Google Git
Sign in
webkit / WebKit / 073946215ebdb84e0e846fd86bc55466c6621458 / . / Source / JavaScriptCore / ChangeLog
blob: 0b80b3d749d59e7193cc157ca79d6c5afd631157 [file] [log] [blame]
2016-12-18 Mark Lam <mark.lam@apple.com>
Rename finallyActionRegister to completionTypeRegister and only store int JSValues in it.
https://bugs.webkit.org/show_bug.cgi?id=165979
Reviewed by Saam Barati.
This patch makes it so that we only store int JSValues in the finallyActionRegister
thereby making type prediction on this register more successful for JITs. In so
doing, we are able to get some additional benefits:
1. Renamed the following:
FinallyRegistersScope => CompletionRecordScope
finallyActionRegister => completionTypeRegister
finallyReturnValueRegister => completionValueRegister
These new names are more in line with the ES spec, which describes these
values as the completion record and its type and value properties.
https://tc39.github.io/ecma262/#sec-completion-record-specification-type
2. We now think of the Break and Continue jumpIDs as encodings of CompletionType
(in our implementation of completion type). As a result, we only need one of
each of the emitter methods for getting, setting, and compare-and-jump on the
completion type. The code using these methods also reads much clearer now.
3. Finally blocks' op_catch should now always pop the caught Exception object into
the completionValueRegister instead of the completionTypeRegister (formerly
finallyActionRegister).
Also removed the restoreScopeRegister() call in the IteratorClose catch block
because that is an implementation specific synthesized catch block, and we
can guarantee that it never needs to resolve any symbols from the scope. Hence,
there is no need to restore the scope register.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitEnumeration):
(JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
(JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
(JSC::BytecodeGenerator::emitFinallyCompletion):
(JSC::BytecodeGenerator::allocateCompletionRecordRegisters):
(JSC::BytecodeGenerator::releaseCompletionRecordRegisters):
(JSC::BytecodeGenerator::emitJumpIfCompletionType):
(JSC::BytecodeGenerator::allocateFinallyRegisters): Deleted.
(JSC::BytecodeGenerator::releaseFinallyRegisters): Deleted.
(JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf): Deleted.
* bytecompiler/BytecodeGenerator.h:
(JSC::bytecodeOffsetToJumpID):
(JSC::FinallyJump::FinallyJump):
(JSC::FinallyContext::registerJump):
(JSC::BytecodeGenerator::CompletionRecordScope::CompletionRecordScope):
(JSC::BytecodeGenerator::CompletionRecordScope::~CompletionRecordScope):
(JSC::BytecodeGenerator::completionTypeRegister):
(JSC::BytecodeGenerator::completionValueRegister):
(JSC::BytecodeGenerator::emitSetCompletionType):
(JSC::BytecodeGenerator::emitSetCompletionValue):
(JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope): Deleted.
(JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope): Deleted.
(JSC::BytecodeGenerator::finallyActionRegister): Deleted.
(JSC::BytecodeGenerator::finallyReturnValueRegister): Deleted.
(JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion): Deleted.
(JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion): Deleted.
(JSC::BytecodeGenerator::emitSetFinallyActionToJumpID): Deleted.
(JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister): Deleted.
(JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion): Deleted.
(JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump): Deleted.
(JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion): Deleted.
(JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion): Deleted.
(JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion): Deleted.
(JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow): Deleted.
(JSC::BytecodeGenerator::bytecodeOffsetToJumpID): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::TryNode::emitBytecode):
2016-12-17 Saam Barati <sbarati@apple.com>
WebAssembly: WasmB3IRGenerator uses WarmAny as a ValueRep but expects the incoming value to be a register
https://bugs.webkit.org/show_bug.cgi?id=165989
Reviewed by Mark Lam.
The input should be constrained to a register to match what
the patchpoint code expects.
* wasm/WasmB3IRGenerator.cpp:
2016-12-17 Saam Barati <sbarati@apple.com>
WebAssembly: Change a RELEASE_ASSERT_NOT_REACHED to a jit.breakpoint() for now to allow us to run some wasm benchmarks
https://bugs.webkit.org/show_bug.cgi?id=165990
Reviewed by Mark Lam.
* wasm/WasmBinding.cpp:
(JSC::Wasm::importStubGenerator):
2016-12-16 Joseph Pecoraro <pecoraro@apple.com>
JSContext Inspector: Avoid some possible exceptions inspecting a JSContext
https://bugs.webkit.org/show_bug.cgi?id=165986
<rdar://problem/29551379>
Reviewed by Matt Baker.
* inspector/InjectedScriptSource.js:
(InjectedScript.prototype.processProperties):
Prefer String.prototype.endsWith now that it is available.
(InjectedScript.prototype._describe):
Prefer Function.prototype.toString for converting functions to String.
Previously we were doing String(f) which would to Symbol.toPrimitive
conversion which seems unnecessary here.
2016-12-16 Michael Catanzaro <mcatanzaro@igalia.com>
Unreviewed, fix GCC 6 build failure after r209952
Return false, not nullptr, in function returning bool.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
2016-12-16 Saam Barati <sbarati@apple.com>
WebAssembly: We still have some incorrect parsing productions inside unreachable code
https://bugs.webkit.org/show_bug.cgi?id=165981
Reviewed by Keith Miller.
This hardens our parsing for CallIndirect and Loop/Block/If to be exactly like their reachable variant.
It also fixes a more nefarious bug in which we were decoding an extra varuint32
for Br/BrIf inside unreachable code.
* wasm/WasmFunctionParser.h:
2016-12-16 Filip Pizlo <fpizlo@apple.com>
CellState should have members with accurate names
https://bugs.webkit.org/show_bug.cgi?id=165969
Reviewed by Mark Lam.
This once again renames the members in CellState. I wanted to convey the following
pieces of information in the names:
- What does the state mean for Generational GC?
- What does the state mean for Concurrent GC?
- Does the state guarantee what it means, or is there some contingency?
The names I came up with are:
PossiblyOldOrBlack: An object in this state may be old, or may be black, depending on
other things. If the mark bit is set then the object is either black or being
blackened as we speak. It's going to survive the GC, so it will be old, but may be
new now. In between GCs, objects in this state are definitely old. If the mark bit
is not set, then the object is actually old and white.
DefinitelyNewAndWhite: The object was just allocated so it is white (not marked) and
new.
DefinitelyGrey: The object is definitely grey - it will be rescanned in the future. It
may be new or old depending on other things.
* heap/CellState.h:
* heap/Heap.cpp:
(JSC::Heap::addToRememberedSet):
(JSC::Heap::writeBarrierSlowPath):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::appendJSCellOrAuxiliary):
(JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
(JSC::SlotVisitor::appendToMarkStack):
(JSC::SlotVisitor::visitChildren):
* runtime/JSCellInlines.h:
(JSC::JSCell::JSCell):
* runtime/StructureIDBlob.h:
(JSC::StructureIDBlob::StructureIDBlob):
2016-12-16 Saam Barati <sbarati@apple.com>
B3::DoubleToFloatReduction will accidentally convince itself it converted a Phi from Double to Float and then convert uses of that Phi into a use of FloatToDouble(@Phi)
https://bugs.webkit.org/show_bug.cgi?id=165946
Reviewed by Keith Miller.
This was happening because the phase will convert some Phi nodes
from Double to Float. However, one place that did this conversion
forgot to first check if the Phi was already a Float. If it's already
a Float, a later part of the phase will be buggy if the phase claims that it has
converted it from Double->Float. The reason is that at the end of the
phase, we'll look for all uses of former Double Phi nodes and make them
be a use of ConvertFloatToDouble on the Phi, instead of a use of the Phi itself.
This is clearly wrong if the Phi were Float to begin with (and
therefore, the uses were Float uses to begin with).
* b3/B3ReduceDoubleToFloat.cpp:
* b3/testb3.cpp:
(JSC::B3::testReduceFloatToDoubleValidates):
(JSC::B3::run):
2016-12-16 Mark Lam <mark.lam@apple.com>
De-duplicate finally blocks.
https://bugs.webkit.org/show_bug.cgi?id=160168
Reviewed by Keith Miller.
JS execution can arrive at a finally block when there are abrupt completions from
its try or catch block. The abrupt completion types include Break,
Continue, Return, and Throw. The non-abrupt completion type is called Normal
(i.e. the case of a try block falling through to the finally block).
Previously, we enable each of these paths for abrupt completion (except for Throw)
to run the finally block code by duplicating the finally block code at each of
the sites that trigger those completions. This patch fixes the implementation so
that each of these abrupt completions will set a finallyActionRegister (plus a
finallyReturnValueRegister for CompletionType::Return) and then jump to the
relevant finally blocks, and continue to thread through subsequent outer finally
blocks until execution reaches the outermost finally block that the completion
type dictates. We no longer duplicate the finally block code.
The implementation details:
1. We allocate a pair of finallyActionRegister and finallyReturnValueRegister
just before entering the outermost try-catch-finally scope.
On allocating the registers, we set them to the empty JSValue. This serves
to set the completion type to CompletionType::Normal (see (2) below).
2. The finallyActionRegister serves 2 purpose:
a. indicates the CompletionType that triggered entry into the finally block.
This is how we encode the completion type in the finallyActionRegister:
1. CompletionType::Normal
- finallyActionRegister is set to the empty JSValue.
2. CompletionType::Break
- finallyActionRegister is set to the int jumpID for the site of the break statement.
3. CompletionType::Continue
- finallyActionRegister is set to the int jumpID for the site of the continue statement.
4. CompletionType::Return
- finallyActionRegister is set to CompletionType::Return as an int JSValue.
- finallyReturnValueRegister is set to the value to be returned.
5. CompletionType::Throw
- finallyActionRegister is set to the exception object that was caught by the finally block.
Hence, if the finallyActionRegister can either be:
1. empty i.e. we're handling CompletionType::Normal.
2. an int JSValue i.e. we're handling CompletionType::Break, Continue, or Return.
3. an object i.e. we're handling CompletionType::Throw.
b. stores the exception caught in the finally block if we're handing
CompletionType::Throw.
3. Each finally block will have 2 entries:
a. the entry via throw.
b. the normal entry.
The entry via throw is recorded in the codeBlock's exception table, and can
only be jumped to by the VM's exception handling mechanism.
The normal entry is recorded in a FinallyContext (at bytecode generation time
only) and is jumped to when we want enter the finally block due any of the
other CompletionTypes.
4. CompletionType::Normal
======================
We encounter this when falling through from a try or catch block to the finally block.
For the try block case, since finallyActionRegister is set to Normal by default,
there's nothing more that needs to be done.
For the catch block case, since we entered the catch block with an exception,
finallyActionRegister may be set to Throw. We'll need to set it to Normal
before jumping to the finally block's normal entry.
CompletionType::Break
=====================
When we emit bytecode for the BreakNode, we check if we have any FinallyContexts
that we need to service before jumping to the breakTarget. If we do, then:
a. we'll register a jumpID along with the breakTarget with the outermost FinallyContext.
b. we'll also increment the numberOfBreaksOrContinues count in each FinallyContext
from the innermost to the outermost.
c. instead of emitting bytecode to jump to the breakTarget, we:
1. emit bytecode to set finallyActionRegister to the jumpID.
b. emit bytecode to jump to the normal entry of the innermost finally block.
Each finally block will take care of cascading to the next outer finally block
as needed (see (5) below).
CompletionType::Continue
========================
Since continues and breaks work the same way (i.e. with a jump), we handle this
exactly the same way as CompletionType::Break, except that we use the
continueTarget instead of the breakTarget.
CompletionType::Return
======================
When we emit bytecode for the ReturnNode, we check if we have any FinallyContexts
at all on the m_controlFlowScopeStack.
If so, then instead of emitting op_ret, we:
1. emit bytecode to set finallyActionRegister to the CompletionType::Return.
1. emit bytecode to move the return value into finallyReturnValueRegister.
2. emit bytecode to jump to the normal entry of the innermost finally block.
Each finally block will take care of cascading to the next outer finally block
as needed (see (5) below).
CompletionType::Throw
======================
The op_catch of a finally block will always store the caught exception object
in the finallyActionRegister. This means we're handling CompletionType::Throw
(see (2) above).
5. What happens in each finally block?
==================================
Only the finally block's entry via throw will have an op_catch that catches the
pending exception (and stores it in the finallyActionRegister). This throw
entry then falls through to the normal entry.
The finally block's normal entry will restore the scope of the finally block
and proceed to execute its code.
At the end of the finally block (see emitFinallyCompletion()), the finally
block will check the finallyActionRegister for each completion type in the
following order:
a. CompletionType::Normal: jump to the code after the finally block as
designated by a normalCompletion label.
b. CompletionType::Break and Continue:
If the FinallyContext for this block has registered FinallyJumps, we'll
check for the jumpIDs against the finallyActionRegister. If the jumpID
matches, jump to the corresponding jumpTarget.
If no jumpIDs match but the FinallyContext's numberOfBreaksOrContinues is
greater than the number of registered FinallyJumps, then this means that
we have a Break or Continue that needs to be handled by an outer finally
block. In that case, jump to the outer finally block's normal entry.
c. CompletionType::Return:
If this finally block is not the outermost and finallyActionRegister contains
CompletionType::Return, then jump to the outer finally block's normal entry.
Otherwise, if this finally block is the outermost and finallyActionRegister
contains CompletionType::Return, then execute op_ret and return the value
in finallyReturnValueRegister.
d. CompletionType::Throw:
If we're not handling any of the above cases, then just throw the
finallyActionRegister which contains the exception to re-throw.
6. restoreScopeRegister()
Since the needed scope objects are always stored in a local, we can restore
the scope register by simply moving from that local instead of going through
op_get_parent_scope.
7. m_controlFlowScopeStack needs to be a SegmentedVector instead of a Vector.
This makes it easier to keep a pointer to the FinallyContext on that stack,
and not have to worry about the vector being realloc'ed due to resizing.
Performance appears to be neutral both on ES6SampleBench (run via cli) and the
JSC benchmarks.
Relevant spec references:
https://tc39.github.io/ecma262/#sec-completion-record-specification-type
https://tc39.github.io/ecma262/#sec-try-statement-runtime-semantics-evaluation
* bytecode/HandlerInfo.h:
(JSC::HandlerInfoBase::typeName):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitReturn):
(JSC::BytecodeGenerator::pushFinallyControlFlowScope):
(JSC::BytecodeGenerator::popFinallyControlFlowScope):
(JSC::BytecodeGenerator::allocateAndEmitScope):
(JSC::BytecodeGenerator::pushTry):
(JSC::BytecodeGenerator::popTry):
(JSC::BytecodeGenerator::emitCatch):
(JSC::BytecodeGenerator::restoreScopeRegister):
(JSC::BytecodeGenerator::labelScopeDepthToLexicalScopeIndex):
(JSC::BytecodeGenerator::labelScopeDepth):
(JSC::BytecodeGenerator::pushLocalControlFlowScope):
(JSC::BytecodeGenerator::popLocalControlFlowScope):
(JSC::BytecodeGenerator::emitEnumeration):
(JSC::BytecodeGenerator::emitIsNumber):
(JSC::BytecodeGenerator::emitYield):
(JSC::BytecodeGenerator::emitDelegateYield):
(JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
(JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
(JSC::BytecodeGenerator::emitFinallyCompletion):
(JSC::BytecodeGenerator::allocateFinallyRegisters):
(JSC::BytecodeGenerator::releaseFinallyRegisters):
(JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf):
(JSC::BytecodeGenerator::pushIteratorCloseControlFlowScope): Deleted.
(JSC::BytecodeGenerator::popIteratorCloseControlFlowScope): Deleted.
(JSC::BytecodeGenerator::emitComplexPopScopes): Deleted.
(JSC::BytecodeGenerator::emitPopScopes): Deleted.
(JSC::BytecodeGenerator::popTryAndEmitCatch): Deleted.
* bytecompiler/BytecodeGenerator.h:
(JSC::FinallyJump::FinallyJump):
(JSC::FinallyContext::FinallyContext):
(JSC::FinallyContext::outerContext):
(JSC::FinallyContext::finallyLabel):
(JSC::FinallyContext::depth):
(JSC::FinallyContext::numberOfBreaksOrContinues):
(JSC::FinallyContext::incNumberOfBreaksOrContinues):
(JSC::FinallyContext::handlesReturns):
(JSC::FinallyContext::setHandlesReturns):
(JSC::FinallyContext::registerJump):
(JSC::FinallyContext::numberOfJumps):
(JSC::FinallyContext::jumps):
(JSC::ControlFlowScope::ControlFlowScope):
(JSC::ControlFlowScope::isLabelScope):
(JSC::ControlFlowScope::isFinallyScope):
(JSC::BytecodeGenerator::currentLexicalScopeIndex):
(JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope):
(JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope):
(JSC::BytecodeGenerator::finallyActionRegister):
(JSC::BytecodeGenerator::finallyReturnValueRegister):
(JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion):
(JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion):
(JSC::BytecodeGenerator::emitSetFinallyActionToJumpID):
(JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister):
(JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion):
(JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump):
(JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion):
(JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion):
(JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion):
(JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow):
(JSC::BytecodeGenerator::bytecodeOffsetToJumpID):
(JSC::BytecodeGenerator::isInFinallyBlock): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::ContinueNode::emitBytecode):
(JSC::BreakNode::emitBytecode):
(JSC::ReturnNode::emitBytecode):
(JSC::TryNode::emitBytecode):
2016-12-16 Keith Miller <keith_miller@apple.com>
Add missing cases to parseUnreachableExpression and cleanup FunctionParser
https://bugs.webkit.org/show_bug.cgi?id=165966
Reviewed by Saam Barati.
This patch adds a number of missing cases to the Wasm FunctionParser's unreachable
code decoder. It also, removes unneeded OpType namespaces where they were not
needed and has the unary / binary macros cover all the cases rather than
just the simple cases.
* wasm/WasmFunctionParser.h:
2016-12-16 Mark Lam <mark.lam@apple.com>
Add predecessor info to dumps from JSC_dumpBytecodeLivenessResults=true.
https://bugs.webkit.org/show_bug.cgi?id=165958
Reviewed by Saam Barati.
Also:
1. refactored the code to use a common lambda function to dump FastBitVectors.
2. list successors by their block index instead of pointers.
* bytecode/BytecodeLivenessAnalysis.cpp:
(JSC::BytecodeLivenessAnalysis::dumpResults):
2016-12-16 Saam Barati <sbarati@apple.com>
WebAssembly: WasmB3IRGenerator should throw exceptions instead of crash
https://bugs.webkit.org/show_bug.cgi?id=165834
Reviewed by Keith Miller.
This patch generalizes how we throw exceptions in the Wasm::B3IRGenerator.
There are still places where we need to throw exceptions and we don't, but
this patch removes most of those places inside the IR generator. There are
still a few places we need to throw exceptions inside the IR generator, like
div/mod by 0. Those will be done in a separate patch. Also, there are
still some stubs we need to throw exceptions from; those will also be
done in a separate patch.
All exceptions thrown from Wasm share a common stub. The ABI for the stub
is to move the Wasm::ExceptionType into argGPR1 and jump to the stub.
The stub will then throw an exception with an error message tailored
to the particular Wasm::ExceptionType failure.
This patch also refactors B3::Compilation. Before, B3::Compilation(VM, Procedure)
constructor would compile a B3 function. This patch makes B3::Compilation a simple
tuple that keeps the necessary bits of B3 function alive in order to be runnable.
There is a new function that actually does the compilation for you. It is:
Compilation B3::compile(VM&, Procedure&)
The reason for this change is that I'm now using B3::Compilation(CodeRef, OpaqueByproducts)
constructor in Wasm code. It is weird to have a class both have a
constructor that instantiates the tuple, and another that performs the
compilation and then instantiates the tuple. It's more straight
forward if Compilation's job wasn't to actually do the compilation
but just to hold the necessary bits to keep a compiled B3 alive.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* b3/B3Compilation.cpp:
(JSC::B3::Compilation::Compilation):
* b3/B3Compilation.h:
* b3/B3Compile.cpp: Added.
(JSC::B3::compile):
* b3/B3Compile.h: Added.
* b3/testb3.cpp:
(JSC::B3::compile):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromWasmThunkGenerator):
* jit/ThunkGenerators.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::emitExceptionCheck):
(JSC::Wasm::createJSToWasmWrapper):
(JSC::Wasm::parseAndCompile):
* wasm/WasmExceptionType.h: Added.
(JSC::Wasm::errorMessageForExceptionType):
2016-12-16 Keith Miller <keith_miller@apple.com>
i64.eqz should use an Int64 zero
https://bugs.webkit.org/show_bug.cgi?id=165942
Reviewed by Mark Lam.
This patch fixes i64.eqz, which was using an Int32 zero
for the comparison previously. This patch also, adds
printing opcodes names in verbose mode.
* wasm/WasmFunctionParser.h:
* wasm/generateWasmOpsHeader.py:
* wasm/wasm.json:
2016-12-15 Darin Adler <darin@apple.com>
Use asString instead of toWTFString, toString, or getString when we already checked isString
https://bugs.webkit.org/show_bug.cgi?id=165895
Reviewed by Yusuke Suzuki.
Once we have called isString, we should always use asString and value rather than using
functions that have to deal with non-JSString objects. This leads to slightly fewer branches,
slightly less reference count churn, since the string is stored right inside the JSString,
and obviates the need for exception handling.
* bindings/ScriptValue.cpp:
(Inspector::jsToInspectorValue): Use asString/value instead of getString.
* dfg/DFGOperations.cpp:
(JSC::DFG::operationMapHash): Call jsMapHash with its new arguments.
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::evaluateWithScopeExtension): Use asString/value instead
of toWTFString.
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension): Ditto.
* inspector/agents/InspectorHeapAgent.cpp:
(Inspector::InspectorHeapAgent::getPreview): Use asString/tryGetValue, instead of the
peculiar getString(nullptr) that was here before.
* jsc.cpp:
(functionGetGetterSetter): Use asString/toIdentifier instead of the much less efficient
toWTFString/Identifier::fromString.
(functionIsRope): Use asString instead of jsCast<JSString*>; same thing, but we should
prefer the asString function, since it exists.
(functionFindTypeForExpression): Use asString/value instead of getString.
(functionHasBasicBlockExecuted): Ditto.
(functionBasicBlockExecutionCount): Ditto.
(functionCreateBuiltin): Use asString/value instead of toWTFString and removed
unneeded RETURN_IF_EXCEPTION.
(valueWithTypeOfWasmValue): Use asString instead of jsCast<String*>.
(box): Ditto.
* runtime/DateConstructor.cpp:
(JSC::constructDate): Use asString/values instead of getString.
* runtime/ExceptionHelpers.cpp:
(JSC::errorDescriptionForValue): Tweaked formatting.
* runtime/HashMapImpl.h:
(JSC::jsMapHash): Changed this function to use asString/value.
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpInContextAssumingStructure): Use asString instead of
jsCast<JSString*>.
(JSC::JSValue::dumpForBacktrace): Ditto.
* runtime/JSCJSValueInlines.h:
(JSC::toPreferredPrimitiveType): Ditto.
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncEval): Use asString/value instead of toWTFString.
* runtime/JSString.cpp:
(JSC::JSString::destroy): Streamlined by removing local variable.
(JSC::JSString::estimatedSize): Use asString instead of jsCast<JSString*>.
(JSC::JSString::visitChildren): Ditto.
(JSC::JSString::toThis): Ditto.
* runtime/JSString.h:
(JSC::JSValue::toString): Ditto.
(JSC::JSValue::toStringOrNull): Ditto.
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncValueOf): Ditto.
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncToString): Ditto.
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncRepeatCharacter): Ditto.
(JSC::stringProtoFuncSubstr): Ditto.
(JSC::builtinStringSubstrInternal): Simplified assertion by removing local variable.
2016-12-15 Keith Miller <keith_miller@apple.com>
Fix validation of non-void if blocks with no else
https://bugs.webkit.org/show_bug.cgi?id=165938
Reviewed by Saam Barati.
We should not have been allowing non-void if-blocks that don't
have an else. Since this causes a value to be placed on the
stack that only appears under some control flow and not another.
* wasm/WasmValidate.cpp:
2016-12-15 Filip Pizlo <fpizlo@apple.com>
Get rid of HeapRootVisitor and make SlotVisitor less painful to use
https://bugs.webkit.org/show_bug.cgi?id=165911
Reviewed by Geoffrey Garen.
Previously we had two ways of adding a raw pointer to the GC's mark stack:
- SlotVisitor::appendUnbarrieredXYZ() methods
- HeapRootVisitor::visit() methods
HeapRootVisitor existed only to prevent you from calling its non-WriteBarrier<> methods
unless you had permission. But SlotVisitor would let you do it anyway, because that was
a lot more practical.
I think that we should just have one way to do it. This removes HeapRootVisitor. It
also renames appendUnbarrieredXYZ to appendUnbarriered, and it removes the use of extra
indirection (so you now pass const WriteBarrier<>& instead of WriteBarrier<>*).
* API/JSCallbackObject.h:
(JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
* JavaScriptCore.xcodeproj/project.pbxproj:
* Scripts/builtins/builtins_templates.py:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitWeakly):
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::determineLiveness):
(JSC::CodeBlock::visitOSRExitTargets):
(JSC::CodeBlock::stronglyVisitStrongReferences):
(JSC::CodeBlock::stronglyVisitWeakReferences):
* bytecode/DirectEvalCodeCache.cpp:
(JSC::DirectEvalCodeCache::visitAggregate):
* bytecode/InternalFunctionAllocationProfile.h:
(JSC::InternalFunctionAllocationProfile::visitAggregate):
* bytecode/ObjectAllocationProfile.h:
(JSC::ObjectAllocationProfile::visitAggregate):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::propagateTransitions):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::visitChildren):
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::visitChildren):
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::visitChildren):
* dfg/DFGDesiredTransitions.cpp:
(JSC::DFG::DesiredTransition::visitChildren):
* dfg/DFGDesiredWeakReferences.cpp:
(JSC::DFG::DesiredWeakReferences::visitChildren):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::visitChildren):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::markCodeBlocks):
(JSC::DFG::Plan::checkLivenessAndVisitChildren):
* heap/HandleSet.cpp:
(JSC::HandleSet::visitStrongHandles):
* heap/HandleSet.h:
* heap/HandleStack.cpp:
(JSC::HandleStack::visit):
* heap/HandleStack.h:
* heap/Heap.cpp:
(JSC::Heap::markToFixpoint):
* heap/Heap.h:
* heap/HeapRootVisitor.h: Removed.
* heap/LargeAllocation.cpp:
(JSC::LargeAllocation::visitWeakSet):
* heap/LargeAllocation.h:
* heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::visitWeakSet):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::visitWeakSets):
* heap/MarkedSpace.h:
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::appendUnbarriered):
* heap/SlotVisitor.h:
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::appendUnbarriered):
(JSC::SlotVisitor::append):
(JSC::SlotVisitor::appendHidden):
(JSC::SlotVisitor::appendValues):
(JSC::SlotVisitor::appendValuesHidden):
(JSC::SlotVisitor::appendUnbarrieredPointer): Deleted.
(JSC::SlotVisitor::appendUnbarrieredReadOnlyPointer): Deleted.
(JSC::SlotVisitor::appendUnbarrieredValue): Deleted.
(JSC::SlotVisitor::appendUnbarrieredReadOnlyValue): Deleted.
(JSC::SlotVisitor::appendUnbarrieredWeak): Deleted.
* heap/WeakBlock.cpp:
(JSC::WeakBlock::specializedVisit):
(JSC::WeakBlock::visit):
* heap/WeakBlock.h:
* heap/WeakSet.h:
(JSC::WeakSet::visit):
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::visitChildren):
* jit/GCAwareJITStubRoutine.cpp:
(JSC::MarkingGCAwareJITStubRoutine::markRequiredObjectsInternal):
* jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
* jsc.cpp:
(WTF::Element::visitChildren):
(WTF::ImpureGetter::visitChildren):
(WTF::SimpleObject::visitChildren):
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::visitChildren):
* runtime/ArgList.cpp:
(JSC::MarkedArgumentBuffer::markLists):
* runtime/ArgList.h:
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::visitChildren):
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::visitChildren):
* runtime/EvalExecutable.cpp:
(JSC::EvalExecutable::visitChildren):
* runtime/Exception.cpp:
(JSC::Exception::visitChildren):
* runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::visitChildren):
* runtime/FunctionRareData.cpp:
(JSC::FunctionRareData::visitChildren):
* runtime/GetterSetter.cpp:
(JSC::GetterSetter::visitChildren):
* runtime/HashMapImpl.cpp:
(JSC::HashMapBucket<Data>::visitChildren):
(JSC::HashMapImpl<HashMapBucket>::visitChildren):
* runtime/InferredTypeTable.cpp:
(JSC::InferredTypeTable::visitChildren):
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::visitChildren):
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::visitChildren):
* runtime/IntlCollatorConstructor.cpp:
(JSC::IntlCollatorConstructor::visitChildren):
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::visitChildren):
* runtime/IntlDateTimeFormatConstructor.cpp:
(JSC::IntlDateTimeFormatConstructor::visitChildren):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::visitChildren):
* runtime/IntlNumberFormatConstructor.cpp:
(JSC::IntlNumberFormatConstructor::visitChildren):
* runtime/JSBoundFunction.cpp:
(JSC::JSBoundFunction::visitChildren):
* runtime/JSCallee.cpp:
(JSC::JSCallee::visitChildren):
* runtime/JSCellInlines.h:
(JSC::JSCell::visitChildren):
* runtime/JSCustomGetterSetterFunction.cpp:
(JSC::JSCustomGetterSetterFunction::visitChildren):
* runtime/JSFunction.cpp:
(JSC::JSFunction::visitChildren):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::visitChildren):
* runtime/JSMapIterator.cpp:
(JSC::JSMapIterator::visitChildren):
* runtime/JSModuleEnvironment.cpp:
(JSC::JSModuleEnvironment::visitChildren):
* runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::visitChildren):
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::visitChildren):
* runtime/JSNativeStdFunction.cpp:
(JSC::JSNativeStdFunction::visitChildren):
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterflyImpl):
* runtime/JSPromiseDeferred.cpp:
(JSC::JSPromiseDeferred::visitChildren):
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::visitChildren):
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::visitChildren):
* runtime/JSProxy.cpp:
(JSC::JSProxy::visitChildren):
* runtime/JSScope.cpp:
(JSC::JSScope::visitChildren):
* runtime/JSSegmentedVariableObject.cpp:
(JSC::JSSegmentedVariableObject::visitChildren):
* runtime/JSSetIterator.cpp:
(JSC::JSSetIterator::visitChildren):
* runtime/JSString.cpp:
(JSC::JSRopeString::visitFibers):
* runtime/JSSymbolTableObject.cpp:
(JSC::JSSymbolTableObject::visitChildren):
* runtime/JSWeakMap.cpp:
(JSC::JSWeakMap::visitChildren):
* runtime/JSWeakSet.cpp:
(JSC::JSWeakSet::visitChildren):
* runtime/JSWithScope.cpp:
(JSC::JSWithScope::visitChildren):
* runtime/JSWrapperObject.cpp:
(JSC::JSWrapperObject::visitChildren):
* runtime/LazyClassStructure.cpp:
(JSC::LazyClassStructure::visit):
* runtime/LazyPropertyInlines.h:
(JSC::ElementType>::visit):
* runtime/MapBase.cpp:
(JSC::MapBase<HashMapBucketType>::visitChildren):
* runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::visitChildren):
* runtime/NativeErrorConstructor.cpp:
(JSC::NativeErrorConstructor::visitChildren):
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::visitChildren):
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::visitChildren):
* runtime/ProxyRevoke.cpp:
(JSC::ProxyRevoke::visitChildren):
* runtime/RegExpCachedResult.cpp:
(JSC::RegExpCachedResult::visitChildren):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::visitChildren):
* runtime/RegExpPrototype.cpp:
(JSC::RegExpPrototype::visitChildren):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::visit):
* runtime/ScopedArguments.cpp:
(JSC::ScopedArguments::visitChildren):
* runtime/SmallStrings.cpp:
(JSC::SmallStrings::visitStrongReferences):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::visitChildren):
* runtime/Structure.cpp:
(JSC::Structure::visitChildren):
(JSC::Structure::markIfCheap):
* runtime/StructureChain.cpp:
(JSC::StructureChain::visitChildren):
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::visitChildren):
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::visitChildren):
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::visit):
* runtime/WeakMapData.cpp:
(JSC::WeakMapData::DeadKeyCleaner::visitWeakReferences):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::visitChildren):
* wasm/js/JSWebAssemblyMemory.cpp:
(JSC::JSWebAssemblyMemory::visitChildren):
* wasm/js/JSWebAssemblyModule.cpp:
(JSC::JSWebAssemblyModule::visitChildren):
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::visitChildren):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::visitChildren):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::visitChildren):
2016-12-15 Myles C. Maxfield <mmaxfield@apple.com>
Sort Xcode project files
https://bugs.webkit.org/show_bug.cgi?id=165937
Reviewed by Simon Fraser.
* JavaScriptCore.xcodeproj/project.pbxproj:
2016-12-15 Keith Miller <keith_miller@apple.com>
Wasm should not create empty unlinked callsites
https://bugs.webkit.org/show_bug.cgi?id=165933
Reviewed by Mark Lam.
Wasm would create holes in the unlinked callsite vector if B3 was able to
eliminate the callsite.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addCall):
2016-12-15 JF Bastien <jfbastien@apple.com>
WebAssembly: improve compilation error messages
https://bugs.webkit.org/show_bug.cgi?id=163919
Reviewed by Saam Barati.
The error handling messages were underwhelming because most
locations merely returned `false` on failure. This patch uses
std::expected to denote that failure isn't expected. Doing this
makes it almost impossible to mess up the code: either a function
returns a result (or a partial result for internal helpers) or an
error. We're not synchronizing the error string with the m_failed
bool anymore, and the caller will abort if they try to get a
result but the outcome was an error.
This also shortens the code significantly using macros, while also
judiciously preventing inlining of error handling code and biasing
towards success using UNLIKELY. This means that the generated code
should be more efficient (no string formatting on success, and
regalloc can avoid these unlikely paths).
The patch adds a few missing checks as well, especially related to
count limits and memory allocation failure.
As a follow-up I'd like to improve WTF::makeString further, so it
does coercions to string and understands ADL as I did in this
patch.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::fail):
(JSC::Wasm::parseAndCompile):
* wasm/WasmB3IRGenerator.h:
* wasm/WasmFormat.h:
(JSC::Wasm::isValidExternalKind):
(JSC::Wasm::makeString):
* wasm/WasmFunctionParser.h:
* wasm/WasmModuleParser.cpp:
* wasm/WasmModuleParser.h:
* wasm/WasmParser.h:
(JSC::Wasm::FailureHelper::makeString):
(JSC::Wasm::Parser::fail):
(JSC::Wasm::Parser<SuccessType>::Parser):
(JSC::Wasm::Parser<SuccessType>::consumeCharacter):
(JSC::Wasm::Parser<SuccessType>::consumeString):
(JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
(JSC::Wasm::Parser<SuccessType>::parseVarUInt32):
(JSC::Wasm::Parser<SuccessType>::parseVarUInt64):
(JSC::Wasm::Parser<SuccessType>::parseVarInt32):
(JSC::Wasm::Parser<SuccessType>::parseVarInt64):
(JSC::Wasm::Parser<SuccessType>::parseUInt32):
(JSC::Wasm::Parser<SuccessType>::parseUInt64):
(JSC::Wasm::Parser<SuccessType>::parseUInt8):
(JSC::Wasm::Parser<SuccessType>::parseInt7):
(JSC::Wasm::Parser<SuccessType>::parseUInt7):
(JSC::Wasm::Parser<SuccessType>::parseVarUInt1):
(JSC::Wasm::Parser<SuccessType>::parseResultType):
(JSC::Wasm::Parser<SuccessType>::parseValueType):
(JSC::Wasm::Parser<SuccessType>::parseExternalKind):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::run):
* wasm/WasmSections.h:
(JSC::Wasm::isValidSection):
(JSC::Wasm::validateOrder):
(JSC::Wasm::makeString):
* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::fail):
(JSC::Wasm::Validate::addUnreachable):
(JSC::Wasm::validateFunction):
* wasm/WasmValidate.h:
* wasm/generateWasmB3IRGeneratorInlinesHeader.py:
* wasm/generateWasmOpsHeader.py:
* wasm/generateWasmValidateInlinesHeader.py:
(loadMacro):
(storeMacro):
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
2016-12-15 JF Bastien <jfbastien@apple.com>
WebAssembly API: improve data section errors, initialize after Element
https://bugs.webkit.org/show_bug.cgi?id=165733
Reviewed by Keith Miller.
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parseData): Data section without Memory section or import is a validation error
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::dataSegmentFail):
(JSC::WebAssemblyModuleRecord::evaluate): tighten checks (though the spec isn't fully baked), and move after Element initialization
2016-12-15 Keith Miller <keith_miller@apple.com>
Turn on WebAssembly by default
https://bugs.webkit.org/show_bug.cgi?id=165918
Reviewed by Saam Barati.
* runtime/Options.h:
2016-12-15 Konstantin Tokarev <annulen@yandex.ru>
Added missing override and final specifiers
https://bugs.webkit.org/show_bug.cgi?id=165903
Reviewed by Darin Adler.
* bytecompiler/BytecodeGenerator.h:
* jsc.cpp:
* parser/Nodes.h:
2016-12-15 Chris Dumez <cdumez@apple.com>
Harden JSObject::getOwnPropertyDescriptor()
https://bugs.webkit.org/show_bug.cgi?id=165908
Reviewed by Geoffrey Garen.
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertyDescriptor):
2016-12-15 Keith Miller <keith_miller@apple.com>
Fix 64-bit shift family Wasm opcodes
https://bugs.webkit.org/show_bug.cgi?id=165902
Reviewed by Geoffrey Garen.
The Int64 versions of the shift family B3 opcodes take an Int32
for the shift value. Wasm, however, takes an i64, so we need to
Trunc the shift value. Also, this fixes a bug where shr_u mapped
to signed shift and shr_s mapped to the unsigned shift.
* wasm/wasm.json:
2016-12-14 Keith Miller <keith_miller@apple.com>
Wasm should decode constants correctly
https://bugs.webkit.org/show_bug.cgi?id=165886
Reviewed by Saam Barati.
This patch fixes how we decode the constant part of i32, i64, f32,
and f64.const opcodes.
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* wasm/wasm.json:
2016-12-14 Saam Barati <sbarati@apple.com>
WebAssembly: Add various low hanging fruit that will allow us to run the LLVM torture tests in Wasm
https://bugs.webkit.org/show_bug.cgi?id=165883
Reviewed by Keith Miller.
This patch implements some low hanging fruit:
- Exporting Table
- Exporting Memory
- Load16 with zero extension to both 32 and 64 bit values.
- Fixes Unreachable to emit code that will prevent B3 from having a validation error.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addUnreachable):
(JSC::Wasm::sizeOfLoadOp):
(JSC::Wasm::B3IRGenerator::emitLoadOp):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parseExport):
* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::addUnreachable):
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::finishCreation):
(JSC::WebAssemblyModuleRecord::link):
2016-12-14 Yusuke Suzuki <utatane.tea@gmail.com>
Update ModuleLoader code by using the latest builtin primitives
https://bugs.webkit.org/show_bug.cgi?id=165851
Reviewed by Sam Weinig.
Update the module loader code,
1. Use @globalPrivate for the utilities, instead of setting them as the member of ModuleLoader.
2. Use @putByValDirect instead of @push. @push is user-observable since it uses Set() operation
and it can be observed by defining indexed setters in Array.prototype.
* builtins/ModuleLoaderPrototype.js:
(ensureRegistered):
(fulfillFetch):
(commitInstantiated):
(requestFetch):
(requestSatisfy):
(setStateToMax): Deleted.
(newRegistryEntry): Deleted.
* runtime/ModuleLoaderPrototype.cpp:
2016-12-14 Michael Saboff <msaboff@apple.com>
The stress GC bot crashes in JavaScriptCore beneath ShadowChicken::update and Inspector::jsToInspectorValue
https://bugs.webkit.org/show_bug.cgi?id=165871
Reviewed by Mark Lam.
This fixes two issues with the VM watch dog timer firing in a worker.
The first issue has to do with bytecode ordering. Prior to this change, the first few opcodes
generated when the watch dog is enabled are:
op_enter
op_watchdog
op_get_scope
When the watchdog fires, the function will get an exception at op_watchdog. In processing that exception,
we'll try to update the ShadowChicken shadow stack. That update assumes that if there is a scope
VirtualRegister allocated, then the slot contains a valid JSScope. With the current bytecode ordering,
this is not true at op_watchdog as op_enter will put JSUndefined in the scope slot. It isn't until the
op_get_scope gets processed that we'll have a valid scope in the slot. The fix for this issue is to
ensure that op_get_scope happens before the op_watchdog.
The second issue is that ScriptFunctionCall::call() will not tell its caller that a terminated
execution exception happened. Instead call() returns an empty JSValue. InjectedScript::wrapCallFrames()
wasn't checking for an empty JSValue, but was passing it to another function. Added a short circuit
return when call returns an empty JSValue.
Added <https://bugs.webkit.org/show_bug.cgi?id=165875> to fix other callers of ScriptFunctionCall::call()
to check for an empty JSValue return value.
Also tracked with <rdar://problem/29671015>.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitEnter):
* inspector/InjectedScript.cpp:
(Inspector::InjectedScript::wrapCallFrames):
2016-12-14 Filip Pizlo <fpizlo@apple.com>
DirectTailCall implementation needs to tell the shuffler what to put into the ArgumentCount explicitly
https://bugs.webkit.org/show_bug.cgi?id=165882
Reviewed by Mark Lam.
The CallFrameShuffler was assuming that the ArgumentCount that it should store into the
callee frame is simply the size of the args vector.
That's not true for DirectTailCall, which will pad the args vector with undefined if we
are optimizing an arity mismatch. We need to pass the ArgumentCount explicitly in this
case.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
* jit/CallFrameShuffleData.h:
* jit/CallFrameShuffler.cpp:
(JSC::CallFrameShuffler::CallFrameShuffler):
(JSC::CallFrameShuffler::prepareAny):
* jit/CallFrameShuffler.h:
(JSC::CallFrameShuffler::snapshot):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
2016-12-14 Keith Miller <keith_miller@apple.com>
WebAssembly JS API: implement Global
https://bugs.webkit.org/show_bug.cgi?id=164133
Reviewed by Saam Barati.
This patch adds support for globals. It handles imports, exports
and internal globals. In the MVP only internal globals are allowed
to be mutable. This means we can store a C-array of 64-bit slots
off the instance holding them. When globals are exported to JS
they are done so as numbers. This means that i64 globals cannot be
imported or exported.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::getGlobal):
(JSC::Wasm::B3IRGenerator::setGlobal):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
(JSC::Wasm::parseAndCompile):
* wasm/WasmFormat.h:
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parseImport):
(JSC::Wasm::ModuleParser::parseGlobal):
(JSC::Wasm::ModuleParser::parseExport):
(JSC::Wasm::ModuleParser::parseElement):
(JSC::Wasm::ModuleParser::parseInitExpr):
(JSC::Wasm::ModuleParser::parseGlobalType):
(JSC::Wasm::ModuleParser::parseData):
* wasm/WasmModuleParser.h:
* wasm/WasmParser.h:
(JSC::Wasm::Parser::parseVarInt32):
(JSC::Wasm::Parser::parseVarInt64):
(JSC::Wasm::Parser::parseUInt64):
* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::hasMemory):
(JSC::Wasm::Validate::Validate):
(JSC::Wasm::Validate::getGlobal):
(JSC::Wasm::Validate::setGlobal):
(JSC::Wasm::validateFunction):
* wasm/generateWasmOpsHeader.py:
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
(JSC::JSWebAssemblyInstance::finishCreation):
(JSC::JSWebAssemblyInstance::visitChildren):
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::loadI32Global):
(JSC::JSWebAssemblyInstance::loadI64Global):
(JSC::JSWebAssemblyInstance::loadF32Global):
(JSC::JSWebAssemblyInstance::loadF64Global):
(JSC::JSWebAssemblyInstance::setGlobal):
(JSC::JSWebAssemblyInstance::offsetOfGlobals):
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::finishCreation):
(JSC::WebAssemblyModuleRecord::link):
2016-12-14 Filip Pizlo <fpizlo@apple.com>
Unreviewed, re-enable concurrent GC on ARM64 now that the most likely culprit of the memory
regressions is fixed. Lets see what the bots think!
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2016-12-14 Filip Pizlo <fpizlo@apple.com>
Devices with fewer cores should use a more aggressive GC schedule by default
https://bugs.webkit.org/show_bug.cgi?id=165859
Reviewed by Mark Lam.
* heap/Heap.cpp:
(JSC::Heap::markToFixpoint): Log when we have an unexpected delay in wake-up.
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::drainInParallelPassively): Don't drain passively if there aren't many cores.
* runtime/Options.cpp:
(JSC::overrideDefaults): Change the heuristics if we have fewer cores.
(JSC::Options::initialize):
* runtime/Options.h:
2016-12-14 Mark Lam <mark.lam@apple.com>
BytecodeBasicBlock::computeImpl() should not keep iterating blocks if all jump targets have already been found.
https://bugs.webkit.org/show_bug.cgi?id=165820
Reviewed by Saam Barati.
Currently, if an opcode is a branch type opcode, BytecodeBasicBlock::computeImpl()
will iterate over all basic blocks looking for the block containing the jump
target, and it will continue to do this even when all the jump targets have been
found. This is wasted work, and all the more so given that most branch type
opcodes only have a single jump target.
* bytecode/BytecodeBasicBlock.cpp:
(JSC::BytecodeBasicBlock::computeImpl):
2016-12-14 Gavin Barraclough <barraclough@apple.com>
MarkedBlock::marksConveyLivenessDuringMarking should take into account collection scope
https://bugs.webkit.org/show_bug.cgi?id=165741
Unreviewed, re-landing this with fix (revert erroneous change to Options).
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/CellContainer.cpp: Added.
(JSC::CellContainer::isNewlyAllocated):
* heap/CellContainer.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::addBlock):
(JSC::MarkedAllocator::removeBlock):
(JSC::MarkedAllocator::dumpBits):
* heap/MarkedAllocator.h:
(JSC::MarkedAllocator::forEachBitVector):
(JSC::MarkedAllocator::forEachBitVectorWithName):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::tryCreate):
(JSC::MarkedBlock::Handle::~Handle):
(JSC::MarkedBlock::MarkedBlock):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::Handle::didConsumeFreeList):
(JSC::MarkedBlock::Handle::dumpState):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::markingVersion):
(JSC::MarkedBlock::isMarkedRaw):
(JSC::MarkedBlock::isMarked):
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::marksConveyLivenessDuringMarking):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::appendJSCellOrAuxiliary):
* runtime/StructureIDTable.h:
(JSC::StructureIDTable::size):
(JSC::StructureIDTable::get):
2016-12-14 Chris Dumez <cdumez@apple.com>
Unreviewed, rolling out r209766.
Regressed Dromaeo JSLib by ~50%
Reverted changeset:
"Make opaque root scanning truly constraint-based"
https://bugs.webkit.org/show_bug.cgi?id=165760
http://trac.webkit.org/changeset/209766
2016-12-14 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r209795.
https://bugs.webkit.org/show_bug.cgi?id=165853
rolled out the wrong revision (Requested by pizlo on #webkit).
Reverted changeset:
"MarkedBlock::marksConveyLivenessDuringMarking should take
into account collection scope"
https://bugs.webkit.org/show_bug.cgi?id=165741
http://trac.webkit.org/changeset/209795
2016-12-14 Filip Pizlo <fpizlo@apple.com>
Unreviewed, disable concurrent GC on ARM while we investigate a memory use regression.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2016-12-13 Yusuke Suzuki <utatane.tea@gmail.com>
Use JSValue::toWTFString instead of calling toString(exec) and value(exec)
https://bugs.webkit.org/show_bug.cgi?id=165795
Reviewed by Saam Barati.
In old days, we frequently use the idiom like, `value.toString(exec)->value(exec)` to
get WTFString from the given JSValue. But now, we have better function, `toWTFString`.
`toWTFString` does not create intermediate JSString objects, then reduce unnecessary
allocations.
This patch mechanically replaces `value.toString(exec)->value(exec)` with `toWTFString(exec)`.
* API/JSValueRef.cpp:
(JSValueToStringCopy):
* bindings/ScriptValue.cpp:
(Deprecated::ScriptValue::toString):
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
* inspector/ScriptCallStackFactory.cpp:
(Inspector::extractSourceInformationFromException):
* runtime/ConsoleObject.cpp:
(JSC::valueToStringWithUndefinedOrNullCheck):
(JSC::valueOrDefaultLabelString):
* runtime/DateConstructor.cpp:
(JSC::dateParse):
* runtime/DatePrototype.cpp:
(JSC::formatLocaleDate):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::sanitizedToString):
* runtime/ErrorPrototype.cpp:
(JSC::errorProtoFuncToString):
* runtime/InspectorInstrumentationObject.cpp:
(JSC::inspectorInstrumentationObjectLog):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncEval):
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::fetch):
* runtime/ModuleLoaderPrototype.cpp:
(JSC::moduleLoaderPrototypeParseModule):
* runtime/RegExpConstructor.cpp:
(JSC::regExpCreate):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncCompile):
(JSC::regExpProtoFuncToString):
* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
(JSC::replaceUsingStringSearch):
(JSC::stringProtoFuncSlice):
(JSC::stringProtoFuncSplitFast):
(JSC::stringProtoFuncSubstr):
(JSC::stringProtoFuncLocaleCompare):
(JSC::stringProtoFuncBig):
(JSC::stringProtoFuncSmall):
(JSC::stringProtoFuncBlink):
(JSC::stringProtoFuncBold):
(JSC::stringProtoFuncFixed):
(JSC::stringProtoFuncItalics):
(JSC::stringProtoFuncStrike):
(JSC::stringProtoFuncSub):
(JSC::stringProtoFuncSup):
(JSC::stringProtoFuncFontcolor):
(JSC::stringProtoFuncFontsize):
(JSC::stringProtoFuncAnchor):
(JSC::stringProtoFuncLink):
(JSC::trimString):
(JSC::stringProtoFuncStartsWith):
(JSC::stringProtoFuncEndsWith):
(JSC::stringProtoFuncIncludes):
(JSC::builtinStringIncludesInternal):
(JSC::stringProtoFuncNormalize):
* tools/JSDollarVMPrototype.cpp:
(JSC::functionPrint):
* wasm/js/JSWebAssemblyCompileError.h:
(JSC::JSWebAssemblyCompileError::create):
* wasm/js/JSWebAssemblyRuntimeError.h:
(JSC::JSWebAssemblyRuntimeError::create):
2016-12-14 Gavin Barraclough <barraclough@apple.com>
MarkedBlock::marksConveyLivenessDuringMarking should take into account collection scope
https://bugs.webkit.org/show_bug.cgi?id=165741
Unreviewed rollout due to performance regression.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/CellContainer.cpp: Removed.
* heap/CellContainer.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::addBlock):
(JSC::MarkedAllocator::removeBlock):
(JSC::MarkedAllocator::dumpBits):
* heap/MarkedAllocator.h:
(JSC::MarkedAllocator::forEachBitVector):
(JSC::MarkedAllocator::forEachBitVectorWithName):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::tryCreate):
(JSC::MarkedBlock::Handle::~Handle):
(JSC::MarkedBlock::MarkedBlock):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::Handle::didConsumeFreeList):
(JSC::MarkedBlock::Handle::dumpState): Deleted.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::isMarked):
(JSC::MarkedBlock::markingVersion): Deleted.
(JSC::MarkedBlock::isMarkedRaw): Deleted.
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::marksConveyLivenessDuringMarking):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::appendJSCellOrAuxiliary):
* runtime/Options.h:
* runtime/StructureIDTable.h:
(JSC::StructureIDTable::get):
(JSC::StructureIDTable::size): Deleted.
2016-12-13 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r209792.
https://bugs.webkit.org/show_bug.cgi?id=165841
Cause build failures (Requested by yusukesuzuki on #webkit).
Reverted changeset:
"Use JSValue::toWTFString instead of calling toString(exec)
and value(exec)"
https://bugs.webkit.org/show_bug.cgi?id=165795
http://trac.webkit.org/changeset/209792
2016-12-13 Yusuke Suzuki <utatane.tea@gmail.com>
Use JSValue::toWTFString instead of calling toString(exec) and value(exec)
https://bugs.webkit.org/show_bug.cgi?id=165795
Reviewed by Saam Barati.
In old days, we frequently use the idiom like, `value.toString(exec)->value(exec)` to
get WTFString from the given JSValue. But now, we have better function, `toWTFString`.
`toWTFString` does not create intermediate JSString objects, then reduce unnecessary
allocations.
This patch mechanically replaces `value.toString(exec)->value(exec)` with `toWTFString(exec)`.
* API/JSValueRef.cpp:
(JSValueToStringCopy):
* bindings/ScriptValue.cpp:
(Deprecated::ScriptValue::toString):
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
* inspector/ScriptCallStackFactory.cpp:
(Inspector::extractSourceInformationFromException):
* runtime/ConsoleObject.cpp:
(JSC::valueToStringWithUndefinedOrNullCheck):
(JSC::valueOrDefaultLabelString):
* runtime/DateConstructor.cpp:
(JSC::dateParse):
* runtime/DatePrototype.cpp:
(JSC::formatLocaleDate):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::sanitizedToString):
* runtime/ErrorPrototype.cpp:
(JSC::errorProtoFuncToString):
* runtime/InspectorInstrumentationObject.cpp:
(JSC::inspectorInstrumentationObjectLog):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::toWTFStringSlowCase):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncEval):
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::fetch):
* runtime/ModuleLoaderPrototype.cpp:
(JSC::moduleLoaderPrototypeParseModule):
* runtime/RegExpConstructor.cpp:
(JSC::regExpCreate):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncCompile):
(JSC::regExpProtoFuncToString):
* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
(JSC::replaceUsingStringSearch):
(JSC::stringProtoFuncSlice):
(JSC::stringProtoFuncSplitFast):
(JSC::stringProtoFuncSubstr):
(JSC::stringProtoFuncLocaleCompare):
(JSC::stringProtoFuncBig):
(JSC::stringProtoFuncSmall):
(JSC::stringProtoFuncBlink):
(JSC::stringProtoFuncBold):
(JSC::stringProtoFuncFixed):
(JSC::stringProtoFuncItalics):
(JSC::stringProtoFuncStrike):
(JSC::stringProtoFuncSub):
(JSC::stringProtoFuncSup):
(JSC::stringProtoFuncFontcolor):
(JSC::stringProtoFuncFontsize):
(JSC::stringProtoFuncAnchor):
(JSC::stringProtoFuncLink):
(JSC::trimString):
(JSC::stringProtoFuncStartsWith):
(JSC::stringProtoFuncEndsWith):
(JSC::stringProtoFuncIncludes):
(JSC::builtinStringIncludesInternal):
(JSC::stringProtoFuncNormalize):
* tools/JSDollarVMPrototype.cpp:
(JSC::functionPrint):
* wasm/js/JSWebAssemblyCompileError.h:
(JSC::JSWebAssemblyCompileError::create):
* wasm/js/JSWebAssemblyRuntimeError.h:
(JSC::JSWebAssemblyRuntimeError::create):
2016-12-13 Saam Barati <sbarati@apple.com>
WebAssembly: implement the elements section
https://bugs.webkit.org/show_bug.cgi?id=165715
Reviewed by Keith Miller.
This is a straight forward implementation of the Element
section in the Wasm spec:
https://github.com/WebAssembly/design/blob/master/BinaryEncoding.md#element-section
There are a few ambiguities I encountered when implementing this, so I've
filed bugs against the Wasm design repo, and corresponding bugzilla bugs
for us to address after they've been discussed by the various Wasm folks:
- https://bugs.webkit.org/show_bug.cgi?id=165827
- https://bugs.webkit.org/show_bug.cgi?id=165826
- https://bugs.webkit.org/show_bug.cgi?id=165825
* wasm/WasmFormat.h:
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parseElement):
(JSC::Wasm::ModuleParser::parseInitExpr):
(JSC::Wasm::ModuleParser::parseData):
* wasm/WasmModuleParser.h:
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::evaluate):
2016-12-13 Chris Dumez <cdumez@apple.com>
Unreviewed, rolling out r209544.
Looks like r209489 did not cause the performance regression
after all
Reverted changeset:
"Unreviewed, rolling out r209489."
https://bugs.webkit.org/show_bug.cgi?id=165550
http://trac.webkit.org/changeset/209544
2016-12-13 Saam Barati <sbarati@apple.com>
WebAssembly: implement the table section and table import
https://bugs.webkit.org/show_bug.cgi?id=165716
Reviewed by Keith Miller.
This patch implements the Table space for wasm:
https://github.com/WebAssembly/design/blob/master/BinaryEncoding.md#table-section
It only implements defining and importing a table. The bulk
of this patch is implementing the various wasm Table prototype
methods and the underlying Table object:
https://github.com/WebAssembly/design/blob/master/JS.md#webassemblytable-constructor
This patch also fixes a bug in our implementation with call_indirect.
We initially implemented call_indirect as a way to call functions that
are imported or defined in the module. This was the wrong
interpretation of the spec. Instead, call_indirect can only index into
the table index space.
* JavaScriptCore.xcodeproj/project.pbxproj:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
(JSC::Wasm::parseAndCompile):
* wasm/WasmFormat.h:
(JSC::Wasm::TableInformation::TableInformation):
(JSC::Wasm::TableInformation::operator bool):
(JSC::Wasm::TableInformation::isImport):
(JSC::Wasm::TableInformation::initial):
(JSC::Wasm::TableInformation::maximum):
(JSC::Wasm::CallableFunction::CallableFunction):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parseImport):
(JSC::Wasm::ModuleParser::parseResizableLimits):
(JSC::Wasm::ModuleParser::parseTableHelper):
(JSC::Wasm::ModuleParser::parseTable):
(JSC::Wasm::ModuleParser::parseMemoryHelper):
(JSC::Wasm::ModuleParser::parseExport):
* wasm/WasmModuleParser.h:
* wasm/js/JSWebAssemblyHelpers.h: Added.
(JSC::toNonWrappingUint32):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::visitChildren):
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::table):
(JSC::JSWebAssemblyInstance::setTable):
(JSC::JSWebAssemblyInstance::offsetOfTable):
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::create):
(JSC::JSWebAssemblyTable::JSWebAssemblyTable):
(JSC::JSWebAssemblyTable::visitChildren):
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::clearFunction):
(JSC::JSWebAssemblyTable::setFunction):
* wasm/js/JSWebAssemblyTable.h:
(JSC::JSWebAssemblyTable::maximum):
(JSC::JSWebAssemblyTable::size):
(JSC::JSWebAssemblyTable::getFunction):
(JSC::JSWebAssemblyTable::offsetOfSize):
(JSC::JSWebAssemblyTable::offsetOfFunctions):
(JSC::JSWebAssemblyTable::isValidSize):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::call):
(JSC::WebAssemblyFunction::create):
(JSC::WebAssemblyFunction::visitChildren):
(JSC::WebAssemblyFunction::finishCreation):
* wasm/js/WebAssemblyFunction.h:
(JSC::WebAssemblyFunction::signature):
(JSC::WebAssemblyFunction::wasmEntrypoint):
(JSC::WebAssemblyFunction::webAssemblyCallee): Deleted.
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyMemoryConstructor.cpp:
(JSC::constructJSWebAssemblyMemory):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::finishCreation):
(JSC::WebAssemblyModuleRecord::link):
* wasm/js/WebAssemblyTableConstructor.cpp:
(JSC::constructJSWebAssemblyTable):
* wasm/js/WebAssemblyTablePrototype.cpp:
(JSC::getTable):
(JSC::webAssemblyTableProtoFuncLength):
(JSC::webAssemblyTableProtoFuncGrow):
(JSC::webAssemblyTableProtoFuncGet):
(JSC::webAssemblyTableProtoFuncSet):
(JSC::WebAssemblyTablePrototype::create):
(JSC::WebAssemblyTablePrototype::finishCreation):
* wasm/js/WebAssemblyTablePrototype.h:
2016-12-13 Filip Pizlo <fpizlo@apple.com>
Add null checks to opaque root APIs.
Rubber stamped by Saam Barati.
If we got a crash report about null in the opaque root HashSet, we would probably not
celebrate how great it is that we found out about a new race - instead we would probably
be annoyed that null wasn't just silently ignored.
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::addOpaqueRoot):
(JSC::SlotVisitor::containsOpaqueRoot):
(JSC::SlotVisitor::containsOpaqueRootTriState):
2016-12-13 Filip Pizlo <fpizlo@apple.com>
Make opaque root scanning truly constraint-based
https://bugs.webkit.org/show_bug.cgi?id=165760
Reviewed by Saam Barati.
We have bugs when visitChildren() changes its mind about what opaque root to add, since
we don't have barriers on opaque roots. This supposedly once worked for generational GC,
and I started adding more barriers to support concurrent GC. But I think that the real
bug here is that we want the JSObject->OpaqueRoot to be evaluated as a constraint that
participates in the fixpoint. A constraint is different from the normal visiting in that
the GC will not wait for a barrier to rescan the object.
So, it's now possible for any visitChildren() method to become a constraint by calling
slotVisitor.rescanAsConstraint(). Because opaque roots are constraints, addOpaqueRoot()
does rescanAsConstraint() for you.
The constraint set is simply a HashSet<JSCell*> that accumulates with every
rescanAsConstraint() call and is only cleared at the start of full GC. This trivially
resolves most classes of GC bugs that would have arisen from opaque roots being changed
in a way that the GC did not anticipate.
Looks like this is perf-neutral.
* heap/Heap.cpp:
(JSC::Heap::markToFixpoint):
(JSC::Heap::setMutatorShouldBeFenced):
(JSC::Heap::writeBarrierOpaqueRootSlow): Deleted.
(JSC::Heap::addMutatorShouldBeFencedCache): Deleted.
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::writeBarrierOpaqueRoot): Deleted.
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::visitWeakSets):
* heap/MarkedSpace.h:
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::visitChildren):
(JSC::SlotVisitor::visitSubsequently):
(JSC::SlotVisitor::drain):
(JSC::SlotVisitor::addOpaqueRoot):
(JSC::SlotVisitor::rescanAsConstraint):
(JSC::SlotVisitor::mergeIfNecessary):
(JSC::SlotVisitor::mergeOpaqueRootsAndConstraints):
(JSC::SlotVisitor::mergeOpaqueRootsIfNecessary): Deleted.
* heap/SlotVisitor.h:
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::reportExtraMemoryVisited):
(JSC::SlotVisitor::reportExternalMemoryVisited):
(JSC::SlotVisitor::didNotRace):
* heap/WeakBlock.cpp:
(JSC::WeakBlock::specializedVisit):
(JSC::WeakBlock::visit):
* heap/WeakBlock.h:
* heap/WeakSet.h:
(JSC::WeakSet::visit):
2016-12-13 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r209725.
https://bugs.webkit.org/show_bug.cgi?id=165811
"Broke ARMv7 builds" (Requested by msaboff on #webkit).
Reverted changeset:
"REGRESSION(r209653): speedometer crashes making virtual slow
path tailcalls"
https://bugs.webkit.org/show_bug.cgi?id=165748
http://trac.webkit.org/changeset/209725
2016-12-13 Filip Pizlo <fpizlo@apple.com>
Unreviewed, revert the collectorPermittedIdleRatio back to 0 because of 100MB
regression on membuster. Also, it didn't seem to help perf.
* runtime/Options.h:
2016-12-13 JF Bastien <jfbastien@apple.com>
[WTF] Turn tryMakeString(), makeString() into variadic templates
https://bugs.webkit.org/show_bug.cgi?id=147142
Reviewed by Mark Lam.
* runtime/JSStringBuilder.h:
(JSC::jsMakeNontrivialString): remove WTF:: prefix, it isn't needed anymore
* runtime/Lookup.cpp:
(JSC::reifyStaticAccessor): remove WTF:: prefix, it isn't needed anymore
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncToString): remove WTF:: prefix, it isn't needed anymore
2016-12-12 Mark Lam <mark.lam@apple.com>
Rename BytecodeGenerator's ControlFlowContext to ControlFlowScope.
https://bugs.webkit.org/show_bug.cgi?id=165777
Reviewed by Keith Miller.
The existing code sometimes refer to ControlFlowContext (and associated references)
as context, and sometimes as scope. Let's be consistent and always call it a scope.
Also renamed push/popScopedControlFlowContext() to push/popLocalControlFlowScope()
because these are only used when we inc/dec the m_localScopeDepth.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
(JSC::BytecodeGenerator::pushLexicalScopeInternal):
(JSC::BytecodeGenerator::popLexicalScopeInternal):
(JSC::BytecodeGenerator::emitPushWithScope):
(JSC::BytecodeGenerator::emitPopWithScope):
(JSC::BytecodeGenerator::pushFinallyControlFlowScope):
(JSC::BytecodeGenerator::pushIteratorCloseControlFlowScope):
(JSC::BytecodeGenerator::popFinallyControlFlowScope):
(JSC::BytecodeGenerator::popIteratorCloseControlFlowScope):
(JSC::BytecodeGenerator::emitComplexPopScopes):
(JSC::BytecodeGenerator::emitPopScopes):
(JSC::BytecodeGenerator::pushLocalControlFlowScope):
(JSC::BytecodeGenerator::popLocalControlFlowScope):
(JSC::BytecodeGenerator::emitEnumeration):
(JSC::BytecodeGenerator::pushFinallyContext): Deleted.
(JSC::BytecodeGenerator::pushIteratorCloseContext): Deleted.
(JSC::BytecodeGenerator::popFinallyContext): Deleted.
(JSC::BytecodeGenerator::popIteratorCloseContext): Deleted.
(JSC::BytecodeGenerator::pushScopedControlFlowContext): Deleted.
(JSC::BytecodeGenerator::popScopedControlFlowContext): Deleted.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::TryNode::emitBytecode):
2016-12-12 Filip Pizlo <fpizlo@apple.com>
GC scheduler should avoid consecutive pauses
https://bugs.webkit.org/show_bug.cgi?id=165758
Reviewed by Michael Saboff.
This factors out the scheduler from lambdas in Heap::markToFixpoint to an actual class.
It's called the SpaceTimeScheduler because it is a linear controller that ties the
amount of time you spend on things to the amount of space you are using.
This patch uses this refactoring to fix a bug where the GC would pause even though we
still had time during a mutator timeslice. This is a 15% improvement on
JetStream/splay-latency. Seems neutral on everything else. However, it's not at all
clear if this is the right policy or not since retreating wavefront can sometimes be so
sensitive to scheduling decisions. For this reason, there is a tunable option that lets
you decide how long the GC will sit idle before the start of its timeslice.
So, we can revert this policy change in this patch without reverting the patch.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/Heap.cpp:
(JSC::Heap::markToFixpoint):
* heap/Heap.h:
* heap/SpaceTimeScheduler.cpp: Added.
(JSC::SpaceTimeScheduler::Decision::targetMutatorUtilization):
(JSC::SpaceTimeScheduler::Decision::targetCollectorUtilization):
(JSC::SpaceTimeScheduler::Decision::elapsedInPeriod):
(JSC::SpaceTimeScheduler::Decision::phase):
(JSC::SpaceTimeScheduler::Decision::shouldBeResumed):
(JSC::SpaceTimeScheduler::Decision::timeToResume):
(JSC::SpaceTimeScheduler::Decision::timeToStop):
(JSC::SpaceTimeScheduler::SpaceTimeScheduler):
(JSC::SpaceTimeScheduler::snapPhase):
(JSC::SpaceTimeScheduler::currentDecision):
* heap/SpaceTimeScheduler.h: Added.
(JSC::SpaceTimeScheduler::Decision::Decision):
(JSC::SpaceTimeScheduler::Decision::operator bool):
* runtime/Options.h:
2016-12-12 Michael Saboff <msaboff@apple.com>
REGRESSION(r209653): speedometer crashes making virtual slow path tailcalls
https://bugs.webkit.org/show_bug.cgi?id=165748
Reviewed by Filip Pizlo.
The virtual slow path for tailcalls always passes arguments on the stack.
The fix here is to link to the stack argument entrypoint instead of a register
argument entrypoint.
While fixing this bug, I found that we weren't clearing the code origin when
shuffling the call frame for a register argument tailcall.
Also rolling back in r209653, r209654, r209663, and r209673.
* jit/CallFrameShuffler.cpp:
(JSC::CallFrameShuffler::prepareAny):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
2016-12-12 Mark Lam <mark.lam@apple.com>
Rename BytecodeGenerator's m_symbolTableStack to m_lexicalScopeStack.
https://bugs.webkit.org/show_bug.cgi?id=165768
Reviewed by Saam Barati.
The lexical scope in "m_lexicalScopeStack" here refers to a pair of { } in the
source code that bounds the scope of variables.
There are 4 places in the code where we call m_symbolTableStack.append() to
append a new stack entry. In only 3 of the 4 cases, a symbol table is provided
in the new stack entry. In all 4 cases, a scope register is provided in the new
stack entry.
Also, 3 of the 4 functions that appends an entry to this stack are named:
1. initializeVarLexicalEnvironment()
2. pushLexicalScopeInternal()
3. emitPushWithScope()
The 4th function is the BytecodeGenerator constructor where it pushes the scope
for a module environment.
Based on these details, m_lexicalScopeStack is a better name for this stack than
m_symbolTableStack.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
(JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
(JSC::BytecodeGenerator::pushLexicalScopeInternal):
(JSC::BytecodeGenerator::initializeBlockScopedFunctions):
(JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
(JSC::BytecodeGenerator::popLexicalScopeInternal):
(JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
(JSC::BytecodeGenerator::variable):
(JSC::BytecodeGenerator::resolveType):
(JSC::BytecodeGenerator::emitResolveScope):
(JSC::BytecodeGenerator::emitPushWithScope):
(JSC::BytecodeGenerator::emitPopWithScope):
(JSC::BytecodeGenerator::pushFinallyContext):
(JSC::BytecodeGenerator::pushIteratorCloseContext):
(JSC::BytecodeGenerator::emitComplexPopScopes):
(JSC::BytecodeGenerator::popTryAndEmitCatch):
(JSC::BytecodeGenerator::emitPushFunctionNameScope):
* bytecompiler/BytecodeGenerator.h:
2016-12-12 Saam Barati <sbarati@apple.com>
Unreviewed. Try to fix the cloop build.
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::calleeSaveRegisters):
* interpreter/StackVisitor.h:
2016-12-12 Michael Saboff <msaboff@apple.com>
FTL: Dumping disassembly requires that code origin is set when making polymorphic tail calls.
https://bugs.webkit.org/show_bug.cgi?id=165747
Reviewed by Filip Pizlo.
Setting the code origin needs to be done for both the fast and slow path as we might need
it when linking a polymorphic or virtual call stub.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2016-12-11 Saam Barati <sbarati@apple.com>
Unreviewed. Try to fix the linux build.
* runtime/StackFrame.h:
2016-12-11 Saam Barati <sbarati@apple.com>
We should be able to throw exceptions from Wasm code and when Wasm frames are on the stack
https://bugs.webkit.org/show_bug.cgi?id=165429
Reviewed by Keith Miller.
This patch teaches the stack walking runtime about wasm.
To do this, I taught StackVisitor that a callee is not
always an object.
To be able to unwind callee save registers properly, I've given
JSWebAssemblyCallee a list of RegisterAtOffsetList for the callee
saves that B3 saved in the prologue. Also, because we have two
B3Compilations per wasm function, one for wasm entrypoint, and
one for the JS entrypoint, I needed to create a callee for each
because they each might spill callee save registers.
I also fixed a bug inside the Wasm::Memory constructor where we
were trying to mmap the same number of bytes even after the first
mmap failed. We should start by trying to mmap the maximum bytes,
and if that fails, fall back to the specified initial bytes. However,
the code was just mmapping the maximum twice. I've fixed that and
also added a RELEASE_ASSERT_NOT_REACHED() for when the second mmap
fails along with a FIXME to throw an OOM error.
There was a second bug I fixed where JSModuleRecord was calling
visitWeak on its CallLinkInfos inside ::visitChldren(). It needs
to do this after marking. I changed JSModuleRecord to do what
CodeBlock does and call visitWeak on its CallLinkInfos inside
an UnconditionalFinalizer.
* API/JSContextRef.cpp:
(BacktraceFunctor::operator()):
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStackFromException):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::vmEntryGlobalObject):
* interpreter/CallFrame.h:
(JSC::ExecState::callee):
* interpreter/Interpreter.cpp:
(JSC::GetStackTraceFunctor::operator()):
(JSC::UnwindFunctor::operator()):
(JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
* interpreter/Interpreter.h:
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::update):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::StackVisitor):
(JSC::StackVisitor::readFrame):
(JSC::StackVisitor::readNonInlinedFrame):
(JSC::StackVisitor::readInlinedFrame):
(JSC::StackVisitor::Frame::isWasmFrame):
(JSC::StackVisitor::Frame::codeType):
(JSC::StackVisitor::Frame::calleeSaveRegisters):
(JSC::StackVisitor::Frame::functionName):
(JSC::StackVisitor::Frame::sourceURL):
(JSC::StackVisitor::Frame::toString):
(JSC::StackVisitor::Frame::hasLineAndColumnInfo):
(JSC::StackVisitor::Frame::setToEnd):
* interpreter/StackVisitor.h:
(JSC::StackVisitor::Frame::callee):
(JSC::StackVisitor::Frame::isNativeFrame):
(JSC::StackVisitor::Frame::isJSFrame): Deleted.
* jsc.cpp:
(callWasmFunction):
(functionTestWasmModuleFunctions):
* runtime/Error.cpp:
(JSC::addErrorInfoAndGetBytecodeOffset):
* runtime/JSCell.cpp:
(JSC::JSCell::isAnyWasmCallee):
* runtime/JSCell.h:
* runtime/JSFunction.cpp:
(JSC::RetrieveArgumentsFunctor::operator()):
(JSC::RetrieveCallerFunctionFunctor::operator()):
* runtime/StackFrame.cpp:
(JSC::StackFrame::sourceID):
(JSC::StackFrame::sourceURL):
(JSC::StackFrame::functionName):
(JSC::StackFrame::computeLineAndColumn):
(JSC::StackFrame::toString):
* runtime/StackFrame.h:
(JSC::StackFrame::StackFrame):
(JSC::StackFrame::hasLineAndColumnInfo):
(JSC::StackFrame::hasBytecodeOffset):
(JSC::StackFrame::bytecodeOffset):
(JSC::StackFrame::isNative): Deleted.
* runtime/VM.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::createJSToWasmWrapper):
(JSC::Wasm::parseAndCompile):
* wasm/WasmCallingConvention.h:
(JSC::Wasm::CallingConvention::setupFrameInPrologue):
* wasm/WasmFormat.h:
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::Memory):
* wasm/WasmMemory.h:
(JSC::Wasm::Memory::isValid):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::run):
(JSC::Wasm::Plan::initializeCallees):
* wasm/WasmPlan.h:
(JSC::Wasm::Plan::jsToWasmEntryPointForFunction): Deleted.
* wasm/js/JSWebAssemblyCallee.cpp:
(JSC::JSWebAssemblyCallee::finishCreation):
* wasm/js/JSWebAssemblyCallee.h:
(JSC::JSWebAssemblyCallee::create):
(JSC::JSWebAssemblyCallee::entrypoint):
(JSC::JSWebAssemblyCallee::calleeSaveRegisters):
(JSC::JSWebAssemblyCallee::jsToWasmEntryPoint): Deleted.
* wasm/js/JSWebAssemblyModule.cpp:
(JSC::JSWebAssemblyModule::JSWebAssemblyModule):
(JSC::JSWebAssemblyModule::visitChildren):
(JSC::JSWebAssemblyModule::UnconditionalFinalizer::finalizeUnconditionally):
* wasm/js/JSWebAssemblyModule.h:
(JSC::JSWebAssemblyModule::jsEntrypointCalleeFromFunctionIndexSpace):
(JSC::JSWebAssemblyModule::wasmEntrypointCalleeFromFunctionIndexSpace):
(JSC::JSWebAssemblyModule::setJSEntrypointCallee):
(JSC::JSWebAssemblyModule::setWasmEntrypointCallee):
(JSC::JSWebAssemblyModule::allocationSize):
(JSC::JSWebAssemblyModule::calleeFromFunctionIndexSpace): Deleted.
* wasm/js/JSWebAssemblyRuntimeError.h:
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::call):
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyMemoryConstructor.cpp:
(JSC::constructJSWebAssemblyMemory):
* wasm/js/WebAssemblyModuleConstructor.cpp:
(JSC::constructJSWebAssemblyModule):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
2016-12-11 Filip Pizlo <fpizlo@apple.com>
Re-enable concurrent GC.
Rubber stampted by Saam Barati.
This change actually landed in r209692 by accident.
* runtime/Options.h:
2016-12-10 Filip Pizlo <fpizlo@apple.com>
MarkedBlock::marksConveyLivenessDuringMarking should take into account collection scope
https://bugs.webkit.org/show_bug.cgi?id=165741
Reviewed by Saam Barati.
MarkedBlock::marksConveyLivenessDuringMarking thought that the off-by-one marking
version indicated liveness during any collection when it's just during full collection.
One of its users - MarkedBlock::sweep - knew this and had a special case, but the other
one - MarkedBlock::isLive - didn't. So, I moved the special case into
marksConveyLivenessDuringMarking.
Also, this cleans up some remaining bitvector races.
To find this bug, I significantly strengthened our assertions.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/CellContainer.cpp: Added.
(JSC::CellContainer::isNewlyAllocated):
* heap/CellContainer.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::addBlock):
(JSC::MarkedAllocator::removeBlock):
(JSC::MarkedAllocator::dumpBits):
* heap/MarkedAllocator.h:
(JSC::MarkedAllocator::forEachBitVector):
(JSC::MarkedAllocator::forEachBitVectorWithName):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::tryCreate):
(JSC::MarkedBlock::Handle::~Handle):
(JSC::MarkedBlock::MarkedBlock):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::Handle::didConsumeFreeList):
(JSC::MarkedBlock::Handle::dumpState):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::markingVersion):
(JSC::MarkedBlock::isMarkedRaw):
(JSC::MarkedBlock::isMarked):
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::marksConveyLivenessDuringMarking):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::appendJSCellOrAuxiliary):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/StructureIDTable.h:
(JSC::StructureIDTable::size):
(JSC::StructureIDTable::get):
2016-12-10 Filip Pizlo <fpizlo@apple.com>
The DOM should have an advancing wavefront opaque root barrier
https://bugs.webkit.org/show_bug.cgi?id=165712
Reviewed by Yusuke Suzuki.
This exposes the ability to fire an advancing wavefront barrier on opaque roots. It also
gives clients the ability to maintain their own cache of whether that barrier needs to
be enabled.
The DOM uses this to enable a very cheap barrier on the DOM. This is neutral on
Speedometer and fixes another concurrent GC crash.
* heap/Heap.cpp:
(JSC::Heap::beginMarking):
(JSC::Heap::endMarking):
(JSC::Heap::writeBarrierOpaqueRootSlow):
(JSC::Heap::addMutatorShouldBeFencedCache):
(JSC::Heap::setMutatorShouldBeFenced):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::writeBarrierOpaqueRoot):
2016-12-10 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r209653, r209654, r209663, and
r209673.
https://bugs.webkit.org/show_bug.cgi?id=165739
speedometer crashes (Requested by pizlo on #webkit).
Reverted changesets:
"JSVALUE64: Pass arguments in platform argument registers when
making JavaScript calls"
https://bugs.webkit.org/show_bug.cgi?id=160355
http://trac.webkit.org/changeset/209653
"Unreviewed build fix for 32 bit builds."
http://trac.webkit.org/changeset/209654
"Unreviewed build fix for the CLOOP after r209653"
http://trac.webkit.org/changeset/209663
"REGRESSION(r209653) Crash in CallFrameShuffler::snapshot()"
https://bugs.webkit.org/show_bug.cgi?id=165728
http://trac.webkit.org/changeset/209673
2016-12-10 Michael Saboff <msaboff@apple.com>
REGRESSION(r209653) Crash in CallFrameShuffler::snapshot()
https://bugs.webkit.org/show_bug.cgi?id=165728
Reviewed by Filip Pizlo.
It can be the case that a JSValueReg's CachedRecovery is the source for mutliple
GPRs. We only store the CachedRecovery in one slot of m_newRegisters to simplify
the recovery process. This is also done for the case where the recovery source
and destination are the same GPR.
In light of this change, snapshot needs to be taught that one CacheRecovery is
the source for multiple registers. This is done by using a two step process.
First find all the argument CachedRecovery's and create a vector mapping all of
the target GPRs and the source recovery. Then use that vector to get the
recovery for each register.
* jit/CallFrameShuffler.h:
(JSC::CallFrameShuffler::snapshot):
2016-12-10 Keith Miller <keith_miller@apple.com>
Fix indirect_call if the result type is used.
https://bugs.webkit.org/show_bug.cgi?id=165727
Reviewed by Michael Saboff.
The patchpoint for indirect_call assumed that the callee would be
in params[0]. This is not the case, however, if the callee returns
a value.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addCallIndirect):
2016-12-10 Konstantin Tokarev <annulen@yandex.ru>
[cmake] Include WTF, JSC, and WebCore headers automatically to targers using them
https://bugs.webkit.org/show_bug.cgi?id=165686
Reviewed by Michael Catanzaro.
This change reduces duplication of include path lists between modules,
and reduces future need for fixes like r209605 (broken build because of
WebCore header suddenly becoming used in WebKit2).
* CMakeLists.txt:
* PlatformEfl.cmake:
* PlatformGTK.cmake:
* PlatformJSCOnly.cmake:
* PlatformMac.cmake:
2016-12-10 Michael Saboff <msaboff@apple.com>
Unreviewed build fix for the CLOOP after r209653
* jit/GPRInfo.h:
Provided a definition for NUMBER_OF_JS_FUNCTION_ARGUMENT_REGISTERS when the JIT is disabled.
* jit/JITEntryPoints.h:
Removed #if ENABLE(JIT) protection around contents.
2016-12-10 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Module namespace object behaves like immutable prototype exotic object
https://bugs.webkit.org/show_bug.cgi?id=165598
Reviewed by Mark Lam.
In the latest ECMA262 draft, the module namespace object behaves like immutable prototype exotic object.
https://tc39.github.io/ecma262/#sec-module-namespace-exotic-objects-setprototypeof-v
* runtime/JSModuleNamespaceObject.h:
2016-12-10 Yusuke Suzuki <utatane.tea@gmail.com>
REGRESSION(r208791): Assertion in testb3
https://bugs.webkit.org/show_bug.cgi?id=165651
Reviewed by Saam Barati.
Accidentally we always use edx/rdx for the result of UDiv/UMod.
But it is incorrect. We should use eax/rax for the result of UDiv.
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::lowerX86UDiv):
2016-12-09 Michael Saboff <msaboff@apple.com>
Unreviewed build fix for 32 bit builds.
* dfg/DFGMinifiedNode.h:
(JSC::DFG::MinifiedNode::argumentIndex): Added a static_cast<unsigned>().
2016-12-09 Michael Saboff <msaboff@apple.com>
JSVALUE64: Pass arguments in platform argument registers when making JavaScript calls
https://bugs.webkit.org/show_bug.cgi?id=160355
Reviewed by Filip Pizlo.
This patch implements passing JavaScript function arguments in registers for 64 bit platforms.
The implemented convention follows the ABI conventions for the associated platform.
The first two arguments are the callee and argument count, the rest of the argument registers
contain "this" and following argument until all platform argument registers are exhausted.
Arguments beyond what fit in registers are placed on the stack in the same location as
before this patch.
For X86-64 non-Windows platforms, there are 6 argument registers specified in the related ABI.
ARM64 has had argument registers. This allows for 4 or 6 parameter values to be placed in
registers on these respective platforms. This patch doesn't implement passing arguments in
registers for 32 bit platform, since most platforms have at most 4 argument registers
specified and 32 bit platforms use two 32 bit registers/memory locations to store one JSValue.
The call frame on the stack in unchanged in format and the arguments that are passed in
registers use the corresponding call frame location as a spill location. Arguments can
also be passed on the stack. The LLInt, baseline JIT'ed code as well as the initial entry
from C++ code base arguments on the stack. DFG s and FTL generated code pass arguments
via registers. All callees can accept arguments either in registers or on the stack.
The callee is responsible for moving argument to its preferred location.
The multiple entry points to JavaSCript code is now handled via the JITEntryPoints class and
related code. That class now has entries for StackArgsArityCheckNotRequired,
StackArgsMustCheckArity and for platforms that support registers arguments,
RegisterArgsArityCheckNotRequired, RegisterArgsMustCheckArity as well as and additional
RegisterArgsPossibleExtraArgs entry point when extra registers argument are passed.
This last case is needed to spill those extra arguments to the corresponding call frame
slots.
* JavaScriptCore.xcodeproj/project.pbxproj:
* b3/B3ArgumentRegValue.h:
* b3/B3Validate.cpp:
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::CallLinkInfo):
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::setUpCall):
(JSC::CallLinkInfo::argumentsLocation):
(JSC::CallLinkInfo::argumentsInRegisters):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
(JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
(JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGenerationInfo.h:
(JSC::DFG::GenerationInfo::initArgumentRegisterValue):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::needsFlushedThis):
(JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::compile):
(JSC::DFG::JITCompiler::compileFunction):
(JSC::DFG::JITCompiler::compileEntry): Deleted.
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addJSDirectCall):
(JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
(JSC::DFG::JITCompiler::JSDirectCallRecord::hasSlowCall):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::JITFinalizer):
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGJITFinalizer.h:
* dfg/DFGLiveCatchVariablePreservationPhase.cpp:
(JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
* dfg/DFGMaximalFlushInsertionPhase.cpp:
(JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
(JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
* dfg/DFGMayExit.cpp:
* dfg/DFGMinifiedNode.cpp:
(JSC::DFG::MinifiedNode::fromNode):
* dfg/DFGMinifiedNode.h:
(JSC::DFG::belongsInMinifiedGraph):
* dfg/DFGNode.cpp:
(JSC::DFG::Node::hasVariableAccessData):
* dfg/DFGNode.h:
(JSC::DFG::Node::accessesStack):
(JSC::DFG::Node::setVariableAccessData):
(JSC::DFG::Node::hasArgumentRegisterIndex):
(JSC::DFG::Node::argumentRegisterIndex):
* dfg/DFGNodeType.h:
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
* dfg/DFGPredictionInjectionPhase.cpp:
(JSC::DFG::PredictionInjectionPhase::run):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGPutStackSinkingPhase.cpp:
* dfg/DFGRegisterBank.h:
(JSC::DFG::RegisterBank::iterator::unlock):
(JSC::DFG::RegisterBank::unlockAtIndex):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::clearGenerationInfo):
(JSC::DFG::dumpRegisterInfo):
(JSC::DFG::SpeculativeJIT::dump):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::checkArgumentTypes):
(JSC::DFG::SpeculativeJIT::setupArgumentRegistersForEntry):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::allocate):
(JSC::DFG::SpeculativeJIT::spill):
(JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
(JSC::DFG::JSValueOperand::JSValueOperand):
(JSC::DFG::JSValueOperand::gprUseSpecific):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrEntryThunkGenerator):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
(JSC::DFG::VirtualRegisterAllocationPhase::allocateRegister):
(JSC::DFG::VirtualRegisterAllocationPhase::run):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::~JITCode):
(JSC::FTL::JITCode::initializeEntrypointThunk):
(JSC::FTL::JITCode::setEntryFor):
(JSC::FTL::JITCode::addressForCall):
(JSC::FTL::JITCode::executableAddressAtOffset):
(JSC::FTL::JITCode::initializeAddressForCall): Deleted.
(JSC::FTL::JITCode::initializeArityCheckEntrypoint): Deleted.
* ftl/FTLJITCode.h:
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeFunction):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentRegister):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
* ftl/FTLOSREntry.cpp:
(JSC::FTL::prepareOSREntry):
* ftl/FTLOutput.cpp:
(JSC::FTL::Output::argumentRegister):
(JSC::FTL::Output::argumentRegisterInt32):
* ftl/FTLOutput.h:
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::update):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitDumbVirtualCall):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::spillArgumentRegistersToFrameBeforePrologue):
(JSC::AssemblyHelpers::spillArgumentRegistersToFrame):
(JSC::AssemblyHelpers::fillArgumentRegistersFromFrameBeforePrologue):
(JSC::AssemblyHelpers::emitPutArgumentToCallFrameBeforePrologue):
(JSC::AssemblyHelpers::emitPutArgumentToCallFrame):
(JSC::AssemblyHelpers::emitGetFromCallFrameHeaderBeforePrologue):
(JSC::AssemblyHelpers::emitGetFromCallFrameArgumentBeforePrologue):
(JSC::AssemblyHelpers::emitGetPayloadFromCallFrameHeaderBeforePrologue):
(JSC::AssemblyHelpers::incrementCounter):
* jit/CachedRecovery.cpp:
(JSC::CachedRecovery::addTargetJSValueRegs):
* jit/CachedRecovery.h:
(JSC::CachedRecovery::gprTargets):
(JSC::CachedRecovery::setWantedFPR):
(JSC::CachedRecovery::wantedJSValueRegs):
(JSC::CachedRecovery::setWantedJSValueRegs): Deleted.
* jit/CallFrameShuffleData.h:
* jit/CallFrameShuffler.cpp:
(JSC::CallFrameShuffler::CallFrameShuffler):
(JSC::CallFrameShuffler::dump):
(JSC::CallFrameShuffler::tryWrites):
(JSC::CallFrameShuffler::prepareAny):
* jit/CallFrameShuffler.h:
(JSC::CallFrameShuffler::snapshot):
(JSC::CallFrameShuffler::addNew):
(JSC::CallFrameShuffler::initDangerFrontier):
(JSC::CallFrameShuffler::updateDangerFrontier):
(JSC::CallFrameShuffler::findDangerFrontierFrom):
* jit/CallFrameShuffler64.cpp:
(JSC::CallFrameShuffler::emitDisplace):
* jit/GPRInfo.h:
(JSC::JSValueRegs::operator==):
(JSC::JSValueRegs::operator!=):
(JSC::GPRInfo::toArgumentIndex):
(JSC::argumentRegisterFor):
(JSC::argumentRegisterForCallee):
(JSC::argumentRegisterForArgumentCount):
(JSC::argumentRegisterIndexForJSFunctionArgument):
(JSC::jsFunctionArgumentForArgumentRegister):
(JSC::argumentRegisterForFunctionArgument):
(JSC::numberOfRegisterArgumentsFor):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::link):
(JSC::JIT::compileCTINativeCall): Deleted.
* jit/JIT.h:
(JSC::JIT::compileNativeCallEntryPoints):
* jit/JITCall.cpp:
(JSC::JIT::compileSetupVarargsFrame):
(JSC::JIT::compileCallEval):
(JSC::JIT::compileCallEvalSlowCase):
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileCallEvalSlowCase):
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
* jit/JITCode.cpp:
(JSC::JITCode::execute):
(JSC::DirectJITCode::DirectJITCode):
(JSC::DirectJITCode::initializeEntryPoints):
(JSC::DirectJITCode::addressForCall):
(JSC::NativeJITCode::addressForCall):
(JSC::DirectJITCode::initializeCodeRef): Deleted.
* jit/JITCode.h:
(JSC::JITCode::executableAddress): Deleted.
* jit/JITEntryPoints.h: Added.
(JSC::JITEntryPoints::JITEntryPoints):
(JSC::JITEntryPoints::entryFor):
(JSC::JITEntryPoints::setEntryFor):
(JSC::JITEntryPoints::offsetOfEntryFor):
(JSC::JITEntryPoints::registerEntryTypeForArgumentCount):
(JSC::JITEntryPoints::registerEntryTypeForArgumentType):
(JSC::JITEntryPoints::clearEntries):
(JSC::JITEntryPoints::operator=):
(JSC::JITEntryPointsWithRef::JITEntryPointsWithRef):
(JSC::JITEntryPointsWithRef::codeRef):
(JSC::argumentsLocationFor):
(JSC::registerEntryPointTypeFor):
(JSC::entryPointTypeFor):
(JSC::thunkEntryPointTypeFor):
(JSC::JITJSCallThunkEntryPointsWithRef::JITJSCallThunkEntryPointsWithRef):
(JSC::JITJSCallThunkEntryPointsWithRef::entryFor):
(JSC::JITJSCallThunkEntryPointsWithRef::setEntryFor):
(JSC::JITJSCallThunkEntryPointsWithRef::offsetOfEntryFor):
(JSC::JITJSCallThunkEntryPointsWithRef::clearEntries):
(JSC::JITJSCallThunkEntryPointsWithRef::codeRef):
(JSC::JITJSCallThunkEntryPointsWithRef::operator=):
* jit/JITOpcodes.cpp:
(JSC::JIT::privateCompileJITEntryNativeCall):
(JSC::JIT::privateCompileCTINativeCall): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileJITEntryNativeCall):
(JSC::JIT::privateCompileCTINativeCall): Deleted.
* jit/JITOperations.cpp:
* jit/JITThunks.cpp:
(JSC::JITThunks::jitEntryNativeCall):
(JSC::JITThunks::jitEntryNativeConstruct):
(JSC::JITThunks::jitEntryStub):
(JSC::JITThunks::jitCallThunkEntryStub):
(JSC::JITThunks::hostFunctionStub):
(JSC::JITThunks::ctiNativeCall): Deleted.
(JSC::JITThunks::ctiNativeConstruct): Deleted.
* jit/JITThunks.h:
* jit/JSInterfaceJIT.h:
(JSC::JSInterfaceJIT::emitJumpIfNotInt32):
(JSC::JSInterfaceJIT::emitLoadInt32):
* jit/RegisterSet.cpp:
(JSC::RegisterSet::argumentRegisters):
* jit/RegisterSet.h:
* jit/Repatch.cpp:
(JSC::linkSlowFor):
(JSC::revertCall):
(JSC::unlinkFor):
(JSC::linkVirtualFor):
(JSC::linkPolymorphicCall):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::SpecializedThunkJIT):
(JSC::SpecializedThunkJIT::checkJSStringArgument):
(JSC::SpecializedThunkJIT::linkFailureHere):
(JSC::SpecializedThunkJIT::finalize):
* jit/ThunkGenerator.h:
* jit/ThunkGenerators.cpp:
(JSC::createRegisterArgumentsSpillEntry):
(JSC::slowPathFor):
(JSC::linkCallThunkGenerator):
(JSC::linkDirectCallThunkGenerator):
(JSC::linkPolymorphicCallThunkGenerator):
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::nativeCallGenerator):
(JSC::nativeTailCallGenerator):
(JSC::nativeTailCallWithoutSavedTagsGenerator):
(JSC::nativeConstructGenerator):
(JSC::stringCharLoadRegCall):
(JSC::charCodeAtThunkGenerator):
(JSC::charAtThunkGenerator):
(JSC::fromCharCodeThunkGenerator):
(JSC::clz32ThunkGenerator):
(JSC::sqrtThunkGenerator):
(JSC::floorThunkGenerator):
(JSC::ceilThunkGenerator):
(JSC::truncThunkGenerator):
(JSC::roundThunkGenerator):
(JSC::expThunkGenerator):
(JSC::logThunkGenerator):
(JSC::absThunkGenerator):
(JSC::imulThunkGenerator):
(JSC::randomThunkGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* jit/ThunkGenerators.h:
* jsc.cpp:
(jscmain):
* llint/LLIntEntrypoint.cpp:
(JSC::LLInt::setFunctionEntrypoint):
(JSC::LLInt::setEvalEntrypoint):
(JSC::LLInt::setProgramEntrypoint):
(JSC::LLInt::setModuleProgramEntrypoint):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::entryOSR):
(JSC::LLInt::setUpCall):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
(JSC::LLInt::functionForRegisterCallEntryThunkGenerator):
(JSC::LLInt::functionForStackCallEntryThunkGenerator):
(JSC::LLInt::functionForRegisterConstructEntryThunkGenerator):
(JSC::LLInt::functionForStackConstructEntryThunkGenerator):
(JSC::LLInt::functionForRegisterCallArityCheckThunkGenerator):
(JSC::LLInt::functionForStackCallArityCheckThunkGenerator):
(JSC::LLInt::functionForRegisterConstructArityCheckThunkGenerator):
(JSC::LLInt::functionForStackConstructArityCheckThunkGenerator):
(JSC::LLInt::functionForCallEntryThunkGenerator): Deleted.
(JSC::LLInt::functionForConstructEntryThunkGenerator): Deleted.
(JSC::LLInt::functionForCallArityCheckThunkGenerator): Deleted.
(JSC::LLInt::functionForConstructArityCheckThunkGenerator): Deleted.
* llint/LLIntThunks.h:
* runtime/ArityCheckMode.h:
* runtime/ExecutableBase.cpp:
(JSC::ExecutableBase::clearCode):
* runtime/ExecutableBase.h:
(JSC::ExecutableBase::entrypointFor):
(JSC::ExecutableBase::offsetOfEntryFor):
(JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor): Deleted.
