: + case Scalar::BigInt64: + break; + default: + return ReportBadArrayType(cx); + } + } else { + switch (unwrapped->type()) { + case Scalar::Int8: + case Scalar::Uint8: + case Scalar::Int16: + case Scalar::Uint16: + case Scalar::Int32: + case Scalar::Uint32: + case Scalar::BigInt64: + case Scalar::BigUint64: + break; + default: + return ReportBadArrayType(cx); + } + } + + // Steps 7-9 (modified to return the TypedArray). + unwrappedTypedArray.set(unwrapped); + return true; +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.1.2 ValidateAtomicAccess ( typedArray, requestIndex ) +static bool ValidateAtomicAccess(JSContext* cx, + Handle typedArray, + HandleValue requestIndex, size_t* index) { + MOZ_ASSERT(!typedArray->hasDetachedBuffer()); + + // Steps 1-2. + mozilla::Maybe length = typedArray->length(); + if (!length) { + // ValidateIntegerTypedArray doesn't check for out-of-bounds in our + // implementation, so we have to handle this case here. + return ReportResizedArrayBuffer(cx); + } + + // Steps 3-4. + uint64_t accessIndex; + if (!ToIndex(cx, requestIndex, &accessIndex)) { + return false; + } + + // Step 5. + if (accessIndex >= *length) { + return ReportOutOfRange(cx); + } + + // Steps 6-9. + *index = size_t(accessIndex); + return true; +} + +template +struct ArrayOps { + using Type = T; + + static JS::Result convertValue(JSContext* cx, HandleValue v) { + int32_t n; + if (!ToInt32(cx, v, &n)) { + return cx->alreadyReportedError(); + } + return static_cast(n); + } + + static JS::Result convertValue(JSContext* cx, HandleValue v, + MutableHandleValue result) { + double d; + if (!ToInteger(cx, v, &d)) { + return cx->alreadyReportedError(); + } + result.setNumber(d); + return static_cast(JS::ToInt32(d)); + } + + static JS::Result<> storeResult(JSContext* cx, T v, + MutableHandleValue result) { + result.setInt32(v); + return Ok(); + } +}; + +template <> +JS::Result<> ArrayOps::storeResult(JSContext* cx, uint32_t v, + MutableHandleValue result) { + // Always double typed so that the JITs can assume the types are stable. + result.setDouble(v); + return Ok(); +} + +template <> +struct ArrayOps { + using Type = int64_t; + + static JS::Result convertValue(JSContext* cx, HandleValue v) { + BigInt* bi = ToBigInt(cx, v); + if (!bi) { + return cx->alreadyReportedError(); + } + return BigInt::toInt64(bi); + } + + static JS::Result convertValue(JSContext* cx, HandleValue v, + MutableHandleValue result) { + BigInt* bi = ToBigInt(cx, v); + if (!bi) { + return cx->alreadyReportedError(); + } + result.setBigInt(bi); + return BigInt::toInt64(bi); + } + + static JS::Result<> storeResult(JSContext* cx, int64_t v, + MutableHandleValue result) { + BigInt* bi = BigInt::createFromInt64(cx, v); + if (!bi) { + return cx->alreadyReportedError(); + } + result.setBigInt(bi); + return Ok(); + } +}; + +template <> +struct ArrayOps { + using Type = uint64_t; + + static JS::Result convertValue(JSContext* cx, HandleValue v) { + BigInt* bi = ToBigInt(cx, v); + if (!bi) { + return cx->alreadyReportedError(); + } + return BigInt::toUint64(bi); + } + + static JS::Result convertValue(JSContext* cx, HandleValue v, + MutableHandleValue result) { + BigInt* bi = ToBigInt(cx, v); + if (!bi) { + return cx->alreadyReportedError(); + } + result.setBigInt(bi); + return BigInt::toUint64(bi); + } + + static JS::Result<> storeResult(JSContext* cx, uint64_t v, + MutableHandleValue result) { + BigInt* bi = BigInt::createFromUint64(cx, v); + if (!bi) { + return cx->alreadyReportedError(); + } + result.setBigInt(bi); + return