1 files changed, 36 insertions, 26 deletions

diff --git a/Source/JavaScriptCore/runtime/ArrayBufferView.h b/Source/JavaScriptCore/runtime/ArrayBufferView.h
index 2b8f70d8b..e76e6e265 100644
--- a/Source/JavaScriptCore/runtime/ArrayBufferView.h
+++ b/Source/JavaScriptCore/runtime/ArrayBufferView.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2009, 2013, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -10,10 +10,10 @@
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
- * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE COMPUTER, INC. OR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
@@ -23,14 +23,12 @@
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
  */
 
-#ifndef ArrayBufferView_h
-#define ArrayBufferView_h
+#pragma once
 
 #include "ArrayBuffer.h"
 #include "TypedArrayType.h"
 #include <algorithm>
 #include <limits.h>
-#include <wtf/PassRefPtr.h>
 #include <wtf/RefCounted.h>
 #include <wtf/RefPtr.h>
 
@@ -49,12 +47,26 @@ public:
         return !m_buffer || m_buffer->isNeutered();
     }
     
-    PassRefPtr<ArrayBuffer> buffer() const
+    RefPtr<ArrayBuffer> possiblySharedBuffer() const
     {
         if (isNeutered())
-            return 0;
+            return nullptr;
         return m_buffer;
     }
+    
+    RefPtr<ArrayBuffer> unsharedBuffer() const
+    {
+        RefPtr<ArrayBuffer> result = possiblySharedBuffer();
+        RELEASE_ASSERT(!result->isShared());
+        return result;
+    }
+    
+    bool isShared() const
+    {
+        if (isNeutered())
+            return false;
+        return m_buffer->isShared();
+    }
 
     void* baseAddress() const
     {
@@ -63,6 +75,8 @@ public:
         return m_baseAddress;
     }
 
+    void* data() const { return baseAddress(); }
+
     unsigned byteOffset() const
     {
         if (isNeutered())
@@ -77,22 +91,20 @@ public:
 
     JS_EXPORT_PRIVATE virtual ~ArrayBufferView();
 
+    // Helper to verify byte offset is size aligned.
+    static bool verifyByteOffsetAlignment(unsigned byteOffset, size_t size)
+    {
+        return !(byteOffset & (size - 1));
+    }
+
     // Helper to verify that a given sub-range of an ArrayBuffer is
     // within range.
-    // FIXME: This should distinguish between alignment errors and bounds errors.
-    // https://bugs.webkit.org/show_bug.cgi?id=125391
-    template <typename T>
-    static bool verifySubRange(
-        PassRefPtr<ArrayBuffer> buffer,
-        unsigned byteOffset,
-        unsigned numElements)
+    static bool verifySubRangeLength(const ArrayBuffer& buffer, unsigned byteOffset, unsigned numElements, size_t size)
     {
-        unsigned byteLength = buffer->byteLength();
-        if (sizeof(T) > 1 && byteOffset % sizeof(T))
-            return false;
+        unsigned byteLength = buffer.byteLength();
         if (byteOffset > byteLength)
             return false;
-        unsigned remainingElements = (byteLength - byteOffset) / sizeof(T);
+        unsigned remainingElements = (byteLength - byteOffset) / size;
         if (numElements > remainingElements)
             return false;
         return true;
@@ -101,7 +113,7 @@ public:
     virtual JSArrayBufferView* wrap(ExecState*, JSGlobalObject*) = 0;
     
 protected:
-    JS_EXPORT_PRIVATE ArrayBufferView(PassRefPtr<ArrayBuffer>, unsigned byteOffset);
+    JS_EXPORT_PRIVATE ArrayBufferView(RefPtr<ArrayBuffer>&&, unsigned byteOffset);
 
     inline bool setImpl(ArrayBufferView*, unsigned byteOffset);
 
@@ -117,20 +129,20 @@ protected:
     // output offset is in number of bytes from the underlying buffer's view.
     template <typename T>
     static void clampOffsetAndNumElements(
-        PassRefPtr<ArrayBuffer> buffer,
+        const ArrayBuffer& buffer,
         unsigned arrayByteOffset,
         unsigned *offset,
         unsigned *numElements)
     {
         unsigned maxOffset = (UINT_MAX - arrayByteOffset) / sizeof(T);
         if (*offset > maxOffset) {
-            *offset = buffer->byteLength();
+            *offset = buffer.byteLength();
             *numElements = 0;
             return;
         }
         *offset = arrayByteOffset + *offset * sizeof(T);
-        *offset = std::min(buffer->byteLength(), *offset);
-        unsigned remainingElements = (buffer->byteLength() - *offset) / sizeof(T);
+        *offset = std::min(buffer.byteLength(), *offset);
+        unsigned remainingElements = (buffer.byteLength() - *offset) / sizeof(T);
         *numElements = std::min(remainingElements, *numElements);
     }
 
@@ -209,5 +221,3 @@ void ArrayBufferView::calculateOffsetAndLength(
 } // namespace JSC
 
 using JSC::ArrayBufferView;
-
-#endif // ArrayBufferView_h