* runtime/JSBoundFunction.cpp:
(JSC::boundThisNoArgsFunctionCall):
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::finishCreation):
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::installCode):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::thunkGeneratorForIntrinsic):
(JSC::VM::clearCounters):
(JSC::VM::dumpCounters):
* runtime/VM.h:
(JSC::VM::getJITEntryStub):
(JSC::VM::getJITCallThunkEntryStub):
(JSC::VM::addressOfCounter):
(JSC::VM::counterFor):
* wasm/WasmBinding.cpp:
(JSC::Wasm::importStubGenerator):
2016-12-09 Keith Miller <keith_miller@apple.com>
Wasm should support call_indirect
https://bugs.webkit.org/show_bug.cgi?id=165718
Reviewed by Filip Pizlo.
This patch adds support for call_indirect. The basic framework for
an indirect call is that the module holds a buffer containing a
stub for each function in the index space. Whenever a function
needs to do an indirect call it gets a index into that table. In
order to ensure call_indirect is calling a valid function the
functionIndexSpace also needs a pointer to a canonicalized
signature. When making an indirect call, we first check the index
is in range, then check the signature matches the value we were given.
This patch also differentiates between FunctionIndexSpaces and
ImmutableFunctionIndexSpaces. Since we don't know the size of the
FunctionIndexSpace when we start parsing we need to be able to
resize the IndexSpace. However, once we have finished parsing all
the sections we want to prevent an relocation of the function
index space pointer.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
(JSC::Wasm::createJSToWasmWrapper):
(JSC::Wasm::parseAndCompile):
* wasm/WasmB3IRGenerator.h:
* wasm/WasmCallingConvention.h:
(JSC::Wasm::CallingConvention::setupCall):
* wasm/WasmFormat.h:
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser::setErrorMessage):
(JSC::Wasm::FunctionParser<Context>::FunctionParser):
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::run):
* wasm/WasmPlan.h:
(JSC::Wasm::Plan::takeFunctionIndexSpace):
* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::addCallIndirect):
(JSC::Wasm::validateFunction):
* wasm/WasmValidate.h:
* wasm/js/JSWebAssemblyModule.cpp:
(JSC::JSWebAssemblyModule::create):
(JSC::JSWebAssemblyModule::JSWebAssemblyModule):
* wasm/js/JSWebAssemblyModule.h:
(JSC::JSWebAssemblyModule::signatureForFunctionIndexSpace):
(JSC::JSWebAssemblyModule::offsetOfFunctionIndexSpace):
2016-12-09 JF Bastien <jfbastien@apple.com>
WebAssembly: implement data section
https://bugs.webkit.org/show_bug.cgi?id=165696
Reviewed by Keith Miller.
As specified in https://github.com/WebAssembly/design/blob/master/BinaryEncoding.md#data-section
Note that some of the interesting corner cases are ill-defined by the spec: https://github.com/WebAssembly/design/issues/897
* wasm/WasmFormat.h: segments are what represent sections of memory to initialize (similar to ELF's non-zero intializer data / rodata)
(JSC::Wasm::Segment::make):
(JSC::Wasm::Segment::destroy):
(JSC::Wasm::Segment::byte):
(JSC::Wasm::Segment::makePtr):
* wasm/WasmModuleParser.cpp: parse the data section, and prevent a few overflows if a user passes in UINT_MAX (the loops would overflow)
(JSC::Wasm::ModuleParser::parseType):
(JSC::Wasm::ModuleParser::parseImport):
(JSC::Wasm::ModuleParser::parseFunction):
(JSC::Wasm::ModuleParser::parseExport):
(JSC::Wasm::ModuleParser::parseCode):
(JSC::Wasm::ModuleParser::parseData):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::evaluate): the only sensible time to initialize the data section is after linking, but before calling start, I test for this but the spec isn't clear it's correct yet
2016-12-09 Karim H <karim@karhm.com>
It is okay to turn undefined into null because we are producing values for a
JSON representation (InspectorValue) and JSON has a `null` value and no
`undefined` value.
https://bugs.webkit.org/show_bug.cgi?id=165506
Reviewed by Darin Adler.
* bindings/ScriptValue.cpp:
(Inspector::jsToInspectorValue):
2016-12-09 Filip Pizlo <fpizlo@apple.com>
REGRESSION (r209554-209571): stress/poly-setter-combo crashing
https://bugs.webkit.org/show_bug.cgi?id=165669
Reviewed by Geoffrey Garen.
We now rely on objects being zero-filled in a bunch of places, not just concurrent GC.
So, we need 32-bit to do it too.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
2016-12-09 Eric Carlson <eric.carlson@apple.com>
Annotate MediaStream and WebRTC idl with EnabledAtRuntime flag
https://bugs.webkit.org/show_bug.cgi?id=165251
Reviewed by Dean Jackson.
Based on a patch by Dr Alex Gouaillard <agouaillard@gmail.com>
* runtime/CommonIdentifiers.h: Add WebRTC and MediaStream identifiers.
2016-12-09 JF Bastien <jfbastien@apple.com>
WebAssembly JS API: implement start function
https://bugs.webkit.org/show_bug.cgi?id=165150
Reviewed by Saam Barati.
* wasm/WasmFormat.h: pass the start function around
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parseTable): mark unreachable code
(JSC::Wasm::ModuleParser::parseGlobal): mark unreachable code
(JSC::Wasm::ModuleParser::parseStart): mark unreachable code
(JSC::Wasm::ModuleParser::parseElement): mark unreachable code
(JSC::Wasm::ModuleParser::parseData): mark unreachable code
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction): NFC: call the new function below
(JSC::WebAssemblyFunction::call): separate this out so that the start function can use it
* wasm/js/WebAssemblyFunction.h:
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::visitChildren): visit the start function
(JSC::WebAssemblyModuleRecord::link): handle start function
(JSC::WebAssemblyModuleRecord::evaluate): call the start function, if present
* wasm/js/WebAssemblyModuleRecord.h:
2016-12-09 Filip Pizlo <fpizlo@apple.com>
GC might be forced to look at a nuked object due to ordering of AllocatePropertyStorage, MaterializeNewObject, and PutStructure
https://bugs.webkit.org/show_bug.cgi?id=165672
Reviewed by Geoffrey Garen.
We need to make sure that the shady stuff in a property put happens after the
PutByOffset, since the PutByOffset is the place where we materialize. More generally, we
should strive to not have any fenceposts between Nodes where a GC would be illegal.
This gets us most of the way there by separating NukeStructureAndSetButterfly from
[Re]AllocatePropertyStorage. A transitioning put will now look something like:
GetButterfly
ReallocatePropertyStorage
PutByOffset
NukeStructureAndSetButterfly
PutStructure
Previously the structure would get nuked by ReallocatePropertyStorage, so if we placed
an object materialization just after it (before the PutByOffset) then any GC that
completed at that safepoint would encounter an unresolved visit race due to seeing a
nuked structure. We cannot have nuked structures at safepoints, and this change makes
sure that we don't - at least until someone tries to sink to the PutStructure. We will
eventually have to create a combined SetStructureAndButterfly node, but we don't need it
yet.
This also fixes a goof where the DFG's AllocatePropertyStorage was nulling the structure
instead of nuking it. This could easily have caused many crashes in GC.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handlePutById):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStoreBarrierInsertionPhase.cpp:
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileNukeStructureAndSetButterfly):
(JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h: Fix a bug - make it possible to turn on concurrent GC optionally again.
2016-12-09 Chris Dumez <cdumez@apple.com>
Inline JSCell::toObject()
https://bugs.webkit.org/show_bug.cgi?id=165679
Reviewed by Geoffrey Garen.
Inline JSCell::toObject() as it shows on Speedometer profiles.
* runtime/JSCell.cpp:
(JSC::JSCell::toObjectSlow):
(JSC::JSCell::toObject): Deleted.
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::toObject):
2016-12-09 Geoffrey Garen <ggaren@apple.com>
Deploy OrdinalNumber in JSC::SourceCode
https://bugs.webkit.org/show_bug.cgi?id=165687
Reviewed by Michael Saboff.
We have a lot of confusion between 1-based and 0-based counting in line
and column numbers. Let's use OrdinalNumber to clear up the confusion.
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
(JSC::UnlinkedFunctionExecutable::link):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitExpressionInfo):
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::functionDetails):
* parser/Lexer.cpp:
(JSC::Lexer<T>::setCode):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::Parser):
* parser/Parser.h:
(JSC::Parser<LexerType>::parse):
* parser/SourceCode.h:
(JSC::SourceCode::SourceCode):
(JSC::SourceCode::firstLine):
(JSC::SourceCode::startColumn):
* runtime/CodeCache.cpp:
(JSC::CodeCache::getUnlinkedGlobalCodeBlock):
* runtime/ScriptExecutable.h:
(JSC::ScriptExecutable::firstLine):
(JSC::ScriptExecutable::startColumn):
* tools/CodeProfile.h:
(JSC::CodeProfile::CodeProfile):
2016-12-09 Saam Barati <sbarati@apple.com>
WebAssembly JS API: implement importing and defining Memory
https://bugs.webkit.org/show_bug.cgi?id=164134
Reviewed by Keith Miller.
This patch implements the WebAssembly.Memory object. It refactors
the code to now associate a Memory with the instance instead of
the Module.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* jsc.cpp:
(functionTestWasmModuleFunctions):
* runtime/VM.h:
* shell/CMakeLists.txt:
* testWasm.cpp: Removed.
This has bitrotted. I'm removing it.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::sizeOfLoadOp):
(JSC::Wasm::createJSToWasmWrapper):
(JSC::Wasm::parseAndCompile):
* wasm/WasmB3IRGenerator.h:
* wasm/WasmFormat.cpp:
(JSC::Wasm::ModuleInformation::~ModuleInformation): Deleted.
* wasm/WasmFormat.h:
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::Memory):
* wasm/WasmMemory.h:
(JSC::Wasm::Memory::size):
(JSC::Wasm::Memory::initial):
(JSC::Wasm::Memory::maximum):
(JSC::Wasm::Memory::pinnedRegisters): Deleted.
* wasm/WasmMemoryInformation.cpp: Added.
(JSC::Wasm::MemoryInformation::MemoryInformation):
* wasm/WasmMemoryInformation.h: Added.
(JSC::Wasm::MemoryInformation::MemoryInformation):
(JSC::Wasm::MemoryInformation::pinnedRegisters):
(JSC::Wasm::MemoryInformation::initial):
(JSC::Wasm::MemoryInformation::maximum):
(JSC::Wasm::MemoryInformation::isImport):
(JSC::Wasm::MemoryInformation::operator bool):
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parseImport):
(JSC::Wasm::ModuleParser::parseMemoryHelper):
(JSC::Wasm::ModuleParser::parseMemory):
(JSC::Wasm::ModuleParser::parseExport):
* wasm/WasmModuleParser.h:
* wasm/WasmPageCount.h: Added. Implement a new way of describing Wasm
pages and then asking for how many bytes a quantity of pages is. This
class also makes it clear when we're talking about bytes or pages.
(JSC::Wasm::PageCount::PageCount):
(JSC::Wasm::PageCount::bytes):
(JSC::Wasm::PageCount::isValid):
(JSC::Wasm::PageCount::max):
(JSC::Wasm::PageCount::operator bool):
(JSC::Wasm::PageCount::operator<):
(JSC::Wasm::PageCount::operator>):
(JSC::Wasm::PageCount::operator>=):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::run):
* wasm/WasmPlan.h:
(JSC::Wasm::Plan::memory): Deleted.
* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::hasMemory):
(JSC::Wasm::Validate::Validate):
(JSC::Wasm::validateFunction):
* wasm/WasmValidate.h:
* wasm/generateWasmValidateInlinesHeader.py:
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::visitChildren):
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::memory):
(JSC::JSWebAssemblyInstance::setMemory):
(JSC::JSWebAssemblyInstance::offsetOfImportFunctions):
(JSC::JSWebAssemblyInstance::allocationSize):
* wasm/js/JSWebAssemblyMemory.cpp:
(JSC::JSWebAssemblyMemory::create):
(JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
(JSC::JSWebAssemblyMemory::buffer):
(JSC::JSWebAssemblyMemory::visitChildren):
* wasm/js/JSWebAssemblyMemory.h:
(JSC::JSWebAssemblyMemory::memory):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction):
* wasm/js/WebAssemblyInstanceConstructor.cpp:
Handle importing and creating of memory according
to the spec. This also does the needed validation
of making sure the memory defined in the module
is compatible with the imported memory.
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyMemoryConstructor.cpp:
(JSC::constructJSWebAssemblyMemory):
(JSC::callJSWebAssemblyMemory):
* wasm/js/WebAssemblyMemoryPrototype.cpp:
(JSC::webAssemblyMemoryProtoFuncBuffer):
(JSC::WebAssemblyMemoryPrototype::create):
(JSC::WebAssemblyMemoryPrototype::finishCreation):
* wasm/js/WebAssemblyMemoryPrototype.h:
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::finishCreation):
(JSC::WebAssemblyModuleRecord::link):
2016-12-09 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Some resources fetched via Fetch API do not have data
https://bugs.webkit.org/show_bug.cgi?id=165230
<rdar://problem/29449220>
Reviewed by Alex Christensen.
* inspector/protocol/Page.json:
Add new Fetch Page.ResourceType.
2016-12-09 Geoffrey Garen <ggaren@apple.com>
TextPosition and OrdinalNumber should be more like idiomatic numbers
https://bugs.webkit.org/show_bug.cgi?id=165678
Reviewed by Filip Pizlo.
Adopt default constructor.
* API/JSBase.cpp:
(JSEvaluateScript):
(JSCheckScriptSyntax):
* API/JSObjectRef.cpp:
(JSObjectMakeFunction):
* API/JSScriptRef.cpp:
(OpaqueJSScript::OpaqueJSScript):
* jsc.cpp:
(functionCheckModuleSyntax):
* parser/SourceCode.h:
(JSC::makeSource):
* parser/SourceProvider.h:
(JSC::StringSourceProvider::create):
(JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
* runtime/FunctionConstructor.cpp:
(JSC::constructFunction):
* runtime/ModuleLoaderPrototype.cpp:
(JSC::moduleLoaderPrototypeParseModule):
2016-12-09 Filip Pizlo <fpizlo@apple.com>
Unreviewed, disable concurrent GC for real.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2016-12-09 Filip Pizlo <fpizlo@apple.com>
Unreviewed, disable concurrent GC while crashes get investigated.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2016-12-09 Filip Pizlo <fpizlo@apple.com>
JSSegmentedVariableObject should keep its state private
Rubber stamped by Michael Saboff.
Its state fields were protected for no reason. They really should be private because
you have to know to obey a particular concurrency protocol when accessing them.
* runtime/JSSegmentedVariableObject.h:
2016-12-09 Csaba Osztrogonác <ossy@webkit.org>
Unreviewed ARM buildfix after 209570.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::or32): Added.
2016-12-08 JF Bastien <jfbastien@apple.com>
WebAssembly: JSC::link* shouldn't need a CodeBlock
https://bugs.webkit.org/show_bug.cgi?id=165591
Reviewed by Keith Miller.
Allow linking without a CodeBlock, which WebAssembly's wasm -> JS stubs does. This needs to work for polymorphic and virtual calls. This patch adds corresponding tests for this.
* assembler/LinkBuffer.cpp:
(JSC::shouldDumpDisassemblyFor): don't look at the tier option if there isn't a CodeBlock, only look at the global one. This is a WebAssembly function, so the tier information is irrelevant.
* jit/Repatch.cpp:
(JSC::isWebAssemblyToJSCallee): this is used in the link* functions below
(JSC::linkFor):
(JSC::linkVirtualFor):
(JSC::linkPolymorphicCall):
* runtime/Options.h: add an option to change the maximum number of polymorphic calls in stubs from wasm to JS, which will come in handy when we try to tune performance or try merging some of the WebAssembly stubs
* wasm/WasmBinding.cpp:
(JSC::Wasm::importStubGenerator): remove the breakpoint since the code now works
* wasm/js/WebAssemblyToJSCallee.h:
2016-12-08 Filip Pizlo <fpizlo@apple.com>
MultiPutByOffset should get a barrier if it transitions
https://bugs.webkit.org/show_bug.cgi?id=165646
Reviewed by Keith Miller.
Previously, if we knew that we were storing a non-cell but we needed to transition, we
would fail to add the barrier but the FTL's lowering expected the barrier to be there.
Strictly, we need to "consider" the barrier on MultiPutByOffset if the value is
possibly a cell or if the MultiPutByOffset may transition. Then "considering" the
barrier implies checking if the base is possibly old.
But because the barrier is so cheap anyway, this patch implements something safer: we
just consider the barrier on MultiPutByOffset unconditionally, which opts it out of any
barrier optimizations other than those based on the predicted state of the base. Those
optimizations are already sound - for example they use doesGC() to detect safepoints
and that function correctly predicts when MultiPutByOffset could GC.
Because the barrier optimizations are only a very small speed-up, I think it's great to
fix bugs by weakening the optimizer without cleverness.
* dfg/DFGFixupPhase.cpp:
* dfg/DFGStoreBarrierInsertionPhase.cpp:
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::assertValidCell):
2016-12-08 Filip Pizlo <fpizlo@apple.com>
Enable concurrent GC on ARM64
https://bugs.webkit.org/show_bug.cgi?id=165643
Reviewed by Saam Barati.
It looks stable enough to enable.
* assembler/CPU.h:
(JSC::useGCFences): Deleted.
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::mutatorFence):
(JSC::AssemblyHelpers::storeButterfly):
(JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
(JSC::AssemblyHelpers::emitInitializeInlineStorage):
(JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2016-12-08 Filip Pizlo <fpizlo@apple.com>
Disable collectContinuously if not useConcurrentGC
Rubber stamped by Geoffrey Garen.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2016-12-08 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix cloop build.
* runtime/JSObject.h:
2016-12-06 Filip Pizlo <fpizlo@apple.com>
Concurrent GC should be stable enough to land enabled on X86_64
https://bugs.webkit.org/show_bug.cgi?id=164990
Reviewed by Geoffrey Garen.
This fixes a ton of performance and correctness bugs revealed by getting the concurrent GC to
be stable enough to land enabled.
I had to redo the JSObject::visitChildren concurrency protocol again. This time I think it's
even more correct than ever!
This is an enormous win on JetStream/splay-latency and Octane/SplayLatency. It looks to be
mostly neutral on everything else, though Speedometer is showing statistically weak signs of a
slight regression.
* API/JSAPIWrapperObject.mm: Added locking.
(JSC::JSAPIWrapperObject::visitChildren):
* API/JSCallbackObject.h: Added locking.
(JSC::JSCallbackObjectData::visitChildren):
(JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
(JSC::JSCallbackObjectData::JSPrivatePropertyMap::deletePrivateProperty):
(JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): This had a TOCTOU race on shouldJettisonDueToOldAge.
(JSC::EvalCodeCache::visitAggregate): Moved to EvalCodeCache.cpp.
* bytecode/DirectEvalCodeCache.cpp: Added. Outlined some functions and made them use locks.
(JSC::DirectEvalCodeCache::setSlow):
(JSC::DirectEvalCodeCache::clear):
(JSC::DirectEvalCodeCache::visitAggregate):
* bytecode/DirectEvalCodeCache.h:
(JSC::DirectEvalCodeCache::set):
(JSC::DirectEvalCodeCache::clear): Deleted.
* bytecode/UnlinkedCodeBlock.cpp: Added locking.
(JSC::UnlinkedCodeBlock::visitChildren):
(JSC::UnlinkedCodeBlock::setInstructions):
(JSC::UnlinkedCodeBlock::shrinkToFit):
* bytecode/UnlinkedCodeBlock.h: Added locking.
(JSC::UnlinkedCodeBlock::addRegExp):
(JSC::UnlinkedCodeBlock::addConstant):
(JSC::UnlinkedCodeBlock::addFunctionDecl):
(JSC::UnlinkedCodeBlock::addFunctionExpr):
(JSC::UnlinkedCodeBlock::createRareDataIfNecessary):
(JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
* debugger/Debugger.cpp: Use the right delete API.
(JSC::Debugger::recompileAllJSFunctions):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Fix a pre-existing bug in ToFunction constant folding.
* dfg/DFGClobberize.h: Add support for nuking.
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp: Add support for nuking.
(JSC::DFG::clobbersExitState):
* dfg/DFGFixupPhase.cpp: Add support for nuking.
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::indexForChecks):
(JSC::DFG::FixupPhase::originForCheck):
(JSC::DFG::FixupPhase::speculateForBarrier):
(JSC::DFG::FixupPhase::insertCheck):
(JSC::DFG::FixupPhase::fixupChecksInBlock):
* dfg/DFGSpeculativeJIT.cpp: Add support for nuking.
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
* ftl/FTLLowerDFGToB3.cpp: Add support for nuking.
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
(JSC::FTL::DFG::LowerDFGToB3::nukeStructureAndSetButterfly):
(JSC::FTL::DFG::LowerDFGToB3::setButterfly): Deleted.
* heap/CodeBlockSet.cpp: We need to be more careful about the CodeBlockSet workflow during GC, since we will allocate CodeBlocks in eden while collecting.
(JSC::CodeBlockSet::clearMarksForFullCollection):
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
* heap/Heap.cpp: Added code to measure max pauses. Added a better collectContinuously mode.
(JSC::Heap::lastChanceToFinalize): Stop the collectContinuously thread.
(JSC::Heap::harvestWeakReferences): Inline SlotVisitor::harvestWeakReferences.
(JSC::Heap::finalizeUnconditionalFinalizers): Inline SlotVisitor::finalizeUnconditionalReferences.
(JSC::Heap::markToFixpoint): We need to do some MarkedSpace stuff before every conservative scan, rather than just at the start of marking, so we now call prepareForConservativeScan() before each conservative scan. Also call a less-parallel version of drainInParallel when the mutator is running.
(JSC::Heap::collectInThread): Inline Heap::prepareForAllocation().
(JSC::Heap::stopIfNecessarySlow): We need to be more careful about ensuring that we run finalization before and after stopping. Also, we should sanitize stack when stopping the world.
(JSC::Heap::acquireAccessSlow): Add some optional debug prints.
(JSC::Heap::handleNeedFinalize): Assert that we are running this when the world is not stopped.
(JSC::Heap::finalize): Remove the old collectContinuously code.
(JSC::Heap::requestCollection): We don't need to sanitize stack here anymore.
(JSC::Heap::notifyIsSafeToCollect): Start the collectContinuously thread. It will request collection 1 KHz.
(JSC::Heap::prepareForAllocation): Deleted.
(JSC::Heap::preventCollection): Prevent any new concurrent GCs from being initiated.
(JSC::Heap::allowCollection):
(JSC::Heap::forEachSlotVisitor): Allows us to safely iterate slot visitors.
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::writeBarrier): If the 'to' cell is not NewWhite then it could be AnthraciteOrBlack. During a full collection, objects may be AnthraciteOrBlack from a previous GC. Turns out, we don't benefit from this optimization so we can just kill it.
* heap/HeapSnapshotBuilder.cpp:
(JSC::HeapSnapshotBuilder::buildSnapshot): This needs to use PreventCollectionScope to ensure snapshot soundness.
* heap/ListableHandler.h:
(JSC::ListableHandler::isOnList): Useful helper.
* heap/LockDuringMarking.h:
(JSC::lockDuringMarking): It's a locker that only locks while we're marking.
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::addBlock): Hold the bitvector lock while resizing.
* heap/MarkedBlock.cpp: Hold the bitvector lock while accessing the bitvectors while the mutator is running.
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::prepareForConservativeScan): We used to do this in prepareForMarking, but we need to do it before each conservative scan not just before marking.
(JSC::MarkedSpace::prepareForMarking): Remove the logic moved to prepareForConservativeScan.
* heap/MarkedSpace.h:
* heap/PreventCollectionScope.h: Added.
* heap/SlotVisitor.cpp: Refactored drainFromShared so that we can write a similar function called drainInParallelPassively.
(JSC::SlotVisitor::updateMutatorIsStopped): Update whether we can use "fast" scanning.
(JSC::SlotVisitor::mutatorIsStoppedIsUpToDate):
(JSC::SlotVisitor::didReachTermination):
(JSC::SlotVisitor::hasWork):
(JSC::SlotVisitor::drain): This now uses the rightToRun lock to allow the main GC thread to safepoint the workers.
(JSC::SlotVisitor::drainFromShared):
(JSC::SlotVisitor::drainInParallelPassively): This runs marking with one fewer threads than normal. It's useful for when we have resumed the mutator, since then the mutator has a better chance of getting on a core.
(JSC::SlotVisitor::addWeakReferenceHarvester):
(JSC::SlotVisitor::addUnconditionalFinalizer):
(JSC::SlotVisitor::harvestWeakReferences): Deleted.
(JSC::SlotVisitor::finalizeUnconditionalFinalizers): Deleted.
* heap/SlotVisitor.h:
* heap/SlotVisitorInlines.h: Outline stuff.
(JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
(JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
* runtime/InferredType.cpp: This needed thread safety.
(JSC::InferredType::visitChildren): This needs to keep its structure finalizer alive until it runs.
(JSC::InferredType::set):
(JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally):
* runtime/InferredType.h:
* runtime/InferredValue.cpp: This needed thread safety.
(JSC::InferredValue::visitChildren):
(JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountSlowCase): Update to use new butterfly API.
(JSC::JSArray::unshiftCountWithArrayStorage): Update to use new butterfly API.
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::visitChildren): Thread safety.
* runtime/JSCell.h:
(JSC::JSCell::setStructureIDDirectly): This is used for nuking the structure.
(JSC::JSCell::InternalLocker::InternalLocker): Deleted. The cell is now the lock.
(JSC::JSCell::InternalLocker::~InternalLocker): Deleted. The cell is now the lock.
* runtime/JSCellInlines.h:
(JSC::JSCell::structure): Clean this up.
(JSC::JSCell::lock): The cell is now the lock.
(JSC::JSCell::tryLock):
(JSC::JSCell::unlock):
(JSC::JSCell::isLocked):
(JSC::JSCell::lockInternalLock): Deleted.
(JSC::JSCell::unlockInternalLock): Deleted.
* runtime/JSFunction.cpp:
(JSC::JSFunction::visitChildren): Thread safety.
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Thread safety.
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Thread safety.
* runtime/JSObject.cpp:
(JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties): Factor out this "easy" step of butterfly visiting.
(JSC::JSObject::visitButterfly): Make this achieve 100% precision about structure-butterfly relationships. This relies on the mutator "nuking" the structure prior to "locked" structure-butterfly transitions.
(JSC::JSObject::visitChildren): Use the new, nicer API.
(JSC::JSFinalObject::visitChildren): Use the new, nicer API.
(JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists): Use the new butterfly API.
(JSC::JSObject::createInitialUndecided): Use the new butterfly API.
(JSC::JSObject::createInitialInt32): Use the new butterfly API.
(JSC::JSObject::createInitialDouble): Use the new butterfly API.
(JSC::JSObject::createInitialContiguous): Use the new butterfly API.
(JSC::JSObject::createArrayStorage): Use the new butterfly API.
(JSC::JSObject::convertUndecidedToContiguous): Use the new butterfly API.
(JSC::JSObject::convertUndecidedToArrayStorage): Use the new butterfly API.
(JSC::JSObject::convertInt32ToArrayStorage): Use the new butterfly API.
(JSC::JSObject::convertDoubleToContiguous): Use the new butterfly API.
(JSC::JSObject::convertDoubleToArrayStorage): Use the new butterfly API.
(JSC::JSObject::convertContiguousToArrayStorage): Use the new butterfly API.
(JSC::JSObject::increaseVectorLength): Use the new butterfly API.
(JSC::JSObject::shiftButterflyAfterFlattening): Use the new butterfly API.
* runtime/JSObject.h:
(JSC::JSObject::setButterfly): This now does all of the fences. Only use this when you are not also transitioning the structure or the structure's lastOffset.
(JSC::JSObject::nukeStructureAndSetButterfly): Use this when doing locked structure-butterfly transitions.
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectWithoutTransition): Use the newly factored out API.
(JSC::JSObject::prepareToPutDirectWithoutTransition): Factor this out!
(JSC::JSObject::putDirectInternal): Use the newly factored out API.
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::finishCreation): Locks!
(JSC::JSPropertyNameEnumerator::visitChildren): Locks!
* runtime/JSSegmentedVariableObject.cpp:
(JSC::JSSegmentedVariableObject::visitChildren): Locks!
* runtime/JSString.cpp:
(JSC::JSString::visitChildren): Thread safety.
* runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::visitChildren): Thread safety.
* runtime/Options.cpp: For now we disable concurrent GC on not-X86_64.
(JSC::recomputeDependentOptions):
* runtime/Options.h: Change the default max GC parallelism to 8. I don't know why it was still 7.
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::stackTracesAsJSON): This needs to defer GC before grabbing its lock.
* runtime/SparseArrayValueMap.cpp: This needed thread safety.
(JSC::SparseArrayValueMap::add):
(JSC::SparseArrayValueMap::remove):
(JSC::SparseArrayValueMap::visitChildren):
* runtime/SparseArrayValueMap.h:
* runtime/Structure.cpp: This had a race between addNewPropertyTransition and visitChildren.
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyTable):
(JSC::Structure::addNewPropertyTransition):
(JSC::Structure::flattenDictionaryStructure):
(JSC::Structure::add): Help out with nuking support - the m_offset needs to play along.
(JSC::Structure::visitChildren):
* runtime/Structure.h: Make some useful things public - like the notion of a lastOffset.
* runtime/StructureChain.cpp:
(JSC::StructureChain::visitChildren): Thread safety!
* runtime/StructureChain.h: Thread safety!
* runtime/StructureIDTable.cpp:
(JSC::StructureIDTable::allocateID): Ensure that we don't get nuked IDs.
* runtime/StructureIDTable.h: Add the notion of a nuked ID! It's a bit that the runtime never sees except during specific shady actions like locked structure-butterfly transitions. "Nuking" tells the GC to steer clear and rescan once we fire the barrier.
(JSC::nukedStructureIDBit):
(JSC::nuke):
(JSC::isNuked):
(JSC::decontaminate):
* runtime/StructureInlines.h:
(JSC::Structure::hasIndexingHeader): Better API.
(JSC::Structure::add):
* runtime/VM.cpp: Better GC interaction.
(JSC::VM::ensureWatchdog):
(JSC::VM::deleteAllLinkedCode):
(JSC::VM::deleteAllCode):
* runtime/VM.h:
(JSC::VM::getStructure): Why wasn't this always an API!
* runtime/WebAssemblyExecutable.cpp:
(JSC::WebAssemblyExecutable::visitChildren): Thread safety.
2016-12-08 Filip Pizlo <fpizlo@apple.com>
Enable SharedArrayBuffer, remove the flag
https://bugs.webkit.org/show_bug.cgi?id=165614
Rubber stamped by Geoffrey Garen.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/RuntimeFlags.h:
2016-12-08 JF Bastien <jfbastien@apple.com>
WebAssembly JS API: wire up Instance imports
https://bugs.webkit.org/show_bug.cgi?id=165118
Reviewed by Saam Barati.
Change a bunch of the WebAssembly object model, and pipe the
necessary changes to be able to call JS imports from
WebAssembly. This will make it easier to call_indirect, and
unblock many other missing features.
As a follow-up I need to teach JSC::linkFor to live without a
CodeBlock: wasm doesn't have one and the IC patching is sad. We'll
switch on the callee (or its type?) and then use that as the owner
(because the callee is alive if the instance is alive, ditto
module, and module owns the CallLinkInfo).
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* interpreter/CallFrame.h:
(JSC::ExecState::callee): give access to the callee as a JSCell
* jit/RegisterSet.cpp: dead code from previous WebAssembly implementation
* jsc.cpp:
(callWasmFunction):
(functionTestWasmModuleFunctions):
* runtime/JSCellInlines.h:
(JSC::ExecState::vm): check callee instead of jsCallee: wasm only has a JSCell and not a JSObject
* runtime/VM.cpp:
(JSC::VM::VM): store the "top" WebAssembly.Instance on entry to WebAssembly (and restore the previous one on exit)
* runtime/VM.h:
* testWasm.cpp:
(runWasmTests):
* wasm/JSWebAssembly.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator): pass unlinked calls around to shorten their lifetime: they're ony needed until the Plan is done
(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::createJSToWasmWrapper):
(JSC::Wasm::parseAndCompile): also pass in the function index space, so that imports can be signature-checked along with internal functions
* wasm/WasmB3IRGenerator.h:
* wasm/WasmBinding.cpp: Added.
(JSC::Wasm::importStubGenerator): stubs from wasm to JS
* wasm/WasmBinding.h: Copied from Source/JavaScriptCore/wasm/WasmValidate.h.
* wasm/WasmCallingConvention.h:
(JSC::Wasm::CallingConvention::setupFrameInPrologue):
* wasm/WasmFormat.h: fix the object model
(JSC::Wasm::CallableFunction::CallableFunction):
* wasm/WasmFunctionParser.h: simplify some of the failure condition checks
(JSC::Wasm::FunctionParser<Context>::FunctionParser): need function index space, not just internal functions
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* wasm/WasmModuleParser.cpp: early-create some of the structures which will be needed later
(JSC::Wasm::ModuleParser::parseImport):
(JSC::Wasm::ModuleParser::parseFunction):
(JSC::Wasm::ModuleParser::parseMemory):
(JSC::Wasm::ModuleParser::parseExport):
(JSC::Wasm::ModuleParser::parseCode):
* wasm/WasmModuleParser.h:
(JSC::Wasm::ModuleParser::functionIndexSpace):
(JSC::Wasm::ModuleParser::functionLocations):
* wasm/WasmParser.h:
(JSC::Wasm::Parser::consumeUTF8String):
* wasm/WasmPlan.cpp: pass around the wasm objects at the right time, reducing their lifetime and making it easier to pass them around when needed
(JSC::Wasm::Plan::run):
(JSC::Wasm::Plan::initializeCallees):
* wasm/WasmPlan.h:
(JSC::Wasm::Plan::exports):
(JSC::Wasm::Plan::internalFunctionCount):
(JSC::Wasm::Plan::jsToWasmEntryPointForFunction):
(JSC::Wasm::Plan::takeModuleInformation):
(JSC::Wasm::Plan::takeCallLinkInfos):
(JSC::Wasm::Plan::takeWasmToJSStubs):
(JSC::Wasm::Plan::takeFunctionIndexSpace):
* wasm/WasmValidate.cpp: check function index space instead of only internal functions
(JSC::Wasm::Validate::addCall):
(JSC::Wasm::validateFunction):
* wasm/WasmValidate.h:
* wasm/js/JSWebAssemblyCallee.cpp:
(JSC::JSWebAssemblyCallee::finishCreation):
* wasm/js/JSWebAssemblyCallee.h:
(JSC::JSWebAssemblyCallee::create):
(JSC::JSWebAssemblyCallee::jsToWasmEntryPoint):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
(JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
(JSC::JSWebAssemblyInstance::visitChildren):
* wasm/js/JSWebAssemblyInstance.h: hold the import functions off the end of the Instance
(JSC::JSWebAssemblyInstance::importFunction):
(JSC::JSWebAssemblyInstance::importFunctions):
(JSC::JSWebAssemblyInstance::setImportFunction):
(JSC::JSWebAssemblyInstance::offsetOfImportFunctions):
(JSC::JSWebAssemblyInstance::offsetOfImportFunction):
(JSC::JSWebAssemblyInstance::allocationSize):
* wasm/js/JSWebAssemblyModule.cpp:
(JSC::JSWebAssemblyModule::create):
(JSC::JSWebAssemblyModule::JSWebAssemblyModule):
(JSC::JSWebAssemblyModule::visitChildren):
* wasm/js/JSWebAssemblyModule.h: hold the link call info, the import function stubs, and the function index space
(JSC::JSWebAssemblyModule::signatureForFunctionIndexSpace):
(JSC::JSWebAssemblyModule::importCount):
(JSC::JSWebAssemblyModule::calleeFromFunctionIndexSpace):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction): set top Instance on VM
* wasm/js/WebAssemblyFunction.h:
(JSC::WebAssemblyFunction::instance):
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance): handle function imports
* wasm/js/WebAssemblyModuleConstructor.cpp:
(JSC::constructJSWebAssemblyModule): generate the stubs for import functions
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
* wasm/js/WebAssemblyToJSCallee.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp.
(JSC::WebAssemblyToJSCallee::create): dummy JSCell singleton which lives on the VM, and is put as the callee in the import stub's frame to identified it when unwinding
(JSC::WebAssemblyToJSCallee::createStructure):
(JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
(JSC::WebAssemblyToJSCallee::finishCreation):
(JSC::WebAssemblyToJSCallee::destroy):
* wasm/js/WebAssemblyToJSCallee.h: Copied from Source/JavaScriptCore/wasm/WasmB3IRGenerator.h.
2016-12-08 Mark Lam <mark.lam@apple.com>
Enable JSC restricted options by default in the jsc shell.
https://bugs.webkit.org/show_bug.cgi?id=165615
Reviewed by Keith Miller.
The jsc shell is only used for debugging and development testing. We should
allow it to use restricted options like JSC_useDollarVM even for release builds.
* jsc.cpp:
(jscmain):
* runtime/Options.cpp:
(JSC::Options::enableRestrictedOptions):
(JSC::Options::isAvailable):
(JSC::allowRestrictedOptions): Deleted.
* runtime/Options.h:
2016-12-08 Chris Dumez <cdumez@apple.com>
Unreviewed, rolling out r209489.
Likely caused large regressions on JetStream, Sunspider and
Speedometer
Reverted changeset:
"Add system trace points for JavaScript VM entry/exit"
https://bugs.webkit.org/show_bug.cgi?id=165550
http://trac.webkit.org/changeset/209489
2016-12-08 Keith Miller <keith_miller@apple.com>
Move LEB tests to API tests
https://bugs.webkit.org/show_bug.cgi?id=165586
Reviewed by Saam Barati.
Delete old stuff.
* testWasm.cpp:
(printUsageStatement):
(CommandLine::parseArguments):
(main):
(runLEBTests): Deleted.
2016-12-07 JF Bastien <jfbastien@apple.com>
Cleanup WebAssembly's RETURN_IF_EXCEPTION
https://bugs.webkit.org/show_bug.cgi?id=165595
Reviewed by Filip Pizlo.
* wasm/js/WebAssemblyCompileErrorConstructor.cpp:
(JSC::constructJSWebAssemblyCompileError):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction):
* wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
(JSC::constructJSWebAssemblyRuntimeError):
2016-12-07 Geoffrey Garen <ggaren@apple.com>
Renamed SourceCode members to match their accessor names
https://bugs.webkit.org/show_bug.cgi?id=165573
Reviewed by Keith Miller.
startChar => startOffset
endChar => endOffset
* parser/UnlinkedSourceCode.h:
(JSC::UnlinkedSourceCode::UnlinkedSourceCode):
(JSC::UnlinkedSourceCode::view):
(JSC::UnlinkedSourceCode::startOffset):
(JSC::UnlinkedSourceCode::endOffset):
(JSC::UnlinkedSourceCode::length):
2016-12-07 Keith Miller <keith_miller@apple.com>
Add more missing trivial wasm ops.
https://bugs.webkit.org/show_bug.cgi?id=165564
Reviewed by Geoffrey Garen.
This patch adds the nop, drop, and tee_local opcodes.
It also fixes an issue where we were not generating
the proper enums for the grow_memory and current_memory
opcodes.
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* wasm/generateWasmOpsHeader.py:
2016-12-07 Geoffrey Garen <ggaren@apple.com>
Renamed source => parentSource
https://bugs.webkit.org/show_bug.cgi?id=165570
Reviewed by Keith Miller.
For less confuse.
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2016-12-07 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Drop translate phase in module loader
https://bugs.webkit.org/show_bug.cgi?id=164861
Reviewed by Saam Barati.
Originally, this "translate" phase was introduced to the module loader.
However, recent rework discussion[1] starts dropping this phase.
And this "translate" phase is meaningless in the browser side module loader
since this phase originally mimics the node.js's translation hook (like,
transpiling CoffeeScript source to JavaScript).
This "translate" phase is not necessary for the exposed HTML5
<script type="module"> tag right now. Once the module loader pipeline is
redefined and specified, we need to update the current loader anyway.
So dropping "translate" phase right now is OK.
This a bit simplifies the current module loader pipeline.
[1]: https://github.com/whatwg/loader/issues/147
* builtins/ModuleLoaderPrototype.js:
(newRegistryEntry):
(fulfillFetch):
(requestFetch):
(requestInstantiate):
(provide):
(fulfillTranslate): Deleted.
(requestTranslate): Deleted.
* bytecode/BytecodeIntrinsicRegistry.cpp:
(JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
* jsc.cpp:
* runtime/JSGlobalObject.cpp:
* runtime/JSGlobalObject.h:
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::translate): Deleted.
* runtime/JSModuleLoader.h:
* runtime/ModuleLoaderPrototype.cpp:
(JSC::moduleLoaderPrototypeInstantiate):
(JSC::moduleLoaderPrototypeTranslate): Deleted.
2016-12-07 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Add ability to distinguish if a Script was parsed as a module
https://bugs.webkit.org/show_bug.cgi?id=164900
<rdar://problem/29323817>
Reviewed by Timothy Hatcher.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::didParseSource):
* inspector/protocol/Debugger.json:
Add an optional event parameter to distinguish if a script was a module or not.
2016-12-07 Simon Fraser <simon.fraser@apple.com>
Add system trace points for JavaScript VM entry/exit
https://bugs.webkit.org/show_bug.cgi?id=165550
Reviewed by Tim Horton.
Add trace points for entry/exit into/out of the JS VM.
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
(JSC::VMEntryScope::~VMEntryScope):
2016-12-06 Keith Miller <keith_miller@apple.com>
Add support for truncation operators
https://bugs.webkit.org/show_bug.cgi?id=165519
Reviewed by Geoffrey Garen.
This patch adds initial support for truncation operators. The current patch
does range based out of bounds checking, in the future we should use system
register flags on ARM and other tricks on X86 improve the performance of
these opcodes.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
(JSC::MacroAssemblerARM64::truncateDoubleToInt64):
(JSC::MacroAssemblerARM64::truncateDoubleToUint64):
(JSC::MacroAssemblerARM64::truncateFloatToInt32):
(JSC::MacroAssemblerARM64::truncateFloatToUint32):
(JSC::MacroAssemblerARM64::truncateFloatToInt64):
(JSC::MacroAssemblerARM64::truncateFloatToUint64):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::truncateFloatToInt32):
(JSC::MacroAssemblerX86Common::truncateDoubleToUint32): Deleted.
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::truncateDoubleToUint32):
(JSC::MacroAssemblerX86_64::truncateDoubleToInt64):
(JSC::MacroAssemblerX86_64::truncateDoubleToUint64):
(JSC::MacroAssemblerX86_64::truncateFloatToUint32):
(JSC::MacroAssemblerX86_64::truncateFloatToInt64):
(JSC::MacroAssemblerX86_64::truncateFloatToUint64):
* assembler/X86Assembler.h:
(JSC::X86Assembler::cvttss2si_rr):
(JSC::X86Assembler::cvttss2siq_rr):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addOp<OpType::I32TruncSF64>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I32TruncSF32>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I32TruncUF64>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I32TruncUF32>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncSF64>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncSF32>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
2016-12-07 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Remove unused and mostly untested Page domain commands and events
https://bugs.webkit.org/show_bug.cgi?id=165507
Reviewed by Brian Burg.
Remove unused and unsupported commands and events.
- Page.setDocumentContent
- Page.getScriptExecutionStatus
- Page.setScriptExecutionDisabled
- Page.handleJavaScriptDialog
- Page.javascriptDialogOpening
- Page.javascriptDialogClosed
- Page.scriptsEnabled
* inspector/protocol/Page.json:
2016-12-07 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Merge PromiseReactions
https://bugs.webkit.org/show_bug.cgi?id=165526
Reviewed by Sam Weinig.
Our promise implementation has two arrays per Promise; promiseFulfillReactions and promiseRejectReactions.
And everytime we call `promise.then`, we create two promise reactions for fullfill and reject.
However, these two reactions and the arrays for reactions can be merged into one array and one reaction.
It reduces the unnecessary object allocations.
No behavior change.
* builtins/BuiltinNames.h:
* builtins/PromiseOperations.js:
(globalPrivate.newPromiseReaction):
(globalPrivate.triggerPromiseReactions):
(globalPrivate.rejectPromise):
(globalPrivate.fulfillPromise):
(globalPrivate.promiseReactionJob):
(globalPrivate.initializePromise):
* builtins/PromisePrototype.js:
(then):
* runtime/JSPromise.cpp:
(JSC::JSPromise::finishCreation):
2016-12-06 Mark Lam <mark.lam@apple.com>
GetByID IC is wrongly unwrapping the global proxy this value for getter/setters.
https://bugs.webkit.org/show_bug.cgi?id=165401
Reviewed by Saam Barati.
When the this value for a property access is the JS global and that property
access is via a GetterSetter, the underlying getter / setter functions would
expect the this value they receive to be the JSProxy instance instead of the
JSGlobalObject. This is consistent with how the LLINT and runtime code behaves.
The IC code should behave the same way.
Also added some ASSERTs to document invariants in the code, and help detect
bugs sooner if the code gets changed in a way that breaks those invariants in
the future.
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generateImpl):
2016-12-06 Joseph Pecoraro <pecoraro@apple.com>
DumpRenderTree ASSERT in JSC::ExecutableBase::isHostFunction seen on bots
https://bugs.webkit.org/show_bug.cgi?id=165497
<rdar://problem/29538973>
Reviewed by Saam Barati.
* inspector/agents/InspectorScriptProfilerAgent.cpp:
(Inspector::InspectorScriptProfilerAgent::trackingComplete):
Defer collection when extracting and processing the samples to avoid
any objects held by the samples from getting collected while processing.
This is because while processing we call into functions that can
allocate and we must prevent those functions from syncing with the
GC thread which may collect other sample data yet to be processed.
2016-12-06 Alexey Proskuryakov <ap@apple.com>
Correct SDKROOT values in xcconfig files
https://bugs.webkit.org/show_bug.cgi?id=165487
rdar://problem/29539209
Reviewed by Dan Bernstein.
Fix suggested by Dan Bernstein.
* Configurations/DebugRelease.xcconfig:
2016-12-06 Saam Barati <sbarati@apple.com>
Remove old Wasm object model
https://bugs.webkit.org/show_bug.cgi?id=165481
Reviewed by Keith Miller and Mark Lam.
It's confusing to see code that consults both the old
Wasm object model alongside the new one. The old object
model is not a thing, and it's not being used. Let's
remove it now to prevent further confusion.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finalizeLLIntInlineCaches):
(JSC::CodeBlock::replacement):
(JSC::CodeBlock::computeCapabilityLevel):
(JSC::CodeBlock::updateAllPredictions):
* bytecode/CodeBlock.h:
* bytecode/WebAssemblyCodeBlock.cpp: Removed.
* bytecode/WebAssemblyCodeBlock.h: Removed.
* dfg/DFGCapabilities.cpp:
(JSC::DFG::isSupportedForInlining):
* interpreter/Interpreter.cpp:
(JSC::GetStackTraceFunctor::operator()):
(JSC::UnwindFunctor::operator()):
(JSC::isWebAssemblyExecutable): Deleted.
* jit/JITOperations.cpp:
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* runtime/ExecutableBase.cpp:
(JSC::ExecutableBase::clearCode):
* runtime/ExecutableBase.h:
(JSC::ExecutableBase::isWebAssemblyExecutable): Deleted.
* runtime/JSFunction.cpp:
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::isBuiltinFunction):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* runtime/WebAssemblyExecutable.cpp: Removed.
* runtime/WebAssemblyExecutable.h: Removed.
2016-12-06 JF Bastien <jfbastien@apple.com>
PureNaN: fix typo
https://bugs.webkit.org/show_bug.cgi?id=165493
Reviewed by Mark Lam.
* runtime/PureNaN.h:
2016-12-06 Mark Lam <mark.lam@apple.com>
Introduce the concept of Immutable Prototype Exotic Objects to comply with the spec.
https://bugs.webkit.org/show_bug.cgi?id=165227
<rdar://problem/29442665>
Reviewed by Saam Barati.
* runtime/JSObject.cpp:
(JSC::JSObject::setPrototypeWithCycleCheck):
- This is where we check for immutable prototype exotic objects and refuse to set
the prototype if needed.
See https://tc39.github.io/ecma262/#sec-immutable-prototype-exotic-objects.
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::isImmutablePrototypeExoticObject):
* runtime/Structure.h:
- Add flag for declaring immutable prototype exotic objects.
* runtime/ObjectPrototype.h:
- Declare that Object.prototype is an immutable prototype exotic object.
See https://tc39.github.io/ecma262/#sec-properties-of-the-object-prototype-object.
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorSetPrototypeOf):
- Use better error messages.
2016-12-04 Darin Adler <darin@apple.com>
Use ASCIICType more, and improve it a little bit
https://bugs.webkit.org/show_bug.cgi?id=165360
Reviewed by Sam Weinig.
* inspector/InspectorValues.cpp:
(Inspector::readHexDigits): Use isASCIIHexDigit.
(Inspector::hextoInt): Deleted.
(decodeString): Use toASCIIHexValue.
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::parseDigit): Use isASCIIDigit, isASCIIUpper, and isASCIILower.
* runtime/StringPrototype.cpp:
(JSC::substituteBackreferencesSlow): Use isASCIIDigit.
2016-12-06 Csaba Osztrogonác <ossy@webkit.org>
Add storeFence support for ARMv7
https://bugs.webkit.org/show_bug.cgi?id=164733
Reviewed by Saam Barati.
* assembler/ARMAssembler.h:
(JSC::ARMAssembler::dmbISHST): Added.
* assembler/ARMv7Assembler.h: Typo fixed, DMB has only T1 encoding.
(JSC::ARMv7Assembler::dmbSY):
(JSC::ARMv7Assembler::dmbISHST): Added.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::storeFence):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::storeFence):
2016-12-05 Matt Baker <mattbaker@apple.com>
Web Inspector: remove ASSERT from InspectorDebuggerAgent::derefAsyncCallData
https://bugs.webkit.org/show_bug.cgi?id=165413
<rdar://problem/29517587>
Reviewed by Brian Burg.
DOMTimer::removeById can call into InspectorInstrumentation with an
invalid identifier, so don't assert that async call data exists.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::derefAsyncCallData):
2016-12-05 Geoffrey Garen <ggaren@apple.com>
Fixed a bug in my last patch.
Unreviewed.
* bytecode/UnlinkedFunctionExecutable.h: Restore the conversion to
one-based counting.
2016-12-05 Geoffrey Garen <ggaren@apple.com>
Moved start and end column linking into helper functions
https://bugs.webkit.org/show_bug.cgi?id=165422
Reviewed by Sam Weinig.
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::link):
* bytecode/UnlinkedFunctionExecutable.h:
2016-12-05 Mark Lam <mark.lam@apple.com>
Fix JSC files so that we can build a release build with NDEBUG #undef'ed.
https://bugs.webkit.org/show_bug.cgi?id=165409
Reviewed by Keith Miller.
This allows us to run a release build with DEBUG ASSERTs enabled.
* bytecode/BytecodeLivenessAnalysis.cpp:
* bytecode/UnlinkedEvalCodeBlock.cpp:
* bytecode/UnlinkedFunctionCodeBlock.cpp:
* bytecode/UnlinkedModuleProgramCodeBlock.cpp:
* bytecode/UnlinkedProgramCodeBlock.cpp:
* runtime/EvalExecutable.cpp:
2016-12-05 Geoffrey Garen <ggaren@apple.com>
Renamed source => parentSource
https://bugs.webkit.org/show_bug.cgi?id=165419
Reviewed by Saam Barati.
This should help clarify that a FunctionExecutable holds the source
code to its *parent* scope, and not its own SourceCode.
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createExecutable):
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
(JSC::UnlinkedFunctionExecutable::link):
* bytecode/UnlinkedFunctionExecutable.h:
2016-12-05 Geoffrey Garen <ggaren@apple.com>
ScriptExecutable should not contain a copy of firstLine and startColumn
https://bugs.webkit.org/show_bug.cgi?id=165415
Reviewed by Keith Miller.
We already have this data in SourceCode.
It's super confusing to have two copies of this data, where one is
allowed to mutate. In reality, your line and column number never change.
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::link):
* runtime/CodeCache.cpp:
(JSC::CodeCache::getUnlinkedGlobalCodeBlock):
* runtime/CodeCache.h:
(JSC::generateUnlinkedCodeBlock):
* runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::FunctionExecutable):
* runtime/FunctionExecutable.h:
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::ScriptExecutable):
(JSC::ScriptExecutable::newCodeBlockFor):
* runtime/ScriptExecutable.h:
(JSC::ScriptExecutable::firstLine):
(JSC::ScriptExecutable::startColumn):
(JSC::ScriptExecutable::recordParse):
2016-12-05 Caitlin Potter <caitp@igalia.com>
[JSC] report unexpected token when "async" is followed by identifier
https://bugs.webkit.org/show_bug.cgi?id=165091
Reviewed by Mark Lam.
Report a SyntaxError, in order to report correct error in contexts
an async ArrowFunction cannot occur. Also corrects errors in comment
describing JSTokenType bitfield, which was added in r209293.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseMemberExpression):
* parser/ParserTokens.h:
2016-12-05 Keith Miller <keith_miller@apple.com>
Add Wasm i64 to i32 conversion.
https://bugs.webkit.org/show_bug.cgi?id=165378
Reviewed by Filip Pizlo.
It turns out the wrap operation is just B3's Trunc.
* wasm/wasm.json:
2016-12-05 Joseph Pecoraro <pecoraro@apple.com>
REGRESSION(r208985): SafariForWebKitDevelopment Symbol Not Found looking for method with WTF::Optional
https://bugs.webkit.org/show_bug.cgi?id=165351
Reviewed by Yusuke Suzuki.
Some versions of Safari expect:
Inspector::BackendDispatcher::reportProtocolError(WTF::Optional<long>, Inspector::BackendDispatcher::CommonErrorCode, WTF::String const&)
Which we had updated to use std::optional. Expose a version with the original
Symbol for these Safaris. This stub will just call through to the new version.
* inspector/InspectorBackendDispatcher.cpp:
(Inspector::BackendDispatcher::reportProtocolError):
* inspector/InspectorBackendDispatcher.h:
2016-12-05 Konstantin Tokarev <annulen@yandex.ru>
Add __STDC_FORMAT_MACROS before inttypes.h is included
https://bugs.webkit.org/show_bug.cgi?id=165374
We need formatting macros like PRIu64 to be available in all places where
inttypes.h header is used. All these usages get inttypes.h definitions
via wtf/Assertions.h header, except SQLiteFileSystem.cpp where formatting
macros are not used anymore since r185129.
This patch fixes multiple build errors with MinGW and reduces number of
independent __STDC_FORMAT_MACROS uses in the code base.
Reviewed by Darin Adler.
* disassembler/ARM64/A64DOpcode.cpp: Removed __STDC_FORMAT_MACROS
because it is obtained via Assertions.h now
* disassembler/ARM64Disassembler.cpp: Ditto.
2016-12-04 Keith Miller <keith_miller@apple.com>
Add support for Wasm ctz and popcnt
https://bugs.webkit.org/show_bug.cgi?id=165369
Reviewed by Saam Barati.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::countTrailingZeros32):
(JSC::MacroAssemblerARM64::countTrailingZeros64):
* assembler/MacroAssemblerX86Common.cpp:
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::countTrailingZeros32):
(JSC::MacroAssemblerX86Common::supportsBMI1):
(JSC::MacroAssemblerX86Common::ctzAfterBsf):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::countTrailingZeros64):
* assembler/X86Assembler.h:
(JSC::X86Assembler::tzcnt_rr):
(JSC::X86Assembler::tzcntq_rr):
(JSC::X86Assembler::bsf_rr):
(JSC::X86Assembler::bsfq_rr):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addOp<OpType::I32Ctz>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I64Ctz>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
2016-12-04 Saam Barati <sbarati@apple.com>
We should have a Wasm callee
https://bugs.webkit.org/show_bug.cgi?id=165163
Reviewed by Keith Miller.
This patch adds JSWebAssemblyCallee and stores it into the
callee slot in the call frame as part of the prologue of a
wasm function. This is the first step in implementing
unwinding from/through wasm frames. We will use the callee
to identify that a machine frame belongs to wasm code.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* jsc.cpp:
(callWasmFunction):
(functionTestWasmModuleFunctions):
* llint/LowLevelInterpreter64.asm:
* runtime/JSGlobalObject.cpp:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* wasm/JSWebAssembly.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::parseAndCompile):
* wasm/WasmCallingConvention.h:
(JSC::Wasm::CallingConvention::setupFrameInPrologue):
* wasm/WasmFormat.h:
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::initializeCallees):
* wasm/WasmPlan.h:
(JSC::Wasm::Plan::compiledFunction):
(JSC::Wasm::Plan::getCompiledFunctions): Deleted.
* wasm/js/JSWebAssemblyCallee.cpp: Added.
(JSC::JSWebAssemblyCallee::JSWebAssemblyCallee):
(JSC::JSWebAssemblyCallee::finishCreation):
(JSC::JSWebAssemblyCallee::destroy):
* wasm/js/JSWebAssemblyCallee.h: Added.
(JSC::JSWebAssemblyCallee::create):
(JSC::JSWebAssemblyCallee::createStructure):
(JSC::JSWebAssemblyCallee::jsEntryPoint):
* wasm/js/JSWebAssemblyModule.cpp:
(JSC::JSWebAssemblyModule::create):
(JSC::JSWebAssemblyModule::JSWebAssemblyModule):
(JSC::JSWebAssemblyModule::visitChildren):
* wasm/js/JSWebAssemblyModule.h:
(JSC::JSWebAssemblyModule::moduleInformation):
(JSC::JSWebAssemblyModule::callee):
(JSC::JSWebAssemblyModule::callees):
(JSC::JSWebAssemblyModule::offsetOfCallees):
(JSC::JSWebAssemblyModule::allocationSize):
(JSC::JSWebAssemblyModule::compiledFunctions): Deleted.
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction):
(JSC::WebAssemblyFunction::create):
(JSC::WebAssemblyFunction::visitChildren):
(JSC::WebAssemblyFunction::finishCreation):
* wasm/js/WebAssemblyFunction.h:
(JSC::WebAssemblyFunction::webAssemblyCallee):
(JSC::WebAssemblyFunction::instance):
(JSC::WebAssemblyFunction::signature):
(JSC::CallableWebAssemblyFunction::CallableWebAssemblyFunction): Deleted.
(JSC::WebAssemblyFunction::webAssemblyFunctionCell): Deleted.
* wasm/js/WebAssemblyFunctionCell.cpp:
(JSC::WebAssemblyFunctionCell::create): Deleted.
(JSC::WebAssemblyFunctionCell::WebAssemblyFunctionCell): Deleted.
(JSC::WebAssemblyFunctionCell::destroy): Deleted.
(JSC::WebAssemblyFunctionCell::createStructure): Deleted.
* wasm/js/WebAssemblyFunctionCell.h:
(JSC::WebAssemblyFunctionCell::function): Deleted.
* wasm/js/WebAssemblyModuleConstructor.cpp:
(JSC::constructJSWebAssemblyModule):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
2016-12-04 Matt Baker <mattbaker@apple.com>
Web Inspector: Assertion Failures breakpoint should respect global Breakpoints enabled setting
https://bugs.webkit.org/show_bug.cgi?id=165277
<rdar://problem/29467098>
Reviewed by Mark Lam.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::handleConsoleAssert):
Check that breakpoints are active before pausing.
2016-12-03 Yusuke Suzuki <utatane.tea@gmail.com>
Refactor SymbolImpl layout
https://bugs.webkit.org/show_bug.cgi?id=165247
Reviewed by Darin Adler.
Use SymbolImpl::{create, createNullSymbol} instead.
* runtime/PrivateName.h:
(JSC::PrivateName::PrivateName):
2016-12-03 JF Bastien <jfbastien@apple.com>
WebAssembly: update binary format to 0xD version
https://bugs.webkit.org/show_bug.cgi?id=165345
Reviewed by Keith Miller.
As described in the following PR: https://github.com/WebAssembly/design/pull/836
Originally committed in r209175, reverted in r209242, and fixed in r209284.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::zeroForType):
(JSC::Wasm::B3IRGenerator::addConstant):
(JSC::Wasm::createJSWrapper):
* wasm/WasmCallingConvention.h:
(JSC::Wasm::CallingConvention::marshallArgument):
* wasm/WasmFormat.cpp:
(JSC::Wasm::toString): Deleted.
* wasm/WasmFormat.h:
(JSC::Wasm::isValueType):
(JSC::Wasm::toB3Type): Deleted.
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parse):
(JSC::Wasm::ModuleParser::parseType):
* wasm/WasmModuleParser.h:
* wasm/WasmParser.h:
(JSC::Wasm::Parser::parseResultType):
* wasm/generateWasm.py:
(Wasm.__init__):
* wasm/generateWasmOpsHeader.py:
(cppMacro):
(typeMacroizer):
(opcodeMacroizer):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction):
* wasm/wasm.json:
2016-12-02 Keith Miller <keith_miller@apple.com>
Add Wasm copysign
https://bugs.webkit.org/show_bug.cgi?id=165355
Reviewed by Filip Pizlo.
This patch also makes two other important changes:
1) allows for i64 constants in the B3 generator language.
2) Fixes a bug with F64ConvertUI64 where the operation returned a Float instead
of a Double in B3.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
* wasm/generateWasmB3IRGeneratorInlinesHeader.py:
(CodeGenerator.generateOpcode):
(generateConstCode):
(generateI32ConstCode): Deleted.
* wasm/wasm.json:
2016-12-03 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r209298.
https://bugs.webkit.org/show_bug.cgi?id=165359
broke the build (Requested by smfr on #webkit).
Reverted changeset:
"Add Wasm copysign"
https://bugs.webkit.org/show_bug.cgi?id=165355
http://trac.webkit.org/changeset/209298
2016-12-02 Keith Miller <keith_miller@apple.com>
Add Wasm copysign
https://bugs.webkit.org/show_bug.cgi?id=165355
Reviewed by Filip Pizlo.
This patch also makes two other important changes:
1) allows for i64 constants in the B3 generator language.
2) Fixes a bug with F64ConvertUI64 where the operation returned a Float instead
of a Double in B3.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
* wasm/generateWasmB3IRGeneratorInlinesHeader.py:
(CodeGenerator.generateOpcode):
(generateConstCode):
(generateI32ConstCode): Deleted.
* wasm/wasm.json:
2016-12-02 Keith Miller <keith_miller@apple.com>
Unreviewed, fix git having a breakdown over trying to reland a rollout.
2016-12-02 Keith Miller <keith_miller@apple.com>
Add Wasm floating point nearest and trunc
https://bugs.webkit.org/show_bug.cgi?id=165339
Reviewed by Saam Barati.
This patch also allows any wasm primitive type to be passed as a
string.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::nearestIntDouble):
(JSC::MacroAssemblerARM64::nearestIntFloat):
(JSC::MacroAssemblerARM64::truncDouble):
(JSC::MacroAssemblerARM64::truncFloat):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::nearestIntDouble):
(JSC::MacroAssemblerX86Common::nearestIntFloat):
* jsc.cpp:
(box):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::F64Nearest>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::F32Nearest>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::F64Trunc>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::F32Trunc>):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
2016-12-02 Caitlin Potter <caitp@igalia.com>
[JSC] add additional bit to JSTokenType bitfield
https://bugs.webkit.org/show_bug.cgi?id=165091
Reviewed by Geoffrey Garen.
Avoid overflow which causes keyword tokens to be treated as unary
tokens now that "async" is tokenized as a keyword, by granting an
additional 64 bits to be occupied by token IDs.
* parser/ParserTokens.h:
2016-12-02 Andy Estes <aestes@apple.com>
[Cocoa] Adopt the PRODUCT_BUNDLE_IDENTIFIER build setting
https://bugs.webkit.org/show_bug.cgi?id=164492
Reviewed by Dan Bernstein.
* Configurations/JavaScriptCore.xcconfig: Set PRODUCT_BUNDLE_IDENTIFIER to
com.apple.$(PRODUCT_NAME:rfc1034identifier).
* Info.plist: Changed CFBundleIdentifier's value from com.apple.${PRODUCT_NAME} to
${PRODUCT_BUNDLE_IDENTIFIER}.
2016-12-02 JF Bastien <jfbastien@apple.com>
WebAssembly: mark WasmOps.h as private
https://bugs.webkit.org/show_bug.cgi?id=165335
Reviewed by Mark Lam.
* JavaScriptCore.xcodeproj/project.pbxproj: WasmOps.h will be used by non-JSC and should therefore be private
2016-12-02 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r209275 and r209276.
https://bugs.webkit.org/show_bug.cgi?id=165348
"broke the arm build" (Requested by keith_miller on #webkit).
Reverted changesets:
"Add Wasm floating point nearest and trunc"
https://bugs.webkit.org/show_bug.cgi?id=165339
http://trac.webkit.org/changeset/209275
"Unreviewed, forgot to change instruction after renaming."
http://trac.webkit.org/changeset/209276
2016-12-02 Keith Miller <keith_miller@apple.com>
Unreviewed, forgot to change instruction after renaming.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::nearestIntDouble):
(JSC::MacroAssemblerARM64::nearestIntFloat):
2016-12-02 Keith Miller <keith_miller@apple.com>
Add Wasm floating point nearest and trunc
https://bugs.webkit.org/show_bug.cgi?id=165339
Reviewed by Filip Pizlo.
This patch also allows any wasm primitive type to be passed as a
string.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::nearestIntDouble):
(JSC::MacroAssemblerARM64::nearestIntFloat):
(JSC::MacroAssemblerARM64::truncDouble):
(JSC::MacroAssemblerARM64::truncFloat):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::nearestIntDouble):
(JSC::MacroAssemblerX86Common::nearestIntFloat):
* jsc.cpp:
(box):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::F64Nearest>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::F32Nearest>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::F64Trunc>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::F32Trunc>):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
2016-12-02 JF Bastien <jfbastien@apple.com>
WebAssembly: revert patch causing odd breakage
https://bugs.webkit.org/show_bug.cgi?id=165308
Unreviewed.
Bug #164724 seems to cause build issues which I haven't tracked down yet. WasmOps.h can't be found:
./Source/JavaScriptCore/wasm/WasmFormat.h:34:10: fatal error: 'WasmOps.h' file not found
It's weird since the file is auto-generated and has been for a while. #164724 merely includes it in WasmFormat.h.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::zeroForType):
(JSC::Wasm::B3IRGenerator::addConstant):
(JSC::Wasm::createJSWrapper):
* wasm/WasmCallingConvention.h:
(JSC::Wasm::CallingConvention::marshallArgument):
* wasm/WasmFormat.cpp:
(JSC::Wasm::toString):
* wasm/WasmFormat.h:
(JSC::Wasm::toB3Type):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parse):
(JSC::Wasm::ModuleParser::parseType):
* wasm/WasmModuleParser.h:
* wasm/WasmParser.h:
(JSC::Wasm::Parser::parseResultType):
* wasm/generateWasm.py:
(Wasm.__init__):
* wasm/generateWasmOpsHeader.py:
(cppMacro):
(opcodeMacroizer):
(typeMacroizer): Deleted.
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction):
* wasm/wasm.json:
2016-12-01 Brian Burg <bburg@apple.com>
Remote Inspector: fix weird typo in generated ObjC protocol type initializer implementations
https://bugs.webkit.org/show_bug.cgi?id=165295
<rdar://problem/29427778>
Reviewed by Joseph Pecoraro.
Remove a stray semicolon appended after custom initializer signatures.
This is a syntax error when building with less lenient compiler warnings.
* inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
(ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2016-12-01 Saam Barati <sbarati@apple.com>
Rename CallFrame::callee() to CallFrame::jsCallee()
https://bugs.webkit.org/show_bug.cgi?id=165293
Reviewed by Keith Miller.
Wasm will soon have its own Callee that doesn't derive
from JSObject, but derives from JSCell. I want to introduce
a new function like:
```
CalleeBase* CallFrame::callee()
```
once we have a Wasm callee. It only makes sense to name that
function callee() and rename the current one turn to:
```
JSObject* CallFrame::jsCallee()
```
* API/APICallbackFunction.h:
(JSC::APICallbackFunction::call):
(JSC::APICallbackFunction::construct):
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::construct):
(JSC::JSCallbackObject<Parent>::call):
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::scope):
(JSC::DebuggerCallFrame::type):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::friendlyFunctionName):
* interpreter/CallFrame.h:
(JSC::ExecState::jsCallee):
(JSC::ExecState::callee): Deleted.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::dumpRegisters):
(JSC::notifyDebuggerOfUnwinding):
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::update):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::readNonInlinedFrame):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::traceFunctionPrologue):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ArrayConstructor.cpp:
(JSC::constructArrayWithSizeQuirk):
* runtime/AsyncFunctionConstructor.cpp:
(JSC::callAsyncFunctionConstructor):
(JSC::constructAsyncFunctionConstructor):
* runtime/BooleanConstructor.cpp:
(JSC::constructWithBooleanConstructor):
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createWithInlineFrame):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::arityCheckFor):
* runtime/DateConstructor.cpp:
(JSC::constructWithDateConstructor):
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::createByCopying):
* runtime/Error.h:
(JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
(JSC::StrictModeTypeErrorFunction::callThrowTypeError):
* runtime/ErrorConstructor.cpp:
(JSC::Interpreter::constructWithErrorConstructor):
(JSC::Interpreter::callErrorConstructor):
* runtime/FunctionConstructor.cpp:
(JSC::constructWithFunctionConstructor):
(JSC::callFunctionConstructor):
* runtime/GeneratorFunctionConstructor.cpp:
(JSC::callGeneratorFunctionConstructor):
(JSC::constructGeneratorFunctionConstructor):
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::createSubclassStructure):
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::initializeCollator):
* runtime/IntlCollatorConstructor.cpp:
(JSC::constructIntlCollator):
(JSC::callIntlCollator):
(JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
* runtime/IntlDateTimeFormatConstructor.cpp:
(JSC::constructIntlDateTimeFormat):
(JSC::callIntlDateTimeFormat):
(JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat):
* runtime/IntlNumberFormatConstructor.cpp:
(JSC::constructIntlNumberFormat):
(JSC::callIntlNumberFormat):
(JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
* runtime/IntlObject.cpp:
(JSC::canonicalizeLocaleList):
(JSC::defaultLocale):
(JSC::lookupSupportedLocales):
(JSC::intlObjectFuncGetCanonicalLocales):
* runtime/JSArrayBufferConstructor.cpp:
(JSC::constructArrayBuffer):
* runtime/JSArrayBufferPrototype.cpp:
(JSC::arrayBufferProtoFuncSlice):
* runtime/JSBoundFunction.cpp:
(JSC::boundThisNoArgsFunctionCall):
(JSC::boundFunctionCall):
(JSC::boundThisNoArgsFunctionConstruct):
(JSC::boundFunctionConstruct):
* runtime/JSCellInlines.h:
(JSC::ExecState::vm):
* runtime/JSCustomGetterSetterFunction.cpp:
(JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
* runtime/JSFunction.cpp:
(JSC::callHostFunctionAsConstructor):
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayView):
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncEval):
* runtime/JSInternalPromiseConstructor.cpp:
(JSC::constructPromise):
* runtime/JSMapIterator.cpp:
(JSC::JSMapIterator::createPair):
(JSC::JSMapIterator::clone):
* runtime/JSNativeStdFunction.cpp:
(JSC::runStdFunction):
* runtime/JSPromiseConstructor.cpp:
(JSC::constructPromise):
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::clone):
* runtime/JSScope.h:
(JSC::ExecState::lexicalGlobalObject):
* runtime/JSSetIterator.cpp:
(JSC::JSSetIterator::createPair):
(JSC::JSSetIterator::clone):
* runtime/JSStringIterator.cpp:
(JSC::JSStringIterator::clone):
* runtime/MapConstructor.cpp:
(JSC::constructMap):
* runtime/MapPrototype.cpp:
(JSC::mapProtoFuncValues):
(JSC::mapProtoFuncEntries):
(JSC::mapProtoFuncKeys):
(JSC::privateFuncMapIterator):
* runtime/NativeErrorConstructor.cpp:
(JSC::Interpreter::constructWithNativeErrorConstructor):
(JSC::Interpreter::callNativeErrorConstructor):
* runtime/ObjectConstructor.cpp:
(JSC::constructObject):
* runtime/ProxyObject.cpp:
(JSC::performProxyCall):
(JSC::performProxyConstruct):
* runtime/ProxyRevoke.cpp:
(JSC::performProxyRevoke):
* runtime/RegExpConstructor.cpp:
(JSC::constructWithRegExpConstructor):
(JSC::callRegExpConstructor):
* runtime/ScopedArguments.cpp:
(JSC::ScopedArguments::createByCopying):
* runtime/SetConstructor.cpp:
(JSC::constructSet):
* runtime/SetPrototype.cpp:
(JSC::setProtoFuncValues):
(JSC::setProtoFuncEntries):
(JSC::privateFuncSetIterator):
* runtime/StringConstructor.cpp:
(JSC::constructWithStringConstructor):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncIterator):
* runtime/WeakMapConstructor.cpp:
(JSC::constructWeakMap):
* runtime/WeakSetConstructor.cpp:
(JSC::constructWeakSet):
* wasm/js/WebAssemblyCompileErrorConstructor.cpp:
(JSC::constructJSWebAssemblyCompileError):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction):
* wasm/js/WebAssemblyModuleConstructor.cpp:
(JSC::constructJSWebAssemblyModule):
* wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
(JSC::constructJSWebAssemblyRuntimeError):
2016-12-01 Brian Burg <bburg@apple.com>
Web Inspector: generated code should use a framework-style import for *ProtocolArrayConversions.h
https://bugs.webkit.org/show_bug.cgi?id=165281
<rdar://problem/29427778>
Reviewed by Joseph Pecoraro.
* inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
(ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/expected/enum-values.json-result:
* inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
* inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
* inspector/scripts/tests/expected/type-declaration-array-type.json-result:
* inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
* inspector/scripts/tests/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2016-12-01 Geoffrey Garen <ggaren@apple.com>
SourceCodeKey should use unlinked source code
https://bugs.webkit.org/show_bug.cgi?id=165286
Reviewed by Saam Barati.
This patch splits out UnlinkedSourceCode from SourceCode, and deploys
UnlinkedSourceCode in SourceCodeKey.
It's misleading to store SourceCode in SourceCodeKey because SourceCode
has an absolute location whereas unlinked cached code has no location.
I plan to deploy UnlinkedSourceCode in more places, to indicate code
that has no absolute location.
* JavaScriptCore.xcodeproj/project.pbxproj:
* parser/SourceCode.cpp:
(JSC::UnlinkedSourceCode::toUTF8):
(JSC::SourceCode::toUTF8): Deleted.
* parser/SourceCode.h:
(JSC::SourceCode::SourceCode):
(JSC::SourceCode::startColumn):
(JSC::SourceCode::isHashTableDeletedValue): Deleted.
(JSC::SourceCode::hash): Deleted.
(JSC::SourceCode::view): Deleted.
(JSC::SourceCode::providerID): Deleted.
(JSC::SourceCode::isNull): Deleted.
(JSC::SourceCode::provider): Deleted.
(JSC::SourceCode::startOffset): Deleted.
(JSC::SourceCode::endOffset): Deleted.
(JSC::SourceCode::length): Deleted. Move a bunch of stuff in to a new
base class, UnlinkedSourceCode.
* parser/SourceCodeKey.h:
(JSC::SourceCodeKey::SourceCodeKey): Use UnlinkedSourceCode since code
in the cache has no location.
* parser/UnlinkedSourceCode.h: Copied from Source/JavaScriptCore/parser/SourceCode.h.
(JSC::UnlinkedSourceCode::UnlinkedSourceCode):
(JSC::UnlinkedSourceCode::provider):
(JSC::SourceCode::SourceCode): Deleted.
(JSC::SourceCode::isHashTableDeletedValue): Deleted.
(JSC::SourceCode::hash): Deleted.
(JSC::SourceCode::view): Deleted.
(JSC::SourceCode::providerID): Deleted.
(JSC::SourceCode::isNull): Deleted.
(JSC::SourceCode::provider): Deleted.
(JSC::SourceCode::firstLine): Deleted.
(JSC::SourceCode::startColumn): Deleted.
(JSC::SourceCode::startOffset): Deleted.
(JSC::SourceCode::endOffset): Deleted.
(JSC::SourceCode::length): Deleted.
(JSC::makeSource): Deleted.
(JSC::SourceCode::subExpression): Deleted.
* runtime/CodeCache.h: Use UnlinkedSourceCode in the cache.
2016-12-01 Keith Miller <keith_miller@apple.com>
Add wasm int to floating point opcodes
https://bugs.webkit.org/show_bug.cgi?id=165252
Reviewed by Geoffrey Garen.
This patch adds support for the Wasm integral type => floating point
type conversion opcodes. Most of these were already supported by B3
however there was no support for uint64 to float/double. Unfortunately,
AFAIK x86_64 does not have a single instruction that performs this
conversion. Since there is a signed conversion instruction on x86 we
use that for all uint64s that don't have the top bit set. If they do have
the top bit set we need to divide by 2 (rounding up) then convert the number
with the signed conversion then double the result.
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::convertUInt64ToDouble):
(JSC::MacroAssemblerX86_64::convertUInt64ToFloat):
* jsc.cpp:
(valueWithTypeOfWasmValue):
(box):
(functionTestWasmModuleFunctions):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* wasm/wasm.json:
2016-12-01 Geoffrey Garen <ggaren@apple.com>
Renamed EvalCodeCache => DirectEvalCodeCache
https://bugs.webkit.org/show_bug.cgi?id=165271
Reviewed by Saam Barati.
We only use this cache for DirectEval, not IndirectEval.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::DirectEvalCodeCache::visitAggregate):
(JSC::CodeBlock::stronglyVisitStrongReferences):
(JSC::EvalCodeCache::visitAggregate): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::directEvalCodeCache):
(JSC::CodeBlock::evalCodeCache): Deleted.
* bytecode/DirectEvalCodeCache.h: Copied from Source/JavaScriptCore/bytecode/EvalCodeCache.h.
(JSC::EvalCodeCache::CacheKey::CacheKey): Deleted.
(JSC::EvalCodeCache::CacheKey::hash): Deleted.
(JSC::EvalCodeCache::CacheKey::isEmptyValue): Deleted.
(JSC::EvalCodeCache::CacheKey::operator==): Deleted.
(JSC::EvalCodeCache::CacheKey::isHashTableDeletedValue): Deleted.
(JSC::EvalCodeCache::CacheKey::Hash::hash): Deleted.
(JSC::EvalCodeCache::CacheKey::Hash::equal): Deleted.
(JSC::EvalCodeCache::tryGet): Deleted.
(JSC::EvalCodeCache::set): Deleted.
(JSC::EvalCodeCache::isEmpty): Deleted.
(JSC::EvalCodeCache::clear): Deleted.
* bytecode/EvalCodeCache.h: Removed.
* interpreter/Interpreter.cpp:
(JSC::eval):
* runtime/DirectEvalExecutable.cpp:
(JSC::DirectEvalExecutable::create):
2016-12-01 Geoffrey Garen <ggaren@apple.com>
Removed some unnecessary indirection in code generation
https://bugs.webkit.org/show_bug.cgi?id=165264
Reviewed by Keith Miller.
There's no need to route through JSGlobalObject when producing code --
it just made the code harder to read.
This patch moves functions from JSGlobalObject to their singleton
call sites.
* runtime/CodeCache.cpp:
(JSC::CodeCache::getUnlinkedEvalCodeBlock):
(JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock): Deleted.
* runtime/CodeCache.h:
* runtime/DirectEvalExecutable.cpp:
(JSC::DirectEvalExecutable::create):
* runtime/IndirectEvalExecutable.cpp:
(JSC::IndirectEvalExecutable::create):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::createProgramCodeBlock): Deleted.
(JSC::JSGlobalObject::createLocalEvalCodeBlock): Deleted.
(JSC::JSGlobalObject::createGlobalEvalCodeBlock): Deleted.
(JSC::JSGlobalObject::createModuleProgramCodeBlock): Deleted.
* runtime/JSGlobalObject.h:
* runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::create):
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::initializeGlobalProperties):
* runtime/ProgramExecutable.h:
2016-11-30 Darin Adler <darin@apple.com>
Roll out StringBuilder changes from the previous patch.
They were a slowdown on a Kraken JSON test.
* runtime/JSONObject.cpp:
Roll out changes from below.
2016-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Specifying same module entry point multiple times cause TypeError
https://bugs.webkit.org/show_bug.cgi?id=164858
Reviewed by Saam Barati.
Allow importing the same module multiple times. Previously, when specifying the same
module in the <script type="module" src="here">, it throws TypeError.
* builtins/ModuleLoaderPrototype.js:
(requestFetch):
(requestTranslate):
(requestInstantiate):
(requestSatisfy):
2016-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
WebAssembly JS API: export a module namespace object instead of a module environment
https://bugs.webkit.org/show_bug.cgi?id=165121
Reviewed by Saam Barati.
This patch setup AbstractModuleRecord further for WebAssemblyModuleRecord.
For exported entries in a wasm instance, we set up exported entries for
AbstractModuleRecord. This allows us to export WASM exported functions in
the module handling code.
Since the exported entries in the abstract module record are correctly
instantiated, the module namespace object for WASM module also starts
working correctly. So we start exposing the module namespace object
as `instance.exports` instead of the module environment object.
And we move SourceCode, lexicalVariables, and declaredVariables fields to
JSModuleRecord since they are related to JS source code (in the spec words,
they are related to the source text module record).
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::AbstractModuleRecord):
* runtime/AbstractModuleRecord.h:
(JSC::AbstractModuleRecord::sourceCode): Deleted.
(JSC::AbstractModuleRecord::declaredVariables): Deleted.
(JSC::AbstractModuleRecord::lexicalVariables): Deleted.
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::JSModuleRecord):
* runtime/JSModuleRecord.h:
(JSC::JSModuleRecord::sourceCode):
(JSC::JSModuleRecord::declaredVariables):
(JSC::JSModuleRecord::lexicalVariables):
* wasm/WasmFormat.cpp:
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::finishCreation):
* wasm/js/WebAssemblyFunction.cpp:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::create):
(JSC::WebAssemblyModuleRecord::WebAssemblyModuleRecord):
(JSC::WebAssemblyModuleRecord::finishCreation):
WebAssemblyModuleRecord::link should perform linking things.
So allocating exported entries should be done here.
(JSC::WebAssemblyModuleRecord::link):
* wasm/js/WebAssemblyModuleRecord.h:
2016-11-30 Mark Lam <mark.lam@apple.com>
TypeInfo::OutOfLineTypeFlags should be 16 bits in size.
https://bugs.webkit.org/show_bug.cgi?id=165224
Reviewed by Saam Barati.
There's no reason for OutOfLineTypeFlags to be constraint to 8 bits since the
space is available to us. Making OutOfLineTypeFlags 16 bits brings TypeInfo up
to 32 bits in size from the current 24 bits.
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):
2016-11-30 Joseph Pecoraro <pecoraro@apple.com>
REGRESSION: inspector/sampling-profiler/* LayoutTests are flaky timeouts
https://bugs.webkit.org/show_bug.cgi?id=164388
<rdar://problem/29101555>
Reviewed by Saam Barati.
There was a possibility of a deadlock between the main thread and the GC thread
with the SamplingProfiler lock when Inspector is processing samples to send to
the frontend. The Inspector (main thread) was holding the SamplingProfiler lock
while processing samples, which runs JavaScript that could trigger a GC, and
GC then tries to acquire the SamplingProfiler lock to process unprocessed samples.
A simple solution here is to tighten the bounds of when Inspector holds the
SamplingProfiler lock. It only needs the lock when extracting samples from
the SamplingProfiler. It doesn't need to hold the lock for processing those
samples, which is what can run script and cause a GC.
* inspector/agents/InspectorScriptProfilerAgent.cpp:
(Inspector::InspectorScriptProfilerAgent::trackingComplete):
Tighten bounds of this lock to only where it is needed.
2016-11-30 Mark Lam <mark.lam@apple.com>
Proxy is not allowed in the global prototype chain.
https://bugs.webkit.org/show_bug.cgi?id=165205
Reviewed by Geoffrey Garen.
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::initializeGlobalProperties):
- We'll now throw a TypeError if we detect a Proxy in the global prototype chain.
2016-11-30 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r209112.
https://bugs.webkit.org/show_bug.cgi?id=165208
"It regressed Octane/Raytrace and JetStream" (Requested by
saamyjoon on #webkit).
Reverted changeset:
"We should support CreateThis in the FTL"
https://bugs.webkit.org/show_bug.cgi?id=164904
http://trac.webkit.org/changeset/209112
2016-11-30 Darin Adler <darin@apple.com>
Streamline and speed up tokenizer and segmented string classes
https://bugs.webkit.org/show_bug.cgi?id=165003
Reviewed by Sam Weinig.
* runtime/JSONObject.cpp:
(JSC::Stringifier::appendStringifiedValue): Use viewWithUnderlyingString when calling
StringBuilder::appendQuotedJSONString, since it now takes a StringView and there is
no benefit in creating a String for that function if one doesn't already exist.
2016-11-29 JF Bastien <jfbastien@apple.com>
WebAssembly JS API: improve Instance
https://bugs.webkit.org/show_bug.cgi?id=164757
Reviewed by Keith Miller.
An Instance's `exports` property wasn't populated with exports.
According to the spec [0], `exports` should present itself as a WebAssembly
Module Record. In order to do this we need to split JSModuleRecord into
AbstractModuleRecord (without the `link` and `evaluate` functions), and
JSModuleRecord (which implements link and evaluate). We can then have a separate
WebAssemblyModuleRecord which shares most of the implementation.
`exports` then maps function names to WebAssemblyFunction and
WebAssemblyFunctionCell, which call into the B3-generated WebAssembly code.
A follow-up patch will do imports.
A few things of note:
- Use Identifier instead of String. They get uniqued, we need them for the JSModuleNamespaceObject. This is safe because JSWebAssemblyModule creation is on the main thread.
- JSWebAssemblyInstance needs to refer to the JSWebAssemblyModule used to create it, because the module owns the code, identifiers, etc. The world would be very sad if it got GC'd.
- Instance.exports shouldn't use putWithoutTransition because it affects all Structures, whereas here each instance needs its own exports.
- Expose the compiled functions, and pipe them to the InstanceConstructor. Start moving things around to split JSModuleRecord out into JS and WebAssembly parts.
[0]: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyinstance-constructor
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/AbstractModuleRecord.cpp: Copied from Source/JavaScriptCore/runtime/JSModuleRecord.cpp, which I split in two
(JSC::AbstractModuleRecord::AbstractModuleRecord):
(JSC::AbstractModuleRecord::destroy):
(JSC::AbstractModuleRecord::finishCreation):
(JSC::AbstractModuleRecord::visitChildren):
(JSC::AbstractModuleRecord::appendRequestedModule):
(JSC::AbstractModuleRecord::addStarExportEntry):
(JSC::AbstractModuleRecord::addImportEntry):
(JSC::AbstractModuleRecord::addExportEntry):
(JSC::identifierToJSValue):
(JSC::AbstractModuleRecord::hostResolveImportedModule):
(JSC::AbstractModuleRecord::ResolveQuery::ResolveQuery):
(JSC::AbstractModuleRecord::ResolveQuery::isEmptyValue):
(JSC::AbstractModuleRecord::ResolveQuery::isDeletedValue):
(JSC::AbstractModuleRecord::ResolveQuery::Hash::hash):
(JSC::AbstractModuleRecord::ResolveQuery::Hash::equal):
(JSC::AbstractModuleRecord::cacheResolution):
(JSC::getExportedNames):
(JSC::AbstractModuleRecord::getModuleNamespace):
(JSC::printableName):
(JSC::AbstractModuleRecord::dump):
* runtime/AbstractModuleRecord.h: Copied from Source/JavaScriptCore/runtime/JSModuleRecord.h.
(JSC::AbstractModuleRecord::ImportEntry::isNamespace):
(JSC::AbstractModuleRecord::sourceCode):
(JSC::AbstractModuleRecord::moduleKey):
(JSC::AbstractModuleRecord::requestedModules):
(JSC::AbstractModuleRecord::exportEntries):
(JSC::AbstractModuleRecord::importEntries):
(JSC::AbstractModuleRecord::starExportEntries):
(JSC::AbstractModuleRecord::declaredVariables):
(JSC::AbstractModuleRecord::lexicalVariables):
(JSC::AbstractModuleRecord::moduleEnvironment):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::webAssemblyModuleRecordStructure):
(JSC::JSGlobalObject::webAssemblyFunctionStructure):
* runtime/JSModuleEnvironment.cpp:
(JSC::JSModuleEnvironment::create):
(JSC::JSModuleEnvironment::finishCreation):
(JSC::JSModuleEnvironment::getOwnPropertySlot):
(JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
(JSC::JSModuleEnvironment::put):
(JSC::JSModuleEnvironment::deleteProperty):
* runtime/JSModuleEnvironment.h:
(JSC::JSModuleEnvironment::create):
(JSC::JSModuleEnvironment::offsetOfModuleRecord):
(JSC::JSModuleEnvironment::allocationSize):
(JSC::JSModuleEnvironment::moduleRecord):
(JSC::JSModuleEnvironment::moduleRecordSlot):
* runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::finishCreation):
(JSC::JSModuleNamespaceObject::getOwnPropertySlot):
* runtime/JSModuleNamespaceObject.h:
(JSC::JSModuleNamespaceObject::create):
(JSC::JSModuleNamespaceObject::moduleRecord):
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::createStructure):
(JSC::JSModuleRecord::create):
(JSC::JSModuleRecord::JSModuleRecord):
(JSC::JSModuleRecord::destroy):
(JSC::JSModuleRecord::finishCreation):
(JSC::JSModuleRecord::visitChildren):
(JSC::JSModuleRecord::instantiateDeclarations):
* runtime/JSModuleRecord.h:
* runtime/JSScope.cpp:
(JSC::abstractAccess):
(JSC::JSScope::collectClosureVariablesUnderTDZ):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* wasm/JSWebAssembly.h:
* wasm/WasmFormat.h: use Identifier instead of String
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parse):
(JSC::Wasm::ModuleParser::parseType):
(JSC::Wasm::ModuleParser::parseImport): fix off-by-one
(JSC::Wasm::ModuleParser::parseFunction):
(JSC::Wasm::ModuleParser::parseExport):
* wasm/WasmModuleParser.h:
(JSC::Wasm::ModuleParser::ModuleParser):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::run):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
(JSC::JSWebAssemblyInstance::finishCreation):
(JSC::JSWebAssemblyInstance::visitChildren):
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::module):
* wasm/js/JSWebAssemblyModule.cpp:
(JSC::JSWebAssemblyModule::create):
(JSC::JSWebAssemblyModule::finishCreation):
(JSC::JSWebAssemblyModule::visitChildren):
* wasm/js/JSWebAssemblyModule.h:
(JSC::JSWebAssemblyModule::moduleInformation):
(JSC::JSWebAssemblyModule::compiledFunctions):
(JSC::JSWebAssemblyModule::exportSymbolTable):
* wasm/js/WebAssemblyFunction.cpp: Added.
(JSC::callWebAssemblyFunction):
(JSC::WebAssemblyFunction::create):
(JSC::WebAssemblyFunction::createStructure):
(JSC::WebAssemblyFunction::WebAssemblyFunction):
(JSC::WebAssemblyFunction::visitChildren):
(JSC::WebAssemblyFunction::finishCreation):
* wasm/js/WebAssemblyFunction.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
(JSC::CallableWebAssemblyFunction::CallableWebAssemblyFunction):
(JSC::WebAssemblyFunction::webAssemblyFunctionCell):
* wasm/js/WebAssemblyFunctionCell.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h.
(JSC::WebAssemblyFunctionCell::create):
(JSC::WebAssemblyFunctionCell::WebAssemblyFunctionCell):
(JSC::WebAssemblyFunctionCell::destroy):
(JSC::WebAssemblyFunctionCell::createStructure):
* wasm/js/WebAssemblyFunctionCell.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h.
(JSC::WebAssemblyFunctionCell::function):
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyModuleConstructor.cpp:
(JSC::constructJSWebAssemblyModule):
* wasm/js/WebAssemblyModuleRecord.cpp: Added.
(JSC::WebAssemblyModuleRecord::createStructure):
(JSC::WebAssemblyModuleRecord::create):
(JSC::WebAssemblyModuleRecord::WebAssemblyModuleRecord):
(JSC::WebAssemblyModuleRecord::destroy):
(JSC::WebAssemblyModuleRecord::finishCreation):
(JSC::WebAssemblyModuleRecord::visitChildren):
(JSC::WebAssemblyModuleRecord::link):
(JSC::WebAssemblyModuleRecord::evaluate):
* wasm/js/WebAssemblyModuleRecord.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
2016-11-29 Saam Barati <sbarati@apple.com>
We should be able optimize the pattern where we spread a function's rest parameter to another call
https://bugs.webkit.org/show_bug.cgi?id=163865
Reviewed by Filip Pizlo.
This patch optimizes the following patterns to prevent both the allocation
of the rest parameter, and the execution of the iterator protocol:
```
function foo(...args) {
let arr = [...args];
}
and
function foo(...args) {
bar(...args);
}
```
To do this, I've extended the arguments elimination phase to reason
about Spread and NewArrayWithSpread. I've added two new nodes, PhantomSpread
and PhantomNewArrayWithSpread. PhantomSpread is only allowed over rest
parameters that don't escape. If the rest parameter *does* escape, we can't
convert the spread into a phantom because it would not be sound w.r.t JS
semantics because we would be reading from the call frame even though
the rest array may have changed.
Note that NewArrayWithSpread also understands what to do when one of its
arguments is PhantomSpread(@PhantomCreateRest) even if it itself is escaped.
PhantomNewArrayWithSpread is only allowed over a series of
PhantomSpread(@PhantomCreateRest) nodes. Like with PhantomSpread, PhantomNewArrayWithSpread
is only allowed if none of its arguments that are being spread are escaped
and if it itself is not escaped.
Because there is a dependency between a node being a candidate and
the escaped state of the node's children, I've extended the notion
of escaping a node inside the arguments elimination phase. Now, when
any node is escaped, we must consider all other candidates that are may
now no longer be valid.
For example:
```
function foo(...args) {
escape(args);
bar(...args);
}
```
In the above program, we don't know if the function call to escape()
modifies args, therefore, the spread can not become phantom because
the execution of the spread may not be as simple as reading the
arguments from the call frame.
Unfortunately, the arguments elimination phase does not consider control
flow when doing its escape analysis. It would be good to integrate this
phase with the object allocation sinking phase. To see why, consider
an example where we don't eliminate the spread and allocation of the rest
parameter even though we could:
```
function foo(rareCondition, ...args) {
bar(...args);
if (rareCondition)
baz(args);
}
```
There are only a few users of the PhantomSpread and PhantomNewArrayWithSpread
nodes. PhantomSpread is only used by PhantomNewArrayWithSpread and NewArrayWithSpread.
PhantomNewArrayWithSpread is only used by ForwardVarargs and the various
*Call*ForwardVarargs nodes. The users of these phantoms know how to produce
what the phantom node would have produced. For example, NewArrayWithSpread
knows how to produce the values that would have been produced by PhantomSpread(@PhantomCreateRest)
by directly reading from the call frame.
This patch is a 6% speedup on my MBP on ES6SampleBench.
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::tryAppendLea):
* b3/B3ValueRep.h:
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createDefaultConstructor):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGForAllKills.h:
(JSC::DFG::forAllKillsInBlock):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasConstant):
(JSC::DFG::Node::constant):
(JSC::DFG::Node::bitVector):
(JSC::DFG::Node::isPhantomAllocation):
* dfg/DFGNodeType.h:
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::OSRAvailabilityAnalysisPhase::run):
(JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
(JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
* dfg/DFGOSRAvailabilityAnalysisPhase.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGPromotedHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGPromotedHeapLocation.h:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGValidate.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
(JSC::FTL::DFG::LowerDFGToB3::getSpreadLengthFromInlineCallFrame):
(JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationPopulateObjectInOSR):
(JSC::FTL::operationMaterializeObjectInOSR):
* jit/SetupVarargsFrame.cpp:
(JSC::emitSetupVarargsFrameFastCase):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionMaxArguments):
* runtime/JSFixedArray.h:
(JSC::JSFixedArray::createFromArray):
2016-11-29 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r209058 and r209074.
https://bugs.webkit.org/show_bug.cgi?id=165188
These changes caused API test StringBuilderTest.Equal to crash
and/or fail. (Requested by ryanhaddad on #webkit).