Ok(); + } +}; + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.1.11 AtomicReadModifyWrite ( typedArray, index, value, op ), steps 1-2. +// 24.4.1.12 AtomicLoad ( typedArray, index ), steps 1-2. +// 24.4.4 Atomics.compareExchange ( typedArray, index, ... ), steps 1-2. +// 24.4.9 Atomics.store ( typedArray, index, value ), steps 1-2. +template +bool AtomicAccess(JSContext* cx, HandleValue obj, HandleValue index, Op op) { + // Step 1. + Rooted unwrappedTypedArray(cx); + if (!ValidateIntegerTypedArray(cx, obj, false, &unwrappedTypedArray)) { + return false; + } + + // Step 2. + size_t intIndex; + if (!ValidateAtomicAccess(cx, unwrappedTypedArray, index, &intIndex)) { + return false; + } + + switch (unwrappedTypedArray->type()) { + case Scalar::Int8: + return op(ArrayOps{}, unwrappedTypedArray, intIndex); + case Scalar::Uint8: + return op(ArrayOps{}, unwrappedTypedArray, intIndex); + case Scalar::Int16: + return op(ArrayOps{}, unwrappedTypedArray, intIndex); + case Scalar::Uint16: + return op(ArrayOps{}, unwrappedTypedArray, intIndex); + case Scalar::Int32: + return op(ArrayOps{}, unwrappedTypedArray, intIndex); + case Scalar::Uint32: + return op(ArrayOps{}, unwrappedTypedArray, intIndex); + case Scalar::BigInt64: + return op(ArrayOps{}, unwrappedTypedArray, intIndex); + case Scalar::BigUint64: + return op(ArrayOps{}, unwrappedTypedArray, intIndex); + case Scalar::Float32: + case Scalar::Float64: + case Scalar::Uint8Clamped: + case Scalar::MaxTypedArrayViewType: + case Scalar::Int64: + case Scalar::Simd128: + break; + } + MOZ_CRASH("Unsupported TypedArray type"); +} + +template +static SharedMem TypedArrayData(JSContext* cx, TypedArrayObject* typedArray, + size_t index) { + // RevalidateAtomicAccess, steps 1-3. + mozilla::Maybe length = typedArray->length(); + + // RevalidateAtomicAccess, step 4. + if (!length) { + ReportDetachedArrayBuffer(cx); + return {}; + } + + // RevalidateAtomicAccess, step 5. + if (index >= *length) { + ReportOutOfRange(cx); + return {}; + } + + SharedMem typedArrayData = typedArray->dataPointerEither(); + return typedArrayData.cast() + index; +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.4 Atomics.compareExchange ( typedArray, index, expectedValue, +// replacementValue ) +static bool atomics_compareExchange(JSContext* cx, unsigned argc, Value* vp) { + CallArgs args = CallArgsFromVp(argc, vp); + HandleValue typedArray = args.get(0); + HandleValue index = args.get(1); + + return AtomicAccess( + cx, typedArray, index, + [cx, &args](auto ops, Handle unwrappedTypedArray, + size_t index) { + using T = typename decltype(ops)::Type; + + HandleValue expectedValue = args.get(2); + HandleValue replacementValue = args.get(3); + + T oldval; + JS_TRY_VAR_OR_RETURN_FALSE(cx, oldval, + ops.convertValue(cx, expectedValue)); + + T newval; + JS_TRY_VAR_OR_RETURN_FALSE(cx, newval, + ops.convertValue(cx, replacementValue)); + + SharedMem addr = TypedArrayData(cx, unwrappedTypedArray, index); + if (!addr) { + return false; + } + + oldval = + jit::AtomicOperations::compareExchangeSeqCst(addr, oldval, newval); + + JS_TRY_OR_RETURN_FALSE(cx, ops.storeResult(cx, oldval, args.rval())); + return true; + }); +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.7 Atomics.load ( typedArray, index ) +static bool atomics_load(JSContext* cx, unsigned argc, Value* vp) { + CallArgs args = CallArgsFromVp(argc, vp); + HandleValue typedArray = args.get(0); + HandleValue index = args.get(1); + + return AtomicAccess( + cx, typedArray, index, + [cx, &args](auto ops, Handle unwrappedTypedArray, + size_t index) { + using T = typename decltype(ops)::Type; + + SharedMem addr = TypedArrayData(cx, unwrappedTypedArray, index); + if (!addr) { + return false; + } + + T v = jit::AtomicOperations::loadSeqCst(addr); + + JS_TRY_OR_RETURN_FALSE(cx, ops.storeResult(cx, v, args.rval())); + return true; + }); +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.9 Atomics.store ( typedArray, index, value ) +static bool atomics_store(JSContext* cx, unsigned argc, Value* vp) { + CallArgs args = CallArgsFromVp(argc, vp); + HandleValue typedArray = args.get(0); + HandleValue index = args.get(1); + + return AtomicAccess( + cx, typedArray, index, + [cx, &args](auto ops, Handle unwrappedTypedArray, + size_t index) { + using T = typename decltype(ops)::Type; + + HandleValue value = args.get(2); + + T v; + JS_TRY_VAR_OR_RETURN_FALSE(cx, v, + ops.convertValue(cx, value, args.rval())); + + SharedMem addr = TypedArrayData(cx, unwrappedTypedArray, index); + if (!addr) { + return false; + } + + jit::AtomicOperations::storeSeqCst(addr, v); + return true; + }); +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.1.11 AtomicReadModifyWrite ( typedArray, index, value, op ) +template +static bool AtomicReadModifyWrite(JSContext* cx, const CallArgs& args, + AtomicOp op) { + HandleValue typedArray = args.get(0); + HandleValue index = args.get(1); + + return AtomicAccess( + cx, typedArray, index, + [cx, &args, op](auto ops, Handle unwrappedTypedArray, + size_t index) { + using T = typename decltype(ops)::Type; + + HandleValue value = args.get(2); + + T v; + JS_TRY_VAR_OR_RETURN_FALSE(cx, v, ops.convertValue(cx, value)); + + SharedMem addr = TypedArrayData(cx, unwrappedTypedArray, index); + if (!addr) { + return false; + } + + v = op(addr, v); + + JS_TRY_OR_RETURN_FALSE(cx, ops.storeResult(cx, v, args.rval())); + return true; + }); +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.5 Atomics.exchange ( typedArray, index, value ) +static bool atomics_exchange(JSContext* cx, unsigned argc, Value* vp) { + CallArgs args = CallArgsFromVp(argc, vp); + + return AtomicReadModifyWrite(cx, args, [](auto addr, auto val) { + return jit::AtomicOperations::exchangeSeqCst(addr, val); + }); +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.2 Atomics.add ( typedArray, index, value ) +static bool atomics_add(JSContext* cx, unsigned argc, Value* vp) { + CallArgs args = CallArgsFromVp(argc, vp); + + return AtomicReadModifyWrite(cx, args, [](auto addr, auto val) { + return jit::AtomicOperations::fetchAddSeqCst(addr, val); + }); +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.10 Atomics.sub ( typedArray, index, value ) +static bool atomics_sub(JSContext* cx, unsigned argc, Value* vp) { + CallArgs args = CallArgsFromVp(argc, vp); + + return AtomicReadModifyWrite(cx, args, [](auto addr, auto val) { + return jit::AtomicOperations::fetchSubSeqCst(addr, val); + }); +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.3 Atomics.and ( typedArray, index, value ) +static bool atomics_and(JSContext* cx, unsigned argc, Value* vp) { + CallArgs args = CallArgsFromVp(argc, vp); + + return AtomicReadModifyWrite(cx, args, [](auto addr, auto val) { + return jit::AtomicOperations::fetchAndSeqCst(addr, val); + }); +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.8 Atomics.or ( typedArray, index, value ) +static bool atomics_or(JSContext* cx, unsigned argc, Value* vp) { + CallArgs args = CallArgsFromVp(argc, vp); + + return AtomicReadModifyWrite(cx, args, [](auto addr, auto val) { + return jit::AtomicOperations::fetchOrSeqCst(addr, val); + }); +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.13 