Bug 1590539 - Filter atomics ops for type early. r=jorendorff

Spec compliance requires us to check the element type of the
TypedArray at the same time as we check it's a shared TypedArray, not
later.  This results in some tests being done twice, but only for the
slow C++ path.

Differential Revision: https://phabricator.services.mozilla.com/D50158

--HG--
extra : moz-landing-system : lando

js/src/builtin/AtomicsObject.cpp

@@ -88,7 +88,7 @@ static bool ReportOutOfRange(JSContext* cx) {
   return false;
 }
 
-static bool GetSharedTypedArray(JSContext* cx, HandleValue v,
+static bool GetSharedTypedArray(JSContext* cx, HandleValue v, bool waitable,
                                 MutableHandle<TypedArrayObject*> viewp) {
   if (!v.isObject()) {
     return ReportBadArrayType(cx);
@@ -100,6 +100,29 @@ static bool GetSharedTypedArray(JSContext* cx, HandleValue v,
   if (!viewp->isSharedMemory()) {
     return ReportBadArrayType(cx);
   }
+  if (waitable) {
+    switch (viewp->type()) {
+      case Scalar::Int32:
+      case Scalar::BigInt64:
+        break;
+      default:
+        return ReportBadArrayType(cx);
+    }
+  } else {
+    switch (viewp->type()) {
+      case Scalar::Int8:
+      case Scalar::Uint8:
+      case Scalar::Int16:
+      case Scalar::Uint16:
+      case Scalar::Int32:
+      case Scalar::Uint32:
+      case Scalar::BigInt64:
+      case Scalar::BigUint64:
+        break;
+      default:
+        return ReportBadArrayType(cx);
+    }
+  }
   return true;
 }
 
@@ -216,7 +239,7 @@ struct ArrayOps<uint64_t> {
 template <template <typename> class F, typename... Args>
 bool perform(JSContext* cx, HandleValue objv, HandleValue idxv, Args... args) {
   Rooted<TypedArrayObject*> view(cx, nullptr);
-  if (!GetSharedTypedArray(cx, objv, &view)) {
+  if (!GetSharedTypedArray(cx, objv, false, &view)) {
     return false;
   }
   uint32_t offset;
@@ -237,14 +260,13 @@ bool perform(JSContext* cx, HandleValue objv, HandleValue idxv, Args... args) {
       return F<int32_t>::run(cx, viewData.cast<int32_t*>() + offset, args...);
     case Scalar::Uint32:
       return F<uint32_t>::run(cx, viewData.cast<uint32_t*>() + offset, args...);
-    case Scalar::Float32:
-    case Scalar::Float64:
-    case Scalar::Uint8Clamped:
-      return ReportBadArrayType(cx);
     case Scalar::BigInt64:
       return F<int64_t>::run(cx, viewData.cast<int64_t*>() + offset, args...);
     case Scalar::BigUint64:
       return F<uint64_t>::run(cx, viewData.cast<uint64_t*>() + offset, args...);
+    case Scalar::Float32:
+    case Scalar::Float64:
+    case Scalar::Uint8Clamped:
     case Scalar::MaxTypedArrayViewType:
     case Scalar::Int64:
       break;
@@ -614,13 +636,10 @@ bool js::atomics_wait(JSContext* cx, unsigned argc, Value* vp) {
   MutableHandleValue r = args.rval();
 
   Rooted<TypedArrayObject*> view(cx, nullptr);
-  if (!GetSharedTypedArray(cx, objv, &view)) {
+  if (!GetSharedTypedArray(cx, objv, true, &view)) {
     return false;
   }
-
-  if (view->type() != Scalar::Int32 && view->type() != Scalar::BigInt64) {
-    return ReportBadArrayType(cx);
-  }
+  MOZ_ASSERT(view->type() == Scalar::Int32 || view->type() == Scalar::BigInt64);
 
   uint32_t offset;
   if (!GetTypedArrayIndex(cx, idxv, view, &offset)) {
@@ -686,12 +705,10 @@ bool js::atomics_notify(JSContext* cx, unsigned argc, Value* vp) {
   MutableHandleValue r = args.rval();
 
   Rooted<TypedArrayObject*> view(cx, nullptr);
-  if (!GetSharedTypedArray(cx, objv, &view)) {
+  if (!GetSharedTypedArray(cx, objv, true, &view)) {
     return false;
   }
-  if (view->type() != Scalar::Int32 && view->type() != Scalar::BigInt64) {
-    return ReportBadArrayType(cx);
-  }
+  MOZ_ASSERT(view->type() == Scalar::Int32 || view->type() == Scalar::BigInt64);
   uint32_t elementSize =
       view->type() == Scalar::Int32 ? sizeof(int32_t) : sizeof(int64_t);
   uint32_t offset;

js/src/tests/jstests.list

@@ -441,17 +441,6 @@ skip script test262/intl402/ListFormat/constructor/constructor/options-toobject-
 skip script test262/intl402/ListFormat/constructor/constructor/options-order.js
 skip script test262/intl402/ListFormat/constructor/constructor/options-type-valid.js
 
-# https://bugzilla.mozilla.org/show_bug.cgi?id=1590539
-skip script test262/built-ins/Atomics/add/validate-arraytype-before-index-coercion.js
-skip script test262/built-ins/Atomics/and/validate-arraytype-before-index-coercion.js
-skip script test262/built-ins/Atomics/compareExchange/validate-arraytype-before-index-coercion.js
-skip script test262/built-ins/Atomics/exchange/validate-arraytype-before-index-coercion.js
-skip script test262/built-ins/Atomics/load/validate-arraytype-before-index-coercion.js
-skip script test262/built-ins/Atomics/or/validate-arraytype-before-index-coercion.js
-skip script test262/built-ins/Atomics/store/validate-arraytype-before-index-coercion.js
-skip script test262/built-ins/Atomics/sub/validate-arraytype-before-index-coercion.js
-skip script test262/built-ins/Atomics/xor/validate-arraytype-before-index-coercion.js
-
 # https://bugzilla.mozilla.org/show_bug.cgi?id=1590543
 skip script test262/built-ins/String/prototype/matchAll/flags-nonglobal-throws.js
 skip script test262/built-ins/String/prototype/matchAll/flags-undefined-throws.js