Reverted changesets:
"Streamline and speed up tokenizer and segmented string
classes"
https://bugs.webkit.org/show_bug.cgi?id=165003
http://trac.webkit.org/changeset/209058
"REGRESSION (r209058): API test StringBuilderTest.Equal
crashing"
https://bugs.webkit.org/show_bug.cgi?id=165142
http://trac.webkit.org/changeset/209074
2016-11-29 Caitlin Potter <caitp@igalia.com>
[JSC] always wrap AwaitExpression operand in a new Promise
https://bugs.webkit.org/show_bug.cgi?id=165181
Reviewed by Yusuke Suzuki.
Ensure operand of AwaitExpression is wrapped in a new Promise by
explicitly creating a new Promise Capability and invoking its
resolve callback. This avoids the specified short-circuit for
Promise.resolve().
* builtins/AsyncFunctionPrototype.js:
(globalPrivate.asyncFunctionResume):
2016-11-29 Saam Barati <sbarati@apple.com>
We should support CreateThis in the FTL
https://bugs.webkit.org/show_bug.cgi?id=164904
Reviewed by Geoffrey Garen.
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
(JSC::FTL::DFG::LowerDFGToB3::storeStructure):
(JSC::FTL::DFG::LowerDFGToB3::allocateCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
* runtime/Structure.h:
2016-11-29 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in runtime/RegExp* files.
https://bugs.webkit.org/show_bug.cgi?id=165054
Reviewed by Saam Barati.
Also replaced returning JSValue() with returning { }.
* runtime/RegExpConstructor.cpp:
(JSC::toFlags):
(JSC::regExpCreate):
(JSC::constructRegExp):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::defineOwnProperty):
(JSC::collectMatches):
(JSC::RegExpObject::matchGlobal):
* runtime/RegExpObjectInlines.h:
(JSC::getRegExpObjectLastIndexAsUnsigned):
(JSC::RegExpObject::execInline):
(JSC::RegExpObject::matchInline):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncCompile):
(JSC::flagsString):
(JSC::regExpProtoFuncToString):
(JSC::regExpProtoFuncSplitFast):
2016-11-29 Andy Estes <aestes@apple.com>
[Cocoa] Enable two clang warnings recommended by Xcode
https://bugs.webkit.org/show_bug.cgi?id=164498
Reviewed by Mark Lam.
* Configurations/Base.xcconfig: Enabled CLANG_WARN_INFINITE_RECURSION and CLANG_WARN_SUSPICIOUS_MOVE.
2016-11-29 Keith Miller <keith_miller@apple.com>
Add simple way to implement Wasm ops that require more than one B3 opcode
https://bugs.webkit.org/show_bug.cgi?id=165129
Reviewed by Geoffrey Garen.
This patch adds a simple way to show the B3IRGenerator opcode script how
to generate code for Wasm opcodes that do not have a one to one mapping.
The syntax is pretty simple right now. There are only three things one
can use as of this patch (although more things might be added in the future)
1) Wasm opcode arguments: These are referred to as @<argument_number>. For example,
I32.sub would map to Sub(@0, @1).
2) 32-bit int constants: These are reffered to as i32(<value>). For example, i32.inc
would map to Add(@0, i32(1))
3) B3 opcodes: These are referred to as the B3 opcode name followed by the B3Value's constructor
arguments. A value may take the result of another value as an argument. For example, you can do
Div(Mul(@0, Add(@0, i32(1))), i32(2)) if there was a b3 opcode that computed the sum from 1 to n.
These scripts are used to implement Wasm's eqz and floating point max/min opcodes. This patch
also adds missing support for the Wasm Neg opcodes.
* jsc.cpp:
(box):
(functionTestWasmModuleFunctions):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::toB3Op): Deleted.
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseBody):
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parseType):
* wasm/WasmParser.h:
(JSC::Wasm::Parser::parseUInt8):
(JSC::Wasm::Parser::parseValueType):
* wasm/generateWasmB3IRGeneratorInlinesHeader.py:
(Source):
(Source.__init__):
(read):
(lex):
(CodeGenerator):
(CodeGenerator.__init__):
(CodeGenerator.advance):
(CodeGenerator.token):
(CodeGenerator.parseError):
(CodeGenerator.consume):
(CodeGenerator.generateParameters):
(CodeGenerator.generateOpcode):
(CodeGenerator.generate):
(temp):
(generateB3OpCode):
(generateI32ConstCode):
(generateB3Code):
(generateSimpleCode):
* wasm/wasm.json:
2016-11-29 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in ProxyConstructor.cpp and ProxyObject.cpp.
https://bugs.webkit.org/show_bug.cgi?id=165053
Reviewed by Saam Barati.
Also replaced returning JSValue() with returning { }.
* runtime/ProxyConstructor.cpp:
(JSC::constructProxyObject):
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::structureForTarget):
(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::getOwnPropertySlotCommon):
(JSC::ProxyObject::performPut):
(JSC::ProxyObject::putByIndexCommon):
(JSC::performProxyCall):
(JSC::performProxyConstruct):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::performPreventExtensions):
(JSC::ProxyObject::performIsExtensible):
(JSC::ProxyObject::performDefineOwnProperty):
(JSC::ProxyObject::performGetOwnPropertyNames):
(JSC::ProxyObject::performSetPrototype):
(JSC::ProxyObject::performGetPrototype):
2016-11-28 Matt Baker <mattbaker@apple.com>
Web Inspector: Debugger should have an option for showing asynchronous call stacks
https://bugs.webkit.org/show_bug.cgi?id=163230
<rdar://problem/28698683>
Reviewed by Joseph Pecoraro.
* inspector/ScriptCallFrame.cpp:
(Inspector::ScriptCallFrame::isNative):
Encapsulate check for native code source URL.
* inspector/ScriptCallFrame.h:
* inspector/ScriptCallStack.cpp:
(Inspector::ScriptCallStack::firstNonNativeCallFrame):
(Inspector::ScriptCallStack::buildInspectorArray):
* inspector/ScriptCallStack.h:
Replace use of Console::StackTrace with Array<Console::CallFrame>.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::disable):
(Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
Set number of async frames to store (including boundary frames).
A value of zero disables recording of async call stacks.
(Inspector::InspectorDebuggerAgent::buildAsyncStackTrace):
Helper function for building a linked list StackTraces.
(Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
Store a call stack for the script that scheduled the async call.
If the call repeats (e.g. setInterval), the starting reference count is
set to 1. This ensures that dereffing after dispatch won't clear the stack.
If another async call is currently being dispatched, increment the
AsyncCallData reference count for that call.
(Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
Decrement the reference count for the canceled call.
(Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
Set the identifier for the async callback currently being dispatched,
so that if the debugger pauses during dispatch a stack trace can be
associated with the pause location. If an async call is already being
dispatched, which could be the case when a script schedules an async
call in a nested runloop, do nothing.
(Inspector::InspectorDebuggerAgent::didDispatchAsyncCall):
Decrement the reference count for the canceled call.
(Inspector::InspectorDebuggerAgent::didPause):
If a stored stack trace exists for this location, convert to a protocol
object and send to the frontend.
(Inspector::InspectorDebuggerAgent::didClearGlobalObject):
(Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
(Inspector::InspectorDebuggerAgent::refAsyncCallData):
Increment AsyncCallData reference count.
(Inspector::InspectorDebuggerAgent::derefAsyncCallData):
Decrement AsyncCallData reference count. If zero, deref its parent
(if it exists) and remove the AsyncCallData entry.
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/protocol/Console.json:
* inspector/protocol/Network.json:
Replace use of Console.StackTrace with array of Console.CallFrame.
* inspector/protocol/Debugger.json:
New protocol command and event data.
2016-11-28 Darin Adler <darin@apple.com>
Streamline and speed up tokenizer and segmented string classes
https://bugs.webkit.org/show_bug.cgi?id=165003
Reviewed by Sam Weinig.
* runtime/JSONObject.cpp:
(JSC::Stringifier::appendStringifiedValue): Use viewWithUnderlyingString when calling
StringBuilder::appendQuotedJSONString, since it now takes a StringView and there is
no benefit in creating a String for that function if one doesn't already exist.
2016-11-21 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in runtime/Intl* files.
https://bugs.webkit.org/show_bug.cgi?id=165014
Reviewed by Saam Barati.
* runtime/IntlCollatorConstructor.cpp:
(JSC::constructIntlCollator):
(JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
* runtime/IntlCollatorPrototype.cpp:
(JSC::IntlCollatorPrototypeFuncResolvedOptions):
* runtime/IntlDateTimeFormatConstructor.cpp:
(JSC::constructIntlDateTimeFormat):
(JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
* runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::IntlDateTimeFormatFuncFormatDateTime):
(JSC::IntlDateTimeFormatPrototypeGetterFormat):
(JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
* runtime/IntlNumberFormatConstructor.cpp:
(JSC::constructIntlNumberFormat):
(JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
* runtime/IntlNumberFormatPrototype.cpp:
(JSC::IntlNumberFormatFuncFormatNumber):
(JSC::IntlNumberFormatPrototypeGetterFormat):
(JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
* runtime/IntlObject.cpp:
(JSC::lookupSupportedLocales):
* runtime/IntlObjectInlines.h:
(JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in IteratorOperations.h.
https://bugs.webkit.org/show_bug.cgi?id=165015
Reviewed by Saam Barati.
* runtime/IteratorOperations.h:
(JSC::forEachInIterable):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in JSArray* files.
https://bugs.webkit.org/show_bug.cgi?id=165016
Reviewed by Saam Barati.
* runtime/JSArray.cpp:
(JSC::JSArray::defineOwnProperty):
(JSC::JSArray::put):
(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::push):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
* runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::put):
(JSC::JSArrayBuffer::defineOwnProperty):
* runtime/JSArrayInlines.h:
(JSC::getLength):
(JSC::toLength):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in JSDataView.cpp.
https://bugs.webkit.org/show_bug.cgi?id=165020
Reviewed by Saam Barati.
* runtime/JSDataView.cpp:
(JSC::JSDataView::put):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in JSFunction.cpp.
https://bugs.webkit.org/show_bug.cgi?id=165021
Reviewed by Saam Barati.
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in runtime/JSGenericTypedArrayView* files.
https://bugs.webkit.org/show_bug.cgi?id=165022
Reviewed by Saam Barati.
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewFromIterator):
(JSC::constructGenericTypedArrayViewWithArguments):
(JSC::constructGenericTypedArrayView):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::set):
(JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::speciesConstruct):
(JSC::genericTypedArrayViewProtoFuncSet):
(JSC::genericTypedArrayViewProtoFuncJoin):
(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in runtime/Operations.cpp/h.
https://bugs.webkit.org/show_bug.cgi?id=165046
Reviewed by Saam Barati.
Also switched to using returning { } instead of JSValue().
* runtime/Operations.cpp:
(JSC::jsAddSlowCase):
(JSC::jsIsObjectTypeOrNull):
* runtime/Operations.h:
(JSC::jsStringFromRegisterArray):
(JSC::jsStringFromArguments):
(JSC::jsLess):
(JSC::jsLessEq):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in JSScope.cpp.
https://bugs.webkit.org/show_bug.cgi?id=165047
Reviewed by Saam Barati.
* runtime/JSScope.cpp:
(JSC::JSScope::resolve):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in JSTypedArrayViewPrototype.cpp.
https://bugs.webkit.org/show_bug.cgi?id=165049
Reviewed by Saam Barati.
* runtime/JSTypedArrayViewPrototype.cpp:
(JSC::typedArrayViewPrivateFuncSort):
(JSC::typedArrayViewProtoFuncSet):
(JSC::typedArrayViewProtoFuncCopyWithin):
(JSC::typedArrayViewProtoFuncIncludes):
(JSC::typedArrayViewProtoFuncLastIndexOf):
(JSC::typedArrayViewProtoFuncIndexOf):
(JSC::typedArrayViewProtoFuncJoin):
(JSC::typedArrayViewProtoGetterFuncBuffer):
(JSC::typedArrayViewProtoGetterFuncLength):
(JSC::typedArrayViewProtoGetterFuncByteLength):
(JSC::typedArrayViewProtoGetterFuncByteOffset):
(JSC::typedArrayViewProtoFuncReverse):
(JSC::typedArrayViewPrivateFuncSubarrayCreate):
(JSC::typedArrayViewProtoFuncSlice):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in runtime/Map* files.
https://bugs.webkit.org/show_bug.cgi?id=165050
Reviewed by Saam Barati.
* runtime/MapConstructor.cpp:
(JSC::constructMap):
* runtime/MapIteratorPrototype.cpp:
(JSC::MapIteratorPrototypeFuncNext):
* runtime/MapPrototype.cpp:
(JSC::privateFuncMapIteratorNext):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in more miscellaneous files.
https://bugs.webkit.org/show_bug.cgi?id=165102
Reviewed by Saam Barati.
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in runtime/Weak* files.
https://bugs.webkit.org/show_bug.cgi?id=165096
Reviewed by Geoffrey Garen.
* runtime/WeakMapConstructor.cpp:
(JSC::constructWeakMap):
* runtime/WeakMapPrototype.cpp:
(JSC::protoFuncWeakMapSet):
* runtime/WeakSetConstructor.cpp:
(JSC::constructWeakSet):
* runtime/WeakSetPrototype.cpp:
(JSC::protoFuncWeakSetAdd):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in runtime/String* files.
https://bugs.webkit.org/show_bug.cgi?id=165067
Reviewed by Saam Barati.
* runtime/StringConstructor.cpp:
(JSC::stringFromCodePoint):
(JSC::constructWithStringConstructor):
* runtime/StringObject.cpp:
(JSC::StringObject::put):
(JSC::StringObject::putByIndex):
(JSC::StringObject::defineOwnProperty):
* runtime/StringPrototype.cpp:
(JSC::jsSpliceSubstrings):
(JSC::jsSpliceSubstringsWithSeparators):
(JSC::replaceUsingRegExpSearch):
(JSC::replaceUsingStringSearch):
(JSC::repeatCharacter):
(JSC::replace):
(JSC::stringProtoFuncReplaceUsingStringSearch):
(JSC::stringProtoFuncCharAt):
(JSC::stringProtoFuncCodePointAt):
(JSC::stringProtoFuncConcat):
(JSC::stringProtoFuncIndexOf):
(JSC::stringProtoFuncLastIndexOf):
(JSC::splitStringByOneCharacterImpl):
(JSC::stringProtoFuncSplitFast):
(JSC::stringProtoFuncSubstring):
(JSC::stringProtoFuncToLowerCase):
(JSC::stringProtoFuncToUpperCase):
(JSC::toLocaleCase):
(JSC::trimString):
(JSC::stringProtoFuncIncludes):
(JSC::builtinStringIncludesInternal):
(JSC::stringProtoFuncIterator):
(JSC::normalize):
(JSC::stringProtoFuncNormalize):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in ObjectConstructor.cpp and ObjectPrototype.cpp.
https://bugs.webkit.org/show_bug.cgi?id=165051
Reviewed by Saam Barati.
Also,
1. Replaced returning JSValue() with returning { }.
2. Replaced uses of exec->propertyNames() with vm.propertyNames.
* runtime/ObjectConstructor.cpp:
(JSC::constructObject):
(JSC::objectConstructorGetPrototypeOf):
(JSC::objectConstructorGetOwnPropertyDescriptor):
(JSC::objectConstructorGetOwnPropertyDescriptors):
(JSC::objectConstructorGetOwnPropertyNames):
(JSC::objectConstructorGetOwnPropertySymbols):
(JSC::objectConstructorKeys):
(JSC::ownEnumerablePropertyKeys):
(JSC::toPropertyDescriptor):
(JSC::defineProperties):
(JSC::objectConstructorDefineProperties):
(JSC::objectConstructorCreate):
(JSC::setIntegrityLevel):
(JSC::objectConstructorSeal):
(JSC::objectConstructorPreventExtensions):
(JSC::objectConstructorIsSealed):
(JSC::objectConstructorIsFrozen):
(JSC::ownPropertyKeys):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncValueOf):
(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncIsPrototypeOf):
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
(JSC::objectProtoFuncToLocaleString):
(JSC::objectProtoFuncToString):
2016-11-26 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in miscellaneous files.
https://bugs.webkit.org/show_bug.cgi?id=165055
Reviewed by Saam Barati.
* runtime/MathObject.cpp:
(JSC::mathProtoFuncIMul):
* runtime/ModuleLoaderPrototype.cpp:
(JSC::moduleLoaderPrototypeParseModule):
(JSC::moduleLoaderPrototypeRequestedModules):
* runtime/NativeErrorConstructor.cpp:
(JSC::Interpreter::constructWithNativeErrorConstructor):
* runtime/NumberConstructor.cpp:
(JSC::constructWithNumberConstructor):
* runtime/SetConstructor.cpp:
(JSC::constructSet):
* runtime/SetIteratorPrototype.cpp:
(JSC::SetIteratorPrototypeFuncNext):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::putEntry):
(JSC::SparseArrayEntry::put):
* runtime/TemplateRegistry.cpp:
(JSC::TemplateRegistry::getTemplateObject):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in ReflectObject.cpp.
https://bugs.webkit.org/show_bug.cgi?id=165066
Reviewed by Saam Barati.
* runtime/ReflectObject.cpp:
(JSC::reflectObjectConstruct):
(JSC::reflectObjectDefineProperty):
(JSC::reflectObjectEnumerate):
(JSC::reflectObjectGet):
(JSC::reflectObjectGetOwnPropertyDescriptor):
(JSC::reflectObjectGetPrototypeOf):
(JSC::reflectObjectOwnKeys):
(JSC::reflectObjectSet):
2016-11-24 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in ArrayConstructor.cpp and ArrayPrototype.cpp.
https://bugs.webkit.org/show_bug.cgi?id=164972
Reviewed by Geoffrey Garen.
* runtime/ArrayConstructor.cpp:
(JSC::constructArrayWithSizeQuirk):
* runtime/ArrayPrototype.cpp:
(JSC::getProperty):
(JSC::putLength):
(JSC::speciesWatchpointsValid):
(JSC::speciesConstructArray):
(JSC::shift):
(JSC::unshift):
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncToLocaleString):
(JSC::slowJoin):
(JSC::fastJoin):
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf):
(JSC::concatAppendOne):
(JSC::arrayProtoPrivateFuncConcatMemcpy):
(JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint):
2016-11-28 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in LLIntSlowPaths.cpp.
https://bugs.webkit.org/show_bug.cgi?id=164969
Reviewed by Geoffrey Garen.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getByVal):
(JSC::LLInt::setUpCall):
(JSC::LLInt::varargsSetup):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
2016-11-26 Yusuke Suzuki <utatane.tea@gmail.com>
[WTF] Import std::optional reference implementation as WTF::Optional
https://bugs.webkit.org/show_bug.cgi?id=164199
Reviewed by Saam Barati and Sam Weinig.
Previous WTF::Optional::operator= is not compatible to std::optional::operator=.
std::optional::emplace has the same semantics to the previous one.
So we change the code to use it.
* Scripts/builtins/builtins_templates.py:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
* Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
* b3/B3CheckSpecial.cpp:
(JSC::B3::CheckSpecial::forEachArg):
(JSC::B3::CheckSpecial::shouldTryAliasingDef):
* b3/B3CheckSpecial.h:
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::scaleForShl):
(JSC::B3::Air::LowerToAir::effectiveAddr):
(JSC::B3::Air::LowerToAir::tryAppendLea):
* b3/B3Opcode.cpp:
(JSC::B3::invertedCompare):
* b3/B3Opcode.h:
* b3/B3PatchpointSpecial.cpp:
(JSC::B3::PatchpointSpecial::forEachArg):
* b3/B3StackmapSpecial.cpp:
(JSC::B3::StackmapSpecial::forEachArgImpl):
* b3/B3StackmapSpecial.h:
* b3/B3Value.cpp:
(JSC::B3::Value::invertedCompare):
* b3/air/AirArg.h:
(JSC::B3::Air::Arg::isValidScale):
(JSC::B3::Air::Arg::isValidAddrForm):
(JSC::B3::Air::Arg::isValidIndexForm):
(JSC::B3::Air::Arg::isValidForm):
* b3/air/AirCustom.h:
(JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
* b3/air/AirFixObviousSpills.cpp:
* b3/air/AirInst.h:
* b3/air/AirInstInlines.h:
(JSC::B3::Air::Inst::shouldTryAliasingDef):
* b3/air/AirIteratedRegisterCoalescing.cpp:
* b3/air/AirSpecial.cpp:
(JSC::B3::Air::Special::shouldTryAliasingDef):
* b3/air/AirSpecial.h:
* bytecode/BytecodeGeneratorification.cpp:
(JSC::BytecodeGeneratorification::storageForGeneratorLocal):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::findPC):
(JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
* bytecode/CodeBlock.h:
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::link):
* bytecode/UnlinkedFunctionExecutable.h:
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::PropertyListNode::emitPutConstantProperty):
(JSC::ObjectPatternNode::bindValue):
* debugger/Debugger.cpp:
(JSC::Debugger::resolveBreakpoint):
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::currentPosition):
* debugger/DebuggerParseData.cpp:
(JSC::DebuggerPausePositions::breakpointLocationForLineColumn):
* debugger/DebuggerParseData.h:
* debugger/ScriptProfilingScope.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::findPC):
* dfg/DFGJITCode.h:
* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::SlowPathGenerator::generate):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
(JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
(JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
(JSC::DFG::SpeculativeJIT::compileMathIC):
(JSC::DFG::SpeculativeJIT::compileArithDiv):
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::findPC):
* ftl/FTLJITCode.h:
* heap/Heap.cpp:
(JSC::Heap::collectAsync):
(JSC::Heap::collectSync):
(JSC::Heap::collectInThread):
(JSC::Heap::requestCollection):
(JSC::Heap::willStartCollection):
(JSC::Heap::didFinishCollection):
(JSC::Heap::shouldDoFullCollection):
* heap/Heap.h:
(JSC::Heap::collectionScope):
* heap/HeapSnapshot.cpp:
(JSC::HeapSnapshot::nodeForCell):
(JSC::HeapSnapshot::nodeForObjectIdentifier):
* heap/HeapSnapshot.h:
* inspector/InspectorBackendDispatcher.cpp:
(Inspector::BackendDispatcher::dispatch):
(Inspector::BackendDispatcher::sendPendingErrors):
(Inspector::BackendDispatcher::reportProtocolError):
* inspector/InspectorBackendDispatcher.h:
* inspector/agents/InspectorHeapAgent.cpp:
(Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
(Inspector::InspectorHeapAgent::getPreview):
(Inspector::InspectorHeapAgent::getRemoteObject):
* inspector/agents/InspectorHeapAgent.h:
* inspector/remote/RemoteConnectionToTarget.h:
* inspector/remote/RemoteConnectionToTarget.mm:
(Inspector::RemoteConnectionToTarget::targetIdentifier):
(Inspector::RemoteConnectionToTarget::setup):
* inspector/remote/RemoteInspector.h:
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::updateClientCapabilities):
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
(_generate_declarations_for_enum_conversion_methods):
(_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/enum-values.json-result:
* inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/expected/type-declaration-array-type.json-result:
* inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
* jit/JITCode.h:
(JSC::JITCode::findPC):
* jit/JITDivGenerator.cpp:
(JSC::JITDivGenerator::generateFastPath):
* jit/JITOperations.cpp:
* jit/PCToCodeOriginMap.cpp:
(JSC::PCToCodeOriginMap::findPC):
* jit/PCToCodeOriginMap.h:
* jsc.cpp:
(WTF::RuntimeArray::getOwnPropertySlot):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* parser/ModuleAnalyzer.cpp:
(JSC::ModuleAnalyzer::exportVariable):
* runtime/ConcurrentJSLock.h:
(JSC::ConcurrentJSLocker::ConcurrentJSLocker):
* runtime/DefinePropertyAttributes.h:
(JSC::DefinePropertyAttributes::writable):
(JSC::DefinePropertyAttributes::configurable):
(JSC::DefinePropertyAttributes::enumerable):
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::getOwnPropertySlot):
(JSC::GenericArguments<Type>::put):
(JSC::GenericArguments<Type>::deleteProperty):
(JSC::GenericArguments<Type>::defineOwnProperty):
* runtime/HasOwnPropertyCache.h:
(JSC::HasOwnPropertyCache::get):
* runtime/HashMapImpl.h:
(JSC::concurrentJSMapHash):
* runtime/Identifier.h:
(JSC::parseIndex):
* runtime/JSArray.cpp:
(JSC::JSArray::defineOwnProperty):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::toNumberFromPrimitive):
(JSC::JSValue::putToPrimitive):
* runtime/JSCJSValue.h:
* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion):
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):
(JSC::constructGenericTypedArrayView):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
(JSC::JSGenericTypedArrayView<Adaptor>::put):
* runtime/JSModuleRecord.cpp:
* runtime/JSModuleRecord.h:
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectAccessor):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::putDirectMayBeIndex):
(JSC::JSObject::defineOwnProperty):
* runtime/JSObject.h:
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::putOwnDataPropertyMayBeIndex):
* runtime/JSObjectInlines.h:
(JSC::JSObject::putInline):
* runtime/JSString.cpp:
(JSC::JSString::getStringPropertyDescriptor):
* runtime/JSString.h:
(JSC::JSString::getStringPropertySlot):
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::parse):
* runtime/MathCommon.h:
(JSC::safeReciprocalForDivByConst):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncHasOwnProperty):
* runtime/PropertyDescriptor.h:
(JSC::toPropertyDescriptor):
* runtime/PropertyName.h:
(JSC::parseIndex):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::processUnverifiedStackTraces):
* runtime/StringObject.cpp:
(JSC::StringObject::put):
(JSC::isStringOwnProperty):
(JSC::StringObject::deleteProperty):
* runtime/ToNativeFromValue.h:
(JSC::toNativeFromValueWithoutCoercion):
* runtime/TypedArrayAdaptors.h:
(JSC::IntegralTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
(JSC::IntegralTypedArrayAdaptor::toNativeFromUint32WithoutCoercion):
(JSC::IntegralTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
(JSC::FloatTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
(JSC::FloatTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
(JSC::Uint8ClampedAdaptor::toNativeFromInt32WithoutCoercion):
(JSC::Uint8ClampedAdaptor::toNativeFromDoubleWithoutCoercion):
2016-11-26 Sam Weinig <sam@webkit.org>
Convert IntersectionObserver over to using RuntimeEnabledFeatures so it can be properly excluded from script
https://bugs.webkit.org/show_bug.cgi?id=164965
Reviewed by Simon Fraser.
* runtime/CommonIdentifiers.h:
Add identifiers needed for RuntimeEnabledFeatures.
2016-11-23 Zan Dobersek <zdobersek@igalia.com>
Remove ENABLE_ASSEMBLER_WX_EXCLUSIVE code
https://bugs.webkit.org/show_bug.cgi?id=165027
Reviewed by Darin Adler.
Remove the code guarded with ENABLE(ASSEMBLER_WX_EXCLUSIVE).
No port enables this and the guarded code doesn't build at all,
so it's safe to say it's abandoned.
* jit/ExecutableAllocator.cpp:
(JSC::ExecutableAllocator::initializeAllocator):
(JSC::ExecutableAllocator::ExecutableAllocator):
(JSC::ExecutableAllocator::reprotectRegion): Deleted.
2016-11-18 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in JSC profiler files.
https://bugs.webkit.org/show_bug.cgi?id=164971
Reviewed by Saam Barati.
* profiler/ProfilerBytecodeSequence.cpp:
(JSC::Profiler::BytecodeSequence::addSequenceProperties):
* profiler/ProfilerCompilation.cpp:
(JSC::Profiler::Compilation::toJS):
* profiler/ProfilerDatabase.cpp:
(JSC::Profiler::Database::toJS):
(JSC::Profiler::Database::toJSON):
* profiler/ProfilerOSRExitSite.cpp:
(JSC::Profiler::OSRExitSite::toJS):
* profiler/ProfilerOriginStack.cpp:
(JSC::Profiler::OriginStack::toJS):
2016-11-22 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in JSONObject.cpp.
https://bugs.webkit.org/show_bug.cgi?id=165025
Reviewed by Saam Barati.
* runtime/JSONObject.cpp:
(JSC::gap):
(JSC::Stringifier::Stringifier):
(JSC::Stringifier::stringify):
(JSC::Stringifier::toJSON):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Stringifier::Holder::appendNextProperty):
(JSC::Walker::walk):
(JSC::JSONProtoFuncParse):
(JSC::JSONProtoFuncStringify):
(JSC::JSONStringify):
2016-11-21 Mark Lam <mark.lam@apple.com>
Removed an extra space character at the end of line.
Not reviewed.
* runtime/JSCell.cpp:
(JSC::JSCell::toNumber):
2016-11-21 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in FunctionConstructor.cpp.
https://bugs.webkit.org/show_bug.cgi?id=165011
Reviewed by Saam Barati.
* runtime/FunctionConstructor.cpp:
(JSC::constructFunction):
(JSC::constructFunctionSkippingEvalEnabledCheck):
2016-11-21 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in GetterSetter.cpp.
https://bugs.webkit.org/show_bug.cgi?id=165013
Reviewed by Saam Barati.
* runtime/GetterSetter.cpp:
(JSC::callGetter):
(JSC::callSetter):
2016-11-21 Yusuke Suzuki <utatane.tea@gmail.com>
Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142
https://bugs.webkit.org/show_bug.cgi?id=164898
Reviewed by Darin Adler.
The callsite object (JSArray) of tagged template literal is managed by WeakGCMap since
same tagged template literal need to return an identical object.
The problem is that we used TemplateRegistryKey as the key of the WeakGCMap. WeakGCMap
can prune its entries in the collector thread. At that time, this TemplateRegistryKey
is deallocated. Since it includes String (and then, StringImpl), we accidentally call
ref(), deref() and StringImpl::destroy() in the different thread from the main thread
while this TemplateRegistryKey is allocated in the main thread.
Instead, we use TemplateRegistryKey* as the key of WeakGCMap. Then, to keep its liveness
while the entry of the WeakGCMap is alive, the callsite object has the reference to
the JSTemplateRegistryKey. And it holds Ref<TemplateRegistryKey>.
And now we need to lookup WeakGCMap with TemplateRegistryKey*. To do so, we create
interning system for TemplateRegistryKey. It is similar to AtomicStringTable and
SymbolRegistry. TemplateRegistryKey is allocated from this table. This table atomize the
TemplateRegistryKey. So we can use the pointer comparison between TemplateRegistryKey.
It allows us to lookup the entry from WeakGCMap by TemplateRegistryKey*.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/BuiltinNames.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
(JSC::BytecodeGenerator::emitGetTemplateObject):
* bytecompiler/BytecodeGenerator.h:
* runtime/JSGlobalObject.cpp:
(JSC::getTemplateObject):
* runtime/JSTemplateRegistryKey.cpp:
(JSC::JSTemplateRegistryKey::JSTemplateRegistryKey):
(JSC::JSTemplateRegistryKey::create):
* runtime/JSTemplateRegistryKey.h:
* runtime/TemplateRegistry.cpp:
(JSC::TemplateRegistry::getTemplateObject):
* runtime/TemplateRegistry.h:
* runtime/TemplateRegistryKey.cpp: Copied from Source/JavaScriptCore/runtime/TemplateRegistry.h.
(JSC::TemplateRegistryKey::~TemplateRegistryKey):
* runtime/TemplateRegistryKey.h:
(JSC::TemplateRegistryKey::calculateHash):
(JSC::TemplateRegistryKey::create):
(JSC::TemplateRegistryKey::TemplateRegistryKey):
* runtime/TemplateRegistryKeyTable.cpp: Added.
(JSC::TemplateRegistryKeyTranslator::hash):
(JSC::TemplateRegistryKeyTranslator::equal):
(JSC::TemplateRegistryKeyTranslator::translate):
(JSC::TemplateRegistryKeyTable::~TemplateRegistryKeyTable):
(JSC::TemplateRegistryKeyTable::createKey):
(JSC::TemplateRegistryKeyTable::unregister):
* runtime/TemplateRegistryKeyTable.h: Copied from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
(JSC::TemplateRegistryKeyTable::KeyHash::hash):
(JSC::TemplateRegistryKeyTable::KeyHash::equal):
* runtime/VM.h:
(JSC::VM::templateRegistryKeyTable):
2016-11-21 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in runtime/Error* files.
https://bugs.webkit.org/show_bug.cgi?id=164998
Reviewed by Darin Adler.
* runtime/ErrorConstructor.cpp:
(JSC::Interpreter::constructWithErrorConstructor):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::create):
* runtime/ErrorInstance.h:
* runtime/ErrorPrototype.cpp:
(JSC::errorProtoFuncToString):
2016-11-21 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in *Executable.cpp files.
https://bugs.webkit.org/show_bug.cgi?id=164996
Reviewed by Darin Adler.
* runtime/DirectEvalExecutable.cpp:
(JSC::DirectEvalExecutable::create):
* runtime/IndirectEvalExecutable.cpp:
(JSC::IndirectEvalExecutable::create):
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::initializeGlobalProperties):
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::prepareForExecutionImpl):
2016-11-20 Zan Dobersek <zdobersek@igalia.com>
[EncryptedMedia] Make EME API runtime-enabled
https://bugs.webkit.org/show_bug.cgi?id=164927
Reviewed by Jer Noble.
* runtime/CommonIdentifiers.h: Add the necessary identifiers.
2016-11-20 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in ConstructData.cpp.
https://bugs.webkit.org/show_bug.cgi?id=164976
Reviewed by Darin Adler.
* runtime/ConstructData.cpp:
(JSC::construct):
2016-11-20 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in CommonSlowPaths.cpp/h.
https://bugs.webkit.org/show_bug.cgi?id=164975
Reviewed by Darin Adler.
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opIn):
2016-11-20 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in DateConstructor.cpp and DatePrototype.cpp.
https://bugs.webkit.org/show_bug.cgi?id=164995
Reviewed by Darin Adler.
* runtime/DateConstructor.cpp:
(JSC::millisecondsFromComponents):
(JSC::constructDate):
* runtime/DatePrototype.cpp:
(JSC::dateProtoFuncToPrimitiveSymbol):
2016-11-20 Caitlin Potter <caitp@igalia.com>
[JSC] speed up parsing of async functions
https://bugs.webkit.org/show_bug.cgi?id=164808
Reviewed by Yusuke Suzuki.
Minor adjustments to Parser in order to mitigate slowdown with async
function parsing enabled:
- Tokenize "async" as a keyword
- Perform less branching in various areas of the Parser
* parser/Keywords.table:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseStatementListItem):
(JSC::Parser<LexerType>::parseStatement):
(JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
(JSC::Parser<LexerType>::parseClass):
(JSC::Parser<LexerType>::parseExportDeclaration):
(JSC::Parser<LexerType>::parseAssignmentExpression):
(JSC::Parser<LexerType>::parseProperty):
(JSC::Parser<LexerType>::createResolveAndUseVariable):
(JSC::Parser<LexerType>::parsePrimaryExpression):
(JSC::Parser<LexerType>::parseMemberExpression):
(JSC::Parser<LexerType>::printUnexpectedTokenText):
* parser/Parser.h:
(JSC::isAnyContextualKeyword):
(JSC::isIdentifierOrAnyContextualKeyword):
(JSC::isSafeContextualKeyword):
(JSC::Parser::matchSpecIdentifier):
* parser/ParserTokens.h:
* runtime/CommonIdentifiers.h:
2016-11-19 Mark Lam <mark.lam@apple.com>
Add --timeoutMultiplier option to allow some tests more time to run.
https://bugs.webkit.org/show_bug.cgi?id=164951
Reviewed by Yusuke Suzuki.
* jsc.cpp:
(timeoutThreadMain):
- Modified to factor in a timeout multiplier that can adjust the timeout duration.
(startTimeoutThreadIfNeeded):
- Moved the code that starts the timeout thread here from main() so that we can
call it after command line args have been parsed instead.
(main):
- Deleted old timeout thread starting code.
(CommandLine::parseArguments):
- Added parsing of the --timeoutMultiplier option.
(jscmain):
- Start the timeout thread if needed after we've parsed the command line args.
2016-11-19 Mark Lam <mark.lam@apple.com>
Fix missing exception checks in JSC inspector files.
https://bugs.webkit.org/show_bug.cgi?id=164959
Reviewed by Saam Barati.
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::getInternalProperties):
(Inspector::JSInjectedScriptHost::weakMapEntries):
(Inspector::JSInjectedScriptHost::weakSetEntries):
(Inspector::JSInjectedScriptHost::iteratorEntries):
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2016-11-18 Mark Lam <mark.lam@apple.com>
Fix missing exception checks in DFGOperations.cpp.
https://bugs.webkit.org/show_bug.cgi?id=164958
Reviewed by Geoffrey Garen.
* dfg/DFGOperations.cpp:
2016-11-18 Mark Lam <mark.lam@apple.com>
Fix exception scope verification failures in ShadowChicken.cpp.
https://bugs.webkit.org/show_bug.cgi?id=164966
Reviewed by Saam Barati.
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::functionsOnStack):
2016-11-18 Jeremy Jones <jeremyj@apple.com>
Add runtime flag to enable pointer lock. Enable pointer lock feature for mac.
https://bugs.webkit.org/show_bug.cgi?id=163801
Reviewed by Simon Fraser.
* Configurations/FeatureDefines.xcconfig:
2016-11-18 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix cloop.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::stronglyVisitStrongReferences):
2016-11-18 Filip Pizlo <fpizlo@apple.com>
Concurrent GC should be able to run splay in debug mode and earley/raytrace in release mode with no perf regression
https://bugs.webkit.org/show_bug.cgi?id=164282
Reviewed by Geoffrey Garen and Oliver Hunt.
The two three remaining bugs were:
- Improper ordering inside putDirectWithoutTransition() and friends. We need to make sure
that the GC doesn't see the store to Structure::m_offset until we've resized the butterfly.
That proved a bit tricky. On the other hand, this means that we could probably remove the
requirement that the GC holds the Structure lock in some cases. I haven't removed that lock
yet because I still think it might protect some weird cases, and it doesn't seem to cost us
anything.
- CodeBlock's GC strategy needed to be made thread-safe (visitWeakly, visitChildren, and
their friends now hold locks) and incremental-safe (we need to update predictions in the
finalizer to make sure we clear anything that was put into a value profile towards the end
of GC).
- The GC timeslicing scheduler needed to be made a bit more aggressive to deal with
generational workloads like earley, raytrace, and CDjs. Once I got those benchmarks to run,
I found that they would do many useless iterations of GC because they wouldn't pause long
enough after rescanning weak references and roots. I added a bunch of knobs for forcing a
pause. In the end, I realized that I could get the desired effect by putting a ceiling on
mutator utilization. We want the GC to finish quickly if it is possible to do so, even if
the amount of allocation that the mutator had done is low. Having a utilization ceiling
seems to accomplish this for benchmarks with trivial heaps (earley and raytrace) as well as
huge heaps (like CDjs in its "large" configuration).
This preserves splay performance, makes the concurrent GC more stable, and makes the
concurrent GC not a perf regression on earley or raytrace. It seems to give us great CDjs
performance as well, but this is still hard to tell because we crash a lot in that benchmark.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::visitWeakly):
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::shouldVisitStrongly):
(JSC::CodeBlock::shouldJettisonDueToOldAge):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::determineLiveness):
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
(JSC::CodeBlock::visitOSRExitTargets):
(JSC::CodeBlock::stronglyVisitStrongReferences):
(JSC::CodeBlock::stronglyVisitWeakReferences):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
* heap/Heap.cpp:
(JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
(JSC::Heap::markToFixpoint):
(JSC::Heap::beginMarking):
(JSC::Heap::addToRememberedSet):
(JSC::Heap::collectInThread):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::mutatorFence):
* heap/MarkedBlock.cpp:
* runtime/JSCellInlines.h:
(JSC::JSCell::finishCreation):
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectWithoutTransition):
(JSC::JSObject::putDirectInternal):
* runtime/Options.h:
* runtime/Structure.cpp:
(JSC::Structure::add):
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::add):
2016-11-18 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Generator functions should have a displayable name when shown in stack traces
https://bugs.webkit.org/show_bug.cgi?id=164844
<rdar://problem/29300697>
Reviewed by Yusuke Suzuki.
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createGeneratorFunctionBody):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createGeneratorFunctionBody):
New way to create a generator function with an inferred name.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
* parser/Parser.h:
Pass on the name of the generator wrapper function so we can
use it on the inner generator function.
2016-11-17 Ryosuke Niwa <rniwa@webkit.org>
Add an experimental API to find elements across shadow boundaries
https://bugs.webkit.org/show_bug.cgi?id=164851
<rdar://problem/28220092>
Reviewed by Sam Weinig.
* runtime/CommonIdentifiers.h:
2016-11-17 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Drop arguments.caller
https://bugs.webkit.org/show_bug.cgi?id=164859
Reviewed by Saam Barati.
Originally, some JavaScript engine has `arguments.caller` property.
But it easily causes some information leaks and it becomes obstacles
for secure ECMAScript (SES). In ES5, we make it deprecated in strict
mode. To do so, we explicitly set "caller" getter throwing TypeError
to arguments in strict mode.
But now, there is no modern engine which supports `arguments.caller`
in sloppy mode. So the original compatibility problem is gone and
"caller" getter in the strict mode arguments becomes meaningless.
ES2017 drops this from the spec. In this patch, we also drop this
`arguments.caller` in strict mode support.
Note that Function#caller is still alive.
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::getOwnPropertySlot):
(JSC::ClonedArguments::put):
(JSC::ClonedArguments::deleteProperty):
(JSC::ClonedArguments::defineOwnProperty):
(JSC::ClonedArguments::materializeSpecials):
2016-11-17 Mark Lam <mark.lam@apple.com>
Inlining should be disallowed when JSC_alwaysUseShadowChicken=true.
https://bugs.webkit.org/show_bug.cgi?id=164893
<rdar://problem/29146436>
Reviewed by Saam Barati.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2016-11-17 Filip Pizlo <fpizlo@apple.com>
Speculatively disable eager object zero-fill on not-x86 to let the bots decide if that's a problem
https://bugs.webkit.org/show_bug.cgi?id=164885
Reviewed by Mark Lam.
This adds a useGCFences() function that we use to guard all eager object zero-fill and the
related fences. It currently returns true only on x86().
The goal here is to get the bots to tell us if this code is responsible for perf issues on
any non-x86 platforms. We have a few different paths that we can pursue if this turns out
to be the case. Eager zero-fill is merely the easiest way to optimize out some fences, but
we could get rid of it and instead teach B3 how to think about fences.
* assembler/CPU.h:
(JSC::useGCFences):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
(JSC::FTL::DFG::LowerDFGToB3::setButterfly):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::mutatorFence):
(JSC::AssemblyHelpers::storeButterfly):
(JSC::AssemblyHelpers::emitInitializeInlineStorage):
(JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
2016-11-17 Keith Miller <keith_miller@apple.com>
Add rotate to Wasm
https://bugs.webkit.org/show_bug.cgi?id=164871
Reviewed by Filip Pizlo.
Add rotate left and rotate right to Wasm. These directly map to B3 opcodes.
This also moves arm specific transformations of rotate left to lower macros
after optimization. It's a bad idea to have platform specific canonicalizations
in reduce strength since other optimizations may not be aware of it.
Add a bug to do pure CSE after lower macros after optimization since we want to
clean up RotL(value, Neg(Neg(shift))).
* b3/B3Generate.cpp:
(JSC::B3::generateToAir):
* b3/B3LowerMacrosAfterOptimizations.cpp:
* b3/B3ReduceStrength.cpp:
* wasm/wasm.json:
2016-11-17 Keith Miller <keith_miller@apple.com>
Add sqrt to Wasm
https://bugs.webkit.org/show_bug.cgi?id=164877
Reviewed by Mark Lam.
B3 already has a Sqrt opcode we just need to map Wasm to it.
* wasm/wasm.json:
2016-11-17 Keith Miller <keith_miller@apple.com>
Add support for rotate in B3 and the relevant assemblers
https://bugs.webkit.org/show_bug.cgi?id=164869
Reviewed by Geoffrey Garen.
This patch runs RotR and RotL (rotate right and left respectively)
through B3 and B3's assemblers. One thing of note is that ARM64 does
not support rotate left instead it allows negative right rotations.
This patch also fixes a theoretical bug in the assembler where
on X86 doing someShiftOp(reg, edx) would instead shift the shift
amount by the value. Additionally, this patch refactors some
of the X86 assembler to use templates when deciding how to format
the appropriate shift instruction.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::rotateRight32):
(JSC::MacroAssemblerARM64::rotateRight64):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::rotateRight32):
(JSC::MacroAssemblerX86Common::rotateLeft32):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::lshift64):
(JSC::MacroAssemblerX86_64::rshift64):
(JSC::MacroAssemblerX86_64::urshift64):
(JSC::MacroAssemblerX86_64::rotateRight64):
(JSC::MacroAssemblerX86_64::rotateLeft64):
(JSC::MacroAssemblerX86_64::or64):
* assembler/X86Assembler.h:
(JSC::X86Assembler::xorq_rm):
(JSC::X86Assembler::shiftInstruction32):
(JSC::X86Assembler::sarl_i8r):
(JSC::X86Assembler::shrl_i8r):
(JSC::X86Assembler::shll_i8r):
(JSC::X86Assembler::rorl_i8r):
(JSC::X86Assembler::rorl_CLr):
(JSC::X86Assembler::roll_i8r):
(JSC::X86Assembler::roll_CLr):
(JSC::X86Assembler::shiftInstruction64):
(JSC::X86Assembler::sarq_CLr):
(JSC::X86Assembler::sarq_i8r):
(JSC::X86Assembler::shrq_i8r):
(JSC::X86Assembler::shlq_i8r):
(JSC::X86Assembler::rorq_i8r):
(JSC::X86Assembler::rorq_CLr):
(JSC::X86Assembler::rolq_i8r):
(JSC::X86Assembler::rolq_CLr):
* b3/B3Common.h:
(JSC::B3::rotateRight):
(JSC::B3::rotateLeft):
* b3/B3Const32Value.cpp:
(JSC::B3::Const32Value::rotRConstant):
(JSC::B3::Const32Value::rotLConstant):
* b3/B3Const32Value.h:
* b3/B3Const64Value.cpp:
(JSC::B3::Const64Value::rotRConstant):
(JSC::B3::Const64Value::rotLConstant):
* b3/B3Const64Value.h:
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::lower):
* b3/B3Opcode.cpp:
(WTF::printInternal):
* b3/B3Opcode.h:
* b3/B3ReduceStrength.cpp:
* b3/B3Validate.cpp:
* b3/B3Value.cpp:
(JSC::B3::Value::rotRConstant):
(JSC::B3::Value::rotLConstant):
(JSC::B3::Value::effects):
(JSC::B3::Value::key):
(JSC::B3::Value::typeFor):
* b3/B3Value.h:
* b3/B3ValueKey.cpp:
(JSC::B3::ValueKey::materialize):
* b3/air/AirInstInlines.h:
(JSC::B3::Air::isRotateRight32Valid):
(JSC::B3::Air::isRotateLeft32Valid):
(JSC::B3::Air::isRotateRight64Valid):
(JSC::B3::Air::isRotateLeft64Valid):
* b3/air/AirOpcode.opcodes:
* b3/testb3.cpp:
(JSC::B3::testRotR):
(JSC::B3::testRotL):
(JSC::B3::testRotRWithImmShift):
(JSC::B3::testRotLWithImmShift):
(JSC::B3::run):
2016-11-17 Saam Barati <sbarati@apple.com>
Remove async/await compile time flag and enable tests
https://bugs.webkit.org/show_bug.cgi?id=164828
<rdar://problem/28639334>
Reviewed by Yusuke Suzuki.
* Configurations/FeatureDefines.xcconfig:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseStatementListItem):
(JSC::Parser<LexerType>::parseStatement):
(JSC::Parser<LexerType>::parseClass):
(JSC::Parser<LexerType>::parseExportDeclaration):
(JSC::Parser<LexerType>::parseAssignmentExpression):
(JSC::Parser<LexerType>::parseProperty):
(JSC::Parser<LexerType>::parsePrimaryExpression):
(JSC::Parser<LexerType>::parseMemberExpression):
(JSC::Parser<LexerType>::parseUnaryExpression):
2016-11-17 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] WTF::TemporaryChange with WTF::SetForScope
https://bugs.webkit.org/show_bug.cgi?id=164761
Reviewed by Saam Barati.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/SetForScope.h: Removed.
* debugger/Debugger.cpp:
* inspector/InspectorBackendDispatcher.cpp:
(Inspector::BackendDispatcher::dispatch):
* inspector/ScriptDebugServer.cpp:
(Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
(Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
(Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
(Inspector::ScriptDebugServer::sourceParsed):
(Inspector::ScriptDebugServer::dispatchFunctionToListeners):
* parser/Parser.cpp:
2016-11-16 Mark Lam <mark.lam@apple.com>
ExceptionFuzz needs to placate exception check verification before overwriting a thrown exception.
https://bugs.webkit.org/show_bug.cgi?id=164843
Reviewed by Keith Miller.
The ThrowScope will check for unchecked simulated exceptions before throwing a
new exception. This ensures that we don't quietly overwrite a pending exception
(which should never happen, with the only exception being to rethrow the same
exception). However, ExceptionFuzz works by intentionally throwing its own
exception even when one may already exist thereby potentially overwriting an
existing exception. This is ok for ExceptionFuzz testing, but we need to placate
the exception check verifier before ExceptionFuzz throws its own exception.
* runtime/ExceptionFuzz.cpp:
(JSC::doExceptionFuzzing):
2016-11-16 Geoffrey Garen <ggaren@apple.com>
UnlinkedCodeBlock should not have a starting line number
https://bugs.webkit.org/show_bug.cgi?id=164838
Reviewed by Mark Lam.
Here's how the starting line number in UnlinkedCodeBlock used to work:
(1) Assign the source code starting line number to the parser starting
line number.
(2) Assign (1) to the AST.
(3) Subtract (1) from (2) and assign to UnlinkedCodeBlock.
Then, when linking:
(4) Add (3) to (1).
This was an awesome no-op.
Generally, unlinked code is code that is not tied to any particular
web page or resource. So, it's inappropriate to think of it having a
starting line number.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::recordParse):
(JSC::UnlinkedCodeBlock::hasCapturedVariables):
(JSC::UnlinkedCodeBlock::firstLine): Deleted.
* runtime/CodeCache.cpp:
(JSC::CodeCache::getUnlinkedGlobalCodeBlock):
* runtime/CodeCache.h:
(JSC::generateUnlinkedCodeBlock):
2016-11-16 Yusuke Suzuki <utatane.tea@gmail.com>
[ES6][WebCore] Change ES6_MODULES compile time flag to runtime flag
https://bugs.webkit.org/show_bug.cgi?id=164827
Reviewed by Ryosuke Niwa.
* Configurations/FeatureDefines.xcconfig:
2016-11-16 Filip Pizlo <fpizlo@apple.com>
Unreviewed, roll out r208811. It's not sound.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
(JSC::FTL::DFG::LowerDFGToB3::setButterfly):
(JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced): Deleted.
2016-11-16 Keith Miller <keith_miller@apple.com>
Wasm function parser should use template functions for each binary and unary opcode
https://bugs.webkit.org/show_bug.cgi?id=164835
Reviewed by Mark Lam.
This patch changes the wasm function parser to call into a template specialization
for each binary/unary opcode. This change makes it easier to have custom implementations
of various opcodes. It is also, in theory a speedup since it does not require switching
on the opcode twice.
* CMakeLists.txt:
* DerivedSources.make:
* wasm/WasmB3IRGenerator.cpp:
(): Deleted.
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::binaryCase):
(JSC::Wasm::FunctionParser<Context>::unaryCase):
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* wasm/WasmValidate.cpp:
* wasm/generateWasm.py:
(isBinary):
(isSimple):
* wasm/generateWasmB3IRGeneratorInlinesHeader.py: Added.
(generateSimpleCode):
* wasm/generateWasmOpsHeader.py:
(opcodeMacroizer):
* wasm/generateWasmValidateInlinesHeader.py:
2016-11-16 Mark Lam <mark.lam@apple.com>
ExceptionFuzz functions should use its client's ThrowScope.
https://bugs.webkit.org/show_bug.cgi?id=164834
Reviewed by Geoffrey Garen.
This is because ExceptionFuzz's purpose is to throw exceptions from its client at
exception check sites. Using the client's ThrowScope solves 2 problems:
1. If ExceptionFuzz instantiates its own ThrowScope, the simulated throw will be
mis-attributed to ExceptionFuzz when it should be attributed to its client.
2. One way exception scope verification works is by having ThrowScopes assert
that there are no unchecked simulated exceptions when the ThrowScope is
instantiated. However, ExceptionFuzz necessarily works by inserting
doExceptionFuzzingIfEnabled() in between a ThrowScope that simulated a throw
and an exception check. If we declare a ThrowScope in ExceptionFuzz's code,
we will be instantiating the ThrowScope between the point where a simulated
throw occurs and where the needed exception check can occur. Hence, having
ExceptionFuzz instantiate its own ThrowScope will fail exception scope
verification every time.
Changing ExceptionFuzz to use its client's ThrowScope resolves both problems.
Also fixed the THROW() macro in CommonSlowPaths.cpp to use the ThrowScope that
already exists in every slow path function instead of creating a new one.
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
* runtime/CommonSlowPaths.cpp:
* runtime/ExceptionFuzz.cpp:
(JSC::doExceptionFuzzing):
* runtime/ExceptionFuzz.h:
(JSC::doExceptionFuzzingIfEnabled):
2016-11-16 Filip Pizlo <fpizlo@apple.com>
Slight Octane regression from concurrent GC's eager object zero-fill
https://bugs.webkit.org/show_bug.cgi?id=164823
Reviewed by Geoffrey Garen.
During concurrent GC, we need to eagerly zero-fill objects we allocate prior to
executing the end-of-allocation fence. This causes some regressions. This is an attempt
to fix those regressions by making them conditional on whether the mutator is fenced.
This is a slight speed-up on raytrace and boyer, and hopefully it will fix the
regression.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
(JSC::FTL::DFG::LowerDFGToB3::setButterfly):
2016-11-16 Mark Lam <mark.lam@apple.com>
Fix exception scope checking in JSGlobalObject.cpp.
https://bugs.webkit.org/show_bug.cgi?id=164831
Reviewed by Saam Barati.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
- Use a CatchScope here because we don't ever expect JSGlobalObject initialization
to fail with errors.
(JSC::JSGlobalObject::put):
- Fix exception check requirements.
2016-11-16 Keith Miller <keith_miller@apple.com>
Unreviewed, ARM build fix.
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::lower):
(JSC::B3::Air::LowerToAir::lowerX86Div):
(JSC::B3::Air::LowerToAir::lowerX86UDiv):
2016-11-15 Mark Lam <mark.lam@apple.com>
Make JSC test functions more robust.
https://bugs.webkit.org/show_bug.cgi?id=164807
Reviewed by Keith Miller.
* jsc.cpp:
(functionGetHiddenValue):
(functionSetHiddenValue):
2016-11-15 Keith Miller <keith_miller@apple.com>
B3 should support UDiv/UMod
https://bugs.webkit.org/show_bug.cgi?id=164811
Reviewed by Filip Pizlo.
This patch adds support for UDiv and UMod in B3. Many of the magic number
cases have been ommited for now since they are unlikely to happen in wasm
code. Most wasm code we will see is generated via llvm, which has more
robust versions of what we would do anyway. Additionally, this patch
links the new opcodes up to the wasm parser.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::uDiv32):
(JSC::MacroAssemblerARM64::uDiv64):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::x86UDiv32):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::x86UDiv64):
* assembler/X86Assembler.h:
(JSC::X86Assembler::divq_r):
* b3/B3Common.h:
(JSC::B3::chillUDiv):
(JSC::B3::chillUMod):
* b3/B3Const32Value.cpp:
(JSC::B3::Const32Value::uDivConstant):
(JSC::B3::Const32Value::uModConstant):
* b3/B3Const32Value.h:
* b3/B3Const64Value.cpp:
(JSC::B3::Const64Value::uDivConstant):
(JSC::B3::Const64Value::uModConstant):
* b3/B3Const64Value.h:
* b3/B3LowerMacros.cpp:
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::lower):
(JSC::B3::Air::LowerToAir::lowerX86UDiv):
* b3/B3Opcode.cpp:
(WTF::printInternal):
* b3/B3Opcode.h:
* b3/B3ReduceStrength.cpp:
* b3/B3Validate.cpp:
* b3/B3Value.cpp:
(JSC::B3::Value::uDivConstant):
(JSC::B3::Value::uModConstant):
(JSC::B3::Value::effects):
(JSC::B3::Value::key):
(JSC::B3::Value::typeFor):
* b3/B3Value.h:
* b3/B3ValueKey.cpp:
(JSC::B3::ValueKey::materialize):
* b3/air/AirInstInlines.h:
(JSC::B3::Air::isX86UDiv32Valid):
(JSC::B3::Air::isX86UDiv64Valid):
* b3/air/AirOpcode.opcodes:
* b3/testb3.cpp:
(JSC::B3::testUDivArgsInt32):
(JSC::B3::testUDivArgsInt64):
(JSC::B3::testUModArgsInt32):
(JSC::B3::testUModArgsInt64):
(JSC::B3::run):
* wasm/wasm.json:
2016-11-15 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Preview other CSS @media in browser window (print)
https://bugs.webkit.org/show_bug.cgi?id=13530
<rdar://problem/5712928>
Reviewed by Timothy Hatcher.
* inspector/protocol/Page.json:
Update to preferred JSON style.
2016-11-15 Filip Pizlo <fpizlo@apple.com>
Unreviewed, revert renaming useConcurrentJIT to useConcurrentJS.
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* heap/Heap.cpp:
(JSC::Heap::addToRememberedSet):
* jit/JITWorklist.cpp:
(JSC::JITWorklist::compileLater):
(JSC::JITWorklist::compileNow):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h:
* runtime/WriteBarrierInlines.h:
(JSC::WriteBarrierBase<T>::set):
(JSC::WriteBarrierBase<Unknown>::set):
2016-11-15 Geoffrey Garen <ggaren@apple.com>
Debugging and other tools should not disable the code cache
https://bugs.webkit.org/show_bug.cgi?id=164802
Reviewed by Mark Lam.
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::fromGlobalCode): Updated for interface
change.
* parser/SourceCodeKey.h:
(JSC::SourceCodeFlags::SourceCodeFlags):
(JSC::SourceCodeFlags::bits):
(JSC::SourceCodeKey::SourceCodeKey): Treat debugging and other tools
as part of our key so that we can cache code while using tools. Be sure
to include these bits in our hash function so you don't get storms of
collisions as you open and close the Web Inspector.
* runtime/CodeCache.cpp:
(JSC::CodeCache::getUnlinkedGlobalCodeBlock):
(JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): Treat tools as
a part of our key instead of as a reason to disable caching.
* runtime/CodeCache.h:
2016-11-15 Mark Lam <mark.lam@apple.com>
Remove JSString::SafeView and replace its uses with StringViewWithUnderlyingString.
https://bugs.webkit.org/show_bug.cgi?id=164777
Reviewed by Geoffrey Garen.
JSString::SafeView no longer achieves its intended goal to make it easier to
handle strings safely. Its clients still need to do explicit exception checks in
order to be correct. We'll remove it and replace its uses with
StringViewWithUnderlyingString instead which serves to gets the a StringView
(which is what we really wanted from SafeView) and keeps the backing String alive
while the view is in use.
Also added some missing exception checks.
* jsc.cpp:
(printInternal):
(functionDebug):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncJoin):
* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/IntlCollatorPrototype.cpp:
(JSC::IntlCollatorFuncCompare):
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncJoin):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::toStringView):
(JSC::globalFuncParseFloat):
* runtime/JSONObject.cpp:
(JSC::JSONProtoFuncParse):
* runtime/JSString.h:
(JSC::JSString::SafeView::is8Bit): Deleted.
(JSC::JSString::SafeView::length): Deleted.
(JSC::JSString::SafeView::SafeView): Deleted.
(JSC::JSString::SafeView::get): Deleted.
(JSC::JSString::view): Deleted.
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncRepeatCharacter):
(JSC::stringProtoFuncCharAt):
(JSC::stringProtoFuncCharCodeAt):
(JSC::stringProtoFuncIndexOf):
(JSC::stringProtoFuncNormalize):
2016-11-15 Filip Pizlo <fpizlo@apple.com>
Unreviewed, remove bogus assertion.
* heap/Heap.cpp:
(JSC::Heap::markToFixpoint):
2016-11-15 Filip Pizlo <fpizlo@apple.com>
[mac-wk1 debug] ASSERTION FAILED: thisObject->m_propertyTableUnsafe
https://bugs.webkit.org/show_bug.cgi?id=162986
Reviewed by Saam Barati.
This assertion is wrong for concurrent GC anyway, so this removes it.
* runtime/Structure.cpp:
(JSC::Structure::visitChildren):
2016-11-15 Filip Pizlo <fpizlo@apple.com>
Rename CONCURRENT_JIT/ConcurrentJIT to CONCURRENT_JS/ConcurrentJS
https://bugs.webkit.org/show_bug.cgi?id=164791
Reviewed by Geoffrey Garen.
Just renaming.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/ArrayProfile.cpp:
(JSC::ArrayProfile::computeUpdatedPrediction):
(JSC::ArrayProfile::briefDescription):
(JSC::ArrayProfile::briefDescriptionWithoutUpdating):
* bytecode/ArrayProfile.h:
(JSC::ArrayProfile::observedArrayModes):
(JSC::ArrayProfile::mayInterceptIndexedAccesses):
(JSC::ArrayProfile::mayStoreToHole):
(JSC::ArrayProfile::outOfBounds):
(JSC::ArrayProfile::usesOriginalArrayStructures):
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromLLInt):
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeExitSiteData):
(JSC::CallLinkStatus::computeFromCallLinkInfo):
(JSC::CallLinkStatus::computeDFGStatuses):
* bytecode/CallLinkStatus.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpValueProfiling):
(JSC::CodeBlock::dumpArrayProfiling):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::getStubInfoMap):
(JSC::CodeBlock::getCallLinkInfoMap):
(JSC::CodeBlock::getByValInfoMap):
(JSC::CodeBlock::addStubInfo):
(JSC::CodeBlock::addByValInfo):
(JSC::CodeBlock::addCallLinkInfo):
(JSC::CodeBlock::resetJITData):
(JSC::CodeBlock::shrinkToFit):
(JSC::CodeBlock::getArrayProfile):
(JSC::CodeBlock::addArrayProfile):
(JSC::CodeBlock::getOrAddArrayProfile):
(JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
(JSC::CodeBlock::updateAllArrayPredictions):
(JSC::CodeBlock::nameForRegister):
(JSC::CodeBlock::livenessAnalysisSlow):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::setJITCode):
(JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
(JSC::CodeBlock::addFrequentExitSite):
(JSC::CodeBlock::hasExitSite):
(JSC::CodeBlock::livenessAnalysis):
* bytecode/DFGExitProfile.cpp:
(JSC::DFG::ExitProfile::add):
(JSC::DFG::ExitProfile::hasExitSite):
(JSC::DFG::QueryableExitProfile::initialize):
* bytecode/DFGExitProfile.h:
(JSC::DFG::ExitProfile::hasExitSite):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::hasExitSite):
(JSC::GetByIdStatus::computeFor):
(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
* bytecode/GetByIdStatus.h:
* bytecode/LazyOperandValueProfile.cpp:
(JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
(JSC::CompressedLazyOperandValueProfileHolder::add):
(JSC::LazyOperandValueProfileParser::initialize):
(JSC::LazyOperandValueProfileParser::prediction):
* bytecode/LazyOperandValueProfile.h:
* bytecode/MethodOfGettingAValueProfile.cpp:
(JSC::MethodOfGettingAValueProfile::emitReportValue):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::hasExitSite):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/PutByIdStatus.h:
* bytecode/StructureStubClearingWatchpoint.cpp:
(JSC::StructureStubClearingWatchpoint::fireInternal):
* bytecode/ValueProfile.h:
(JSC::ValueProfileBase::briefDescription):
(JSC::ValueProfileBase::computeUpdatedPrediction):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::fromObserved):
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::withSpeculationFromProfile):
(JSC::DFG::ArrayMode::withProfile):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
(JSC::DFG::ByteCodeParser::getArrayMode):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetConstantClosureVar):
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGPredictionInjectionPhase.cpp:
(JSC::DFG::PredictionInjectionPhase::run):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):
* heap/Heap.cpp:
(JSC::Heap::addToRememberedSet):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
* jit/JITInlines.h:
(JSC::JIT::chooseArrayMode):
* jit/JITOperations.cpp:
(JSC::tryGetByValOptimize):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITWorklist.cpp:
(JSC::JITWorklist::compileLater):
(JSC::JITWorklist::compileNow):
* jit/Repatch.cpp:
(JSC::repatchGetByID):
(JSC::repatchPutByID):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setupGetByIdPrototypeCache):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::setUpCall):
* profiler/ProfilerBytecodeSequence.cpp:
(JSC::Profiler::BytecodeSequence::BytecodeSequence):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
(JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
* runtime/ConcurrentJITLock.h: Removed.
* runtime/ConcurrentJSLock.h: Copied from Source/JavaScriptCore/runtime/ConcurrentJITLock.h.
(JSC::ConcurrentJSLockerBase::ConcurrentJSLockerBase):
(JSC::ConcurrentJSLockerBase::~ConcurrentJSLockerBase):
(JSC::GCSafeConcurrentJSLocker::GCSafeConcurrentJSLocker):
(JSC::GCSafeConcurrentJSLocker::~GCSafeConcurrentJSLocker):
(JSC::ConcurrentJSLocker::ConcurrentJSLocker):
(JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase): Deleted.
(JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase): Deleted.
(JSC::ConcurrentJITLockerBase::unlockEarly): Deleted.
(JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker): Deleted.
(JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker): Deleted.
(JSC::ConcurrentJITLocker::ConcurrentJITLocker): Deleted.
* runtime/InferredType.cpp:
(JSC::InferredType::canWatch):
(JSC::InferredType::addWatchpoint):
(JSC::InferredType::willStoreValueSlow):
(JSC::InferredType::makeTopSlow):
(JSC::InferredType::set):
(JSC::InferredType::removeStructure):
* runtime/InferredType.h:
* runtime/InferredTypeTable.cpp:
(JSC::InferredTypeTable::visitChildren):
(JSC::InferredTypeTable::get):
(JSC::InferredTypeTable::willStoreValue):
(JSC::InferredTypeTable::makeTop):
* runtime/InferredTypeTable.h:
* runtime/JSEnvironmentRecord.cpp:
(JSC::JSEnvironmentRecord::heapSnapshot):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::addGlobalVar):
(JSC::JSGlobalObject::addStaticGlobals):
* runtime/JSLexicalEnvironment.cpp:
(JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
* runtime/JSObject.cpp:
(JSC::JSObject::deleteProperty):
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectWithoutTransition):
(JSC::JSObject::putDirectInternal):
* runtime/JSScope.cpp:
(JSC::abstractAccess):
(JSC::JSScope::collectClosureVariablesUnderTDZ):
* runtime/JSSegmentedVariableObject.cpp:
(JSC::JSSegmentedVariableObject::findVariableIndex):
(JSC::JSSegmentedVariableObject::addVariables):
(JSC::JSSegmentedVariableObject::heapSnapshot):
* runtime/JSSegmentedVariableObject.h:
* runtime/JSSymbolTableObject.cpp:
(JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTableGet):
(JSC::symbolTablePut):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h:
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::initializeGlobalProperties):
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::matchConcurrently):
(JSC::RegExp::compileMatchOnly):
(JSC::RegExp::deleteCode):
* runtime/RegExp.h:
* runtime/Structure.cpp:
(JSC::Structure::materializePropertyTable):
(JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
(JSC::Structure::addNewPropertyTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::flattenDictionaryStructure):
(JSC::Structure::ensurePropertyReplacementWatchpointSet):
(JSC::Structure::add):
(JSC::Structure::remove):
(JSC::Structure::visitChildren):
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::propertyReplacementWatchpointSet):
(JSC::Structure::add):
(JSC::Structure::remove):
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::visitChildren):
(JSC::SymbolTable::localToEntry):
(JSC::SymbolTable::entryFor):
(JSC::SymbolTable::prepareForTypeProfiling):
(JSC::SymbolTable::uniqueIDForVariable):
(JSC::SymbolTable::uniqueIDForOffset):
(JSC::SymbolTable::globalTypeSetForOffset):
(JSC::SymbolTable::globalTypeSetForVariable):
* runtime/SymbolTable.h:
* runtime/TypeSet.cpp:
(JSC::TypeSet::addTypeInformation):
(JSC::TypeSet::invalidateCache):
* runtime/TypeSet.h:
(JSC::TypeSet::structureSet):
* runtime/VM.h:
* runtime/WriteBarrierInlines.h:
(JSC::WriteBarrierBase<T>::set):
(JSC::WriteBarrierBase<Unknown>::set):
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::ByteCompiler::compile):
(JSC::Yarr::byteCompile):
* yarr/YarrInterpreter.h:
(JSC::Yarr::BytecodePattern::BytecodePattern):
2016-11-15 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Remove unused and untested Page.setTouchEmulationEnabled command
https://bugs.webkit.org/show_bug.cgi?id=164793
Reviewed by Matt Baker.
* inspector/protocol/Page.json:
2016-11-15 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, build fix for Windows debug build after r208738
https://bugs.webkit.org/show_bug.cgi?id=164727
This static member variable can be touched outside of the JSC project
since inlined MacroAssembler member functions read / write it.
So it should be exported.
* assembler/MacroAssemblerX86Common.h:
2016-11-15 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: inspector/worker/debugger-pause.html fails on WebKit1
https://bugs.webkit.org/show_bug.cgi?id=164787
Reviewed by Timothy Hatcher.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
Clear this DebuggerAgent state when we resume.
2016-11-15 Filip Pizlo <fpizlo@apple.com>
It should be possible to disable concurrent GC timeslicing
https://bugs.webkit.org/show_bug.cgi?id=164788
Reviewed by Saam Barati.
Collector timeslicing means that the collector will try to pause once every 2ms. This is
great because it throttles the mutator and prevents it from outpacing the collector. But
it reduces some of the efficacy of the collectContinuously=true configuration: while
it's great that collecting continuously means that the collector will also pause more
frequently and so it will test the pausing code, it also means that the collector will
spend less time running concurrently. The primary purpose of collectContinuously is to
maximize the amount of time that the collector is running concurrently to the mutator to
maximize the likelihood that a race will cause a detectable error.
This adds an option to disable collector timeslicing (useCollectorTimeslicing=false).
The idea is that we will usually use this in conjunction with collectContinuously=true
to find race conditions during marking, but we can also use the two options
independently to focus our testing on other things.
* heap/Heap.cpp:
(JSC::Heap::markToFixpoint):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::drainInParallel): We should have added this helper ages ago.
* heap/SlotVisitor.h:
* runtime/Options.h:
2016-11-15 Filip Pizlo <fpizlo@apple.com>
The concurrent GC should have a timeslicing controller
https://bugs.webkit.org/show_bug.cgi?id=164783
Reviewed by Geoffrey Garen.
This adds a simple control system for deciding when the collector should let the mutator run
and when it should stop the mutator. We definitely have to stop the mutator during certain
collector phases, but during marking - which takes the most time - we can go either way.
Normally we want to let the mutator run, but if the heap size starts to grow then we have to
stop the mutator just to make sure it doesn't get too far ahead of the collector. That could
lead to memory exhaustion, so it's better to just stop in that case.
The controller tries to never stop the mutator for longer than short timeslices. It slices on
a 2ms period (configurable via Options). The amount of that period that the collector spends
with the mutator stopped is determined by the fraction of the collector's concurrent headroom
that has been allocated over. The headroom is currently configured at 50% of what was
allocated before the collector started.
This moves a bunch of parameters into Options so that it's easier to play with different
configurations.
I tried these different values for the period:
1ms: 30% worse than 2ms on splay-latency.
2ms: best score on splay-latency: the tick time above the 99.5% percentile is <2ms.
3ms: 40% worse than 2ms on splay-latency.
4ms: 40% worse than 2ms on splay-latency.
I also tried 100% headroom as an alternate to 50% and found it to be a worse.
This patch is a 2x improvement on splay-latency with the default parameters and concurrent GC
enabled. Prior to this change, the GC didn't have a good bound on its pause times, which
would cause these problems. Concurrent GC is now 5.6x better on splay-latency than no
concurrent GC.
* heap/Heap.cpp:
(JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
(JSC::Heap::markToFixpoint):
(JSC::Heap::collectInThread):
* runtime/Options.h:
2016-11-15 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, build fix for CLoop after r208738
https://bugs.webkit.org/show_bug.cgi?id=164727
* jsc.cpp:
(WTF::DOMJITFunctionObject::unsafeFunction):
(WTF::DOMJITFunctionObject::finishCreation):
2016-11-15 Mark Lam <mark.lam@apple.com>
The jsc shell's setImpureGetterDelegate() should ensure that the set value is an ImpureGetter.
https://bugs.webkit.org/show_bug.cgi?id=164781
<rdar://problem/28418590>
Reviewed by Geoffrey Garen and Michael Saboff.
* jsc.cpp:
(functionSetImpureGetterDelegate):
2016-11-15 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Allow using macro assembler scratches in FTL CheckDOM
https://bugs.webkit.org/show_bug.cgi?id=164727
Reviewed by Filip Pizlo.
While CallDOMGetter can use macro assembler scratch registers, we previiously
assumed that CheckDOM code generator does not use macro assembler scratch registers.
It is currently true in x86 environment. But it is not true in the other environments.
We should not limit DOMJIT::Patchpoint's functionality in such a way. We should allow
arbitrary macro assembler operations inside the DOMJIT::Patchpoint. This patch allows
CheckDOM to use macro assembler scratch registers.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
* jsc.cpp:
(WTF::DOMJITFunctionObject::DOMJITFunctionObject):
(WTF::DOMJITFunctionObject::createStructure):
(WTF::DOMJITFunctionObject::create):
(WTF::DOMJITFunctionObject::unsafeFunction):
(WTF::DOMJITFunctionObject::safeFunction):
(WTF::DOMJITFunctionObject::checkDOMJITNode):
(WTF::DOMJITFunctionObject::finishCreation):
(GlobalObject::finishCreation):
(functionCreateDOMJITFunctionObject):
2016-11-14 Geoffrey Garen <ggaren@apple.com>
CodeCache should stop pretending to cache builtins
https://bugs.webkit.org/show_bug.cgi?id=164750
Reviewed by Saam Barati.
We were passing JSParserBuiltinMode to all CodeCache functions, but the
passed-in value was always NotBuiltin.
Let's stop passing it.
* parser/SourceCodeKey.h:
(JSC::SourceCodeFlags::SourceCodeFlags):
(JSC::SourceCodeKey::SourceCodeKey):
* runtime/CodeCache.cpp:
(JSC::CodeCache::getUnlinkedGlobalCodeBlock):
(JSC::CodeCache::getUnlinkedProgramCodeBlock):
(JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
(JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
(JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
* runtime/CodeCache.h:
(JSC::generateUnlinkedCodeBlock):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::createProgramCodeBlock):
(JSC::JSGlobalObject::createLocalEvalCodeBlock):
(JSC::JSGlobalObject::createGlobalEvalCodeBlock):
(JSC::JSGlobalObject::createModuleProgramCodeBlock):
2016-11-15 Filip Pizlo <fpizlo@apple.com>
REGRESSION (r208711-r208722): ASSERTION FAILED: hasInlineStorage()
https://bugs.webkit.org/show_bug.cgi?id=164775
Reviewed by Mark Lam and Keith Miller.
We were calling inlineStorage() which asserts that inline storage is not empty. But we
were calling it in a context where it could be empty and that's fine. So, we now call
inlineStorageUnsafe().
* runtime/JSObject.h:
(JSC::JSFinalObject::JSFinalObject):
2016-11-14 Csaba Osztrogonác <ossy@webkit.org>
[ARM] Unreviewed buildfix after r208720.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::storeFence): Stub function copied from MacroAssemblerARMv7.h.
2016-11-14 Caitlin Potter <caitp@igalia.com>
[JSC] do not reference AwaitExpression Promises in async function Promise chain
https://bugs.webkit.org/show_bug.cgi?id=164753
Reviewed by Yusuke Suzuki.
Previously, long-running async functions which contained many AwaitExpressions
would allocate and retain references to intermediate Promise objects for each `await`,
resulting in a memory leak.
To mitigate this leak, a reference to the original Promise (and its resolve and reject
functions) associated with the async function are kept, and passed to each call to
@asyncFunctionResume, while intermediate Promises are discarded. This is done by adding
a new Register to the BytecodeGenerator to hold the PromiseCapability object associated
with an async function wrapper. The capability is used to reject the Promise if an
exception is thrown during parameter initialization, and is used to store the resulting
value once the async function has terminated.
* builtins/AsyncFunctionPrototype.js:
(globalPrivate.asyncFunctionResume):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::promiseCapabilityRegister):
* bytecompiler/NodesCodegen.cpp:
(JSC::FunctionNode::emitBytecode):
2016-11-14 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Worker debugging should pause all targets and view call frames in all targets
https://bugs.webkit.org/show_bug.cgi?id=164305
<rdar://problem/29056192>
Reviewed by Timothy Hatcher.
* inspector/InjectedScriptSource.js:
(InjectedScript.prototype._propertyDescriptors):
Accessing __proto__ does a ToThis(...) conversion on the receiver.
In the case of GlobalObjects (such as WorkerGlobalScope when paused)
this would return undefined and throw an exception. We can use
Object.getPrototypeOf to avoid that conversion and possible error.
* inspector/protocol/Debugger.json:
Provide a new way to effectively `resume` + `pause` immediately.
This must be implemented on the backend to correctly synchronize
the resuming and pausing.
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::continueUntilNextRunLoop):
Treat this as `resume` and `pause`. Resume now, and trigger
a pause if the VM becomes idle and we didn't pause before then
(such as hitting a breakpoint after we resumed).
(Inspector::InspectorDebuggerAgent::pause):
(Inspector::InspectorDebuggerAgent::resume):
(Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
(Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
Clean up and correct pause on next statement logic.
(Inspector::InspectorDebuggerAgent::registerIdleHandler):
(Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
(Inspector::InspectorDebuggerAgent::didBecomeIdle):
(Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping): Deleted.
The idle handler may now also trigger a pause in the case
where continueUntilNextRunLoop resumed and wants to pause.
(Inspector::InspectorDebuggerAgent::didPause):
Eliminate the useless didPause. The DOMDebugger was keeping track
of its own state that was worse then the state in DebuggerAgent.
2016-11-14 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix cloop.
* runtime/JSCellInlines.h:
2016-11-14 Filip Pizlo <fpizlo@apple.com>
The GC should be optionally concurrent and disabled by default
https://bugs.webkit.org/show_bug.cgi?id=164454
Reviewed by Geoffrey Garen.
This started out as a patch to have the GC scan the stack at the end, and then the
outage happened and I decided to pick a more aggresive target: give the GC a concurrent
mode that can be enabled at runtime, and whose only effect is that it turns on the
ResumeTheWorldScope. This gives our GC a really intuitive workflow: by default, the GC
thread is running solo with the world stopped and the parallel markers converged and
waiting. We have a parallel work scope to enable the parallel markers and now we have a
ResumeTheWorldScope that will optionally resume the world and then stop it again.
It's easy to make a concurrent GC that always instantly crashes. I can't promise that
this one won't do that when you run it. I set a specific goal: I wanted to do >10
concurrent GCs in debug mode with generations, optimizing JITs, and parallel marking
disabled.
To reach this milestone, I needed to do a bunch of stuff:
- The mutator needs a separate mark stack for the barrier, since it will mutate this
stack concurrently to the collector's slot visitors.
- The use of CellState to indicate whether an object is being scanned the first time or
a subsequent time was racy. It fails spectacularly when a barrier is fired at the same
time as visitChildren is running or if the barrier runs at the same time as the GC
marks the same object. So, I split SlotVisitor's mark stacks. It's now the case that
you know why you're being scanned by looking at which stack you came off of.
- All of root marking must be in the collector fixpoint. I renamed markRoots to
markToFixpoint. They say concurrency is hard, but the collector looks more intuitive
this way. We never gained anything from forcing people to make a choice between
scanning something in the fixpoint versus outside of it. Because root scanning is
cheap, we can afford to do it repeatedly, which means all root scanning can now do
constraint-based marking (like: I'll mark you if that thing is marked).
- JSObject::visitChildren's scanning of the butterfly raced with property additions,
indexed storage transitions and resizing, and a bunch of miscellaneous dirty butterfly
reshaping functions - like the one that flattens a dictionary and some sneaky
ArrayStorage transformations. Many of these can be fixed by using store-store fences
in the mutator and load-load fences in the collector. I've adopted the rule that the
collector must always see either a butterfly and structure that match or a newer
butterfly with an older structure, where their age is just one transition apart. This
can be achieved with fences. For the cases where it breaks down, I added a lock to
every JSCell. This is a full-fledged WTF lock that we sneak into two available bits in
the indexingType. See the WTF ChangeLog for details.
The mutator fencing rules are as follows:
- Store-store fence before and after setting the butterfly.
- Store-store fence before setting structure if you had changed the shape of the
butterfly.
- Store-store fence after initializing all fields in an allocation.
- A dictionary Structure can change in strange ways while the GC is trying to scan it.
So, JSObject::visitChildren will now grab the object's structure's lock if the
object's structure is a dictionary. Dictionary structures are 1:1 with their object,
so this does not reduce GC parallelism (super unlikely that the GC will simultaneously
scan an object from two threads).
- The GC can blow away a Structure's property table at any time. As a small consolation,
it's now holding the Structure's lock when it does so. But there was tons of code in
Structure that uses DeferGC to prevent the GC from blowing away the property table.
This doesn't work with concurrent GC, since DeferGC only means that the GC won't run
its safepoint (i.e. stop-the-world code) in the DeferGC region. It will still do
marking and it was the Structure::visitChildren that would delete the table. It turns
out that Structure's reliance on the property table not being deleted was the product
of code rot. We already had functions that would materialize the table on demand. We
were simply making the mistake of saying:
structure->materializePropertyMap();
...
structure->propertyTable()->things
Instead of saying:
PropertyTable* table = structure->ensurePropertyTable();
...
table->things
Switching the code to use the latter idiom allowed me to simplify the code a lot while
fixing the race.
- The LLInt's get_by_val handling was broken because the indexing shape constants were
wrong. Once I started putting more things into the IndexingType, that started causing
crashes for me. So I fixed LLInt. That turned out to be a lot of work, since that code
had rotted in subtle ways.
This is a speed-up in SunSpider, probably because of the LLInt fix. This is neutral on
Octane and Kraken. It's a smaller slow-down on LongSpider, but I think we can ignore
that (we don't view LongSpider as an official benchmark). By default, the concurrent GC
is disabled: in all of the places where it would have resumed the world to run marking
concurrently to the mutator, it will just skip the resume step. When you enable
concurrent GC (--useConcurrentGC=true), it can sometimes run Octane/splay to completion.
It seems to perform quite well: on my machine, it improves both splay-throughput and
splay-latency. It's probably unstable for other programs.
* API/JSVirtualMachine.mm:
(-[JSVirtualMachine isOldExternalObject:]):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::storeFence):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateArrayLength):
* bytecode/ObjectAllocationProfile.h:
(JSC::ObjectAllocationProfile::offsetOfInlineCapacity):
(JSC::ObjectAllocationProfile::ObjectAllocationProfile):
(JSC::ObjectAllocationProfile::initialize):
(JSC::ObjectAllocationProfile::inlineCapacity):
(JSC::ObjectAllocationProfile::clear):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):
* dfg/DFGArrayifySlowPathGenerator.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOperations.cpp:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::markCodeBlocks):
(JSC::DFG::Plan::rememberCodeBlocks):
* dfg/DFGPlan.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::arrayify):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileCreateActivation):
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
(JSC::DFG::SpeculativeJIT::compileSpread):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileNewStringObject):
(JSC::DFG::SpeculativeJIT::compileNewTypedArray):
(JSC::DFG::SpeculativeJIT::compileStoreBarrier):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::markCodeBlocks):
(JSC::DFG::Worklist::rememberCodeBlocks):
(JSC::DFG::markCodeBlocks):
(JSC::DFG::completeAllPlansForVM):
(JSC::DFG::rememberCodeBlocks):
* dfg/DFGWorklist.h:
* ftl/FTLAbstractHeapRepository.cpp:
(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
(JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::~JITCode):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
(JSC::FTL::DFG::LowerDFGToB3::compileNewObject):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
(JSC::FTL::DFG::LowerDFGToB3::splatWords):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::isArrayType):
(JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
(JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
(JSC::FTL::DFG::LowerDFGToB3::setButterfly):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLOutput.cpp:
(JSC::FTL::Output::signExt32ToPtr):
(JSC::FTL::Output::fence):
* ftl/FTLOutput.h:
* heap/CellState.h:
* heap/GCSegmentedArray.h:
* heap/Heap.cpp:
(JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
(JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope):
(JSC::Heap::Heap):
(JSC::Heap::~Heap):
(JSC::Heap::harvestWeakReferences):
(JSC::Heap::finalizeUnconditionalFinalizers):
(JSC::Heap::completeAllJITPlans):
(JSC::Heap::markToFixpoint):
(JSC::Heap::gatherStackRoots):
(JSC::Heap::beginMarking):
(JSC::Heap::visitConservativeRoots):
(JSC::Heap::visitCompilerWorklistWeakReferences):
(JSC::Heap::updateObjectCounts):
(JSC::Heap::endMarking):
(JSC::Heap::addToRememberedSet):
(JSC::Heap::collectInThread):
(JSC::Heap::stopTheWorld):
(JSC::Heap::resumeTheWorld):
(JSC::Heap::setGCDidJIT):
(JSC::Heap::setNeedFinalize):
(JSC::Heap::setMutatorWaiting):
(JSC::Heap::clearMutatorWaiting):
(JSC::Heap::finalize):
(JSC::Heap::flushWriteBarrierBuffer):
(JSC::Heap::writeBarrierSlowPath):
(JSC::Heap::canCollect):
(JSC::Heap::reportExtraMemoryVisited):
(JSC::Heap::reportExternalMemoryVisited):
(JSC::Heap::notifyIsSafeToCollect):
(JSC::Heap::markRoots): Deleted.
(JSC::Heap::visitExternalRememberedSet): Deleted.
(JSC::Heap::visitSmallStrings): Deleted.
(JSC::Heap::visitProtectedObjects): Deleted.
(JSC::Heap::visitArgumentBuffers): Deleted.
(JSC::Heap::visitException): Deleted.
(JSC::Heap::visitStrongHandles): Deleted.
(JSC::Heap::visitHandleStack): Deleted.
(JSC::Heap::visitSamplingProfiler): Deleted.
(JSC::Heap::visitTypeProfiler): Deleted.
(JSC::Heap::visitShadowChicken): Deleted.
(JSC::Heap::traceCodeBlocksAndJITStubRoutines): Deleted.
(JSC::Heap::visitWeakHandles): Deleted.
(JSC::Heap::flushOldStructureIDTables): Deleted.
(JSC::Heap::stopAllocation): Deleted.
* heap/Heap.h:
(JSC::Heap::collectorSlotVisitor):
(JSC::Heap::mutatorMarkStack):
(JSC::Heap::mutatorShouldBeFenced):
(JSC::Heap::addressOfMutatorShouldBeFenced):
(JSC::Heap::slotVisitor): Deleted.
(JSC::Heap::notifyIsSafeToCollect): Deleted.
(JSC::Heap::barrierShouldBeFenced): Deleted.
(JSC::Heap::addressOfBarrierShouldBeFenced): Deleted.
* heap/MarkStack.cpp:
(JSC::MarkStackArray::transferTo):
* heap/MarkStack.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::tryAllocateIn):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::MarkedBlock):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::sweep):
(JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::Handle::didConsumeFreeList):
(JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor): Deleted.
(JSC::SetNewlyAllocatedFunctor::operator()): Deleted.
* heap/MarkedBlock.h:
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::resumeAllocating):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::SlotVisitor):
(JSC::SlotVisitor::~SlotVisitor):
(JSC::SlotVisitor::reset):
(JSC::SlotVisitor::clearMarkStacks):
(JSC::SlotVisitor::appendJSCellOrAuxiliary):
(JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
(JSC::SlotVisitor::appendToMarkStack):
(JSC::SlotVisitor::appendToMutatorMarkStack):
(JSC::SlotVisitor::visitChildren):
(JSC::SlotVisitor::donateKnownParallel):
(JSC::SlotVisitor::drain):
(JSC::SlotVisitor::drainFromShared):
(JSC::SlotVisitor::containsOpaqueRoot):
(JSC::SlotVisitor::donateAndDrain):
(JSC::SlotVisitor::mergeOpaqueRoots):
(JSC::SlotVisitor::dump):
(JSC::SlotVisitor::clearMarkStack): Deleted.
(JSC::SlotVisitor::opaqueRootCount): Deleted.
* heap/SlotVisitor.h:
(JSC::SlotVisitor::collectorMarkStack):
(JSC::SlotVisitor::mutatorMarkStack):
(JSC::SlotVisitor::isEmpty):
(JSC::SlotVisitor::bytesVisited):
(JSC::SlotVisitor::markStack): Deleted.
(JSC::SlotVisitor::bytesCopied): Deleted.
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::reportExtraMemoryVisited):
(JSC::SlotVisitor::reportExternalMemoryVisited):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
(JSC::AssemblyHelpers::barrierStoreLoadFence):
(JSC::AssemblyHelpers::mutatorFence):
(JSC::AssemblyHelpers::storeButterfly):
(JSC::AssemblyHelpers::jumpIfMutatorFenceNotNeeded):
(JSC::AssemblyHelpers::emitInitializeInlineStorage):
(JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
(JSC::AssemblyHelpers::jumpIfBarrierStoreLoadFenceNotNeeded): Deleted.
* jit/JITInlines.h:
(JSC::JIT::emitArrayProfilingSiteWithCell):
* jit/JITOperations.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emit_op_put_to_arguments):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ButterflyInlines.h:
(JSC::Butterfly::create):
(JSC::Butterfly::createOrGrowPropertyStorage):
* runtime/ConcurrentJITLock.h:
(JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer): Deleted.
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
(JSC::GenericArguments<Type>::putByIndex):
* runtime/IndexingType.h:
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::unshiftCountWithArrayStorage):
* runtime/JSCell.h:
(JSC::JSCell::InternalLocker::InternalLocker):
(JSC::JSCell::InternalLocker::~InternalLocker):
(JSC::JSCell::atomicCompareExchangeCellStateWeakRelaxed):
(JSC::JSCell::atomicCompareExchangeCellStateStrong):
(JSC::JSCell::indexingTypeAndMiscOffset):
(JSC::JSCell::indexingTypeOffset): Deleted.
* runtime/JSCellInlines.h:
(JSC::JSCell::JSCell):
(JSC::JSCell::finishCreation):
(JSC::JSCell::indexingTypeAndMisc):
(JSC::JSCell::indexingType):
(JSC::JSCell::setStructure):
(JSC::JSCell::callDestructor):
(JSC::JSCell::lockInternalLock):
(JSC::JSCell::unlockInternalLock):
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterfly):
(JSC::JSObject::visitChildren):
(JSC::JSFinalObject::visitChildren):
(JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
(JSC::JSObject::createInitialUndecided):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::increaseVectorLength):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::reallocateAndShrinkButterfly):
(JSC::JSObject::allocateMoreOutOfLineStorage):
(JSC::JSObject::shiftButterflyAfterFlattening):
(JSC::JSObject::growOutOfLineStorage): Deleted.
* runtime/JSObject.h:
(JSC::JSFinalObject::JSFinalObject):
(JSC::JSObject::setButterfly):
(JSC::JSObject::getOwnNonIndexPropertySlot):
(JSC::JSObject::fillCustomGetterPropertySlot):
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::setStructureAndButterfly): Deleted.
(JSC::JSObject::setButterflyWithoutChangingStructure): Deleted.
(JSC::JSObject::putDirectInternal): Deleted.
(JSC::JSObject::putDirectWithoutTransition): Deleted.
* runtime/JSObjectInlines.h:
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::getNonIndexPropertySlot):
(JSC::JSObject::putDirectWithoutTransition):
(JSC::JSObject::putDirectInternal):
* runtime/Options.h:
* runtime/SparseArrayValueMap.h:
* runtime/Structure.cpp:
(JSC::Structure::dumpStatistics):
(JSC::Structure::findStructuresAndMapForMaterialization):
(JSC::Structure::materializePropertyTable):
(JSC::Structure::addNewPropertyTransition):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::isSealed):
(JSC::Structure::isFrozen):
(JSC::Structure::flattenDictionaryStructure):
(JSC::Structure::pin):
(JSC::Structure::pinForCaching):
(JSC::Structure::willStoreValueSlow):
(JSC::Structure::copyPropertyTableForPinning):
(JSC::Structure::add):
(JSC::Structure::remove):
(JSC::Structure::getPropertyNamesFromStructure):
(JSC::Structure::visitChildren):
(JSC::Structure::materializePropertyMap): Deleted.
(JSC::Structure::addPropertyWithoutTransition): Deleted.
(JSC::Structure::removePropertyWithoutTransition): Deleted.
(JSC::Structure::copyPropertyTable): Deleted.
(JSC::Structure::createPropertyMap): Deleted.
(JSC::PropertyTable::checkConsistency): Deleted.
(JSC::Structure::checkConsistency): Deleted.
* runtime/Structure.h:
* runtime/StructureIDBlob.h:
(JSC::StructureIDBlob::StructureIDBlob):
(JSC::StructureIDBlob::indexingTypeIncludingHistory):
(JSC::StructureIDBlob::setIndexingTypeIncludingHistory):
(JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset):
(JSC::StructureIDBlob::indexingType): Deleted.
(JSC::StructureIDBlob::setIndexingType): Deleted.
(JSC::StructureIDBlob::indexingTypeOffset): Deleted.
* runtime/StructureInlines.h:
(JSC::Structure::get):
(JSC::Structure::checkOffsetConsistency):
(JSC::Structure::checkConsistency):
(JSC::Structure::add):
(JSC::Structure::remove):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):
(JSC::Structure::setPropertyTable):
(JSC::Structure::putWillGrowOutOfLineStorage): Deleted.
(JSC::Structure::propertyTable): Deleted.
(JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
2016-11-14 Keith Miller <keith_miller@apple.com>
Add Wasm select
https://bugs.webkit.org/show_bug.cgi?id=164743
Reviewed by Saam Barati.
Also, this patch fixes an issue with the jsc.cpp test harness where negative numbers would be sign extended
when they shouldn't be.
* jsc.cpp:
(box):
* wasm/WasmB3IRGenerator.cpp:
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::addSelect):
2016-11-11 Geoffrey Garen <ggaren@apple.com>
JSC should distinguish between local and global eval
https://bugs.webkit.org/show_bug.cgi?id=164628
Reviewed by Saam Barati.
Local use of the 'eval' keyword and invocation of the global window.eval
function are distinct operations in JavaScript.
This patch splits out LocalEvalExecutable vs GlobalEvalExecutable in
order to help distinguish these operations in code.
Our code used to do some silly things for lack of distinguishing these
cases. For example, it would double cache local eval in CodeCache and
EvalCodeCache. This made CodeCache seem more complicated than it really
was.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj: Added some files.
* bytecode/CodeBlock.h:
* bytecode/EvalCodeCache.h:
(JSC::EvalCodeCache::tryGet):
(JSC::EvalCodeCache::set):
(JSC::EvalCodeCache::getSlow): Deleted. Moved code generation out of
the cache to avoid tight coupling. Now the cache just caches.
* bytecode/UnlinkedEvalCodeBlock.h:
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::fromGlobalCode):
* bytecode/UnlinkedModuleProgramCodeBlock.h:
* bytecode/UnlinkedProgramCodeBlock.h:
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::evaluateWithScopeExtension): Updated for interface
changes.
* interpreter/Interpreter.cpp:
(JSC::eval): Moved code generation here so the cache didn't need to build
it in.
* llint/LLIntOffsetsExtractor.cpp:
* runtime/CodeCache.cpp:
(JSC::CodeCache::getUnlinkedGlobalCodeBlock): No need to check for TDZ
variables any more. We only cache global programs, and global variable
access always does TDZ checks.
(JSC::CodeCache::getUnlinkedProgramCodeBlock):
(JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
(JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
(JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
(JSC::CodeCache::CodeCache): Deleted.
(JSC::CodeCache::~CodeCache): Deleted.
(JSC::CodeCache::getGlobalCodeBlock): Deleted.
(JSC::CodeCache::getProgramCodeBlock): Deleted.
(JSC::CodeCache::getEvalCodeBlock): Deleted.
(JSC::CodeCache::getModuleProgramCodeBlock): Deleted.
(JSC::CodeCache::getFunctionExecutableFromGlobalCode): Deleted.
* runtime/CodeCache.h:
(JSC::CodeCache::clear):
(JSC::generateUnlinkedCodeBlock): Moved unlinked code block creation
out of the CodeCache class and into a stand-alone function because
we need it for local eval, which does not live in CodeCache.
* runtime/EvalExecutable.cpp:
(JSC::EvalExecutable::create): Deleted.