Atomics.xor ( typedArray, index, value ) +static bool atomics_xor(JSContext* cx, unsigned argc, Value* vp) { + CallArgs args = CallArgsFromVp(argc, vp); + + return AtomicReadModifyWrite(cx, args, [](auto addr, auto val) { + return jit::AtomicOperations::fetchXorSeqCst(addr, val); + }); +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.6 Atomics.isLockFree ( size ) +static bool atomics_isLockFree(JSContext* cx, unsigned argc, Value* vp) { + CallArgs args = CallArgsFromVp(argc, vp); + HandleValue v = args.get(0); + + // Step 1. + int32_t size; + if (v.isInt32()) { + size = v.toInt32(); + } else { + double dsize; + if (!ToInteger(cx, v, &dsize)) { + return false; + } + + // Step 7 (non-integer case only). + if (!mozilla::NumberEqualsInt32(dsize, &size)) { + args.rval().setBoolean(false); + return true; + } + } + + // Steps 2-7. + args.rval().setBoolean(jit::AtomicOperations::isLockfreeJS(size)); + return true; +} + +namespace js { + +// Represents one waiting worker. +// +// The type is declared opaque in SharedArrayObject.h. Instances of +// js::FutexWaiter are stack-allocated and linked onto a list across a +// call to FutexThread::wait(). +// +// The 'waiters' field of the SharedArrayRawBuffer points to the highest +// priority waiter in the list, and lower priority nodes are linked through +// the 'lower_pri' field. The 'back' field goes the other direction. +// The list is circular, so the 'lower_pri' field of the lowest priority +// node points to the first node in the list. The list has no dedicated +// header node. + +class FutexWaiter { + public: + FutexWaiter(size_t offset, JSContext* cx) + : offset(offset), cx(cx), lower_pri(nullptr), back(nullptr) {} + + size_t offset; // int32 element index within the SharedArrayBuffer + JSContext* cx; // The waiting thread + FutexWaiter* lower_pri; // Lower priority nodes in circular doubly-linked + // list of waiters + FutexWaiter* back; // Other direction +}; + +class AutoLockFutexAPI { + // We have to wrap this in a Maybe because of the way loading + // mozilla::Atomic pointers works. + mozilla::Maybe> unique_; + + public: + AutoLockFutexAPI() { + js::Mutex* lock = FutexThread::lock_; + unique_.emplace(*lock); + } + + ~AutoLockFutexAPI() { unique_.reset(); } + + js::UniqueLock& unique() { return *unique_; } +}; + +} // namespace js + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.11 Atomics.wait ( typedArray, index, value, timeout ), steps 8-9, 14-25. +template +static FutexThread::WaitResult AtomicsWait( + JSContext* cx, SharedArrayRawBuffer* sarb, size_t byteOffset, T value, + const mozilla::Maybe& timeout) { + // Validation and other guards should ensure that this does not happen. + MOZ_ASSERT(sarb, "wait is only applicable to shared memory"); + + // Steps 8-9. + if (!cx->fx.canWait()) { + JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, + JSMSG_ATOMICS_WAIT_NOT_ALLOWED); + return FutexThread::WaitResult::Error; + } + + SharedMem addr = + sarb->dataPointerShared().cast() + (byteOffset / sizeof(T)); + + // Steps 15 (reordered), 17.a and 23 (through destructor). + // This lock also protects the "waiters" field on SharedArrayRawBuffer, + // and it provides the necessary memory fence. + AutoLockFutexAPI lock; + + // Steps 16-17. + if (jit::AtomicOperations::loadSafeWhenRacy(addr) != value) { + return FutexThread::WaitResult::NotEqual; + } + + // Steps 14, 18-22. + FutexWaiter w(byteOffset, cx); + if (FutexWaiter* waiters = sarb->waiters()) { + w.lower_pri = waiters; + w.back = waiters->back; + waiters->back->lower_pri = &w; + waiters->back = &w; + } else { + w.lower_pri = w.back = &w; + sarb->setWaiters(&w); + } + + FutexThread::WaitResult retval = cx->fx.wait(cx, lock.unique(), timeout); + + if (w.lower_pri == &w) { + sarb->setWaiters(nullptr); + } else { + w.lower_pri->back = w.back; + w.back->lower_pri = w.lower_pri; + if (sarb->waiters() == &w) { + sarb->setWaiters(w.lower_pri); + } + } + + // Steps 24-25. + return retval; +} + +FutexThread::WaitResult js::atomics_wait_impl( + JSContext* cx, SharedArrayRawBuffer* sarb, size_t byteOffset, int32_t value, + const mozilla::Maybe& timeout) { + return AtomicsWait(cx, sarb, byteOffset, value, timeout); +} + +FutexThread::WaitResult js::atomics_wait_impl( + JSContext* cx, SharedArrayRawBuffer* sarb, size_t byteOffset, int64_t value, + const mozilla::Maybe& timeout) { + return AtomicsWait(cx, sarb, byteOffset, value, timeout); +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.11 Atomics.wait ( typedArray, index, value, timeout ), steps 6-25. +template +static bool DoAtomicsWait(JSContext* cx, + Handle unwrappedTypedArray, + size_t index, T value, HandleValue timeoutv, + MutableHandleValue r) { + mozilla::Maybe timeout; + if (!timeoutv.isUndefined()) { + // Step 6. + double timeout_ms; + if (!ToNumber(cx, timeoutv, &timeout_ms)) { + return false; + } + + // Step 7. + if (!std::isnan(timeout_ms)) { + if (timeout_ms < 0) { + timeout = mozilla::Some(mozilla::TimeDuration::FromSeconds(0.0)); + } else if (!std::isinf(timeout_ms)) { + timeout = + mozilla::Some(mozilla::TimeDuration::FromMilliseconds(timeout_ms)); + } + } + } + + // Step 10. + Rooted unwrappedSab( + cx, unwrappedTypedArray->bufferShared()); + + // Step 11. + mozilla::Maybe offset = unwrappedTypedArray->byteOffset(); + MOZ_ASSERT( + offset, + "offset can't become invalid because shared buffers can only grow"); + + // Steps 12-13. + // The computation will not overflow because range checks have been + // performed. + size_t indexedPosition = index * sizeof(T) + *offset; + + // Steps 8-9, 14-25. + switch (atomics_wait_impl(cx, unwrappedSab->rawBufferObject(), + indexedPosition, value, timeout)) { + case FutexThread::WaitResult::NotEqual: + r.setString(cx->names().not_equal_); + return true; + case FutexThread::WaitResult::OK: + r.setString(cx->names().ok); + return true; + case FutexThread::WaitResult::TimedOut: + r.setString(cx->names().timed_out_); + return true; + case FutexThread::WaitResult::Error: + return false; + default: + MOZ_CRASH("Should not happen"); + } +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.11 Atomics.wait ( typedArray, index, value, timeout ) +static bool atomics_wait(JSContext* cx, unsigned argc, Value* vp) { + CallArgs args = CallArgsFromVp(argc, vp); + HandleValue objv = args.get(0); + HandleValue index = args.get(1); + HandleValue valv = args.get(2); + HandleValue timeoutv = args.get(3); + MutableHandleValue r = args.rval(); + + // Step 1. + Rooted unwrappedTypedArray(cx); + if (!ValidateIntegerTypedArray(cx, objv, true, &unwrappedTypedArray)) { + return false; + } + MOZ_ASSERT(unwrappedTypedArray->type() == Scalar::Int32 || + unwrappedTypedArray->type() == Scalar::BigInt64); + + // https://github.com/tc39/ecma262/pull/1908 + if (!unwrappedTypedArray->isSharedMemory()) { + return ReportBadArrayType(cx); + } + + // Step 2. + size_t intIndex; + if (!ValidateAtomicAccess(cx, unwrappedTypedArray, index, &intIndex)) { + return false; + } + + if (unwrappedTypedArray->type() == Scalar::Int32) { + // Step 5. + int32_t value; + if (!ToInt32(cx, valv, &value)) { + return