* runtime/EvalExecutable.h:
(): Deleted.
* runtime/GlobalEvalExecutable.cpp: Added.
(JSC::GlobalEvalExecutable::create):
(JSC::GlobalEvalExecutable::GlobalEvalExecutable):
* runtime/GlobalEvalExecutable.h: Added.
* runtime/LocalEvalExecutable.cpp: Added.
(JSC::LocalEvalExecutable::create):
(JSC::LocalEvalExecutable::LocalEvalExecutable):
* runtime/LocalEvalExecutable.h: Added. Split out Local vs Global
EvalExecutable classes to distinguish these operations in code. The key
difference is that LocalEvalExecutable does not live in the CodeCache
and only lives in the EvalCodeCache.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::createProgramCodeBlock):
(JSC::JSGlobalObject::createLocalEvalCodeBlock):
(JSC::JSGlobalObject::createGlobalEvalCodeBlock):
(JSC::JSGlobalObject::createModuleProgramCodeBlock):
(JSC::JSGlobalObject::createEvalCodeBlock): Deleted.
* runtime/JSGlobalObject.h:
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncEval):
* runtime/JSScope.cpp:
(JSC::JSScope::collectClosureVariablesUnderTDZ):
(JSC::JSScope::collectVariablesUnderTDZ): Deleted. We don't include
global lexical variables in our concept of TDZ scopes anymore. Global
variable access always does TDZ checks unconditionally. So, only closure
scope accesses give specific consideration to TDZ checks.
* runtime/JSScope.h:
2016-11-14 Caitlin Potter <caitp@igalia.com>
[JSC] Handle new_async_func / new_async_func_exp in DFG / FTL
https://bugs.webkit.org/show_bug.cgi?id=164037
Reviewed by Yusuke Suzuki.
This patch introduces new_async_func / new_async_func_exp into DFG and FTL,
in much the same capacity that https://trac.webkit.org/changeset/194216 added
DFG / FTL support for generators: by adding new DFG nodes (NewAsyncFunction and
PhantomNewAsyncFunction), rather than extending the existing NewFunction node type.
Like NewFunction and PhantomNewFunction, and the Generator variants, allocation of
async wrapper functions may be deferred or eliminated during the allocation sinking
phase.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToPhantomNewFunction):
(JSC::DFG::Node::convertToPhantomNewAsyncFunction):
(JSC::DFG::Node::hasCellOperand):
(JSC::DFG::Node::isFunctionAllocation):
(JSC::DFG::Node::isPhantomFunctionAllocation):
(JSC::DFG::Node::isPhantomAllocation):
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewFunction):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStoreBarrierInsertionPhase.cpp:
* dfg/DFGStructureRegistrationPhase.cpp:
(JSC::DFG::StructureRegistrationPhase::run):
* dfg/DFGValidate.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationPopulateObjectInOSR):
(JSC::FTL::operationMaterializeObjectInOSR):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::asyncFunctionPrototype):
(JSC::JSGlobalObject::asyncFunctionStructure):
(JSC::JSGlobalObject::lazyAsyncFunctionStructure): Deleted.
(JSC::JSGlobalObject::asyncFunctionPrototypeConcurrently): Deleted.
(JSC::JSGlobalObject::asyncFunctionStructureConcurrently): Deleted.
2016-11-14 Mark Lam <mark.lam@apple.com>
Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions.
https://bugs.webkit.org/show_bug.cgi?id=164701
<rdar://problem/27462104>
Reviewed by Darin Adler.
The characters8(), characters16(), and operator[] in JSString::SafeView converts
the underlying JSString to a StringView via get(), and then uses the StringView
without first checking if an exception was thrown during the conversion. This is
unsafe because the conversion may have failed.
Instead, we should remove these 3 convenience methods, and make the caller
explicitly call get() and do the appropriate exception checks before using the
StringView.
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::toStringView):
(JSC::encode):
(JSC::decode):
(JSC::globalFuncParseInt):
(JSC::globalFuncEscape):
(JSC::globalFuncUnescape):
(JSC::toSafeView): Deleted.
* runtime/JSONObject.cpp:
(JSC::JSONProtoFuncParse):
* runtime/JSString.h:
(JSC::JSString::SafeView::length):
(JSC::JSString::SafeView::characters8): Deleted.
(JSC::JSString::SafeView::characters16): Deleted.
(JSC::JSString::SafeView::operator[]): Deleted.
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncRepeatCharacter):
(JSC::stringProtoFuncCharAt):
(JSC::stringProtoFuncCharCodeAt):
(JSC::stringProtoFuncNormalize):
2016-11-14 Mark Lam <mark.lam@apple.com>
RegExpObject::exec/match should handle errors gracefully.
https://bugs.webkit.org/show_bug.cgi?id=155145
<rdar://problem/27435934>
Reviewed by Keith Miller.
1. Added some missing exception checks to RegExpObject::execInline() and
RegExpObject::matchInline().
2. Updated related code to work with ExceptionScope verification requirements.
* dfg/DFGOperations.cpp:
* runtime/RegExpObjectInlines.h:
(JSC::RegExpObject::execInline):
(JSC::RegExpObject::matchInline):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncTestFast):
(JSC::regExpProtoFuncExec):
(JSC::regExpProtoFuncMatchFast):
2016-11-13 Mark Lam <mark.lam@apple.com>
Add debugging facility to limit the max single allocation size.
https://bugs.webkit.org/show_bug.cgi?id=164681
Reviewed by Keith Miller.
Added JSC option to set FastMalloc's maxSingleAllocationSize for testing purposes.
This option is only available on Debug builds.
* runtime/Options.cpp:
(JSC::Options::isAvailable):
(JSC::recomputeDependentOptions):
* runtime/Options.h:
2016-11-12 Joseph Pecoraro <pecoraro@apple.com>
Follow-up fix to r208639.
Unreviewed fix. This is a straightfoward change where I forgot to
switch from uncheckedArgument() to argument() in once case after
dropping an argumentCount check. All other cases do this properly.
This addresses an ASSERT seen on the bots running tests.
* runtime/JSDataViewPrototype.cpp:
(JSC::setData):
2016-11-11 Joseph Pecoraro <pecoraro@apple.com>
test262: DataView with explicit undefined byteLength should be the same as it not being present
https://bugs.webkit.org/show_bug.cgi?id=164453
Reviewed by Darin Adler.
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayView):
Handle the special case of DataView construction with an undefined byteLength value.
2016-11-11 Joseph Pecoraro <pecoraro@apple.com>
test262: DataView get methods should allow for missing offset, set methods should allow for missing value
https://bugs.webkit.org/show_bug.cgi?id=164451
Reviewed by Darin Adler.
* runtime/JSDataViewPrototype.cpp:
(JSC::getData):
Missing offset is still valid and will be coerced to 0.
(JSC::setData):
Missing value is still valid and will be coerced to 0.
2016-11-11 Saam Barati <sbarati@apple.com>
We should have a more concise way of determining when we're varargs calling a function using rest parameters
https://bugs.webkit.org/show_bug.cgi?id=164258
Reviewed by Yusuke Suzuki.
This patch adds two new bytecodes and DFG nodes for the following code patterns:
```
foo(a, b, ...c)
let x = [a, b, ...c];
```
To do this, I've introduced two new bytecode operations (and their
corresponding DFG nodes):
op_spread and op_new_array_with_spread.
op_spread takes a single input and performs the ES6 iteration protocol on it.
It returns the result of doing the spread inside a new class I've
made called JSFixedArray. JSFixedArray is a cell with a single 'size'
field and a buffer of values allocated inline in the cell. Abstracting
the protocol into a single node is good because it will make IR analysis
in the future much simpler. For now, it's also good because it allows
us to create fast paths for array iteration (which is quite common).
This fast path allows us to emit really good code for array iteration
inside the DFG/FTL.
op_new_array_with_spread is a variable argument bytecode that also
has a bit vector associated with it. The bit vector indicates if
any particular argument is to be spread or not. Arguments that
are spread are known to be JSFixedArray because we must emit an
op_spread before op_new_array_with_spread consumes the value.
For example, for this array:
[a, b, ...c, d, ...e]
we will have this bit vector:
[0, 0, 1, 0, 1]
The reason I've chosen this IR is that it will make eliminating
a rest allocation for this type of code much easier:
```
function foo(...args) {
return bar(a, b, ...args);
}
```
It will be easier to analyze the IR now that the operations
will be described at a high level.
This patch is an ~8% speedup on ES6SampleBench on my MBP.
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/IteratorHelpers.js: Added.
(performIteration):
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/ObjectPropertyConditionSet.cpp:
(JSC::generateConditionForSelfEquivalence):
* bytecode/ObjectPropertyConditionSet.h:
* bytecode/TrackedReferences.cpp:
(JSC::TrackedReferences::check):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::bitVectors):
(JSC::UnlinkedCodeBlock::bitVector):
(JSC::UnlinkedCodeBlock::addBitVector):
(JSC::UnlinkedCodeBlock::shrinkToFit):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitNewArrayWithSpread):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addToGraph):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::watchHavingABadTime):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
* dfg/DFGNode.h:
(JSC::DFG::Node::bitVector):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSpread):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureRegistrationPhase.cpp:
(JSC::DFG::StructureRegistrationPhase::run):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileSpread):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
(JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_array_with_spread):
(JSC::JIT::emit_op_spread):
* jit/JITOperations.h:
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntSlowPaths.cpp:
* llint/LowLevelInterpreter.asm:
* runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
(JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
(JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
* runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
* runtime/IteratorOperations.h:
(JSC::forEachInIterable):
* runtime/JSCInlines.h:
* runtime/JSFixedArray.cpp: Added.
(JSC::JSFixedArray::visitChildren):
* runtime/JSFixedArray.h: Added.
(JSC::JSFixedArray::createStructure):
(JSC::JSFixedArray::createFromArray):
(JSC::JSFixedArray::get):
(JSC::JSFixedArray::buffer):
(JSC::JSFixedArray::size):
(JSC::JSFixedArray::offsetOfSize):
(JSC::JSFixedArray::offsetOfData):
(JSC::JSFixedArray::create):
(JSC::JSFixedArray::JSFixedArray):
(JSC::JSFixedArray::allocationSize):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
(JSC::JSGlobalObject::objectPrototypeIsSane): Deleted.
(JSC::JSGlobalObject::arrayPrototypeChainIsSane): Deleted.
(JSC::JSGlobalObject::stringPrototypeChainIsSane): Deleted.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint):
(JSC::JSGlobalObject::iteratorProtocolFunction):
* runtime/JSGlobalObjectInlines.h: Added.
(JSC::JSGlobalObject::objectPrototypeIsSane):
(JSC::JSGlobalObject::arrayPrototypeChainIsSane):
(JSC::JSGlobalObject::stringPrototypeChainIsSane):
(JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable):
* runtime/JSType.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2016-11-11 Keith Miller <keith_miller@apple.com>
Move Wasm tests to JS
https://bugs.webkit.org/show_bug.cgi?id=164611
Reviewed by Geoffrey Garen.
This patch translates most of the tests from testWasm.cpp to the JS testing api. Most of the
ommited tests were earliest tests, which tested trivial things, like adding two
constants. Some tests are ommited for other reasons, however. These are:
1) Tests using I64 since the testing api does not yet know how to handle 64-bit numbers. 2)
Tests that would validate the memory of the module once wasm was done with it since that's
not really possible in JS.
In order to make such a translation easier this patch also adds some features to the JS
testing api:
1) Blocks can now be done lexically by adding a lambda as the last argument of the block
opcode. For example one can do:
...
.Block("i32", b => b.I32Const(1) )
and the nested lambda will automatically have an end attached.
2) The JS testing api can now handle inline signature types.
3) Relocate some code to make it easier to follow and prevent 44 space indentation.
4) Rename varuint/varint to varuint32/varint32, this lets them be directly called from the
wasm.json without being remapped.
5) Add support for Memory and Function sections to the Builder.
6) Add support for local variables.
On the JSC side, we needed to expose a new function to validate the compiled wasm code
behaves the way we expect. At least until the JS Wasm API is finished. The new validation
function, testWasmModuleFunctions, takes an array buffer containing the wasm binary, the
number of functions in the blob and tests for each of those functions.
* jsc.cpp:
(GlobalObject::finishCreation):
(box):
(callWasmFunction):
(functionTestWasmModuleFunctions):
* testWasm.cpp:
(checkPlan):
(runWasmTests):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::parseAndCompile):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parse):
(JSC::Wasm::FunctionParser<Context>::parseBody):
(JSC::Wasm::FunctionParser<Context>::parseBlock): Deleted.
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parseMemory):
(JSC::Wasm::ModuleParser::parseExport):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::Plan):
(JSC::Wasm::Plan::run):
* wasm/WasmPlan.h:
* wasm/js/WebAssemblyModuleConstructor.cpp:
(JSC::constructJSWebAssemblyModule):
2016-11-11 Saam Barati <sbarati@apple.com>
Unreviewed try to fix windows build after https://bugs.webkit.org/show_bug.cgi?id=164650
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
2016-11-11 Saam Barati <sbarati@apple.com>
We recursively grab a lock in the DFGBytecodeParser causing us to deadlock
https://bugs.webkit.org/show_bug.cgi?id=164650
Reviewed by Geoffrey Garen.
Some code was incorrectly holding a lock when recursively calling
back into the bytecode parser's via inlining a put_by_val as a put_by_id.
This can cause a deadlock if the inlinee CodeBlock is something we're
already holding a lock for. I've changed the range of the lock holder
to be as narrow as possible.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
2016-11-11 Chris Dumez <cdumez@apple.com>
Unreviewed, rolling out r208584.
Seems to have regressed Speedometer by 1% on Mac
Reverted changeset:
"We should have a more concise way of determining when we're
varargs calling a function using rest parameters"
https://bugs.webkit.org/show_bug.cgi?id=164258
http://trac.webkit.org/changeset/208584
2016-11-11 Chris Dumez <cdumez@apple.com>
Unreviewed, rolling out r208117 and r208160.
Regressed Speedometer by >1.5%
Reverted changesets:
"We should have a way of profiling when a get_by_id is pure
and to emit a PureGetById in the DFG/FTL"
https://bugs.webkit.org/show_bug.cgi?id=163305
http://trac.webkit.org/changeset/208117
"Debug JSC test microbenchmarks/pure-get-by-id-cse-2.js timing
out"
https://bugs.webkit.org/show_bug.cgi?id=164227
http://trac.webkit.org/changeset/208160
2016-11-11 Saam Barati <sbarati@apple.com>
We should have a more concise way of determining when we're varargs calling a function using rest parameters
https://bugs.webkit.org/show_bug.cgi?id=164258
Reviewed by Yusuke Suzuki.
This patch adds two new bytecodes and DFG nodes for the following code patterns:
```
foo(a, b, ...c)
let x = [a, b, ...c];
```
To do this, I've introduced two new bytecode operations (and their
corresponding DFG nodes):
op_spread and op_new_array_with_spread.
op_spread takes a single input and performs the ES6 iteration protocol on it.
It returns the result of doing the spread inside a new class I've
made called JSFixedArray. JSFixedArray is a cell with a single 'size'
field and a buffer of values allocated inline in the cell. Abstracting
the protocol into a single node is good because it will make IR analysis
in the future much simpler. For now, it's also good because it allows
us to create fast paths for array iteration (which is quite common).
This fast path allows us to emit really good code for array iteration
inside the DFG/FTL.
op_new_array_with_spread is a variable argument bytecode that also
has a bit vector associated with it. The bit vector indicates if
any particular argument is to be spread or not. Arguments that
are spread are known to be JSFixedArray because we must emit an
op_spread before op_new_array_with_spread consumes the value.
For example, for this array:
[a, b, ...c, d, ...e]
we will have this bit vector:
[0, 0, 1, 0, 1]
The reason I've chosen this IR is that it will make eliminating
a rest allocation for this type of code much easier:
```
function foo(...args) {
return bar(a, b, ...args);
}
```
It will be easier to analyze the IR now that the operations
will be described at a high level.
This patch is an ~8% speedup on ES6SampleBench on my MBP.
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/IteratorHelpers.js: Added.
(performIteration):
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/ObjectPropertyConditionSet.cpp:
(JSC::generateConditionForSelfEquivalence):
* bytecode/ObjectPropertyConditionSet.h:
* bytecode/TrackedReferences.cpp:
(JSC::TrackedReferences::check):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::bitVectors):
(JSC::UnlinkedCodeBlock::bitVector):
(JSC::UnlinkedCodeBlock::addBitVector):
(JSC::UnlinkedCodeBlock::shrinkToFit):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitNewArrayWithSpread):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addToGraph):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::watchHavingABadTime):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
* dfg/DFGNode.h:
(JSC::DFG::Node::bitVector):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSpread):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureRegistrationPhase.cpp:
(JSC::DFG::StructureRegistrationPhase::run):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileSpread):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
(JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_array_with_spread):
(JSC::JIT::emit_op_spread):
* jit/JITOperations.h:
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntSlowPaths.cpp:
* llint/LowLevelInterpreter.asm:
* runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
(JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
(JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
* runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
* runtime/IteratorOperations.h:
(JSC::forEachInIterable):
* runtime/JSCInlines.h:
* runtime/JSFixedArray.cpp: Added.
(JSC::JSFixedArray::visitChildren):
* runtime/JSFixedArray.h: Added.
(JSC::JSFixedArray::createStructure):
(JSC::JSFixedArray::createFromArray):
(JSC::JSFixedArray::get):
(JSC::JSFixedArray::buffer):
(JSC::JSFixedArray::size):
(JSC::JSFixedArray::offsetOfSize):
(JSC::JSFixedArray::offsetOfData):
(JSC::JSFixedArray::create):
(JSC::JSFixedArray::JSFixedArray):
(JSC::JSFixedArray::allocationSize):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
(JSC::JSGlobalObject::objectPrototypeIsSane): Deleted.
(JSC::JSGlobalObject::arrayPrototypeChainIsSane): Deleted.
(JSC::JSGlobalObject::stringPrototypeChainIsSane): Deleted.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint):
(JSC::JSGlobalObject::iteratorProtocolFunction):
* runtime/JSGlobalObjectInlines.h: Added.
(JSC::JSGlobalObject::objectPrototypeIsSane):
(JSC::JSGlobalObject::arrayPrototypeChainIsSane):
(JSC::JSGlobalObject::stringPrototypeChainIsSane):
(JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable):
* runtime/JSType.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2016-11-10 JF Bastien <jfbastien@apple.com>
ASSERTION FAILED: length > offset encountered with wasm.yaml/wasm/js-api/test_Module.js.default-wasm
https://bugs.webkit.org/show_bug.cgi?id=164597
Reviewed by Keith Miller.
* wasm/WasmParser.h:
(JSC::Wasm::Parser::parseVarUInt32): move closer to other parsers
(JSC::Wasm::Parser::parseVarUInt64): move closer to other parsers
2016-11-10 Joseph Pecoraro <pecoraro@apple.com>
test262: DataView / TypedArray methods should throw RangeErrors for negative numbers (ToIndex)
https://bugs.webkit.org/show_bug.cgi?id=164450
Reviewed by Darin Adler.
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::toIndex):
Introduce a method for toIndex, which is used by DataView and TypedArrays
to convert an argument to a number with the possibility of throwing
RangeErrors for negative values. We also throw RangeErrors for large
values, because wherever this is used we expect an unsigned.
* runtime/JSArrayBufferConstructor.cpp:
(JSC::constructArrayBuffer):
* runtime/JSDataViewPrototype.cpp:
(JSC::getData):
(JSC::setData):
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):
(JSC::constructGenericTypedArrayView):
Use toIndex instead of toUint32 where required.
2016-11-10 Mark Lam <mark.lam@apple.com>
A few bits of minor code clean up.
https://bugs.webkit.org/show_bug.cgi?id=164523
Reviewed by Yusuke Suzuki.
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::dump):
- Insert a space to make the dump more legible.
* runtime/Options.h:
- Fixed some typos.
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncReplaceUsingRegExp):
(JSC::stringProtoFuncReplaceUsingStringSearch):
- Use the VM& that is already available.
2016-11-10 Mark Lam <mark.lam@apple.com>
Graph::methodOfGettingAValueProfileFor() should be returning the profile for the operand node.
https://bugs.webkit.org/show_bug.cgi?id=164600
<rdar://problem/28828676>
Reviewed by Filip Pizlo.
Currently, Graph::methodOfGettingAValueProfileFor() assumes that the operand DFG
node that it is provided with always has a different origin than the node that is
using that operand. For example, in a DFG graph that looks like this:
a: ...
b: ArithAdd(@a, ...)
... when emitting speculation checks on @a for the ArithAdd node at @b,
Graph::methodOfGettingAValueProfileFor() is passed @a, and expects @a's to
originate from a different bytecode than @b. The intent here is to get the
profile for @a so that the OSR exit ramp for @b can update @a's profile with the
observed result type from @a so that future type prediction on incoming args for
the ArithAdd node can take this into consideration.
However, op_negate can be compiled into the following series of nodes:
a: ...
b: BooleanToNumber(@a)
c: DoubleRep(@b)
d: ArithNegate(@c)
All 3 nodes @b, @c, and @d maps to the same op_negate bytecode i.e. they have the
same origin. When the speculativeJIT emits a speculationCheck for DoubleRep, it
calls Graph::methodOfGettingAValueProfileFor() to get the ArithProfile for the
BooleanToNumber node. But because all 3 nodes have the same origin,
Graph::methodOfGettingAValueProfileFor() erroneously returns the ArithProfile for
the op_negate. Subsequently, the OSR exit ramp will modify the ArithProfile of
the op_negate and corrupt its profile. Instead, what the OSR exit ramp should be
doing is update the ArithProfile of op_negate's operand i.e. BooleanToNumber's
operand @a in this case.
The fix is to always pass the current node we're generating code for (in addition
to the operand node) to Graph::methodOfGettingAValueProfileFor(). This way, we
know the profile is valid if and only if the current node and its operand node
does not have the same origin.
In this patch, we also fixed the following:
1. Teach Graph::methodOfGettingAValueProfileFor() to get the profile for
BooleanToNumber's operand if the operand node it is given is BooleanToNumber.
2. Change JITCompiler::appendExceptionHandlingOSRExit() to explicitly pass an
empty MethodOfGettingAValueProfile(). It was implicitly doing this before.
3. Change SpeculativeJIT::emitInvalidationPoint() to pass an empty
MethodOfGettingAValueProfile(). It has no child node. Hence, it doesn't
make sense to call Graph::methodOfGettingAValueProfileFor() for a child node
that does not exist.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::appendExceptionHandlingOSRExit):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculationCheck):
(JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
2016-11-10 Aaron Chu <aaron_chu@apple.com>
Web Inspector: AXI: clarify button roles (e.g. toggle or popup button)
https://bugs.webkit.org/show_bug.cgi?id=130726
<rdar://problem/16420420>
Reviewed by Brian Burg.
Add the isPopupButton flag to the AccessibilityProperties type.
* inspector/protocol/DOM.json:
2016-11-10 Csaba Osztrogonác <ossy@webkit.org>
[ARM] Unreviewed buildfix after r208450.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::load8SignedExtendTo32): Added.
2016-11-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Avoid cloned arguments allocation in ArrayPrototype methods
https://bugs.webkit.org/show_bug.cgi?id=164502
Reviewed by Saam Barati.
In many builtin functions, we use `arguments` to just get optional parameters.
While FTL argument elimination can drop `arguments` allocations, it leaves
the allocations in LLInt, Baseline, and DFG. And we found that DFG compiled
Array#map is heavily used in ES6SampleBench/Basic. And it always creates
a meaningless ClonedArguments.
Using ES6 default parameter here is not a solution. It increases the number
of parameters of the CodeBlock (not `function.length`). And the optional
parameters in Array.prototype.xxx methods are not typically passed. For
example, we typically do not pass `thisArg` to `Array.prototype.map` function.
In this case, the arity check frequently fails. It requires the additional C
call to fixup arguments and it becomes pure overhead.
To solve this problem, this patch introduces a new bytecode intrinsic @argument().
This offers the way to retrieve the argument value without increasing the
arity of the function. And if the argument is not passed (out of bounds), it
just returns `undefined`. The semantics of this intrinsic is the same to the C++
ExecState::argument(). This operation does not require `arguments` object. And we
can drop the `argument` references even in lower 3 tiers.
We implement op_get_argument for this intrinsic. And later this will be converted
to DFG GetArgument node. All the tiers handles this feature.
This patch improves ES6SampleBench/Basic 13.8% in steady state. And in summary,
it improves 4.5%.
In the future, we can improve the implementation of the default parameters.
Currently, the default parameter always increases the arity of the function. So
if you do not pass the argument, the arity check fails. But since it is the default
parameter, it is likely that we don't pass the argument. Using op_get_argument to
implement the default parameter can decrease the case in which the arity check
frequently fails. And it can change the builtin implementation to use the ES6
default parameters instead of using the special @argument() intrinsic in the future.
And at that case, the user code also receives the benefit.
ES6SampleBench/Basic.
Baseline:
Running... Basic ( 1 to go)
firstIteration: 39.38 ms +- 4.48 ms
averageWorstCase: 20.79 ms +- 0.96 ms
steadyState: 1959.22 ms +- 65.55 ms
Patched:
Running... Basic ( 1 to go)
firstIteration: 37.85 ms +- 4.09 ms
averageWorstCase: 18.60 ms +- 0.76 ms
steadyState: 1721.89 ms +- 57.58 ms
All summary.
Baseline:
summary: 164.34 ms +- 5.01 ms
Patched:
summary: 157.26 ms +- 5.96 ms
* builtins/ArrayConstructor.js:
* builtins/ArrayPrototype.js:
(reduce):
(reduceRight):
(every):
(forEach):
(filter):
(map):
(some):
(fill):
(find):
(findIndex):
(includes):
(copyWithin):
* builtins/DatePrototype.js:
(toLocaleString):
(toLocaleDateString):
(toLocaleTimeString):
* builtins/MapPrototype.js:
(forEach):
* builtins/NumberPrototype.js:
(toLocaleString):
* builtins/SetPrototype.js:
(forEach):
* builtins/StringPrototype.js:
(padStart):
(padEnd):
(localeCompare):
* builtins/TypedArrayConstructor.js:
* builtins/TypedArrayPrototype.js:
(every):
(fill):
(find):
(findIndex):
(forEach):
(some):
(reduce):
(reduceRight):
(map):
(filter):
* bytecode/BytecodeIntrinsicRegistry.h:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::finishCreation):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetArgument):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::BytecodeIntrinsicNode::emit_intrinsic_argument):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasArgumentIndex):
(JSC::DFG::Node::argumentIndex):
* dfg/DFGNodeType.h:
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetArgument):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_get_argument):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_get_argument):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2016-11-08 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: DebuggerManager.Event.Resumed introduces test flakiness
https://bugs.webkit.org/show_bug.cgi?id=161951
<rdar://problem/28295767>
Reviewed by Brian Burg.
This removes an ambiguity in the protocol when stepping through
JavaScript. Previously, when paused and issuing a Debugger.step*
command the frontend would always receive a Debugger.resumed event and
then, maybe, a Debugger.paused event indicating we paused again (after
stepping). However, this ambiguity means that the frontend needs to
wait for a short period of time to determine if we really resumed
or not. And even still that decision may be incorrect if the step
takes a sufficiently long period of time.
The new approach removes this ambiguity. Now, in response to a
Debugger.step* command the backend MUST send a single Debugger.paused
event or Debugger.resumed event. Now the frontend knows that the
next Debugger event it receives after issuing the step command is
the result (stepped and paused, or stepped and resumed).
To make resuming consistent in all cases, a Debugger.resume command
will always respond with a Debugger.resumed event.
Finally, Debugger.continueToLocation is treated like a "big step"
in cases where we can resolve the location. If we can't resolve the
location it is treated as a resume, maintaining the old behavior.
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::stepOver):
(Inspector::InspectorDebuggerAgent::stepInto):
(Inspector::InspectorDebuggerAgent::stepOut):
(Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
(Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping):
When stepping register a VM exit observer so that we can issue
a Debugger.resumed event if the step caused us to exit the VM.
(Inspector::InspectorDebuggerAgent::resume):
Set a flag to issue a Debugger.resumed event once we break out
of the nested run loop.
(Inspector::InspectorDebuggerAgent::didPause):
We are issuing Debugger.paused so clear the state to indicate that
we no longer need to issue Debugger.resumed event, we have paused.
(Inspector::InspectorDebuggerAgent::didContinue):
Only issue the Debugger.resumed event if needed (explicitly asked
to resume).
(Inspector::InspectorDebuggerAgent::continueToLocation):
(Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
All places that do continueProgram should be audited. In error cases,
if we are paused and continue we should remember to send Debugger.resumed.
* inspector/protocol/Debugger.json:
Clarify in the protocol description the contract of these methods.
2016-11-09 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Associate Worker Resources with the Worker and not the Page
https://bugs.webkit.org/show_bug.cgi?id=164342
<rdar://problem/29075775>
Reviewed by Timothy Hatcher.
* inspector/protocol/Network.json:
* inspector/protocol/Page.json:
Associate Resource data with a target.
2016-11-09 Keith Miller <keith_miller@apple.com>
jsc CLI should work with the remote inspector
https://bugs.webkit.org/show_bug.cgi?id=164569
Reviewed by Joseph Pecoraro.
This patch enables using the remote inspector on the jsc CLI.
In order to use the remote inspector, jsc users need to pass an option.
* jsc.cpp:
(CommandLine::parseArguments):
(runJSC):
2016-11-09 Saam Barati <sbarati@apple.com>
Math.min()/Math.max() with no arguments is lowered incorrectly in the BytecodeParser
https://bugs.webkit.org/show_bug.cgi?id=164464
<rdar://problem/29131452>
Reviewed by Darin Adler.
We were incorrectly matching this pattern inside the bytecode parser
to return NaN. Instead, we must return:
Infinity for Math.min()
-Infinity for Math.max()
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleMinMax):
2016-11-09 Saam Barati <sbarati@apple.com>
TypeProfiler and running GC collection on another thread don't play nicely with each other
https://bugs.webkit.org/show_bug.cgi?id=164441
<rdar://problem/29132174>
Reviewed by Geoffrey Garen.
This fix here is simple: we now treat the type profiler log as a GC root.
GC will make sure that we mark any values/structures that are in the log.
It's easy to reason about the correctness of this, and it also solves
the problem that we were clearing the log on the GC thread. Clearing the
log on the GC thread was a problem because when we clear the log, we may
allocate, which we're not allowed to do from the GC thread.
* heap/Heap.cpp:
(JSC::Heap::markRoots):
(JSC::Heap::visitTypeProfiler):
(JSC::Heap::collectInThread):
* heap/Heap.h:
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::processLogEntries):
(JSC::TypeProfilerLog::visit):
* runtime/TypeProfilerLog.h:
2016-11-09 JF Bastien <jfbastien@apple.com>
WebAssembly: Silence noisy warning
https://bugs.webkit.org/show_bug.cgi?id=164459
Reviewed by Yusuke Suzuki.
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::Plan):
2016-11-07 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] The implementation of 8 bit operation in MacroAssembler should care about uint8_t / int8_t
https://bugs.webkit.org/show_bug.cgi?id=164432
Reviewed by Michael Saboff.
Except for X86, our supported MacroAssemblers do not have native 8bit instructions.
It means that all the 8bit instructions are converted to 32bit operations by using
scratch registers. For example, ARM64 branch8 implementation is the following.
Jump branch8(RelationCondition cord, Address left, TrustedImm32 right)
{
TrustedImm32 right8(static_cast<int8_t>(right.m_value));
load8(left, getCachedMemoryTempRegisterIDAndInvalidate());
return branch32(cone, memoryTempRegister, right8);
}
The problem is that we exclusively use zero-extended load instruction (load8). Even
for signed RelationConditions, we do not perform sign extension. It makes signed
operations with negative numbers incorrect! Consider the |left| address holds `-1`
in int8_t form. However load8 will load it as 255 into 32bit register. On the other hand,
|right| will be sign extended. If you pass 0 as |right| and LessThan condition, this
branch8 should jump based on the answer of `-1 < 0`. But the current MacroAssembler
performs `255 < 0` in int32_t context and returns the incorrect result.
We should follow the x86 model. So we should select the appropriate load operation and masking
operation based on the RelationCondition. This patch introduces mask8OnCondition and load8OnCondition.
And we use them in 8bit operations including branch8, branchTest8, compare8, and test8.
We intentionally do not change anything on x86 assembler since it has the native signed 8bit operations.
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbstractMacroAssembler.h:
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::isSigned):
(JSC::MacroAssembler::isUnsigned):
(JSC::MacroAssembler::branchTest8):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::branch8):
(JSC::MacroAssemblerARM::branchTest8):
(JSC::MacroAssemblerARM::compare8):
(JSC::MacroAssemblerARM::test8):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::load8SignedExtendTo32):
(JSC::MacroAssemblerARM64::branch8):
(JSC::MacroAssemblerARM64::branchTest8):
(JSC::MacroAssemblerARM64::compare8):
(JSC::MacroAssemblerARM64::test8):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::branch8):
(JSC::MacroAssemblerARMv7::branchTest8):
(JSC::MacroAssemblerARMv7::compare8):
(JSC::MacroAssemblerARMv7::test8):
* assembler/MacroAssemblerHelpers.h: Added.
(JSC::MacroAssemblerHelpers::isSigned):
(JSC::MacroAssemblerHelpers::isUnsigned):
(JSC::MacroAssemblerHelpers::mask8OnCondition):
(JSC::MacroAssemblerHelpers::load8OnCondition):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branch8):
(JSC::MacroAssemblerMIPS::compare8):
(JSC::MacroAssemblerMIPS::branchTest8):
(JSC::MacroAssemblerMIPS::test8):
* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::branchTest8):
(JSC::MacroAssemblerSH4::branch8):
(JSC::MacroAssemblerSH4::compare8):
(JSC::MacroAssemblerSH4::test8):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::branch8):
2016-11-08 Geoffrey Garen <ggaren@apple.com>
REGRESSION: date-format-tofte.js is super slow
https://bugs.webkit.org/show_bug.cgi?id=164499
Reviewed by Sam Weinig.
* bytecode/EvalCodeCache.h:
(JSC::EvalCodeCache::CacheKey::operator==): Use character comparison,
not pointer comparison. (This function was always wrong, but I started
calling it in more places.)
2016-11-08 Saam Barati <sbarati@apple.com>
REGRESSION: Crashes in StringImpl destructor during GC when clearing the HasOwnPropertyCache
https://bugs.webkit.org/show_bug.cgi?id=164433
Reviewed by Mark Lam.
Clearing the HasOwnPropertyCache will call deref() on the StringImpls
in the cache. We were doing this from the collector thread, which is
not allowed. It must be done from the mutator thread. We now clear the
cache in Heap::finalize() which happens before the mutator begins
executing JS after a collection happens.
* heap/Heap.cpp:
(JSC::Heap::collectInThread):
(JSC::Heap::finalize):
2016-11-05 Konstantin Tokarev <annulen@yandex.ru>
Fixed compilation of LLInt with MinGW
https://bugs.webkit.org/show_bug.cgi?id=164449
Reviewed by Michael Catanzaro.
MinGW uses LLIntAssembly.h with GNU assembler syntax, just like GCC on
other platforms.
* llint/LowLevelInterpreter.cpp: Include LLIntAssembly.h with
appropriate preamble.
2016-11-04 Filip Pizlo <fpizlo@apple.com>
WTF::ParkingLot should stop using std::chrono because std::chrono::duration casts are prone to overflows
https://bugs.webkit.org/show_bug.cgi?id=152045
Reviewed by Andy Estes.
Probably the nicest example of why this patch is a good idea is the change in
AtomicsObject.cpp.
* jit/ICStats.cpp:
(JSC::ICStats::ICStats):
* runtime/AtomicsObject.cpp:
(JSC::atomicsFuncWait):
2016-11-04 JF Bastien <jfbastien@apple.com>
testWASM should be very sad if no options are provided
https://bugs.webkit.org/show_bug.cgi?id=164444
Reviewed by Saam Barati.
Detect missing or invalid options on the command line.
* testWasm.cpp:
(CommandLine::parseArguments):
2016-11-04 Mark Lam <mark.lam@apple.com>
Error description code should be able to handle Symbol values.
https://bugs.webkit.org/show_bug.cgi?id=164436
<rdar://problem/29115583>
Reviewed by Filip Pizlo and Saam Barati.
Previously, we try to toString() the Symbol value, resulting in it throwing an
exception in errorDescriptionForValue() which breaks the invariant that
errorDescriptionForValue() should not throw.
We fixed this by making errorDescriptionForValue() aware of the Symbol type, and
not so a toString() on Symbol values. Also fixed notAFunctionSourceAppender()
to build a nicer message for Symbol values.
* runtime/ExceptionHelpers.cpp:
(JSC::errorDescriptionForValue):
(JSC::notAFunctionSourceAppender):
2016-11-02 Geoffrey Garen <ggaren@apple.com>
EvalCodeCache should not give up in strict mode and other cases
https://bugs.webkit.org/show_bug.cgi?id=164357
Reviewed by Michael Saboff.
EvalCodeCache gives up in non-trivial cases because generated eval code
can't soundly migrate from, for example, a let scope to a non-let scope.
The number of cases has grown over time.
Instead, let's cache eval code based on the location of the call to
eval(). That way, we never relocate the code, and it's sound to make
normal assumptions about our surrounding scope.
* bytecode/EvalCodeCache.h:
(JSC::EvalCodeCache::CacheKey::CacheKey): Use CallSiteIndex to uniquely
identify the location of our call to eval().
(JSC::EvalCodeCache::CacheKey::hash):
(JSC::EvalCodeCache::CacheKey::operator==):
(JSC::EvalCodeCache::CacheKey::Hash::equal): Use CallSiteIndex instead
of lots of other flags.
(JSC::EvalCodeCache::tryGet): No need to include details that are implied
by our CallSiteIndex.
(JSC::EvalCodeCache::getSlow): No need to skip caching in complex
situations. We promise we'll never relocate the cached code.
(JSC::EvalCodeCache::isCacheableScope): Deleted.
(JSC::EvalCodeCache::isCacheable): Deleted.
* interpreter/Interpreter.cpp:
(JSC::eval): Pass through a CallSiteIndex to uniquely identify this call
to eval().
2016-11-04 Keith Miller <keith_miller@apple.com>
Add support for Wasm br_table
https://bugs.webkit.org/show_bug.cgi?id=164429
Reviewed by Michael Saboff.
This patch adds support for Wasm br_table. The Wasm br_table
opcode essentially directly maps to B3's switch opcode.
There are also three other minor changes:
1) all non-argument locals should be initialized to zero at function entry.
2) add new setErrorMessage member to WasmFunctionParser.h
3) return does not decode an extra immediate anymore.
* testWasm.cpp:
(runWasmTests):
* wasm/WasmB3IRGenerator.cpp:
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser::setErrorMessage):
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
(JSC::Wasm::FunctionParser<Context>::popExpressionStack):
* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::checkBranchTarget):
(JSC::Wasm::Validate::addBranch):
(JSC::Wasm::Validate::addSwitch):
2016-11-04 JF Bastien <jfbastien@apple.com>
WebAssembly JS API: implement more sections
https://bugs.webkit.org/show_bug.cgi?id=164023
Reviewed by Keith Miller.
On the JSC side:
- Put in parser stubs for all WebAssembly sections.
- Parse Import, Export sections.
- Use tryReserveCapacity instead of reserve, and bail out of the parser if it fails. This prevents the parser from bringing everything down when faced with a malicious input.
- Encapsulate all parsed module information into its own structure, making it easier to pass around (from parser to Plan to Module to Instance).
- Create WasmFormat.cpp to hold parsed module information's dtor to avoid including WasmMemory.h needlessly.
- Remove all remainders of polyfill-prototype-1, and update license.
- Add missing WasmOps.h and WasmValidateInlines.h auto-generation for cmake build.
On the Builder.js testing side:
- Implement Type, Import (function only), Export (function only) sections.
- Check section order and uniqueness.
- Optionally auto-generate the Type section from subsequent Export / Import / Code entries.
- Allow re-exporting an import.
* CMakeLists.txt: missing auto-genration
* JavaScriptCore.xcodeproj/project.pbxproj: merge conflict
* testWasm.cpp: update for API changes, no functional change
(checkPlan):
(runWasmTests):
* wasm/WasmFormat.cpp: add a dtor which requires extra headers which I'd rather not include in WasmFormat.h
(JSC::Wasm::ModuleInformation::~ModuleInformation):
* wasm/WasmFormat.h: Add External, Import, Functioninformation, Export, ModuleInformation, CompiledFunction, and remove obsolete stuff which was a holdover from the first implementation (all that code is now gone, so remove its license)
(JSC::Wasm::External::isValid):
* wasm/WasmModuleParser.cpp: simplify some, make names consistent with the WebAssembly section names, check memory allocations so they can fail early
(JSC::Wasm::ModuleParser::parse):
(JSC::Wasm::ModuleParser::parseType):
(JSC::Wasm::ModuleParser::parseImport):
(JSC::Wasm::ModuleParser::parseFunction):
(JSC::Wasm::ModuleParser::parseTable):
(JSC::Wasm::ModuleParser::parseMemory):
(JSC::Wasm::ModuleParser::parseGlobal):
(JSC::Wasm::ModuleParser::parseExport):
(JSC::Wasm::ModuleParser::parseStart):
(JSC::Wasm::ModuleParser::parseElement):
(JSC::Wasm::ModuleParser::parseCode): avoid overflow through function size.
(JSC::Wasm::ModuleParser::parseData):
* wasm/WasmModuleParser.h:
(JSC::Wasm::ModuleParser::moduleInformation):
* wasm/WasmParser.h:
(JSC::Wasm::Parser::consumeUTF8String): add as required by spec
(JSC::Wasm::Parser::parseExternalKind): add as per spec
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::Plan): fix some ownership, improve some error messages
* wasm/WasmPlan.h: fix some ownership
(JSC::Wasm::Plan::getModuleInformation):
(JSC::Wasm::Plan::getMemory):
(JSC::Wasm::Plan::compiledFunctionCount):
(JSC::Wasm::Plan::compiledFunction):
(JSC::Wasm::Plan::getCompiledFunctions):
* wasm/WasmSections.h: macroize with description, so that error messages are super pretty. This could be auto-generated.
* wasm/js/JSWebAssemblyModule.cpp:
(JSC::JSWebAssemblyModule::create): take module information
(JSC::JSWebAssemblyModule::JSWebAssemblyModule): ditto
* wasm/js/JSWebAssemblyModule.h:
(JSC::JSWebAssemblyModule::moduleInformation):
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance): check that modules with imports are instantiated with an import object, as per spec. This needs to be tested.
* wasm/js/WebAssemblyMemoryConstructor.cpp:
(JSC::constructJSWebAssemblyMemory):
* wasm/js/WebAssemblyModuleConstructor.cpp:
(JSC::constructJSWebAssemblyModule):
* wasm/js/WebAssemblyTableConstructor.cpp:
(JSC::constructJSWebAssemblyTable):
2016-11-03 Mark Lam <mark.lam@apple.com>
ClonedArguments need to also support haveABadTime mode.
https://bugs.webkit.org/show_bug.cgi?id=164200
<rdar://problem/27211336>
Reviewed by Geoffrey Garen.
For those who are not familiar with the parlance, "have a bad time" in the VM
means that Object.prototype has been modified in such a way that we can no longer
trivially do indexed property accesses without consulting the Object.prototype.
This defeats JIT indexed put optimizations, and hence, makes the VM "have a
bad time".
Once the VM enters haveABadTime mode, all existing objects are converted to use
slow put storage. Thereafter, JSArrays are always created with slow put storage.
JSObjects are always created with a blank indexing type. When a new indexed
property is put into the new object, its indexing type will be converted to the
slow put array indexing type just before we perform the put operation. This is
how we ensure that the objects will also use slow put storage.
However, ClonedArguments is an object which was previously created unconditionally
to use contiguous storage. Subsequently, if we try to call Object.preventExtensions()
on that ClonedArguments object, Object.preventExtensions() will:
1. make the ClonedArguments enter dictionary indexing mode, which means it will
2. first ensure that the ClonedArguments is using slow put array storage via
JSObject::ensureArrayStorageSlow().
However, JSObject::ensureArrayStorageSlow() expects that we never see an object
with contiguous storage once we're in haveABadTime mode. Our ClonedArguments
object did not obey this invariant.
The fix is to make the ClonedArguments factories create objects that use slow put
array storage when in haveABadTime mode. This means:
1. JSGlobalObject::haveABadTime() now changes m_clonedArgumentsStructure to use
its slow put version.
Also the caching of the slow put version of m_regExpMatchesArrayStructure,
because we only need to create it when we are having a bad time.
2. The ClonedArguments factories now allocates a butterfly with slow put array
storage if we're in haveABadTime mode.
Also added some assertions in ClonedArguments' factory methods to ensure that
the created object has the slow put indexing type when it needsSlowPutIndexing().
3. DFGFixupPhase now watches the havingABadTimeWatchpoint because ClonedArguments'
structure will change when having a bad time.
4. DFGArgumentEliminationPhase and DFGVarargsForwardingPhase need not be changed
because it is still valid to eliminate the creation of the arguments object
even having a bad time, as long as the arguments object does not escape.
5. The DFGAbstractInterpreterInlines now checks for haveABadTime, and sets the
predicted type to be SpecObject.
Note: this issue does not apply to DirectArguments and ScopedArguments because
they use a blank indexing type (just like JSObject).
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::dump):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
(JSC::ClonedArguments::createWithInlineFrame):
(JSC::ClonedArguments::createWithMachineFrame):
(JSC::ClonedArguments::createByCopyingFrom):
(JSC::ClonedArguments::createStructure):
(JSC::ClonedArguments::createSlowPutStructure):
* runtime/ClonedArguments.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::haveABadTime):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
2016-11-03 Filip Pizlo <fpizlo@apple.com>
DFG plays fast and loose with the shadow values of a Phi
https://bugs.webkit.org/show_bug.cgi?id=164309
Reviewed by Saam Barati.
Oh boy, what an embarrassing mistake! The style of SSA I like to use avoids block/value
tuples as parameters of a Phi, thereby simplifying CFG transformations and making Phi largely
not a special case for most compiler transforms. It does this by introducing another value
called Upsilon, which stores a value into some Phi.
B3 uses this also. The easiest way to understand what Upsilon/Phi behave like is to look at
the B3->Air lowering. Air is not SSA - it has Tmps that you can assign to and use as many
times as you like. B3 allocates one Tmp per Value, and an extra "phiTmp" for Phis, so that
Phis get two Tmps total. Upsilon stores the value into the phiTmp of the Phi, while Phi moves
the value from its phiTmp to its tmp.
This is necessary to support scenarios like this:
a: Phi()
b: Upsilon(@x, ^a)
c: Use(@a)
Here, we want @c to see @a's value before @b. That's a very basic requirement of SSA: that
the a value (like @a) doesn't change during its lifetime.
Unfortunately, DFG's liveness analysis, abstract interpreter, and integer range optimization
all failed to correctly model Upsilon/Phi this way. They would assume that it's accurate to
model the Upsilon as storing into the Phi directly.
Because DFG does flow analysis over SSA, making it correct means enabling it to speak of the
shadow value. This change addresses this problem by introducing the concept of a
NodeFlowProjection. This is a key that lets us speak of both a Node's primary value and its
optional "shadow" value. Liveness, AI, and integer range are now keyed by NodeFlowProjection
rather than Node*. Conceptually this turns out to be a very simple change, but it does touch
a good amount of code.
This looks to be perf-neutral.
Rolled back in after fixing the debug build.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* b3/air/AirLiveness.h:
(JSC::B3::Air::TmpLivenessAdapter::numIndices):
(JSC::B3::Air::StackSlotLivenessAdapter::numIndices):
(JSC::B3::Air::RegLivenessAdapter::numIndices):
(JSC::B3::Air::AbstractLiveness::AbstractLiveness):
(JSC::B3::Air::TmpLivenessAdapter::maxIndex): Deleted.
(JSC::B3::Air::StackSlotLivenessAdapter::maxIndex): Deleted.
(JSC::B3::Air::RegLivenessAdapter::maxIndex): Deleted.
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::forNode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
* dfg/DFGAtTailAbstractState.cpp:
(JSC::DFG::AtTailAbstractState::createValueForNode):
(JSC::DFG::AtTailAbstractState::forNode):
* dfg/DFGAtTailAbstractState.h:
* dfg/DFGBasicBlock.h:
* dfg/DFGCombinedLiveness.cpp:
(JSC::DFG::liveNodesAtHead):
* dfg/DFGCombinedLiveness.h:
* dfg/DFGFlowIndexing.cpp: Added.
(JSC::DFG::FlowIndexing::FlowIndexing):
(JSC::DFG::FlowIndexing::~FlowIndexing):
(JSC::DFG::FlowIndexing::recompute):
* dfg/DFGFlowIndexing.h: Added.
(JSC::DFG::FlowIndexing::graph):
(JSC::DFG::FlowIndexing::numIndices):
(JSC::DFG::FlowIndexing::index):
(JSC::DFG::FlowIndexing::shadowIndex):
(JSC::DFG::FlowIndexing::nodeProjection):
* dfg/DFGFlowMap.h: Added.
(JSC::DFG::FlowMap::FlowMap):
(JSC::DFG::FlowMap::resize):
(JSC::DFG::FlowMap::graph):
(JSC::DFG::FlowMap::at):
(JSC::DFG::FlowMap::atShadow):
(WTF::printInternal):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::abstractValuesCache): Deleted.
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
(JSC::DFG::InPlaceAbstractState::beginBasicBlock):
(JSC::DFG::setLiveValues):
(JSC::DFG::InPlaceAbstractState::endBasicBlock):
(JSC::DFG::InPlaceAbstractState::merge):
* dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::createValueForNode):
(JSC::DFG::InPlaceAbstractState::forNode):
* dfg/DFGIntegerRangeOptimizationPhase.cpp:
* dfg/DFGLivenessAnalysisPhase.cpp:
(JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
(JSC::DFG::LivenessAnalysisPhase::run):
(JSC::DFG::LivenessAnalysisPhase::processBlock):
(JSC::DFG::LivenessAnalysisPhase::addChildUse): Deleted.
* dfg/DFGNode.h:
(JSC::DFG::NodeComparator::operator()):
(JSC::DFG::nodeListDump):
(JSC::DFG::nodeMapDump):
(JSC::DFG::nodeValuePairListDump):
(JSC::DFG::nodeComparator): Deleted.
* dfg/DFGNodeAbstractValuePair.cpp: Added.
(JSC::DFG::NodeAbstractValuePair::dump):
* dfg/DFGNodeAbstractValuePair.h: Added.
(JSC::DFG::NodeAbstractValuePair::NodeAbstractValuePair):
* dfg/DFGNodeFlowProjection.cpp: Added.
(JSC::DFG::NodeFlowProjection::dump):
* dfg/DFGNodeFlowProjection.h: Added.
(JSC::DFG::NodeFlowProjection::NodeFlowProjection):
(JSC::DFG::NodeFlowProjection::operator bool):
(JSC::DFG::NodeFlowProjection::kind):
(JSC::DFG::NodeFlowProjection::node):
(JSC::DFG::NodeFlowProjection::operator*):
(JSC::DFG::NodeFlowProjection::operator->):
(JSC::DFG::NodeFlowProjection::hash):
(JSC::DFG::NodeFlowProjection::operator==):
(JSC::DFG::NodeFlowProjection::operator!=):
(JSC::DFG::NodeFlowProjection::operator<):
(JSC::DFG::NodeFlowProjection::operator>):
(JSC::DFG::NodeFlowProjection::operator<=):
(JSC::DFG::NodeFlowProjection::operator>=):
(JSC::DFG::NodeFlowProjection::isHashTableDeletedValue):
(JSC::DFG::NodeFlowProjection::isStillValid):
(JSC::DFG::NodeFlowProjection::forEach):
(JSC::DFG::NodeFlowProjectionHash::hash):
(JSC::DFG::NodeFlowProjectionHash::equal):
* dfg/DFGStoreBarrierInsertionPhase.cpp:
2016-11-03 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r208364.
https://bugs.webkit.org/show_bug.cgi?id=164402
broke the build (Requested by smfr on #webkit).
Reverted changeset:
"DFG plays fast and loose with the shadow values of a Phi"
https://bugs.webkit.org/show_bug.cgi?id=164309
http://trac.webkit.org/changeset/208364
2016-11-03 Filip Pizlo <fpizlo@apple.com>
DFG plays fast and loose with the shadow values of a Phi
https://bugs.webkit.org/show_bug.cgi?id=164309
Reviewed by Saam Barati.
Oh boy, what an embarrassing mistake! The style of SSA I like to use avoids block/value
tuples as parameters of a Phi, thereby simplifying CFG transformations and making Phi largely
not a special case for most compiler transforms. It does this by introducing another value
called Upsilon, which stores a value into some Phi.
B3 uses this also. The easiest way to understand what Upsilon/Phi behave like is to look at
the B3->Air lowering. Air is not SSA - it has Tmps that you can assign to and use as many
times as you like. B3 allocates one Tmp per Value, and an extra "phiTmp" for Phis, so that
Phis get two Tmps total. Upsilon stores the value into the phiTmp of the Phi, while Phi moves
the value from its phiTmp to its tmp.
This is necessary to support scenarios like this:
a: Phi()
b: Upsilon(@x, ^a)
c: Use(@a)
Here, we want @c to see @a's value before @b. That's a very basic requirement of SSA: that
the a value (like @a) doesn't change during its lifetime.
Unfortunately, DFG's liveness analysis, abstract interpreter, and integer range optimization
all failed to correctly model Upsilon/Phi this way. They would assume that it's accurate to
model the Upsilon as storing into the Phi directly.
Because DFG does flow analysis over SSA, making it correct means enabling it to speak of the
shadow value. This change addresses this problem by introducing the concept of a
NodeFlowProjection. This is a key that lets us speak of both a Node's primary value and its
optional "shadow" value. Liveness, AI, and integer range are now keyed by NodeFlowProjection
rather than Node*. Conceptually this turns out to be a very simple change, but it does touch
a good amount of code.
This looks to be perf-neutral.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* b3/air/AirLiveness.h:
(JSC::B3::Air::TmpLivenessAdapter::numIndices):
(JSC::B3::Air::StackSlotLivenessAdapter::numIndices):
(JSC::B3::Air::RegLivenessAdapter::numIndices):
(JSC::B3::Air::AbstractLiveness::AbstractLiveness):
(JSC::B3::Air::TmpLivenessAdapter::maxIndex): Deleted.
(JSC::B3::Air::StackSlotLivenessAdapter::maxIndex): Deleted.
(JSC::B3::Air::RegLivenessAdapter::maxIndex): Deleted.
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::forNode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
* dfg/DFGAtTailAbstractState.cpp:
(JSC::DFG::AtTailAbstractState::createValueForNode):
(JSC::DFG::AtTailAbstractState::forNode):
* dfg/DFGAtTailAbstractState.h:
* dfg/DFGBasicBlock.h:
* dfg/DFGCombinedLiveness.cpp:
(JSC::DFG::liveNodesAtHead):
* dfg/DFGCombinedLiveness.h:
* dfg/DFGFlowIndexing.cpp: Added.
(JSC::DFG::FlowIndexing::FlowIndexing):
(JSC::DFG::FlowIndexing::~FlowIndexing):
(JSC::DFG::FlowIndexing::recompute):
* dfg/DFGFlowIndexing.h: Added.
(JSC::DFG::FlowIndexing::graph):
(JSC::DFG::FlowIndexing::numIndices):
(JSC::DFG::FlowIndexing::index):
(JSC::DFG::FlowIndexing::shadowIndex):
(JSC::DFG::FlowIndexing::nodeProjection):
* dfg/DFGFlowMap.h: Added.
(JSC::DFG::FlowMap::FlowMap):
(JSC::DFG::FlowMap::resize):
(JSC::DFG::FlowMap::graph):
(JSC::DFG::FlowMap::at):
(JSC::DFG::FlowMap::atShadow):
(WTF::printInternal):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::abstractValuesCache): Deleted.
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
(JSC::DFG::InPlaceAbstractState::beginBasicBlock):
(JSC::DFG::setLiveValues):
(JSC::DFG::InPlaceAbstractState::endBasicBlock):
(JSC::DFG::InPlaceAbstractState::merge):
* dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::createValueForNode):
(JSC::DFG::InPlaceAbstractState::forNode):
* dfg/DFGIntegerRangeOptimizationPhase.cpp:
* dfg/DFGLivenessAnalysisPhase.cpp:
(JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
(JSC::DFG::LivenessAnalysisPhase::run):
(JSC::DFG::LivenessAnalysisPhase::processBlock):
(JSC::DFG::LivenessAnalysisPhase::addChildUse): Deleted.
* dfg/DFGNode.h:
(JSC::DFG::NodeComparator::operator()):
(JSC::DFG::nodeListDump):
(JSC::DFG::nodeMapDump):
(JSC::DFG::nodeValuePairListDump):
(JSC::DFG::nodeComparator): Deleted.
* dfg/DFGNodeAbstractValuePair.cpp: Added.
(JSC::DFG::NodeAbstractValuePair::dump):
* dfg/DFGNodeAbstractValuePair.h: Added.
(JSC::DFG::NodeAbstractValuePair::NodeAbstractValuePair):
* dfg/DFGNodeFlowProjection.cpp: Added.
(JSC::DFG::NodeFlowProjection::dump):
* dfg/DFGNodeFlowProjection.h: Added.
(JSC::DFG::NodeFlowProjection::NodeFlowProjection):
(JSC::DFG::NodeFlowProjection::operator bool):
(JSC::DFG::NodeFlowProjection::kind):
(JSC::DFG::NodeFlowProjection::node):
(JSC::DFG::NodeFlowProjection::operator*):
(JSC::DFG::NodeFlowProjection::operator->):
(JSC::DFG::NodeFlowProjection::hash):
(JSC::DFG::NodeFlowProjection::operator==):
(JSC::DFG::NodeFlowProjection::operator!=):
(JSC::DFG::NodeFlowProjection::operator<):
(JSC::DFG::NodeFlowProjection::operator>):
(JSC::DFG::NodeFlowProjection::operator<=):
(JSC::DFG::NodeFlowProjection::operator>=):
(JSC::DFG::NodeFlowProjection::isHashTableDeletedValue):
(JSC::DFG::NodeFlowProjection::isStillValid):
(JSC::DFG::NodeFlowProjection::forEach):
(JSC::DFG::NodeFlowProjectionHash::hash):
(JSC::DFG::NodeFlowProjectionHash::equal):
* dfg/DFGStoreBarrierInsertionPhase.cpp:
2016-11-03 Keith Miller <keith_miller@apple.com>
Unreviewed, changelog fix due to failed git rebase..
2016-11-03 Keith Miller <keith_miller@apple.com>
Wasm starts a new stack whenever it adds a new block and has return types for blocks.
https://bugs.webkit.org/show_bug.cgi?id=164100
Reviewed by Saam Barati.
This patch overhauls much of the Wasm function parser, validator, and B3 IR generator
to work with block return types. In Wasm, blocks can act as expressions and have a
return value. Most of the control flow operators needed to be rewritten in order to
support this feature. To enable return types the function parser needed to be able
to save and restore the expression stack from previous blocks, which is done via the
control stack.
This patch also removes the lazy continuation block system added previously. It's
not clear if there would be any performance win from such a system. There are likely
many other things with orders of magnitude more impact on B3 IR generation. The
complexity cost of such a system is not worth the effort without sufficient evidence
otherwise.
* testWasm.cpp:
(runWasmTests):
* wasm/WasmB3IRGenerator.cpp:
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseBlock):
(JSC::Wasm::FunctionParser<Context>::addReturn):
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
(JSC::Wasm::FunctionParser<Context>::popExpressionStack):
* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::ControlData::hasNonVoidSignature):
(JSC::Wasm::Validate::addElse):
(JSC::Wasm::Validate::addElseToUnreachable):
(JSC::Wasm::Validate::addBranch):
(JSC::Wasm::Validate::endBlock):
(JSC::Wasm::Validate::addEndToUnreachable):
(JSC::Wasm::Validate::dump):
(JSC::Wasm::validateFunction):
(JSC::Wasm::Validate::isContinuationReachable): Deleted.
2016-11-03 Saam Barati <sbarati@apple.com>
Asking for a value profile prediction should be defensive against not finding a value profile
https://bugs.webkit.org/show_bug.cgi?id=164306
Reviewed by Mark Lam.
Currently, the code that calls CodeBlock::valueProfilePredictionForBytecodeOffset
in the DFG assumes it will always be at a value producing node. However, this isn't
true if we tail call from an inlined setter. When we're at a tail call, we try
to find the first caller that isn't a tail call to see what value the
tail_call produces. If we inline a setter, however, we will end up finding
the put_by_id as our first non-tail-called "caller", and that won't have a
value profile associated with it since it's not a value producing node.
CodeBlock::valueProfilePredictionForBytecodeOffset should be defensive
against finding a null value profile.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2016-11-02 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix CLoop build after r208320.
https://bugs.webkit.org/show_bug.cgi?id=162980
Add required forward declarations.
* domjit/DOMJITHeapRange.cpp:
* domjit/DOMJITSignature.h:
* runtime/VM.h:
2016-11-02 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Add DOMJIT::Signature
https://bugs.webkit.org/show_bug.cgi?id=162980
Reviewed by Saam Barati and Sam Weinig.
This patch introduces a new mechanism called DOMJIT::Signature. We can annotate the function with DOMJIT::Signature.
DOMJIT::Signature has type information of that function. And it also maintains the effect of the function and the
pointer to the unsafe function. The unsafe function means the function without type and argument count checks.
By using these information, we can separate type and argument count checks from the function. And we can emit
these things as DFG checks and convert the function call itself to CallDOM node. CallDOM node can call the unsafe
function directly without any checks. Furthermore, this CallDOM node can represent its own clobberizing rules based
on DOMJIT::Effect maintained by DOMJIT::Signature. It allows us to make opaque Call node to a CallDOM node that
merely reads some part of heap. These changes (1) can drop duplicate type checks in DFG, (2) offer ability to move
CallDOM node to somewhere, and (3) track more detailed heap reads and writes of CallDOM nodes.
We first emit Call node with DOMJIT::Signature in DFGByteCodeParser. And in the fixup phase, we attempt to lower
Call node to CallDOM node with checks & edge filters. This is because we do not know the type predictions in
DFGByteCodeParser phase. If we always emit CallDOM node in DFGByteCodeParser, if we evaluate `div.getAttribute(true)`
thingy, the Uncountable OSR exits repeatedly happen because AI figures out the abstract value is cleared.
Currently, DOMJIT signature only allows the types that can reside in GPR. This is because the types of the unsafe
function arguments are represented as the sequence of void*. In the future, we will extend to accept other types like
float, double etc.
We annotate several functions in Element. In particular, we annotate Element::getAttribute. This allows us to perform
LICM in Dromaeo dom-attr test. In the Dromaeo dom-attr getAttribute test, we can see 32x improvement. (134974.8 v.s. 4203.4)
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CallVariant.h:
(JSC::CallVariant::functionExecutable):
(JSC::CallVariant::nativeExecutable):
(JSC::CallVariant::signatureFor):
* bytecode/SpeculatedType.h:
(JSC::isNotStringSpeculation):
(JSC::isNotInt32Speculation):
(JSC::isNotBooleanSpeculation):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::attemptToInlineCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleDOMJITCall):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::attemptToMakeCallDOM):
(JSC::DFG::FixupPhase::fixupCheckDOM):
(JSC::DFG::FixupPhase::fixupCallDOM):
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToCallDOM):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::shouldSpeculateNotInt32):
(JSC::DFG::Node::shouldSpeculateNotBoolean):
(JSC::DFG::Node::shouldSpeculateNotString):
(JSC::DFG::Node::hasSignature):
(JSC::DFG::Node::signature):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOM):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* domjit/DOMJITEffect.h:
(JSC::DOMJIT::Effect::Effect):
(JSC::DOMJIT::Effect::forWrite):
(JSC::DOMJIT::Effect::forRead):
(JSC::DOMJIT::Effect::forReadWrite):
(JSC::DOMJIT::Effect::forPure):
(JSC::DOMJIT::Effect::forDef):
(JSC::DOMJIT::Effect::mustGenerate):
In clang, we cannot make this Effect constructor constexpr if we use Optional<HeapRange>.
So we use HeapRange::top() for Nullopt def now.
* domjit/DOMJITHeapRange.h:
(JSC::DOMJIT::HeapRange::fromRaw):
(JSC::DOMJIT::HeapRange::operator bool):
(JSC::DOMJIT::HeapRange::operator==):
(JSC::DOMJIT::HeapRange::operator!=):
(JSC::DOMJIT::HeapRange::fromConstant):
* domjit/DOMJITSignature.h: Copied from Source/JavaScriptCore/domjit/DOMJITEffect.h.
(JSC::DOMJIT::Signature::Signature):
(JSC::DOMJIT::Signature::argumentCount):
(JSC::DOMJIT::Signature::checkDOM):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
* jit/JITOperations.h:
* jit/JITThunks.cpp:
(JSC::JITThunks::hostFunctionStub):
* jit/JITThunks.h:
* runtime/JSBoundFunction.cpp:
(JSC::JSBoundFunction::create):
* runtime/JSCell.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::create):
* runtime/JSFunction.h:
* runtime/JSNativeStdFunction.cpp:
(JSC::JSNativeStdFunction::create):
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectNativeFunction):
* runtime/JSObject.h:
* runtime/Lookup.h:
(JSC::HashTableValue::functionLength):
(JSC::HashTableValue::signature):
(JSC::reifyStaticProperty):
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::create):
(JSC::NativeExecutable::NativeExecutable):
* runtime/NativeExecutable.h:
* runtime/PropertySlot.h:
* runtime/VM.cpp:
(JSC::VM::getHostFunction):
* runtime/VM.h:
2016-11-02 Andreas Kling <akling@apple.com>
MarkedSpace should have specialized size classes for popular engine objects.
<https://webkit.org/b/164345>
Reviewed by Filip Pizlo.
The MarkedSpace size classes were recently reworked to minimize wasted space
at the end of MarkedBlocks.
However, we know that some specific objects will be allocated in very high volume.
Adding specialized size classes for those object sizes achieves greater utilization
since we're basically guaranteed to allocate them all the time.
Inject specialized size classes for these four objects:
- FunctionCodeBlock
560 bytes instead of 624
28 per block instead of 26 (+2)
- FunctionExecutable
176 bytes instead of 224
92 per block instead of 72 (+20)
- UnlinkedFunctionCodeBlock
256 bytes instead of 320
63 per block instead of 50 (+13)
- UnlinkedFunctionExecutable
192 bytes instead of 224
84 per block instead of 72 (+12)
* heap/MarkedSpace.cpp:
2016-11-02 Geoffrey Garen <ggaren@apple.com>
One file per class for UnlinkedCodeBlock.h/.cpp
https://bugs.webkit.org/show_bug.cgi?id=164348
Reviewed by Saam Barati.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/FunctionCodeBlock.h:
* bytecode/ModuleProgramCodeBlock.h:
* bytecode/ProgramCodeBlock.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
(JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
(JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
(JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
(JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
(JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
(JSC::UnlinkedFunctionExecutable::destroy): Deleted.
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
* bytecode/UnlinkedEvalCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
(JSC::UnlinkedCodeBlock::visitChildren): Deleted.
(JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
(JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
(JSC::dumpLineColumnEntry): Deleted.
(JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
(JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
(JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
(JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
(JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
(JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
(JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
(JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
(JSC::UnlinkedFunctionExecutable::destroy): Deleted.
(JSC::UnlinkedCodeBlock::setInstructions): Deleted.
(JSC::UnlinkedCodeBlock::instructions): Deleted.
(JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
(JSC::UnlinkedCodeBlock::applyModification): Deleted.
* bytecode/UnlinkedEvalCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
(JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
(JSC::UnlinkedSimpleJumpTable::add): Deleted.
(JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
(JSC::UnlinkedCodeBlock::isConstructor): Deleted.
(JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
(JSC::UnlinkedCodeBlock::usesEval): Deleted.
(JSC::UnlinkedCodeBlock::parseMode): Deleted.
(JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
(JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
(JSC::UnlinkedCodeBlock::evalContextType): Deleted.
(JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
(JSC::UnlinkedCodeBlock::isClassContext): Deleted.
(JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
(JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
(JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
(JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
(JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
(JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
(JSC::UnlinkedCodeBlock::addParameter): Deleted.
(JSC::UnlinkedCodeBlock::numParameters): Deleted.
(JSC::UnlinkedCodeBlock::addRegExp): Deleted.
(JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
(JSC::UnlinkedCodeBlock::regexp): Deleted.
(JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
(JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
(JSC::UnlinkedCodeBlock::identifier): Deleted.
(JSC::UnlinkedCodeBlock::identifiers): Deleted.
(JSC::UnlinkedCodeBlock::addConstant): Deleted.
(JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
(JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
(JSC::UnlinkedCodeBlock::constantRegister): Deleted.
(JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
(JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
(JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
(JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
(JSC::UnlinkedCodeBlock::constructorKind): Deleted.
(JSC::UnlinkedCodeBlock::superBinding): Deleted.
(JSC::UnlinkedCodeBlock::scriptMode): Deleted.
(JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
(JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
(JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
(JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
(JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
(JSC::UnlinkedCodeBlock::functionDecl): Deleted.
(JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
(JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
(JSC::UnlinkedCodeBlock::functionExpr): Deleted.
(JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
(JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
(JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
(JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
(JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
(JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
(JSC::UnlinkedCodeBlock::codeType): Deleted.
(JSC::UnlinkedCodeBlock::thisRegister): Deleted.
(JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
(JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
(JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
(JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
(JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
(JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
(JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
(JSC::UnlinkedCodeBlock::hasRareData): Deleted.
(JSC::UnlinkedCodeBlock::recordParse): Deleted.
(JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
(JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
(JSC::UnlinkedCodeBlock::firstLine): Deleted.
(JSC::UnlinkedCodeBlock::lineCount): Deleted.
(JSC::UnlinkedCodeBlock::startColumn): Deleted.
(JSC::UnlinkedCodeBlock::endColumn): Deleted.
(JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
(JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
(JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
(JSC::UnlinkedCodeBlock::didOptimize): Deleted.
(JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
(JSC::UnlinkedCodeBlock::finishCreation): Deleted.
(JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
(JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
* bytecode/UnlinkedFunctionCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
(JSC::UnlinkedCodeBlock::visitChildren): Deleted.
(JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
(JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
(JSC::dumpLineColumnEntry): Deleted.
(JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
(JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
(JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
(JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
(JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
(JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
(JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
(JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
(JSC::UnlinkedFunctionExecutable::destroy): Deleted.
(JSC::UnlinkedCodeBlock::setInstructions): Deleted.
(JSC::UnlinkedCodeBlock::instructions): Deleted.
(JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
(JSC::UnlinkedCodeBlock::applyModification): Deleted.
* bytecode/UnlinkedFunctionCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
(JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
(JSC::UnlinkedSimpleJumpTable::add): Deleted.
(JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
(JSC::UnlinkedCodeBlock::isConstructor): Deleted.
(JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
(JSC::UnlinkedCodeBlock::usesEval): Deleted.
(JSC::UnlinkedCodeBlock::parseMode): Deleted.
(JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
(JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
(JSC::UnlinkedCodeBlock::evalContextType): Deleted.
(JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
(JSC::UnlinkedCodeBlock::isClassContext): Deleted.
(JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
(JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
(JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
(JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
(JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
(JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
(JSC::UnlinkedCodeBlock::addParameter): Deleted.
(JSC::UnlinkedCodeBlock::numParameters): Deleted.
(JSC::UnlinkedCodeBlock::addRegExp): Deleted.
(JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
(JSC::UnlinkedCodeBlock::regexp): Deleted.
(JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
(JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
(JSC::UnlinkedCodeBlock::identifier): Deleted.
(JSC::UnlinkedCodeBlock::identifiers): Deleted.
(JSC::UnlinkedCodeBlock::addConstant): Deleted.
(JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
(JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
(JSC::UnlinkedCodeBlock::constantRegister): Deleted.
(JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
(JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
(JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
(JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
(JSC::UnlinkedCodeBlock::constructorKind): Deleted.
(JSC::UnlinkedCodeBlock::superBinding): Deleted.
(JSC::UnlinkedCodeBlock::scriptMode): Deleted.
(JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
(JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
(JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
(JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
(JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
(JSC::UnlinkedCodeBlock::functionDecl): Deleted.
(JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
(JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
(JSC::UnlinkedCodeBlock::functionExpr): Deleted.
(JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
(JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
(JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
(JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
(JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
(JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
(JSC::UnlinkedCodeBlock::codeType): Deleted.
(JSC::UnlinkedCodeBlock::thisRegister): Deleted.
(JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
(JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
(JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
(JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
(JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
(JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
(JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
(JSC::UnlinkedCodeBlock::hasRareData): Deleted.
(JSC::UnlinkedCodeBlock::recordParse): Deleted.
(JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
(JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
(JSC::UnlinkedCodeBlock::firstLine): Deleted.
(JSC::UnlinkedCodeBlock::lineCount): Deleted.
(JSC::UnlinkedCodeBlock::startColumn): Deleted.
(JSC::UnlinkedCodeBlock::endColumn): Deleted.
(JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
(JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
(JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
(JSC::UnlinkedCodeBlock::didOptimize): Deleted.
(JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
(JSC::UnlinkedCodeBlock::finishCreation): Deleted.
(JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
(JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::destroy):
* bytecode/UnlinkedGlobalCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
(JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
(JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
(JSC::UnlinkedSimpleJumpTable::add): Deleted.
(JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
(): Deleted.
(JSC::UnlinkedCodeBlock::isConstructor): Deleted.
(JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
(JSC::UnlinkedCodeBlock::usesEval): Deleted.
(JSC::UnlinkedCodeBlock::parseMode): Deleted.
(JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
(JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
(JSC::UnlinkedCodeBlock::evalContextType): Deleted.
(JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
(JSC::UnlinkedCodeBlock::isClassContext): Deleted.
(JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
(JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
(JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
(JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
(JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
(JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
(JSC::UnlinkedCodeBlock::addParameter): Deleted.
(JSC::UnlinkedCodeBlock::numParameters): Deleted.
(JSC::UnlinkedCodeBlock::addRegExp): Deleted.
(JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
(JSC::UnlinkedCodeBlock::regexp): Deleted.
(JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
(JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
(JSC::UnlinkedCodeBlock::identifier): Deleted.
(JSC::UnlinkedCodeBlock::identifiers): Deleted.
(JSC::UnlinkedCodeBlock::addConstant): Deleted.
(JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
(JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
(JSC::UnlinkedCodeBlock::constantRegister): Deleted.
(JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
(JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
(JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
(JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
(JSC::UnlinkedCodeBlock::constructorKind): Deleted.
(JSC::UnlinkedCodeBlock::superBinding): Deleted.
(JSC::UnlinkedCodeBlock::scriptMode): Deleted.
(JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
(JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
(JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
(JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
(JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
(JSC::UnlinkedCodeBlock::functionDecl): Deleted.
(JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
(JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
(JSC::UnlinkedCodeBlock::functionExpr): Deleted.
(JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
(JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
(JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
(JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
(JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
(JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
(JSC::UnlinkedCodeBlock::codeType): Deleted.
(JSC::UnlinkedCodeBlock::thisRegister): Deleted.
(JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
(JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
(JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
(JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
(JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
(JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
(JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
(JSC::UnlinkedCodeBlock::hasRareData): Deleted.
(JSC::UnlinkedCodeBlock::recordParse): Deleted.
(JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
(JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
(JSC::UnlinkedCodeBlock::firstLine): Deleted.
(JSC::UnlinkedCodeBlock::lineCount): Deleted.
(JSC::UnlinkedCodeBlock::startColumn): Deleted.
(JSC::UnlinkedCodeBlock::endColumn): Deleted.
(JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
(JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
(JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
(JSC::UnlinkedCodeBlock::didOptimize): Deleted.
(JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
(JSC::UnlinkedCodeBlock::finishCreation): Deleted.
(JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
* bytecode/UnlinkedModuleProgramCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
(JSC::UnlinkedCodeBlock::visitChildren): Deleted.
(JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
(JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
(JSC::dumpLineColumnEntry): Deleted.
(JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
(JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
(JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
(JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
(JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
(JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
(JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
(JSC::UnlinkedFunctionExecutable::destroy): Deleted.
(JSC::UnlinkedCodeBlock::setInstructions): Deleted.
(JSC::UnlinkedCodeBlock::instructions): Deleted.
(JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
(JSC::UnlinkedCodeBlock::applyModification): Deleted.
* bytecode/UnlinkedModuleProgramCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
(JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
(JSC::UnlinkedSimpleJumpTable::add): Deleted.
(JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
(JSC::UnlinkedCodeBlock::isConstructor): Deleted.
(JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
(JSC::UnlinkedCodeBlock::usesEval): Deleted.
(JSC::UnlinkedCodeBlock::parseMode): Deleted.
(JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
(JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
(JSC::UnlinkedCodeBlock::evalContextType): Deleted.
(JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
(JSC::UnlinkedCodeBlock::isClassContext): Deleted.
(JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
(JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
(JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
(JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
(JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
(JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
(JSC::UnlinkedCodeBlock::addParameter): Deleted.
(JSC::UnlinkedCodeBlock::numParameters): Deleted.
(JSC::UnlinkedCodeBlock::addRegExp): Deleted.
(JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
(JSC::UnlinkedCodeBlock::regexp): Deleted.
(JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
(JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
(JSC::UnlinkedCodeBlock::identifier): Deleted.
(JSC::UnlinkedCodeBlock::identifiers): Deleted.
(JSC::UnlinkedCodeBlock::addConstant): Deleted.
(JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
(JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
(JSC::UnlinkedCodeBlock::constantRegister): Deleted.
(JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
(JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
(JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
(JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
(JSC::UnlinkedCodeBlock::constructorKind): Deleted.
(JSC::UnlinkedCodeBlock::superBinding): Deleted.
(JSC::UnlinkedCodeBlock::scriptMode): Deleted.
(JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
(JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
(JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
(JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
(JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
(JSC::UnlinkedCodeBlock::functionDecl): Deleted.
(JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
(JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
(JSC::UnlinkedCodeBlock::functionExpr): Deleted.
(JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
(JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
(JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
(JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
(JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
(JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
(JSC::UnlinkedCodeBlock::codeType): Deleted.
(JSC::UnlinkedCodeBlock::thisRegister): Deleted.
(JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
(JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
(JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
(JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
(JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
(JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
(JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
(JSC::UnlinkedCodeBlock::hasRareData): Deleted.
(JSC::UnlinkedCodeBlock::recordParse): Deleted.
(JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
(JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
(JSC::UnlinkedCodeBlock::firstLine): Deleted.
(JSC::UnlinkedCodeBlock::lineCount): Deleted.
(JSC::UnlinkedCodeBlock::startColumn): Deleted.
(JSC::UnlinkedCodeBlock::endColumn): Deleted.
(JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
(JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
(JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
(JSC::UnlinkedCodeBlock::didOptimize): Deleted.
(JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
(JSC::UnlinkedCodeBlock::finishCreation): Deleted.
(JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
(JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
* bytecode/UnlinkedProgramCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
(JSC::UnlinkedCodeBlock::visitChildren): Deleted.
(JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
(JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
(JSC::dumpLineColumnEntry): Deleted.
(JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
(JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
(JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
(JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
(JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
(JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
(JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
(JSC::UnlinkedFunctionExecutable::destroy): Deleted.
(JSC::UnlinkedCodeBlock::setInstructions): Deleted.
(JSC::UnlinkedCodeBlock::instructions): Deleted.
(JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
(JSC::UnlinkedCodeBlock::applyModification): Deleted.
* bytecode/UnlinkedProgramCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
(JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
(JSC::UnlinkedSimpleJumpTable::add): Deleted.
(JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
(JSC::UnlinkedCodeBlock::isConstructor): Deleted.
(JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
(JSC::UnlinkedCodeBlock::usesEval): Deleted.
(JSC::UnlinkedCodeBlock::parseMode): Deleted.
(JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
(JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
(JSC::UnlinkedCodeBlock::evalContextType): Deleted.
(JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
(JSC::UnlinkedCodeBlock::isClassContext): Deleted.
(JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
(JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
(JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
(JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
(JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
(JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
(JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
(JSC::UnlinkedCodeBlock::addParameter): Deleted.
(JSC::UnlinkedCodeBlock::numParameters): Deleted.
(JSC::UnlinkedCodeBlock::addRegExp): Deleted.
(JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
(JSC::UnlinkedCodeBlock::regexp): Deleted.
(JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
(JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
(JSC::UnlinkedCodeBlock::identifier): Deleted.
(JSC::UnlinkedCodeBlock::identifiers): Deleted.
(JSC::UnlinkedCodeBlock::addConstant): Deleted.
(JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
(JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
(JSC::UnlinkedCodeBlock::constantRegister): Deleted.
(JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
(JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
(JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
(JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
(JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
(JSC::UnlinkedCodeBlock::constructorKind): Deleted.
(JSC::UnlinkedCodeBlock::superBinding): Deleted.
(JSC::UnlinkedCodeBlock::scriptMode): Deleted.
(JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
(JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
(JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
(JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
(JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
(JSC::UnlinkedCodeBlock::functionDecl): Deleted.
(JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
(JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
(JSC::UnlinkedCodeBlock::functionExpr): Deleted.
(JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
(JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
(JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
(JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
(JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
(JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
(JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
(JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
(JSC::UnlinkedCodeBlock::codeType): Deleted.
(JSC::UnlinkedCodeBlock::thisRegister): Deleted.
(JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
(JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
(JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
(JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
(JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
(JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
(JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
(JSC::UnlinkedCodeBlock::hasRareData): Deleted.
(JSC::UnlinkedCodeBlock::recordParse): Deleted.
(JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
(JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
(JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
(JSC::UnlinkedCodeBlock::firstLine): Deleted.
(JSC::UnlinkedCodeBlock::lineCount): Deleted.
(JSC::UnlinkedCodeBlock::startColumn): Deleted.
(JSC::UnlinkedCodeBlock::endColumn): Deleted.
(JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
(JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
(JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
(JSC::UnlinkedCodeBlock::didOptimize): Deleted.
(JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
(JSC::UnlinkedCodeBlock::finishCreation): Deleted.
(JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
(JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
* bytecompiler/BytecodeGenerator.cpp:
* runtime/CodeCache.cpp:
* runtime/EvalExecutable.h:
* runtime/JSModuleRecord.cpp:
2016-11-02 Saam Barati <sbarati@apple.com>
Allocation elimination of rest parameter doesn't take into account indexed properties on Array.prototype/Object.prototype
https://bugs.webkit.org/show_bug.cgi?id=164301
Reviewed by Geoffrey Garen.
We weren't taking into account indexed properties on the __proto__
of the rest parameter. This made the code for doing out of bound
accesses incorrect since it just assumed it's safe for the result of
an out of bound access to be undefined. This broke the semantics
of JS code when there was an indexed property on the Array.prototype
or Object.prototype.
This patch makes sure we set up the proper watchpoints for making
sure out of bound accesses are safe to return undefined.
* dfg/DFGArgumentsEliminationPhase.cpp:
2016-11-02 Geoffrey Garen <ggaren@apple.com>
One file per class for CodeBlock.h/.cpp
https://bugs.webkit.org/show_bug.cgi?id=164343
Reviewed by Andreas Kling.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CallLinkInfo.cpp:
* bytecode/CodeBlock.cpp:
(JSC::FunctionCodeBlock::destroy): Deleted.
(JSC::WebAssemblyCodeBlock::destroy): Deleted.
(JSC::ProgramCodeBlock::destroy): Deleted.
(JSC::ModuleProgramCodeBlock::destroy): Deleted.
(JSC::EvalCodeBlock::destroy): Deleted.
* bytecode/CodeBlock.h:
(JSC::GlobalCodeBlock::GlobalCodeBlock): Deleted.
(JSC::ProgramCodeBlock::create): Deleted.
(JSC::ProgramCodeBlock::createStructure): Deleted.
(JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
(JSC::ModuleProgramCodeBlock::create): Deleted.
(JSC::ModuleProgramCodeBlock::createStructure): Deleted.
(JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
(JSC::EvalCodeBlock::create): Deleted.
(JSC::EvalCodeBlock::createStructure): Deleted.
(JSC::EvalCodeBlock::variable): Deleted.
(JSC::EvalCodeBlock::numVariables): Deleted.
(JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
(JSC::EvalCodeBlock::unlinkedEvalCodeBlock): Deleted.
(JSC::FunctionCodeBlock::create): Deleted.
(JSC::FunctionCodeBlock::createStructure): Deleted.
(JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
(JSC::WebAssemblyCodeBlock::create): Deleted.
(JSC::WebAssemblyCodeBlock::createStructure): Deleted.
(JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Deleted.
(JSC::ScriptExecutable::forEachCodeBlock): Deleted.
* bytecode/EvalCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/CodeBlock.cpp.
(JSC::FunctionCodeBlock::destroy): Deleted.
(JSC::WebAssemblyCodeBlock::destroy): Deleted.
(JSC::ProgramCodeBlock::destroy): Deleted.
(JSC::ModuleProgramCodeBlock::destroy): Deleted.
(JSC::CodeBlock::inferredName): Deleted.
(JSC::CodeBlock::hasHash): Deleted.
(JSC::CodeBlock::isSafeToComputeHash): Deleted.
(JSC::CodeBlock::hash): Deleted.
(JSC::CodeBlock::sourceCodeForTools): Deleted.
(JSC::CodeBlock::sourceCodeOnOneLine): Deleted.
(JSC::CodeBlock::hashAsStringIfPossible): Deleted.
(JSC::CodeBlock::dumpAssumingJITType): Deleted.
(JSC::CodeBlock::dump): Deleted.
(JSC::idName): Deleted.
(JSC::CodeBlock::registerName): Deleted.
(JSC::CodeBlock::constantName): Deleted.
(JSC::regexpToSourceString): Deleted.
(JSC::regexpName): Deleted.
(JSC::debugHookName): Deleted.
(JSC::CodeBlock::printUnaryOp): Deleted.
(JSC::CodeBlock::printBinaryOp): Deleted.
(JSC::CodeBlock::printConditionalJump): Deleted.
(JSC::CodeBlock::printGetByIdOp): Deleted.
(JSC::dumpStructure): Deleted.
(JSC::dumpChain): Deleted.
(JSC::CodeBlock::printGetByIdCacheStatus): Deleted.
(JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
(JSC::CodeBlock::printCallOp): Deleted.
(JSC::CodeBlock::printPutByIdOp): Deleted.
(JSC::CodeBlock::dumpSource): Deleted.
(JSC::CodeBlock::dumpBytecode): Deleted.
(JSC::CodeBlock::dumpExceptionHandlers): Deleted.
(JSC::CodeBlock::beginDumpProfiling): Deleted.
(JSC::CodeBlock::dumpValueProfiling): Deleted.
(JSC::CodeBlock::dumpArrayProfiling): Deleted.
(JSC::CodeBlock::dumpRareCaseProfile): Deleted.
(JSC::CodeBlock::dumpArithProfile): Deleted.
(JSC::CodeBlock::printLocationAndOp): Deleted.
(JSC::CodeBlock::printLocationOpAndRegisterOperand): Deleted.
(JSC::sizeInBytes): Deleted.
(JSC::CodeBlock::CodeBlock): Deleted.
(JSC::CodeBlock::finishCreation): Deleted.
(JSC::CodeBlock::~CodeBlock): Deleted.
(JSC::CodeBlock::setConstantRegisters): Deleted.
(JSC::CodeBlock::setAlternative): Deleted.
(JSC::CodeBlock::setNumParameters): Deleted.
(JSC::EvalCodeCache::visitAggregate): Deleted.
(JSC::CodeBlock::specialOSREntryBlockOrNull): Deleted.
(JSC::CodeBlock::visitWeakly): Deleted.
(JSC::CodeBlock::estimatedSize): Deleted.
(JSC::CodeBlock::visitChildren): Deleted.
(JSC::CodeBlock::shouldVisitStrongly): Deleted.
(JSC::CodeBlock::shouldJettisonDueToWeakReference): Deleted.
(JSC::timeToLive): Deleted.
(JSC::CodeBlock::shouldJettisonDueToOldAge): Deleted.
(JSC::shouldMarkTransition): Deleted.
(JSC::CodeBlock::propagateTransitions): Deleted.
(JSC::CodeBlock::determineLiveness): Deleted.
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
(JSC::CodeBlock::clearLLIntGetByIdCache): Deleted.
(JSC::CodeBlock::finalizeLLIntInlineCaches): Deleted.
(JSC::CodeBlock::finalizeBaselineJITInlineCaches): Deleted.
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
(JSC::CodeBlock::getStubInfoMap): Deleted.
(JSC::CodeBlock::getCallLinkInfoMap): Deleted.
(JSC::CodeBlock::getByValInfoMap): Deleted.
(JSC::CodeBlock::addStubInfo): Deleted.
(JSC::CodeBlock::addJITAddIC): Deleted.
(JSC::CodeBlock::addJITMulIC): Deleted.
(JSC::CodeBlock::addJITSubIC): Deleted.
(JSC::CodeBlock::addJITNegIC): Deleted.
(JSC::CodeBlock::findStubInfo): Deleted.
(JSC::CodeBlock::addByValInfo): Deleted.
(JSC::CodeBlock::addCallLinkInfo): Deleted.
(JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): Deleted.
(JSC::CodeBlock::resetJITData): Deleted.
(JSC::CodeBlock::visitOSRExitTargets): Deleted.
(JSC::CodeBlock::stronglyVisitStrongReferences): Deleted.
(JSC::CodeBlock::stronglyVisitWeakReferences): Deleted.
(JSC::CodeBlock::baselineAlternative): Deleted.
(JSC::CodeBlock::baselineVersion): Deleted.
(JSC::CodeBlock::hasOptimizedReplacement): Deleted.
(JSC::CodeBlock::handlerForBytecodeOffset): Deleted.
(JSC::CodeBlock::handlerForIndex): Deleted.
(JSC::CodeBlock::newExceptionHandlingCallSiteIndex): Deleted.
(JSC::CodeBlock::removeExceptionHandlerForCallSite): Deleted.
(JSC::CodeBlock::lineNumberForBytecodeOffset): Deleted.
(JSC::CodeBlock::columnNumberForBytecodeOffset): Deleted.
(JSC::CodeBlock::expressionRangeForBytecodeOffset): Deleted.
(JSC::CodeBlock::hasOpDebugForLineAndColumn): Deleted.
(JSC::CodeBlock::shrinkToFit): Deleted.
(JSC::CodeBlock::linkIncomingCall): Deleted.
(JSC::CodeBlock::linkIncomingPolymorphicCall): Deleted.
(JSC::CodeBlock::unlinkIncomingCalls): Deleted.
(JSC::CodeBlock::newReplacement): Deleted.
(JSC::CodeBlock::replacement): Deleted.
(JSC::CodeBlock::computeCapabilityLevel): Deleted.
(JSC::CodeBlock::jettison): Deleted.
(JSC::CodeBlock::globalObjectFor): Deleted.
(JSC::RecursionCheckFunctor::RecursionCheckFunctor): Deleted.
(JSC::RecursionCheckFunctor::operator()): Deleted.
(JSC::RecursionCheckFunctor::didRecurse): Deleted.
(JSC::CodeBlock::noticeIncomingCall): Deleted.
(JSC::CodeBlock::reoptimizationRetryCounter): Deleted.
(JSC::CodeBlock::setCalleeSaveRegisters): Deleted.
(JSC::roundCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::countReoptimization): Deleted.
(JSC::CodeBlock::numberOfDFGCompiles): Deleted.
(JSC::CodeBlock::codeTypeThresholdMultiplier): Deleted.
(JSC::CodeBlock::optimizationThresholdScalingFactor): Deleted.
(JSC::clipThreshold): Deleted.
(JSC::CodeBlock::adjustedCounterValue): Deleted.
(JSC::CodeBlock::checkIfOptimizationThresholdReached): Deleted.
(JSC::CodeBlock::optimizeNextInvocation): Deleted.
(JSC::CodeBlock::dontOptimizeAnytimeSoon): Deleted.
(JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
(JSC::CodeBlock::optimizeAfterLongWarmUp): Deleted.
(JSC::CodeBlock::optimizeSoon): Deleted.
(JSC::CodeBlock::forceOptimizationSlowPathConcurrently): Deleted.
(JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): Deleted.
(JSC::CodeBlock::adjustedExitCountThreshold): Deleted.
(JSC::CodeBlock::exitCountThresholdForReoptimization): Deleted.
(JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop): Deleted.
(JSC::CodeBlock::shouldReoptimizeNow): Deleted.
(JSC::CodeBlock::shouldReoptimizeFromLoopNow): Deleted.
(JSC::CodeBlock::getArrayProfile): Deleted.
(JSC::CodeBlock::addArrayProfile): Deleted.
(JSC::CodeBlock::getOrAddArrayProfile): Deleted.
(JSC::CodeBlock::codeOrigins): Deleted.
(JSC::CodeBlock::numberOfDFGIdentifiers): Deleted.
(JSC::CodeBlock::identifier): Deleted.
(JSC::CodeBlock::updateAllPredictionsAndCountLiveness): Deleted.
(JSC::CodeBlock::updateAllValueProfilePredictions): Deleted.
(JSC::CodeBlock::updateAllArrayPredictions): Deleted.
(JSC::CodeBlock::updateAllPredictions): Deleted.
(JSC::CodeBlock::shouldOptimizeNow): Deleted.
(JSC::CodeBlock::tallyFrequentExitSites): Deleted.
(JSC::CodeBlock::dumpValueProfiles): Deleted.
(JSC::CodeBlock::frameRegisterCount): Deleted.
(JSC::CodeBlock::stackPointerOffset): Deleted.
(JSC::CodeBlock::predictedMachineCodeSize): Deleted.
(JSC::CodeBlock::usesOpcode): Deleted.
(JSC::CodeBlock::nameForRegister): Deleted.
(JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::validate): Deleted.
(JSC::CodeBlock::beginValidationDidFail): Deleted.
(JSC::CodeBlock::endValidationDidFail): Deleted.
(JSC::CodeBlock::addBreakpoint): Deleted.
(JSC::CodeBlock::setSteppingMode): Deleted.
(JSC::CodeBlock::addRareCaseProfile): Deleted.
(JSC::CodeBlock::rareCaseProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset): Deleted.
(JSC::CodeBlock::arithProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::arithProfileForPC): Deleted.
(JSC::CodeBlock::couldTakeSpecialFastCase): Deleted.
(JSC::CodeBlock::capabilityLevel): Deleted.
(JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler): Deleted.
(JSC::CodeBlock::setPCToCodeOriginMap): Deleted.
(JSC::CodeBlock::findPC): Deleted.
(JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex): Deleted.
(JSC::CodeBlock::thresholdForJIT): Deleted.
(JSC::CodeBlock::jitAfterWarmUp): Deleted.
(JSC::CodeBlock::jitSoon): Deleted.
(JSC::CodeBlock::dumpMathICStats): Deleted.
(JSC::CodeBlock::livenessAnalysisSlow): Deleted.
* bytecode/EvalCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/CodeBlock.h.
(): Deleted.
(JSC::CodeBlock::unlinkedCodeBlock): Deleted.
(JSC::CodeBlock::numParameters): Deleted.
(JSC::CodeBlock::numCalleeLocals): Deleted.
(JSC::CodeBlock::addressOfNumParameters): Deleted.
(JSC::CodeBlock::offsetOfNumParameters): Deleted.
(JSC::CodeBlock::alternative): Deleted.
(JSC::CodeBlock::forEachRelatedCodeBlock): Deleted.
(JSC::CodeBlock::specializationKind): Deleted.
(JSC::CodeBlock::isStrictMode): Deleted.
(JSC::CodeBlock::ecmaMode): Deleted.
(JSC::CodeBlock::isKnownNotImmediate): Deleted.
(JSC::CodeBlock::isTemporaryRegisterIndex): Deleted.
(JSC::CodeBlock::stubInfoBegin): Deleted.
(JSC::CodeBlock::stubInfoEnd): Deleted.
(JSC::CodeBlock::callLinkInfosBegin): Deleted.
(JSC::CodeBlock::callLinkInfosEnd): Deleted.
(JSC::CodeBlock::setJITCodeMap): Deleted.
(JSC::CodeBlock::jitCodeMap): Deleted.
(JSC::CodeBlock::bytecodeOffset): Deleted.
(JSC::CodeBlock::numberOfInstructions): Deleted.
(JSC::CodeBlock::instructions): Deleted.
(JSC::CodeBlock::instructionCount): Deleted.
(JSC::CodeBlock::setJITCode): Deleted.
(JSC::CodeBlock::jitCode): Deleted.
(JSC::CodeBlock::jitCodeOffset): Deleted.
(JSC::CodeBlock::jitType): Deleted.
(JSC::CodeBlock::hasBaselineJITProfiling): Deleted.
(JSC::CodeBlock::capabilityLevelState): Deleted.
(JSC::CodeBlock::ownerExecutable): Deleted.
(JSC::CodeBlock::ownerScriptExecutable): Deleted.
(JSC::CodeBlock::vm): Deleted.
(JSC::CodeBlock::setThisRegister): Deleted.
(JSC::CodeBlock::thisRegister): Deleted.
(JSC::CodeBlock::usesEval): Deleted.
(JSC::CodeBlock::setScopeRegister): Deleted.
(JSC::CodeBlock::scopeRegister): Deleted.
(JSC::CodeBlock::codeType): Deleted.
(JSC::CodeBlock::putByIdContext): Deleted.
(JSC::CodeBlock::source): Deleted.
(JSC::CodeBlock::sourceOffset): Deleted.
(JSC::CodeBlock::firstLineColumnOffset): Deleted.
(JSC::CodeBlock::numberOfJumpTargets): Deleted.
(JSC::CodeBlock::jumpTarget): Deleted.
(JSC::CodeBlock::numberOfArgumentValueProfiles): Deleted.
(JSC::CodeBlock::valueProfileForArgument): Deleted.
(JSC::CodeBlock::numberOfValueProfiles): Deleted.
(JSC::CodeBlock::valueProfile): Deleted.
(JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): Deleted.
(JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
(JSC::CodeBlock::getFromAllValueProfiles): Deleted.
(JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
(JSC::CodeBlock::likelyToTakeSlowCase): Deleted.
(JSC::CodeBlock::couldTakeSlowCase): Deleted.
(JSC::CodeBlock::numberOfArrayProfiles): Deleted.
(JSC::CodeBlock::arrayProfiles): Deleted.
(JSC::CodeBlock::numberOfExceptionHandlers): Deleted.
(JSC::CodeBlock::exceptionHandler): Deleted.
(JSC::CodeBlock::hasExpressionInfo): Deleted.
(JSC::CodeBlock::hasCodeOrigins): Deleted.
(JSC::CodeBlock::canGetCodeOrigin): Deleted.
(JSC::CodeBlock::codeOrigin): Deleted.
(JSC::CodeBlock::addFrequentExitSite): Deleted.
(JSC::CodeBlock::hasExitSite): Deleted.
(JSC::CodeBlock::exitProfile): Deleted.
(JSC::CodeBlock::lazyOperandValueProfiles): Deleted.
(JSC::CodeBlock::numberOfIdentifiers): Deleted.
(JSC::CodeBlock::identifier): Deleted.
(JSC::CodeBlock::constants): Deleted.
(JSC::CodeBlock::constantsSourceCodeRepresentation): Deleted.
(JSC::CodeBlock::addConstant): Deleted.
(JSC::CodeBlock::addConstantLazily): Deleted.
(JSC::CodeBlock::constantRegister): Deleted.
(JSC::CodeBlock::isConstantRegisterIndex): Deleted.
(JSC::CodeBlock::getConstant): Deleted.
(JSC::CodeBlock::constantSourceCodeRepresentation): Deleted.
(JSC::CodeBlock::functionDecl): Deleted.
(JSC::CodeBlock::numberOfFunctionDecls): Deleted.
(JSC::CodeBlock::functionExpr): Deleted.
(JSC::CodeBlock::regexp): Deleted.
(JSC::CodeBlock::numberOfConstantBuffers): Deleted.
(JSC::CodeBlock::addConstantBuffer): Deleted.
(JSC::CodeBlock::constantBufferAsVector): Deleted.
(JSC::CodeBlock::constantBuffer): Deleted.
(JSC::CodeBlock::heap): Deleted.
(JSC::CodeBlock::globalObject): Deleted.
(JSC::CodeBlock::livenessAnalysis): Deleted.
(JSC::CodeBlock::numberOfSwitchJumpTables): Deleted.
(JSC::CodeBlock::addSwitchJumpTable): Deleted.
(JSC::CodeBlock::switchJumpTable): Deleted.
(JSC::CodeBlock::clearSwitchJumpTables): Deleted.
(JSC::CodeBlock::numberOfStringSwitchJumpTables): Deleted.
(JSC::CodeBlock::addStringSwitchJumpTable): Deleted.
(JSC::CodeBlock::stringSwitchJumpTable): Deleted.
(JSC::CodeBlock::evalCodeCache): Deleted.
(JSC::CodeBlock::checkIfJITThresholdReached): Deleted.
(JSC::CodeBlock::dontJITAnytimeSoon): Deleted.
(JSC::CodeBlock::llintExecuteCounter): Deleted.
(JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
(JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters): Deleted.
(JSC::CodeBlock::addressOfJITExecuteCounter): Deleted.
(JSC::CodeBlock::offsetOfJITExecuteCounter): Deleted.
(JSC::CodeBlock::offsetOfJITExecutionActiveThreshold): Deleted.
(JSC::CodeBlock::offsetOfJITExecutionTotalCount): Deleted.
(JSC::CodeBlock::jitExecuteCounter): Deleted.
(JSC::CodeBlock::optimizationDelayCounter): Deleted.
(JSC::CodeBlock::osrExitCounter): Deleted.
(JSC::CodeBlock::countOSRExit): Deleted.
(JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
(JSC::CodeBlock::offsetOfOSRExitCounter): Deleted.
(JSC::CodeBlock::calleeSaveRegisters): Deleted.
(JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
(JSC::CodeBlock::numberOfDFGCompiles): Deleted.
(JSC::CodeBlock::hasDebuggerRequests): Deleted.
(JSC::CodeBlock::debuggerRequestsAddress): Deleted.
(JSC::CodeBlock::removeBreakpoint): Deleted.
(JSC::CodeBlock::clearDebuggerRequests): Deleted.
(JSC::CodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
(JSC::CodeBlock::clearExceptionHandlers): Deleted.
(JSC::CodeBlock::appendExceptionHandler): Deleted.
(JSC::CodeBlock::tallyFrequentExitSites): Deleted.
(JSC::CodeBlock::replaceConstant): Deleted.
(JSC::CodeBlock::timeSinceCreation): Deleted.
(JSC::CodeBlock::createRareDataIfNecessary): Deleted.
(JSC::GlobalCodeBlock::GlobalCodeBlock): Deleted.
(JSC::ProgramCodeBlock::create): Deleted.
(JSC::ProgramCodeBlock::createStructure): Deleted.
(JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
(JSC::ModuleProgramCodeBlock::create): Deleted.
(JSC::ModuleProgramCodeBlock::createStructure): Deleted.
(JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
(JSC::FunctionCodeBlock::create): Deleted.
(JSC::FunctionCodeBlock::createStructure): Deleted.
(JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
(JSC::WebAssemblyCodeBlock::create): Deleted.
(JSC::WebAssemblyCodeBlock::createStructure): Deleted.
(JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Deleted.
(JSC::ExecState::r): Deleted.
(JSC::ExecState::uncheckedR): Deleted.
(JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
(JSC::ScriptExecutable::forEachCodeBlock): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
* bytecode/FunctionCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/CodeBlock.cpp.
(JSC::WebAssemblyCodeBlock::destroy): Deleted.
(JSC::ProgramCodeBlock::destroy): Deleted.
(JSC::ModuleProgramCodeBlock::destroy): Deleted.
(JSC::EvalCodeBlock::destroy): Deleted.
(JSC::CodeBlock::inferredName): Deleted.
(JSC::CodeBlock::hasHash): Deleted.
(JSC::CodeBlock::isSafeToComputeHash): Deleted.
(JSC::CodeBlock::hash): Deleted.
(JSC::CodeBlock::sourceCodeForTools): Deleted.
(JSC::CodeBlock::sourceCodeOnOneLine): Deleted.
(JSC::CodeBlock::hashAsStringIfPossible): Deleted.
(JSC::CodeBlock::dumpAssumingJITType): Deleted.
(JSC::CodeBlock::dump): Deleted.
(JSC::idName): Deleted.
(JSC::CodeBlock::registerName): Deleted.
(JSC::CodeBlock::constantName): Deleted.
(JSC::regexpToSourceString): Deleted.
(JSC::regexpName): Deleted.
(JSC::debugHookName): Deleted.
(JSC::CodeBlock::printUnaryOp): Deleted.
(JSC::CodeBlock::printBinaryOp): Deleted.
(JSC::CodeBlock::printConditionalJump): Deleted.
(JSC::CodeBlock::printGetByIdOp): Deleted.
(JSC::dumpStructure): Deleted.
(JSC::dumpChain): Deleted.
(JSC::CodeBlock::printGetByIdCacheStatus): Deleted.
(JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
(JSC::CodeBlock::printCallOp): Deleted.
(JSC::CodeBlock::printPutByIdOp): Deleted.
(JSC::CodeBlock::dumpSource): Deleted.
(JSC::CodeBlock::dumpBytecode): Deleted.
(JSC::CodeBlock::dumpExceptionHandlers): Deleted.
(JSC::CodeBlock::beginDumpProfiling): Deleted.
(JSC::CodeBlock::dumpValueProfiling): Deleted.
(JSC::CodeBlock::dumpArrayProfiling): Deleted.
(JSC::CodeBlock::dumpRareCaseProfile): Deleted.
(JSC::CodeBlock::dumpArithProfile): Deleted.
(JSC::CodeBlock::printLocationAndOp): Deleted.
(JSC::CodeBlock::printLocationOpAndRegisterOperand): Deleted.
(JSC::sizeInBytes): Deleted.
(JSC::CodeBlock::CodeBlock): Deleted.
(JSC::CodeBlock::finishCreation): Deleted.
(JSC::CodeBlock::~CodeBlock): Deleted.
(JSC::CodeBlock::setConstantRegisters): Deleted.
(JSC::CodeBlock::setAlternative): Deleted.
(JSC::CodeBlock::setNumParameters): Deleted.
(JSC::EvalCodeCache::visitAggregate): Deleted.
(JSC::CodeBlock::specialOSREntryBlockOrNull): Deleted.
(JSC::CodeBlock::visitWeakly): Deleted.
(JSC::CodeBlock::estimatedSize): Deleted.
(JSC::CodeBlock::visitChildren): Deleted.
(JSC::CodeBlock::shouldVisitStrongly): Deleted.
(JSC::CodeBlock::shouldJettisonDueToWeakReference): Deleted.
(JSC::timeToLive): Deleted.
(JSC::CodeBlock::shouldJettisonDueToOldAge): Deleted.
(JSC::shouldMarkTransition): Deleted.
(JSC::CodeBlock::propagateTransitions): Deleted.
(JSC::CodeBlock::determineLiveness): Deleted.
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
(JSC::CodeBlock::clearLLIntGetByIdCache): Deleted.
(JSC::CodeBlock::finalizeLLIntInlineCaches): Deleted.
(JSC::CodeBlock::finalizeBaselineJITInlineCaches): Deleted.
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
(JSC::CodeBlock::getStubInfoMap): Deleted.
(JSC::CodeBlock::getCallLinkInfoMap): Deleted.
(JSC::CodeBlock::getByValInfoMap): Deleted.
(JSC::CodeBlock::addStubInfo): Deleted.
(JSC::CodeBlock::addJITAddIC): Deleted.
(JSC::CodeBlock::addJITMulIC): Deleted.
(JSC::CodeBlock::addJITSubIC): Deleted.
(JSC::CodeBlock::addJITNegIC): Deleted.
(JSC::CodeBlock::findStubInfo): Deleted.
(JSC::CodeBlock::addByValInfo): Deleted.
(JSC::CodeBlock::addCallLinkInfo): Deleted.
(JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): Deleted.
(JSC::CodeBlock::resetJITData): Deleted.
(JSC::CodeBlock::visitOSRExitTargets): Deleted.
(JSC::CodeBlock::stronglyVisitStrongReferences): Deleted.
(JSC::CodeBlock::stronglyVisitWeakReferences): Deleted.
(JSC::CodeBlock::baselineAlternative): Deleted.
(JSC::CodeBlock::baselineVersion): Deleted.
(JSC::CodeBlock::hasOptimizedReplacement): Deleted.
(JSC::CodeBlock::handlerForBytecodeOffset): Deleted.
(JSC::CodeBlock::handlerForIndex): Deleted.
(JSC::CodeBlock::newExceptionHandlingCallSiteIndex): Deleted.
(JSC::CodeBlock::removeExceptionHandlerForCallSite): Deleted.
(JSC::CodeBlock::lineNumberForBytecodeOffset): Deleted.
(JSC::CodeBlock::columnNumberForBytecodeOffset): Deleted.
(JSC::CodeBlock::expressionRangeForBytecodeOffset): Deleted.
(JSC::CodeBlock::hasOpDebugForLineAndColumn): Deleted.
(JSC::CodeBlock::shrinkToFit): Deleted.
(JSC::CodeBlock::linkIncomingCall): Deleted.
(JSC::CodeBlock::linkIncomingPolymorphicCall): Deleted.
(JSC::CodeBlock::unlinkIncomingCalls): Deleted.
(JSC::CodeBlock::newReplacement): Deleted.
(JSC::CodeBlock::replacement): Deleted.
(JSC::CodeBlock::computeCapabilityLevel): Deleted.
(JSC::CodeBlock::jettison): Deleted.
(JSC::CodeBlock::globalObjectFor): Deleted.
(JSC::RecursionCheckFunctor::RecursionCheckFunctor): Deleted.
(JSC::RecursionCheckFunctor::operator()): Deleted.
(JSC::RecursionCheckFunctor::didRecurse): Deleted.
(JSC::CodeBlock::noticeIncomingCall): Deleted.
(JSC::CodeBlock::reoptimizationRetryCounter): Deleted.
(JSC::CodeBlock::setCalleeSaveRegisters): Deleted.
(JSC::roundCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::countReoptimization): Deleted.
(JSC::CodeBlock::numberOfDFGCompiles): Deleted.
(JSC::CodeBlock::codeTypeThresholdMultiplier): Deleted.
(JSC::CodeBlock::optimizationThresholdScalingFactor): Deleted.
(JSC::clipThreshold): Deleted.
(JSC::CodeBlock::adjustedCounterValue): Deleted.
(JSC::CodeBlock::checkIfOptimizationThresholdReached): Deleted.
(JSC::CodeBlock::optimizeNextInvocation): Deleted.
(JSC::CodeBlock::dontOptimizeAnytimeSoon): Deleted.
(JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
(JSC::CodeBlock::optimizeAfterLongWarmUp): Deleted.
(JSC::CodeBlock::optimizeSoon): Deleted.
(JSC::CodeBlock::forceOptimizationSlowPathConcurrently): Deleted.
(JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): Deleted.
(JSC::CodeBlock::adjustedExitCountThreshold): Deleted.
(JSC::CodeBlock::exitCountThresholdForReoptimization): Deleted.
(JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop): Deleted.
(JSC::CodeBlock::shouldReoptimizeNow): Deleted.
(JSC::CodeBlock::shouldReoptimizeFromLoopNow): Deleted.
(JSC::CodeBlock::getArrayProfile): Deleted.
(JSC::CodeBlock::addArrayProfile): Deleted.
(JSC::CodeBlock::getOrAddArrayProfile): Deleted.
(JSC::CodeBlock::codeOrigins): Deleted.
(JSC::CodeBlock::numberOfDFGIdentifiers): Deleted.
(JSC::CodeBlock::identifier): Deleted.
(JSC::CodeBlock::updateAllPredictionsAndCountLiveness): Deleted.
(JSC::CodeBlock::updateAllValueProfilePredictions): Deleted.
(JSC::CodeBlock::updateAllArrayPredictions): Deleted.
(JSC::CodeBlock::updateAllPredictions): Deleted.
(JSC::CodeBlock::shouldOptimizeNow): Deleted.
(JSC::CodeBlock::tallyFrequentExitSites): Deleted.
(JSC::CodeBlock::dumpValueProfiles): Deleted.
(JSC::CodeBlock::frameRegisterCount): Deleted.
(JSC::CodeBlock::stackPointerOffset): Deleted.
(JSC::CodeBlock::predictedMachineCodeSize): Deleted.
(JSC::CodeBlock::usesOpcode): Deleted.
(JSC::CodeBlock::nameForRegister): Deleted.
(JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::validate): Deleted.
(JSC::CodeBlock::beginValidationDidFail): Deleted.
(JSC::CodeBlock::endValidationDidFail): Deleted.
(JSC::CodeBlock::addBreakpoint): Deleted.
(JSC::CodeBlock::setSteppingMode): Deleted.
(JSC::CodeBlock::addRareCaseProfile): Deleted.
(JSC::CodeBlock::rareCaseProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset): Deleted.
(JSC::CodeBlock::arithProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::arithProfileForPC): Deleted.
(JSC::CodeBlock::couldTakeSpecialFastCase): Deleted.
(JSC::CodeBlock::capabilityLevel): Deleted.
(JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler): Deleted.
(JSC::CodeBlock::setPCToCodeOriginMap): Deleted.
(JSC::CodeBlock::findPC): Deleted.
(JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex): Deleted.
(JSC::CodeBlock::thresholdForJIT): Deleted.
(JSC::CodeBlock::jitAfterWarmUp): Deleted.
(JSC::CodeBlock::jitSoon): Deleted.
(JSC::CodeBlock::dumpMathICStats): Deleted.
(JSC::CodeBlock::livenessAnalysisSlow): Deleted.
* bytecode/FunctionCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/CodeBlock.h.
(): Deleted.
(JSC::CodeBlock::unlinkedCodeBlock): Deleted.
(JSC::CodeBlock::numParameters): Deleted.
(JSC::CodeBlock::numCalleeLocals): Deleted.
(JSC::CodeBlock::addressOfNumParameters): Deleted.
(JSC::CodeBlock::offsetOfNumParameters): Deleted.
(JSC::CodeBlock::alternative): Deleted.
(JSC::CodeBlock::forEachRelatedCodeBlock): Deleted.
(JSC::CodeBlock::specializationKind): Deleted.
(JSC::CodeBlock::isStrictMode): Deleted.
(JSC::CodeBlock::ecmaMode): Deleted.
(JSC::CodeBlock::isKnownNotImmediate): Deleted.
(JSC::CodeBlock::isTemporaryRegisterIndex): Deleted.
(JSC::CodeBlock::stubInfoBegin): Deleted.
(JSC::CodeBlock::stubInfoEnd): Deleted.
(JSC::CodeBlock::callLinkInfosBegin): Deleted.
(JSC::CodeBlock::callLinkInfosEnd): Deleted.
(JSC::CodeBlock::setJITCodeMap): Deleted.
(JSC::CodeBlock::jitCodeMap): Deleted.
(JSC::CodeBlock::bytecodeOffset): Deleted.
(JSC::CodeBlock::numberOfInstructions): Deleted.
(JSC::CodeBlock::instructions): Deleted.
(JSC::CodeBlock::instructionCount): Deleted.
(JSC::CodeBlock::setJITCode): Deleted.
(JSC::CodeBlock::jitCode): Deleted.
(JSC::CodeBlock::jitCodeOffset): Deleted.
(JSC::CodeBlock::jitType): Deleted.
(JSC::CodeBlock::hasBaselineJITProfiling): Deleted.
(JSC::CodeBlock::capabilityLevelState): Deleted.
(JSC::CodeBlock::ownerExecutable): Deleted.
(JSC::CodeBlock::ownerScriptExecutable): Deleted.
(JSC::CodeBlock::vm): Deleted.
(JSC::CodeBlock::setThisRegister): Deleted.
(JSC::CodeBlock::thisRegister): Deleted.
(JSC::CodeBlock::usesEval): Deleted.
(JSC::CodeBlock::setScopeRegister): Deleted.
(JSC::CodeBlock::scopeRegister): Deleted.
(JSC::CodeBlock::codeType): Deleted.
(JSC::CodeBlock::putByIdContext): Deleted.
(JSC::CodeBlock::source): Deleted.
(JSC::CodeBlock::sourceOffset): Deleted.
(JSC::CodeBlock::firstLineColumnOffset): Deleted.
(JSC::CodeBlock::numberOfJumpTargets): Deleted.
(JSC::CodeBlock::jumpTarget): Deleted.
(JSC::CodeBlock::numberOfArgumentValueProfiles): Deleted.
(JSC::CodeBlock::valueProfileForArgument): Deleted.
(JSC::CodeBlock::numberOfValueProfiles): Deleted.
(JSC::CodeBlock::valueProfile): Deleted.
(JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): Deleted.
(JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
(JSC::CodeBlock::getFromAllValueProfiles): Deleted.
(JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
(JSC::CodeBlock::likelyToTakeSlowCase): Deleted.
(JSC::CodeBlock::couldTakeSlowCase): Deleted.
(JSC::CodeBlock::numberOfArrayProfiles): Deleted.
(JSC::CodeBlock::arrayProfiles): Deleted.
(JSC::CodeBlock::numberOfExceptionHandlers): Deleted.
(JSC::CodeBlock::exceptionHandler): Deleted.
(JSC::CodeBlock::hasExpressionInfo): Deleted.
(JSC::CodeBlock::hasCodeOrigins): Deleted.
(JSC::CodeBlock::canGetCodeOrigin): Deleted.
(JSC::CodeBlock::codeOrigin): Deleted.
(JSC::CodeBlock::addFrequentExitSite): Deleted.
(JSC::CodeBlock::hasExitSite): Deleted.
(JSC::CodeBlock::exitProfile): Deleted.
(JSC::CodeBlock::lazyOperandValueProfiles): Deleted.
(JSC::CodeBlock::numberOfIdentifiers): Deleted.
(JSC::CodeBlock::identifier): Deleted.
(JSC::CodeBlock::constants): Deleted.
(JSC::CodeBlock::constantsSourceCodeRepresentation): Deleted.
(JSC::CodeBlock::addConstant): Deleted.
(JSC::CodeBlock::addConstantLazily): Deleted.
(JSC::CodeBlock::constantRegister): Deleted.
(JSC::CodeBlock::isConstantRegisterIndex): Deleted.
(JSC::CodeBlock::getConstant): Deleted.
(JSC::CodeBlock::constantSourceCodeRepresentation): Deleted.
(JSC::CodeBlock::functionDecl): Deleted.
(JSC::CodeBlock::numberOfFunctionDecls): Deleted.
(JSC::CodeBlock::functionExpr): Deleted.
(JSC::CodeBlock::regexp): Deleted.
(JSC::CodeBlock::numberOfConstantBuffers): Deleted.
(JSC::CodeBlock::addConstantBuffer): Deleted.
(JSC::CodeBlock::constantBufferAsVector): Deleted.
(JSC::CodeBlock::constantBuffer): Deleted.
(JSC::CodeBlock::heap): Deleted.
(JSC::CodeBlock::globalObject): Deleted.
(JSC::CodeBlock::livenessAnalysis): Deleted.
(JSC::CodeBlock::numberOfSwitchJumpTables): Deleted.
(JSC::CodeBlock::addSwitchJumpTable): Deleted.
(JSC::CodeBlock::switchJumpTable): Deleted.
(JSC::CodeBlock::clearSwitchJumpTables): Deleted.
(JSC::CodeBlock::numberOfStringSwitchJumpTables): Deleted.
(JSC::CodeBlock::addStringSwitchJumpTable): Deleted.
(JSC::CodeBlock::stringSwitchJumpTable): Deleted.
(JSC::CodeBlock::evalCodeCache): Deleted.
(JSC::CodeBlock::checkIfJITThresholdReached): Deleted.
(JSC::CodeBlock::dontJITAnytimeSoon): Deleted.
(JSC::CodeBlock::llintExecuteCounter): Deleted.
(JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
(JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters): Deleted.
(JSC::CodeBlock::addressOfJITExecuteCounter): Deleted.
(JSC::CodeBlock::offsetOfJITExecuteCounter): Deleted.
(JSC::CodeBlock::offsetOfJITExecutionActiveThreshold): Deleted.
(JSC::CodeBlock::offsetOfJITExecutionTotalCount): Deleted.
(JSC::CodeBlock::jitExecuteCounter): Deleted.
(JSC::CodeBlock::optimizationDelayCounter): Deleted.
(JSC::CodeBlock::osrExitCounter): Deleted.
(JSC::CodeBlock::countOSRExit): Deleted.
(JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
(JSC::CodeBlock::offsetOfOSRExitCounter): Deleted.
(JSC::CodeBlock::calleeSaveRegisters): Deleted.
(JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
(JSC::CodeBlock::numberOfDFGCompiles): Deleted.
(JSC::CodeBlock::hasDebuggerRequests): Deleted.
(JSC::CodeBlock::debuggerRequestsAddress): Deleted.
(JSC::CodeBlock::removeBreakpoint): Deleted.
(JSC::CodeBlock::clearDebuggerRequests): Deleted.
(JSC::CodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
(JSC::CodeBlock::clearExceptionHandlers): Deleted.
(JSC::CodeBlock::appendExceptionHandler): Deleted.
(JSC::CodeBlock::tallyFrequentExitSites): Deleted.
(JSC::CodeBlock::replaceConstant): Deleted.
(JSC::CodeBlock::timeSinceCreation): Deleted.
(JSC::CodeBlock::createRareDataIfNecessary): Deleted.
(JSC::GlobalCodeBlock::GlobalCodeBlock): Deleted.
(JSC::ProgramCodeBlock::create): Deleted.
(JSC::ProgramCodeBlock::createStructure): Deleted.
(JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
(JSC::ModuleProgramCodeBlock::create): Deleted.
(JSC::ModuleProgramCodeBlock::createStructure): Deleted.
(JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
(JSC::EvalCodeBlock::create): Deleted.
(JSC::EvalCodeBlock::createStructure): Deleted.
(JSC::EvalCodeBlock::variable): Deleted.
(JSC::EvalCodeBlock::numVariables): Deleted.
(JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
(JSC::EvalCodeBlock::unlinkedEvalCodeBlock): Deleted.
(JSC::WebAssemblyCodeBlock::create): Deleted.
(JSC::WebAssemblyCodeBlock::createStructure): Deleted.
(JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Deleted.
(JSC::ExecState::r): Deleted.
(JSC::ExecState::uncheckedR): Deleted.
(JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
(JSC::ScriptExecutable::forEachCodeBlock): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
* bytecode/GlobalCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/CodeBlock.h.
(): Deleted.
(JSC::CodeBlock::unlinkedCodeBlock): Deleted.
(JSC::CodeBlock::numParameters): Deleted.
(JSC::CodeBlock::numCalleeLocals): Deleted.
(JSC::CodeBlock::addressOfNumParameters): Deleted.
(JSC::CodeBlock::offsetOfNumParameters): Deleted.
(JSC::CodeBlock::alternative): Deleted.
(JSC::CodeBlock::forEachRelatedCodeBlock): Deleted.
(JSC::CodeBlock::specializationKind): Deleted.
(JSC::CodeBlock::isStrictMode): Deleted.
(JSC::CodeBlock::ecmaMode): Deleted.
(JSC::CodeBlock::isKnownNotImmediate): Deleted.
(JSC::CodeBlock::isTemporaryRegisterIndex): Deleted.
(JSC::CodeBlock::stubInfoBegin): Deleted.
(JSC::CodeBlock::stubInfoEnd): Deleted.
(JSC::CodeBlock::callLinkInfosBegin): Deleted.
(JSC::CodeBlock::callLinkInfosEnd): Deleted.
(JSC::CodeBlock::setJITCodeMap): Deleted.
(JSC::CodeBlock::jitCodeMap): Deleted.
(JSC::CodeBlock::bytecodeOffset): Deleted.
(JSC::CodeBlock::numberOfInstructions): Deleted.
(JSC::CodeBlock::instructions): Deleted.
(JSC::CodeBlock::instructionCount): Deleted.
(JSC::CodeBlock::setJITCode): Deleted.
(JSC::CodeBlock::jitCode): Deleted.
(JSC::CodeBlock::jitCodeOffset): Deleted.
(JSC::CodeBlock::jitType): Deleted.
(JSC::CodeBlock::hasBaselineJITProfiling): Deleted.
(JSC::CodeBlock::capabilityLevelState): Deleted.
(JSC::CodeBlock::ownerExecutable): Deleted.
(JSC::CodeBlock::ownerScriptExecutable): Deleted.
(JSC::CodeBlock::vm): Deleted.
(JSC::CodeBlock::setThisRegister): Deleted.
(JSC::CodeBlock::thisRegister): Deleted.
(JSC::CodeBlock::usesEval): Deleted.
(JSC::CodeBlock::setScopeRegister): Deleted.
(JSC::CodeBlock::scopeRegister): Deleted.
(JSC::CodeBlock::codeType): Deleted.
(JSC::CodeBlock::putByIdContext): Deleted.
(JSC::CodeBlock::source): Deleted.
(JSC::CodeBlock::sourceOffset): Deleted.
(JSC::CodeBlock::firstLineColumnOffset): Deleted.
(JSC::CodeBlock::numberOfJumpTargets): Deleted.
(JSC::CodeBlock::jumpTarget): Deleted.
(JSC::CodeBlock::numberOfArgumentValueProfiles): Deleted.
(JSC::CodeBlock::valueProfileForArgument): Deleted.
(JSC::CodeBlock::numberOfValueProfiles): Deleted.
(JSC::CodeBlock::valueProfile): Deleted.
(JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): Deleted.
(JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
(JSC::CodeBlock::getFromAllValueProfiles): Deleted.
(JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
(JSC::CodeBlock::likelyToTakeSlowCase): Deleted.
(JSC::CodeBlock::couldTakeSlowCase): Deleted.
(JSC::CodeBlock::numberOfArrayProfiles): Deleted.
(JSC::CodeBlock::arrayProfiles): Deleted.
(JSC::CodeBlock::numberOfExceptionHandlers): Deleted.
(JSC::CodeBlock::exceptionHandler): Deleted.
(JSC::CodeBlock::hasExpressionInfo): Deleted.
(JSC::CodeBlock::hasCodeOrigins): Deleted.
(JSC::CodeBlock::canGetCodeOrigin): Deleted.
(JSC::CodeBlock::codeOrigin): Deleted.
(JSC::CodeBlock::addFrequentExitSite): Deleted.
(JSC::CodeBlock::hasExitSite): Deleted.
(JSC::CodeBlock::exitProfile): Deleted.
(JSC::CodeBlock::lazyOperandValueProfiles): Deleted.
(JSC::CodeBlock::numberOfIdentifiers): Deleted.
(JSC::CodeBlock::identifier): Deleted.
(JSC::CodeBlock::constants): Deleted.
(JSC::CodeBlock::constantsSourceCodeRepresentation): Deleted.
(JSC::CodeBlock::addConstant): Deleted.
(JSC::CodeBlock::addConstantLazily): Deleted.
(JSC::CodeBlock::constantRegister): Deleted.
(JSC::CodeBlock::isConstantRegisterIndex): Deleted.
(JSC::CodeBlock::getConstant): Deleted.
(JSC::CodeBlock::constantSourceCodeRepresentation): Deleted.
(JSC::CodeBlock::functionDecl): Deleted.
(JSC::CodeBlock::numberOfFunctionDecls): Deleted.
(JSC::CodeBlock::functionExpr): Deleted.
(JSC::CodeBlock::regexp): Deleted.
(JSC::CodeBlock::numberOfConstantBuffers): Deleted.
(JSC::CodeBlock::addConstantBuffer): Deleted.
(JSC::CodeBlock::constantBufferAsVector): Deleted.
(JSC::CodeBlock::constantBuffer): Deleted.
(JSC::CodeBlock::heap): Deleted.
(JSC::CodeBlock::globalObject): Deleted.
(JSC::CodeBlock::livenessAnalysis): Deleted.
(JSC::CodeBlock::numberOfSwitchJumpTables): Deleted.
(JSC::CodeBlock::addSwitchJumpTable): Deleted.
(JSC::CodeBlock::switchJumpTable): Deleted.
(JSC::CodeBlock::clearSwitchJumpTables): Deleted.
(JSC::CodeBlock::numberOfStringSwitchJumpTables): Deleted.
(JSC::CodeBlock::addStringSwitchJumpTable): Deleted.
(JSC::CodeBlock::stringSwitchJumpTable): Deleted.
(JSC::CodeBlock::evalCodeCache): Deleted.
(JSC::CodeBlock::checkIfJITThresholdReached): Deleted.
(JSC::CodeBlock::dontJITAnytimeSoon): Deleted.
(JSC::CodeBlock::llintExecuteCounter): Deleted.
(JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
(JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters): Deleted.
(JSC::CodeBlock::addressOfJITExecuteCounter): Deleted.
(JSC::CodeBlock::offsetOfJITExecuteCounter): Deleted.
(JSC::CodeBlock::offsetOfJITExecutionActiveThreshold): Deleted.
(JSC::CodeBlock::offsetOfJITExecutionTotalCount): Deleted.
(JSC::CodeBlock::jitExecuteCounter): Deleted.
(JSC::CodeBlock::optimizationDelayCounter): Deleted.
(JSC::CodeBlock::osrExitCounter): Deleted.
(JSC::CodeBlock::countOSRExit): Deleted.
(JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
(JSC::CodeBlock::offsetOfOSRExitCounter): Deleted.
(JSC::CodeBlock::calleeSaveRegisters): Deleted.
(JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
(JSC::CodeBlock::numberOfDFGCompiles): Deleted.
(JSC::CodeBlock::hasDebuggerRequests): Deleted.
(JSC::CodeBlock::debuggerRequestsAddress): Deleted.
(JSC::CodeBlock::removeBreakpoint): Deleted.
(JSC::CodeBlock::clearDebuggerRequests): Deleted.
(JSC::CodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
(JSC::CodeBlock::clearExceptionHandlers): Deleted.
(JSC::CodeBlock::appendExceptionHandler): Deleted.
(JSC::CodeBlock::tallyFrequentExitSites): Deleted.
(JSC::CodeBlock::replaceConstant): Deleted.
(JSC::CodeBlock::timeSinceCreation): Deleted.
(JSC::CodeBlock::createRareDataIfNecessary): Deleted.
(JSC::ProgramCodeBlock::create): Deleted.
(JSC::ProgramCodeBlock::createStructure): Deleted.
(JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
(JSC::ModuleProgramCodeBlock::create): Deleted.
(JSC::ModuleProgramCodeBlock::createStructure): Deleted.
(JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
(JSC::EvalCodeBlock::create): Deleted.
(JSC::EvalCodeBlock::createStructure): Deleted.
(JSC::EvalCodeBlock::variable): Deleted.
(JSC::EvalCodeBlock::numVariables): Deleted.
(JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
(JSC::EvalCodeBlock::unlinkedEvalCodeBlock): Deleted.
(JSC::FunctionCodeBlock::create): Deleted.
(JSC::FunctionCodeBlock::createStructure): Deleted.
(JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
(JSC::WebAssemblyCodeBlock::create): Deleted.
(JSC::WebAssemblyCodeBlock::createStructure): Deleted.
(JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Deleted.
(JSC::ExecState::r): Deleted.
(JSC::ExecState::uncheckedR): Deleted.
(JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
(JSC::ScriptExecutable::forEachCodeBlock): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
* bytecode/ModuleProgramCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/CodeBlock.cpp.
(JSC::FunctionCodeBlock::destroy): Deleted.
(JSC::WebAssemblyCodeBlock::destroy): Deleted.
(JSC::ProgramCodeBlock::destroy): Deleted.
(JSC::EvalCodeBlock::destroy): Deleted.
(JSC::CodeBlock::inferredName): Deleted.
(JSC::CodeBlock::hasHash): Deleted.
(JSC::CodeBlock::isSafeToComputeHash): Deleted.
(JSC::CodeBlock::hash): Deleted.
(JSC::CodeBlock::sourceCodeForTools): Deleted.
(JSC::CodeBlock::sourceCodeOnOneLine): Deleted.
(JSC::CodeBlock::hashAsStringIfPossible): Deleted.
(JSC::CodeBlock::dumpAssumingJITType): Deleted.
(JSC::CodeBlock::dump): Deleted.
(JSC::idName): Deleted.
(JSC::CodeBlock::registerName): Deleted.
(JSC::CodeBlock::constantName): Deleted.
(JSC::regexpToSourceString): Deleted.
(JSC::regexpName): Deleted.
(JSC::debugHookName): Deleted.
(JSC::CodeBlock::printUnaryOp): Deleted.
(JSC::CodeBlock::printBinaryOp): Deleted.
(JSC::CodeBlock::printConditionalJump): Deleted.
(JSC::CodeBlock::printGetByIdOp): Deleted.
(JSC::dumpStructure): Deleted.
(JSC::dumpChain): Deleted.
(JSC::CodeBlock::printGetByIdCacheStatus): Deleted.
(JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
(JSC::CodeBlock::printCallOp): Deleted.
(JSC::CodeBlock::printPutByIdOp): Deleted.
(JSC::CodeBlock::dumpSource): Deleted.
(JSC::CodeBlock::dumpBytecode): Deleted.
(JSC::CodeBlock::dumpExceptionHandlers): Deleted.
(JSC::CodeBlock::beginDumpProfiling): Deleted.
(JSC::CodeBlock::dumpValueProfiling): Deleted.
(JSC::CodeBlock::dumpArrayProfiling): Deleted.
(JSC::CodeBlock::dumpRareCaseProfile): Deleted.
(JSC::CodeBlock::dumpArithProfile): Deleted.
(JSC::CodeBlock::printLocationAndOp): Deleted.
(JSC::CodeBlock::printLocationOpAndRegisterOperand): Deleted.
(JSC::sizeInBytes): Deleted.
(JSC::CodeBlock::CodeBlock): Deleted.
(JSC::CodeBlock::finishCreation): Deleted.
(JSC::CodeBlock::~CodeBlock): Deleted.
(JSC::CodeBlock::setConstantRegisters): Deleted.
(JSC::CodeBlock::setAlternative): Deleted.
(JSC::CodeBlock::setNumParameters): Deleted.
(JSC::EvalCodeCache::visitAggregate): Deleted.
(JSC::CodeBlock::specialOSREntryBlockOrNull): Deleted.
(JSC::CodeBlock::visitWeakly): Deleted.
(JSC::CodeBlock::estimatedSize): Deleted.
(JSC::CodeBlock::visitChildren): Deleted.
(JSC::CodeBlock::shouldVisitStrongly): Deleted.
(JSC::CodeBlock::shouldJettisonDueToWeakReference): Deleted.
(JSC::timeToLive): Deleted.
(JSC::CodeBlock::shouldJettisonDueToOldAge): Deleted.
(JSC::shouldMarkTransition): Deleted.
(JSC::CodeBlock::propagateTransitions): Deleted.
(JSC::CodeBlock::determineLiveness): Deleted.
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
(JSC::CodeBlock::clearLLIntGetByIdCache): Deleted.
(JSC::CodeBlock::finalizeLLIntInlineCaches): Deleted.
(JSC::CodeBlock::finalizeBaselineJITInlineCaches): Deleted.
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
(JSC::CodeBlock::getStubInfoMap): Deleted.
(JSC::CodeBlock::getCallLinkInfoMap): Deleted.
(JSC::CodeBlock::getByValInfoMap): Deleted.
(JSC::CodeBlock::addStubInfo): Deleted.
(JSC::CodeBlock::addJITAddIC): Deleted.
(JSC::CodeBlock::addJITMulIC): Deleted.
(JSC::CodeBlock::addJITSubIC): Deleted.
(JSC::CodeBlock::addJITNegIC): Deleted.
(JSC::CodeBlock::findStubInfo): Deleted.
(JSC::CodeBlock::addByValInfo): Deleted.
(JSC::CodeBlock::addCallLinkInfo): Deleted.
(JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): Deleted.
(JSC::CodeBlock::resetJITData): Deleted.
(JSC::CodeBlock::visitOSRExitTargets): Deleted.
(JSC::CodeBlock::stronglyVisitStrongReferences): Deleted.
(JSC::CodeBlock::stronglyVisitWeakReferences): Deleted.
(JSC::CodeBlock::baselineAlternative): Deleted.
(JSC::CodeBlock::baselineVersion): Deleted.
(JSC::CodeBlock::hasOptimizedReplacement): Deleted.
(JSC::CodeBlock::handlerForBytecodeOffset): Deleted.
(JSC::CodeBlock::handlerForIndex): Deleted.
(JSC::CodeBlock::newExceptionHandlingCallSiteIndex): Deleted.
(JSC::CodeBlock::removeExceptionHandlerForCallSite): Deleted.
(JSC::CodeBlock::lineNumberForBytecodeOffset): Deleted.
(JSC::CodeBlock::columnNumberForBytecodeOffset): Deleted.
(JSC::CodeBlock::expressionRangeForBytecodeOffset): Deleted.
(JSC::CodeBlock::hasOpDebugForLineAndColumn): Deleted.
(JSC::CodeBlock::shrinkToFit): Deleted.
(JSC::CodeBlock::linkIncomingCall): Deleted.
(JSC::CodeBlock::linkIncomingPolymorphicCall): Deleted.
(JSC::CodeBlock::unlinkIncomingCalls): Deleted.
(JSC::CodeBlock::newReplacement): Deleted.
(JSC::CodeBlock::replacement): Deleted.
(JSC::CodeBlock::computeCapabilityLevel): Deleted.
(JSC::CodeBlock::jettison): Deleted.
(JSC::CodeBlock::globalObjectFor): Deleted.
(JSC::RecursionCheckFunctor::RecursionCheckFunctor): Deleted.
(JSC::RecursionCheckFunctor::operator()): Deleted.
(JSC::RecursionCheckFunctor::didRecurse): Deleted.
(JSC::CodeBlock::noticeIncomingCall): Deleted.
(JSC::CodeBlock::reoptimizationRetryCounter): Deleted.
(JSC::CodeBlock::setCalleeSaveRegisters): Deleted.
(JSC::roundCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::countReoptimization): Deleted.
(JSC::CodeBlock::numberOfDFGCompiles): Deleted.
(JSC::CodeBlock::codeTypeThresholdMultiplier): Deleted.
(JSC::CodeBlock::optimizationThresholdScalingFactor): Deleted.
(JSC::clipThreshold): Deleted.
(JSC::CodeBlock::adjustedCounterValue): Deleted.
(JSC::CodeBlock::checkIfOptimizationThresholdReached): Deleted.
(JSC::CodeBlock::optimizeNextInvocation): Deleted.
(JSC::CodeBlock::dontOptimizeAnytimeSoon): Deleted.
(JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
(JSC::CodeBlock::optimizeAfterLongWarmUp): Deleted.
(JSC::CodeBlock::optimizeSoon): Deleted.
(JSC::CodeBlock::forceOptimizationSlowPathConcurrently): Deleted.
(JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): Deleted.
(JSC::CodeBlock::adjustedExitCountThreshold): Deleted.
(JSC::CodeBlock::exitCountThresholdForReoptimization): Deleted.
(JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop): Deleted.
(JSC::CodeBlock::shouldReoptimizeNow): Deleted.
(JSC::CodeBlock::shouldReoptimizeFromLoopNow): Deleted.
(JSC::CodeBlock::getArrayProfile): Deleted.
(JSC::CodeBlock::addArrayProfile): Deleted.
(JSC::CodeBlock::getOrAddArrayProfile): Deleted.
(JSC::CodeBlock::codeOrigins): Deleted.
(JSC::CodeBlock::numberOfDFGIdentifiers): Deleted.
(JSC::CodeBlock::identifier): Deleted.
(JSC::CodeBlock::updateAllPredictionsAndCountLiveness): Deleted.
(JSC::CodeBlock::updateAllValueProfilePredictions): Deleted.
(JSC::CodeBlock::updateAllArrayPredictions): Deleted.
(JSC::CodeBlock::updateAllPredictions): Deleted.
(JSC::CodeBlock::shouldOptimizeNow): Deleted.
(JSC::CodeBlock::tallyFrequentExitSites): Deleted.
(JSC::CodeBlock::dumpValueProfiles): Deleted.
(JSC::CodeBlock::frameRegisterCount): Deleted.
(JSC::CodeBlock::stackPointerOffset): Deleted.
(JSC::CodeBlock::predictedMachineCodeSize): Deleted.
(JSC::CodeBlock::usesOpcode): Deleted.
(JSC::CodeBlock::nameForRegister): Deleted.
(JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::validate): Deleted.
(JSC::CodeBlock::beginValidationDidFail): Deleted.
(JSC::CodeBlock::endValidationDidFail): Deleted.
(JSC::CodeBlock::addBreakpoint): Deleted.
(JSC::CodeBlock::setSteppingMode): Deleted.
(JSC::CodeBlock::addRareCaseProfile): Deleted.
(JSC::CodeBlock::rareCaseProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset): Deleted.
(JSC::CodeBlock::arithProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::arithProfileForPC): Deleted.
(JSC::CodeBlock::couldTakeSpecialFastCase): Deleted.
(JSC::CodeBlock::capabilityLevel): Deleted.
(JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler): Deleted.
(JSC::CodeBlock::setPCToCodeOriginMap): Deleted.
(JSC::CodeBlock::findPC): Deleted.
(JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex): Deleted.
(JSC::CodeBlock::thresholdForJIT): Deleted.
(JSC::CodeBlock::jitAfterWarmUp): Deleted.
(JSC::CodeBlock::jitSoon): Deleted.
(JSC::CodeBlock::dumpMathICStats): Deleted.
(JSC::CodeBlock::livenessAnalysisSlow): Deleted.
* bytecode/ModuleProgramCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/CodeBlock.h.
(): Deleted.
(JSC::CodeBlock::unlinkedCodeBlock): Deleted.
(JSC::CodeBlock::numParameters): Deleted.
(JSC::CodeBlock::numCalleeLocals): Deleted.
(JSC::CodeBlock::addressOfNumParameters): Deleted.
(JSC::CodeBlock::offsetOfNumParameters): Deleted.
(JSC::CodeBlock::alternative): Deleted.
(JSC::CodeBlock::forEachRelatedCodeBlock): Deleted.
(JSC::CodeBlock::specializationKind): Deleted.
(JSC::CodeBlock::isStrictMode): Deleted.
(JSC::CodeBlock::ecmaMode): Deleted.
(JSC::CodeBlock::isKnownNotImmediate): Deleted.
(JSC::CodeBlock::isTemporaryRegisterIndex): Deleted.
(JSC::CodeBlock::stubInfoBegin): Deleted.
(JSC::CodeBlock::stubInfoEnd): Deleted.
(JSC::CodeBlock::callLinkInfosBegin): Deleted.
(JSC::CodeBlock::callLinkInfosEnd): Deleted.
(JSC::CodeBlock::setJITCodeMap): Deleted.
(JSC::CodeBlock::jitCodeMap): Deleted.
(JSC::CodeBlock::bytecodeOffset): Deleted.
(JSC::CodeBlock::numberOfInstructions): Deleted.
(JSC::CodeBlock::instructions): Deleted.
(JSC::CodeBlock::instructionCount): Deleted.
(JSC::CodeBlock::setJITCode): Deleted.
(JSC::CodeBlock::jitCode): Deleted.
(JSC::CodeBlock::jitCodeOffset): Deleted.
(JSC::CodeBlock::jitType): Deleted.
(JSC::CodeBlock::hasBaselineJITProfiling): Deleted.
(JSC::CodeBlock::capabilityLevelState): Deleted.
(JSC::CodeBlock::ownerExecutable): Deleted.
(JSC::CodeBlock::ownerScriptExecutable): Deleted.
(JSC::CodeBlock::vm): Deleted.
(JSC::CodeBlock::setThisRegister): Deleted.
(JSC::CodeBlock::thisRegister): Deleted.
(JSC::CodeBlock::usesEval): Deleted.
(JSC::CodeBlock::setScopeRegister): Deleted.
(JSC::CodeBlock::scopeRegister): Deleted.
(JSC::CodeBlock::codeType): Deleted.
(JSC::CodeBlock::putByIdContext): Deleted.
(JSC::CodeBlock::source): Deleted.
(JSC::CodeBlock::sourceOffset): Deleted.
(JSC::CodeBlock::firstLineColumnOffset): Deleted.
(JSC::CodeBlock::numberOfJumpTargets): Deleted.
(JSC::CodeBlock::jumpTarget): Deleted.
(JSC::CodeBlock::numberOfArgumentValueProfiles): Deleted.
(JSC::CodeBlock::valueProfileForArgument): Deleted.
(JSC::CodeBlock::numberOfValueProfiles): Deleted.
(JSC::CodeBlock::valueProfile): Deleted.
(JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): Deleted.
(JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
(JSC::CodeBlock::getFromAllValueProfiles): Deleted.
(JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
(JSC::CodeBlock::likelyToTakeSlowCase): Deleted.
(JSC::CodeBlock::couldTakeSlowCase): Deleted.
(JSC::CodeBlock::numberOfArrayProfiles): Deleted.
(JSC::CodeBlock::arrayProfiles): Deleted.
(JSC::CodeBlock::numberOfExceptionHandlers): Deleted.
(JSC::CodeBlock::exceptionHandler): Deleted.
(JSC::CodeBlock::hasExpressionInfo): Deleted.
(JSC::CodeBlock::hasCodeOrigins): Deleted.
(JSC::CodeBlock::canGetCodeOrigin): Deleted.
(JSC::CodeBlock::codeOrigin): Deleted.
(JSC::CodeBlock::addFrequentExitSite): Deleted.
(JSC::CodeBlock::hasExitSite): Deleted.
(JSC::CodeBlock::exitProfile): Deleted.
(JSC::CodeBlock::lazyOperandValueProfiles): Deleted.
(JSC::CodeBlock::numberOfIdentifiers): Deleted.
(JSC::CodeBlock::identifier): Deleted.
(JSC::CodeBlock::constants): Deleted.
(JSC::CodeBlock::constantsSourceCodeRepresentation): Deleted.
(JSC::CodeBlock::addConstant): Deleted.
(JSC::CodeBlock::addConstantLazily): Deleted.
(JSC::CodeBlock::constantRegister): Deleted.
(JSC::CodeBlock::isConstantRegisterIndex): Deleted.
(JSC::CodeBlock::getConstant): Deleted.
(JSC::CodeBlock::constantSourceCodeRepresentation): Deleted.
(JSC::CodeBlock::functionDecl): Deleted.
(JSC::CodeBlock::numberOfFunctionDecls): Deleted.
(JSC::CodeBlock::functionExpr): Deleted.
(JSC::CodeBlock::regexp): Deleted.
(JSC::CodeBlock::numberOfConstantBuffers): Deleted.
(JSC::CodeBlock::addConstantBuffer): Deleted.
(JSC::CodeBlock::constantBufferAsVector): Deleted.
(JSC::CodeBlock::constantBuffer): Deleted.
(JSC::CodeBlock::heap): Deleted.
(JSC::CodeBlock::globalObject): Deleted.
(JSC::CodeBlock::livenessAnalysis): Deleted.
(JSC::CodeBlock::numberOfSwitchJumpTables): Deleted.
(JSC::CodeBlock::addSwitchJumpTable): Deleted.
(JSC::CodeBlock::switchJumpTable): Deleted.
(JSC::CodeBlock::clearSwitchJumpTables): Deleted.
(JSC::CodeBlock::numberOfStringSwitchJumpTables): Deleted.
(JSC::CodeBlock::addStringSwitchJumpTable): Deleted.
(JSC::CodeBlock::stringSwitchJumpTable): Deleted.
(JSC::CodeBlock::evalCodeCache): Deleted.
(JSC::CodeBlock::checkIfJITThresholdReached): Deleted.
(JSC::CodeBlock::dontJITAnytimeSoon): Deleted.
(JSC::CodeBlock::llintExecuteCounter): Deleted.
(JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
(JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters): Deleted.
(JSC::CodeBlock::addressOfJITExecuteCounter): Deleted.
(JSC::CodeBlock::offsetOfJITExecuteCounter): Deleted.
(JSC::CodeBlock::offsetOfJITExecutionActiveThreshold): Deleted.
(JSC::CodeBlock::offsetOfJITExecutionTotalCount): Deleted.
(JSC::CodeBlock::jitExecuteCounter): Deleted.
(JSC::CodeBlock::optimizationDelayCounter): Deleted.
(JSC::CodeBlock::osrExitCounter): Deleted.
(JSC::CodeBlock::countOSRExit): Deleted.
(JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
(JSC::CodeBlock::offsetOfOSRExitCounter): Deleted.
(JSC::CodeBlock::calleeSaveRegisters): Deleted.
(JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
(JSC::CodeBlock::numberOfDFGCompiles): Deleted.
(JSC::CodeBlock::hasDebuggerRequests): Deleted.
(JSC::CodeBlock::debuggerRequestsAddress): Deleted.
(JSC::CodeBlock::removeBreakpoint): Deleted.
(JSC::CodeBlock::clearDebuggerRequests): Deleted.
(JSC::CodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
(JSC::CodeBlock::clearExceptionHandlers): Deleted.
(JSC::CodeBlock::appendExceptionHandler): Deleted.
(JSC::CodeBlock::tallyFrequentExitSites): Deleted.
(JSC::CodeBlock::replaceConstant): Deleted.
(JSC::CodeBlock::timeSinceCreation): Deleted.
(JSC::CodeBlock::createRareDataIfNecessary): Deleted.
(JSC::GlobalCodeBlock::GlobalCodeBlock): Deleted.
(JSC::ProgramCodeBlock::create): Deleted.
(JSC::ProgramCodeBlock::createStructure): Deleted.
(JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
(JSC::EvalCodeBlock::create): Deleted.
(JSC::EvalCodeBlock::createStructure): Deleted.
(JSC::EvalCodeBlock::variable): Deleted.
(JSC::EvalCodeBlock::numVariables): Deleted.
(JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
(JSC::EvalCodeBlock::unlinkedEvalCodeBlock): Deleted.
(JSC::FunctionCodeBlock::create): Deleted.
(JSC::FunctionCodeBlock::createStructure): Deleted.
(JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
(JSC::WebAssemblyCodeBlock::create): Deleted.
(JSC::WebAssemblyCodeBlock::createStructure): Deleted.
(JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Deleted.
(JSC::ExecState::r): Deleted.
(JSC::ExecState::uncheckedR): Deleted.
(JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
(JSC::ScriptExecutable::forEachCodeBlock): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
* bytecode/ProgramCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/CodeBlock.cpp.
(JSC::FunctionCodeBlock::destroy): Deleted.
(JSC::WebAssemblyCodeBlock::destroy): Deleted.
(JSC::ModuleProgramCodeBlock::destroy): Deleted.
(JSC::EvalCodeBlock::destroy): Deleted.
(JSC::CodeBlock::inferredName): Deleted.
(JSC::CodeBlock::hasHash): Deleted.
(JSC::CodeBlock::isSafeToComputeHash): Deleted.
(JSC::CodeBlock::hash): Deleted.
(JSC::CodeBlock::sourceCodeForTools): Deleted.
(JSC::CodeBlock::sourceCodeOnOneLine): Deleted.
(JSC::CodeBlock::hashAsStringIfPossible): Deleted.
(JSC::CodeBlock::dumpAssumingJITType): Deleted.
(JSC::CodeBlock::dump): Deleted.
(JSC::idName): Deleted.
(JSC::CodeBlock::registerName): Deleted.
(JSC::CodeBlock::constantName): Deleted.
(JSC::regexpToSourceString): Deleted.
(JSC::regexpName): Deleted.
(JSC::debugHookName): Deleted.
(JSC::CodeBlock::printUnaryOp): Deleted.
(JSC::CodeBlock::printBinaryOp): Deleted.
(JSC::CodeBlock::printConditionalJump): Deleted.
(JSC::CodeBlock::printGetByIdOp): Deleted.
(JSC::dumpStructure): Deleted.
(JSC::dumpChain): Deleted.
(JSC::CodeBlock::printGetByIdCacheStatus): Deleted.
(JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
(JSC::CodeBlock::printCallOp): Deleted.
(JSC::CodeBlock::printPutByIdOp): Deleted.
(JSC::CodeBlock::dumpSource): Deleted.
(JSC::CodeBlock::dumpBytecode): Deleted.
(JSC::CodeBlock::dumpExceptionHandlers): Deleted.
(JSC::CodeBlock::beginDumpProfiling): Deleted.
(JSC::CodeBlock::dumpValueProfiling): Deleted.
(JSC::CodeBlock::dumpArrayProfiling): Deleted.
(JSC::CodeBlock::dumpRareCaseProfile): Deleted.
(JSC::CodeBlock::dumpArithProfile): Deleted.
(JSC::CodeBlock::printLocationAndOp): Deleted.
(JSC::CodeBlock::printLocationOpAndRegisterOperand): Deleted.
(JSC::sizeInBytes): Deleted.
(JSC::CodeBlock::CodeBlock): Deleted.
(JSC::CodeBlock::finishCreation): Deleted.
(JSC::CodeBlock::~CodeBlock): Deleted.
(JSC::CodeBlock::setConstantRegisters): Deleted.
(JSC::CodeBlock::setAlternative): Deleted.
(JSC::CodeBlock::setNumParameters): Deleted.
(JSC::EvalCodeCache::visitAggregate): Deleted.
(JSC::CodeBlock::specialOSREntryBlockOrNull): Deleted.
(JSC::CodeBlock::visitWeakly): Deleted.
(JSC::CodeBlock::estimatedSize): Deleted.
(JSC::CodeBlock::visitChildren): Deleted.
(JSC::CodeBlock::shouldVisitStrongly): Deleted.
(JSC::CodeBlock::shouldJettisonDueToWeakReference): Deleted.
(JSC::timeToLive): Deleted.
(JSC::CodeBlock::shouldJettisonDueToOldAge): Deleted.
(JSC::shouldMarkTransition): Deleted.
(JSC::CodeBlock::propagateTransitions): Deleted.
(JSC::CodeBlock::determineLiveness): Deleted.
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
(JSC::CodeBlock::clearLLIntGetByIdCache): Deleted.
(JSC::CodeBlock::finalizeLLIntInlineCaches): Deleted.
(JSC::CodeBlock::finalizeBaselineJITInlineCaches): Deleted.
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
(JSC::CodeBlock::getStubInfoMap): Deleted.
(JSC::CodeBlock::getCallLinkInfoMap): Deleted.
(JSC::CodeBlock::getByValInfoMap): Deleted.
(JSC::CodeBlock::addStubInfo): Deleted.
(JSC::CodeBlock::addJITAddIC): Deleted.
(JSC::CodeBlock::addJITMulIC): Deleted.
(JSC::CodeBlock::addJITSubIC): Deleted.
(JSC::CodeBlock::addJITNegIC): Deleted.
(JSC::CodeBlock::findStubInfo): Deleted.
(JSC::CodeBlock::addByValInfo): Deleted.
(JSC::CodeBlock::addCallLinkInfo): Deleted.
(JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): Deleted.
(JSC::CodeBlock::resetJITData): Deleted.
(JSC::CodeBlock::visitOSRExitTargets): Deleted.
(JSC::CodeBlock::stronglyVisitStrongReferences): Deleted.
(JSC::CodeBlock::stronglyVisitWeakReferences): Deleted.
(JSC::CodeBlock::baselineAlternative): Deleted.
(JSC::CodeBlock::baselineVersion): Deleted.
(JSC::CodeBlock::hasOptimizedReplacement): Deleted.
(JSC::CodeBlock::handlerForBytecodeOffset): Deleted.
(JSC::CodeBlock::handlerForIndex): Deleted.
(JSC::CodeBlock::newExceptionHandlingCallSiteIndex): Deleted.
(JSC::CodeBlock::removeExceptionHandlerForCallSite): Deleted.
(JSC::CodeBlock::lineNumberForBytecodeOffset): Deleted.
(JSC::CodeBlock::columnNumberForBytecodeOffset): Deleted.
(JSC::CodeBlock::expressionRangeForBytecodeOffset): Deleted.
(JSC::CodeBlock::hasOpDebugForLineAndColumn): Deleted.
(JSC::CodeBlock::shrinkToFit): Deleted.
(JSC::CodeBlock::linkIncomingCall): Deleted.
(JSC::CodeBlock::linkIncomingPolymorphicCall): Deleted.
(JSC::CodeBlock::unlinkIncomingCalls): Deleted.
(JSC::CodeBlock::newReplacement): Deleted.
(JSC::CodeBlock::replacement): Deleted.
(JSC::CodeBlock::computeCapabilityLevel): Deleted.
(JSC::CodeBlock::jettison): Deleted.
(JSC::CodeBlock::globalObjectFor): Deleted.
(JSC::RecursionCheckFunctor::RecursionCheckFunctor): Deleted.
(JSC::RecursionCheckFunctor::operator()): Deleted.
(JSC::RecursionCheckFunctor::didRecurse): Deleted.
(JSC::CodeBlock::noticeIncomingCall): Deleted.
(JSC::CodeBlock::reoptimizationRetryCounter): Deleted.
(JSC::CodeBlock::setCalleeSaveRegisters): Deleted.
(JSC::roundCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::countReoptimization): Deleted.
(JSC::CodeBlock::numberOfDFGCompiles): Deleted.
(JSC::CodeBlock::codeTypeThresholdMultiplier): Deleted.
(JSC::CodeBlock::optimizationThresholdScalingFactor): Deleted.
(JSC::clipThreshold): Deleted.
(JSC::CodeBlock::adjustedCounterValue): Deleted.
(JSC::CodeBlock::checkIfOptimizationThresholdReached): Deleted.
(JSC::CodeBlock::optimizeNextInvocation): Deleted.
(JSC::CodeBlock::dontOptimizeAnytimeSoon): Deleted.
(JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
(JSC::CodeBlock::optimizeAfterLongWarmUp): Deleted.
(JSC::CodeBlock::optimizeSoon): Deleted.
(JSC::CodeBlock::forceOptimizationSlowPathConcurrently): Deleted.
(JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): Deleted.
(JSC::CodeBlock::adjustedExitCountThreshold): Deleted.
(JSC::CodeBlock::exitCountThresholdForReoptimization): Deleted.
(JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop): Deleted.
(JSC::CodeBlock::shouldReoptimizeNow): Deleted.
(JSC::CodeBlock::shouldReoptimizeFromLoopNow): Deleted.
(JSC::CodeBlock::getArrayProfile): Deleted.
(JSC::CodeBlock::addArrayProfile): Deleted.
(JSC::CodeBlock::getOrAddArrayProfile): Deleted.
(JSC::CodeBlock::codeOrigins): Deleted.
(JSC::CodeBlock::numberOfDFGIdentifiers): Deleted.
(JSC::CodeBlock::identifier): Deleted.
(JSC::CodeBlock::updateAllPredictionsAndCountLiveness): Deleted.
(JSC::CodeBlock::updateAllValueProfilePredictions): Deleted.
(JSC::CodeBlock::updateAllArrayPredictions): Deleted.
(JSC::CodeBlock::updateAllPredictions): Deleted.
(JSC::CodeBlock::shouldOptimizeNow): Deleted.
(JSC::CodeBlock::tallyFrequentExitSites): Deleted.
(JSC::CodeBlock::dumpValueProfiles): Deleted.
(JSC::CodeBlock::frameRegisterCount): Deleted.
(JSC::CodeBlock::stackPointerOffset): Deleted.
(JSC::CodeBlock::predictedMachineCodeSize): Deleted.
(JSC::CodeBlock::usesOpcode): Deleted.
(JSC::CodeBlock::nameForRegister): Deleted.
(JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::validate): Deleted.
(JSC::CodeBlock::beginValidationDidFail): Deleted.
(JSC::CodeBlock::endValidationDidFail): Deleted.
(JSC::CodeBlock::addBreakpoint): Deleted.
(JSC::CodeBlock::setSteppingMode): Deleted.
(JSC::CodeBlock::addRareCaseProfile): Deleted.
(JSC::CodeBlock::rareCaseProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset): Deleted.
(JSC::CodeBlock::arithProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::arithProfileForPC): Deleted.
(JSC::CodeBlock::couldTakeSpecialFastCase): Deleted.
(JSC::CodeBlock::capabilityLevel): Deleted.
(JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler): Deleted.
(JSC::CodeBlock::setPCToCodeOriginMap): Deleted.
(JSC::CodeBlock::findPC): Deleted.
(JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex): Deleted.
(JSC::CodeBlock::thresholdForJIT): Deleted.
(JSC::CodeBlock::jitAfterWarmUp): Deleted.
(JSC::CodeBlock::jitSoon): Deleted.
(JSC::CodeBlock::dumpMathICStats): Deleted.
(JSC::CodeBlock::livenessAnalysisSlow): Deleted.
* bytecode/ProgramCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/CodeBlock.h.
(): Deleted.
(JSC::CodeBlock::unlinkedCodeBlock): Deleted.
(JSC::CodeBlock::numParameters): Deleted.
(JSC::CodeBlock::numCalleeLocals): Deleted.
(JSC::CodeBlock::addressOfNumParameters): Deleted.
(JSC::CodeBlock::offsetOfNumParameters): Deleted.
(JSC::CodeBlock::alternative): Deleted.
(JSC::CodeBlock::forEachRelatedCodeBlock): Deleted.
(JSC::CodeBlock::specializationKind): Deleted.
(JSC::CodeBlock::isStrictMode): Deleted.
(JSC::CodeBlock::ecmaMode): Deleted.
(JSC::CodeBlock::isKnownNotImmediate): Deleted.
(JSC::CodeBlock::isTemporaryRegisterIndex): Deleted.
(JSC::CodeBlock::stubInfoBegin): Deleted.
(JSC::CodeBlock::stubInfoEnd): Deleted.
(JSC::CodeBlock::callLinkInfosBegin): Deleted.
(JSC::CodeBlock::callLinkInfosEnd): Deleted.
(JSC::CodeBlock::setJITCodeMap): Deleted.
(JSC::CodeBlock::jitCodeMap): Deleted.
(JSC::CodeBlock::bytecodeOffset): Deleted.
(JSC::CodeBlock::numberOfInstructions): Deleted.
(JSC::CodeBlock::instructions): Deleted.
(JSC::CodeBlock::instructionCount): Deleted.
(JSC::CodeBlock::setJITCode): Deleted.
(JSC::CodeBlock::jitCode): Deleted.
(JSC::CodeBlock::jitCodeOffset): Deleted.
(JSC::CodeBlock::jitType): Deleted.
(JSC::CodeBlock::hasBaselineJITProfiling): Deleted.
(JSC::CodeBlock::capabilityLevelState): Deleted.
(JSC::CodeBlock::ownerExecutable): Deleted.
(JSC::CodeBlock::ownerScriptExecutable): Deleted.
(JSC::CodeBlock::vm): Deleted.
(JSC::CodeBlock::setThisRegister): Deleted.
(JSC::CodeBlock::thisRegister): Deleted.
(JSC::CodeBlock::usesEval): Deleted.
(JSC::CodeBlock::setScopeRegister): Deleted.
(JSC::CodeBlock::scopeRegister): Deleted.
(JSC::CodeBlock::codeType): Deleted.
(JSC::CodeBlock::putByIdContext): Deleted.
(JSC::CodeBlock::source): Deleted.
(JSC::CodeBlock::sourceOffset): Deleted.
(JSC::CodeBlock::firstLineColumnOffset): Deleted.
(JSC::CodeBlock::numberOfJumpTargets): Deleted.
(JSC::CodeBlock::jumpTarget): Deleted.
(JSC::CodeBlock::numberOfArgumentValueProfiles): Deleted.
(JSC::CodeBlock::valueProfileForArgument): Deleted.
(JSC::CodeBlock::numberOfValueProfiles): Deleted.
(JSC::CodeBlock::valueProfile): Deleted.
(JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): Deleted.
(JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
(JSC::CodeBlock::getFromAllValueProfiles): Deleted.
(JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
(JSC::CodeBlock::likelyToTakeSlowCase): Deleted.
(JSC::CodeBlock::couldTakeSlowCase): Deleted.
(JSC::CodeBlock::numberOfArrayProfiles): Deleted.
(JSC::CodeBlock::arrayProfiles): Deleted.
(JSC::CodeBlock::numberOfExceptionHandlers): Deleted.
(JSC::CodeBlock::exceptionHandler): Deleted.
(JSC::CodeBlock::hasExpressionInfo): Deleted.
(JSC::CodeBlock::hasCodeOrigins): Deleted.
(JSC::CodeBlock::canGetCodeOrigin): Deleted.
(JSC::CodeBlock::codeOrigin): Deleted.
(JSC::CodeBlock::addFrequentExitSite): Deleted.
(JSC::CodeBlock::hasExitSite): Deleted.
(JSC::CodeBlock::exitProfile): Deleted.
(JSC::CodeBlock::lazyOperandValueProfiles): Deleted.
(JSC::CodeBlock::numberOfIdentifiers): Deleted.
(JSC::CodeBlock::identifier): Deleted.
(JSC::CodeBlock::constants): Deleted.
(JSC::CodeBlock::constantsSourceCodeRepresentation): Deleted.
(JSC::CodeBlock::addConstant): Deleted.
(JSC::CodeBlock::addConstantLazily): Deleted.
(JSC::CodeBlock::constantRegister): Deleted.
(JSC::CodeBlock::isConstantRegisterIndex): Deleted.
(JSC::CodeBlock::getConstant): Deleted.
(JSC::CodeBlock::constantSourceCodeRepresentation): Deleted.
(JSC::CodeBlock::functionDecl): Deleted.
(JSC::CodeBlock::numberOfFunctionDecls): Deleted.
(JSC::CodeBlock::functionExpr): Deleted.
(JSC::CodeBlock::regexp): Deleted.
(JSC::CodeBlock::numberOfConstantBuffers): Deleted.
(JSC::CodeBlock::addConstantBuffer): Deleted.
(JSC::CodeBlock::constantBufferAsVector): Deleted.
(JSC::CodeBlock::constantBuffer): Deleted.
(JSC::CodeBlock::heap): Deleted.
(JSC::CodeBlock::globalObject): Deleted.
(JSC::CodeBlock::livenessAnalysis): Deleted.
(JSC::CodeBlock::numberOfSwitchJumpTables): Deleted.
(JSC::CodeBlock::addSwitchJumpTable): Deleted.
(JSC::CodeBlock::switchJumpTable): Deleted.
(JSC::CodeBlock::clearSwitchJumpTables): Deleted.
(JSC::CodeBlock::numberOfStringSwitchJumpTables): Deleted.
(JSC::CodeBlock::addStringSwitchJumpTable): Deleted.
(JSC::CodeBlock::stringSwitchJumpTable): Deleted.
(JSC::CodeBlock::evalCodeCache): Deleted.
(JSC::CodeBlock::checkIfJITThresholdReached): Deleted.
(JSC::CodeBlock::dontJITAnytimeSoon): Deleted.
(JSC::CodeBlock::llintExecuteCounter): Deleted.
(JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
(JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters): Deleted.
(JSC::CodeBlock::addressOfJITExecuteCounter): Deleted.
(JSC::CodeBlock::offsetOfJITExecuteCounter): Deleted.
(JSC::CodeBlock::offsetOfJITExecutionActiveThreshold): Deleted.
(JSC::CodeBlock::offsetOfJITExecutionTotalCount): Deleted.
(JSC::CodeBlock::jitExecuteCounter): Deleted.
(JSC::CodeBlock::optimizationDelayCounter): Deleted.
(JSC::CodeBlock::osrExitCounter): Deleted.
(JSC::CodeBlock::countOSRExit): Deleted.
(JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
(JSC::CodeBlock::offsetOfOSRExitCounter): Deleted.
(JSC::CodeBlock::calleeSaveRegisters): Deleted.
(JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
(JSC::CodeBlock::numberOfDFGCompiles): Deleted.
(JSC::CodeBlock::hasDebuggerRequests): Deleted.
(JSC::CodeBlock::debuggerRequestsAddress): Deleted.
(JSC::CodeBlock::removeBreakpoint): Deleted.
(JSC::CodeBlock::clearDebuggerRequests): Deleted.
(JSC::CodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
(JSC::CodeBlock::clearExceptionHandlers): Deleted.
(JSC::CodeBlock::appendExceptionHandler): Deleted.
(JSC::CodeBlock::tallyFrequentExitSites): Deleted.
(JSC::CodeBlock::replaceConstant): Deleted.
(JSC::CodeBlock::timeSinceCreation): Deleted.
(JSC::CodeBlock::createRareDataIfNecessary): Deleted.
(JSC::GlobalCodeBlock::GlobalCodeBlock): Deleted.
(JSC::ModuleProgramCodeBlock::create): Deleted.
(JSC::ModuleProgramCodeBlock::createStructure): Deleted.
(JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
(JSC::EvalCodeBlock::create): Deleted.
(JSC::EvalCodeBlock::createStructure): Deleted.
(JSC::EvalCodeBlock::variable): Deleted.
(JSC::EvalCodeBlock::numVariables): Deleted.
(JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
(JSC::EvalCodeBlock::unlinkedEvalCodeBlock): Deleted.
(JSC::FunctionCodeBlock::create): Deleted.
(JSC::FunctionCodeBlock::createStructure): Deleted.
(JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
(JSC::WebAssemblyCodeBlock::create): Deleted.
(JSC::WebAssemblyCodeBlock::createStructure): Deleted.
(JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Deleted.
(JSC::ExecState::r): Deleted.
(JSC::ExecState::uncheckedR): Deleted.
(JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
(JSC::ScriptExecutable::forEachCodeBlock): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
* bytecode/WebAssemblyCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/CodeBlock.cpp.
(JSC::FunctionCodeBlock::destroy): Deleted.
(JSC::ProgramCodeBlock::destroy): Deleted.
(JSC::ModuleProgramCodeBlock::destroy): Deleted.
(JSC::EvalCodeBlock::destroy): Deleted.
(JSC::CodeBlock::inferredName): Deleted.
(JSC::CodeBlock::hasHash): Deleted.
(JSC::CodeBlock::isSafeToComputeHash): Deleted.
(JSC::CodeBlock::hash): Deleted.
(JSC::CodeBlock::sourceCodeForTools): Deleted.
(JSC::CodeBlock::sourceCodeOnOneLine): Deleted.
(JSC::CodeBlock::hashAsStringIfPossible): Deleted.
(JSC::CodeBlock::dumpAssumingJITType): Deleted.
(JSC::CodeBlock::dump): Deleted.
(JSC::idName): Deleted.
(JSC::CodeBlock::registerName): Deleted.
(JSC::CodeBlock::constantName): Deleted.
(JSC::regexpToSourceString): Deleted.
(JSC::regexpName): Deleted.
(JSC::debugHookName): Deleted.
(JSC::CodeBlock::printUnaryOp): Deleted.
(JSC::CodeBlock::printBinaryOp): Deleted.
(JSC::CodeBlock::printConditionalJump): Deleted.
(JSC::CodeBlock::printGetByIdOp): Deleted.
(JSC::dumpStructure): Deleted.
(JSC::dumpChain): Deleted.
(JSC::CodeBlock::printGetByIdCacheStatus): Deleted.
(JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
(JSC::CodeBlock::printCallOp): Deleted.
(JSC::CodeBlock::printPutByIdOp): Deleted.
(JSC::CodeBlock::dumpSource): Deleted.
(JSC::CodeBlock::dumpBytecode): Deleted.
(JSC::CodeBlock::dumpExceptionHandlers): Deleted.
(JSC::CodeBlock::beginDumpProfiling): Deleted.
(JSC::CodeBlock::dumpValueProfiling): Deleted.
(JSC::CodeBlock::dumpArrayProfiling): Deleted.
(JSC::CodeBlock::dumpRareCaseProfile): Deleted.
(JSC::CodeBlock::dumpArithProfile): Deleted.
(JSC::CodeBlock::printLocationAndOp): Deleted.
(JSC::CodeBlock::printLocationOpAndRegisterOperand): Deleted.
(JSC::sizeInBytes): Deleted.
(JSC::CodeBlock::CodeBlock): Deleted.
(JSC::CodeBlock::finishCreation): Deleted.
(JSC::CodeBlock::~CodeBlock): Deleted.
(JSC::CodeBlock::setConstantRegisters): Deleted.
(JSC::CodeBlock::setAlternative): Deleted.
(JSC::CodeBlock::setNumParameters): Deleted.
(JSC::EvalCodeCache::visitAggregate): Deleted.
(JSC::CodeBlock::specialOSREntryBlockOrNull): Deleted.
(JSC::CodeBlock::visitWeakly): Deleted.
(JSC::CodeBlock::estimatedSize): Deleted.
(JSC::CodeBlock::visitChildren): Deleted.
(JSC::CodeBlock::shouldVisitStrongly): Deleted.
(JSC::CodeBlock::shouldJettisonDueToWeakReference): Deleted.
(JSC::timeToLive): Deleted.
(JSC::CodeBlock::shouldJettisonDueToOldAge): Deleted.
(JSC::shouldMarkTransition): Deleted.
(JSC::CodeBlock::propagateTransitions): Deleted.
(JSC::CodeBlock::determineLiveness): Deleted.
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
(JSC::CodeBlock::clearLLIntGetByIdCache): Deleted.
(JSC::CodeBlock::finalizeLLIntInlineCaches): Deleted.
(JSC::CodeBlock::finalizeBaselineJITInlineCaches): Deleted.
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
(JSC::CodeBlock::getStubInfoMap): Deleted.
(JSC::CodeBlock::getCallLinkInfoMap): Deleted.
(JSC::CodeBlock::getByValInfoMap): Deleted.
(JSC::CodeBlock::addStubInfo): Deleted.
(JSC::CodeBlock::addJITAddIC): Deleted.
(JSC::CodeBlock::addJITMulIC): Deleted.
(JSC::CodeBlock::addJITSubIC): Deleted.
(JSC::CodeBlock::addJITNegIC): Deleted.
(JSC::CodeBlock::findStubInfo): Deleted.
(JSC::CodeBlock::addByValInfo): Deleted.
(JSC::CodeBlock::addCallLinkInfo): Deleted.
(JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): Deleted.
(JSC::CodeBlock::resetJITData): Deleted.
(JSC::CodeBlock::visitOSRExitTargets): Deleted.
(JSC::CodeBlock::stronglyVisitStrongReferences): Deleted.
(JSC::CodeBlock::stronglyVisitWeakReferences): Deleted.
(JSC::CodeBlock::baselineAlternative): Deleted.
(JSC::CodeBlock::baselineVersion): Deleted.
(JSC::CodeBlock::hasOptimizedReplacement): Deleted.
(JSC::CodeBlock::handlerForBytecodeOffset): Deleted.
(JSC::CodeBlock::handlerForIndex): Deleted.
(JSC::CodeBlock::newExceptionHandlingCallSiteIndex): Deleted.
(JSC::CodeBlock::removeExceptionHandlerForCallSite): Deleted.
(JSC::CodeBlock::lineNumberForBytecodeOffset): Deleted.
(JSC::CodeBlock::columnNumberForBytecodeOffset): Deleted.
(JSC::CodeBlock::expressionRangeForBytecodeOffset): Deleted.
(JSC::CodeBlock::hasOpDebugForLineAndColumn): Deleted.
(JSC::CodeBlock::shrinkToFit): Deleted.
(JSC::CodeBlock::linkIncomingCall): Deleted.
(JSC::CodeBlock::linkIncomingPolymorphicCall): Deleted.
(JSC::CodeBlock::unlinkIncomingCalls): Deleted.
(JSC::CodeBlock::newReplacement): Deleted.
(JSC::CodeBlock::replacement): Deleted.
(JSC::CodeBlock::computeCapabilityLevel): Deleted.
(JSC::CodeBlock::jettison): Deleted.
(JSC::CodeBlock::globalObjectFor): Deleted.
(JSC::RecursionCheckFunctor::RecursionCheckFunctor): Deleted.
(JSC::RecursionCheckFunctor::operator()): Deleted.
(JSC::RecursionCheckFunctor::didRecurse): Deleted.
(JSC::CodeBlock::noticeIncomingCall): Deleted.
(JSC::CodeBlock::reoptimizationRetryCounter): Deleted.
(JSC::CodeBlock::setCalleeSaveRegisters): Deleted.
(JSC::roundCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::countReoptimization): Deleted.
(JSC::CodeBlock::numberOfDFGCompiles): Deleted.
(JSC::CodeBlock::codeTypeThresholdMultiplier): Deleted.
(JSC::CodeBlock::optimizationThresholdScalingFactor): Deleted.
(JSC::clipThreshold): Deleted.
(JSC::CodeBlock::adjustedCounterValue): Deleted.
(JSC::CodeBlock::checkIfOptimizationThresholdReached): Deleted.
(JSC::CodeBlock::optimizeNextInvocation): Deleted.
(JSC::CodeBlock::dontOptimizeAnytimeSoon): Deleted.
(JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
(JSC::CodeBlock::optimizeAfterLongWarmUp): Deleted.
(JSC::CodeBlock::optimizeSoon): Deleted.
(JSC::CodeBlock::forceOptimizationSlowPathConcurrently): Deleted.
(JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): Deleted.
(JSC::CodeBlock::adjustedExitCountThreshold): Deleted.
(JSC::CodeBlock::exitCountThresholdForReoptimization): Deleted.
(JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop): Deleted.
(JSC::CodeBlock::shouldReoptimizeNow): Deleted.
(JSC::CodeBlock::shouldReoptimizeFromLoopNow): Deleted.
(JSC::CodeBlock::getArrayProfile): Deleted.
(JSC::CodeBlock::addArrayProfile): Deleted.
(JSC::CodeBlock::getOrAddArrayProfile): Deleted.
(JSC::CodeBlock::codeOrigins): Deleted.
(JSC::CodeBlock::numberOfDFGIdentifiers): Deleted.
(JSC::CodeBlock::identifier): Deleted.
(JSC::CodeBlock::updateAllPredictionsAndCountLiveness): Deleted.
(JSC::CodeBlock::updateAllValueProfilePredictions): Deleted.
(JSC::CodeBlock::updateAllArrayPredictions): Deleted.
(JSC::CodeBlock::updateAllPredictions): Deleted.
(JSC::CodeBlock::shouldOptimizeNow): Deleted.
(JSC::CodeBlock::tallyFrequentExitSites): Deleted.
(JSC::CodeBlock::dumpValueProfiles): Deleted.
(JSC::CodeBlock::frameRegisterCount): Deleted.
(JSC::CodeBlock::stackPointerOffset): Deleted.
(JSC::CodeBlock::predictedMachineCodeSize): Deleted.
(JSC::CodeBlock::usesOpcode): Deleted.
(JSC::CodeBlock::nameForRegister): Deleted.
(JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::validate): Deleted.
(JSC::CodeBlock::beginValidationDidFail): Deleted.
(JSC::CodeBlock::endValidationDidFail): Deleted.
(JSC::CodeBlock::addBreakpoint): Deleted.
(JSC::CodeBlock::setSteppingMode): Deleted.
(JSC::CodeBlock::addRareCaseProfile): Deleted.
(JSC::CodeBlock::rareCaseProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset): Deleted.
(JSC::CodeBlock::arithProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::arithProfileForPC): Deleted.
(JSC::CodeBlock::couldTakeSpecialFastCase): Deleted.
(JSC::CodeBlock::capabilityLevel): Deleted.
(JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler): Deleted.
(JSC::CodeBlock::setPCToCodeOriginMap): Deleted.
(JSC::CodeBlock::findPC): Deleted.
(JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex): Deleted.
(JSC::CodeBlock::thresholdForJIT): Deleted.
(JSC::CodeBlock::jitAfterWarmUp): Deleted.
(JSC::CodeBlock::jitSoon): Deleted.
(JSC::CodeBlock::dumpMathICStats): Deleted.
(JSC::CodeBlock::livenessAnalysisSlow): Deleted.
* bytecode/WebAssemblyCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/CodeBlock.h.
(): Deleted.
(JSC::CodeBlock::unlinkedCodeBlock): Deleted.
(JSC::CodeBlock::numParameters): Deleted.
(JSC::CodeBlock::numCalleeLocals): Deleted.
(JSC::CodeBlock::addressOfNumParameters): Deleted.
(JSC::CodeBlock::offsetOfNumParameters): Deleted.
(JSC::CodeBlock::alternative): Deleted.
(JSC::CodeBlock::forEachRelatedCodeBlock): Deleted.
(JSC::CodeBlock::specializationKind): Deleted.
(JSC::CodeBlock::isStrictMode): Deleted.
(JSC::CodeBlock::ecmaMode): Deleted.
(JSC::CodeBlock::isKnownNotImmediate): Deleted.
(JSC::CodeBlock::isTemporaryRegisterIndex): Deleted.
(JSC::CodeBlock::stubInfoBegin): Deleted.
(JSC::CodeBlock::stubInfoEnd): Deleted.
(JSC::CodeBlock::callLinkInfosBegin): Deleted.
(JSC::CodeBlock::callLinkInfosEnd): Deleted.
(JSC::CodeBlock::setJITCodeMap): Deleted.
(JSC::CodeBlock::jitCodeMap): Deleted.
(JSC::CodeBlock::bytecodeOffset): Deleted.
(JSC::CodeBlock::numberOfInstructions): Deleted.
(JSC::CodeBlock::instructions): Deleted.
(JSC::CodeBlock::instructionCount): Deleted.
(JSC::CodeBlock::setJITCode): Deleted.
(JSC::CodeBlock::jitCode): Deleted.
(JSC::CodeBlock::jitCodeOffset): Deleted.
(JSC::CodeBlock::jitType): Deleted.
(JSC::CodeBlock::hasBaselineJITProfiling): Deleted.
(JSC::CodeBlock::capabilityLevelState): Deleted.
(JSC::CodeBlock::ownerExecutable): Deleted.
(JSC::CodeBlock::ownerScriptExecutable): Deleted.
(JSC::CodeBlock::vm): Deleted.
(JSC::CodeBlock::setThisRegister): Deleted.
(JSC::CodeBlock::thisRegister): Deleted.
(JSC::CodeBlock::usesEval): Deleted.
(JSC::CodeBlock::setScopeRegister): Deleted.
(JSC::CodeBlock::scopeRegister): Deleted.
(JSC::CodeBlock::codeType): Deleted.
(JSC::CodeBlock::putByIdContext): Deleted.
(JSC::CodeBlock::source): Deleted.
(JSC::CodeBlock::sourceOffset): Deleted.
(JSC::CodeBlock::firstLineColumnOffset): Deleted.
(JSC::CodeBlock::numberOfJumpTargets): Deleted.
(JSC::CodeBlock::jumpTarget): Deleted.
(JSC::CodeBlock::numberOfArgumentValueProfiles): Deleted.
(JSC::CodeBlock::valueProfileForArgument): Deleted.
(JSC::CodeBlock::numberOfValueProfiles): Deleted.
(JSC::CodeBlock::valueProfile): Deleted.
(JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): Deleted.
(JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
(JSC::CodeBlock::getFromAllValueProfiles): Deleted.
(JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
(JSC::CodeBlock::likelyToTakeSlowCase): Deleted.
(JSC::CodeBlock::couldTakeSlowCase): Deleted.
(JSC::CodeBlock::numberOfArrayProfiles): Deleted.
(JSC::CodeBlock::arrayProfiles): Deleted.
(JSC::CodeBlock::numberOfExceptionHandlers): Deleted.
(JSC::CodeBlock::exceptionHandler): Deleted.
(JSC::CodeBlock::hasExpressionInfo): Deleted.
(JSC::CodeBlock::hasCodeOrigins): Deleted.
(JSC::CodeBlock::canGetCodeOrigin): Deleted.
(JSC::CodeBlock::codeOrigin): Deleted.
(JSC::CodeBlock::addFrequentExitSite): Deleted.
(JSC::CodeBlock::hasExitSite): Deleted.
(JSC::CodeBlock::exitProfile): Deleted.
(JSC::CodeBlock::lazyOperandValueProfiles): Deleted.
(JSC::CodeBlock::numberOfIdentifiers): Deleted.
(JSC::CodeBlock::identifier): Deleted.
(JSC::CodeBlock::constants): Deleted.
(JSC::CodeBlock::constantsSourceCodeRepresentation): Deleted.
(JSC::CodeBlock::addConstant): Deleted.
(JSC::CodeBlock::addConstantLazily): Deleted.
(JSC::CodeBlock::constantRegister): Deleted.
(JSC::CodeBlock::isConstantRegisterIndex): Deleted.
(JSC::CodeBlock::getConstant): Deleted.
(JSC::CodeBlock::constantSourceCodeRepresentation): Deleted.
(JSC::CodeBlock::functionDecl): Deleted.
(JSC::CodeBlock::numberOfFunctionDecls): Deleted.
(JSC::CodeBlock::functionExpr): Deleted.
(JSC::CodeBlock::regexp): Deleted.
(JSC::CodeBlock::numberOfConstantBuffers): Deleted.
(JSC::CodeBlock::addConstantBuffer): Deleted.
(JSC::CodeBlock::constantBufferAsVector): Deleted.
(JSC::CodeBlock::constantBuffer): Deleted.
(JSC::CodeBlock::heap): Deleted.
(JSC::CodeBlock::globalObject): Deleted.
(JSC::CodeBlock::livenessAnalysis): Deleted.
(JSC::CodeBlock::numberOfSwitchJumpTables): Deleted.
(JSC::CodeBlock::addSwitchJumpTable): Deleted.
(JSC::CodeBlock::switchJumpTable): Deleted.
(JSC::CodeBlock::clearSwitchJumpTables): Deleted.
(JSC::CodeBlock::numberOfStringSwitchJumpTables): Deleted.
(JSC::CodeBlock::addStringSwitchJumpTable): Deleted.
(JSC::CodeBlock::stringSwitchJumpTable): Deleted.
(JSC::CodeBlock::evalCodeCache): Deleted.
(JSC::CodeBlock::checkIfJITThresholdReached): Deleted.
(JSC::CodeBlock::dontJITAnytimeSoon): Deleted.
(JSC::CodeBlock::llintExecuteCounter): Deleted.
(JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
(JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters): Deleted.
(JSC::CodeBlock::addressOfJITExecuteCounter): Deleted.
(JSC::CodeBlock::offsetOfJITExecuteCounter): Deleted.
(JSC::CodeBlock::offsetOfJITExecutionActiveThreshold): Deleted.
(JSC::CodeBlock::offsetOfJITExecutionTotalCount): Deleted.
(JSC::CodeBlock::jitExecuteCounter): Deleted.
(JSC::CodeBlock::optimizationDelayCounter): Deleted.
(JSC::CodeBlock::osrExitCounter): Deleted.
(JSC::CodeBlock::countOSRExit): Deleted.
(JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
(JSC::CodeBlock::offsetOfOSRExitCounter): Deleted.
(JSC::CodeBlock::calleeSaveRegisters): Deleted.
(JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
(JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
(JSC::CodeBlock::numberOfDFGCompiles): Deleted.
(JSC::CodeBlock::hasDebuggerRequests): Deleted.
(JSC::CodeBlock::debuggerRequestsAddress): Deleted.
(JSC::CodeBlock::removeBreakpoint): Deleted.
(JSC::CodeBlock::clearDebuggerRequests): Deleted.
(JSC::CodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
(JSC::CodeBlock::clearExceptionHandlers): Deleted.
(JSC::CodeBlock::appendExceptionHandler): Deleted.
(JSC::CodeBlock::tallyFrequentExitSites): Deleted.
(JSC::CodeBlock::replaceConstant): Deleted.
(JSC::CodeBlock::timeSinceCreation): Deleted.
(JSC::CodeBlock::createRareDataIfNecessary): Deleted.
(JSC::GlobalCodeBlock::GlobalCodeBlock): Deleted.
(JSC::ProgramCodeBlock::create): Deleted.
(JSC::ProgramCodeBlock::createStructure): Deleted.
(JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
(JSC::ModuleProgramCodeBlock::create): Deleted.
(JSC::ModuleProgramCodeBlock::createStructure): Deleted.
(JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
(JSC::EvalCodeBlock::create): Deleted.
(JSC::EvalCodeBlock::createStructure): Deleted.
(JSC::EvalCodeBlock::variable): Deleted.
(JSC::EvalCodeBlock::numVariables): Deleted.
(JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
(JSC::EvalCodeBlock::unlinkedEvalCodeBlock): Deleted.
(JSC::FunctionCodeBlock::create): Deleted.
(JSC::FunctionCodeBlock::createStructure): Deleted.
(JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
(JSC::ExecState::r): Deleted.
(JSC::ExecState::uncheckedR): Deleted.
(JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
(JSC::ScriptExecutable::forEachCodeBlock): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
* dfg/DFGByteCodeParser.cpp:
* interpreter/Interpreter.cpp:
* jit/JITOperations.cpp:
* jit/Repatch.cpp:
* llint/LLIntSlowPaths.cpp:
* runtime/CommonSlowPaths.h:
* runtime/EvalExecutable.cpp:
* runtime/ExecutableBase.cpp:
* runtime/FunctionExecutable.cpp:
* runtime/FunctionExecutableDump.cpp:
* runtime/ModuleProgramExecutable.cpp:
* runtime/ProgramExecutable.cpp:
* runtime/ScriptExecutable.cpp:
* runtime/ScriptExecutable.h:
* runtime/TestRunnerUtils.cpp:
* runtime/VM.cpp:
* runtime/WebAssemblyExecutable.cpp:
* tools/JSDollarVMPrototype.cpp:
2016-11-01 Sam Weinig <sam@webkit.org>
[WebIDL] Move interfaces and typed arrays over to JSDOMConvert
https://bugs.webkit.org/show_bug.cgi?id=164256
Reviewed by Alex Christensen.
* runtime/JSArrayBuffer.h:
(JSC::JSArrayBuffer::toWrapped):
Change return type to ArrayBuffer* to match WebCore's expectation.
2016-11-02 Filip Pizlo <fpizlo@apple.com>
The GC should be in a thread
https://bugs.webkit.org/show_bug.cgi?id=163562
Reviewed by Geoffrey Garen and Andreas Kling.
In a concurrent GC, the work of collecting happens on a separate thread. This patch
implements this, and schedules the thread the way that a concurrent GC thread would be
scheduled. But, the GC isn't actually concurrent yet because it calls stopTheWorld() before
doing anything and calls resumeTheWorld() after it's done with everything. The next step will
be to make it really concurrent by basically calling stopTheWorld()/resumeTheWorld() around
bounded snippets of work while making most of the work happen with the world running. Our GC
will probably always have stop-the-world phases because the semantics of JSC weak references
call for it.
This implements concurrent GC scheduling. This means that there is no longer a
Heap::collect() API. Instead, you can call collectAsync() which makes sure that a GC is
scheduled (it will do nothing if one is scheduled or ongoing) or you can call collectSync()
to schedule a GC and wait for it to happen. I made our debugging stuff call collectSync().
It should be a goal to never call collectSync() except for debugging or benchmark harness
hacks.
The collector thread is an AutomaticThread, so it won't linger when not in use. It works on
a ticket-based system, like you would see at the DMV. A ticket is a 64-bit integer. There are
two ticket counters: last granted and last served. When you request a collection, last
granted is incremented and its new value given to you. When a collection completes, last
served is incremented. collectSync() waits until last served catches up to what last granted
had been at the time you requested a GC. This means that if you request a sync GC in the
middle of an async GC, you will wait for that async GC to finish and then you will request
and wait for your sync GC.
The synchronization between the collector thread and the main threads is complex. The
collector thread needs to be able to ask the main thread to stop. It needs to be able to do
some post-GC clean-up, like the synchronous CodeBlock and LargeAllocation sweeps, on the main
thread. The collector needs to be able to ask the main thread to execute a cross-modifying
code fence before running any JIT code, since the GC might aid the JIT worklist and run JIT
finalization. It's possible for the GC to want the main thread to run something at the same
time that the main thread wants to wait for the GC. The main thread needs to be able to run
non-JSC stuff without causing the GC to completely stall. The main thread needs to be able
to query its own state (is there a request to stop?) and change it (running JSC versus not)
quickly, since this may happen on hot paths. This kind of intertwined system of requests,
notifications, and state changes requires a combination of lock-free algorithms and waiting.
So, this is all implemented using a Atomic<unsigned> Heap::m_worldState, which has bits to
represent things being requested by the collector and the heap access state of the mutator. I
am borrowing a lot of terms that I've seen in other VMs that I've worked on. Here's what they
mean:
- Stop the world: make sure that either the mutator is not running, or that it's not running
code that could mess with the heap.
- Heap access: the mutator is said to have heap access if it could mess with the heap.
If you stop the world and the mutator doesn't have heap access, all you're doing is making
sure that it will block when it tries to acquire heap access. This means that our GC is
already fully concurrent in cases where the GC is requested while the mutator has no heap
access. This probably won't happen, but if it did then it should just work. Usually, stopping
the world means that we state our shouldStop request with m_worldState, and a future call
to Heap::stopIfNecessary() will go to slow path and stop. The act of stopping or waiting to
acquire heap access is managed by using ParkingLot API directly on m_worldState. This works
out great because it would be very awkward to get the same functionality using locks and
condition variables, since we want stopIfNecessary/acquireAccess/requestAccess fast paths
that are single atomic instructions (load/CAS/CAS, respectively). The mutator will call these
things frequently. Currently we have Heap::stopIfNecessary() polling on every allocator slow
path, but we may want to make it even more frequent than that.
Currently only JSC API clients benefit from the heap access optimization. The DOM forces us
to assume that heap access is permanently on, since DOM manipulation doesn't always hold the
JSLock. We could still allow the GC to proceed when the runloop is idle by having the GC put
a task on the runloop that just calls stopIfNecessary().
This is perf neutral. The only behavior change that clients ought to observe is that marking
and the weak fixpoint happen on a separate thread. Marking was already parallel so it already
handled multiple threads, but now it _never_ runs on the main thread. The weak fixpoint
needed some help to be able to run on another thread - mostly because there was some code in
IndexedDB that was using thread specifics in the weak fixpoint.