false; + } + + // Steps 6-25. + return DoAtomicsWait(cx, unwrappedTypedArray, intIndex, value, timeoutv, r); + } + + MOZ_ASSERT(unwrappedTypedArray->type() == Scalar::BigInt64); + + // Step 4. + RootedBigInt value(cx, ToBigInt(cx, valv)); + if (!value) { + return false; + } + + // Steps 6-25. + return DoAtomicsWait(cx, unwrappedTypedArray, intIndex, + BigInt::toInt64(value), timeoutv, r); +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.12 Atomics.notify ( typedArray, index, count ), steps 10-16. +int64_t js::atomics_notify_impl(SharedArrayRawBuffer* sarb, size_t byteOffset, + int64_t count) { + // Validation should ensure this does not happen. + MOZ_ASSERT(sarb, "notify is only applicable to shared memory"); + + // Steps 12 (reordered), 15 (through destructor). + AutoLockFutexAPI lock; + + // Step 11 (reordered). + int64_t woken = 0; + + // Steps 10, 13-14. + FutexWaiter* waiters = sarb->waiters(); + if (waiters && count) { + FutexWaiter* iter = waiters; + do { + FutexWaiter* c = iter; + iter = iter->lower_pri; + if (c->offset != byteOffset || !c->cx->fx.isWaiting()) { + continue; + } + c->cx->fx.notify(FutexThread::NotifyExplicit); + // Overflow will be a problem only in two cases: + // (1) 128-bit systems with substantially more than 2^64 bytes of + // memory per process, and a very lightweight + // Atomics.waitAsync(). Obviously a future problem. + // (2) Bugs. + MOZ_RELEASE_ASSERT(woken < INT64_MAX); + ++woken; + if (count > 0) { + --count; + } + } while (count && iter != waiters); + } + + // Step 16. + return woken; +} + +// ES2021 draft rev bd868f20b8c574ad6689fba014b62a1dba819e56 +// 24.4.12 Atomics.notify ( typedArray, index, count ) +static bool atomics_notify(JSContext* cx, unsigned argc, Value* vp) { + CallArgs args = CallArgsFromVp(argc, vp); + HandleValue objv = args.get(0); + HandleValue index = args.get(1); + HandleValue countv = args.get(2); + MutableHandleValue r = args.rval(); + + // Step 1. + Rooted unwrappedTypedArray(cx); + if (!ValidateIntegerTypedArray(cx, objv, true, &unwrappedTypedArray)) { + return false; + } + MOZ_ASSERT(unwrappedTypedArray->type() == Scalar::Int32 || + unwrappedTypedArray->type() == Scalar::BigInt64); + + // Step 2. + size_t intIndex; + if (!ValidateAtomicAccess(cx, unwrappedTypedArray, index, &intIndex)) { + return false; + } + + // Steps 3-4. + int64_t count; + if (countv.isUndefined()) { + count = -1; + } else { + double dcount; + if (!ToInteger(cx, countv, &dcount)) { + return false; + } + if (dcount < 0.0) { + dcount = 0.0; + } + count = dcount < double(1ULL << 63) ? int64_t(dcount) : -1; + } + + // https://github.com/tc39/ecma262/pull/1908 + if (!unwrappedTypedArray->isSharedMemory()) { + r.setInt32(0); + return true; + } + + // Step 5. + Rooted unwrappedSab( + cx, unwrappedTypedArray->bufferShared()); + + // Step 6. + mozilla::Maybe offset = unwrappedTypedArray->byteOffset(); + MOZ_ASSERT( + offset, + "offset can't become invalid because shared buffers can only grow"); + + // Steps 7-9. + // The computation will not overflow because range checks have been + // performed. + size_t elementSize = Scalar::byteSize(unwrappedTypedArray->type()); + size_t indexedPosition = intIndex * elementSize + *offset; + + // Steps 10-16. + r.setNumber(double(atomics_notify_impl(unwrappedSab->rawBufferObject(), + indexedPosition, count))); + + return true; +} + +/* static */ +bool js::FutexThread::initialize() { + MOZ_ASSERT(!lock_); + lock_ = js_new(mutexid::FutexThread); + return lock_ != nullptr; +} + +/* static */ +void js::FutexThread::destroy() { + if (lock_) { + js::Mutex* lock = lock_; + js_delete(lock); + lock_ = nullptr; + } +} + +/* static */ +void js::FutexThread::lock() { + // Load the atomic pointer. + js::Mutex* lock = lock_; + + lock->lock(); +} + +/* static */ mozilla::Atomic + FutexThread::lock_; + +/* static */ +void js::FutexThread::unlock() { + // Load the atomic pointer. + js::Mutex* lock = lock_; + + lock->unlock(); +} + +js::FutexThread::FutexThread() + : cond_(nullptr), state_(Idle), canWait_(false) {} + +bool js::FutexThread::initInstance() { + MOZ_ASSERT(lock_); + cond_ = js_new(); + return cond_ != nullptr; +} + +void js::FutexThread::destroyInstance() { + if (cond_) { + js_delete(cond_); + } +} + +bool js::FutexThread::isWaiting() { + // When a worker is awoken for an interrupt it goes into state + // WaitingNotifiedForInterrupt for a short time before it actually + // wakes up and goes into WaitingInterrupted. In those states the + // worker is still waiting, and if an explicit notify arrives the + // worker transitions to Woken. See further comments in + // FutexThread::wait(). + return state_ == Waiting || state_ == WaitingInterrupted || + state_ == WaitingNotifiedForInterrupt; +} + +FutexThread::WaitResult js::FutexThread::wait( + JSContext* cx, js::UniqueLock& locked, + const mozilla::Maybe& timeout) { + MOZ_ASSERT(&cx->fx == this); + MOZ_ASSERT(cx->fx.canWait()); + MOZ_ASSERT(state_ == Idle || state_ == WaitingInterrupted); + + // Disallow waiting when a runtime is processing an interrupt. + // See explanation below. + + if (state_ == WaitingInterrupted) { + UnlockGuard unlock(locked); + JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, + JSMSG_ATOMICS_WAIT_NOT_ALLOWED); + return WaitResult::Error; + } + + // Go back to Idle after returning. + auto onFinish = mozilla::MakeScopeExit([&] { state_ = Idle; }); + + const bool isTimed = timeout.isSome(); + + auto finalEnd = timeout.map([](const mozilla::TimeDuration& timeout) { + return mozilla::TimeStamp::Now() + timeout; + }); + + // 4000s is about the longest timeout slice that is guaranteed to + // work cross-platform. + auto maxSlice = mozilla::TimeDuration::FromSeconds(4000.0); + + for (;;) { + // If we are doing a timed wait, calculate the end time for this wait + // slice. + auto sliceEnd = finalEnd.map([&](mozilla::TimeStamp& finalEnd) { + auto sliceEnd = mozilla::TimeStamp::Now() + maxSlice; + if (finalEnd < sliceEnd) { + sliceEnd = finalEnd; + } + return sliceEnd; + }); + + state_ = Waiting; + + MOZ_ASSERT((cx->runtime()->beforeWaitCallback == nullptr) == + (cx->runtime()->afterWaitCallback == nullptr)); + mozilla::DebugOnly callbacksPresent = + cx->runtime()->beforeWaitCallback != nullptr; + + void* cookie = nullptr; + uint8_t clientMemory[JS::WAIT_CALLBACK_CLIENT_MAXMEM]; + if (cx->runtime()->beforeWaitCallback) { + cookie = (*cx->runtime()->beforeWaitCallback)(clientMemory); + } + + if (isTimed) { + (void)cond_->wait_until(locked, *sliceEnd); + } else { + cond_->wait(locked); + } + + MOZ_ASSERT((cx->runtime()->afterWaitCallback != nullptr) == + callbacksPresent); + if (cx->runtime()->afterWaitCallback) { + (*cx->runtime()->afterWaitCallback)(cookie); + } + + switch (state_) { + case FutexThread::Waiting: + // Timeout or spurious wakeup. + if (isTimed) { + auto now = mozilla::TimeStamp::Now(); + if (now >= *finalEnd) { + return WaitResult::TimedOut; + } + } + break; + + case FutexThread::Woken: + return WaitResult::OK; + + case FutexThread::WaitingNotifiedForInterrupt: + // The interrupt handler may reenter the engine. In that case + // there