* API/JSBase.cpp:
(JSSynchronousEdenCollectForDebugging):
* API/JSManagedValue.mm:
(-[JSManagedValue initWithValue:]):
* heap/EdenGCActivityCallback.cpp:
(JSC::EdenGCActivityCallback::doCollection):
* heap/FullGCActivityCallback.cpp:
(JSC::FullGCActivityCallback::doCollection):
* heap/Heap.cpp:
(JSC::Heap::Thread::Thread):
(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::markRoots):
(JSC::Heap::gatherStackRoots):
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::collectAllGarbage):
(JSC::Heap::collectAsync):
(JSC::Heap::collectSync):
(JSC::Heap::shouldCollectInThread):
(JSC::Heap::collectInThread):
(JSC::Heap::stopTheWorld):
(JSC::Heap::resumeTheWorld):
(JSC::Heap::stopIfNecessarySlow):
(JSC::Heap::acquireAccessSlow):
(JSC::Heap::releaseAccessSlow):
(JSC::Heap::handleDidJIT):
(JSC::Heap::handleNeedFinalize):
(JSC::Heap::setDidJIT):
(JSC::Heap::setNeedFinalize):
(JSC::Heap::waitWhileNeedFinalize):
(JSC::Heap::finalize):
(JSC::Heap::requestCollection):
(JSC::Heap::waitForCollection):
(JSC::Heap::didFinishCollection):
(JSC::Heap::canCollect):
(JSC::Heap::shouldCollectHeuristic):
(JSC::Heap::shouldCollect):
(JSC::Heap::collectIfNecessaryOrDefer):
(JSC::Heap::collectAccordingToDeferGCProbability):
(JSC::Heap::collect): Deleted.
(JSC::Heap::collectWithoutAnySweep): Deleted.
(JSC::Heap::collectImpl): Deleted.
* heap/Heap.h:
(JSC::Heap::ReleaseAccessScope::ReleaseAccessScope):
(JSC::Heap::ReleaseAccessScope::~ReleaseAccessScope):
* heap/HeapInlines.h:
(JSC::Heap::acquireAccess):
(JSC::Heap::releaseAccess):
(JSC::Heap::stopIfNecessary):
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::gatherConservativeRoots):
(JSC::MachineThreads::gatherFromCurrentThread): Deleted.
* heap/MachineStackMarker.h:
* jit/JITWorklist.cpp:
(JSC::JITWorklist::completeAllForVM):
* jit/JITWorklist.h:
* jsc.cpp:
(functionFullGC):
(functionEdenGC):
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
(JSC::JSLock::unlock):
(JSC::JSLock::willReleaseLock):
* tools/JSDollarVMPrototype.cpp:
(JSC::JSDollarVMPrototype::edenGC):
2016-11-02 Michael Saboff <msaboff@apple.com>
Crash beneath SlotVisitor::drain @ cooksillustrated.com
https://bugs.webkit.org/show_bug.cgi?id=164304
Reviewed by Mark Lam.
Added back write barrier for the base cell of put-by_id in the LLInt when the structure is
changed. Also removed the unused macro "storeStructureWithTypeInfo".
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2016-11-02 Keith Miller <keith_miller@apple.com>
We should not pop from an empty stack in the Wasm function parser.
https://bugs.webkit.org/show_bug.cgi?id=164275
Reviewed by Filip Pizlo.
This patch prevents an issue in the wasm parser where we might
accidentially pop from the expression stack without if there
are no entries. It also fixes a similar issue with else
blocks where a user might try to put an else on the top level
of a function.
* wasm/WasmB3IRGenerator.cpp:
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::popExpressionStack):
* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::setErrorMessage):
2016-11-02 Romain Bellessort <romain.bellessort@crf.canon.fr>
[Readable Streams API] Enable creation of ReadableByteStreamController
https://bugs.webkit.org/show_bug.cgi?id=164014
Reviewed by Youenn Fablet.
Added flag for the byte stream part of Readable Streams API.
* Configurations/FeatureDefines.xcconfig:
2016-11-02 Per Arne Vollan <pvollan@apple.com>
[Win] Copy build results to AAS 'Program Files' folder.
https://bugs.webkit.org/show_bug.cgi?id=164273
Reviewed by Brent Fulgham.
The preferred location for the binaries is the AAS 'Program Files' folder.
* JavaScriptCore.vcxproj/JavaScriptCore.proj:
2016-11-01 Ryosuke Niwa <rniwa@webkit.org>
Remove CUSTOM_ELEMENTS build flag
https://bugs.webkit.org/show_bug.cgi?id=164267
Reviewed by Antti Koivisto.
Removed the build flag.
* Configurations/FeatureDefines.xcconfig:
2016-11-01 Keith Miller <keith_miller@apple.com>
Add a WASM function validator.
https://bugs.webkit.org/show_bug.cgi?id=161707
Reviewed by Saam Barati.
This is a new template specialization of the Wasm FunctionParser class. Instead of having
the FunctionParser track what B3 values each stack entry refers to the validator has each
entry refer to the type of the stack entry. Additionally, the control stack tracks what type
of block the object is and what the result type of the block is. The validation functions
for unary, binary, and memory operations are autogenerated by the
generateWasmValidateInlinesHeader.py script.
There are still a couple issue with validating that will be addressed in follow-up patches.
1) We need to handle result types from basic blocks. https://bugs.webkit.org/show_bug.cgi?id=164100
2) We need to handle popping things from stacks when they don't exist. https://bugs.webkit.org/show_bug.cgi?id=164275
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* testWasm.cpp:
(runWasmTests):
* wasm/WasmB3IRGenerator.cpp:
* wasm/WasmFormat.cpp: Added.
(JSC::Wasm::toString):
* wasm/WasmFormat.h:
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::Plan):
* wasm/WasmValidate.cpp: Added.
(JSC::Wasm::Validate::ControlData::ControlData):
(JSC::Wasm::Validate::ControlData::dump):
(JSC::Wasm::Validate::ControlData::type):
(JSC::Wasm::Validate::ControlData::signature):
(JSC::Wasm::Validate::addConstant):
(JSC::Wasm::Validate::isContinuationReachable):
(JSC::Wasm::Validate::errorMessage):
(JSC::Wasm::Validate::Validate):
(JSC::Wasm::Validate::addArguments):
(JSC::Wasm::Validate::addLocal):
(JSC::Wasm::Validate::getLocal):
(JSC::Wasm::Validate::setLocal):
(JSC::Wasm::Validate::addBlock):
(JSC::Wasm::Validate::addLoop):
(JSC::Wasm::Validate::addIf):
(JSC::Wasm::Validate::addElse):
(JSC::Wasm::Validate::addReturn):
(JSC::Wasm::Validate::addBranch):
(JSC::Wasm::Validate::endBlock):
(JSC::Wasm::Validate::addCall):
(JSC::Wasm::Validate::unify):
(JSC::Wasm::Validate::dump):
(JSC::Wasm::validateFunction):
* wasm/WasmValidate.h: Added.
* wasm/generateWasmValidateInlinesHeader.py: Added.
(cppType):
(toCpp):
(unaryMacro):
(binaryMacro):
(loadMacro):
(storeMacro):
2016-11-01 Saam Barati <sbarati@apple.com>
We should be able to eliminate rest parameter allocations
https://bugs.webkit.org/show_bug.cgi?id=163925
Reviewed by Filip Pizlo.
This is the first step towards eliminating rest parameter
allocations when they're spread to other function calls:
`function foo(...args) { bar(...args); }`
This patch simply removes the allocation for rest parameter
allocations using the same escape analysis that is performed
in the argument elimination phase. I've added a new rule to
the phase to make sure that CheckStructure doesn't count as
an escape for an allocation since this often shows up in code
like this:
```
function foo(...args) {
let r = [];
for (let i = 0; i < args.length; i++)
r.push(args[i]);
return r;
}
```
The above program now entirely eliminates the allocation for args
compiled in the FTL. Programs like this also eliminate the allocation
for args:
```
function foo(...args) { return [args.length, args[0]]; }
function bar(...args) { return someOtherFunction.apply(null, args); }
```
This patch extends the arguments elimination phase to understand
the concept that we may want to forward arguments, or get from
the arguments region, starting at some offset. The offset is the
number of names parameter before the rest parameter. For example:
```
function foo(a, b, ...args) { return bar.apply(null, args); }
```
Will forward arguments starting at the *third* argument.
Our arguments forwarding code already had the notion of starting
from some offset, however, I found bugs in that code. I extended
it to work properly for rest parameters with arbitrary skip offsets.
And this program:
```
function foo(...args) {
let r = [];
for (let i = 0; i < args.length; i++)
r.push(args[i]);
return r;
}
```
Knows to perform the GetMyArgumentByVal* with an offset of 3
inside the loop. To make this work, I taught GetMyArgumentByVal
and GetMyArgumentByValOutOfBounds to take an offset representing
the number of arguments to skip.
This patch is a ~20% speedup on microbenchmarks.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasConstant):
(JSC::DFG::Node::constant):
(JSC::DFG::Node::isPhantomAllocation):
(JSC::DFG::Node::numberOfArgumentsToSkip):
* dfg/DFGNodeType.h:
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
* dfg/DFGOperations.cpp:
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCreateRest):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureRegistrationPhase.cpp:
(JSC::DFG::StructureRegistrationPhase::run):
* dfg/DFGValidate.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
(JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
(JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationPopulateObjectInOSR):
(JSC::FTL::operationMaterializeObjectInOSR):
* jit/SetupVarargsFrame.cpp:
(JSC::emitSetVarargsFrame):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::restParameterStructure):
2016-11-01 Geoffrey Garen <ggaren@apple.com>
Lots of stderr logging in JSManagedValue
https://bugs.webkit.org/show_bug.cgi?id=164279
<rdar://problem/28949886>
Reviewed by Filip Pizlo.
Revert an accidental change in <https://trac.webkit.org/changeset/205462>.
* API/JSManagedValue.mm:
(-[JSManagedValue initWithValue:]):
2016-11-01 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r208208 and r208210.
https://bugs.webkit.org/show_bug.cgi?id=164276
This change caused 28 JSC test failures. (Requested by
ryanhaddad on #webkit).
Reverted changesets:
"We should be able to eliminate rest parameter allocations"
https://bugs.webkit.org/show_bug.cgi?id=163925
http://trac.webkit.org/changeset/208208
"Fix the EFL build."
http://trac.webkit.org/changeset/208210
2016-11-01 Ryosuke Niwa <rniwa@webkit.org>
Web Inspector: Add the support for custom elements
https://bugs.webkit.org/show_bug.cgi?id=164266
<rdar://problem/29038883>
Reviewed by Joseph Pecoraro.
Added customElementState of type CustomElementState to reflect the custom element state on each DOM node
along with customElementStateChanged which fires when the custom element state changes.
* inspector/protocol/DOM.json:
2016-10-31 Simon Fraser <simon.fraser@apple.com>
Fix the EFL build.
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):
2016-10-29 Filip Pizlo <fpizlo@apple.com>
JSC should support SharedArrayBuffer
https://bugs.webkit.org/show_bug.cgi?id=163986
Reviewed by Keith Miller.
This implements https://tc39.github.io/ecmascript_sharedmem/shmem.html.
There is now a new SharedArrayBuffer type. In the JS runtime, which includes typed array
types, the SharedArrayBuffer is a drop-in replacement for ArrayBuffer, even though they are
distinct types (new SharedArrayBuffer() instanceof ArrayBuffer == false and vice versa). The
DOM will not recognize SharedArrayBuffer, or any typed array that wraps it, to ensure safety.
This matches what other browsers intend to do, see
https://github.com/tc39/ecmascript_sharedmem/issues/38. API is provided for the DOM to opt
into SharedArrayBuffer. One notable place is postMessage, which will share the
SharedArrayBuffer's underlying data storage with other workers. This creates a pool of shared
memory that the workers can use to talk to each other.
There is also an Atomics object in global scope, which exposes sequentially consistent atomic
operations: add, and, compareExchange, exchange, load, or, store, sub, and xor. Additionally
it exposes a Atomics.isLockFree utility, which takes a byte amount and returns true or false.
Also there is Atomics.wake/wait, which neatly map to ParkingLot.
Accesses to typed arrays that wrap SharedArrayBuffer are optimized by JSC the same way as
always. I believe that DFG and B3 already obey the following memory model, which I believe is
a bit weaker than Cambridge and a bit stronger than what is being proposed for
SharedArrayBuffer. To predict a program's behavior under the B3 memory model, imagine the
space of all possible programs that would result from running an optimizer that adversarially
follows B3's transformation rules. B3 transformations are correct if the newly created
program is equivalent to the old one, assuming that any opaque effect in IR (like the reads
and writes of a patchpoint/call/fence) could perform any load/store that satisfies the
B3::Effects summary. Opaque effects are a way of describing an infinite set of programs: any
program that only does the effects summarized in B3::Effects belongs to the set. For example,
this prevents motion of operations across fences since fences are summarized as opaque
effects that could read or write memory. This rule alone is not enough, because it leaves the
door open for turning an atomic operation (like a load) into a non-atomic one (like a load
followed by a store of the same value back to the same location or multiple loads). This is
not an optimization that either our compiler or the CPU would want to do. One way to think of
what exactly is forbidden is that B3 transformations that mess with memory accesses can only
reorder them or remove them. This means that for any execution of the untransformed program,
the corresponding execution of the transformed program (i.e. with the same input arguments
and the same programs filled in for the opaque effects) must have the same loads and stores,
with some removed and some reordered. This is a fairly simple mental model that B3 and DFG
already follow and it's based on existing abstractions for the infinite set of programs
inside an opaque effect (DFG's AbstractHeaps and B3's Effects).
This patch makes all atomics operations intrinsic, but the DFG doesn't know about any of them
yet. That's covered by bug 164108.
This ought to be perf-neutral, but I am still running tests to confirm this. I'm also still
writing new tests to cover all of the Atomics functionality and the behavior of SAB objects.
* API/JSTypedArray.cpp:
(JSObjectGetTypedArrayBytesPtr):
(JSObjectGetTypedArrayBuffer):
(JSObjectMakeArrayBufferWithBytesNoCopy):
* API/tests/CompareAndSwapTest.cpp:
(Bitmap::concurrentTestAndSet):
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGDesiredWatchpoints.cpp:
(JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
* heap/Heap.cpp:
(JSC::Heap::reportExtraMemoryVisited):
(JSC::Heap::reportExternalMemoryVisited):
* jsc.cpp:
(functionTransferArrayBuffer):
* runtime/ArrayBuffer.cpp:
(JSC::SharedArrayBufferContents::SharedArrayBufferContents):
(JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
(JSC::ArrayBufferContents::ArrayBufferContents):
(JSC::ArrayBufferContents::operator=):
(JSC::ArrayBufferContents::~ArrayBufferContents):
(JSC::ArrayBufferContents::clear):
(JSC::ArrayBufferContents::destroy):
(JSC::ArrayBufferContents::reset):
(JSC::ArrayBufferContents::tryAllocate):
(JSC::ArrayBufferContents::makeShared):
(JSC::ArrayBufferContents::transferTo):
(JSC::ArrayBufferContents::copyTo):
(JSC::ArrayBufferContents::shareWith):
(JSC::ArrayBuffer::create):
(JSC::ArrayBuffer::createAdopted):
(JSC::ArrayBuffer::createFromBytes):
(JSC::ArrayBuffer::tryCreate):
(JSC::ArrayBuffer::createUninitialized):
(JSC::ArrayBuffer::tryCreateUninitialized):
(JSC::ArrayBuffer::createInternal):
(JSC::ArrayBuffer::ArrayBuffer):
(JSC::ArrayBuffer::slice):
(JSC::ArrayBuffer::sliceImpl):
(JSC::ArrayBuffer::makeShared):
(JSC::ArrayBuffer::setSharingMode):
(JSC::ArrayBuffer::transferTo):
(JSC::ArrayBuffer::transfer): Deleted.
* runtime/ArrayBuffer.h:
(JSC::arrayBufferSharingModeName):
(JSC::SharedArrayBufferContents::data):
(JSC::ArrayBufferContents::data):
(JSC::ArrayBufferContents::sizeInBytes):
(JSC::ArrayBufferContents::isShared):
(JSC::ArrayBuffer::sharingMode):
(JSC::ArrayBuffer::isShared):
(JSC::ArrayBuffer::gcSizeEstimateInBytes):
(JSC::arrayBufferDestructorNull): Deleted.
(JSC::arrayBufferDestructorDefault): Deleted.
(JSC::ArrayBufferContents::ArrayBufferContents): Deleted.
(JSC::ArrayBufferContents::transfer): Deleted.
(JSC::ArrayBufferContents::copyTo): Deleted.
(JSC::ArrayBuffer::create): Deleted.
(JSC::ArrayBuffer::createAdopted): Deleted.
(JSC::ArrayBuffer::createFromBytes): Deleted.
(JSC::ArrayBuffer::tryCreate): Deleted.
(JSC::ArrayBuffer::createUninitialized): Deleted.
(JSC::ArrayBuffer::tryCreateUninitialized): Deleted.
(JSC::ArrayBuffer::createInternal): Deleted.
(JSC::ArrayBuffer::ArrayBuffer): Deleted.
(JSC::ArrayBuffer::slice): Deleted.
(JSC::ArrayBuffer::sliceImpl): Deleted.
(JSC::ArrayBufferContents::tryAllocate): Deleted.
(JSC::ArrayBufferContents::~ArrayBufferContents): Deleted.
* runtime/ArrayBufferSharingMode.h: Added.
* runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::possiblySharedBuffer):
(JSC::ArrayBufferView::unsharedBuffer):
(JSC::ArrayBufferView::isShared):
(JSC::ArrayBufferView::buffer): Deleted.
* runtime/AtomicsObject.cpp: Added.
(JSC::AtomicsObject::AtomicsObject):
(JSC::AtomicsObject::create):
(JSC::AtomicsObject::createStructure):
(JSC::AtomicsObject::finishCreation):
(JSC::atomicsFuncAdd):
(JSC::atomicsFuncAnd):
(JSC::atomicsFuncCompareExchange):
(JSC::atomicsFuncExchange):
(JSC::atomicsFuncIsLockFree):
(JSC::atomicsFuncLoad):
(JSC::atomicsFuncOr):
(JSC::atomicsFuncStore):
(JSC::atomicsFuncSub):
(JSC::atomicsFuncWait):
(JSC::atomicsFuncWake):
(JSC::atomicsFuncXor):
* runtime/AtomicsObject.h: Added.
* runtime/CommonIdentifiers.h:
* runtime/DataView.cpp:
(JSC::DataView::wrap):
* runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::subarray):
* runtime/Intrinsic.h:
* runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::finishCreation):
(JSC::JSArrayBuffer::isShared):
(JSC::JSArrayBuffer::sharingMode):
* runtime/JSArrayBuffer.h:
(JSC::toPossiblySharedArrayBuffer):
(JSC::toUnsharedArrayBuffer):
(JSC::JSArrayBuffer::toWrapped):
(JSC::toArrayBuffer): Deleted.
* runtime/JSArrayBufferConstructor.cpp:
(JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
(JSC::JSArrayBufferConstructor::finishCreation):
(JSC::JSArrayBufferConstructor::create):
(JSC::constructArrayBuffer):
* runtime/JSArrayBufferConstructor.h:
(JSC::JSArrayBufferConstructor::sharingMode):
* runtime/JSArrayBufferPrototype.cpp:
(JSC::arrayBufferProtoFuncSlice):
(JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
(JSC::JSArrayBufferPrototype::finishCreation):
(JSC::JSArrayBufferPrototype::create):
* runtime/JSArrayBufferPrototype.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::finishCreation):
(JSC::JSArrayBufferView::visitChildren):
(JSC::JSArrayBufferView::unsharedBuffer):
(JSC::JSArrayBufferView::unsharedJSBuffer):
(JSC::JSArrayBufferView::possiblySharedJSBuffer):
(JSC::JSArrayBufferView::neuter):
(JSC::JSArrayBufferView::toWrapped): Deleted.
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::jsBuffer): Deleted.
* runtime/JSArrayBufferViewInlines.h:
(JSC::JSArrayBufferView::isShared):
(JSC::JSArrayBufferView::possiblySharedBuffer):
(JSC::JSArrayBufferView::possiblySharedImpl):
(JSC::JSArrayBufferView::unsharedImpl):
(JSC::JSArrayBufferView::byteOffset):
(JSC::JSArrayBufferView::toWrapped):
(JSC::JSArrayBufferView::buffer): Deleted.
(JSC::JSArrayBufferView::impl): Deleted.
(JSC::JSArrayBufferView::neuter): Deleted.
* runtime/JSDataView.cpp:
(JSC::JSDataView::possiblySharedTypedImpl):
(JSC::JSDataView::unsharedTypedImpl):
(JSC::JSDataView::getTypedArrayImpl):
(JSC::JSDataView::typedImpl): Deleted.
* runtime/JSDataView.h:
(JSC::JSDataView::possiblySharedBuffer):
(JSC::JSDataView::unsharedBuffer):
(JSC::JSDataView::buffer): Deleted.
* runtime/JSDataViewPrototype.cpp:
(JSC::dataViewProtoGetterBuffer):
* runtime/JSGenericTypedArrayView.h:
(JSC::toPossiblySharedNativeTypedView):
(JSC::toUnsharedNativeTypedView):
(JSC::JSGenericTypedArrayView<Adaptor>::toWrapped):
(JSC::JSGenericTypedArrayView::typedImpl): Deleted.
(JSC::toNativeTypedView): Deleted.
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):
(JSC::JSGenericTypedArrayView<Adaptor>::possiblySharedTypedImpl):
(JSC::JSGenericTypedArrayView<Adaptor>::unsharedTypedImpl):
(JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl):
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoGetterFuncBuffer):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
* runtime/JSGlobalObject.cpp:
(JSC::createAtomicsProperty):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrayBufferPrototype):
(JSC::JSGlobalObject::arrayBufferStructure):
* runtime/MathObject.cpp:
* runtime/RuntimeFlags.h:
* runtime/SimpleTypedArrayController.cpp:
(JSC::SimpleTypedArrayController::toJS):
* runtime/TypedArrayType.h:
(JSC::typedArrayTypeForType):
2016-10-31 Saam Barati <sbarati@apple.com>
We should be able to eliminate rest parameter allocations
https://bugs.webkit.org/show_bug.cgi?id=163925
Reviewed by Filip Pizlo.
This is the first step towards eliminating rest parameter
allocations when they're spread to other function calls:
`function foo(...args) { bar(...args); }`
This patch simply removes the allocation for rest parameter
allocations using the same escape analysis that is performed
in the argument elimination phase. I've added a new rule to
the phase to make sure that CheckStructure doesn't count as
an escape for an allocation since this often shows up in code
like this:
```
function foo(...args) {
let r = [];
for (let i = 0; i < args.length; i++)
r.push(args[i]);
return r;
}
```
The above program now entirely eliminates the allocation for args
compiled in the FTL. Programs like this also eliminate the allocation
for args:
```
function foo(...args) { return [args.length, args[0]]; }
function bar(...args) { return someOtherFunction.apply(null, args); }
```
This patch extends the arguments elimination phase to understand
the concept that we may want to forward arguments, or get from
the arguments region, starting at some offset. The offset is the
number of names parameter before the rest parameter. For example:
```
function foo(a, b, ...args) { return bar.apply(null, args); }
```
Will forward arguments starting at the *third* argument.
Our arguments forwarding code already had the notion of starting
from some offset, however, I found bugs in that code. I extended
it to work properly for rest parameters with arbitrary skip offsets.
And this program:
```
function foo(...args) {
let r = [];
for (let i = 0; i < args.length; i++)
r.push(args[i]);
return r;
}
```
Knows to perform the GetMyArgumentByVal* with an offset of 3
inside the loop. To make this work, I taught GetMyArgumentByVal
and GetMyArgumentByValOutOfBounds to take an offset representing
the number of arguments to skip.
This patch is a ~20% speedup on microbenchmarks.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasConstant):
(JSC::DFG::Node::constant):
(JSC::DFG::Node::isPhantomAllocation):
(JSC::DFG::Node::numberOfArgumentsToSkip):
* dfg/DFGNodeType.h:
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
* dfg/DFGOperations.cpp:
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCreateRest):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureRegistrationPhase.cpp:
(JSC::DFG::StructureRegistrationPhase::run):
* dfg/DFGValidate.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
(JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
(JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationPopulateObjectInOSR):
(JSC::FTL::operationMaterializeObjectInOSR):
* jit/SetupVarargsFrame.cpp:
(JSC::emitSetVarargsFrame):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::restParameterStructure):
2016-10-31 Mark Lam <mark.lam@apple.com>
Add $vm.codeBlockFor() debugging utility.
https://bugs.webkit.org/show_bug.cgi?id=164192
Reviewed by Saam Barati.
Sometimes, while debugging, it would be nice if we can get the codeBlock info for
a function. Amongst other uses, this is useful for checking what optimization
level the function is currently at. With $vm.codeBlockFor(), we can now do this.
For example, when JS_useDollarVM=true:
print("test's codeBlock = " + $vm.codeBlockFor(test)); // prints function test's codeBlock.
Also added some comments to clarify some pre-existing code.
* tools/JSDollarVMPrototype.cpp:
(JSC::functionCodeBlockForFrame):
(JSC::codeBlockFromArg):
(JSC::functionCodeBlockFor):
(JSC::JSDollarVMPrototype::finishCreation):
2016-10-31 Saam Barati <sbarati@apple.com>
GetByOffset rule is has incorrect assumptions inside arguments elimination phase
https://bugs.webkit.org/show_bug.cgi?id=164239
<rdar://problem/29032041>
Reviewed by Keith Miller.
The rule for GetByOffset assumes that a child will always be transformed before
the user of a child is by assuming its child will already be a phantom allocation.
This will almost certainly be true because of how we generate bytecode for
arguments allocation and how traversal of the graph works using blocksInNaturalOrder.
However, there is no guarantee that blocksInNaturalOrder must first traverse a
block's dominator before the block being dominated. Since it's unlikely that this
bug will ever be seen by real code, this fix is mostly for maintaining good hygiene.
* dfg/DFGArgumentsEliminationPhase.cpp:
2016-10-31 Simon Fraser <simon.fraser@apple.com>
Implement IntersectionObserver
https://bugs.webkit.org/show_bug.cgi?id=159475
Reviewed by Ryosuke Niwa.
Add ENABLE_INTERSECTION_OBSERVER, enabled by default.
* Configurations/FeatureDefines.xcconfig:
2016-10-31 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Provide an opportunity to clear ScriptValues associated with debugged target
https://bugs.webkit.org/show_bug.cgi?id=164167
<rdar://problem/29010148>
Reviewed by Mark Lam.
* inspector/InspectorAgentBase.h:
(Inspector::InspectorAgentBase::discardValues):
* inspector/InspectorAgentRegistry.cpp:
(Inspector::AgentRegistry::~AgentRegistry):
(Inspector::AgentRegistry::discardValues):
* inspector/InspectorAgentRegistry.h:
New standard agent method to allow the agent to discard values.
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::discardValues):
Discard ScriptValues in ConsoleMessages.
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
Global object is going away, discard values.
2016-10-31 Keith Miller <keith_miller@apple.com>
autogenerated files from wasm.json should be in derived sources.
https://bugs.webkit.org/show_bug.cgi?id=164152
Reviewed by Filip Pizlo.
Add two new python scripts to the build. These scripts do what the
old js script in JSTests did. Previously, changes to wasm.json needed
to be manually reflected in WasmOps.h. This patch will auto-build from
the json file. That system was unsustainable, especially as future patches
will likely add more autogenerated files. The generated header files are
identical other than the comment at the top and the order of the opcodes.
I believe ordering difference just has to do with the iteration order for
sets.
* DerivedSources.make:
* wasm/WasmOps.h: Removed.
* wasm/generateWasm.py: Added.
(Wasm):
(Wasm.__init__):
(opcodeIterator):
(toCpp):
(isNormal):
(isUnary):
(isBinary):
* wasm/generateWasmOpsHeader.py: Added.
(cppMacro):
(opcodeMacroizer):
(ceilDiv):
(bitSet):
(BinaryOpType):
(UnaryOpType):
(LoadOpType):
(StoreOpType):
* wasm/wasm.json: Added.
2016-10-29 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] JSON.stringify should handle Proxy which is non JSArray but isArray is true
https://bugs.webkit.org/show_bug.cgi?id=164123
Reviewed by Mark Lam.
When JSON.stringify encounter the undefined value, the result depends
on the context. If it is produced under the object property context, we ignore
that property. On the other hand, if it is produced under the array element
context, we produce "null".
For example,
// https://tc39.github.io/ecma262/#sec-serializejsonobject section 8.b.
// Skip the property that value is undefined.
JSON.stringify({ value: undefined }); // => "{}"
// https://tc39.github.io/ecma262/#sec-serializejsonarray section 8.b.
// Write "null" when the element is undefined.
JSON.stringify([undefined]); // => "[null]"
At that time, we decide the context based on the `holder->inherits(JSArray::info())`.
But it is not correct since we have a holder that creates the array element context
but it is not JSArray subtype. ES6 Proxy to an array is one example. In that case,
`isArray(exec, proxy)` returns `true`, but `inherits(JSArray::info())` returns false.
Since we already have this `isArray()` value in Stringifier::Holder, we should reuse
this here. And this is the correct behavior in the ES6 spec.
* runtime/JSONObject.cpp:
(JSC::Stringifier::Holder::isArray):
(JSC::Stringifier::stringify):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Stringifier::Holder::Holder):
(JSC::Stringifier::Holder::appendNextProperty):
2016-10-29 Saam Barati <sbarati@apple.com>
We should have a way of profiling when a get_by_id is pure and to emit a PureGetById in the DFG/FTL
https://bugs.webkit.org/show_bug.cgi?id=163305
Reviewed by Keith Miller.
This creates a new GetById node in the DFG called PureGetById. We emit a
PureGetById when we profile that a get_by_id in the baseline never does
side effects. PureGetById speculates on the fact that it won't do side
effects. If it realizes that it must perform side effects, it will perform
the side effect, but also invalidate the CodeBlock that compiled it,
which will cause us to exit once we return back to the compiled code.
This allows us to have stricter clobberize rules for PureGetById which
model how getOwnPropertySlot(VMInquiry) behaves. This means that PureGetByIds
can be CSEd with each other, and that other things are more likely to
be CSEd around a PureGetById. To profile if a get_by_id does side
effects, I've added an extra bit into StructureStubInfo that we write
to when performing a get_by_id slow path call. If we notice that we
never do effects, inside the ByteCodeParser, we will emit a PureGetById
instead of a GetById.
To justify the performance benefit of this patch, I ran the suite of
benchmarks with useAccessInlining=false. This meant that we don't compile
any (Multi)GetByOffset/(Multi)PutByOffset. This was just to try to see if
this patch is worth anything at all in a world where we emit many
PureGetByIds. Running the benchmarks under this mode showed a 3.5% octane
improvement and a 15% kraken improvement. However, when running benchmarks
with useAccessInlining=true (the default JSC state), this patch is neutral.
I think the main reason for this is that the DFG is good at knowing when to
emit (Multi)GetByOffset, and most benchmarks that would benefit from
PureGetById are already emitting (Multi)GetByOffset. However, PureGetById can be
profitable when we encounter code that is too polymorphic for (Multi)GetByOffset.
It's reasonable to expect that JS code in the wild will fall into this use
case even though it might not be represented in some of the major JS benchmarks.
I wrote some microbenchmarks to demonstrate the benefits of PureGetById CSE,
and they were 30% (eliminating a few PureGetById from an add expression)
to 10x faster (eliminating a PureGetById in a loop).
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::StructureStubInfo):
(JSC::StructureStubInfo::reset):
* bytecode/StructureStubInfo.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::canBecomeGetArrayLength):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToGetByOffset):
(JSC::DFG::Node::convertToMultiGetByOffset):
(JSC::DFG::Node::hasIdentifier):
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileTryGetById):
(JSC::DFG::SpeculativeJIT::compilePureGetById):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetById):
(JSC::FTL::DFG::LowerDFGToB3::getById):
* jit/JITOperations.cpp:
(JSC::pureGetByIdCommon):
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_try_get_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_try_get_by_id):
* jit/Repatch.cpp:
(JSC::appropriateOptimizingGetByIdFunction):
(JSC::appropriateGenericGetByIdFunction):
(JSC::tryCacheGetByID):
* jit/Repatch.h:
* profiler/ProfilerJettisonReason.cpp:
(WTF::printInternal):
* profiler/ProfilerJettisonReason.h:
2016-10-28 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Breakpoints not working in scripts with unicode characters
https://bugs.webkit.org/show_bug.cgi?id=164172
<rdar://problem/28895862>
Reviewed by Ryosuke Niwa.
* parser/Parser.h:
(JSC::parse):
Ensure we pass the debuggerParseData struct to get populated in the
non 8bit string case!
2016-10-28 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Include identifier name in CallDOMGetter to dump it
https://bugs.webkit.org/show_bug.cgi?id=164161
Reviewed by Mark Lam.
This patch adds an identifier number to CallDOMGetterData and use it when dumping the data.
CallDOMGetter did not include identifier. It made CallDOMGetter super hard to debug when dumping DFG graph.
The dump becomes like this.
CallDOMGetter(Cell:@21, JS|MustGen|UseAsOther, Nonboolint32, id0{customGetter}, domJIT = 0x42f8a0, R:World, W:Heap, Exits, ClobbersExit, bc#15) predicting Nonboolint32
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleDOMJITGetter):
(JSC::DFG::ByteCodeParser::handleGetById):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGNode.h:
2016-10-28 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Rename CallDOM to CallDOMGetter
https://bugs.webkit.org/show_bug.cgi?id=164157
Reviewed by Keith Miller.
Rename CallDOM to CallDOMGetter to represent that
this is used for DOMJIT getter explicitly.
CallDOM will be used for DOM functions (like element.getAttribute()) later.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::emitDOMJITGetter):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::blessCallDOMGetter):
(JSC::DFG::ByteCodeParser::handleDOMJITGetter):
(JSC::DFG::blessCallDOM): Deleted.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCallDOMGetterData):
(JSC::DFG::Node::callDOMGetterData):
(JSC::DFG::Node::hasCallDOMData): Deleted.
(JSC::DFG::Node::callDOMData): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
(JSC::DFG::SpeculativeJIT::compileCallDOM): Deleted.
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* domjit/DOMJITCallDOMGetterPatchpoint.h: Renamed from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
(JSC::DOMJIT::CallDOMGetterPatchpoint::create):
* domjit/DOMJITGetterSetter.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM): Deleted.
* jsc.cpp:
2016-10-28 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, build fix in CLoop builds after r208063.
Include required headers.
* parser/Parser.h:
* runtime/Completion.cpp:
* runtime/JSGlobalObjectFunctions.cpp:
2016-10-28 Ryan Haddad <ryanhaddad@apple.com>
Update reference files for builtins generator tests after r208063.
Unreviewed test gardening.
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
* Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2016-10-28 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add wasm/js directory to JSC include directories in CMakeLists.txt
https://bugs.webkit.org/show_bug.cgi?id=164145
Reviewed by Michael Catanzaro.
Attempt to fix CMake ports. We include a file under wasm/js.
But we didn't add it to JSC include directories.
* CMakeLists.txt:
2016-10-27 Geoffrey Garen <ggaren@apple.com>
One file per class for Executable.h/.cpp
https://bugs.webkit.org/show_bug.cgi?id=164099
Reviewed by Saam Barati.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Scripts/builtins/builtins_generate_combined_implementation.py:
(BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
* Scripts/builtins/builtins_generate_separate_implementation.py:
(BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
* builtins/BuiltinExecutables.cpp:
* bytecode/CallVariant.h:
* bytecode/CodeBlock.cpp:
* bytecode/CodeBlock.h:
(JSC::ScriptExecutable::prepareForExecution):
* bytecode/CodeOrigin.cpp:
* bytecode/EvalCodeCache.h:
* bytecode/InlineCallFrame.cpp:
* bytecode/UnlinkedCodeBlock.cpp:
* bytecode/UnlinkedFunctionExecutable.cpp:
* bytecompiler/StaticPropertyAnalysis.h:
* debugger/DebuggerLocation.cpp:
* dfg/DFGCapabilities.h:
* dfg/DFGOSRExitPreparation.cpp:
* dfg/DFGToFTLDeferredCompilationCallback.cpp:
* dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
* interpreter/StackVisitor.cpp:
* jit/JITThunks.cpp:
* jit/JITToDFGDeferredCompilationCallback.cpp:
* jit/SpecializedThunkJIT.h:
* llint/LLIntOffsetsExtractor.cpp:
* parser/Parser.h:
* runtime/CallData.cpp:
* runtime/ConstructData.cpp:
* runtime/EvalExecutable.cpp: Copied from Source/JavaScriptCore/runtime/Executable.cpp.
(JSC::ExecutableBase::destroy): Deleted.
(JSC::ExecutableBase::clearCode): Deleted.
(JSC::NativeExecutable::create): Deleted.
(JSC::NativeExecutable::destroy): Deleted.
(JSC::NativeExecutable::createStructure): Deleted.
(JSC::NativeExecutable::finishCreation): Deleted.
(JSC::NativeExecutable::NativeExecutable): Deleted.
(JSC::ScriptExecutable::ScriptExecutable): Deleted.
(JSC::ScriptExecutable::destroy): Deleted.
(JSC::ScriptExecutable::installCode): Deleted.
(JSC::ScriptExecutable::newCodeBlockFor): Deleted.
(JSC::ScriptExecutable::newReplacementCodeBlockFor): Deleted.
(JSC::setupLLInt): Deleted.
(JSC::setupJIT): Deleted.
(JSC::ScriptExecutable::prepareForExecutionImpl): Deleted.
(JSC::ProgramExecutable::ProgramExecutable): Deleted.
(JSC::ProgramExecutable::destroy): Deleted.
(JSC::ModuleProgramExecutable::ModuleProgramExecutable): Deleted.
(JSC::ModuleProgramExecutable::create): Deleted.
(JSC::ModuleProgramExecutable::destroy): Deleted.
(JSC::FunctionExecutable::FunctionExecutable): Deleted.
(JSC::FunctionExecutable::finishCreation): Deleted.
(JSC::FunctionExecutable::destroy): Deleted.
(JSC::samplingDescription): Deleted.
(JSC::ProgramExecutable::checkSyntax): Deleted.
(JSC::ProgramExecutable::initializeGlobalProperties): Deleted.
(JSC::ProgramExecutable::visitChildren): Deleted.
(JSC::ModuleProgramExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::baselineCodeBlockFor): Deleted.
(JSC::FunctionExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::fromGlobalCode): Deleted.
(JSC::WebAssemblyExecutable::WebAssemblyExecutable): Deleted.
(JSC::WebAssemblyExecutable::destroy): Deleted.
(JSC::WebAssemblyExecutable::visitChildren): Deleted.
(JSC::ExecutableBase::dump): Deleted.
(JSC::ExecutableBase::hashFor): Deleted.
(JSC::NativeExecutable::hashFor): Deleted.
(JSC::ScriptExecutable::hashFor): Deleted.
* runtime/EvalExecutable.h: Copied from Source/JavaScriptCore/runtime/Executable.h.
(JSC::isCall): Deleted.
(JSC::ExecutableBase::ExecutableBase): Deleted.
(JSC::ExecutableBase::finishCreation): Deleted.
(JSC::ExecutableBase::isEvalExecutable): Deleted.
(JSC::ExecutableBase::isFunctionExecutable): Deleted.
(JSC::ExecutableBase::isProgramExecutable): Deleted.
(JSC::ExecutableBase::isModuleProgramExecutable): Deleted.
(JSC::ExecutableBase::isHostFunction): Deleted.
(JSC::ExecutableBase::isWebAssemblyExecutable): Deleted.
(JSC::ExecutableBase::createStructure): Deleted.
(JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
(JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::generatedJITCodeFor): Deleted.
(JSC::ExecutableBase::entrypointFor): Deleted.
(JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor): Deleted.
(JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
(JSC::ExecutableBase::hasJITCodeForCall): Deleted.
(JSC::ExecutableBase::hasJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::hasJITCodeFor): Deleted.
(JSC::ExecutableBase::intrinsic): Deleted.
(JSC::ExecutableBase::intrinsicFor): Deleted.
(JSC::ScriptExecutable::source): Deleted.
(JSC::ScriptExecutable::sourceID): Deleted.
(JSC::ScriptExecutable::sourceURL): Deleted.
(JSC::ScriptExecutable::firstLine): Deleted.
(JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::hasOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::overrideLineNumber): Deleted.
(JSC::ScriptExecutable::lastLine): Deleted.
(JSC::ScriptExecutable::startColumn): Deleted.
(JSC::ScriptExecutable::endColumn): Deleted.
(JSC::ScriptExecutable::typeProfilingStartOffset): Deleted.
(JSC::ScriptExecutable::typeProfilingEndOffset): Deleted.
(JSC::ScriptExecutable::usesEval): Deleted.
(JSC::ScriptExecutable::usesArguments): Deleted.
(JSC::ScriptExecutable::isArrowFunctionContext): Deleted.
(JSC::ScriptExecutable::isStrictMode): Deleted.
(JSC::ScriptExecutable::derivedContextType): Deleted.
(JSC::ScriptExecutable::evalContextType): Deleted.
(JSC::ScriptExecutable::ecmaMode): Deleted.
(JSC::ScriptExecutable::setNeverInline): Deleted.
(JSC::ScriptExecutable::setNeverOptimize): Deleted.
(JSC::ScriptExecutable::setNeverFTLOptimize): Deleted.
(JSC::ScriptExecutable::setDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::setCanUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::neverInline): Deleted.
(JSC::ScriptExecutable::neverOptimize): Deleted.
(JSC::ScriptExecutable::neverFTLOptimize): Deleted.
(JSC::ScriptExecutable::didTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::isInliningCandidate): Deleted.
(JSC::ScriptExecutable::isOkToOptimize): Deleted.
(JSC::ScriptExecutable::canUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::addressOfDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::features): Deleted.
(JSC::ScriptExecutable::recordParse): Deleted.
(JSC::ScriptExecutable::finishCreation): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
* runtime/Executable.cpp: Removed.
* runtime/Executable.h: Removed.
* runtime/ExecutableBase.cpp: Copied from Source/JavaScriptCore/runtime/Executable.cpp.
(JSC::NativeExecutable::create): Deleted.
(JSC::NativeExecutable::destroy): Deleted.
(JSC::NativeExecutable::createStructure): Deleted.
(JSC::NativeExecutable::finishCreation): Deleted.
(JSC::NativeExecutable::NativeExecutable): Deleted.
(JSC::ScriptExecutable::ScriptExecutable): Deleted.
(JSC::ScriptExecutable::destroy): Deleted.
(JSC::ScriptExecutable::installCode): Deleted.
(JSC::ScriptExecutable::newCodeBlockFor): Deleted.
(JSC::ScriptExecutable::newReplacementCodeBlockFor): Deleted.
(JSC::setupLLInt): Deleted.
(JSC::setupJIT): Deleted.
(JSC::ScriptExecutable::prepareForExecutionImpl): Deleted.
(JSC::EvalExecutable::create): Deleted.
(JSC::EvalExecutable::EvalExecutable): Deleted.
(JSC::EvalExecutable::destroy): Deleted.
(JSC::ProgramExecutable::ProgramExecutable): Deleted.
(JSC::ProgramExecutable::destroy): Deleted.
(JSC::ModuleProgramExecutable::ModuleProgramExecutable): Deleted.
(JSC::ModuleProgramExecutable::create): Deleted.
(JSC::ModuleProgramExecutable::destroy): Deleted.
(JSC::FunctionExecutable::FunctionExecutable): Deleted.
(JSC::FunctionExecutable::finishCreation): Deleted.
(JSC::FunctionExecutable::destroy): Deleted.
(JSC::samplingDescription): Deleted.
(JSC::EvalExecutable::visitChildren): Deleted.
(JSC::ProgramExecutable::checkSyntax): Deleted.
(JSC::ProgramExecutable::initializeGlobalProperties): Deleted.
(JSC::ProgramExecutable::visitChildren): Deleted.
(JSC::ModuleProgramExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::baselineCodeBlockFor): Deleted.
(JSC::FunctionExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::fromGlobalCode): Deleted.
(JSC::WebAssemblyExecutable::WebAssemblyExecutable): Deleted.
(JSC::WebAssemblyExecutable::destroy): Deleted.
(JSC::WebAssemblyExecutable::visitChildren): Deleted.
(JSC::NativeExecutable::hashFor): Deleted.
(JSC::ScriptExecutable::hashFor): Deleted.
* runtime/ExecutableBase.h: Copied from Source/JavaScriptCore/runtime/Executable.h.
(JSC::ScriptExecutable::source): Deleted.
(JSC::ScriptExecutable::sourceID): Deleted.
(JSC::ScriptExecutable::sourceURL): Deleted.
(JSC::ScriptExecutable::firstLine): Deleted.
(JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::hasOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::overrideLineNumber): Deleted.
(JSC::ScriptExecutable::lastLine): Deleted.
(JSC::ScriptExecutable::startColumn): Deleted.
(JSC::ScriptExecutable::endColumn): Deleted.
(JSC::ScriptExecutable::typeProfilingStartOffset): Deleted.
(JSC::ScriptExecutable::typeProfilingEndOffset): Deleted.
(JSC::ScriptExecutable::usesEval): Deleted.
(JSC::ScriptExecutable::usesArguments): Deleted.
(JSC::ScriptExecutable::isArrowFunctionContext): Deleted.
(JSC::ScriptExecutable::isStrictMode): Deleted.
(JSC::ScriptExecutable::derivedContextType): Deleted.
(JSC::ScriptExecutable::evalContextType): Deleted.
(JSC::ScriptExecutable::ecmaMode): Deleted.
(JSC::ScriptExecutable::setNeverInline): Deleted.
(JSC::ScriptExecutable::setNeverOptimize): Deleted.
(JSC::ScriptExecutable::setNeverFTLOptimize): Deleted.
(JSC::ScriptExecutable::setDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::setCanUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::neverInline): Deleted.
(JSC::ScriptExecutable::neverOptimize): Deleted.
(JSC::ScriptExecutable::neverFTLOptimize): Deleted.
(JSC::ScriptExecutable::didTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::isInliningCandidate): Deleted.
(JSC::ScriptExecutable::isOkToOptimize): Deleted.
(JSC::ScriptExecutable::canUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::addressOfDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::features): Deleted.
(JSC::ScriptExecutable::recordParse): Deleted.
(JSC::ScriptExecutable::finishCreation): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
* runtime/FunctionExecutable.cpp: Copied from Source/JavaScriptCore/runtime/Executable.cpp.
(JSC::ExecutableBase::destroy): Deleted.
(JSC::ExecutableBase::clearCode): Deleted.
(JSC::NativeExecutable::create): Deleted.
(JSC::NativeExecutable::destroy): Deleted.
(JSC::NativeExecutable::createStructure): Deleted.
(JSC::NativeExecutable::finishCreation): Deleted.
(JSC::NativeExecutable::NativeExecutable): Deleted.
(JSC::ScriptExecutable::ScriptExecutable): Deleted.
(JSC::ScriptExecutable::destroy): Deleted.
(JSC::ScriptExecutable::installCode): Deleted.
(JSC::ScriptExecutable::newCodeBlockFor): Deleted.
(JSC::ScriptExecutable::newReplacementCodeBlockFor): Deleted.
(JSC::setupLLInt): Deleted.
(JSC::setupJIT): Deleted.
(JSC::ScriptExecutable::prepareForExecutionImpl): Deleted.
(JSC::EvalExecutable::create): Deleted.
(JSC::EvalExecutable::EvalExecutable): Deleted.
(JSC::EvalExecutable::destroy): Deleted.
(JSC::ProgramExecutable::ProgramExecutable): Deleted.
(JSC::ProgramExecutable::destroy): Deleted.
(JSC::ModuleProgramExecutable::ModuleProgramExecutable): Deleted.
(JSC::ModuleProgramExecutable::create): Deleted.
(JSC::ModuleProgramExecutable::destroy): Deleted.
(JSC::samplingDescription): Deleted.
(JSC::EvalExecutable::visitChildren): Deleted.
(JSC::ProgramExecutable::checkSyntax): Deleted.
(JSC::ProgramExecutable::initializeGlobalProperties): Deleted.
(JSC::ProgramExecutable::visitChildren): Deleted.
(JSC::ModuleProgramExecutable::visitChildren): Deleted.
(JSC::WebAssemblyExecutable::WebAssemblyExecutable): Deleted.
(JSC::WebAssemblyExecutable::destroy): Deleted.
(JSC::WebAssemblyExecutable::visitChildren): Deleted.
(JSC::ExecutableBase::dump): Deleted.
(JSC::ExecutableBase::hashFor): Deleted.
(JSC::NativeExecutable::hashFor): Deleted.
(JSC::ScriptExecutable::hashFor): Deleted.
* runtime/FunctionExecutable.h: Copied from Source/JavaScriptCore/runtime/Executable.h.
(JSC::isCall): Deleted.
(JSC::ExecutableBase::ExecutableBase): Deleted.
(JSC::ExecutableBase::finishCreation): Deleted.
(JSC::ExecutableBase::isEvalExecutable): Deleted.
(JSC::ExecutableBase::isFunctionExecutable): Deleted.
(JSC::ExecutableBase::isProgramExecutable): Deleted.
(JSC::ExecutableBase::isModuleProgramExecutable): Deleted.
(JSC::ExecutableBase::isHostFunction): Deleted.
(JSC::ExecutableBase::isWebAssemblyExecutable): Deleted.
(JSC::ExecutableBase::createStructure): Deleted.
(JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
(JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::generatedJITCodeFor): Deleted.
(JSC::ExecutableBase::entrypointFor): Deleted.
(JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor): Deleted.
(JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
(JSC::ExecutableBase::hasJITCodeForCall): Deleted.
(JSC::ExecutableBase::hasJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::hasJITCodeFor): Deleted.
(JSC::ExecutableBase::intrinsic): Deleted.
(JSC::ExecutableBase::intrinsicFor): Deleted.
(JSC::ScriptExecutable::source): Deleted.
(JSC::ScriptExecutable::sourceID): Deleted.
(JSC::ScriptExecutable::sourceURL): Deleted.
(JSC::ScriptExecutable::firstLine): Deleted.
(JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::hasOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::overrideLineNumber): Deleted.
(JSC::ScriptExecutable::lastLine): Deleted.
(JSC::ScriptExecutable::startColumn): Deleted.
(JSC::ScriptExecutable::endColumn): Deleted.
(JSC::ScriptExecutable::typeProfilingStartOffset): Deleted.
(JSC::ScriptExecutable::typeProfilingEndOffset): Deleted.
(JSC::ScriptExecutable::usesEval): Deleted.
(JSC::ScriptExecutable::usesArguments): Deleted.
(JSC::ScriptExecutable::isArrowFunctionContext): Deleted.
(JSC::ScriptExecutable::isStrictMode): Deleted.
(JSC::ScriptExecutable::derivedContextType): Deleted.
(JSC::ScriptExecutable::evalContextType): Deleted.
(JSC::ScriptExecutable::ecmaMode): Deleted.
(JSC::ScriptExecutable::setNeverInline): Deleted.
(JSC::ScriptExecutable::setNeverOptimize): Deleted.
(JSC::ScriptExecutable::setNeverFTLOptimize): Deleted.
(JSC::ScriptExecutable::setDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::setCanUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::neverInline): Deleted.
(JSC::ScriptExecutable::neverOptimize): Deleted.
(JSC::ScriptExecutable::neverFTLOptimize): Deleted.
(JSC::ScriptExecutable::didTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::isInliningCandidate): Deleted.
(JSC::ScriptExecutable::isOkToOptimize): Deleted.
(JSC::ScriptExecutable::canUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::addressOfDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::features): Deleted.
(JSC::ScriptExecutable::recordParse): Deleted.
(JSC::ScriptExecutable::finishCreation): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
* runtime/FunctionExecutableDump.h:
* runtime/JSArray.cpp:
* runtime/JSFunctionInlines.h:
* runtime/JSModuleRecord.cpp:
* runtime/JSObject.cpp:
* runtime/Lookup.cpp:
* runtime/ModuleProgramExecutable.cpp: Copied from Source/JavaScriptCore/runtime/Executable.cpp.
(JSC::ExecutableBase::destroy): Deleted.
(JSC::ExecutableBase::clearCode): Deleted.
(JSC::NativeExecutable::create): Deleted.
(JSC::NativeExecutable::destroy): Deleted.
(JSC::NativeExecutable::createStructure): Deleted.
(JSC::NativeExecutable::finishCreation): Deleted.
(JSC::NativeExecutable::NativeExecutable): Deleted.
(JSC::ScriptExecutable::ScriptExecutable): Deleted.
(JSC::ScriptExecutable::destroy): Deleted.
(JSC::ScriptExecutable::installCode): Deleted.
(JSC::ScriptExecutable::newCodeBlockFor): Deleted.
(JSC::ScriptExecutable::newReplacementCodeBlockFor): Deleted.
(JSC::setupLLInt): Deleted.
(JSC::setupJIT): Deleted.
(JSC::ScriptExecutable::prepareForExecutionImpl): Deleted.
(JSC::EvalExecutable::create): Deleted.
(JSC::EvalExecutable::EvalExecutable): Deleted.
(JSC::EvalExecutable::destroy): Deleted.
(JSC::ProgramExecutable::ProgramExecutable): Deleted.
(JSC::ProgramExecutable::destroy): Deleted.
(JSC::FunctionExecutable::FunctionExecutable): Deleted.
(JSC::FunctionExecutable::finishCreation): Deleted.
(JSC::FunctionExecutable::destroy): Deleted.
(JSC::samplingDescription): Deleted.
(JSC::EvalExecutable::visitChildren): Deleted.
(JSC::ProgramExecutable::checkSyntax): Deleted.
(JSC::ProgramExecutable::initializeGlobalProperties): Deleted.
(JSC::ProgramExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::baselineCodeBlockFor): Deleted.
(JSC::FunctionExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::fromGlobalCode): Deleted.
(JSC::WebAssemblyExecutable::WebAssemblyExecutable): Deleted.
(JSC::WebAssemblyExecutable::destroy): Deleted.
(JSC::WebAssemblyExecutable::visitChildren): Deleted.
(JSC::ExecutableBase::dump): Deleted.
(JSC::ExecutableBase::hashFor): Deleted.
(JSC::NativeExecutable::hashFor): Deleted.
(JSC::ScriptExecutable::hashFor): Deleted.
* runtime/ModuleProgramExecutable.h: Copied from Source/JavaScriptCore/runtime/Executable.h.
(JSC::isCall): Deleted.
(JSC::ExecutableBase::ExecutableBase): Deleted.
(JSC::ExecutableBase::finishCreation): Deleted.
(JSC::ExecutableBase::isEvalExecutable): Deleted.
(JSC::ExecutableBase::isFunctionExecutable): Deleted.
(JSC::ExecutableBase::isProgramExecutable): Deleted.
(JSC::ExecutableBase::isModuleProgramExecutable): Deleted.
(JSC::ExecutableBase::isHostFunction): Deleted.
(JSC::ExecutableBase::isWebAssemblyExecutable): Deleted.
(JSC::ExecutableBase::createStructure): Deleted.
(JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
(JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::generatedJITCodeFor): Deleted.
(JSC::ExecutableBase::entrypointFor): Deleted.
(JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor): Deleted.
(JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
(JSC::ExecutableBase::hasJITCodeForCall): Deleted.
(JSC::ExecutableBase::hasJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::hasJITCodeFor): Deleted.
(JSC::ExecutableBase::intrinsic): Deleted.
(JSC::ExecutableBase::intrinsicFor): Deleted.
(JSC::ScriptExecutable::source): Deleted.
(JSC::ScriptExecutable::sourceID): Deleted.
(JSC::ScriptExecutable::sourceURL): Deleted.
(JSC::ScriptExecutable::firstLine): Deleted.
(JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::hasOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::overrideLineNumber): Deleted.
(JSC::ScriptExecutable::lastLine): Deleted.
(JSC::ScriptExecutable::startColumn): Deleted.
(JSC::ScriptExecutable::endColumn): Deleted.
(JSC::ScriptExecutable::typeProfilingStartOffset): Deleted.
(JSC::ScriptExecutable::typeProfilingEndOffset): Deleted.
(JSC::ScriptExecutable::usesEval): Deleted.
(JSC::ScriptExecutable::usesArguments): Deleted.
(JSC::ScriptExecutable::isArrowFunctionContext): Deleted.
(JSC::ScriptExecutable::isStrictMode): Deleted.
(JSC::ScriptExecutable::derivedContextType): Deleted.
(JSC::ScriptExecutable::evalContextType): Deleted.
(JSC::ScriptExecutable::ecmaMode): Deleted.
(JSC::ScriptExecutable::setNeverInline): Deleted.
(JSC::ScriptExecutable::setNeverOptimize): Deleted.
(JSC::ScriptExecutable::setNeverFTLOptimize): Deleted.
(JSC::ScriptExecutable::setDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::setCanUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::neverInline): Deleted.
(JSC::ScriptExecutable::neverOptimize): Deleted.
(JSC::ScriptExecutable::neverFTLOptimize): Deleted.
(JSC::ScriptExecutable::didTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::isInliningCandidate): Deleted.
(JSC::ScriptExecutable::isOkToOptimize): Deleted.
(JSC::ScriptExecutable::canUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::addressOfDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::features): Deleted.
(JSC::ScriptExecutable::recordParse): Deleted.
(JSC::ScriptExecutable::finishCreation): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
* runtime/NativeExecutable.cpp: Copied from Source/JavaScriptCore/runtime/Executable.cpp.
(JSC::ExecutableBase::destroy): Deleted.
(JSC::ExecutableBase::clearCode): Deleted.
(JSC::ScriptExecutable::ScriptExecutable): Deleted.
(JSC::ScriptExecutable::destroy): Deleted.
(JSC::ScriptExecutable::installCode): Deleted.
(JSC::ScriptExecutable::newCodeBlockFor): Deleted.
(JSC::ScriptExecutable::newReplacementCodeBlockFor): Deleted.
(JSC::setupLLInt): Deleted.
(JSC::setupJIT): Deleted.
(JSC::ScriptExecutable::prepareForExecutionImpl): Deleted.
(JSC::EvalExecutable::create): Deleted.
(JSC::EvalExecutable::EvalExecutable): Deleted.
(JSC::EvalExecutable::destroy): Deleted.
(JSC::ProgramExecutable::ProgramExecutable): Deleted.
(JSC::ProgramExecutable::destroy): Deleted.
(JSC::ModuleProgramExecutable::ModuleProgramExecutable): Deleted.
(JSC::ModuleProgramExecutable::create): Deleted.
(JSC::ModuleProgramExecutable::destroy): Deleted.
(JSC::FunctionExecutable::FunctionExecutable): Deleted.
(JSC::FunctionExecutable::finishCreation): Deleted.
(JSC::FunctionExecutable::destroy): Deleted.
(JSC::samplingDescription): Deleted.
(JSC::EvalExecutable::visitChildren): Deleted.
(JSC::ProgramExecutable::checkSyntax): Deleted.
(JSC::ProgramExecutable::initializeGlobalProperties): Deleted.
(JSC::ProgramExecutable::visitChildren): Deleted.
(JSC::ModuleProgramExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::baselineCodeBlockFor): Deleted.
(JSC::FunctionExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::fromGlobalCode): Deleted.
(JSC::WebAssemblyExecutable::WebAssemblyExecutable): Deleted.
(JSC::WebAssemblyExecutable::destroy): Deleted.
(JSC::WebAssemblyExecutable::visitChildren): Deleted.
(JSC::ExecutableBase::dump): Deleted.
(JSC::ExecutableBase::hashFor): Deleted.
(JSC::ScriptExecutable::hashFor): Deleted.
* runtime/NativeExecutable.h: Copied from Source/JavaScriptCore/runtime/Executable.h.
(JSC::isCall): Deleted.
(JSC::ExecutableBase::ExecutableBase): Deleted.
(JSC::ExecutableBase::finishCreation): Deleted.
(JSC::ExecutableBase::isEvalExecutable): Deleted.
(JSC::ExecutableBase::isFunctionExecutable): Deleted.
(JSC::ExecutableBase::isProgramExecutable): Deleted.
(JSC::ExecutableBase::isModuleProgramExecutable): Deleted.
(JSC::ExecutableBase::isHostFunction): Deleted.
(JSC::ExecutableBase::isWebAssemblyExecutable): Deleted.
(JSC::ExecutableBase::createStructure): Deleted.
(JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
(JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::generatedJITCodeFor): Deleted.
(JSC::ExecutableBase::entrypointFor): Deleted.
(JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor): Deleted.
(JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
(JSC::ExecutableBase::hasJITCodeForCall): Deleted.
(JSC::ExecutableBase::hasJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::hasJITCodeFor): Deleted.
(JSC::ExecutableBase::intrinsic): Deleted.
(JSC::ExecutableBase::intrinsicFor): Deleted.
(JSC::ScriptExecutable::source): Deleted.
(JSC::ScriptExecutable::sourceID): Deleted.
(JSC::ScriptExecutable::sourceURL): Deleted.
(JSC::ScriptExecutable::firstLine): Deleted.
(JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::hasOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::overrideLineNumber): Deleted.
(JSC::ScriptExecutable::lastLine): Deleted.
(JSC::ScriptExecutable::startColumn): Deleted.
(JSC::ScriptExecutable::endColumn): Deleted.
(JSC::ScriptExecutable::typeProfilingStartOffset): Deleted.
(JSC::ScriptExecutable::typeProfilingEndOffset): Deleted.
(JSC::ScriptExecutable::usesEval): Deleted.
(JSC::ScriptExecutable::usesArguments): Deleted.
(JSC::ScriptExecutable::isArrowFunctionContext): Deleted.
(JSC::ScriptExecutable::isStrictMode): Deleted.
(JSC::ScriptExecutable::derivedContextType): Deleted.
(JSC::ScriptExecutable::evalContextType): Deleted.
(JSC::ScriptExecutable::ecmaMode): Deleted.
(JSC::ScriptExecutable::setNeverInline): Deleted.
(JSC::ScriptExecutable::setNeverOptimize): Deleted.
(JSC::ScriptExecutable::setNeverFTLOptimize): Deleted.
(JSC::ScriptExecutable::setDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::setCanUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::neverInline): Deleted.
(JSC::ScriptExecutable::neverOptimize): Deleted.
(JSC::ScriptExecutable::neverFTLOptimize): Deleted.
(JSC::ScriptExecutable::didTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::isInliningCandidate): Deleted.
(JSC::ScriptExecutable::isOkToOptimize): Deleted.
(JSC::ScriptExecutable::canUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::addressOfDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::features): Deleted.
(JSC::ScriptExecutable::recordParse): Deleted.
(JSC::ScriptExecutable::finishCreation): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
* runtime/ProgramExecutable.cpp: Copied from Source/JavaScriptCore/runtime/Executable.cpp.
(JSC::ExecutableBase::destroy): Deleted.
(JSC::ExecutableBase::clearCode): Deleted.
(JSC::NativeExecutable::create): Deleted.
(JSC::NativeExecutable::destroy): Deleted.
(JSC::NativeExecutable::createStructure): Deleted.
(JSC::NativeExecutable::finishCreation): Deleted.
(JSC::NativeExecutable::NativeExecutable): Deleted.
(JSC::ScriptExecutable::ScriptExecutable): Deleted.
(JSC::ScriptExecutable::destroy): Deleted.
(JSC::ScriptExecutable::installCode): Deleted.
(JSC::ScriptExecutable::newCodeBlockFor): Deleted.
(JSC::ScriptExecutable::newReplacementCodeBlockFor): Deleted.
(JSC::setupLLInt): Deleted.
(JSC::setupJIT): Deleted.
(JSC::ScriptExecutable::prepareForExecutionImpl): Deleted.
(JSC::EvalExecutable::create): Deleted.
(JSC::EvalExecutable::EvalExecutable): Deleted.
(JSC::EvalExecutable::destroy): Deleted.
(JSC::ModuleProgramExecutable::ModuleProgramExecutable): Deleted.
(JSC::ModuleProgramExecutable::create): Deleted.
(JSC::ModuleProgramExecutable::destroy): Deleted.
(JSC::FunctionExecutable::FunctionExecutable): Deleted.
(JSC::FunctionExecutable::finishCreation): Deleted.
(JSC::FunctionExecutable::destroy): Deleted.
(JSC::samplingDescription): Deleted.
(JSC::EvalExecutable::visitChildren): Deleted.
(JSC::ModuleProgramExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::baselineCodeBlockFor): Deleted.
(JSC::FunctionExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::fromGlobalCode): Deleted.
(JSC::WebAssemblyExecutable::WebAssemblyExecutable): Deleted.
(JSC::WebAssemblyExecutable::destroy): Deleted.
(JSC::WebAssemblyExecutable::visitChildren): Deleted.
(JSC::ExecutableBase::dump): Deleted.
(JSC::ExecutableBase::hashFor): Deleted.
(JSC::NativeExecutable::hashFor): Deleted.
(JSC::ScriptExecutable::hashFor): Deleted.
* runtime/ProgramExecutable.h: Copied from Source/JavaScriptCore/runtime/Executable.h.
(JSC::isCall): Deleted.
(JSC::ExecutableBase::ExecutableBase): Deleted.
(JSC::ExecutableBase::finishCreation): Deleted.
(JSC::ExecutableBase::isEvalExecutable): Deleted.
(JSC::ExecutableBase::isFunctionExecutable): Deleted.
(JSC::ExecutableBase::isProgramExecutable): Deleted.
(JSC::ExecutableBase::isModuleProgramExecutable): Deleted.
(JSC::ExecutableBase::isHostFunction): Deleted.
(JSC::ExecutableBase::isWebAssemblyExecutable): Deleted.
(JSC::ExecutableBase::createStructure): Deleted.
(JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
(JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::generatedJITCodeFor): Deleted.
(JSC::ExecutableBase::entrypointFor): Deleted.
(JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor): Deleted.
(JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
(JSC::ExecutableBase::hasJITCodeForCall): Deleted.
(JSC::ExecutableBase::hasJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::hasJITCodeFor): Deleted.
(JSC::ExecutableBase::intrinsic): Deleted.
(JSC::ExecutableBase::intrinsicFor): Deleted.
(JSC::ScriptExecutable::source): Deleted.
(JSC::ScriptExecutable::sourceID): Deleted.
(JSC::ScriptExecutable::sourceURL): Deleted.
(JSC::ScriptExecutable::firstLine): Deleted.
(JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::hasOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::overrideLineNumber): Deleted.
(JSC::ScriptExecutable::lastLine): Deleted.
(JSC::ScriptExecutable::startColumn): Deleted.
(JSC::ScriptExecutable::endColumn): Deleted.
(JSC::ScriptExecutable::typeProfilingStartOffset): Deleted.
(JSC::ScriptExecutable::typeProfilingEndOffset): Deleted.
(JSC::ScriptExecutable::usesEval): Deleted.
(JSC::ScriptExecutable::usesArguments): Deleted.
(JSC::ScriptExecutable::isArrowFunctionContext): Deleted.
(JSC::ScriptExecutable::isStrictMode): Deleted.
(JSC::ScriptExecutable::derivedContextType): Deleted.
(JSC::ScriptExecutable::evalContextType): Deleted.
(JSC::ScriptExecutable::ecmaMode): Deleted.
(JSC::ScriptExecutable::setNeverInline): Deleted.
(JSC::ScriptExecutable::setNeverOptimize): Deleted.
(JSC::ScriptExecutable::setNeverFTLOptimize): Deleted.
(JSC::ScriptExecutable::setDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::setCanUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::neverInline): Deleted.
(JSC::ScriptExecutable::neverOptimize): Deleted.
(JSC::ScriptExecutable::neverFTLOptimize): Deleted.
(JSC::ScriptExecutable::didTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::isInliningCandidate): Deleted.
(JSC::ScriptExecutable::isOkToOptimize): Deleted.
(JSC::ScriptExecutable::canUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::addressOfDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::features): Deleted.
(JSC::ScriptExecutable::recordParse): Deleted.
(JSC::ScriptExecutable::finishCreation): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
* runtime/SamplingProfiler.cpp:
* runtime/ScriptExecutable.cpp: Copied from Source/JavaScriptCore/runtime/Executable.cpp.
(JSC::ExecutableBase::destroy): Deleted.
(JSC::ExecutableBase::clearCode): Deleted.
(JSC::NativeExecutable::create): Deleted.
(JSC::NativeExecutable::destroy): Deleted.
(JSC::NativeExecutable::createStructure): Deleted.
(JSC::NativeExecutable::finishCreation): Deleted.
(JSC::NativeExecutable::NativeExecutable): Deleted.
(JSC::EvalExecutable::create): Deleted.
(JSC::EvalExecutable::EvalExecutable): Deleted.
(JSC::EvalExecutable::destroy): Deleted.
(JSC::ProgramExecutable::ProgramExecutable): Deleted.
(JSC::ProgramExecutable::destroy): Deleted.
(JSC::ModuleProgramExecutable::ModuleProgramExecutable): Deleted.
(JSC::ModuleProgramExecutable::create): Deleted.
(JSC::ModuleProgramExecutable::destroy): Deleted.
(JSC::FunctionExecutable::FunctionExecutable): Deleted.
(JSC::FunctionExecutable::finishCreation): Deleted.
(JSC::FunctionExecutable::destroy): Deleted.
(JSC::samplingDescription): Deleted.
(JSC::EvalExecutable::visitChildren): Deleted.
(JSC::ProgramExecutable::checkSyntax): Deleted.
(JSC::ProgramExecutable::initializeGlobalProperties): Deleted.
(JSC::ProgramExecutable::visitChildren): Deleted.
(JSC::ModuleProgramExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::baselineCodeBlockFor): Deleted.
(JSC::FunctionExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::fromGlobalCode): Deleted.
(JSC::WebAssemblyExecutable::WebAssemblyExecutable): Deleted.
(JSC::WebAssemblyExecutable::destroy): Deleted.
(JSC::WebAssemblyExecutable::visitChildren): Deleted.
(JSC::ExecutableBase::dump): Deleted.
(JSC::ExecutableBase::hashFor): Deleted.
(JSC::NativeExecutable::hashFor): Deleted.
* runtime/ScriptExecutable.h: Copied from Source/JavaScriptCore/runtime/Executable.h.
(): Deleted.
(JSC::isCall): Deleted.
(JSC::ExecutableBase::ExecutableBase): Deleted.
(JSC::ExecutableBase::finishCreation): Deleted.
(JSC::ExecutableBase::isEvalExecutable): Deleted.
(JSC::ExecutableBase::isFunctionExecutable): Deleted.
(JSC::ExecutableBase::isProgramExecutable): Deleted.
(JSC::ExecutableBase::isModuleProgramExecutable): Deleted.
(JSC::ExecutableBase::isHostFunction): Deleted.
(JSC::ExecutableBase::isWebAssemblyExecutable): Deleted.
(JSC::ExecutableBase::createStructure): Deleted.
(JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
(JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::generatedJITCodeFor): Deleted.
(JSC::ExecutableBase::entrypointFor): Deleted.
(JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor): Deleted.
(JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
(JSC::ExecutableBase::hasJITCodeForCall): Deleted.
(JSC::ExecutableBase::hasJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::hasJITCodeFor): Deleted.
(JSC::ExecutableBase::intrinsic): Deleted.
(JSC::ExecutableBase::intrinsicFor): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
* runtime/StringConstructor.cpp:
* runtime/StringPrototype.cpp:
* runtime/WebAssemblyExecutable.cpp: Copied from Source/JavaScriptCore/runtime/Executable.cpp.
(JSC::ExecutableBase::destroy): Deleted.
(JSC::ExecutableBase::clearCode): Deleted.
(JSC::NativeExecutable::create): Deleted.
(JSC::NativeExecutable::destroy): Deleted.
(JSC::NativeExecutable::createStructure): Deleted.
(JSC::NativeExecutable::finishCreation): Deleted.
(JSC::NativeExecutable::NativeExecutable): Deleted.
(JSC::ScriptExecutable::ScriptExecutable): Deleted.
(JSC::ScriptExecutable::destroy): Deleted.
(JSC::ScriptExecutable::installCode): Deleted.
(JSC::ScriptExecutable::newCodeBlockFor): Deleted.
(JSC::ScriptExecutable::newReplacementCodeBlockFor): Deleted.
(JSC::setupLLInt): Deleted.
(JSC::setupJIT): Deleted.
(JSC::ScriptExecutable::prepareForExecutionImpl): Deleted.
(JSC::EvalExecutable::create): Deleted.
(JSC::EvalExecutable::EvalExecutable): Deleted.
(JSC::EvalExecutable::destroy): Deleted.
(JSC::ProgramExecutable::ProgramExecutable): Deleted.
(JSC::ProgramExecutable::destroy): Deleted.
(JSC::ModuleProgramExecutable::ModuleProgramExecutable): Deleted.
(JSC::ModuleProgramExecutable::create): Deleted.
(JSC::ModuleProgramExecutable::destroy): Deleted.
(JSC::FunctionExecutable::FunctionExecutable): Deleted.
(JSC::FunctionExecutable::finishCreation): Deleted.
(JSC::FunctionExecutable::destroy): Deleted.
(JSC::samplingDescription): Deleted.
(JSC::EvalExecutable::visitChildren): Deleted.
(JSC::ProgramExecutable::checkSyntax): Deleted.
(JSC::ProgramExecutable::initializeGlobalProperties): Deleted.
(JSC::ProgramExecutable::visitChildren): Deleted.
(JSC::ModuleProgramExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::baselineCodeBlockFor): Deleted.
(JSC::FunctionExecutable::visitChildren): Deleted.
(JSC::FunctionExecutable::fromGlobalCode): Deleted.
(JSC::ExecutableBase::dump): Deleted.
(JSC::ExecutableBase::hashFor): Deleted.
(JSC::NativeExecutable::hashFor): Deleted.
(JSC::ScriptExecutable::hashFor): Deleted.
* runtime/WebAssemblyExecutable.h: Copied from Source/JavaScriptCore/runtime/Executable.h.
(JSC::isCall): Deleted.
(JSC::ExecutableBase::ExecutableBase): Deleted.
(JSC::ExecutableBase::finishCreation): Deleted.
(JSC::ExecutableBase::isEvalExecutable): Deleted.
(JSC::ExecutableBase::isFunctionExecutable): Deleted.
(JSC::ExecutableBase::isProgramExecutable): Deleted.
(JSC::ExecutableBase::isModuleProgramExecutable): Deleted.
(JSC::ExecutableBase::isHostFunction): Deleted.
(JSC::ExecutableBase::isWebAssemblyExecutable): Deleted.
(JSC::ExecutableBase::createStructure): Deleted.
(JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
(JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::generatedJITCodeFor): Deleted.
(JSC::ExecutableBase::entrypointFor): Deleted.
(JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor): Deleted.
(JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
(JSC::ExecutableBase::hasJITCodeForCall): Deleted.
(JSC::ExecutableBase::hasJITCodeForConstruct): Deleted.
(JSC::ExecutableBase::hasJITCodeFor): Deleted.
(JSC::ExecutableBase::intrinsic): Deleted.
(JSC::ExecutableBase::intrinsicFor): Deleted.
(JSC::ScriptExecutable::source): Deleted.
(JSC::ScriptExecutable::sourceID): Deleted.
(JSC::ScriptExecutable::sourceURL): Deleted.
(JSC::ScriptExecutable::firstLine): Deleted.
(JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::hasOverrideLineNumber): Deleted.
(JSC::ScriptExecutable::overrideLineNumber): Deleted.
(JSC::ScriptExecutable::lastLine): Deleted.
(JSC::ScriptExecutable::startColumn): Deleted.
(JSC::ScriptExecutable::endColumn): Deleted.
(JSC::ScriptExecutable::typeProfilingStartOffset): Deleted.
(JSC::ScriptExecutable::typeProfilingEndOffset): Deleted.
(JSC::ScriptExecutable::usesEval): Deleted.
(JSC::ScriptExecutable::usesArguments): Deleted.
(JSC::ScriptExecutable::isArrowFunctionContext): Deleted.
(JSC::ScriptExecutable::isStrictMode): Deleted.
(JSC::ScriptExecutable::derivedContextType): Deleted.
(JSC::ScriptExecutable::evalContextType): Deleted.
(JSC::ScriptExecutable::ecmaMode): Deleted.
(JSC::ScriptExecutable::setNeverInline): Deleted.
(JSC::ScriptExecutable::setNeverOptimize): Deleted.
(JSC::ScriptExecutable::setNeverFTLOptimize): Deleted.
(JSC::ScriptExecutable::setDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::setCanUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::neverInline): Deleted.
(JSC::ScriptExecutable::neverOptimize): Deleted.
(JSC::ScriptExecutable::neverFTLOptimize): Deleted.
(JSC::ScriptExecutable::didTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::isInliningCandidate): Deleted.
(JSC::ScriptExecutable::isOkToOptimize): Deleted.
(JSC::ScriptExecutable::canUseOSRExitFuzzing): Deleted.
(JSC::ScriptExecutable::addressOfDidTryToEnterInLoop): Deleted.
(JSC::ScriptExecutable::features): Deleted.
(JSC::ScriptExecutable::recordParse): Deleted.
(JSC::ScriptExecutable::finishCreation): Deleted.
(JSC::ScriptExecutable::prepareForExecution): Deleted.
2016-10-20 Caitlin Potter <caitp@igalia.com>
[JSC] implement runtime for async functions
https://bugs.webkit.org/show_bug.cgi?id=163760
Reviewed by Yusuke Suzuki.
Async functions generate bytecode equivalent to the following, which is
highly dependent on the Generator implementation:
```
// Before translation:
async function asyncfn() {}
// After translation:
function asyncfn() {
let generator = {
@generatorNext: function(@generator, @generatorState, @generatorValue, @generatorResumeMode, @generatorFrameState) {
// Body of async function
},
@generatorState: 0,
@generatorThis: this,
@generatorFrameState: <frame state>,
};
return @asyncFunctionResume(generator, undefined, GeneratorResumeMode::NormalMode);
}
```
Await Expressions are equivalent to non-delegating Yield expressions, and emit identical bytecode.
There are some caveats to be addressed later:
1) the `op_to_this` is always performed, whether it's used or not, like normal generators. (https://bugs.webkit.org/show_bug.cgi?id=151586)
2) for async arrow functions, the home object is always stored on the "body" function, regardless of whether it's needed or
not, for the same reason as #1 (and should also be fixed as part of https://bugs.webkit.org/show_bug.cgi?id=151586)
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/AsyncFunctionPrototype.js: Added.
(asyncFunctionResume):
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::isArrowFunction):
* bytecode/UnlinkedFunctionExecutable.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
(JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
(JSC::BytecodeGenerator::emitNewFunction):
* bytecompiler/NodesCodegen.cpp:
(JSC::FunctionNode::emitBytecode):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emitNewFuncCommon):
(JSC::JIT::emit_op_new_async_func):
(JSC::JIT::emitNewFuncExprCommon):
(JSC::JIT::emit_op_new_async_func_exp):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
(JSC::Parser<LexerType>::parseFunctionInfo):
* parser/Parser.h:
(JSC::Scope::setSourceParseMode):
* parser/ParserModes.h:
(JSC::isGeneratorOrAsyncFunctionBodyParseMode):
(JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
* runtime/AsyncFunctionConstructor.cpp: Added.
(JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
(JSC::AsyncFunctionConstructor::finishCreation):
(JSC::callAsyncFunctionConstructor):
(JSC::constructAsyncFunctionConstructor):
(JSC::AsyncFunctionConstructor::getCallData):
(JSC::AsyncFunctionConstructor::getConstructData):
* runtime/AsyncFunctionConstructor.h: Added.
(JSC::AsyncFunctionConstructor::create):
(JSC::AsyncFunctionConstructor::createStructure):
* runtime/AsyncFunctionPrototype.cpp: Added.
(JSC::AsyncFunctionPrototype::AsyncFunctionPrototype):
(JSC::AsyncFunctionPrototype::finishCreation):
* runtime/AsyncFunctionPrototype.h: Added.
(JSC::AsyncFunctionPrototype::create):
(JSC::AsyncFunctionPrototype::createStructure):
* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/FunctionConstructor.h:
* runtime/JSAsyncFunction.cpp: Added.
(JSC::JSAsyncFunction::JSAsyncFunction):
(JSC::JSAsyncFunction::createImpl):
(JSC::JSAsyncFunction::create):
(JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
* runtime/JSAsyncFunction.h: Added.
(JSC::JSAsyncFunction::allocationSize):
(JSC::JSAsyncFunction::createStructure):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::lazyAsyncFunctionStructure):
(JSC::JSGlobalObject::asyncFunctionPrototype):
(JSC::JSGlobalObject::asyncFunctionPrototypeConcurrently):
(JSC::JSGlobalObject::asyncFunctionStructure):
(JSC::JSGlobalObject::asyncFunctionStructureConcurrently):
2016-10-27 Mark Lam <mark.lam@apple.com>
JSFunction::put() should not allow caching of lazily reified properties.
https://bugs.webkit.org/show_bug.cgi?id=164081
Reviewed by Geoffrey Garen.
It is incorrect for JSFunction::put() to return PutPropertySlots that indicates
that its lazily reified properties (e.g. .caller, and .arguments) are cacheable.
The reason for this is:
1. Currently, a cacheable put may only consist of the following types of put
operations:
a. putting a new property at an offset in the object storage.
b. changing the value of an existing property at an offset in the object storage.
c. invoking the setter for a property at an offset in the object storage.
Returning a PutPropertySlot that indicates the property is cacheable means that
the property put must be one of the above operations.
For lazily reified properties, JSFunction::put() implements complex conditional
behavior that is different than the set of cacheable put operations above.
Hence, it should not claim that the property put is cacheable.
2. Cacheable puts are cached on the original structure of the object before the
put operation.
Reifying a lazy property will trigger a structure transition. Even though
subsequent puts to such a property may be cacheable after the structure
transition, it is incorrect to indicate that the property put is cacheable
because the caching is on the original structure, not the new transitioned
structure.
Also fixed some missing exception checks.
* jit/JITOperations.cpp:
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
(JSC::JSFunction::reifyLazyPropertyIfNeeded):
(JSC::JSFunction::reifyBoundNameIfNeeded):
* runtime/JSFunction.h:
2016-10-27 Caitlin Potter <caitp@igalia.com>
[JSC] forbid lexical redeclaration of generator formal parameters
https://bugs.webkit.org/show_bug.cgi?id=163930
Reviewed by Yusuke Suzuki.
Also forbids "arguments" and "eval" as generator argument names in strict mode.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::declareRestOrNormalParameter):
* parser/Parser.h:
(JSC::Parser::declareVariable):
(JSC::Parser::hasDeclaredParameter):
(JSC::Parser::isValidStrictMode):
2016-10-27 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Include ConsoleAgent in Workers - real console.log support
https://bugs.webkit.org/show_bug.cgi?id=163844
<rdar://problem/28903328>
Reviewed by Brian Burg.
* inspector/protocol/Worker.json:
2016-10-27 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Introduce Page WorkerAgent and Worker InspectorController
https://bugs.webkit.org/show_bug.cgi?id=163817
<rdar://problem/28899063>
Reviewed by Brian Burg.
* CMakeLists.txt:
* DerivedSources.make:
* inspector/protocol/Worker.json: Added.
New Worker domain.
2016-10-26 JF Bastien <jfbastien@apple.com>
WebAssembly API: implement Instance
As described in: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyinstance-objects
- Take ownership of Wasm::Plan's compilation result when successfully creating a JSWebAssemblyModule object.
- Construct a basic Instance with a Module.
- Handle second argument (importObject) of WebAssembly.Instance.
- Add reference text from the spec to WebAssembly.Module's code.
- Expose and test an empty 'exports' ModuleNamespaceObject on WebAssembly.Instance.
The implementation isn't complete yet: it relies on further work for which I've filed bugs.
WebAssembly API: implement Instance
https://bugs.webkit.org/show_bug.cgi?id=163998
Reviewed by Keith Miller.
* wasm/WasmPlan.h:
(JSC::Wasm::Plan::getFunctions): allow transfering state out
(JSC::Wasm::Plan::getMemory): allow transfering state out
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
(JSC::JSWebAssemblyInstance::finishCreation): set the ModuleNamespaceObject, and expose it as "exports"
(JSC::JSWebAssemblyInstance::visitChildren): visit the ModuleNamespaceObject child
* wasm/js/JSWebAssemblyInstance.h:
* wasm/js/JSWebAssemblyModule.cpp:
(JSC::JSWebAssemblyModule::create):
(JSC::JSWebAssemblyModule::JSWebAssemblyModule): move in the compiled functions and the memory
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance): take the Module, extract the Plan's results, and create the (empty for now) ModuleNamespaceObject
* wasm/js/WebAssemblyModuleConstructor.cpp:
(JSC::constructJSWebAssemblyModule): add a few comments from the spec, and pass out the Plan's results
2016-10-26 Brian Burg <bburg@apple.com>
Web Inspector: remove unused bool return value from FrontendChannel::sendMessageToFrontend
https://bugs.webkit.org/show_bug.cgi?id=164046
Reviewed by Joseph Pecoraro.
* inspector/InspectorFrontendChannel.h:
* inspector/remote/RemoteConnectionToTarget.h:
* inspector/remote/RemoteConnectionToTarget.mm:
(Inspector::RemoteConnectionToTarget::sendMessageToFrontend):
2016-10-26 JF Bastien <jfbastien@apple.com>
WebAssembly: remove now-dead JSWasmModule
https://bugs.webkit.org/show_bug.cgi?id=164044
Reviewed by Keith Miller.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/Executable.cpp:
(JSC::WebAssemblyExecutable::WebAssemblyExecutable):
(JSC::WebAssemblyExecutable::visitChildren):
* runtime/Executable.h:
* wasm/JSWasmModule.cpp: Removed.
* wasm/JSWasmModule.h: Removed.
* wasm/WasmModuleParser.cpp:
2016-10-26 Mark Lam <mark.lam@apple.com>
JSGenericTypedArrayView::set() should check for exceptions.
https://bugs.webkit.org/show_bug.cgi?id=164007
<rdar://problem/28853775>
Reviewed by Filip Pizlo.
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::set):
2016-10-25 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Tell IDL result type to DFG to drop type checks in AI
https://bugs.webkit.org/show_bug.cgi?id=163900
Reviewed by Sam Weinig.
The IDL tells the conservative result type. While we use the heap prediction
for prediction propagation phase in DOMJIT getter (it is offered by get_by_id!),
we leverage the type told by IDL to produce the abstract value with the proven type
in AI. It effectively drops unnecessary type checks followed by CallDOM operations.
For example, when you write the code like,
if (node.nodeType === 9) {
// document.
}
Previously, we inserted a Int32 check for the result of node.nodeType.
It is dropped now.
We annotate the DOMJIT getter in jsc.cpp to ensure that the unnecessary type checks
are correctly dropped when executing JSTests/stress/domjit-getter.js.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* domjit/DOMJITGetterSetter.h:
(JSC::DOMJIT::GetterSetter::GetterSetter):
(JSC::DOMJIT::GetterSetter::resultType):
* jsc.cpp:
(WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT):
(WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT):
2016-10-25 Mark Lam <mark.lam@apple.com>
String.prototype.replace() should throw an OutOfMemoryError when using too much memory.
https://bugs.webkit.org/show_bug.cgi?id=163996
<rdar://problem/28263117>
Reviewed by Geoffrey Garen.
String.prototype.replace() uses a Vector internally for bookkeeping work.
Currently, if this vector gets too big, we just crash on allocation failure.
While this is correct behavior, it is not too friendly.
We now detect the imminent failure, and throw a OutOfMemoryError instead.
* runtime/StringPrototype.cpp:
(JSC::removeUsingRegExpSearch):
(JSC::replaceUsingRegExpSearch):
(JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
(JSC::stringProtoFuncReplaceUsingRegExp):
2016-10-25 Mark Lam <mark.lam@apple.com>
Rename the reject() helper function to something more meaningful.
https://bugs.webkit.org/show_bug.cgi?id=163549
Reviewed by Saam Barati.
We'll rename reject() to typeError(). The intuition behind this is that all the
clients that uses this function will return typeError(..., shouldThrow, ...).
In a sense, they are returning a "type" of TypeError (which happened to be the
value false). In addition, it may also throw a JS TypeError if the shouldThrow
parameter is true.
* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/GetterSetter.cpp:
(JSC::callSetter):
* runtime/JSArray.cpp:
(JSC::JSArray::defineOwnProperty):
(JSC::JSArray::setLengthWithArrayStorage):
* runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::put):
(JSC::JSArrayBuffer::defineOwnProperty):
* runtime/JSArrayBufferView.cpp:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
(JSC::JSValue::putToPrimitiveByIndex):
* runtime/JSDataView.cpp:
(JSC::JSDataView::put):
(JSC::JSDataView::defineOwnProperty):
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
(JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
* runtime/JSObject.cpp:
(JSC::ordinarySetSlow):
(JSC::JSObject::putInlineSlow):
(JSC::JSObject::setPrototypeWithCycleCheck):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
(JSC::validateAndApplyPropertyDescriptor):
* runtime/JSObjectInlines.h:
(JSC::JSObject::putInline):
* runtime/JSProxy.cpp:
(JSC::JSProxy::setPrototype):
* runtime/Lookup.h:
(JSC::putEntry):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::defineOwnProperty):
* runtime/RegExpObject.h:
(JSC::RegExpObject::setLastIndex):
* runtime/Reject.h: Removed.
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::putEntry):
(JSC::SparseArrayValueMap::putDirect):
(JSC::SparseArrayEntry::put):
* runtime/StringObject.cpp:
(JSC::StringObject::put):
(JSC::StringObject::putByIndex):
* runtime/TypeError.h: Copied from Source/JavaScriptCore/runtime/Reject.h.
(JSC::typeError):
(JSC::reject): Deleted.
2016-10-25 Filip Pizlo <fpizlo@apple.com>
HeapTimer should not hardcode all of its subclasses and USE(CF) shouldn't be a bizarre special case
https://bugs.webkit.org/show_bug.cgi?id=163947
Reviewed by Geoffrey Garen.
I want to introduce another HeapTimer. Prior to this change, that would have meant writing
exact copies of that timer's logic for each platform that has a HeapTimer (CF, GLIB, and
EFL). That logic would in turn be a duplicate of the logic already present in
IncrementalSweeper and GCActivityCallback: all of the subclasses of HeapTimer have their
own code for scheduling timers, so a new subclass would have to duplicate that code. Then,
to add insult to injury, the USE(CF) version of HeapTimer would have to have an extra case
for that new subclass since it doesn't use virtual methods effectively.
This changes HeapTimer on USE(CF) to know to get its runloop from Heap and to use virtual
methods effectively so that it doesn't have to know about all of its subclasses.
This also moves IncrementalSweeper's code for scheduling timers into HeapTimer. This means
that future subclasses of HeapTimer could simply use that logic.
This keeps changes to GCActivityCallback to a minimum. It still has a lot of
platform-specific code and I'm not sure that this code can be trivially deduplicated since
that code has more quirks. That's fine for now, since I mainly just need a sane way of
creating new timers that use IncrementalSweeper-like scheduling logic.
* heap/EdenGCActivityCallback.cpp:
* heap/EdenGCActivityCallback.h:
* heap/FullGCActivityCallback.cpp:
* heap/FullGCActivityCallback.h:
* heap/GCActivityCallback.cpp:
(JSC::GCActivityCallback::GCActivityCallback):
* heap/GCActivityCallback.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
* heap/Heap.h:
(JSC::Heap::runLoop):
* heap/HeapTimer.cpp:
(JSC::HeapTimer::HeapTimer):
(JSC::HeapTimer::setRunLoop):
(JSC::HeapTimer::~HeapTimer):
(JSC::HeapTimer::timerDidFire):
(JSC::HeapTimer::scheduleTimer):
(JSC::HeapTimer::cancelTimer):
(JSC::retainAPILock): Deleted.
(JSC::releaseAPILock): Deleted.
* heap/HeapTimer.h:
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::scheduleTimer):
(JSC::IncrementalSweeper::cancelTimer): Deleted.
* heap/IncrementalSweeper.h:
2016-10-25 JF Bastien <jfbastien@apple.com>
Remove redundant argument count check
Indexing argument out of bounds already returns jsUndefined().
Remove redundant argument count check
https://bugs.webkit.org/show_bug.cgi?id=163957
Reviewed by Keith Miller.
* runtime/ErrorConstructor.cpp:
(JSC::Interpreter::constructWithErrorConstructor):
(JSC::Interpreter::callErrorConstructor):
* wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
(JSC::constructJSWebAssemblyRuntimeError):
2016-10-25 Mark Lam <mark.lam@apple.com>
Add ThrowScope::release() calls at all call sites of jsMakeNontrivialString().
https://bugs.webkit.org/show_bug.cgi?id=163990
Reviewed by Geoffrey Garen.
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncToString):
* runtime/ErrorPrototype.cpp:
(JSC::errorProtoFuncToString):
* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncToString):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncToString):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncBig):
(JSC::stringProtoFuncSmall):
(JSC::stringProtoFuncBlink):
(JSC::stringProtoFuncBold):
(JSC::stringProtoFuncFixed):
(JSC::stringProtoFuncItalics):
(JSC::stringProtoFuncStrike):
(JSC::stringProtoFuncSub):
(JSC::stringProtoFuncSup):
(JSC::stringProtoFuncFontcolor):
(JSC::stringProtoFuncFontsize):
(JSC::stringProtoFuncAnchor):
2016-10-25 Mark Lam <mark.lam@apple.com>
JSStringJoiner::joinedLength() should limit joined string lengths to INT_MAX.
https://bugs.webkit.org/show_bug.cgi?id=163937
<rdar://problem/28642990>
Reviewed by Geoffrey Garen.
JSStringJoiner::joinedLength() was previously limiting it to UINT_MAX. This is
inconsistent with other parts of string code which expects a max length of INT_MAX.
This is now fixed.
Also fixed jsMakeNontrivialString() to ensure that the resultant string length
is valid. It was previously allowing lengths greater than INT_MAX. This was
caught by the new assertion in JSString::setLength().
There are already pre-existing assertions in various JSString::finishCreation()
which do RELEASE_ASSERTs on the string length. To be consistent, I'm making the
assertion in JSString::setLength() a RELEASE_ASSERT. If this proves to be a
performance issue, I'll change this to a debug ASSERT later.
* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeInternal8):
(JSC::JSRopeString::resolveRopeInternal8NoSubstring):
(JSC::JSRopeString::resolveRopeInternal16):
(JSC::JSRopeString::resolveRopeInternal16NoSubstring):
(JSC::JSRopeString::resolveRopeToAtomicString):
(JSC::JSRopeString::resolveRopeToExistingAtomicString):
(JSC::JSRopeString::resolveRope):
(JSC::JSRopeString::resolveRopeSlowCase8):
(JSC::JSRopeString::resolveRopeSlowCase):
(JSC::JSString::getStringPropertyDescriptor):
* runtime/JSString.h:
(JSC::JSString::finishCreation):
(JSC::JSString::length):
(JSC::JSString::isValidLength):
(JSC::JSString::toBoolean):
(JSC::JSString::canGetIndex):
(JSC::JSString::setLength):
(JSC::JSString::getStringPropertySlot):
(JSC::JSRopeString::unsafeView):
(JSC::JSRopeString::viewWithUnderlyingString):
* runtime/JSStringBuilder.h:
(JSC::jsMakeNontrivialString):
* runtime/JSStringJoiner.cpp:
(JSC::JSStringJoiner::joinedLength):
2016-10-25 JF Bastien <jfbastien@apple.com>
WebAssembly: fix unknown section name handling, and check for section size overflow
https://bugs.webkit.org/show_bug.cgi?id=163959
See: https://github.com/WebAssembly/design/blob/master/BinaryEncoding.md#high-level-structure
Name length and name are already included in the payload length.
Reviewed by Filip Pizlo.
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parse):
2016-10-25 Christopher Reid <Christopher.Reid@am.sony.com>
jsc.cpp is leaking memory allocated by readline in runInteractive
https://bugs.webkit.org/show_bug.cgi?id=163958
According to http://web.mit.edu/gnu/doc/html/rlman_2.html,
"The line readline returns is allocated with malloc ();
you should free () the line when you are done with it."
The memory allocated by readline is not being freed when it should.
Reviewed by Mark Lam.
* jsc.cpp:
2016-10-25 Konstantin Tokarev <annulen@yandex.ru>
[cmake] Check if jscLib and WebKitGUID targets exist before using them
https://bugs.webkit.org/show_bug.cgi?id=163945
Reviewed by Alex Christensen.
Currently these targets are used under WIN32 condition, however they
are defined in PlatformWin.cmake, causing CMake warnings if port
supports WIN32 but does not use PlatformWin.cmake
* shell/CMakeLists.txt:
2016-10-25 JF Bastien <jfbastien@apple.com>
WebAssembly JS API: implement Module
This implementation allows us to:
- Syncrhonously create a WebAssembly.Module with a typed array.
- Creates a compilation plan.
- Parse the Module and creates corresponding code.
- Throw WebAssembly.CompileError with mildly helpful [*] error messages on
failure.
Consult the API documentation for expected behavior: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymodule-constructor
For now the implementation discards the generated code.
The next steps will be:
- Expose a Module's exports.
- Implement WebAssembly.Instance, which allows instantiating and running a
compiled Module.
- Beef up the testing infrastructure under JSTests/wasm so that more complex
modules can be created and tested (instead of writing the bits by hand).
This patch also:
- Adds assert.instanceof in assert.js.
- Refactors Wasm::Parser and friends to accept const uint8_t* as well as a
Vector, to avoid copying when invoked synchronously.
- Remove useless Structure from some of the wasm constructors: they're already
on the JSGlobalObject, visited properly and all.
- Fix off-by-one error in parsing: Parser::parseUInt32 failed if the integer
was exactly at end of file.
[*] On error messages while parsing: I filed https://bugs.webkit.org/show_bug.cgi?id=163919
WebAssembly JS API: implement Module
https://bugs.webkit.org/show_bug.cgi?id=163903
Reviewed by Keith Miller.
* runtime/ExceptionHelpers.cpp:
(JSC::defaultSourceAppender): make this public so that WebAssembly can use it: it generates those fancy (evaluating '...') messages at the end
* runtime/ExceptionHelpers.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init): remove the useless Structure from the WebAssembly objects (it's already in this file, no need to hold two references and visit them twice)
* testWasm.cpp:
(runWasmTests): update API
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::parseAndCompile): use updated API
* wasm/WasmB3IRGenerator.h:
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::FunctionParser): use updated API
(JSC::Wasm::FunctionParser<Context>::parseExpression): use updated API
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parse): generate error messages
* wasm/WasmModuleParser.h:
(JSC::Wasm::ModuleParser::ModuleParser):
(JSC::Wasm::ModuleParser::failed):
(JSC::Wasm::ModuleParser::errorMessage):
(JSC::Wasm::ModuleParser::functionInformation):
(JSC::Wasm::ModuleParser::memory):
* wasm/WasmParser.h: use update non-public API
(JSC::Wasm::Parser::parseVarUInt32):
(JSC::Wasm::Parser::parseVarUInt64):
(JSC::Wasm::Parser::source):
(JSC::Wasm::Parser::length):
(JSC::Wasm::Parser::Parser):
(JSC::Wasm::Parser::consumeCharacter):
(JSC::Wasm::Parser::consumeString):
(JSC::Wasm::Parser::parseUInt32):
(JSC::Wasm::Parser::parseUInt7):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::Plan):
(JSC::Wasm::Plan::~Plan):
* wasm/WasmPlan.h:
(JSC::Wasm::Plan::failed):
(JSC::Wasm::Plan::errorMessage):
(JSC::Wasm::Plan::resultSize):
(JSC::Wasm::Plan::result):
(JSC::Wasm::Plan::memory):
* wasm/js/JSWebAssemblyCompileError.cpp:
(JSC::createWebAssemblyCompileError): makes it easier to throw a WebAssembly.CompileError from Module
* wasm/js/JSWebAssemblyCompileError.h:
* wasm/js/WebAssemblyCompileErrorConstructor.cpp:
(JSC::WebAssemblyCompileErrorConstructor::create):
(JSC::WebAssemblyCompileErrorConstructor::finishCreation):
* wasm/js/WebAssemblyCompileErrorConstructor.h:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::WebAssemblyInstanceConstructor::create):
(JSC::WebAssemblyInstanceConstructor::finishCreation):
(JSC::WebAssemblyInstanceConstructor::visitChildren):
* wasm/js/WebAssemblyInstanceConstructor.h:
* wasm/js/WebAssemblyMemoryConstructor.cpp:
(JSC::WebAssemblyMemoryConstructor::create):
(JSC::WebAssemblyMemoryConstructor::finishCreation):
(JSC::WebAssemblyMemoryConstructor::visitChildren):
* wasm/js/WebAssemblyMemoryConstructor.h:
* wasm/js/WebAssemblyModuleConstructor.cpp:
(JSC::constructJSWebAssemblyModule):
(JSC::WebAssemblyModuleConstructor::create):
(JSC::WebAssemblyModuleConstructor::finishCreation):
(JSC::WebAssemblyModuleConstructor::visitChildren):
* wasm/js/WebAssemblyModuleConstructor.h:
* wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
(JSC::WebAssemblyRuntimeErrorConstructor::create):
(JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
* wasm/js/WebAssemblyRuntimeErrorConstructor.h:
* wasm/js/WebAssemblyTableConstructor.cpp:
(JSC::WebAssemblyTableConstructor::create):
(JSC::WebAssemblyTableConstructor::finishCreation):
(JSC::WebAssemblyTableConstructor::visitChildren):
* wasm/js/WebAssemblyTableConstructor.h:
2016-10-25 Keith Miller <keith_miller@apple.com>
Add trivial Wasm conversion opcodes
https://bugs.webkit.org/show_bug.cgi?id=163950
Reviewed by Filip Pizlo.
This patch differentiates between Wasm opcodes that are trivially mapped to a B3 opcode and
those that are not. Some of the Wasm opcodes that are currently a non-simple opcode will
become simple as we add B3 opcodes for Wasm operations. The remaining opcodes will need to
be added via patchpoints in a later patch.
* wasm/WasmB3IRGenerator.cpp:
* wasm/WasmOps.h:
(JSC::Wasm::isSimple):
2016-10-24 Yusuke Suzuki <utatane.tea@gmail.com>
Arrow functions with concise bodies cannot return regular expressions
https://bugs.webkit.org/show_bug.cgi?id=163162
Reviewed by Filip Pizlo.
When we encounter the RegExp in the parser, we first scan it as / or /=.
And if / or /= is parsed under the primary expression context, we rescan it
as RegExp. However, we did not update the token record information. So the
token record still says "I'm / or /=".
When we parse the string "() => /hello/", the last token becomes "/", which is
the first character of the RegExp, instead of "/hello/". Since the arrow
function parsing utilizes the end offset of the last token, we accidentally
recognize the range of the above arrow function as "() => /".
In this patch, we update the token when rescanning under the RegExp context.
This logic is similar to parsing Tail Template Literal token.
We also refine the error message for regular expression literals. And since
the REGEXP token is now introduced, the other error messages using that token
are improved too.
Currently, unterminated error messages can be seen in Parser.cpp. However,
these messages cannot be shown to users if the lexer has m_error. So these
code is meaningless. I'll move these tokenizing errors to the lexer in the
subsequent patch[1].
[1]: https://bugs.webkit.org/show_bug.cgi?id=163928
* parser/Lexer.cpp:
(JSC::Lexer<T>::fillTokenInfo):
(JSC::Lexer<T>::lex):
(JSC::Lexer<T>::scanRegExp):
(JSC::Lexer<T>::scanTrailingTemplateString):
(JSC::Lexer<T>::skipRegExp): Deleted.
* parser/Lexer.h:
(JSC::Lexer::getToken):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseAssignmentExpression):
* parser/Parser.h:
(JSC::Parser::getToken):
* parser/ParserTokens.h:
2016-10-24 Per Arne Vollan <pvollan@apple.com>
[Win] CMake build type is not set.
https://bugs.webkit.org/show_bug.cgi?id=163917
Reviewed by Alex Christensen.
The CMAKE_BUILD_TYPE variable should be set to Debug or Release.
* JavaScriptCore.vcxproj/JavaScriptCore.proj:
2016-10-24 Chris Dumez <cdumez@apple.com>
Reduce special handling for typed arrays in JSDOMConvert.h
https://bugs.webkit.org/show_bug.cgi?id=163907
Reviewed by Sam Weinig.
Reduce special handling for typed arrays in JSDOMConvert.h by adding a toWrapped() static
function on JSGenericTypedArrayView, similarly to other wrapper types.
* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::typedImpl):
(JSC::JSGenericTypedArrayView<Adaptor>::toWrapped):
2016-10-24 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT][DFG] CallDOM never writes Stack
https://bugs.webkit.org/show_bug.cgi?id=163926
Reviewed by Filip Pizlo and Saam Barati.
There is no way to write(Stack) in CallDOM.
This worst case (the most clobbering case) scenario
should be aligned to the one of Call, read(World) and write(Heap).
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2016-10-23 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Add a way for DOMJIT::Patchpoint to express effects
https://bugs.webkit.org/show_bug.cgi?id=163657
Reviewed by Saam Barati.
This patch introduces DOMJIT::Effect. It describes the side effects of
the DOMJIT::CallDOMPatchpoint. DOMJIT::CallDOMPatchpoint can use this
feature to teach the compilers about the effects. And the compilers
will perform CSE based on the reported effects.
As the same to B3's HeapRange, the effects are represented as a pair of
integers. [begin, end) pair will represents the range of the abstract
heap. We encode the abstract heap hierarchy into these pairs. Like,
Root: [0, 32)
Child1: [0, 20) Child2: [20, 32)
Child11: [0, 4) Child12: [4, 20)
This simplifies the representation of the abstract heap. And WebCore
just tells pairs of integers and it does not tell any detailed hierarchy.
So, DFG and FTL can optimize DOM operations without deep knowledge of
the DOM abstract heap hierarchy. For example, WebCore will tell that
firstChild will read Node_firstChild abstract heap. But this information
is encoded to the pair and DFG does not know the details. But still
DFG can understand the abstract heap hierarchy and can query whether the
given abstract heap overlaps with some abstract heap.
The heap range told by the WebCore is represented as DOMJIT::HeapRange.
DFG will handle this under the DOMState abstract heap. DOMJIT::HeapRange
is stored in DFG::AbstractHeap's Payload. We maintain the hierarchy by
DOMJIT::HeapRange in the DOMState abstract heap. We add a necessary
handling in DFG's AbstractHeap and ClobberSet.
And we also introduce DOMStateLoc for HeapLocation. It is combined with
DOMState AbstractHeap with DOMJIT::HeapRange. For example, we can
represent Node.firstChild as `read(DOMState:Node_firstChild)` and
`def(HeapLocation(node, DOMState:Node_firstChild))` thingy. This allows us
to perform CSE onto DOM getters that will read some of DOM heap!
For simplicity, we convert CallDOM from NodeVarArgs to the normal one.
CallDOM is now just used for DOMJIT getter. So its children is at most 2.
It may have either 1 or 2 children. If the global object is required
by CallDOMPatchpoint, it has 2 children. And we changed the order of
the children to further simplify the code. Before this change, the order
is 1: globalObject 2: base. After this patch, the order becomes 1: base,
and 2: globalObject. And the child2 may not exists if the global object
is not required. We changed all the existing DOMJIT patchpoint to this
form.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::emitDOMJITGetter):
* dfg/DFGAbstractHeap.cpp:
(JSC::DFG::AbstractHeap::dump):
* dfg/DFGAbstractHeap.h:
(JSC::DFG::AbstractHeap::isStrictSubtypeOf):
(JSC::DFG::AbstractHeap::overlaps):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::blessCallDOM):
(JSC::DFG::ByteCodeParser::handleDOMJITGetter):
* dfg/DFGClobberSet.cpp:
(JSC::DFG::ClobberSet::overlaps):
* dfg/DFGClobberSet.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasCallDOMData):
(JSC::DFG::Node::callDOMData):
(JSC::DFG::Node::hasCallDOMPatchpoint): Deleted.
(JSC::DFG::Node::callDOMPatchpoint): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOM):
* domjit/DOMJITAbstractHeap.cpp: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
(JSC::DOMJIT::AbstractHeap::compute):
(JSC::DOMJIT::AbstractHeap::dump):
(JSC::DOMJIT::AbstractHeap::shallowDump):
(JSC::DOMJIT::AbstractHeap::deepDump):
* domjit/DOMJITAbstractHeap.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
(JSC::DOMJIT::AbstractHeap::AbstractHeap):
(JSC::DOMJIT::AbstractHeap::setParent):
(JSC::DOMJIT::AbstractHeap::isRoot):
(JSC::DOMJIT::AbstractHeap::isComputed):
(JSC::DOMJIT::AbstractHeap::range):
* domjit/DOMJITCallDOMPatchpoint.h:
* domjit/DOMJITEffect.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
(JSC::DOMJIT::Effect::forReadWrite):
(JSC::DOMJIT::Effect::forPure):
(JSC::DOMJIT::Effect::forDef):
(JSC::DOMJIT::Effect::mustGenerate):
* domjit/DOMJITHeapRange.cpp: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
(JSC::DOMJIT::HeapRange::dump):
* domjit/DOMJITHeapRange.h: Added.
(JSC::DOMJIT::HeapRange::HeapRange):
(JSC::DOMJIT::HeapRange::fromRaw):
(JSC::DOMJIT::HeapRange::begin):
(JSC::DOMJIT::HeapRange::end):
(JSC::DOMJIT::HeapRange::rawRepresentation):
(JSC::DOMJIT::HeapRange::operator bool):
(JSC::DOMJIT::HeapRange::operator==):
(JSC::DOMJIT::HeapRange::top):
(JSC::DOMJIT::HeapRange::none):
(JSC::DOMJIT::HeapRange::isStrictSubtypeOf):
(JSC::DOMJIT::HeapRange::isSubtypeOf):
(JSC::DOMJIT::HeapRange::overlaps):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
* jsc.cpp:
2016-10-24 Alex Christensen <achristensen@webkit.org>
JSONParse should not crash with null Strings
https://bugs.webkit.org/show_bug.cgi?id=163918
<rdar://problem/28834095>
Reviewed by Michael Saboff.
When JSONParse is called with a null String, it calls String::is8bit, which dereferences a null pointer.
This is happening with new work in the Fetch API, but callers of JSONParse should not have to check
if the String is null.
* API/tests/JSONParseTest.cpp: Added.
(testJSONParse):
* API/tests/JSONParseTest.h: Added.
* API/tests/testapi.c:
(main):
Test parsing null Strings. They should have the same result as parsing empty Strings.
* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/JSONObject.cpp:
(JSC::JSONParse):
Check for null Strings.
* shell/PlatformWin.cmake:
2016-10-24 Devin Rousso <dcrousso+webkit@gmail.com>
Web Inspector: Scope chain shouldn't show empty Closure sections
https://bugs.webkit.org/show_bug.cgi?id=152348
Reviewed by Joseph Pecoraro.
* inspector/InjectedScriptSource.js:
(isEmptyObject):
(InjectedScript.CallFrameProxy._createScopeJson):
If the scope object has no properties, set empty to true.
* inspector/protocol/Debugger.json:
Added empty property to Scope type.
2016-10-24 Keith Miller <keith_miller@apple.com>
Wasm should support floating point operations.
https://bugs.webkit.org/show_bug.cgi?id=163770
Reviewed by Michael Saboff.
Since we now have a Double => Float Trunc in B3, we can now support calls in Wasm
that take floating point arguments. This patch also enables most of the Wasm
floating point operations, as the associated B3 opcode has been linked via wasm.json.
If there is no direct mapping to a B3 opcode the Wasm is not yet implemented. This
patch also fixes a bug in calls where the arguments would be reversed.
* testWasm.cpp:
(cast):
(invoke):
(boxf):
(boxd):
(runWasmTests):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::createJSWrapper):
* wasm/WasmCallingConvention.h:
(JSC::Wasm::CallingConvention::loadArguments):
(JSC::Wasm::CallingConvention::setupCall):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
* wasm/WasmOps.h:
2016-10-24 Mark Lam <mark.lam@apple.com>
Dumping of op_negate bytecode is broken.
https://bugs.webkit.org/show_bug.cgi?id=163896
Reviewed by Darin Adler.
It thinks the bytecode consists of only 3 machine words, when it consists of 4.
This is now fixed.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
2016-10-24 Youenn Fablet <youenn@apple.com>
Activate WEB_RTC compilation flags for Mac bots
https://bugs.webkit.org/show_bug.cgi?id=163886
Reviewed by Eric Carlson.
* Configurations/FeatureDefines.xcconfig:
2016-10-23 Zan Dobersek <zdobersek@igalia.com>
Unreviewed. Build fix for Clang and libstdc++ configurations.
* b3/testb3.cpp:
(JSC::B3::testAbsArgWithEffectfulDoubleConversion): Explicitly cast the
float-typed return value of fabs(float) to double in order to avoid
ambiguous calls to isIdentical().
(JSC::B3::testSqrtArgWithEffectfulDoubleConversion): Ditto for sqrt(float).
2016-10-22 Chris Dumez <cdumez@apple.com>
WebGLRenderingContextBase.bufferData() should use a union instead of overloading
https://bugs.webkit.org/show_bug.cgi?id=163795
Reviewed by Darin Adler.
* runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::data):
Add a data() method which aliases baseAddress() to align the API with
ArrayBuffer and reduce special handling at call sites.
* runtime/JSArrayBuffer.h:
(JSC::toArrayBuffer):
(JSC::JSArrayBuffer::toWrapped):
Add toWrapped() method similarly with WebCore wrapper types to
reduce special handling of JSArrayBuffer type.
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::toWrapped):
* runtime/JSArrayBufferView.h:
Add toWrapped() method similarly with WebCore wrapper types to
reduce special handling of JSArrayBufferView type.
2016-10-21 Filip Pizlo <fpizlo@apple.com>
Slow and big Heap methods should not be inline
https://bugs.webkit.org/show_bug.cgi?id=163802
Reviewed by Keith Miller.
JSC often suffers from the inline cargo cult, and Heap is a prime example. This outlines a
bunch of Heap methods that are either already very big, or call out-of-line methods, or call
very big methods, or are not called often enough for inlining to matter.
This simplifies concurrent GC work because I'm so tired of recompiling the world when I touch
one of these methods.
This looks to be perf-neutral.
* heap/Heap.cpp:
(JSC::Heap::shouldCollect):
(JSC::Heap::isCurrentThreadBusy):
(JSC::Heap::reportExtraMemoryVisited):
(JSC::Heap::reportExternalMemoryVisited):
(JSC::Heap::collectIfNecessaryOrDefer):
(JSC::Heap::collectAccordingToDeferGCProbability):
(JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
(JSC::Heap::registerWeakGCMap):
(JSC::Heap::unregisterWeakGCMap):
(JSC::Heap::didAllocateBlock):
(JSC::Heap::didFreeBlock):
* heap/HeapInlines.h:
(JSC::Heap::shouldCollect): Deleted.
(JSC::Heap::isCurrentThreadBusy): Deleted.
(JSC::Heap::reportExtraMemoryVisited): Deleted.
(JSC::Heap::reportExternalMemoryVisited): Deleted.
(JSC::Heap::collectIfNecessaryOrDefer): Deleted.
(JSC::Heap::collectAccordingToDeferGCProbability): Deleted.
(JSC::Heap::decrementDeferralDepthAndGCIfNeeded): Deleted.
(JSC::Heap::registerWeakGCMap): Deleted.
(JSC::Heap::unregisterWeakGCMap): Deleted.
(JSC::Heap::didAllocateBlock): Deleted.
(JSC::Heap::didFreeBlock): Deleted.
2016-10-21 Saam Barati <sbarati@apple.com>
SpeculativeJIT::compileTryGetById needs to pass in NeedsToSpill along both the cell speculation and untyped speculation path
https://bugs.webkit.org/show_bug.cgi?id=163622
Reviewed by Yusuke Suzuki.
We were passing in DontSpill in the Untyped:child1() case, which caused us
not to spill the base register. This is obviously wrong because the
DFG's register allocator expected the base to still be in the register
that it allocated for it after the TryGetById node executed.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileTryGetById):
2016-10-21 Keith Miller <keith_miller@apple.com>
Expand Trunc in B3 to support Double to Float
https://bugs.webkit.org/show_bug.cgi?id=163809
Reviewed by Geoffrey Garen.
This feature is useful for passing floating point arguments via registers.
Currently, ArgumentRegValue returns a the full 64-bit register. Thus, we
need a way to indicate to B3 that we only want the low 32-bits.
* b3/B3Common.h:
(JSC::B3::isIdentical):
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::lower):
* b3/B3Opcode.h:
* b3/B3ReduceStrength.cpp:
* b3/B3Validate.cpp:
* b3/B3Value.cpp:
(JSC::B3::Value::typeFor):
* b3/testb3.cpp:
(JSC::B3::testAddFPRArgsFloat):
(JSC::B3::testCeilArgWithEffectfulDoubleConversion):
(JSC::B3::testFloorArgWithEffectfulDoubleConversion):
(JSC::B3::testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
(JSC::B3::run):
2016-10-21 Keith Miller <keith_miller@apple.com>
Rename WASM to Wasm
https://bugs.webkit.org/show_bug.cgi?id=163796
Rubber stamped by Filip Pizlo.
* CMakeLists.txt:
* Configurations/ToolExecutable.xcconfig:
* JavaScriptCore.xcodeproj/project.pbxproj:
* llint/LLIntThunks.cpp:
(JSC::vmEntryToWasm):
(JSC::vmEntryToWASM): Deleted.
* llint/LLIntThunks.h:
* runtime/Executable.cpp:
(JSC::WebAssemblyExecutable::WebAssemblyExecutable):
* runtime/Executable.h:
* shell/CMakeLists.txt:
* testWASM.cpp:
(runWASMTests): Deleted.
* testWasm.cpp: Renamed from Source/JavaScriptCore/testWASM.cpp.
(CommandLine::CommandLine):
(printUsageStatement):
(CommandLine::parseArguments):
(runLEBTests):
(invoke):
(box):
(runWasmTests):
(main):
* wasm/JSWASMModule.cpp:
(JSC::JSWASMModule::JSWASMModule): Deleted.
(JSC::JSWASMModule::destroy): Deleted.
(JSC::JSWASMModule::visitChildren): Deleted.
* wasm/JSWASMModule.h:
(JSC::JSWASMModule::create): Deleted.
(JSC::JSWASMModule::createStructure): Deleted.
(JSC::JSWASMModule::i32Constants): Deleted.
(JSC::JSWASMModule::f32Constants): Deleted.
(JSC::JSWASMModule::f64Constants): Deleted.
(JSC::JSWASMModule::signatures): Deleted.
(JSC::JSWASMModule::functionImports): Deleted.
(JSC::JSWASMModule::functionImportSignatures): Deleted.
(JSC::JSWASMModule::globalVariableTypes): Deleted.
(JSC::JSWASMModule::functionDeclarations): Deleted.
(JSC::JSWASMModule::functionPointerTables): Deleted.
(JSC::JSWASMModule::arrayBuffer): Deleted.
(JSC::JSWASMModule::functions): Deleted.
(JSC::JSWASMModule::functionStartOffsetsInSource): Deleted.
(JSC::JSWASMModule::functionStackHeights): Deleted.
(JSC::JSWASMModule::globalVariables): Deleted.
(JSC::JSWASMModule::importedFunctions): Deleted.
* wasm/JSWasmModule.cpp: Renamed from Source/JavaScriptCore/wasm/JSWASMModule.cpp.
(JSC::JSWasmModule::JSWasmModule):
(JSC::JSWasmModule::destroy):
(JSC::JSWasmModule::visitChildren):
* wasm/JSWasmModule.h: Renamed from Source/JavaScriptCore/wasm/JSWASMModule.h.
(JSC::JSWasmModule::create):
(JSC::JSWasmModule::createStructure):
(JSC::JSWasmModule::i32Constants):
(JSC::JSWasmModule::f32Constants):
(JSC::JSWasmModule::f64Constants):
(JSC::JSWasmModule::signatures):
(JSC::JSWasmModule::functionImports):
(JSC::JSWasmModule::functionImportSignatures):
(JSC::JSWasmModule::globalVariableTypes):
(JSC::JSWasmModule::functionDeclarations):
(JSC::JSWasmModule::functionPointerTables):
(JSC::JSWasmModule::arrayBuffer):
(JSC::JSWasmModule::functions):
(JSC::JSWasmModule::functionStartOffsetsInSource):
(JSC::JSWasmModule::functionStackHeights):
(JSC::JSWasmModule::globalVariables):
(JSC::JSWasmModule::importedFunctions):
* wasm/WASMB3IRGenerator.cpp:
(JSC::WASM::createJSWrapper): Deleted.
(JSC::WASM::parseAndCompile): Deleted.
* wasm/WASMCallingConvention.cpp:
(JSC::WASM::jscCallingConvention): Deleted.
(JSC::WASM::wasmCallingConvention): Deleted.
* wasm/WASMCallingConvention.h:
(JSC::WASM::CallingConvention::CallingConvention): Deleted.
(JSC::WASM::CallingConvention::marshallArgumentImpl): Deleted.
(JSC::WASM::CallingConvention::marshallArgument): Deleted.
(JSC::WASM::CallingConvention::loadArguments): Deleted.
(JSC::WASM::CallingConvention::setupCall): Deleted.
(JSC::WASM::nextJSCOffset): Deleted.
* wasm/WASMFormat.h:
(JSC::WASM::toB3Type): Deleted.
(JSC::WASM::isValueType): Deleted.
* wasm/WASMFunctionParser.h:
(JSC::WASM::FunctionParser<Context>::FunctionParser): Deleted.
(JSC::WASM::FunctionParser<Context>::parse): Deleted.
(JSC::WASM::FunctionParser<Context>::parseBlock): Deleted.
(JSC::WASM::FunctionParser<Context>::parseExpression): Deleted.
(JSC::WASM::FunctionParser<Context>::parseUnreachableExpression): Deleted.
* wasm/WASMMemory.cpp:
(JSC::WASM::Memory::Memory): Deleted.
* wasm/WASMMemory.h:
(JSC::WASM::Memory::~Memory): Deleted.
(JSC::WASM::Memory::memory): Deleted.
(JSC::WASM::Memory::size): Deleted.
(JSC::WASM::Memory::pinnedRegisters): Deleted.
(JSC::WASM::Memory::mode): Deleted.
(JSC::WASM::Memory::grow): Deleted.
(JSC::WASM::Memory::offsetOfSize): Deleted.
* wasm/WASMModuleParser.cpp:
(JSC::WASM::ModuleParser::parse): Deleted.
(JSC::WASM::ModuleParser::parseMemory): Deleted.
(JSC::WASM::ModuleParser::parseFunctionTypes): Deleted.
(JSC::WASM::ModuleParser::parseFunctionSignatures): Deleted.
(JSC::WASM::ModuleParser::parseFunctionDefinitions): Deleted.
* wasm/WASMModuleParser.h:
(JSC::WASM::ModuleParser::ModuleParser): Deleted.
(JSC::WASM::ModuleParser::functionInformation): Deleted.
(JSC::WASM::ModuleParser::memory): Deleted.
* wasm/WASMOps.h:
(JSC::WASM::isValidOpType): Deleted.
(JSC::WASM::isControlOp): Deleted.
* wasm/WASMParser.h:
(JSC::WASM::Parser::parseVarUInt32): Deleted.
(JSC::WASM::Parser::parseVarUInt64): Deleted.
(JSC::WASM::Parser::Parser): Deleted.
(JSC::WASM::Parser::consumeCharacter): Deleted.
(JSC::WASM::Parser::consumeString): Deleted.
(JSC::WASM::Parser::parseUInt32): Deleted.
(JSC::WASM::Parser::parseUInt7): Deleted.
(JSC::WASM::Parser::parseVarUInt1): Deleted.
(JSC::WASM::Parser::parseValueType): Deleted.
* wasm/WASMPlan.cpp:
(JSC::WASM::Plan::Plan): Deleted.
* wasm/WASMSections.h:
(JSC::WASM::Sections::validateOrder): Deleted.
* wasm/WasmB3IRGenerator.cpp: Renamed from Source/JavaScriptCore/wasm/WASMB3IRGenerator.cpp.
(dumpProcedure):
(JSC::Wasm::createJSWrapper):
(JSC::Wasm::parseAndCompile):
* wasm/WasmB3IRGenerator.h: Renamed from Source/JavaScriptCore/wasm/WASMB3IRGenerator.h.
* wasm/WasmCallingConvention.cpp: Renamed from Source/JavaScriptCore/wasm/WASMCallingConvention.cpp.
(JSC::Wasm::jscCallingConvention):
(JSC::Wasm::wasmCallingConvention):
* wasm/WasmCallingConvention.h: Renamed from Source/JavaScriptCore/wasm/WASMCallingConvention.h.
(JSC::Wasm::CallingConvention::CallingConvention):
(JSC::Wasm::CallingConvention::marshallArgumentImpl):
(JSC::Wasm::CallingConvention::marshallArgument):
(JSC::Wasm::CallingConvention::loadArguments):
(JSC::Wasm::CallingConvention::setupCall):
(JSC::Wasm::nextJSCOffset):
* wasm/WasmFormat.h: Renamed from Source/JavaScriptCore/wasm/WASMFormat.h.
(JSC::Wasm::toB3Type):
(JSC::Wasm::isValueType):
* wasm/WasmFunctionParser.h: Renamed from Source/JavaScriptCore/wasm/WASMFunctionParser.h.
(JSC::Wasm::FunctionParser<Context>::FunctionParser):
(JSC::Wasm::FunctionParser<Context>::parse):
(JSC::Wasm::FunctionParser<Context>::parseBlock):
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
* wasm/WasmMemory.cpp: Renamed from Source/JavaScriptCore/wasm/WASMMemory.cpp.
(JSC::Wasm::Memory::Memory):
* wasm/WasmMemory.h: Renamed from Source/JavaScriptCore/wasm/WASMMemory.h.
(JSC::Wasm::Memory::~Memory):
(JSC::Wasm::Memory::memory):
(JSC::Wasm::Memory::size):
(JSC::Wasm::Memory::pinnedRegisters):
(JSC::Wasm::Memory::mode):
(JSC::Wasm::Memory::grow):
(JSC::Wasm::Memory::offsetOfSize):
* wasm/WasmModuleParser.cpp: Renamed from Source/JavaScriptCore/wasm/WASMModuleParser.cpp.
(JSC::Wasm::ModuleParser::parse):
(JSC::Wasm::ModuleParser::parseMemory):
(JSC::Wasm::ModuleParser::parseFunctionTypes):
(JSC::Wasm::ModuleParser::parseFunctionSignatures):
(JSC::Wasm::ModuleParser::parseFunctionDefinitions):
* wasm/WasmModuleParser.h: Renamed from Source/JavaScriptCore/wasm/WASMModuleParser.h.
(JSC::Wasm::ModuleParser::ModuleParser):
(JSC::Wasm::ModuleParser::functionInformation):
(JSC::Wasm::ModuleParser::memory):
* wasm/WasmOps.h: Renamed from Source/JavaScriptCore/wasm/WASMOps.h.
(JSC::Wasm::isValidOpType):
(JSC::Wasm::isControlOp):
* wasm/WasmParser.h: Renamed from Source/JavaScriptCore/wasm/WASMParser.h.
(JSC::Wasm::Parser::parseVarUInt32):
(JSC::Wasm::Parser::parseVarUInt64):
(JSC::Wasm::Parser::Parser):
(JSC::Wasm::Parser::consumeCharacter):
(JSC::Wasm::Parser::consumeString):
(JSC::Wasm::Parser::parseUInt32):
(JSC::Wasm::Parser::parseUInt7):
(JSC::Wasm::Parser::parseVarUInt1):
(JSC::Wasm::Parser::parseValueType):
* wasm/WasmPlan.cpp: Renamed from Source/JavaScriptCore/wasm/WASMPlan.cpp.
(JSC::Wasm::Plan::Plan):
* wasm/WasmPlan.h: Renamed from Source/JavaScriptCore/wasm/WASMPlan.h.
* wasm/WasmSections.h: Renamed from Source/JavaScriptCore/wasm/WASMSections.h.
(JSC::Wasm::Sections::validateOrder):
2016-10-21 Caitlin Potter <caitp@igalia.com>
[JSC] don't crash when arguments to `new Function()` produce unexpected AST
https://bugs.webkit.org/show_bug.cgi?id=163748
Reviewed by Mark Lam.
The ASSERT(statement); and ASSERT(funcDecl); lines are removed, replaced with blocks
to report a generic Parser error message. These lines are only possible to be reached
if the input string produced an unexpected AST, which previously could be used to crash
the process via ASSERT failure.
The node type assertions are left in the tree, as it should be impossible for a top-level
`{` to produce anything other than a Block node. If the node turns out not to be a Block,
it indicates that the (C++) caller of this function (E.g in FunctionConstructor.cpp), is
doing something incorrect. Similarly, it should be impossible for the `funcDecl` node to
be anything other than a function declaration given the conventions of the caller of this
function.
* runtime/CodeCache.cpp:
(JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2016-10-20 Keith Miller <keith_miller@apple.com>
Add support for WASM calls
https://bugs.webkit.org/show_bug.cgi?id=161727
Reviewed by Filip Pizlo and Michael Saboff.
Add support for WASM calls. Since most of the work for this was already done when we added
WASM Memory, this is mostly just cleanup work. The main interesting part of this patch is
how we link calls to other WASM functions in the same module. Since a WASM callee may not
have been compiled by the time the current function has started compilation we don't know
what address we need to call to. For each callsite in the compiling function, WASM
remembers the CodeLocationCall and the target function index. Once all WASM functions are
compiled, each callsite is linked to the appropriate entrypoint.
* testWASM.cpp:
(runWASMTests):
* wasm/WASMB3IRGenerator.cpp:
(JSC::WASM::createJSWrapper):
(JSC::WASM::parseAndCompile):
* wasm/WASMB3IRGenerator.h:
* wasm/WASMCallingConvention.cpp:
(JSC::WASM::jscCallingConvention):
(JSC::WASM::wasmCallingConvention):
* wasm/WASMCallingConvention.h:
(JSC::WASM::CallingConvention::CallingConvention):
(JSC::WASM::CallingConvention::marshallArgumentImpl):
(JSC::WASM::CallingConvention::marshallArgument):
(JSC::WASM::CallingConvention::loadArguments):
(JSC::WASM::CallingConvention::setupCall):
(JSC::WASM::CallingConvention::iterate): Deleted.
* wasm/WASMFormat.h:
* wasm/WASMFunctionParser.h:
(JSC::WASM::FunctionParser<Context>::FunctionParser):
(JSC::WASM::FunctionParser<Context>::parseBlock):
(JSC::WASM::FunctionParser<Context>::parseExpression):
* wasm/WASMModuleParser.cpp:
(JSC::WASM::ModuleParser::parse):
* wasm/WASMOps.h:
* wasm/WASMParser.h:
(JSC::WASM::Parser::parseVarUInt32):
(JSC::WASM::Parser::parseVarUInt64):
* wasm/WASMPlan.cpp:
(JSC::WASM::Plan::Plan):
2016-10-21 Wenson Hsieh <wenson_hsieh@apple.com>
Implement InputEvent.getTargetRanges() for the input events spec
https://bugs.webkit.org/show_bug.cgi?id=162947
<rdar://problem/28853079>
Reviewed by Darin Adler.
Boilerplate change to add a runtime guard for InputEvents-related IDL interfaces. See WebCore ChangeLog entry
for more details.
* runtime/CommonIdentifiers.h:
2016-10-20 Zan Dobersek <zdobersek@igalia.com>
Fix JSC cast-align compiler warnings on ARMv7
https://bugs.webkit.org/show_bug.cgi?id=163744
Reviewed by Mark Lam.
Use the reinterpret_cast_ptr workaround in a few places where
the cast alignment warning is being thrown by the GCC compiler
when compiling for the ARMv7 architecture.
* heap/Heap.cpp:
(JSC::Zombify::visit):
* heap/HeapCell.h:
(JSC::HeapCell::zap):
(JSC::HeapCell::isZapped):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::specializedSweep):
2016-10-20 Filip Pizlo <fpizlo@apple.com>
The tracking of the coarse-grain Heap state (allocating or not, collector or not, eden vs full) should respect the orthogonality between allocating and collecting
https://bugs.webkit.org/show_bug.cgi?id=163738
Reviewed by Geoffrey Garen.
We need to know if we're currently in an allocation slow path, so that code can assert that
it's not being used from inside a destructor that runs during a sweep. We need to know if
we're currently collecting, because some code behaves differently during collection, and
other code wants to assert that it's not being used from inside a visitChildren method that
runs during marking. If we are collecting, we need to know if it's an eden collection or a
full collection. If we are requesting a collection, we need to know if we're requesting an
eden collection, a full collection, or any kind of collection.
Prior to this change, you would reason about all of these things using the HeapOperation. It
had the following states: NoOperation, Allocation, FullCollection, EdenCollection, and
AnyCollection. NoOperation versus Allocation was primarily for asserting that sweep didn't
call arbitrary JS. FullCollection versus EdenCollection was about describing generations. We
would even use HeapOperation in places where we knew that it could only be either Full or
Eden, because we just needed a variable to tell us which generation we were talking about.
It was all very confusing.
Where it completely breaks down is the fact that a concurrent GC has two logical threads, the
mutator and the collector, which can change state independently. The mutator can be
allocating. It can also be doing some work to help the GC. That's three states: running,
allocating, or helping GC. At the same time, the GC thread could either be running or not,
and if it's running, it could be a full collection or an eden collection. Because the mutator
and collector can run at the same time, it means that if we used one enum, we would need nine
states: every combination of mutator running, allocating, or helping GC, crossed with
collector not running, running eden, or running full. So, this change decouples mutator state
from collector state and uses two separate fields with two different types.
Mutator state is described using MutatorState, which can be either MutatorState::Running,
MutatorState::Allocating, or MutatorState::HelpingGC.
Collector state is described using Optional<CollectionScope>. CollectionScope describes how
big the scope of the collection is, and it can be either CollectionScope::Eden or
CollectionScope::Full. If the Optional is Nullopt, it means that we are not collecting. This
way, you can treat collectionScope as a boolean (an Optional is true iff it's engaged). You
can pass around just a CollectionScope if you know that you must be collecting and you just
want to know about the generation. Also, we can use Nullopt in methods that request
collection, which those methods take to mean that they can run any kind of collection (the
old AnyCollection).
Another use of HeapOperation was to answer questions about whether the caller is running as
part of the GC or as part of the mutator. Optional<CollectionScope> does not answer this,
since code that runs in the mutator while the mutator is not HelpingGC at the same time as
the collector is running should run as if it was part of the mutator not as if it was part of
the GC. MutatorState is needed to answer this question, but it doesn't tell the whole story
since code that runs in the collector thread at the same time as the mutator is running
should run as if it was part of the GC not as if it was part of the mutator. So, we need to
know if we're on the collector thread or the mutator thread. We already have a WTF facility
for this, which answers if a thread is a GC thread. But we already use this to answer a
stronger question: are we part of the parallel GC helpers? Some functions in the GC, like
mark bit queries, will work fine in a concurrent collector thread so long as there is no
parallel marking. So, this change also changes WTF's mayBeGCThread to tell what kind of GC
thread we may be: either GCThreadType::Main or GCThreadType::Helper. The parallel GC safety
checks look for GCThreadType::Helper. The "should I run as mutator" query can now be answered
by checking with mayBeGCThread, which returns Optional<GCThreadType>; if engaged, then run as
GC, else run as GC if MutatorState is HelpingGC, else run as mutator.
This doesn't change the way that the GC behaves, but it does change how the GC represents a
fundamental piece of state. So, it's a big change. It should be perf-neutral (still testing).
* API/JSBase.cpp:
(JSSynchronousEdenCollectForDebugging):
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):
* dfg/DFGWorklist.cpp:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* heap/AllocatingScope.h: Added.
(JSC::AllocatingScope::AllocatingScope):
(JSC::AllocatingScope::~AllocatingScope):
* heap/AllocationScope.h: Removed.
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
* heap/CodeBlockSet.h:
* heap/CollectionScope.cpp: Added.
(JSC::collectionScopeName):
(WTF::printInternal):
* heap/CollectionScope.h: Added.
* heap/EdenGCActivityCallback.cpp:
(JSC::EdenGCActivityCallback::doCollection):
* heap/FullGCActivityCallback.cpp:
(JSC::FullGCActivityCallback::doCollection):
* heap/GCTypeMap.h:
(JSC::GCTypeMap::operator[]):
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::markRoots):
(JSC::Heap::beginMarking):
(JSC::Heap::visitSmallStrings):
(JSC::Heap::updateObjectCounts):
(JSC::Heap::deleteAllCodeBlocks):
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::collectAllGarbage):
(JSC::Heap::collect):
(JSC::Heap::collectWithoutAnySweep):
(JSC::Heap::collectImpl):
(JSC::Heap::willStartCollection):
(JSC::Heap::flushWriteBarrierBuffer):
(JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
(JSC::Heap::notifyIncrementalSweeper):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::didFinishCollection):
(JSC::Heap::isValidAllocation):
(JSC::Heap::shouldDoFullCollection):
* heap/Heap.h:
(JSC::Heap::mutatorState):
(JSC::Heap::collectionScope):
(JSC::Heap::operationInProgress): Deleted.
* heap/HeapInlines.h:
(JSC::Heap::shouldCollect):
(JSC::Heap::isCurrentThreadBusy):
(JSC::Heap::isMarked):
(JSC::Heap::reportExtraMemoryVisited):
(JSC::Heap::reportExternalMemoryVisited):
(JSC::Heap::collectAccordingToDeferGCProbability):
(JSC::Heap::isBusy): Deleted.
(JSC::Heap::isCollecting): Deleted.
* heap/HeapObserver.h:
* heap/HeapOperation.cpp: Removed.
* heap/HeapOperation.h: Removed.
* heap/HeapVerifier.cpp:
(JSC::HeapVerifier::initializeGCCycle):
(JSC::HeapVerifier::reportObject):
(JSC::HeapVerifier::collectionTypeName): Deleted.
* heap/HeapVerifier.h:
(JSC::HeapVerifier::GCCycle::collectionTypeName): Deleted.
* heap/HelpingGCScope.h: Added.
(JSC::HelpingGCScope::HelpingGCScope):
(JSC::HelpingGCScope::~HelpingGCScope):
* heap/LargeAllocation.cpp:
(JSC::LargeAllocation::flip):
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::doTestCollectionsIfNeeded):
(JSC::MarkedAllocator::allocateSlowCaseImpl):
* heap/MarkedBlock.h:
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::prepareForAllocation):
(JSC::MarkedSpace::visitWeakSets):
(JSC::MarkedSpace::reapWeakSets):
(JSC::MarkedSpace::prepareForMarking):
(JSC::MarkedSpace::beginMarking):
(JSC::MarkedSpace::snapshotUnswept):
* heap/MutatorState.cpp: Added.
(WTF::printInternal):
* heap/MutatorState.h: Added.
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::didStartMarking):
* inspector/agents/InspectorHeapAgent.cpp:
(Inspector::protocolTypeForHeapOperation):
(Inspector::InspectorHeapAgent::didGarbageCollect):
* inspector/agents/InspectorHeapAgent.h:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
* jsc.cpp:
(functionFullGC):
(functionEdenGC):
* runtime/Completion.cpp:
(JSC::evaluate):
(JSC::loadAndEvaluateModule):
(JSC::loadModule):
(JSC::linkAndEvaluateModule):
* runtime/JSLock.cpp:
(JSC::JSLock::DropAllLocks::DropAllLocks):
* runtime/SmallStrings.h:
(JSC::SmallStrings::needsToBeVisited):
* runtime/VM.h:
(JSC::VM::isCollectorBusyOnCurrentThread):
(JSC::VM::isCollectorBusy): Deleted.
* tools/JSDollarVMPrototype.cpp:
(JSC::JSDollarVMPrototype::edenGC):
2016-10-20 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Drop isEnvironmentRecord type info flag and use JSType information instead
https://bugs.webkit.org/show_bug.cgi?id=163761
Reviewed by Keith Miller.
When we call a function in the following form,
var charAt = String.prototype.charAt;
charAt(); // |this| becomes the global object.
we should see |this| as undefined/null. In StringPrototype.cpp,
we use IsEnvironmentRecord type info flag to check whther the
given |this| is an environment record.
However, type info flag is precious thing and only StringPrototype.cpp
uses IsEnvironmentRecord. In addition to that, JSType should
already knows whether the given object is an environment record.
So IsEnvironmentRecord type info flag should be dropped.
This patch adds a new JSType, StrictEvalActivation. And we add a new
method JSObject::isEnvironmentRecord(). This method uses JSType to
return the result. And we drop IsEnvironmentRecord type info flag.
This patch makes a room for putting one bit flag to the out of line
type info flag. Previously, it is already exhausted.
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
* runtime/JSObject.h:
(JSC::JSObject::isStrictEvalActivation):
(JSC::JSObject::isEnvironmentRecord):
* runtime/JSSymbolTableObject.h:
* runtime/JSType.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
(JSC::TypeInfo::isEnvironmentRecord): Deleted.
* runtime/StrictEvalActivation.h:
(JSC::StrictEvalActivation::createStructure):
* runtime/StringPrototype.cpp:
(JSC::checkObjectCoercible):
2016-10-20 JF Bastien <jfbastien@apple.com>
WebAssembly API: implement exception constructors properly
- Rename WebAssemblyObject to JSWebAssembly for consistency.
- WebAssembly object now has its own prototype: add WebAssemblyPrototype, and
use it to register JSWebAssembly's function properties through auto-generated
.lut.h, instead of manually.
- The error constructors used to throw (e.g. `new WebAssembly.CompileError()`).
- Register WebAssembly's constructors from the global object, and hold a
reference to their structure and prototype so that invoking the constructor
can use the structure directly from the global object.
- Add a prototype base field to global object creation. Previous ones all had
Object's prototype as their base, but WebAssembly's error constructors have
Error as their base.
- Test for the error object's correctness.
- Add missing #if ENABLE(WEBASSEMBLY)
WebAssembly API: implement exception constructors properly
https://bugs.webkit.org/show_bug.cgi?id=163699
Reviewed by Keith Miller.
* CMakeLists.txt: rename WebAssemblyObject -> JSWebAssembly; add a .lut.h file
* DerivedSources.make: new .lut.h file
* JavaScriptCore.xcodeproj/project.pbxproj: ditto
* runtime/JSGlobalObject.cpp: new prototypeBase macro
(JSC::JSGlobalObject::init): register WebAssembly constructors here
(JSC::JSGlobalObject::visitChildren): use the macro to visit
* runtime/JSGlobalObject.h: declare the WebAssembly constructor macro
* wasm/JSWebAssembly.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::JSWebAssembly::create):
(JSC::JSWebAssembly::createStructure):
(JSC::JSWebAssembly::finishCreation):
(JSC::JSWebAssembly::JSWebAssembly):
* wasm/JSWebAssembly.h: Renamed from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
* wasm/WebAssemblyObject.cpp: Removed.
* wasm/js/JSWebAssemblyCompileError.cpp:
* wasm/js/JSWebAssemblyCompileError.h:
(JSC::JSWebAssemblyCompileError::create): string convenience
* wasm/js/JSWebAssemblyInstance.cpp:
* wasm/js/JSWebAssemblyInstance.h:
* wasm/js/JSWebAssemblyMemory.cpp:
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.cpp:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyRuntimeError.cpp:
* wasm/js/JSWebAssemblyRuntimeError.h:
(JSC::JSWebAssemblyRuntimeError::create): string convenience
* wasm/js/JSWebAssemblyTable.cpp:
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WebAssemblyCompileErrorConstructor.cpp:
(JSC::constructJSWebAssemblyCompileError):don't throw, create the object
(JSC::WebAssemblyCompileErrorConstructor::finishCreation):no need for the structure, it's on the global object
* wasm/js/WebAssemblyCompileErrorConstructor.h:
* wasm/js/WebAssemblyCompileErrorPrototype.cpp:
* wasm/js/WebAssemblyCompileErrorPrototype.h:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
* wasm/js/WebAssemblyInstanceConstructor.h:
* wasm/js/WebAssemblyInstancePrototype.cpp:
* wasm/js/WebAssemblyInstancePrototype.h:
* wasm/js/WebAssemblyMemoryConstructor.cpp:
* wasm/js/WebAssemblyMemoryConstructor.h:
* wasm/js/WebAssemblyMemoryPrototype.cpp:
* wasm/js/WebAssemblyMemoryPrototype.h:
* wasm/js/WebAssemblyModuleConstructor.cpp:
* wasm/js/WebAssemblyModuleConstructor.h:
* wasm/js/WebAssemblyModulePrototype.cpp:
* wasm/js/WebAssemblyModulePrototype.h:
* wasm/js/WebAssemblyPrototype.cpp: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyCompileErrorPrototype.cpp.
(JSC::webAssemblyFunctionValidate):
(JSC::webAssemblyFunctionCompile):
(JSC::WebAssemblyPrototype::create):
(JSC::WebAssemblyPrototype::createStructure):
(JSC::WebAssemblyPrototype::finishCreation):
(JSC::WebAssemblyPrototype::WebAssemblyPrototype):
* wasm/js/WebAssemblyPrototype.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyMemoryPrototype.h.
* wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
(JSC::constructJSWebAssemblyRuntimeError):don't throw, create the object
(JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):no need for the structure, it's on the global object
* wasm/js/WebAssemblyRuntimeErrorConstructor.h:
* wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
* wasm/js/WebAssemblyRuntimeErrorPrototype.h:
* wasm/js/WebAssemblyTableConstructor.cpp:
* wasm/js/WebAssemblyTableConstructor.h:
* wasm/js/WebAssemblyTablePrototype.cpp:
* wasm/js/WebAssemblyTablePrototype.h:
2016-10-19 Myles C. Maxfield <mmaxfield@apple.com>
[macOS] [iOS] Disable variation fonts on macOS El Capitan and iOS 9
https://bugs.webkit.org/show_bug.cgi?id=163374
Reviewed by Darin Adler.
* Configurations/FeatureDefines.xcconfig:
2016-10-20 Caitlin Potter <caitp@igalia.com>
[JSC] disallow references to `await` in AsyncFunction formal parameters
https://bugs.webkit.org/show_bug.cgi?id=163694
Reviewed by Saam Barati.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseAssignmentExpression):
2016-10-19 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Move InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero to out of line type info flags
https://bugs.webkit.org/show_bug.cgi?id=163716
Reviewed by Saam Barati.
We found that all the accesses to the InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero flag is
done through the Structure. There is no user that accesses this flag in the cell inlined member. And JIT
code does not access it directly. That means that we can move this flag from inlined flags to out of line
flags. This patch moves it to the out of line flags. And make one bit empty in inlined flags. Later this
new empty flag will be used by megamorphic DOMJIT implementation.
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::hasStaticPropertyTable):
(JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
2016-10-20 Keith Miller <keith_miller@apple.com>
Invalid assertion in arguments elimination
https://bugs.webkit.org/show_bug.cgi?id=163740
<rdar://problem/27911462>
Reviewed by Michael Saboff.
The DFGFTL's arguments elimination phase incorrectly asserted that a GetFromArguments' first
child would always be a CreateDirectArguments. While we only create the
op_get_from_arguments bytecode pointing to a create_direct_arguments, its possible for a
number of reasons that a DFG GetFromArguments may not point to a CreateDirectArguments. For
example, if we are OSR entering in some function with direct arguments the
CreateDirectArguments node might become ExtractOSREntryLocals.
* dfg/DFGArgumentsEliminationPhase.cpp:
2016-10-20 Caitlin Potter <caitp@igalia.com>
[JSC] throw TypeError when constructing dynamically created JSGeneratorFunction
https://bugs.webkit.org/show_bug.cgi?id=163714
Reviewed by Mark Lam.
According to CreateDynamicFunction() (https://tc39.github.io/ecma262/#sec-createdynamicfunction),
non-normal functions are not constructors. Previously, dynamically created functions would always
be constructible, and so it was possible to evaluate `new (function*() {}.constructor())`,
and have it return an Iterator object.
This change selects a dynamically created function's ConstructAbility based on its parse mode instead.
* runtime/CodeCache.cpp:
(JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2016-10-19 JF Bastien <jfbastien@apple.com>
create_hash_table: allow empty tables
The Windows build was broken by because I added empty tables and Windows insists that empty tables are horrible. Put in dummy entries in that case.
create_hash_table: allow empty tables
https://bugs.webkit.org/show_bug.cgi?id=163701
Reviewed by Keith Miller.
* create_hash_table:
2016-10-19 JF Bastien <jfbastien@apple.com>
JavaScript WebAssembly API: baby steps
- Expand WebAssembly constructors into their own files. This requires a lot of
boilerplate, as well as adding the .lut.h files. All of the
JSWebAssembly*.{h,cpp}, as well as Constructor and Prototype files, are
currently the same between the 4 specified WebAssembly constructors. It'll be
easy to implement individual functions on constructed objects as per the
spec, and have each of these files diverge. The error constructors are also
similar, except that their instance derives from ErrorInstance.
- Use constructor macro when initializing the global object.
- Dramatically improve testing of the WebAssembly API by checking for
properties specified in the spec [*].
- Clean up assert.js' exception testing.
- Fix a copy-paste bug in wasm.json: floating-point const return values were
swapped.
[*] https://github.com/WebAssembly/design/blob/master/JS.md
Implement more of the JavaScript WebAssembly API
https://bugs.webkit.org/show_bug.cgi?id=163571
Reviewed by Keith Miller.
* CMakeLists.txt: add .lut.h generation
* DerivedSources.make: ditto
* JavaScriptCore.xcodeproj/project.pbxproj: add .lut.h generation and all the new files
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init): use macro to list all constructors
* wasm/WebAssemblyObject.cpp: unboilerplate, all constructors into their own files
* wasm/WebAssemblyObject.h: ditto
* wasm/js/JSWebAssemblyCompileError.cpp: Added.
(JSC::JSWebAssemblyCompileError::create):
(JSC::JSWebAssemblyCompileError::createStructure):
(JSC::JSWebAssemblyCompileError::JSWebAssemblyCompileError):
(JSC::JSWebAssemblyCompileError::finishCreation):
(JSC::JSWebAssemblyCompileError::destroy):
(JSC::JSWebAssemblyCompileError::visitChildren):
* wasm/js/JSWebAssemblyCompileError.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
* wasm/js/JSWebAssemblyInstance.cpp: Added.
(JSC::JSWebAssemblyInstance::create):
(JSC::JSWebAssemblyInstance::createStructure):
(JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
(JSC::JSWebAssemblyInstance::finishCreation):
(JSC::JSWebAssemblyInstance::destroy):
(JSC::JSWebAssemblyInstance::visitChildren):
* wasm/js/JSWebAssemblyInstance.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
* wasm/js/JSWebAssemblyMemory.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::JSWebAssemblyMemory::create):
(JSC::JSWebAssemblyMemory::createStructure):
(JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
(JSC::JSWebAssemblyMemory::finishCreation):
(JSC::JSWebAssemblyMemory::destroy):
(JSC::JSWebAssemblyMemory::visitChildren):
* wasm/js/JSWebAssemblyMemory.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
* wasm/js/JSWebAssemblyModule.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::JSWebAssemblyModule::create):
(JSC::JSWebAssemblyModule::createStructure):
(JSC::JSWebAssemblyModule::JSWebAssemblyModule):
(JSC::JSWebAssemblyModule::finishCreation):
(JSC::JSWebAssemblyModule::destroy):
(JSC::JSWebAssemblyModule::visitChildren):
* wasm/js/JSWebAssemblyModule.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
* wasm/js/JSWebAssemblyRuntimeError.cpp: Added.
(JSC::JSWebAssemblyRuntimeError::create):
(JSC::JSWebAssemblyRuntimeError::createStructure):
(JSC::JSWebAssemblyRuntimeError::JSWebAssemblyRuntimeError):
(JSC::JSWebAssemblyRuntimeError::finishCreation):
(JSC::JSWebAssemblyRuntimeError::destroy):
(JSC::JSWebAssemblyRuntimeError::visitChildren):
* wasm/js/JSWebAssemblyRuntimeError.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
* wasm/js/JSWebAssemblyTable.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::JSWebAssemblyTable::create):
(JSC::JSWebAssemblyTable::createStructure):
(JSC::JSWebAssemblyTable::JSWebAssemblyTable):
(JSC::JSWebAssemblyTable::finishCreation):
(JSC::JSWebAssemblyTable::destroy):
(JSC::JSWebAssemblyTable::visitChildren):
* wasm/js/JSWebAssemblyTable.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
* wasm/js/WebAssemblyCompileErrorConstructor.cpp: Added.
(JSC::constructJSWebAssemblyCompileError):
(JSC::callJSWebAssemblyCompileError):
(JSC::WebAssemblyCompileErrorConstructor::create):
(JSC::WebAssemblyCompileErrorConstructor::createStructure):
(JSC::WebAssemblyCompileErrorConstructor::finishCreation):
(JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
(JSC::WebAssemblyCompileErrorConstructor::getConstructData):
(JSC::WebAssemblyCompileErrorConstructor::getCallData):
(JSC::WebAssemblyCompileErrorConstructor::visitChildren):
* wasm/js/WebAssemblyCompileErrorConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::WebAssemblyCompileErrorConstructor::CompileErrorStructure):
* wasm/js/WebAssemblyCompileErrorPrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::WebAssemblyCompileErrorPrototype::create):
(JSC::WebAssemblyCompileErrorPrototype::createStructure):
(JSC::WebAssemblyCompileErrorPrototype::finishCreation):
(JSC::WebAssemblyCompileErrorPrototype::WebAssemblyCompileErrorPrototype):
* wasm/js/WebAssemblyCompileErrorPrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
* wasm/js/WebAssemblyInstanceConstructor.cpp: Added.
(JSC::constructJSWebAssemblyInstance):
(JSC::callJSWebAssemblyInstance):
(JSC::WebAssemblyInstanceConstructor::create):
(JSC::WebAssemblyInstanceConstructor::createStructure):
(JSC::WebAssemblyInstanceConstructor::finishCreation):
(JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
(JSC::WebAssemblyInstanceConstructor::getConstructData):
(JSC::WebAssemblyInstanceConstructor::getCallData):
(JSC::WebAssemblyInstanceConstructor::visitChildren):
* wasm/js/WebAssemblyInstanceConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::WebAssemblyInstanceConstructor::InstanceStructure):
* wasm/js/WebAssemblyInstancePrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::WebAssemblyInstancePrototype::create):
(JSC::WebAssemblyInstancePrototype::createStructure):
(JSC::WebAssemblyInstancePrototype::finishCreation):
(JSC::WebAssemblyInstancePrototype::WebAssemblyInstancePrototype):
* wasm/js/WebAssemblyInstancePrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
* wasm/js/WebAssemblyMemoryConstructor.cpp: Added.
(JSC::constructJSWebAssemblyMemory):
(JSC::callJSWebAssemblyMemory):
(JSC::WebAssemblyMemoryConstructor::create):
(JSC::WebAssemblyMemoryConstructor::createStructure):
(JSC::WebAssemblyMemoryConstructor::finishCreation):
(JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
(JSC::WebAssemblyMemoryConstructor::getConstructData):
(JSC::WebAssemblyMemoryConstructor::getCallData):
(JSC::WebAssemblyMemoryConstructor::visitChildren):
* wasm/js/WebAssemblyMemoryConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::WebAssemblyMemoryConstructor::MemoryStructure):
* wasm/js/WebAssemblyMemoryPrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::WebAssemblyMemoryPrototype::create):
(JSC::WebAssemblyMemoryPrototype::createStructure):
(JSC::WebAssemblyMemoryPrototype::finishCreation):
(JSC::WebAssemblyMemoryPrototype::WebAssemblyMemoryPrototype):
* wasm/js/WebAssemblyMemoryPrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
* wasm/js/WebAssemblyModuleConstructor.cpp: Added.
(JSC::constructJSWebAssemblyModule):
(JSC::callJSWebAssemblyModule):
(JSC::WebAssemblyModuleConstructor::create):
(JSC::WebAssemblyModuleConstructor::createStructure):
(JSC::WebAssemblyModuleConstructor::finishCreation):
(JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
(JSC::WebAssemblyModuleConstructor::getConstructData):
(JSC::WebAssemblyModuleConstructor::getCallData):
(JSC::WebAssemblyModuleConstructor::visitChildren):
* wasm/js/WebAssemblyModuleConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::WebAssemblyModuleConstructor::ModuleStructure):
* wasm/js/WebAssemblyModulePrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::WebAssemblyModulePrototype::create):
(JSC::WebAssemblyModulePrototype::createStructure):
(JSC::WebAssemblyModulePrototype::finishCreation):
(JSC::WebAssemblyModulePrototype::WebAssemblyModulePrototype):
* wasm/js/WebAssemblyModulePrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
* wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: Added.
(JSC::constructJSWebAssemblyRuntimeError):
(JSC::callJSWebAssemblyRuntimeError):
(JSC::WebAssemblyRuntimeErrorConstructor::create):
(JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
(JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
(JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
(JSC::WebAssemblyRuntimeErrorConstructor::getConstructData):
(JSC::WebAssemblyRuntimeErrorConstructor::getCallData):
(JSC::WebAssemblyRuntimeErrorConstructor::visitChildren):
* wasm/js/WebAssemblyRuntimeErrorConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::WebAssemblyRuntimeErrorConstructor::RuntimeErrorStructure):
* wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::WebAssemblyRuntimeErrorPrototype::create):
(JSC::WebAssemblyRuntimeErrorPrototype::createStructure):
(JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
(JSC::WebAssemblyRuntimeErrorPrototype::WebAssemblyRuntimeErrorPrototype):
* wasm/js/WebAssemblyRuntimeErrorPrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
* wasm/js/WebAssemblyTableConstructor.cpp: Added.
(JSC::constructJSWebAssemblyTable):
(JSC::callJSWebAssemblyTable):
(JSC::WebAssemblyTableConstructor::create):
(JSC::WebAssemblyTableConstructor::createStructure):
(JSC::WebAssemblyTableConstructor::finishCreation):
(JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
(JSC::WebAssemblyTableConstructor::getConstructData):
(JSC::WebAssemblyTableConstructor::getCallData):
(JSC::WebAssemblyTableConstructor::visitChildren):
* wasm/js/WebAssemblyTableConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::WebAssemblyTableConstructor::TableStructure):
* wasm/js/WebAssemblyTablePrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
(JSC::WebAssemblyTablePrototype::create):
(JSC::WebAssemblyTablePrototype::createStructure):
(JSC::WebAssemblyTablePrototype::finishCreation):
(JSC::WebAssemblyTablePrototype::WebAssemblyTablePrototype):
* wasm/js/WebAssemblyTablePrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
2016-10-19 Caitlin Potter <caitp@igalia.com>
[JSC] forbid "use strict" directive in generator functions with non-simple parameters
https://bugs.webkit.org/show_bug.cgi?id=163683
Reviewed by Geoffrey Garen.
Because generator functions and async functions both have an implicit
inner function whose arguments are inherited from its parent, "use strict"
directives within these functions did not yield a SyntaxError.
Now, the correct syntax error is reported, fixing several test262 failures
for generators and async functions.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseFunctionInfo):
2016-10-19 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r207557.
This change caused animations/font-variations tests to time
out on pre-Sierra Macs.
Reverted changeset:
"[macOS] [iOS] Disable variation fonts on macOS El Capitan and
iOS 9"
https://bugs.webkit.org/show_bug.cgi?id=163374
http://trac.webkit.org/changeset/207557
2016-10-19 Filip Pizlo <fpizlo@apple.com>
Baseline JIT should use AutomaticThread
https://bugs.webkit.org/show_bug.cgi?id=163686
Reviewed by Geoffrey Garen.
Change the JITWorklist to use AutomaticThread, so that the Baseline JIT's concurrent
compiler thread shuts down automatically after inactivity.
With this change, all of JSC's threads shut down automatically. If you run splay for a few
seconds (which fires up all threads - compiler and GC) and then go to sleep for a second,
you'll see that the only threads left are the main thread and the bmalloc thread.
* jit/JITWorklist.cpp:
(JSC::JITWorklist::Thread::Thread):
(JSC::JITWorklist::JITWorklist):
(JSC::JITWorklist::completeAllForVM):
(JSC::JITWorklist::poll):
(JSC::JITWorklist::compileLater):
(JSC::JITWorklist::compileNow):
(JSC::JITWorklist::finalizePlans):
(JSC::JITWorklist::runThread): Deleted.
* jit/JITWorklist.h:
2016-10-19 Myles C. Maxfield <mmaxfield@apple.com>
[macOS] [iOS] Disable variation fonts on macOS El Capitan and iOS 9
https://bugs.webkit.org/show_bug.cgi?id=163374
Reviewed by Darin Adler.
* Configurations/FeatureDefines.xcconfig:
2016-10-19 Aaron Chu <aaron_chu@apple.com>
Web Inspector: AXI: expose computed tree node and heading level
https://bugs.webkit.org/show_bug.cgi?id=130825
<rdar://problem/16442349>
Reviewed by Joseph Pecoraro.
Exposing two new accessibility properties: Heading Level and Hierarchical Level.
* inspector/protocol/DOM.json:
2016-10-18 Filip Pizlo <fpizlo@apple.com>
DFG worklist should use AutomaticThread
https://bugs.webkit.org/show_bug.cgi?id=163615
Reviewed by Mark Lam.
AutomaticThread is a new feature in WTF that allows you to easily create worker threads that
shut down automatically. This changes DFG::Worklist to use AutomaticThread, so that its
threads shut down automatically, too. This has the potential to save a lot of memory.
This required some improvements to AutomaticThread: Worklist likes to be able to keep state
around for the whole lifetime of a thread, and so it likes knowing when threads are born and
when they die. I added virtual methods for that. Also, Worklist uses notifyOne() so I added
that, too.
This looks to be perf-neutral.
* dfg/DFGThreadData.cpp:
(JSC::DFG::ThreadData::ThreadData):
* dfg/DFGThreadData.h:
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::ThreadBody::ThreadBody):
(JSC::DFG::Worklist::Worklist):
(JSC::DFG::Worklist::~Worklist):
(JSC::DFG::Worklist::finishCreation):
(JSC::DFG::Worklist::isActiveForVM):
(JSC::DFG::Worklist::enqueue):
(JSC::DFG::Worklist::compilationState):
(JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
(JSC::DFG::Worklist::removeAllReadyPlansForVM):
(JSC::DFG::Worklist::completeAllReadyPlansForVM):
(JSC::DFG::Worklist::rememberCodeBlocks):
(JSC::DFG::Worklist::visitWeakReferences):
(JSC::DFG::Worklist::removeDeadPlans):
(JSC::DFG::Worklist::removeNonCompilingPlansForVM):
(JSC::DFG::Worklist::queueLength):
(JSC::DFG::Worklist::dump):
(JSC::DFG::Worklist::runThread): Deleted.
(JSC::DFG::Worklist::threadFunction): Deleted.
* dfg/DFGWorklist.h:
2016-10-19 Dan Bernstein <mitz@apple.com>
[Xcode] JavaScriptCore fails to build when CLANG_WARN_DOCUMENTATION_COMMENTS is enabled
https://bugs.webkit.org/show_bug.cgi?id=163642
Reviewed by Darin Adler.
* API/JSClassRef.cpp: Removed a bad headerdoc comment inside an implementation file.
* API/JSContext.h: Changed @methodgroup to @functiongroup, because the compiler requires the
former to be followed by a method (and we have a property), but not the latter. Changed
a couple of instances of “method” to “@method”. Removed empty @param entries.
* API/JSContextRefInternal.h: Named a parameter referenced in a @param entry.
* API/JSContextRefPrivate.h: Ditto.
* API/JSManagedValue.h: Removed empty @param entries.
* API/JSObjectRef.h: Corrected parameter name in @param entry.
* API/JSTypedArray.h: Ditto.
* API/JSValue.h: Removed empty @param entries, changed @methodgroup to @functiongroup, and
changed @method to @property where appropriate. Removed empty @param entries.
* API/JSValueRef.h: Named a parameter referenced in a @param entry.
* API/JSWeakObjectMapRefPrivate.h: Ditto.
* Configurations/Base.xcconfig: Enabled CLANG_WARN_DOCUMENTATION_COMMENTS. Made the compiler
treat the icu headers as system headers, to stop it from emitting warnings about headers
we don’t want to change.
* Configurations/ToolExecutable.xcconfig: Made the compiler treat the icu headers as system
headers.
2016-10-19 Csaba Osztrogonác <ossy@webkit.org>
Unreviewed ARM buildfix after r207475.
* assembler/ARMAssembler.h:
(JSC::ARMAssembler::relinkJumpToNop):
2016-10-18 Mark Lam <mark.lam@apple.com>
Invoking Object.prototype.__proto__ accessors directly should throw a TypeError.
https://bugs.webkit.org/show_bug.cgi?id=154377
<rdar://problem/27330808>
Reviewed by Filip Pizlo and Saam Barati.
In a scenario where we cache the __proto__ accessors in global variables, and
later explicitly invoke those accessors as functions, the spec for Function Calls
(see https://tc39.github.io/ecma262/#sec-function-calls) states that the function
ref value is of type Reference, and base of ref is an Environment Record. Then,
it follows that the thisValue should be set to refEnv.WithBaseObject()
(see section 4.b.ii of 12.3.4.1 at
https://tc39.github.io/ecma262/#sec-function-calls-runtime-semantics-evaluation).
refEnv in this case is the environment record that the cached accessors were
found in i.e. the global object. The WithBaseObject() of the global object is
undefined (see details about WithBaseObject at
https://tc39.github.io/ecma262/#sec-environment-records).
Hence, the __proto__ accessors should see a thisValue of undefined, and throw
TypeErrors. See https://tc39.github.io/ecma262/#sec-get-object.prototype.__proto__,
https://tc39.github.io/ecma262/#sec-set-object.prototype.__proto__,
https://tc39.github.io/ecma262/#sec-toobject, and
https://tc39.github.io/ecma262/#sec-requireobjectcoercible.
In JSC's implementation, the callee needs to do a ToThis operation on the
incoming "this" argument in order to get the specified thisValue. The
implementations of the __proto__ accessors were not doing this correctly. This
has now been fixed.
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncProtoGetter):
(JSC::globalFuncProtoSetter):
2016-10-18 Sam Weinig <sam@webkit.org>
Replace std::experimental::variant with WTF::Variant (or similar)
https://bugs.webkit.org/show_bug.cgi?id=163626
Reviewed by Chris Dumez.
Rename std::experimental::variant, Variant. Move helpers get/holds_alternative/etc.
into the WTF namespace.
* domjit/DOMJITReg.h:
(JSC::DOMJIT::Reg::gpr):
(JSC::DOMJIT::Reg::fpr):
(JSC::DOMJIT::Reg::jsValueRegs):
2016-10-18 Keith Miller <keith_miller@apple.com>
GetByVal to GetById conversion in the DFG is incorrect for getters with control flow
https://bugs.webkit.org/show_bug.cgi?id=163629
Reviewed by Yusuke Suzuki.
This patch fixes a bug in the DFG when attempt to convert a
GetByVal into a GetById. While converting the GetByVal, during
handleGetById in the Bytecode parser, we would mistakenly use the
opcode length of op_get_by_id rather than op_get_by_val. This causes
the new basic block we create to point to the wrong offset. In the
added test this will cause us to infinite loop.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::parseBlock):
2016-10-18 Dean Jackson <dino@apple.com>
Remove CSS_SHAPES feature definition. This should always be on.
https://bugs.webkit.org/show_bug.cgi?id=163628
<rdar://problem/28834613>
Reviewed by Tim Horton.
* Configurations/FeatureDefines.xcconfig:
2016-10-18 Michael Saboff <msaboff@apple.com>
Add JSC option to show time spent in each optimization phase
https://bugs.webkit.org/show_bug.cgi?id=163617
Reviewed by Saam Barati.
Added reportDFGPhaseTimes option. This outputs one line per phase similar to
Phase CPS rethreading took 0.2661 ms
One line is output for each phase run.
* dfg/DFGPhase.h:
(JSC::DFG::runAndLog):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThread):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h:
2016-10-18 Filip Pizlo <fpizlo@apple.com>
WTF should make it easier to create threads that die automatically after inactivity
https://bugs.webkit.org/show_bug.cgi?id=163576
Reviewed by Andreas Kling.
Added a sleepSeconds() function, which made it easier for me to test this change.
The WTF changes in this patch change how the JSC GC manages threads: the GC threads will now
shut down automatically after 1 second of inactivity. Maybe this will save some memory.
* jsc.cpp:
(GlobalObject::finishCreation):
(functionSleepSeconds):
2016-10-18 Keith Miller <keith_miller@apple.com>
Cleanup Wasm memory.
https://bugs.webkit.org/show_bug.cgi?id=163601
Reviewed by Saam Barati.
There were a couple of issues with the original Wasm memory patch.
This is a follow-up patch to fix those issues.
* wasm/WASMMemory.cpp:
(JSC::WASM::Memory::Memory):
* wasm/WASMMemory.h:
2016-10-15 Filip Pizlo <fpizlo@apple.com>
DFG and FTL should be able to use DirectCall ICs when they proved the callee or its executable
https://bugs.webkit.org/show_bug.cgi?id=163371
Reviewed by Geoffrey Garen and Saam Barati.
This adds a new kind of call inline cache for when the DFG can prove what the callee
executable is. In those cases, we can skip some of the things that the traditional call IC
would do:
- No need to check who the callee is.
- No need to do arity checks.
This case isn't as simple as just emitting a call instruction since the callee may not be
compiled at the time that the caller is compiled. So, we need lazy resolution. Also, the
callee may be jettisoned independently of the caller, so we need to be able to revert the
call to an unlinked state. This means that we need almost all of the things that
CallLinkInfo has. CallLinkInfo already knows about different kinds of calls. This patch
teaches it about new "Direct" call types.
The direct non-tail call IC looks like this:
set up arguments
FastPath:
call _SlowPath
lea -FrameSize(%rbp), %rsp
SlowPath:
pop
call operationLinkDirectCall
check exception
jmp FastPath
The job of operationLinkDirectCall is to link the fast path's call entrypoint of the callee.
This means that in steady state, a call is just that: a call. There are no extra branches or
checks.
The direct tail call IC is a bit more complicated because the act of setting up arguments
destroys our frame, which would prevent us from being able to throw an exception if we
failed to compile the callee. So, direct tail call ICs look like this:
jmp _SlowPath
FastPath:
set up arguments
jmp 0 // patch to jump to callee
SlowPath:
silent spill
call operationLinkDirectCall
silent fill
check exception
jmp FastPath
The jmp to the slow path is patched to be a fall-through jmp when we link the call.
Direct calls mean less code at call sites, fewer checks on the steady state call fast path,
and no need for arity fixup. This looks like a slight speed-up (~0.8%) on both Octane and
AsmBench.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::relinkJumpToNop):
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::relinkJumpToNop):
(JSC::ARMv7Assembler::relinkJump): Deleted.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::repatchJumpToNop):
(JSC::AbstractMacroAssembler::repatchJump): Deleted.
* assembler/X86Assembler.h:
(JSC::X86Assembler::relinkJumpToNop):
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::CallLinkInfo):
(JSC::CallLinkInfo::callReturnLocation):
(JSC::CallLinkInfo::patchableJump):
(JSC::CallLinkInfo::hotPathBegin):
(JSC::CallLinkInfo::slowPathStart):
(JSC::CallLinkInfo::setCallee):
(JSC::CallLinkInfo::clearCallee):
(JSC::CallLinkInfo::callee):
(JSC::CallLinkInfo::setCodeBlock):
(JSC::CallLinkInfo::clearCodeBlock):
(JSC::CallLinkInfo::codeBlock):
(JSC::CallLinkInfo::setLastSeenCallee):
(JSC::CallLinkInfo::clearLastSeenCallee):
(JSC::CallLinkInfo::lastSeenCallee):
(JSC::CallLinkInfo::haveLastSeenCallee):
(JSC::CallLinkInfo::setExecutableDuringCompilation):
(JSC::CallLinkInfo::executable):
(JSC::CallLinkInfo::setMaxNumArguments):
(JSC::CallLinkInfo::visitWeak):
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::specializationKindFor):
(JSC::CallLinkInfo::callModeFor):
(JSC::CallLinkInfo::isDirect):
(JSC::CallLinkInfo::nearCallMode):
(JSC::CallLinkInfo::isLinked):
(JSC::CallLinkInfo::setCallLocations):
(JSC::CallLinkInfo::addressOfMaxNumArguments):
(JSC::CallLinkInfo::maxNumArguments):
(JSC::CallLinkInfo::isTailCall): Deleted.
(JSC::CallLinkInfo::setUpCallFromFTL): Deleted.
(JSC::CallLinkInfo::callReturnLocation): Deleted.
(JSC::CallLinkInfo::hotPathBegin): Deleted.
(JSC::CallLinkInfo::callee): Deleted.
(JSC::CallLinkInfo::setLastSeenCallee): Deleted.
(JSC::CallLinkInfo::clearLastSeenCallee): Deleted.
(JSC::CallLinkInfo::lastSeenCallee): Deleted.
(JSC::CallLinkInfo::haveLastSeenCallee): Deleted.
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeDFGStatuses):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/UnlinkedFunctionExecutable.h:
* bytecode/ValueRecovery.h:
(JSC::ValueRecovery::forEachReg):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::findTerminal):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
(JSC::DFG::ByteCodeParser::handleCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::parameterSlotsForArgCount):
* dfg/DFGGraph.h:
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addJSDirectCall):
(JSC::DFG::JITCompiler::addJSDirectTailCall):
(JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
(JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
(JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
(JSC::DFG::JITCompiler::currentJSCallIndex): Deleted.
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToDirectCall):
* dfg/DFGNode.h:
(JSC::DFG::Node::isTerminal):
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
* jit/JIT.cpp:
(JSC::JIT::link):
* jit/JITCall.cpp:
(JSC::JIT::compileSetupVarargsFrame):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileSetupVarargsFrame):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/Repatch.cpp:
(JSC::linkDirectFor):
(JSC::revertCall):
* jit/Repatch.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* runtime/Executable.cpp:
(JSC::ScriptExecutable::prepareForExecutionImpl):
* runtime/Executable.h:
(JSC::ScriptExecutable::prepareForExecution):
* runtime/Options.h:
2016-10-18 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Not emit exception case if it is not necessary
https://bugs.webkit.org/show_bug.cgi?id=163589
Reviewed by Sam Weinig.
We should not emit exception case if we do not use the slow path calls.
For example, nodeType accessor does not use the slow path calls.
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::emitDOMJITGetter):
2016-10-18 Caitlin Potter <caitp@igalia.com>
[JSC] ES6 Method functions should not have prototype
https://bugs.webkit.org/show_bug.cgi?id=162530
Reviewed by Saam Barati.
ECMA-262 only adds "prototype" properties to specific syntactic function forms.
Specific items which do not contain "prototype" include (most) built-in functions (such as Math.pow),
MethodDefinitions which are not either class "constructor" methods or GeneratorMethods, AsyncFunctions,
and ArrowFunctions.
For details, see the following spec text, and the difference between GeneratorMethod evaluation and
the evaluation of other MethodDefinition forms.
- https://tc39.github.io/ecma262/#sec-method-definitions-runtime-semantics-propertydefinitionevaluation
- https://tc39.github.io/ecma262/#sec-arrow-function-definitions-runtime-semantics-evaluation
- https://tc39.github.io/ecmascript-asyncawait/#async-function-instances
- https://tc39.github.io/ecma262/#sec-generator-function-definitions-runtime-semantics-propertydefinitionevaluation
* runtime/Executable.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::callerGetter):
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::deleteProperty):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::makeFunction):
* runtime/Executable.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::getOwnNonIndexPropertyNames):
(JSC::JSFunction::put):
(JSC::JSFunction::deleteProperty):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller):
2016-10-17 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Use NativeCallFrameTracer for operations used for DOMJIT slow calls
https://bugs.webkit.org/show_bug.cgi?id=163586
Reviewed by Saam Barati.
C functions called from the DOMJIT slow path calls should use NativeCallFrameTracer.
This fixes the debug assertion caused in r207427.
* bytecode/DOMJITAccessCasePatchpointParams.cpp:
(JSC::SlowPathCallGeneratorWithArguments::generateImpl):
(JSC::DOMJITAccessCasePatchpointParams::emitSlowPathCalls):
* bytecode/DOMJITAccessCasePatchpointParams.h:
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::emitDOMJITGetter):
* jsc.cpp:
(WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall):
(WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall):
2016-10-17 Keith Miller <keith_miller@apple.com>
Add support for WASM Memory.
https://bugs.webkit.org/show_bug.cgi?id=161710
Reviewed by Geoffrey Garen.
This patch add initial support for WASM memory operations. First,
it adds the concept of a WASM Module memory management object.
This object currently mmaps a 32-bit address space for WASM use,
although it marks all the memory outside the current breakpoint as
PROT_NONE. For now, we do a range check on each store and load. In
the future, we should change this to be an signal handler that
checks what module the program trapped in.
Additionally, this patch changes the way that our temporary tests
call into WASM code. There is now a true "thunk" that relocates
arguments and calls into WASM. This thunk does not tail call
because we use pinned values to memory base-pointer and
size. We use the new B3 pinned register api to pin the values.
* CMakeLists.txt:
* Configurations/ToolExecutable.xcconfig:
* JavaScriptCore.xcodeproj/project.pbxproj:
* testWASM.cpp:
(runWASMTests):
(main):
* wasm/WASMB3IRGenerator.cpp:
(JSC::WASM::createJSWrapper):
(JSC::WASM::parseAndCompile):
* wasm/WASMB3IRGenerator.h:
* wasm/WASMCallingConvention.h:
(JSC::WASM::CallingConvention::iterate):
(JSC::WASM::CallingConvention::setupCall):
(JSC::WASM::nextJSCOffset):
* wasm/WASMFormat.h:
* wasm/WASMFunctionParser.h:
(JSC::WASM::FunctionParser<Context>::parseExpression):
* wasm/WASMMemory.cpp: Copied from Source/JavaScriptCore/wasm/WASMPlan.cpp.
(JSC::WASM::Memory::Memory):
* wasm/WASMMemory.h: Copied from Source/JavaScriptCore/wasm/WASMModuleParser.h.
(JSC::WASM::Memory::~Memory):
(JSC::WASM::Memory::memory):
(JSC::WASM::Memory::size):
(JSC::WASM::Memory::pinnedRegisters):
(JSC::WASM::Memory::mode):
(JSC::WASM::Memory::growMemory):
(JSC::WASM::Memory::offsetOfSize):
* wasm/WASMModuleParser.cpp:
(JSC::WASM::ModuleParser::parse):
(JSC::WASM::ModuleParser::parseMemory):
* wasm/WASMModuleParser.h:
(JSC::WASM::ModuleParser::functionInformation):
(JSC::WASM::ModuleParser::memory):
* wasm/WASMOps.h:
* wasm/WASMPlan.cpp:
(JSC::WASM::Plan::Plan):
* wasm/WASMPlan.h:
* wasm/WASMSections.h:
2016-10-17 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Add toggles for debugger pauses at console.assert failures
https://bugs.webkit.org/show_bug.cgi?id=139542
<rdar://problem/19281600>
Reviewed by Timothy Hatcher.
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::disable):
(Inspector::InspectorDebuggerAgent::setPauseOnAssertions):
Toggle pause on assertions state. Default is disabled,
and disable it when frontends disconnect.
(Inspector::InspectorDebuggerAgent::handleConsoleAssert):
Instead of using the PauseOnAllExceptions state, use this
new state specific to assertions.
* inspector/protocol/Debugger.json:
New protocol method to toggle pausing on assertions.
2016-10-17 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT][JSC] Add Option::useDOMJIT
https://bugs.webkit.org/show_bug.cgi?id=163457
Reviewed by Saam Barati.
Add an option to switch the DOMJIT optimization.
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h:
2016-10-17 Filip Pizlo <fpizlo@apple.com>
Air::IRC doesn't need to have a special-case for uncolored Tmps since they all get colored
https://bugs.webkit.org/show_bug.cgi?id=163548
<rdar://problem/28804381>
Reviewed by Geoffrey Garen.
Before r207408, IRC had a mode where it would silently assign the first assignable register (so
%rax, %xmm0, etc) to any tmp that was not colorable due to a pathological interference fencepost.
We reason about interference at instruction boundaries. This means that if you have, for example,
an instruction that clobbers all registers late followed by an instruction that has an early def
in the same register file, then the early def will not be colorable because it interferes with
all registers. This already happens in our tests, but IRC silently returns the first assignable
register to such tmps. For some reason the resulting code works OK - probably because this tends
to only be hit by fuzzing, which may not then stress that code enough to shake out the register
corruption. Also, this can only happen for floating point registers, so it's hard to get an
exciting crash. The worst case is that your numbers get all messed up.
This change fixes the issue:
- IRC will now crash if it can't color a tmp.
- IRC doesn't crash on our tests anymore because I added a padInterference() utility that works
around the interference problem by inserting Nops to pad between those instructions where
conflating their early and late actions into one interference fencepost could create an
uncolorable graph.
See https://bugs.webkit.org/show_bug.cgi?id=163548#c2 for a detailed discussion of how the
problem can arise.
This problem almost made me want to abandon our use of interference at instruction boundaries,
and introduce something more comprehensive, like interference at various stages of an
instruction's execution. The reason why I didn't do this is that this problem only arises in well
confined corner cases: you need an instruction that does a late use or def followed by an
instruction that does an early def. Register clobbers count as defs for this equation.
Fortunately, early defs are rare, and even when they do happen, you still need the previous
instruction to have a late something. Late uses are rare and many instructions don't have defs at
all, which means that it's actually pretty common for an instruction to not have anything late.
This means that the padInterference() strategy is ideal: our algorithms stay simple because they
only have to worry about interference at boundaries, and we rarely insert any Nops in
padInterference() so the IR stays nice and compact. Those Nops get removed by any phase that does
DCE, which includes eliminateDeadCode(), allocateStack(), and reportUsedRegisters(). In practice
allocateStack() kills them.
This also finally refactors our passing of RegisterSet to pass it by value, since it's small
enough that we're not gaining anything by using references. On x86, RegisterSet ought to be
smaller than a pointer.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* b3/B3StackmapSpecial.cpp:
(JSC::B3::StackmapSpecial::extraClobberedRegs):
(JSC::B3::StackmapSpecial::extraEarlyClobberedRegs):
* b3/B3StackmapSpecial.h:
* b3/air/AirCCallSpecial.cpp:
(JSC::B3::Air::CCallSpecial::extraEarlyClobberedRegs):
(JSC::B3::Air::CCallSpecial::extraClobberedRegs):
* b3/air/AirCCallSpecial.h:
* b3/air/AirInst.h:
* b3/air/AirInstInlines.h:
(JSC::B3::Air::Inst::extraClobberedRegs):
(JSC::B3::Air::Inst::extraEarlyClobberedRegs):
* b3/air/AirIteratedRegisterCoalescing.cpp:
(JSC::B3::Air::iteratedRegisterCoalescing):
* b3/air/AirPadInterference.cpp: Added.
(JSC::B3::Air::padInterference):
* b3/air/AirPadInterference.h: Added.
* b3/air/AirSpecial.h:
* b3/air/AirSpillEverything.cpp:
(JSC::B3::Air::spillEverything):
* jit/RegisterSet.h:
(JSC::RegisterSet::isEmpty):
2016-10-17 JF Bastien <jfbastien@apple.com>
WebAssembly JS API: implement basic stub
Implement the global WebAssembly JavaScript object, and its constructor +
function properties as described in:
https://github.com/WebAssembly/design/blob/master/JS.md
These don't do anything at the moment, the parent bug will take care of adding
more functionality and associated tests.
WebAssembly JS API: implement basic stub
https://bugs.webkit.org/show_bug.cgi?id=163404
Reviewed by Keith Miller.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/BuiltinNames.h: register the new WebAssembly object's name and its constructor properties
* jsc.cpp: remove useless include
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init): add the WebAssembly global object and its constructor properties, but only if the JSC option enables it
* runtime/Options.h: add the useWebAssembly (alias: enableWebAssembly) option, defaulting to false
* wasm/WebAssemblyObject.cpp: Added.
(JSC::WebAssemblyObject::create): boilerplate
(JSC::WebAssemblyObject::createStructure): boilerplate
(JSC::WebAssemblyObject::finishCreation): boilerplate
(JSC::WebAssemblyObject::WebAssemblyObject): boilerplate
(JSC::wasmObjectFuncvalidate): auto-throws for now
(JSC::wasmObjectFunccompile): auto-throws for now
* wasm/WebAssemblyObject.h: Added.
2016-10-17 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, build fix after r207428
https://bugs.webkit.org/show_bug.cgi?id=163223
Previous build fix r207428 broke all the builds.
* bytecode/PolymorphicAccess.h:
2016-10-17 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, build fix for GTK and Windows
https://bugs.webkit.org/show_bug.cgi?id=163223
Attempt to fix build failures in GTK port and Windows port.
* bytecode/PolymorphicAccess.cpp:
* bytecode/PolymorphicAccess.h:
(JSC::AccessGenerationState::SpillState::SpillState):
2016-10-17 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Use DOMJIT::Patchpoint in IC
https://bugs.webkit.org/show_bug.cgi?id=163223
Reviewed by Saam Barati.
This patch uses DOMJIT::Patchpoint to inline DOM accesses even in IC!
It is useful for Baseline JIT cases and GetById cases in DFG and FTL.
In AccessCase, we construct the environment that allows DOMJIT::Patchpoint
to emit code and make DOMJIT accessors inlined in IC.
To allow DOMJIT::Patchpoint to emit code, we create a mechanism to emit calls
required in DOMJIT::Patchpoint. This system is useful when we create the super-
polymorphic support[1] later. And inlining mechanism is useful even after
introducing super-polymorphic support since it can work even after we fire the
watchpoint for super-polymorphic handling.
This patch improves Dromaeo dom-traverse 8% (263.95 runs/s v.s. 244.07 runs/s).
[1]: https://bugs.webkit.org/show_bug.cgi?id=163226
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/DOMJITAccessCasePatchpointParams.cpp: Added.
(JSC::SlowPathCallGeneratorWithArguments::SlowPathCallGeneratorWithArguments):
(JSC::SlowPathCallGeneratorWithArguments::generateImpl):
(JSC::DOMJITAccessCasePatchpointParams::emitSlowPathCalls):
* bytecode/DOMJITAccessCasePatchpointParams.h: Copied from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h.
(JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
(JSC::DOMJITAccessCasePatchpointParams::SlowPathCallGenerator::~SlowPathCallGenerator):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::liveRegistersForCall):
(JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
(JSC::calleeSaveRegisters):
(JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
(JSC::AccessGenerationState::restoreLiveRegistersFromStackForCallWithThrownException):
(JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
(JSC::AccessGenerationState::callSiteIndexForExceptionHandlingOrOriginal):
(JSC::AccessGenerationState::originalExceptionHandler):
(JSC::AccessCase::generateImpl):
(JSC::AccessCase::emitDOMJITGetter):
(JSC::PolymorphicAccess::regenerate):
(JSC::AccessGenerationState::preserveLiveRegistersToStackForCall): Deleted.
* bytecode/PolymorphicAccess.h:
(JSC::AccessGenerationState::SpillState::isEmpty):
(JSC::AccessGenerationState::setSpillStateForJSGetterSetter):
(JSC::AccessGenerationState::spillStateForJSGetterSetter):
(JSC::AccessGenerationState::liveRegistersForCall): Deleted.
(JSC::AccessGenerationState::numberOfStackBytesUsedForRegisterPreservation): Deleted.
(JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite): Deleted.
* dfg/DFGDOMJITPatchpointParams.cpp:
* dfg/DFGDOMJITPatchpointParams.h:
* domjit/DOMJITPatchpoint.h:
* domjit/DOMJITPatchpointParams.h:
(JSC::DOMJIT::PatchpointParams::addSlowPathCall):
* ftl/FTLDOMJITPatchpointParams.cpp:
* ftl/FTLDOMJITPatchpointParams.h:
* jsc.cpp:
(WTF::DOMJITNode::checkDOMJITNode):
(WTF::DOMJITGetterComplex::DOMJITGetterComplex):
(WTF::DOMJITGetterComplex::createStructure):
(WTF::DOMJITGetterComplex::create):
(WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT):
(WTF::DOMJITGetterComplex::domJITNodeGetterSetter):
(WTF::DOMJITGetterComplex::finishCreation):
(WTF::DOMJITGetterComplex::functionEnableException):
(WTF::DOMJITGetterComplex::customGetter):
(GlobalObject::finishCreation):
(functionCreateDOMJITGetterComplexObject):
2016-10-17 Saam Barati <sbarati@apple.com>
Build fix for HasOwnPropertyCache::Entry caused slowdown by introducing a constructor that doesn't use move semantics for the RefPtr<UniquedStringImpl> parameter
https://bugs.webkit.org/show_bug.cgi?id=163490
Reviewed by Darin Adler.
* runtime/HasOwnPropertyCache.h:
(JSC::HasOwnPropertyCache::Entry::Entry):
(JSC::HasOwnPropertyCache::tryAdd):
2016-10-17 Mark Lam <mark.lam@apple.com>
Use the reject() helper function for conditionally throwing TypeErrors.
https://bugs.webkit.org/show_bug.cgi?id=163491
Reviewed by Filip Pizlo.
In some places where we may conditionally throw a TypeError (e.g. when in strict
mode), we already use the reject() helper function to conditionally throw the
TypeError. Doing so makes the code mode compact. This patch applies this idiom
consistently in all places that throws TypeError where appropriate.
This patch also does the following:
1. Make the reject() helper function take an ASCIILiteral instead of a const char*
because we always pass it a literal string anyway.
2. Change the reject helper() to take a ThrowScope&. This allows the thrown
error to be attributed to its caller.
3. When an error message string is instantiated repeatedly in more than 1 place,
create a common copy of that literal string in JSObject.cpp (if one doesn't
already exist) and use that common string in all those places.
4. Since I was auditing call sites of throwTypeError() to check if they should be
using the reject() helper instead, I also fixed those up to pass the error
message as an ASCIILiteral where appropriate.
5. In functions that I touched, change the code to not recompute the VM& when it
is already available.
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ArrayPrototype.cpp:
(JSC::shift):
(JSC::unshift):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncReverse):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/GetterSetter.cpp:
(JSC::callSetter):
* runtime/JSArray.cpp:
(JSC::JSArray::defineOwnProperty):
(JSC::JSArray::setLengthWithArrayStorage):
(JSC::JSArray::pop):
* runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::put):
(JSC::JSArrayBuffer::defineOwnProperty):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
(JSC::JSValue::putToPrimitiveByIndex):
* runtime/JSDataView.cpp:
(JSC::JSDataView::put):
(JSC::JSDataView::defineOwnProperty):
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::setIndex):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
(JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::speciesConstruct):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
* runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::defineOwnProperty):
* runtime/JSObject.cpp:
(JSC::ordinarySetSlow):
(JSC::JSObject::putInlineSlow):
(JSC::JSObject::setPrototypeWithCycleCheck):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
(JSC::validateAndApplyPropertyDescriptor):
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::putInline):
* runtime/JSProxy.cpp:
(JSC::JSProxy::setPrototype):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePut):
* runtime/Lookup.h:
(JSC::putEntry):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::defineOwnProperty):
* runtime/RegExpObject.h:
(JSC::RegExpObject::setLastIndex):
* runtime/Reject.h:
(JSC::reject):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::putEntry):
(JSC::SparseArrayValueMap::putDirect):
(JSC::SparseArrayEntry::put):
* runtime/StringObject.cpp:
(JSC::StringObject::put):
(JSC::StringObject::putByIndex):
* runtime/SymbolConstructor.cpp:
(JSC::symbolConstructorKeyFor):
2016-10-16 Filip Pizlo <fpizlo@apple.com>
Air::IRC needs to place all Tmps on some worklist, even if they have no interference edges
https://bugs.webkit.org/show_bug.cgi?id=163509
Reviewed by Mark Lam.
The worklist building function in IRC skips temporaries that have no degree. This doesn't appear
to be necessary. This has been there since the original IRC commit. It hasn't caused bugs because
ordinarily, the only way to have a tmp with no degree is to not have any mention of that tmp. But
while working on bug 163371, I hit a crazy corner case where a temporary would have no
interference edges (i.e. no degree). Here's how it happens:
A spill tmp from a previous iteration of IRC may have no degree: imagine a tmp that is live
everywhere and interferes with everyone, but has one use like:
Move %ourTmp, %someOtherTmp
Where there are no other tmps live. After spill conversion, this may look like:
Move (ourSpill), %newTmp
Move %newTmp, %someOtherTmp
Of course, we'd rather not get this kind of spill code but it's totally possible because we now
have a bunch of random conditions under which we won't slap the spill address directly into the
Move.
After this happens, assuming that the only thing live was %someOtherTmp, we will have zero degree
for %newTmp because the Move is coalescable and does not contribute to interference.
Then, we might coalesce %someOtherTmp with %newTmp. Once this happens, if we make the %newTmp be
the master, we're in deep trouble because %newTmp is not on any worklist.
I don't know how to reproduce this except through the patch in bug 163371. Removing the two lines
of code that skipped no-degree tmps causes no regressions, and resolves the problem I was having.
* b3/air/AirIteratedRegisterCoalescing.cpp:
2016-10-15 Mark Lam <mark.lam@apple.com>
Add a $vm.getpid() method.
https://bugs.webkit.org/show_bug.cgi?id=163493
Reviewed by Saam Barati.