are two complications: + // + // - The waiting thread is not actually waiting on the + // condition variable so we have to record that it + // should be woken when the interrupt handler returns. + // To that end, we flag the thread as interrupted around + // the interrupt and check state_ when the interrupt + // handler returns. A notify() call that reaches the + // runtime during the interrupt sets state_ to Woken. + // + // - It is in principle possible for wait() to be + // reentered on the same thread/runtime and waiting on the + // same location and to yet again be interrupted and enter + // the interrupt handler. In this case, it is important + // that when another agent notifies waiters, all waiters using + // the same runtime on the same location are woken in LIFO + // order; FIFO may be the required order, but FIFO would + // fail to wake up the innermost call. Interrupts are + // outside any spec anyway. Also, several such suspended + // waiters may be woken at a time. + // + // For the time being we disallow waiting from within code + // that runs from within an interrupt handler; this may + // occasionally (very rarely) be surprising but is + // expedient. Other solutions exist, see bug #1131943. The + // code that performs the check is above, at the head of + // this function. + + state_ = WaitingInterrupted; + { + UnlockGuard unlock(locked); + if (!cx->handleInterrupt()) { + return WaitResult::Error; + } + } + if (state_ == Woken) { + return WaitResult::OK; + } + break; + + default: + MOZ_CRASH("Bad FutexState in wait()"); + } + } +} + +void js::FutexThread::notify(NotifyReason reason) { + MOZ_ASSERT(isWaiting()); + + if ((state_ == WaitingInterrupted || state_ == WaitingNotifiedForInterrupt) && + reason == NotifyExplicit) { + state_ = Woken; + return; + } + switch (reason) { + case NotifyExplicit: + state_ = Woken; + break; + case NotifyForJSInterrupt: + if (state_ == WaitingNotifiedForInterrupt) { + return; + } + state_ = WaitingNotifiedForInterrupt; + break; + default: + MOZ_CRASH("bad NotifyReason in FutexThread::notify()"); + } + cond_->notify_all(); +} + +const JSFunctionSpec AtomicsMethods[] = { + JS_INLINABLE_FN("compareExchange", atomics_compareExchange, 4, 0, + AtomicsCompareExchange), + JS_INLINABLE_FN("load", atomics_load, 2, 0, AtomicsLoad), + JS_INLINABLE_FN("store", atomics_store, 3, 0, AtomicsStore), + JS_INLINABLE_FN("exchange", atomics_exchange, 3, 0, AtomicsExchange), + JS_INLINABLE_FN("add", atomics_add, 3, 0, AtomicsAdd), + JS_INLINABLE_FN("sub", atomics_sub, 3, 0, AtomicsSub), + JS_INLINABLE_FN("and", atomics_and, 3, 0, AtomicsAnd), + JS_INLINABLE_FN("or", atomics_or, 3, 0, AtomicsOr), + JS_INLINABLE_FN("xor", atomics_xor, 3, 0, AtomicsXor), + JS_INLINABLE_FN("isLockFree", atomics_isLockFree, 1, 0, AtomicsIsLockFree), + JS_FN("wait", atomics_wait, 4, 0), + JS_FN("notify", atomics_notify, 3, 0), + JS_FN("wake", atomics_notify, 3, 0), // Legacy name + JS_FS_END}; + +static const JSPropertySpec AtomicsProperties[] = { + JS_STRING_SYM_PS(toStringTag, "Atomics", JSPROP_READONLY), JS_PS_END}; + +static JSObject* CreateAtomicsObject(JSContext* cx, JSProtoKey key) { + RootedObject proto(cx, &cx->global()->getObjectPrototype()); + return NewTenuredObjectWithGivenProto(cx, &AtomicsObject::class_, proto); +} + +static const ClassSpec AtomicsClassSpec = {CreateAtomicsObject, nullptr, + AtomicsMethods, AtomicsProperties}; + +const JSClass AtomicsObject::class_ = { + "Atomics", JSCLASS_HAS_CACHED_PROTO(JSProto_Atomics), JS_NULL_CLASS_OPS, + &AtomicsClassSpec}; -- cgit v1.2.3