This is especially useful when we need to know the pid of an instance of jsc in
the foreground that we're trying to attach a debugger to while the JSC tests are
running in the background with a gazillion other jsc processes live at the same
time.
Currently, $vm.getpid() is only supported on non-Windows platforms.
According to https://msdn.microsoft.com/en-us/library/ms235372.aspx, getpid() is
deprecated. According to https://msdn.microsoft.com/en-us/library/t2y34y40.aspx,
_getpid() cannot be used in applications that execute in the Windows Runtime.
Since this is only a debugging tool and is not a required feature, I'll defer
the Windows implementation of this function till the time when someone actually
needs it.
* tools/JSDollarVMPrototype.cpp:
(JSC::functionGetPID):
(JSC::JSDollarVMPrototype::finishCreation):
2016-10-15 Saam Barati <sbarati@apple.com>
Assertion failed under operationToLowerCase with a rope with zero length
https://bugs.webkit.org/show_bug.cgi?id=163314
Reviewed by Mark Lam.
There are some ways to get JSC to create empty rope strings. ToLowerCase
inside the DFG/FTL goes to the slow path when the argument is a rope.
operationToLowerCase was calling into a WTF string function that
assumed we are passing it a this value that has non-zero length.
However, we were calling it with a string that did have zero length.
To fix this, we make operationToLowerCase return the empty JSString
if it is going to make a string with zero length.
* dfg/DFGOperations.cpp:
* jsc.cpp:
(GlobalObject::finishCreation):
(functionIsRope):
2016-10-14 Benjamin Poulain <bpoulain@apple.com>
[JSC] op_negate should with any type
https://bugs.webkit.org/show_bug.cgi?id=162587
Reviewed by Saam Barati.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
ArithNegate is quite simple. If the input is double, the output
is double. The other cases are set from the LLInt slow case.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGIntegerRangeOptimizationPhase.cpp:
Tweak a bit the IntegerRangeOptimizationPhase when simplifying
ArithAbs to ArithNegate.
We should not do the conversion if the target nodes OSR Exits
on different input than the source node.
In particular, Checked ArithNegate exits on zero while
ArithAbs has not problem with it.
Unchecked ArithAbs() do not OSR Exit on INT_MIN, ArithNeg
should not either.
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileMathIC):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
* jit/JITNegGenerator.cpp:
(JSC::JITNegGenerator::generateFastPath):
* jit/JITOperations.cpp:
Add result profiling in baseline to have types we can use
in DFG and FTL.
2016-10-14 Keith Miller <keith_miller@apple.com>
B3 needs a special WasmAddress Opcode
https://bugs.webkit.org/show_bug.cgi?id=163394
Reviewed by Filip Pizlo.
This patch adds support for WasmAddress. WasmAddress will be used by
Wasm to compute the address of a memory operation from the pinned
base pointer. WasmAddress takes an IntPtr so we can avoid emitting
unnecessary Move32s in Air. This could happen in the following case:
@ptr = Trunc(...)
WasmAddress(@ptr, pinnedGPR)
...
PatchPoint(...) // Do Wasm call
WasmAddress(@ptr, pinnedGPR)
...
In this case we will not be able to CSE the WasmAddresses since the
call writes to pinnedGPR. Thus if WasmAddress took an Int32 we would need
to emit an extra Move32 at the second WasmAddress to ensure it saw a proper
32-bit value. If Wasm ensures that there there is a leading ZExt32 then
the duplicated moves become unnecessary.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::effectiveAddr):
(JSC::B3::Air::LowerToAir::lower):
* b3/B3Opcode.cpp:
(WTF::printInternal):
* b3/B3Opcode.h:
* b3/B3Validate.cpp:
* b3/B3Value.cpp:
(JSC::B3::Value::effects):
* b3/B3WasmAddressValue.cpp: Added.
(JSC::B3::WasmAddressValue::~WasmAddressValue):
(JSC::B3::WasmAddressValue::dumpMeta):
(JSC::B3::WasmAddressValue::cloneImpl):
(JSC::B3::WasmAddressValue::WasmAddressValue):
* b3/B3WasmAddressValue.h: Added.
* b3/testb3.cpp:
(JSC::B3::testWasmAddress):
(JSC::B3::run):
2016-10-14 Joseph Pecoraro <pecoraro@apple.com>
test262: @isConstructor incorrectly thinks Math.cos is a constructor
https://bugs.webkit.org/show_bug.cgi?id=163437
Reviewed by Saam Barati.
* runtime/JSFunction.cpp:
(JSC::JSFunction::getConstructData):
By default, Host JSFunctions are not constructable. They get
the default callHostFunctionAsConstructor native constructor.
When getting construct data we can return ConstructType::None
in these cases instead of indicating it might be constructable
and later throwing an exception when construction is attempted.
2016-10-14 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r207322.
This change caused JSC test failures
Reverted changeset:
"Fix Array.prototype.splice ES6 compliance."
https://bugs.webkit.org/show_bug.cgi?id=163372
http://trac.webkit.org/changeset/207322
2016-10-14 Mark Lam <mark.lam@apple.com>
JSON.parse should not modify frozen objects.
https://bugs.webkit.org/show_bug.cgi?id=163430
Reviewed by Saam Barati.
The ES6 spec for JSON.parse (https://tc39.github.io/ecma262/#sec-json.parse and
https://tc39.github.io/ecma262/#sec-internalizejsonproperty) states that it uses
CreateDataProperty() (https://tc39.github.io/ecma262/#sec-createdataproperty) to
set values returned by a reviver. The spec for CreateDataPropertyOrThrow states:
"This abstract operation creates a property whose attributes are set to the same
defaults used for properties created by the ECMAScript language assignment
operator. Normally, the property will not already exist. If it does exist and is
not configurable or if O is not extensible, [[DefineOwnProperty]] will return
false."
Note: CreateDataProperty() will not throw a TypeError.
Since the properties of frozen objects are not extensible, not configurable, and
not writeable, JSON.parse should fail to write to any frozen objects. Similarly,
JSON.parse should fail to delete properties in frozen objects.
In JSON.parse(), we previously write to array elements using the form of
putDirectIndex() that uses mode PutDirectIndexLikePutDirect. This makes it so
that the write (i.e. put) is always successful. We've now fixed this to use
PutDirectIndexShouldNotThrow mode instead, which will fail to put the element if
the array is not writeable.
Also changed Walker::walk() to use the version of methodTable() that takes a VM&
since the VM& is already available.
* runtime/JSONObject.cpp:
(JSC::Walker::walk):
2016-10-14 Joseph Pecoraro <pecoraro@apple.com>
test262: Failure with RegExp.prototype.compile when pattern is undefined
https://bugs.webkit.org/show_bug.cgi?id=163431
Reviewed by Yusuke Suzuki.
If pattern is undefined let P be the empty String.
https://tc39.github.io/ecma262/#sec-regexpinitialize
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncCompile):
2016-10-13 Joseph Pecoraro <pecoraro@apple.com>
Exception message for expressions with multiple bracket accesses is inconsistent / incorrect
https://bugs.webkit.org/show_bug.cgi?id=163426
Reviewed by Geoffrey Garen.
* bytecompiler/NodesCodegen.cpp:
(JSC::BracketAccessorNode::emitBytecode):
It matters where emitExpressionInfo is called since it gathers
info about where we are in the instruction stream. We need to
emit it before the bytecode that we want to associate the data
with. In this case, before the getById / getByVal.
2016-10-13 Mark Lam <mark.lam@apple.com>
Fix Array.prototype.splice ES6 compliance.
https://bugs.webkit.org/show_bug.cgi?id=163372
Reviewed by Geoffrey Garen and Yusuke Suzuki.
Our Array.prototype.splice implementation neglected to set length on the result
array (step 12 of https://tc39.github.io/ecma262/#sec-array.prototype.splice) in
a certain code path. This is now fixed.
I'm deferring the implementation of step 8 till later because it requires more
careful consideration and the fix is of a lesser value (and therefore, of less
urgency). See https://bugs.webkit.org/show_bug.cgi?id=163417
Also added some needed exception checks and assertions.
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSplice):
2016-10-13 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Stepping highlight for dot/bracket expressions in if statements highlights subset of the expression
https://bugs.webkit.org/show_bug.cgi?id=163378
<rdar://problem/28749376>
Reviewed by Saam Barati.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseAssignmentExpression):
Since each expression builds on the previous, always keep the starting
location the first location.
2016-10-13 Per Arne Vollan <pvollan@apple.com>
[Win64] Compile fix.
https://bugs.webkit.org/show_bug.cgi?id=163384
Reviewed by Brent Fulgham.
Fix use of potentially uninitialized variable.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2016-10-12 Chris Dumez <cdumez@apple.com>
[Web IDL] Drop support for legacy [ConstructorConditional=*]
https://bugs.webkit.org/show_bug.cgi?id=163368
Reviewed by Ryosuke Niwa.
Drop ENABLE_DOM4_EVENTS_CONSTRUCTOR compiler flag.
* Configurations/FeatureDefines.xcconfig:
2016-10-12 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: step-into `console.log(o)` should not step through inspector javascript
https://bugs.webkit.org/show_bug.cgi?id=161656
<rdar://problem/28181123>
Reviewed by Timothy Hatcher.
* debugger/Debugger.h:
* debugger/Debugger.cpp:
(JSC::Debugger::pauseIfNeeded):
If the Script is blacklisted skip checking if we need to pause.
(JSC::Debugger::isBlacklisted):
(JSC::Debugger::addToBlacklist):
(JSC::Debugger::clearBlacklist):
Add the ability to add a Script to a blacklist. Currently the blacklist
only prevents pausing in the Script.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::isWebKitInjectedScript):
(Inspector::InspectorDebuggerAgent::didParseSource):
Always add Internal InjectedScripts to the Debugger's blacklist.
(Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
Clear blacklists when clearing debugger state.
2016-10-12 Keith Miller <keith_miller@apple.com>
B3 needs a special WasmBoundsCheck Opcode
https://bugs.webkit.org/show_bug.cgi?id=163246
Reviewed by Filip Pizlo.
This patch adds a new Opcode, WasmBoundsCheck, as well as a B3::Value subclass for it,
WasmBoundsCheckValue. WasmBoundsCheckValue takes three pieces of information. The first is
the Int32 pointer value used to be used by the Load. Next is the pinned register. The
pinned register must be pinned by calling proc.setPinned() prior to compiling the
Procedure. Lastly, the WasmBoundsCheckValue takes an offset. The WasmBoundsCheckValue is
will then emit code that side-exits if the Int64 sum of the offset and pointer is greater
than or equal to the value in the pinnedRegister. Instead of taking a generator for each
value like Check/Patchpoint, WasmBoundsCheck gets its generator directly off Air::Code. In
Air this patch adds a new Custom opcode, WasmBoundsCheck.
In the future we should add WasmBoundsCheck to CSE so it can eliminate redundant bounds
checks. At the first cut, we can remove any WasmBoundsCheck dominated by another
WasmBoundsCheck with the same pointer and pinnedGPR, and a larger offset.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::imm):
(JSC::B3::Air::LowerToAir::lower):
* b3/B3Opcode.cpp:
(WTF::printInternal):
* b3/B3Opcode.h:
* b3/B3Procedure.cpp:
(JSC::B3::Procedure::setWasmBoundsCheckGenerator):
* b3/B3Procedure.h:
(JSC::B3::Procedure::setWasmBoundsCheckGenerator):
* b3/B3Validate.cpp:
* b3/B3Value.cpp:
(JSC::B3::Value::effects):
(JSC::B3::Value::typeFor):
* b3/B3WasmBoundsCheckValue.cpp: Added.
(JSC::B3::WasmBoundsCheckValue::~WasmBoundsCheckValue):
(JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
(JSC::B3::WasmBoundsCheckValue::dumpMeta):
* b3/B3WasmBoundsCheckValue.h: Added.
(JSC::B3::WasmBoundsCheckValue::accepts):
(JSC::B3::WasmBoundsCheckValue::pinnedGPR):
(JSC::B3::WasmBoundsCheckValue::offset):
* b3/air/AirCode.h:
(JSC::B3::Air::Code::setWasmBoundsCheckGenerator):
(JSC::B3::Air::Code::wasmBoundsCheckGenerator):
* b3/air/AirCustom.cpp:
(JSC::B3::Air::WasmBoundsCheckCustom::isValidForm):
* b3/air/AirCustom.h:
(JSC::B3::Air::WasmBoundsCheckCustom::forEachArg):
(JSC::B3::Air::WasmBoundsCheckCustom::isValidFormStatic):
(JSC::B3::Air::WasmBoundsCheckCustom::admitsStack):
(JSC::B3::Air::WasmBoundsCheckCustom::isTerminal):
(JSC::B3::Air::WasmBoundsCheckCustom::hasNonArgNonControlEffects):
(JSC::B3::Air::WasmBoundsCheckCustom::generate):
* b3/air/AirOpcode.opcodes:
* b3/testb3.cpp:
(JSC::B3::testWasmBoundsCheck):
(JSC::B3::run):
2016-10-12 Filip Pizlo <fpizlo@apple.com>
The blackening of CellState is a bad way of tracking if the object is being marked for the first time
https://bugs.webkit.org/show_bug.cgi?id=163343
Reviewed by Mark Lam.
When I first added the concept of NewGrey/OldGrey, I had the SlotVisitor store the old cell
state in itself, so that it could use it to decide what to do for reportExtraMemoryVisited().
Then I changed it in a recent commit, because I wanted the freedom to have SlotVisitor visit
multiple objects in tandem. But I never ended up using this capability. Still, I liked the
new way better: instead of the SlotVisitor rembemering the state-before-blackening, we would
make the object's state reflect whether it was black for the first time or not. That seemed
convenient.
Unfortunately it's wrong. After we blacken the object, a concurrent barrier could instantly
grey it. Then we would forget that we are visiting this object for the first time.
Subsequent visits will think that they are not the first. So, we will fail to do the right
thing in reportExtraMemoryVisited().
So, this reverts that change. This is a little more than just a revert, though. I've changed
the terminology a bit. For example, I got tired of reading Black and having to remind myself
that it really means that the object has begun being visited, instead of the more strict
meaning that implies that it has already been visited. We want to say that it's Black or
currently being scanned. I'm going to adopt Siebert's term for this: Anthracite [1]. So, our
black CellState is now called AnthraciteOrBlack.
[1] https://pdfs.semanticscholar.org/7ae4/633265aead1f8835cf7966e179d02c2c8a4b.pdf
* heap/CellState.h:
(JSC::isBlack): Deleted.
(JSC::blacken): Deleted.
* heap/Heap.cpp:
(JSC::Heap::addToRememberedSet):
(JSC::Heap::writeBarrierSlowPath):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::reportExtraMemoryVisited):
(JSC::Heap::reportExternalMemoryVisited):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::appendToMarkStack):
(JSC::SlotVisitor::visitChildren):
* heap/SlotVisitor.h:
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::reportExtraMemoryVisited):
(JSC::SlotVisitor::reportExternalMemoryVisited):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
2016-10-12 Mark Lam <mark.lam@apple.com>
Rename variables in arrayProtoFuncSplice() to match names in the spec.
https://bugs.webkit.org/show_bug.cgi?id=163354
Reviewed by Saam Barati.
This will make it easier to see whether the code matches the spec or not.
Ref: https://tc39.github.io/ecma262/#sec-array.prototype.splice
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSplice):
2016-10-12 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT][JSC] Explore the way to embed nodeType into JSC::JSType in WebCore
https://bugs.webkit.org/show_bug.cgi?id=163245
Reviewed by Filip Pizlo.
We reserve the highest bit of JSC::JSType for extensions outside JSC.
JSC does not use JSType bits so many: only 52 types are defined.
And we extend CallDOM patchpoint to claim that it does not require a global object.
This global object is used to generate a DOM wrapper. However, nodeType does not require
it since it just returns integer. In the future, we will extend CallDOM to claim
its result type. And we can decide this `requireGlobalObject` condition automatically
according to the result type.
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleDOMJITGetter):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasCheckDOMPatchpoint):
(JSC::DFG::Node::checkDOMPatchpoint):
(JSC::DFG::Node::hasCallDOMPatchpoint):
(JSC::DFG::Node::callDOMPatchpoint):
(JSC::DFG::Node::hasDOMJIT): Deleted.
(JSC::DFG::Node::domJIT): Deleted.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOM):
(JSC::DFG::SpeculativeJIT::compileCheckDOM):
* domjit/DOMJITCallDOMPatchpoint.h: Copied from Source/JavaScriptCore/domjit/DOMJITGetterSetter.h.
(JSC::DOMJIT::CallDOMPatchpoint::create):
* domjit/DOMJITGetterSetter.h:
* domjit/DOMJITPatchpoint.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
* jsc.cpp:
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
* runtime/JSType.h:
2016-10-12 Keith Miller <keith_miller@apple.com>
Handle non-function, non-undefined comparator in Array.prototype.sort
https://bugs.webkit.org/show_bug.cgi?id=163085
Reviewed by Yusuke Suzuki.
* builtins/ArrayPrototype.js:
(sort.comparatorSort):
(sort.stringSort):
(sort):
2016-10-12 Filip Pizlo <fpizlo@apple.com>
REGRESSION (r207179): ASSERTION FAILED: node.cell != previousCell
https://bugs.webkit.org/show_bug.cgi?id=163337
Reviewed by Mark Lam.
It turns out that HeapSnapshot was not down with revisiting. The concurrent GC is going to be
built around the idea that we can revisit objects many times. This means that any action that
should only take place once per object must check the object's state. This fixes the snapshot
code to do this.
While writing this code, I realized that we're actually doing this check incorrectly, so I
filed bug 163343. That bug requires a race, so we aren't going to see it yet.
* heap/HeapSnapshot.cpp:
(JSC::HeapSnapshot::finalize):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::appendToMarkStack):
(JSC::SlotVisitor::visitChildren):
2016-10-12 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Improve support for logging Proxy objects in console
https://bugs.webkit.org/show_bug.cgi?id=163323
<rdar://problem/28432553>
Reviewed by Timothy Hatcher.
This is based off of similiar patches in Blink for Proxy handling.
* bindings/ScriptValue.cpp:
(Deprecated::ScriptValue::isEqual):
Use strict equality. This is the intent, and it prevents the possibility of triggering
primitive conversion on objects in previous ConsoleMessage argument lists.
* inspector/InjectedScriptSource.js:
(InjectedScript.prototype._propertyDescriptors):
Bail if the object is a Proxy.
(InjectedScript.prototype._describe):
Provide a friendlier name, "Proxy" instead of "ProxyObject".
(InjectedScript.RemoteObject):
When generating a preview for a Proxy object, generate it from the final target
and mark it as lossy so that the object can always be expanded to get the internal
target/handler properties.
* inspector/JSInjectedScriptHost.h:
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::subtype):
New subtype for Proxy objects.
(Inspector::JSInjectedScriptHost::proxyTargetValue):
Resolve the final target value for a Proxy.
* inspector/JSInjectedScriptHostPrototype.cpp:
(Inspector::JSInjectedScriptHostPrototype::finishCreation):
(Inspector::jsInjectedScriptHostPrototypeFunctionProxyTargetValue):
Add the new method.
* inspector/ScriptArguments.cpp:
(Inspector::ScriptArguments::getFirstArgumentAsString):
Avoid triggering Proxy traps on a Proxy object when getting a quick
string description for ConsoleMessages.
* inspector/protocol/Runtime.json:
Add new "proxy" subtype.
2016-10-12 Joseph Pecoraro <pecoraro@apple.com>
Emit DebugHooks uniformly with pause locations instead of having separate pause locations and op_debug emits
https://bugs.webkit.org/show_bug.cgi?id=162809
Reviewed by Geoffrey Garen.
Change how BytecodeGeneration emits debug hooks to be more consistent.
Previously most nodes individually generated their own debug hook
and we asserted that it matched a breakpoint location identified
by the parser. This could get out of sync, or nodes could forget to
emit debug hooks expected by the parser.
With this change, we always check and emit a debug hook for any
node. The default behavior is for BytecodeGenerator::emitNode
to emit the debug hook when emitting the node itself. This covers
the majority of cases (statements).
There are a few exceptions where we continue to need to customize
emitting debug hooks:
1. Nodes with emitBytecodeInConditionContext
- non-Expression nodes customize how they emit their children
- constants conditions may emit nothing, but we had recorded a breakpoint location so emit a debug hook
- always emit one debug hook in case we recorded a breakpoint location, but avoid emitting multiple
in nodes which may call up to the ExpressionNode::emitBytecodeInConditionContext base impl.
2. Specialized Debug Hooks
- such as hooks for Program start/end, debugger statements, etc.
3. Debug Hooks in for..of / for..in that don't correspond to re-emitting nodes
- such as pausing on the assignment expression inside these loops
The majority of nodes no longer have custom emits.
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitNodeInTailPosition):
(JSC::BytecodeGenerator::emitNodeInConditionContext):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitDebugHook):
(JSC::BytecodeGenerator::emitEnumeration):
By default, when emitting a node check if we should also emit an op_debug for it.
This default DebugHook is WillExecuteStatement, which is a normal pause point.
* bytecompiler/NodesCodegen.cpp:
(JSC::ConstantNode::emitBytecodeInConditionContext):
(JSC::LogicalNotNode::emitBytecodeInConditionContext):
(JSC::BinaryOpNode::emitBytecodeInConditionContext):
(JSC::LogicalOpNode::emitBytecodeInConditionContext):
The parser would have generated a pause location for these conditions
no matter what constant folding and re-writing these nodes may perform.
So, when emitting these nodes in condition context check if they need
emit their own debug hook.
(JSC::EmptyStatementNode::emitBytecode):
(JSC::ExprStatementNode::emitBytecode):
(JSC::DeclarationStatement::emitBytecode):
(JSC::IfElseNode::emitBytecode):
(JSC::DoWhileNode::emitBytecode):
(JSC::WhileNode::emitBytecode):
(JSC::ForNode::emitBytecode):
(JSC::ContinueNode::emitBytecode):
(JSC::BreakNode::emitBytecode):
(JSC::ReturnNode::emitBytecode):
(JSC::WithNode::emitBytecode):
(JSC::SwitchNode::emitBytecode):
(JSC::ThrowNode::emitBytecode):
No longer need to custom emit debug hooks. The default emitNode will handle these.
(JSC::ForInNode::emitBytecode):
Include extra debug hooks the user expects to return back to the assignment
expression in the loop header before starting the body again. The same is done
for for..of with emitEnumeration.
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createExportDefaultDeclaration):
(JSC::ASTBuilder::createExportLocalDeclaration):
These are no longer needed to fake-satisfy assertions. We never wanted to
emit debug hooks for these inner statements because the export statement
will already have the debug hooks.
(JSC::ASTBuilder::createForInLoop):
(JSC::ASTBuilder::createForOfLoop):
Include the correct location where the declaration starts.
(JSC::ASTBuilder::breakpointLocation):
Simplify to a general implementation for Node.
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createForInLoop):
(JSC::SyntaxChecker::createForOfLoop):
Ignore the new extra parameter.
* parser/Nodes.h:
(JSC::Node::needsDebugHook):
(JSC::Node::setNeedsDebugHook):
(JSC::ExpressionNode::needsDebugHook): Deleted.
(JSC::ExpressionNode::setNeedsDebugHook): Deleted.
(JSC::StatementNode::isEmptyStatement): Deleted.
(JSC::StatementNode::needsDebugHook): Deleted.
(JSC::StatementNode::setNeedsDebugHook): Deleted.
Move debug hook logic into the base Node class.
(JSC::StatementNode::isDebuggerStatement):
Provide a way to distinguish a debugger statement.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseForStatement):
Provide the location before the declaration starts.
2016-10-12 Mark Lam <mark.lam@apple.com>
Array.prototype.slice should not modify frozen objects.
https://bugs.webkit.org/show_bug.cgi?id=163338
Reviewed by Filip Pizlo.
1. The ES6 spec for Array.prototype.slice
(https://tc39.github.io/ecma262/#sec-array.prototype.slice) states that it uses
the CreateDataPropertyOrThrow()
(https://tc39.github.io/ecma262/#sec-createdatapropertyorthrow) to add items to
the result array. The spec for CreateDataPropertyOrThrow states:
"This abstract operation creates a property whose attributes are set to the
same defaults used for properties created by the ECMAScript language assignment
operator. Normally, the property will not already exist. If it does exist and
is not configurable or if O is not extensible, [[DefineOwnProperty]] will
return false causing this operation to throw a TypeError exception."
2. Array.prototype.slice also uses a Set function
(https://tc39.github.io/ecma262/#sec-set-o-p-v-throw) to set the "length"
property and passes true for the Throw argument. Ultimately, it ends up
calling the OrdinarySet function
(https://tc39.github.io/ecma262/#sec-ordinaryset) that will fail if the
property is not writable. This failure should result in a TypeError being
thrown in Set.
Since the properties of frozen objects are not extensible, not configurable,
and not writeable, Array.prototype.slice should fail to write to the result
array if it is frozen.
If the source array being sliced has 1 or more elements, (1) will take effect
when we try to set the element in the non-writeable result obj.
If the source array being sliced has 0 elements, we will not set any elements and
(1) will not trigger. Subsequently, (2) will take effect when we will try to
set the length of the result obj.
* runtime/ArrayPrototype.cpp:
(JSC::putLength):
(JSC::setLength):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
2016-10-12 Filip Pizlo <fpizlo@apple.com>
Remove JITWriteBarrier.h
https://bugs.webkit.org/show_bug.cgi?id=163334
Reviewed by Mark Lam.
I guess that the idea of JITWriteBarrier was to make sure that if you slap some heap pointer
bits into machine code, then you better execute a barrier on the code block. But it's a
complicated piece of code, and I can never remember how it quite works. These days it looks
vestigial, particularly since only the CallLinkInfo patchable callee immediate uses it. It's
not really necessary to have something like this, since our convention is that any pointer
stored in machine code must always be shadowed in the GC heap. I think that convention has
won by overwhelming majority, so we should finally remove JITWriteBarrier.
A practical outcome of this change is that it makes it easier to implement DirectCall ICs,
which will have to store the callee in the CallLinkInfo but not in the machine code.
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbstractMacroAssembler.h:
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::setCallee):
(JSC::CallLinkInfo::clearCallee):
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::setCallee): Deleted.
(JSC::CallLinkInfo::clearCallee): Deleted.
* heap/SlotVisitor.h:
* jit/JITWriteBarrier.h: Removed.
2016-10-12 Csaba Osztrogonác <ossy@webkit.org>
Unreviewed buildfix for GCC 4.9 after r207186.
https://bugs.webkit.org/show_bug.cgi?id=163255
* runtime/HasOwnPropertyCache.h:
(JSC::HasOwnPropertyCache::Entry::Entry):
2016-10-11 Saam Barati <sbarati@apple.com>
HasOwnPropertyCache needs to ref the UniquedStringImpls it sees
https://bugs.webkit.org/show_bug.cgi?id=163255
Reviewed by Geoffrey Garen.
The cache needs to be responsible for ensuring that things
in the cache stay alive. Before, it wasn't doing this, and
that was wrong.
* runtime/HasOwnPropertyCache.h:
(JSC::HasOwnPropertyCache::Entry::operator=):
(JSC::HasOwnPropertyCache::operator delete):
(JSC::HasOwnPropertyCache::create):
(JSC::HasOwnPropertyCache::get):
(JSC::HasOwnPropertyCache::tryAdd):
(JSC::HasOwnPropertyCache::clear):
(JSC::HasOwnPropertyCache::zeroBuffer):
2016-10-06 Filip Pizlo <fpizlo@apple.com>
MarkedBlock should know what objects are live during marking
https://bugs.webkit.org/show_bug.cgi?id=162309
Reviewed by Geoffrey Garen.
It used to be that we would forget which objects are live the moment we started collection.
That's because the flip at the beginning clears all mark bits.
But we already have a facility for tracking objects that are live-but-not-marked. It's called
newlyAllocated. So, instead of clearing mark bits, we want to just transfer them to
newlyAllocated. Then we want to clear all newlyAllocated after GC.
This implements such an approach, along with a versioning optimization for newlyAllocated.
Instead of walking the whole heap to clear newlyAllocated bits at the end of the GC, we bump
the newlyAllocatedVersion, which causes MarkedBlock to treat newlyAllocated as if it was
clear.
We could have even avoided allocating newlyAllocated in most cases, since empirically most
blocks are either completely empty or completely full. An earlier version of this patch did
this, but it was not better than this patch. In fact, it seemed to actually be worse for PLT
and membuster.
To validate this change, we now run the conservative scan after the beginMarking flip. And it
totally works!
This is a huge step towards concurrent GC. It means that we ought to be able to run the
allocator while marking. Since we already separately made it possible to run the barrier
while marking, this means that we're pretty much ready for some serious concurrency action.
This appears to be perf-neutral and space-neutral.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
* bytecode/CodeBlock.h:
(JSC::CodeBlockSet::mark): Deleted.
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::writeBarrierCurrentlyExecuting):
(JSC::CodeBlockSet::clearCurrentlyExecuting):
(JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks): Deleted.
* heap/CodeBlockSet.h:
* heap/CodeBlockSetInlines.h: Added.
(JSC::CodeBlockSet::mark):
* heap/ConservativeRoots.cpp:
* heap/Heap.cpp:
(JSC::Heap::markRoots):
(JSC::Heap::beginMarking):
(JSC::Heap::collectImpl):
(JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
(JSC::Heap::clearCurrentlyExecutingCodeBlocks):
* heap/Heap.h:
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::isPagedOut):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::Handle):
(JSC::MarkedBlock::Handle::sweepHelperSelectHasNewlyAllocated):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::lastChanceToFinalize):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::Handle::resetAllocated):
(JSC::MarkedBlock::resetMarks):
(JSC::MarkedBlock::setNeedsDestruction):
(JSC::MarkedBlock::Handle::didAddToAllocator):
(JSC::MarkedBlock::Handle::isLive):
(JSC::MarkedBlock::Handle::isLiveCell):
(JSC::MarkedBlock::clearMarks): Deleted.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::newlyAllocatedVersion):
(JSC::MarkedBlock::Handle::hasAnyNewlyAllocated): Deleted.
(JSC::MarkedBlock::Handle::clearNewlyAllocated): Deleted.
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::cellsPerBlock):
(JSC::MarkedBlock::Handle::isLive):
(JSC::MarkedBlock::Handle::isLiveCell):
(JSC::MarkedBlock::Handle::isNewlyAllocatedStale):
(JSC::MarkedBlock::Handle::hasAnyNewlyAllocatedWithSweep):
(JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
(JSC::MarkedBlock::heap):
(JSC::MarkedBlock::space):
(JSC::MarkedBlock::Handle::space):
(JSC::MarkedBlock::resetMarkingVersion): Deleted.
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::beginMarking):
(JSC::MarkedSpace::endMarking):
(JSC::MarkedSpace::clearNewlyAllocated): Deleted.
* heap/MarkedSpace.h:
(JSC::MarkedSpace::nextVersion):
(JSC::MarkedSpace::newlyAllocatedVersion):
(JSC::MarkedSpace::markingVersion): Deleted.
* runtime/SamplingProfiler.cpp:
2016-10-11 Mark Lam <mark.lam@apple.com>
Array.prototype.concat should not modify frozen objects.
https://bugs.webkit.org/show_bug.cgi?id=163302
Reviewed by Filip Pizlo.
The ES6 spec for Array.prototype.concat states that it uses the
CreateDataPropertyOrThrow() to add items to the result array. The spec for
CreateDataPropertyOrThrow states:
"This abstract operation creates a property whose attributes are set to the same
defaults used for properties created by the ECMAScript language assignment
operator. Normally, the property will not already exist. If it does exist and is
not configurable or if O is not extensible, [[DefineOwnProperty]] will return
false causing this operation to throw a TypeError exception."
Since the properties of frozen objects are not extensible, not configurable, and
not writable, Array.prototype.concat should fail to write to the result array if
it is frozen.
Ref: https://tc39.github.io/ecma262/#sec-array.prototype.concat,
https://tc39.github.io/ecma262/#sec-createdatapropertyorthrow, and
https://tc39.github.io/ecma262/#sec-createdataproperty.
The fix consists of 2 parts:
1. moveElement() should use the PutDirectIndexShouldThrow mode when invoking
putDirectIndex(), and
2. SparseArrayValueMap::putDirect() should check for the case where the property
is read only.
(2) ensures that we don't write into a non-writable property.
(1) ensures that we throw a TypeError for attempts to write to a non-writeable
property.
* runtime/ArrayPrototype.cpp:
(JSC::moveElements):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::putDirect):
2016-10-11 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] DOMJIT::Patchpoint should have a way to receive constant folded arguments
https://bugs.webkit.org/show_bug.cgi?id=163224
Reviewed by Filip Pizlo.
We use the GetGlobalObject DFG node to retrieve a global object from a DOM node.
This global object is necessary to check whether the world is normal before entering
the fast path of looking up the DOM wrapper cache.
We can sometimes constant-fold this GetGlobalObject. For example, if we performed
CheckStructure, the structure can offer the information about the possible result
of GetGlobalObject. By using this constant-folded global object, we can drop some
checks.
This patch introduces the way to tell the constant-folded values to DOMJIT::Patchpoint.
We pass DOMJIT::Value instead of DOMJIT::Reg as a parameter of DOMJIT::PatchpointParams.
This DOMJIT::Value is a pair of DOMJIT::Reg and JSValue. If the given parameter has a
constant value, this JSValue is filled with it.
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGDOMJITPatchpointParams.h:
(JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOM):
(JSC::DFG::SpeculativeJIT::compileCheckDOM):
* domjit/DOMJITPatchpointParams.h:
(JSC::DOMJIT::PatchpointParams::at):
(JSC::DOMJIT::PatchpointParams::operator[]):
(JSC::DOMJIT::PatchpointParams::PatchpointParams):
* domjit/DOMJITValue.h: Copied from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
(JSC::DOMJIT::Value::Value):
(JSC::DOMJIT::Value::isGPR):
(JSC::DOMJIT::Value::isFPR):
(JSC::DOMJIT::Value::isJSValueRegs):
(JSC::DOMJIT::Value::gpr):
(JSC::DOMJIT::Value::fpr):
(JSC::DOMJIT::Value::jsValueRegs):
(JSC::DOMJIT::Value::reg):
(JSC::DOMJIT::Value::value):
* ftl/FTLDOMJITPatchpointParams.h:
(JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
2016-10-10 Filip Pizlo <fpizlo@apple.com>
Air should be able to replace constant materializations with adds
https://bugs.webkit.org/show_bug.cgi?id=162749
Reviewed by Yusuke Suzuki.
We have a lot of defenses against emitting code that materializes huge contants. But if we do
end up with such code in the backend, it's better to convert those materializations into add
instructions by checking if other registers are known to contain nearby constants. That's
what this patch does.
* b3/air/AirFixObviousSpills.cpp:
* b3/testb3.cpp:
2016-10-11 Filip Pizlo <fpizlo@apple.com>
B3->Air lowering needs the same defenses in effectiveAddr() that it has in tryAppendLea()
https://bugs.webkit.org/show_bug.cgi?id=163264
Reviewed by Mark Lam.
When writing the lea patch (r207039), I was very careful about how I convert a Shl into a
BaseIndex scale. But I forgot to check if the older code for creating BaseIndexes for
effectiveAddr() got this right. It turns out that the older code missed the <<32 corner
case.
It's sad that the two paths can't share all of their code, but it's somewhat inevitable due
to how matching an address and matching a lea have to do very different things. Matching a
lea means creating an instruction that is distinct from other instructions to do multiple
math operations at once. Matching an address means making some instruction do extra work
for free. Also, address matching can take advantage of the fact that the offset is already
associated with the memory operation by strength reduction - lea matching can't do this; it
has to figure out Add(@value, $const) on its own. This change makes the situation slightly
more sane by adding a scaleForShl() helper that handles this weird case. It's based on the
new Shl handling from r207039, and exposes it as an API for effectiveAddr() to use.
The testLoadBaseIndexShift32() used to crash. I don't think that this case affects JS
content, since <<32 is such a bizarre outlier. I don't think we even have a path along
which the FTL would emit a 64-bit <<32. It probably won't even affect WebAssembly since
that uses 32-bit pointers, so we won't see 64-bit <<32 in effectiveAddr() there.
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::scaleForShl):
(JSC::B3::Air::LowerToAir::effectiveAddr):
(JSC::B3::Air::LowerToAir::tryAppendLea):
(JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
* b3/testb3.cpp:
(JSC::B3::testLoadBaseIndexShift2):
(JSC::B3::testLoadBaseIndexShift32):
(JSC::B3::run):
2016-10-11 Saam Barati <sbarati@apple.com>
ValueAdd should be constant folded if the operands are constant String,Primitive or Primitive,String
https://bugs.webkit.org/show_bug.cgi?id=163182
Reviewed by Filip Pizlo.
This code pattern shows up in Dromaeo, so it's worth optimizing for.
This might also show up in real world JS code due to inlining and other
types of constant folding.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGLazyJSValue.cpp:
(JSC::DFG::LazyJSValue::getValue):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
2016-10-10 Zan Dobersek <zdobersek@igalia.com>
Add ENABLE_ENCRYPTED_MEDIA configuration option
https://bugs.webkit.org/show_bug.cgi?id=163219
Reviewed by Darin Adler.
* Configurations/FeatureDefines.xcconfig:
Add the ENABLE_ENCRYPTED_MEDIA configuration option. It will be used
to enable or disable the new EME implementation at build-time.
2016-10-10 Filip Pizlo <fpizlo@apple.com>
B3->Air lowering should be able to emit complex leas on x86
https://bugs.webkit.org/show_bug.cgi?id=163234
Reviewed by Saam Barati.
This adds comprehensive support for emitting lea on x86.
When adding this, I found that it was useful to also finally add more reassociation. That
reduces the amount of patterns that the instruction selector has to deal with.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::lea32):
(JSC::MacroAssembler::lea64):
(JSC::MacroAssembler::lea): Deleted.
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::commitInternal):
(JSC::B3::Air::LowerToAir::tryAppendLea):
(JSC::B3::Air::LowerToAir::lower):
(JSC::B3::Air::LowerToAir::createSelect): Deleted.
* b3/B3ReduceStrength.cpp:
* b3/B3Value.h:
* b3/B3ValueInlines.h:
(JSC::B3::Value::isRepresentableAs):
(JSC::B3::Value::representableAs): Deleted.
* b3/air/AirOpcode.opcodes:
* b3/testb3.cpp: Lots of tests for lea and reassociation.
2016-10-10 Mark Lam <mark.lam@apple.com>
Change ArrayPrototype.cpp's putLength() and setLength() to take a VM& so that we can use vm.propertyNames.
https://bugs.webkit.org/show_bug.cgi?id=163260
Reviewed by Saam Barati.
In all cases where we call these, we already have the VM& anyway.
* runtime/ArrayPrototype.cpp:
(JSC::putLength):
(JSC::setLength):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
2016-10-10 Mark Lam <mark.lam@apple.com>
Rename the StrictModeReadonlyPropertyWriteError string to ReadonlyPropertyWriteError.
https://bugs.webkit.org/show_bug.cgi?id=163239
Reviewed by Filip Pizlo.
This string is also used for reporting the same error in cases which have nothing
to do with strict mode.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/GetterSetter.cpp:
(JSC::callSetter):
* runtime/JSArray.cpp:
(JSC::JSArray::setLengthWithArrayStorage):
(JSC::JSArray::pop):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
(JSC::JSValue::putToPrimitiveByIndex):
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
* runtime/JSModuleEnvironment.cpp:
(JSC::JSModuleEnvironment::put):
* runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::put):
(JSC::JSModuleNamespaceObject::putByIndex):
* runtime/JSObject.cpp:
(JSC::ordinarySetSlow):
(JSC::JSObject::putInlineSlow):
(JSC::JSObject::setPrototypeWithCycleCheck):
(JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::putInline):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePut):
* runtime/Lookup.h:
(JSC::putEntry):
* runtime/RegExpObject.h:
(JSC::RegExpObject::setLastIndex):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::putEntry):
(JSC::SparseArrayEntry::put):
* runtime/StringObject.cpp:
(JSC::StringObject::put):
(JSC::StringObject::putByIndex):
2016-10-10 Saam Barati <sbarati@apple.com>
compileCheckStringIdent in the FTL is wrong
https://bugs.webkit.org/show_bug.cgi?id=163215
Reviewed by Mark Lam and Filip Pizlo.
lowStringIdent() returns the StringImpl pointer. The compileCheckStringIdent()
was treating its return value as the actual JSString. This is wrong.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent):
2016-10-10 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Implement Node accessors in DOMJIT
https://bugs.webkit.org/show_bug.cgi?id=163005
Reviewed by Filip Pizlo.
Add some helper methods and offsetOfXXX for JSC::Weak since it is used
for DOM wrapper caching.
And make DOMJIT::Patchpoint in FTL closer to one in DFG. We add resultConstraint
to avoid the situation that the same register is allocated to child and result.
We also extend DOMJIT::Patchpoint to tell useTagTypeNumberRegister / useTagMaskRegister.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* domjit/DOMJITSlowPathCalls.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
* heap/WeakImpl.h:
(JSC::WeakImpl::offsetOfJSValue):
(JSC::WeakImpl::offsetOfWeakHandleOwner):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::boxCell):
(JSC::AssemblyHelpers::boxInt32): Deleted.
* jit/JITOperations.h:
2016-10-09 Filip Pizlo <fpizlo@apple.com>
Air should expose API for pinning registers
https://bugs.webkit.org/show_bug.cgi?id=163175
Reviewed by Keith Miller.
You can now call Procedure::pinRegister(), or Code::pinRegister(), and it will make this
register behave as follows:
- B3 and Air will emit no code that modifies the value in this register, except if that
happens via a Patchpoint or stackmap constraint (i.e. the user explicitly asked for it).
- B3 and Air will allow others to modify the register. For example, if the register is not
callee-save, then the compiler knows that the register's value will be trashed by any
C-style call.
- Air will be happy to emit code that reads from this register, including coalescing tmps
with it, so longer as there is no interference (i.e. no chance of the register's value
changing). For example, if we went back to having pinned tag registers, we would tell B3
to use them by (1) excluding them from any clobber set (easy, since they're callee save)
and (2) emitting ArgumentReg to grab their value. There's a test that does this.
This is accomplished by taking regsInPriorityOrder() and making it a method of Code. Air
already used this API when choosing registers in register allocation. Code now also vends a
mutableRegs() set, which is derived from regsInPriorityOrder(), that can quickly tell you if
a register can be mutated. Doing it this way means that most of this is a purely mechanical
change. The calls to mutableRegs() are the places where we had to change logic:
- The register allocators needs to know that coalescing with a precolored pinned tmp is free.
- The callee-save handler needs to know that we're not supposed to save/restore pinned
registers.
Note that in this scheme, pinned registers are simply registers that do not appear in
regsInPriorityOrder(). This means, for example, that we will now say that FP is pinned. So,
this means that you can also pin registers by calling setRegsInPriorityOrder() and passing a
vector that excludes some registers. More generally, this means that clients can now tweak
the register allocator's register preferences, since the ordering in that list reflects the
order in which the allocator will try registers.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* b3/B3Procedure.cpp:
(JSC::B3::Procedure::pinRegister):
* b3/B3Procedure.h:
* b3/air/AirCode.cpp:
(JSC::B3::Air::Code::Code):
(JSC::B3::Air::Code::setRegsInPriorityOrder):
(JSC::B3::Air::Code::pinRegister):
* b3/air/AirCode.h:
(JSC::B3::Air::Code::regsInPriorityOrder):
(JSC::B3::Air::Code::mutableRegs):
(JSC::B3::Air::Code::isPinned):
(JSC::B3::Air::Code::regsInPriorityOrderImpl):
(JSC::B3::Air::Code::proc): Deleted.
* b3/air/AirEmitShuffle.cpp:
(JSC::B3::Air::emitShuffle):
* b3/air/AirEmitShuffle.h:
* b3/air/AirHandleCalleeSaves.cpp:
(JSC::B3::Air::handleCalleeSaves):
* b3/air/AirIteratedRegisterCoalescing.cpp:
* b3/air/AirLowerAfterRegAlloc.cpp:
(JSC::B3::Air::lowerAfterRegAlloc):
* b3/air/AirRegisterPriority.cpp: Removed.
* b3/air/AirRegisterPriority.h: Removed.
* b3/air/AirSpillEverything.cpp:
(JSC::B3::Air::spillEverything):
* b3/air/testair.cpp:
(JSC::B3::Air::testShuffleBroadcastAllRegs):
(JSC::B3::Air::testShuffleShiftAllRegs):
(JSC::B3::Air::testShuffleRotateAllRegs):
(JSC::B3::Air::testShuffleShiftMemoryAllRegs):
(JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
(JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
(JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
(JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
* b3/testb3.cpp:
(JSC::B3::testPinRegisters):
(JSC::B3::run):
* jit/RegisterSet.h:
2016-10-08 Filip Pizlo <fpizlo@apple.com>
B3 should know about mutable pinned registers
https://bugs.webkit.org/show_bug.cgi?id=163172
Reviewed by Keith Miller.
If we have mutable pinned registers then we need to know which operations mutate them. At
first I considered making this into a heap range thing, but I think that this would be very
confusing. Also, in the future, we might want to make Effects track register sets of
clobbered registers (see bug 163173).
* b3/B3Effects.cpp:
(JSC::B3::Effects::interferes):
(JSC::B3::Effects::operator==):
(JSC::B3::Effects::dump):
* b3/B3Effects.h:
(JSC::B3::Effects::forCall):
(JSC::B3::Effects::mustExecute):
2016-10-08 Saam Barati <sbarati@apple.com>
HasIndexedProperty clobberize rule is wrong for Array::ForceOSRExit
https://bugs.webkit.org/show_bug.cgi?id=159942
<rdar://problem/27328836>
Reviewed by Filip Pizlo.
When HasIndexedProperty has a ForceOSRExit array mode, it should
report to write to side state, like the ForceOSRExit node, and the
other nodes with ForceOSRExit array mode.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2016-10-07 Mark Lam <mark.lam@apple.com>
Object.freeze() and seal() should throw if [[PreventExtensions]]() fails.
https://bugs.webkit.org/show_bug.cgi?id=163160
Reviewed by Saam Barati.
See https://tc39.github.io/ecma262/#sec-object.freeze,
https://tc39.github.io/ecma262/#sec-object.seal, and
https://tc39.github.io/ecma262/#sec-setintegritylevel. We need to call
preventExtensions first before proceeding to freeze / seal the object. If
preventExtensions fails, we should throw a TypeError.
* runtime/ObjectConstructor.cpp:
(JSC::setIntegrityLevel):
(JSC::objectConstructorSeal):
(JSC::objectConstructorFreeze):
2016-10-06 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Support slow path call
https://bugs.webkit.org/show_bug.cgi?id=162978
Reviewed by Saam Barati.
One of the most important features required in DOMJIT::Patchpoint is slow path calls.
DOM operation typically returns DOMWrapper object. At that time, if wrapper cache hits, we can go
to the fast path. However, if we cannot use the cache, we need to go to the slow path to call toJS function.
At that time, slow path call functionality is necessary.
This patch expose DOMJIT::PatchpointParams::addSlowPathCall. We can request slow path call code generation
through this interface. DOMJIT::PatchpointParams automatically leverages appropriate slow path call systems
in each tier. In DFG, we use slow path call system. In FTL, we implement slow path call by using addLatePath
to construct slow path call. But these details are completely hidden by DOMJIT::PatchpointParams. Users can
just use addSlowPathCall.
Since DFG and FTL slow path call systems are implemented in variadic templates, directly using this means
that we need to expose core part of DFG and FTL. For example, DFG::SpeculativeJIT need to be exposed in
such a design. That is too bad. Instead, we use magical macro in DOMJITSlowPathCalls.h. We can list up the
call signatures in DOMJIT_SLOW_PATH_CALLS. DOMJIT uses these signatures to generate an interface to request
slow path calls inside DFG and FTL instead of exposing everything.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGCommon.h:
* dfg/DFGDOMJITPatchpointParams.cpp: Copied from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
(JSC::DFG::dispatch):
* dfg/DFGDOMJITPatchpointParams.h: Copied from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
(JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOM):
(JSC::DFG::SpeculativeJIT::compileCheckDOM):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::extractResult): Deleted.
* domjit/DOMJITPatchpointParams.h:
(JSC::DOMJIT::PatchpointParams::addSlowPathCall):
* domjit/DOMJITSlowPathCalls.h: Copied from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
* ftl/FTLDOMJITPatchpointParams.cpp: Added.
(JSC::FTL::dispatch):
* ftl/FTLDOMJITPatchpointParams.h: Copied from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
(JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
* jit/GPRInfo.h:
(JSC::extractResult):
* jsc.cpp:
2016-10-06 Saam Barati <sbarati@apple.com>
HasOwnPropertyCache flattening dictionaries is causing insane memory usage with the uBlock Safari extension
https://bugs.webkit.org/show_bug.cgi?id=163091
Reviewed by Mark Lam.
I'm investigating a real fix for this in:
https://bugs.webkit.org/show_bug.cgi?id=163092
However, it's best to get this out of trunk for now.
* runtime/HasOwnPropertyCache.h:
(JSC::HasOwnPropertyCache::tryAdd):
2016-10-06 Keith Miller <keith_miller@apple.com>
getInternalObjcObject should validate the JSManagedObject's value.
https://bugs.webkit.org/show_bug.cgi?id=162985
Reviewed by Geoffrey Garen.
Previously, if, for instance, the JSManagedObject's weak value had been
cleared we would call tryUnwrapObjcObject with a nil context and value.
This triggered assertions failures as those functions expect their inputs
to be valid.
* API/JSVirtualMachine.mm:
(getInternalObjcObject):
2016-10-06 Brian Burg <bburg@apple.com>
Web Inspector: RemoteInspector should cache client capabilities for off-main thread usage
https://bugs.webkit.org/show_bug.cgi?id=163039
<rdar://problem/28571460>
Reviewed by Timothy Hatcher.
The fix in r206797 was incorrect because listings are always pushed out on the XPC connection queue.
Instead of delaying the listing needlessly, RemoteInspector should cache the capabilities of its
client while on the main thread, then use the cached struct data on the XPC connection queue rather
than directly accessing m_client. This is similar to how RemoteConnectionToTarget marshalls listing
information from arbitrary queues into m_targetListingMap, which can then be read from any queue.
* inspector/remote/RemoteInspector.h:
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::updateClientCapabilities): Cache the capabilities.
(Inspector::RemoteInspector::setRemoteInspectorClient):
Re-cache the capabilities. Scope the lock to avoid reentrant locking.
(Inspector::RemoteInspector::clientCapabilitiesDidChange): Cache the capabilities.
(Inspector::RemoteInspector::pushListingsNow): Use cached client capabilities.
(Inspector::RemoteInspector::receivedGetListingMessage): Revert the change in r206797.
(Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
2016-10-06 Yusuke Suzuki <utatane.tea@gmail.com>
[WebCore][JSC] Use new @throwTypeError and @throwRangeError intrinsics
https://bugs.webkit.org/show_bug.cgi?id=163001
Reviewed by Keith Miller.
Previously, the argument of @throwXXXError intrinsics must be string literal.
But it is error-prone restriction. This patch relaxes the restriction to accept
arbitrary values. To keep emitted bytecode small, if the argument is string literal,
we generate the same bytecode as before. If the argument is not string literal,
we evaluate it and perform to_string before passing to throw_static_error.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitThrowStaticError):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::BytecodeIntrinsicNode::emit_intrinsic_throwTypeError):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_throwRangeError):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
2016-10-05 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add @throwXXXError bytecode intrinsic
https://bugs.webkit.org/show_bug.cgi?id=162995
Reviewed by Saam Barati.
Builtin JS code need to check arguments carefully since it is somewhat standard library for JS.
So bunch of `throw new @TypeError("...")` exists while usual code does not have so many.
However the above code bloats 32 instructions per site, enlarges the size of bytecodes of builtins,
and prevent us from inlining. We should have a way to reduce this size.
Fortunately, we already have such a opcode: op_throw_static_error. In this patch,
1. We extends op_throw_static_error to throw arbitrary errors. Previously, only TypeError and ReferenceError are allowed.
We can embed ErrorType enum in op_throw_static_error to throw any types of errors.
2. We introduce several new bytecode intrinsics, `@throwTypeError("...")`, `@throwRangeError("...")`,
and `@throwOutOfMemoryError()`. And use it inside builtin JS instead of `throw new @TypeError("...")` thingy.
3. DFG Node for throw_static_error is incorrectly named as "ThrowReferenceError". This patch renames it to "ThrowStaticError".
* builtins/ArrayConstructor.js:
* builtins/ArrayIteratorPrototype.js:
(next):
* builtins/ArrayPrototype.js:
(values):
(keys):
(entries):
(reduce):
(reduceRight):
(every):
(forEach):
(filter):
(map):
(some):
(fill):
(find):
(findIndex):
(includes):
(sort):
(concatSlowPath):
(copyWithin):
* builtins/DatePrototype.js:
(toLocaleString.toDateTimeOptionsAnyAll):
(toLocaleString):
(toLocaleDateString.toDateTimeOptionsDateDate):
(toLocaleDateString):
(toLocaleTimeString.toDateTimeOptionsTimeTime):
(toLocaleTimeString):
* builtins/FunctionPrototype.js:
(bind):
* builtins/GeneratorPrototype.js:
(globalPrivate.generatorResume):
* builtins/GlobalOperations.js:
(globalPrivate.speciesConstructor):
* builtins/MapPrototype.js:
(forEach):
* builtins/ModuleLoaderPrototype.js:
(provide):
* builtins/ObjectConstructor.js:
(values):
(entries):
(assign):
* builtins/PromiseConstructor.js:
(race):
(reject):
(resolve):
* builtins/PromiseOperations.js:
(globalPrivate.newPromiseCapability.executor):
(globalPrivate.newPromiseCapability):
(globalPrivate.initializePromise):
* builtins/PromisePrototype.js:
* builtins/ReflectObject.js:
(apply):
(deleteProperty):
(has):
* builtins/RegExpPrototype.js:
(globalPrivate.regExpExec):
(match):
(replace):
(search):
(split):
(intrinsic.RegExpTestIntrinsic.test):
* builtins/SetPrototype.js:
(forEach):
* builtins/StringConstructor.js:
(raw):
* builtins/StringIteratorPrototype.js:
(next):
* builtins/StringPrototype.js:
(match):
(globalPrivate.repeatSlowPath):
(repeat):
(padStart):
(padEnd):
(intrinsic.StringPrototypeReplaceIntrinsic.replace):
(localeCompare):
(search):
(split):
* builtins/TypedArrayConstructor.js:
(of):
(from):
* builtins/TypedArrayPrototype.js:
(globalPrivate.typedArraySpeciesConstructor):
(every):
(find):
(findIndex):
(forEach):
(some):
(subarray):
(reduce):
(reduceRight):
(map):
(filter):
* bytecode/BytecodeIntrinsicRegistry.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitThrowStaticError):
(JSC::BytecodeGenerator::emitThrowReferenceError):
(JSC::BytecodeGenerator::emitThrowTypeError):
(JSC::BytecodeGenerator::emitThrowRangeError):
(JSC::BytecodeGenerator::emitThrowOutOfMemoryError):
(JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::BytecodeIntrinsicNode::emit_intrinsic_throwTypeError):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_throwRangeError):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_throwOutOfMemoryError):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_throw_static_error):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_throw_static_error): Deleted.
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
* runtime/Error.cpp:
(JSC::createError):
(WTF::printInternal):
* runtime/Error.h:
2016-10-05 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, attempt to fix CLoop build after r206846
https://bugs.webkit.org/show_bug.cgi?id=162941
Attempt to fix CLoop build part 2. r206847 was not valid.
* jsc.cpp:
2016-10-05 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, build fix after r206846
https://bugs.webkit.org/show_bug.cgi?id=162941
DOMJIT::Patchpoint part should be guarded by ENABLE(JIT).
* jsc.cpp:
2016-10-05 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Add initial CheckDOM and CallDOM implementations
https://bugs.webkit.org/show_bug.cgi?id=162941
Reviewed by Filip Pizlo.
This patch implements a prototype of DOMJIT accelerated getter.
We add two new DFG nodes, CheckDOM and CallDOM.
CheckDOM is used to filter inappropriate |this| object for DOM getter. Its functionality
is equivalent to jsDynamicCast's Check. You can use like "CheckDOM, @1, JSNode::info()",
and this CheckDOM incurs a BadType exit if the class of the given @1 is not a subclass of
JSNode::info().
CallDOM is used to emit actual DOM operations. It takes GlobalObject and checked DOM
object. And it returns JSValue as its result.
Both CheckDOM and CallDOM can take a DOMJIT::Patchpoint. This is somewhat code snippet
generator, and is injectable to DFG and FTL. DFG and FTL set up registers correctly
according to DOMJIT::Patchpoint's requirement and invoke this patchpoint generator to emit code.
While CallDOM always requires a patchpoint, ideally CheckDOM does not require it since
isSubclassOf check can be implemented in DFG / FTL side. However, some classes have a
faster way to query isSubclassOf. For example, JSNode in WebCore introduces a special
JSType to optimize this query. CheckDOM's patchpoint gives us a chance to emit special
faster code for such a case.
By leveraging above nodes, we can construct DOMJIT accelerated getter. When DFG recognizes the
given getter call is CustomGetter and it has DOMJIT::GetterSetter information, DFG emits the above nodes.
We implemented a prototype in jsc.cpp shell as DOMJITGetter to test the functionality.
Notes about the future extensions.
1. Currently, we do not allow CallDOM to emit any function calls. This will be extended by
adding `addSlowPathCall` functionality to DOMJIT::Patchpoint later. Interesting thing is that
we need to create an abstraction over DFG slow path call and FTL slow path call!
2. CheckDOM is not handled in DFGTypeCheckHoistingPhase yet. And we have a chance to merge several CheckDOM into one.
For example, given CheckDOM A and CheckDOM B to the same target. If A is subclass of B, we can merge them to CheckDOM A.
* JavaScriptCore.xcodeproj/project.pbxproj:
* b3/B3Effects.h:
(JSC::B3::Effects::forCheck):
* b3/B3Value.cpp:
(JSC::B3::Value::effects):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::GetByIdStatus::makesCalls):
(JSC::GetByIdStatus::dump):
* bytecode/GetByIdStatus.h:
(JSC::GetByIdStatus::GetByIdStatus):
(JSC::GetByIdStatus::isCustom):
(JSC::GetByIdStatus::takesSlowPath):
(JSC::GetByIdStatus::isSimple): Deleted.
* bytecode/SpeculatedType.cpp:
(JSC::speculationFromClassInfo):
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::filterClassInfo):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::filterClassInfo):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::filterClassInfo):
* dfg/DFGAbstractValue.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleDOMJITGetter):
(JSC::DFG::ByteCodeParser::handleGetById):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasDOMJIT):
(JSC::DFG::Node::domJIT):
(JSC::DFG::Node::hasClassInfo):
(JSC::DFG::Node::classInfo):
(JSC::DFG::Node::OpInfoWrapper::OpInfoWrapper):
(JSC::DFG::Node::OpInfoWrapper::operator=):
* dfg/DFGNodeType.h:
* dfg/DFGOpInfo.h:
(JSC::DFG::OpInfo::OpInfo):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::allocateTemporaryRegistersForPatchpoint):
(JSC::DFG::SpeculativeJIT::compileCallDOM):
(JSC::DFG::SpeculativeJIT::compileCheckDOM):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureAbstractValue.cpp:
(JSC::DFG::StructureAbstractValue::filterClassInfoSlow):
(JSC::DFG::StructureAbstractValue::isSubClassOf):
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::filterClassInfo):
(JSC::DFG::StructureAbstractValue::filter): Deleted.
* domjit/DOMJITPatchpointParams.h: Copied from Source/JavaScriptCore/dfg/DFGOpInfo.h.
(JSC::DOMJIT::PatchpointParams::~PatchpointParams):
(JSC::DOMJIT::PatchpointParams::size):
(JSC::DOMJIT::PatchpointParams::at):
(JSC::DOMJIT::PatchpointParams::operator[]):
(JSC::DOMJIT::PatchpointParams::gpScratch):
(JSC::DOMJIT::PatchpointParams::fpScratch):
(JSC::DOMJIT::PatchpointParams::PatchpointParams):
* domjit/DOMJITReg.h: Added.
(JSC::DOMJIT::Reg::Reg):
(JSC::DOMJIT::Reg::isGPR):
(JSC::DOMJIT::Reg::isFPR):
(JSC::DOMJIT::Reg::isJSValueRegs):
(JSC::DOMJIT::Reg::gpr):
(JSC::DOMJIT::Reg::fpr):
(JSC::DOMJIT::Reg::jsValueRegs):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
(JSC::FTL::DFG::LowerDFGToB3::compileUnreachable): Deleted.
* jit/AssemblyHelpers.h:
* jsc.cpp:
(WTF::DOMJITNode::DOMJITNode):
(WTF::DOMJITNode::createStructure):
(WTF::DOMJITNode::create):
(WTF::DOMJITNode::value):
(WTF::DOMJITNode::offsetOfValue):
(WTF::DOMJITGetter::DOMJITGetter):
(WTF::DOMJITGetter::createStructure):
(WTF::DOMJITGetter::create):
(WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT):
(WTF::DOMJITGetter::domJITNodeGetterSetter):
(WTF::DOMJITGetter::finishCreation):
(WTF::DOMJITGetter::customGetter):
(GlobalObject::finishCreation):
(functionCreateDOMJITNodeObject):
(functionCreateDOMJITGetterObject):
2016-10-05 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Do not construct Simple GetByIdStatus against self-custom-accessor case
https://bugs.webkit.org/show_bug.cgi?id=162993
Reviewed by Filip Pizlo.
We accidentally created a Simple GetByIdStatus against self-custom-accessor case: the object has own custom accessor property and get_by_id hits.
If we returned such a result, the GetById will be turned to GetByOffset and it looks up incorrect thing like CustomGetterSetter object.
We do not hit this bug before since maybe there is no object that has own custom-accessor and this custom-accessor does not raise an error.
For example, "Node.prototype" has "firstChild" custom accessor. But since "Node.prototype" itself does not have Node::info(), "Node.prototype.firstChild"
access always raises an error. I guess all the custom accessors follow this pattern. This bug is uncovered when testing DOMJIT (This bug causes crash and
it can occur even if we disabled DOMJIT).
But such a assumption is not guaranteed. In this patch, we fix this by not returning Simple GetById.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
(JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::GetByIdStatus::computeFor):
2016-10-05 Saam Barati <sbarati@apple.com>
PCToCodeOriginMap builder should use labelIgnoringWatchpoints() inside the DFG
https://bugs.webkit.org/show_bug.cgi?id=162936
Reviewed by Michael Saboff.
label() may insert nops because of an InvalidationPoint. It does that
because we don't want code that comes after an InvalidationPoint that isn't
effected by the invalidation point to be overwritten if we fire the
InvalidationPoint. PCToCodeOriginMap just grabs labels to build
a mapping, it never emits code that actually jumps to those labels.
Therefore, it should never cause us to emit nops.
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compile):
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2016-10-05 Myles C. Maxfield <mmaxfield@apple.com>
Put variation fonts work behind a compile-time flag
https://bugs.webkit.org/show_bug.cgi?id=162949
Reviewed by Simon Fraser.
* Configurations/FeatureDefines.xcconfig:
2016-10-05 Andy VanWagoner <thetalecrafter@gmail.com>
[INTL] Implement Intl.getCanonicalLocales
https://bugs.webkit.org/show_bug.cgi?id=162768
Reviewed by Benjamin Poulain.
Implement Intl.getCanonicalLocales from ECMA 402 (3rd edition)
http://ecma-international.org/ecma-402/3.0/index.html#sec-intl.getcanonicallocales
Reuse canonicalizeLocaleList and copy the results into a new JSArray.
* runtime/IntlObject.cpp:
(JSC::IntlObject::finishCreation):
(JSC::intlObjectFuncGetCanonicalLocales):
2016-10-05 Michael Saboff <msaboff@apple.com>
Bad ASSERT in ClonedArguments::createByCopyingFrom()
https://bugs.webkit.org/show_bug.cgi?id=162988
Reviewed by Keith Miller.
Removed bogus assert.
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createByCopyingFrom):
2016-10-05 Zan Dobersek <zdobersek@igalia.com>
Rename ENABLE_ENCRYPTED_MEDIA_V2 to ENABLE_LEGACY_ENCRYPTED_MEDIA
https://bugs.webkit.org/show_bug.cgi?id=162903
Reviewed by Alex Christensen.
Rename build guards for the remaining implementation of the legacy EME API
to ENABLE_LEGACY_ENCRYPTED_MEDIA. This will allow for the future implementation
of the near-finished API to be guarded with the simple ENABLE_ENCRYPTED_MEDIA guards.
* Configurations/FeatureDefines.xcconfig:
2016-10-05 Csaba Osztrogonác <ossy@webkit.org>
ARM EABI buildfix after r206778
https://bugs.webkit.org/show_bug.cgi?id=162964
Unreviewed trivial fix.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
2016-10-04 Saam Barati <sbarati@apple.com>
String.prototype.toLowerCase should be a DFG/FTL intrinsic
https://bugs.webkit.org/show_bug.cgi?id=162887
Reviewed by Filip Pizlo and Yusuke Suzuki.
This patch makes ToLowerCase an intrinsic in the DFG/FTL. On the fast
path, the intrinsic will loop over an 8-bit string ensuring it's already
lower case, and simply return the string. In the slow path, it'll call
into C code to make a new string.
This is a 7-8% speedup on ES6SampleBench/Basic.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileToLowerCase):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
* jit/JITOperations.h:
* runtime/Intrinsic.h:
* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):
2016-10-04 Brian Burg <bburg@apple.com>
Web Inspector: don't synchronously send a listing message if we might need to query _WKAutomationDelegate
https://bugs.webkit.org/show_bug.cgi?id=162810
<rdar://problem/28571460>
Reviewed by Timothy Hatcher.
We shouldn't ever access the _WKAutomationDelegate through RemoteInspector::Client methods
off of the main thread, because it could cause problems. This happens when we pushListingsNow()
in response to a WIRApplicationGetListingMessage XPC message. In this case, just use
pushListingsSoon() since it dispatches on the correct (main) queue to gather listing information.
This may induce a slight update delay when first connecting to the UIProcess through RemoteInspector,
but this is at most 200ms and will coalesce with other updates that happen when UIProcess gets set up.
There are no other code paths through RemoteInspector (for UIProcess) that could cause a call
to pushListingsNow(), so this only needs to be changed in the XPC message handler.
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::receivedGetListingMessage):
2016-10-04 JF Bastien <jfbastien@apple.com>
WebAssembly: handle a few corner cases
https://bugs.webkit.org/show_bug.cgi?id=162884
Reviewed by Keith Miller.
* wasm/JSWASMModule.cpp: missing include broke cmake build
* wasm/WASMFunctionParser.h:
(JSC::WASM::FunctionParser<Context>::parseBlock): check op is valid
(JSC::WASM::FunctionParser<Context>::parseExpression): switch covers all cases
* wasm/WASMOps.h:
(JSC::WASM::isValidOpType): op is valid
* wasm/WASMParser.h:
(JSC::WASM::Parser::consumeString): avoid str[i] being one-past-the-end
(JSC::WASM::Parser::parseUInt32): shift math around to avoid overflow
2016-10-04 Yusuke Suzuki <utatane.tea@gmail.com>
REGRESSION (r206778): Release JSC test ChakraCore.yaml/ChakraCore/test/Error/validate_line_column.js.default failing
https://bugs.webkit.org/show_bug.cgi?id=162937
Reviewed by Saam Barati.
We dropped expression info accidentally at r206777.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCallDefineProperty):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::PropertyListNode::emitPutConstantProperty):
(JSC::ClassExprNode::emitBytecode):
2016-10-04 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Introduce DOMJIT::GetterSetter to tell JIT information
https://bugs.webkit.org/show_bug.cgi?id=162916
Reviewed by Filip Pizlo.
In this patch, we introduce DOMJIT::GetterSetter.
This class maintains information required to emit JIT code in DFG and FTL.
DOMJIT::GetterSetter has 2 virtual functions: checkDOM and callDOM.
These functions can return a DOMJIT::Patchpoint that allows us to inject
appropriate machine code during DFG and FTL phases. DFG and FTL will invoke
these functions to get a patchpoint. And this patchpoint will be used to
emit code corresponding to CheckDOM and CallDOM DFG nodes, which will be added
in subsqeunt patch.
We propagate DOMJIT::GetterSetter through PropertySlot, AccessCase, GetByIdVariant,
and GetByIdStatus along with CustomGetter to teach DFG that this custom access
code has a chance to be inlined with this DOMJIT::GetterSetter information.
Instead of propagating CustomGetterSetter holding DOMJIT::GetterSetter and CustomGetter,
we propagate CustomGetter and DOMJIT::GetterSetter. This is because of the current
CustomGetterSetter design that we reify CustomGetterSetters only when we need to reify
all the properties. This design allows us to avoid frequent CustomGetterSetter allocations
and structure transitions.
Currently, domJIT field is always nullptr since there is no DOMJITAttribute user.
When we add this, we will add code handling this DOMJIT::GetterSetter in DFG::ByteCodeParser.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::GetByIdVariant):
(JSC::GetByIdVariant::operator=):
(JSC::GetByIdVariant::attemptToMerge):
(JSC::GetByIdVariant::dumpInContext):
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::domJIT):
(JSC::GetByIdVariant::intrinsic): Deleted.
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::get):
(JSC::AccessCase::clone):
* bytecode/PolymorphicAccess.h:
(JSC::AccessCase::domJIT):
(JSC::AccessCase::RareData::RareData):
* dfg/DFGNode.h:
* domjit/DOMJITGetterSetter.h: Added.
(JSC::DOMJIT::GetterSetter::GetterSetter):
(JSC::DOMJIT::GetterSetter::~GetterSetter):
(JSC::DOMJIT::GetterSetter::getter):
(JSC::DOMJIT::GetterSetter::setter):
(JSC::DOMJIT::GetterSetter::thisClassInfo):
* domjit/DOMJITPatchpoint.h: Added.
(JSC::DOMJIT::Patchpoint::create):
(JSC::DOMJIT::Patchpoint::setGenerator):
(JSC::DOMJIT::Patchpoint::generator):
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
* runtime/CustomGetterSetter.h:
* runtime/JSObject.h:
(JSC::JSObject::fillCustomGetterPropertySlot):
* runtime/Lookup.h:
(JSC::HashTableValue::domJIT):
(JSC::getStaticPropertySlotFromTable):
(JSC::putEntry):
(JSC::reifyStaticProperty):
* runtime/PropertySlot.h:
(JSC::PropertySlot::domJIT):
(JSC::PropertySlot::setCacheableCustom):
2016-09-27 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add a new byte code op_define_property instead of calling defineProperty
https://bugs.webkit.org/show_bug.cgi?id=162108
Reviewed by Saam Barati.
To construct ES6 class, we emitted bytecode that performs the following operations.
1. construct a new object
2. put "configurable", "enumerable" etc. fields
3. call "defineProperty" function
However, this approach has problems. Every time we define a class method, we need to create
a new object to represent property descriptor. This can be removed if we can introduce
a special bytecode or special function.
This patch introduces new bytecodes, op_define_data_property and op_define_accessor_property.
Instead of taking an object, they takes several registers to avoid object allocations.
We're planning to use this bytecode to implement Object.defineProperty in builtin JS next.
This allows us to leverage object allocation sinking. And it also gives us a chance to use
faster ::get and ::hasProperty in JS.
Originally, I attempted to create one bytecode, op_define_property. However, it takes too many
children in DFG and uses so many registers in DFG. This leads tricky program in 32bit platforms.
Furthermore, it does not fit to the number of x64 argument registers. So instead, we introduce
two bytecodes.
And for op_define_accessor_property, we perform CellUse edge filter to getter and setter children.
This edge filter makes us possible to use SpeculateCellOperand and reduce the number of used registers
in comparison with JSValueOperand. To make children Cells even if we do not specify some accessors (for
example, { get: func, set: null } case), we fill registers with special throwTypeErrorFunction.
The attributes bitset keep information like "This property descriptor only has getter slot".
In these two bytecodes, we take attributes (configurable, enumerable, writable, hasGetter etc.) as
register instead of embedding constant int value because we will use these bytecodes to implement
Object.defineProperty next. In Object.defineProperty case, an attributes are not statically defined
at bytecode compiling time.
Run ES6SampleBench/Air 20 times. The result shows ~2% performance improvement.
Baseline:
firstIteration: 84.05 ms +- 4.37 ms
averageWorstCase: 40.54 ms +- 2.81 ms
steadyState: 3317.49 ms +- 48.25 ms
summary: 223.51 ms +- 5.07 ms
Patched:
firstIteration: 84.46 ms +- 4.22 ms
averageWorstCase: 41.48 ms +- 2.33 ms
steadyState: 3253.48 ms +- 29.31 ms
summary: 224.40 ms +- 4.72 ms
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/SpecialPointer.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitMoveLinkTimeConstant):
(JSC::BytecodeGenerator::emitCallDefineProperty):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::PropertyListNode::emitPutConstantProperty):
(JSC::BitwiseNotNode::emitBytecode):
(JSC::ClassExprNode::emitBytecode):
(JSC::ObjectPatternNode::bindValue):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileDefineDataProperty):
(JSC::DFG::SpeculativeJIT::compileDefineAccessorProperty):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty):
(JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty):
(JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis): Deleted.
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::setupFourStubArgsGPR): Deleted.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupFourStubArgsGPR):
(JSC::CCallHelpers::setupFiveStubArgsGPR):
(JSC::CCallHelpers::setupArgumentsWithExecState):
(JSC::CCallHelpers::setupStubArgsGPR):
(JSC::CCallHelpers::prepareForTailCallSlow): Deleted.
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_define_data_property):
(JSC::JIT::emit_op_define_accessor_property):
* llint/LowLevelInterpreter.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
* runtime/DefinePropertyAttributes.h: Added.
(JSC::DefinePropertyAttributes::DefinePropertyAttributes):
(JSC::DefinePropertyAttributes::rawRepresentation):
(JSC::DefinePropertyAttributes::hasValue):
(JSC::DefinePropertyAttributes::setValue):
(JSC::DefinePropertyAttributes::hasGet):
(JSC::DefinePropertyAttributes::setGet):
(JSC::DefinePropertyAttributes::hasSet):
(JSC::DefinePropertyAttributes::setSet):
(JSC::DefinePropertyAttributes::writable):
(JSC::DefinePropertyAttributes::configurable):
(JSC::DefinePropertyAttributes::enumerable):
(JSC::DefinePropertyAttributes::setWritable):
(JSC::DefinePropertyAttributes::setConfigurable):
(JSC::DefinePropertyAttributes::setEnumerable):
(JSC::DefinePropertyAttributes::fillWithTriState):
(JSC::DefinePropertyAttributes::extractTriState):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::throwTypeErrorFunction):
(JSC::JSGlobalObject::definePropertyFunction): Deleted.
* runtime/ObjectConstructor.cpp:
(JSC::ObjectConstructor::addDefineProperty): Deleted.
* runtime/ObjectConstructor.h:
* runtime/PropertyDescriptor.h:
(JSC::toPropertyDescriptor):
2016-10-04 Saam Barati <sbarati@apple.com>
Follow up fix to GetMapBucket and MapHash speculating on child node types.
To fix this, on 32-bit platforms, we do not speculate on the child
type since we just call into C code for these nodes.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
2016-10-03 Saam Barati <sbarati@apple.com>
GetMapBucket node should speculate on the type of its 'key' child
https://bugs.webkit.org/show_bug.cgi?id=161638
Reviewed by Filip Pizlo.
This eliminates type-check branches when we've already
proven the type of the incoming key. Also, it reduces
the branches we emit when type checking the bucket's key.
This is a 2-3% speedup on ES6SampleBench/Basic.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2016-10-03 Christopher Reid <Christopher.Reid@am.sony.com>
Offline asm should not output masm assembly when using a x86_64 asm backend
https://bugs.webkit.org/show_bug.cgi?id=162705
When cross compiling on windows to Clang, masm was being generated simply because
the os was windows. This change adds a command line parameter --assembler=MASM
to set the output assembly to masm.
The functions isGCC and isCompilingToWindows were removed as they are no longer called.
Reviewed by Mark Lam.
* CMakeLists.txt:
* offlineasm/asm.rb:
* offlineasm/x86.rb:
2016-10-03 JF Bastien <jfbastien@apple.com>
Auto-generate WASMOps.h, share with testing JSON file
https://bugs.webkit.org/show_bug.cgi?id=162870
Reviewed by Keith Miller.
Add a few new opcodes, but keep this mostly as-is for now. I want
to generate smarter code but will do so in a later update to
reduce disruption.
* wasm/WASMOps.h: auto-generated from ./JSTests/stress/wasm/to-c++.js
2016-10-03 Michael Saboff <msaboff@apple.com>
Creating pcToOriginMap in FTL shouldn't insert unnecessary NOPs
https://bugs.webkit.org/show_bug.cgi?id=162879
Reviewed by Filip Pizlo.
If there is a recent watchpoint label, using MacroAssembler::label() will pad
the instruction stream with NOPs to provide space for a jump. This changes
Air::generate() to use labelIgnoringWatchpoints() to create pcToOriginMap
entries to eliminate unneccesary NOPs.
* b3/air/AirGenerate.cpp:
(JSC::B3::Air::generate):
* b3/testb3.cpp:
(JSC::B3::testPCOriginMapDoesntInsertNops): New test.
(JSC::B3::run):
2016-10-03 Saam Barati <sbarati@apple.com>
MapHash should speculate on the type of its child node
https://bugs.webkit.org/show_bug.cgi?id=161922
Reviewed by Filip Pizlo.
This allows us to remove runtime type checks when we've already
proven the type of the incoming value.
This is a 2-3% speedup on ES6SampleBench/Basic.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::wangsInt64Hash):
(JSC::FTL::DFG::LowerDFGToB3::mapHashString):
(JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
2016-10-03 Filip Pizlo <fpizlo@apple.com>
B3 trapping memory accesses should be documented
https://bugs.webkit.org/show_bug.cgi?id=162845
Reviewed by Geoffrey Garen.
While writing some documentation, I found some small holes in the code.
* b3/B3Effects.cpp:
(JSC::B3::Effects::operator==): Need this to write tests.
(JSC::B3::Effects::operator!=): Need this to write tests.
* b3/B3Effects.h:
* b3/B3HeapRange.h:
* b3/B3MemoryValue.cpp:
(JSC::B3::MemoryValue::dumpMeta): Sometimes the heap range dump won't show you the memory value's actual range. This makes the dump show you the actual range in that case.
* b3/B3Value.cpp:
(JSC::B3::Value::effects): While documenting this, I remembered that trapping also has to imply reading top. I fixed this.
* b3/testb3.cpp:
(JSC::B3::testTrappingLoad): Added checks for the effects of trapping loads.
(JSC::B3::testTrappingStore): Added checks for the effects of trapping stores.
(JSC::B3::testMoveConstants): Made this not crash with validation.
2016-10-03 Yusuke Suzuki <utatane.tea@gmail.com>
[ES6] GeneratorFunction (a.k.a. GeneratorWrapperFunction)'s prototype object does not have constructor property
https://bugs.webkit.org/show_bug.cgi?id=162849
Reviewed by Geoffrey Garen.
Since GeneratorFunction is not constructible, GeneratorFunction.prototype does not have "constructor" property.
function* generatorFunction() { }
generatorFunction.prototype.constructor // undefined
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnPropertySlot):
2016-10-03 Nicolas Breidinger <Nicolas.Breidinger@sony.com>
JSStringRef should define JSChar without platform checks
https://bugs.webkit.org/show_bug.cgi?id=162808
Reviewed by Mark Lam.
* API/JSStringRef.h:
2016-10-01 Yusuke Suzuki <utatane.tea@gmail.com>
[ES6] Align attributes of Generator related properties to spec
https://bugs.webkit.org/show_bug.cgi?id=162839
Reviewed by Saam Barati.
This patch fixes attributes of Generator related properties.
These fixes are covered by test262.
* runtime/GeneratorFunctionConstructor.cpp:
(JSC::GeneratorFunctionConstructor::finishCreation):
* runtime/GeneratorFunctionConstructor.h:
* runtime/GeneratorFunctionPrototype.cpp:
(JSC::GeneratorFunctionPrototype::finishCreation):
* runtime/GeneratorFunctionPrototype.h:
* runtime/GeneratorPrototype.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
2016-10-01 Yusuke Suzuki <utatane.tea@gmail.com>
[ES6] GeneratorFunction constructor should instantiate generator function
https://bugs.webkit.org/show_bug.cgi?id=162838
Reviewed by Saam Barati.
GeneratorFunction's constructor should return an instance of JSGeneratorFunction
instead of JSFunction. In this patch, we fix the following 2 things.
1. GeneratorFunction constructor should use JSGeneratorFunction
Previously, we used JSFunction to construct a result. It's wrong. We use JSGeneratorFunction.
2. Pass newTarget into GeneratorFunction constructor to make it subclassible
We did not leverage newTarget when using GeneratorFunction constructor.
Using it correctly to create the subclass Structure and making GeneratorFunction subclassible.
Test262 test covers (1), but (2) is not covered. We add tests that covers both to stress tests.
* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/GeneratorFunctionConstructor.cpp:
(JSC::constructGeneratorFunctionConstructor):
* runtime/JSGeneratorFunction.cpp:
(JSC::JSGeneratorFunction::JSGeneratorFunction):
(JSC::JSGeneratorFunction::createImpl):
(JSC::JSGeneratorFunction::create):
(JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
* runtime/JSGeneratorFunction.h:
2016-10-01 Filip Pizlo <fpizlo@apple.com>
Get rid of isMarkedOrNewlyAllocated
https://bugs.webkit.org/show_bug.cgi?id=162842
Reviewed by Dan Bernstein.
This function has become dead code. This change removes it.
* heap/CellContainer.h:
* heap/CellContainerInlines.h:
(JSC::CellContainer::isMarkedOrNewlyAllocated): Deleted.
* heap/LargeAllocation.h:
(JSC::LargeAllocation::isLive):
(JSC::LargeAllocation::isMarkedOrNewlyAllocated): Deleted.
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated): Deleted.
(JSC::MarkedBlock::isMarkedOrNewlyAllocated): Deleted.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated): Deleted.
(JSC::MarkedBlock::isMarkedOrNewlyAllocated): Deleted.
2016-10-01 Joseph Pecoraro <pecoraro@apple.com>
Rename DebugHookID to DebugHookType
https://bugs.webkit.org/show_bug.cgi?id=162820
Reviewed by Alex Christensen.
* bytecode/CodeBlock.cpp:
(JSC::debugHookName):
(JSC::CodeBlock::dumpBytecode):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitDebugHook):
* bytecompiler/BytecodeGenerator.h:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::debug):
* interpreter/Interpreter.h:
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
2016-09-30 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Stepping to a line with an autoContinue breakpoint should still pause
https://bugs.webkit.org/show_bug.cgi?id=161712
<rdar://problem/28193970>
Reviewed by Brian Burg.
* debugger/Debugger.cpp:
(JSC::Debugger::pauseIfNeeded):
If we stepped to an auto-continue breakpoint we should continue
stepping, not just continue.
2016-09-30 Filip Pizlo <fpizlo@apple.com>
B3 should support trapping memory accesses
https://bugs.webkit.org/show_bug.cgi?id=162689
Reviewed by Geoffrey Garen.
This adds a traps flag to B3::Kind. It also makes B3::Kind work more like Air::Kind, in the
sense that it's a bag of distinct bits - it doesn't need to be a union unless we get enough
things that it would make a difference.
The only analysis that needs to know about traps is effects. It now knows that traps implies
sideExits, which means that this turns off DCE. The only optimization that needs to know
about traps is eliminateCommonSubexpressions(), which needs to pessimize its store
elimination if the store traps.
The hard part of this change is teaching the instruction selector to faithfully carry the
traps flag down to Air. I got this to work by making ArgPromise a non-copyable object that
knows whether you've used it in an instruction. It knows when you call consume(). If you do
this then ArgPromise cannot be destructed without first passing your inst through it. This,
along with a few other hacks, means that all of the load-op and load-op-store fusions
correctly carry the trap bit: if any of the B3 loads or stores involved traps then you get
traps in Air.
This framework also sets us up to do bug 162688, since the ArgPromise::inst() hook is
powerful enough to allow wrapping the instruction with a Patch.
I added some tests to testb3 that verify that optimizations are appropriately inhibited and
that the traps flag survives until the bitter end of Air.
* b3/B3EliminateCommonSubexpressions.cpp:
* b3/B3Kind.cpp:
(JSC::B3::Kind::dump):
* b3/B3Kind.h:
(JSC::B3::Kind::Kind):
(JSC::B3::Kind::hasExtraBits):
(JSC::B3::Kind::isChill):
(JSC::B3::Kind::setIsChill):
(JSC::B3::Kind::hasTraps):
(JSC::B3::Kind::traps):
(JSC::B3::Kind::setTraps):
(JSC::B3::Kind::operator==):
(JSC::B3::Kind::hash):
(JSC::B3::trapping):
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::ArgPromise::swap):
(JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise):
(JSC::B3::Air::LowerToAir::ArgPromise::operator=):
(JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise):
(JSC::B3::Air::LowerToAir::ArgPromise::setTraps):
(JSC::B3::Air::LowerToAir::ArgPromise::consume):
(JSC::B3::Air::LowerToAir::ArgPromise::inst):
(JSC::B3::Air::LowerToAir::trappingInst):
(JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode):
(JSC::B3::Air::LowerToAir::appendUnOp):
(JSC::B3::Air::LowerToAir::appendBinOp):
(JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
(JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
(JSC::B3::Air::LowerToAir::appendStore):
(JSC::B3::Air::LowerToAir::append):
(JSC::B3::Air::LowerToAir::createGenericCompare):
(JSC::B3::Air::LowerToAir::createBranch):
(JSC::B3::Air::LowerToAir::createCompare):
(JSC::B3::Air::LowerToAir::createSelect):
(JSC::B3::Air::LowerToAir::lower):
* b3/B3Validate.cpp:
* b3/B3Value.cpp:
(JSC::B3::Value::effects):
* b3/B3Value.h:
* b3/air/AirCode.h:
* b3/testb3.cpp:
(JSC::B3::testTrappingLoad):
(JSC::B3::testTrappingStore):
(JSC::B3::testTrappingLoadAddStore):
(JSC::B3::testTrappingLoadDCE):
(JSC::B3::testTrappingStoreElimination):
(JSC::B3::run):
2016-09-30 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Stepping over/out of a function sometimes resumes instead of taking you to caller
https://bugs.webkit.org/show_bug.cgi?id=162802
<rdar://problem/28569982>
Reviewed by Mark Lam.
* debugger/Debugger.cpp:
(JSC::Debugger::stepOverStatement):
(JSC::Debugger::stepOutOfFunction):
Enable stepping mode when we start stepping.
2016-09-30 Filip Pizlo <fpizlo@apple.com>
B3::moveConstants should be able to edit code to minimize the number of constants
https://bugs.webkit.org/show_bug.cgi?id=162764
Reviewed by Saam Barati.
There are some interesting cases where we can reduce the number of constant materializations if
we teach moveConstants() how to edit code. The two examples that this patch supports are:
- Loads and stores from a constant pointer. Since loads and stores get an offset for free
and the instruction selector is really good at handling it, and since we can query Air to
see what kinds of offsets are legal, we can sometimes avoid using a constant pointer that
is specific to the absolute address of that load and instead pick some other constant
that is within offset distance of ours.
- Add and Sub by a constant (x + c, x - c). Since x + c = x - -c and x - c = x + -c, we can
flip Add to Sub or vice versa if the negated constant is available.
This change makes moveConstants() pick the most dominant constant that works for an value. In
the case of memory accesses, it uses Air::Arg::isValidAddrForm() to work out what other
constants would work. In the case of Add/Sub, it simply looks for the negated constant. This
should result in something like a minimal number of constants since these rules always pick the
most dominant constant that works - so if an Add's constant is already most dominant then
nothing changes, but if the negated one is more dominant then it becomes a Sub.
This is a 0.5% speed-up on LongSpider and neutral elsewhere. It's a speed-up because the
absolute address thing reduces the number of address materializations that we have to do, while
the add/sub thing prevents us from having to materialize 0x1000000000000 to box doubles.
However, this may introduce a pathology, which I've filed a bug for: bug 162796.
* b3/B3MoveConstants.cpp:
* b3/B3MoveConstants.h:
* b3/B3UseCounts.h:
* b3/air/AirFixObviousSpills.cpp:
* b3/testb3.cpp:
(JSC::B3::testMoveConstants):
(JSC::B3::run):
2016-09-30 Joseph Pecoraro <pecoraro@apple.com>
Fix modules tests after r206653 handle breakpoint locations in import/export statements
https://bugs.webkit.org/show_bug.cgi?id=162807
Reviewed by Mark Lam.
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createExportDefaultDeclaration):
(JSC::ASTBuilder::createExportLocalDeclaration):
Don't record an extra breakpoint location for the statement
within an export statement.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseModuleSourceElements):
Record a pause location for import/export statements.
2016-09-30 Mark Lam <mark.lam@apple.com>
Remove the dumping of the stack back trace in VM::verifyExceptionCheckNeedIsSatisfied().
https://bugs.webkit.org/show_bug.cgi?id=162797
Reviewed by Geoffrey Garen.
This is because the RELEASE_ASSERT() that follows immediately after will also
dump the stack back trace. Hence, the first dump will be redundant.
Also removed an extra space in the dataLog output.
* runtime/VM.cpp:
(JSC::VM::verifyExceptionCheckNeedIsSatisfied):
2016-09-30 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Stepping through `a(); b(); c();` it is unclear where we are and what is about to execute
https://bugs.webkit.org/show_bug.cgi?id=161658
<rdar://problem/28181254>
Reviewed by Geoffrey Garen.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseAssignmentExpression):
Updated pause location for unary expressions.
2016-09-30 Joseph Pecoraro <pecoraro@apple.com>
Breakpoints on blank lines or comments don't break
https://bugs.webkit.org/show_bug.cgi?id=9885
<rdar://problem/6134406>
Reviewed by Mark Lam.
This change introduces a way to perform a Debugger Parse of a script.
This debugger parse gathers a list of breakpoint locations, which
the backend uses to resolve breakpoint locations that came from the
Inspector frontend to the exact location we would actually pause.
We gather this information from the parser so that we can eagerly
get this information without requiring the code to have executed (the
real op_debugs are generated during bytecode generation when code
is actually evaluated).
If an input location was on a line with whitespace or a comment, the
resolved breakpoint location would be before the next statement that
will be executed. That may be the next line, or even later. We also
update our policy when setting breakpoints on and around function
statements to better match user expectations.
For example, when resolving breakpoints in:
1. // Comment
2. before;
3.
4. function foo() {
5. inside;
6. }
7.
8. after;
A breakpoint on line 1, a comment, resolves to line 2 the next
statement that will execute.
A breakpoint on line 3 or 7, empty lines, resolves to line 8 the next
statement that will execute. This skips past the definition of foo,
just like stepping would have done. The creation of foo would have
been hoisted, which would have happened before execution of the
other statements.
A breakpoint on line 4, a function signature, resolves to line 5,
inside the function. Users would expect to pause inside of a function
when setting a breakpoint on that function's name or opening brace.
A breakpoint on line 6, a function's closing brace, resolves to
line 6. The debugger will pause whenever execution leaves foo due to
a return and not an exception. This matches stepping behavior. An
explicit or implicit return (the implicit return undefined) will
pause on the closing brace as we leave the function, giving users
an opportunity to inspect the final state before leaving.
--
At this point, op_debug's are still emitted at custom locations during
bytecode generation of other statements / expressions. In order to
ensure the generated op_debugs correspond to locations the Parser
determined were breakpoint locations, the Parser sets a "needs debug
hook" flag on the nodes it will use for breakpoint locations, and
we assert during bytecode generation that op_debugs are only emitted
for nodes that were marked as needing debug hooks.
This still leaves open the possibility that the Parser will mark
some nodes that get missed during bytecode generation, so we might
fail to emit some op_debugs. The next step will be eliminating the
custom emitDebugHooks spread across StatementNode and ExpressionNode
subclasses, and instead always generating op_debugs whenever we
emit a flagged node.
--
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
New DebuggerParseData files.
* API/JSScriptRef.cpp:
(OpaqueJSScript::OpaqueJSScript):
* jsc.cpp:
(functionCheckModuleSyntax):
* parser/SourceCode.h:
(JSC::makeSource):
* parser/SourceProvider.cpp:
(JSC::SourceProvider::SourceProvider):
* parser/SourceProvider.h:
(JSC::SourceProvider::sourceType):
(JSC::StringSourceProvider::create):
(JSC::StringSourceProvider::StringSourceProvider):
(JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
(JSC::SourceProvider::startPosition): Deleted.
Add a new type on SourceProvider to distinguish if its script was
intended to be a Script, Module, or WebAssembly. This information
will be needed to know how to best parse this file when the
debugger decides to lazily parse.
* runtime/Executable.cpp:
(JSC::EvalExecutable::EvalExecutable):
(JSC::ProgramExecutable::ProgramExecutable):
(JSC::ModuleProgramExecutable::ModuleProgramExecutable):
(JSC::WebAssemblyExecutable::WebAssemblyExecutable):
* runtime/ModuleLoaderPrototype.cpp:
(JSC::moduleLoaderPrototypeParseModule):
ASSERT the SourceProvider type matches the executable type we are
creating for it.
* parser/ASTBuilder.h:
(JSC::ASTBuilder::breakpointLocation):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::operatorStackPop):
When gathering breakpoint positions, get the position from the
current node. In the SyntaxChecker, return an invalid position.
* parser/Nodes.h:
(JSC::ExpressionNode::needsDebugHook):
(JSC::ExpressionNode::setNeedsDebugHook):
(JSC::StatementNode::needsDebugHook):
(JSC::StatementNode::setNeedsDebugHook):
When gathering breakpoint positions, mark the node as needing
a debug hook. For now we assert op_debugs generated must come
from these nodes. Later we should just generate op_debugs for
these nodes.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::Parser):
(JSC::Parser<LexerType>::parseStatementListItem):
(JSC::Parser<LexerType>::parseDoWhileStatement):
(JSC::Parser<LexerType>::parseWhileStatement):
(JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
(JSC::Parser<LexerType>::parseForStatement):
(JSC::Parser<LexerType>::parseWithStatement):
(JSC::Parser<LexerType>::parseSwitchStatement):
(JSC::Parser<LexerType>::parseStatement):
(JSC::Parser<LexerType>::parseFunctionBody):
(JSC::Parser<LexerType>::parseFunctionInfo):
(JSC::Parser<LexerType>::parseIfStatement):
(JSC::Parser<LexerType>::parseAssignmentExpression):
* parser/Parser.h:
(JSC::parse):
Add an optional DebuggerParseData struct to the Parser. When available
the Parser will gather debugger data, and parse all functions with the
ASTBuilder instead of SyntaxChecking inner functions.
* debugger/DebuggerParseData.cpp: Added.
(JSC::DebuggerPausePositions::breakpointLocationForLineColumn):
(JSC::DebuggerPausePositions::sort):
(JSC::gatherDebuggerParseData):
(JSC::gatherDebuggerParseDataForSource):
* debugger/DebuggerParseData.h: Copied from Source/JavaScriptCore/debugger/DebuggerPrimitives.h.
(JSC::DebuggerPausePositions::DebuggerPausePositions):
(JSC::DebuggerPausePositions::appendPause):
(JSC::DebuggerPausePositions::appendEntry):
(JSC::DebuggerPausePositions::appendLeave):
The DebuggerParseData struct currently only contains a list of pause positions.
Once populated it can resolve an input location to a pause position.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitCallVarargs):
(JSC::BytecodeGenerator::emitDebugHook):
(JSC::BytecodeGenerator::emitEnumeration):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::EmptyStatementNode::emitBytecode):
(JSC::DebuggerStatementNode::emitBytecode):
(JSC::ExprStatementNode::emitBytecode):
(JSC::DeclarationStatement::emitBytecode):
(JSC::IfElseNode::emitBytecode):
(JSC::DoWhileNode::emitBytecode):
(JSC::WhileNode::emitBytecode):
(JSC::ForNode::emitBytecode):
(JSC::ForInNode::emitBytecode):
(JSC::ContinueNode::emitBytecode):
(JSC::BreakNode::emitBytecode):
(JSC::ReturnNode::emitBytecode):
(JSC::WithNode::emitBytecode):
(JSC::SwitchNode::emitBytecode):
(JSC::ThrowNode::emitBytecode):
Emit op_debugs for the nodes themselves. Assert when we do that the
Parser had marked them as needing a debug hook.
* debugger/Breakpoint.h:
(JSC::Breakpoint::Breakpoint):
A breakpoint may be resolved or unresolved. Debugger::resolveBreakpoint
must be used to resolve the breakpoint. Most methods now require a
resolved breakpoint.
* debugger/Debugger.h:
* debugger/Debugger.cpp:
(JSC::Debugger::detach):
(JSC::Debugger::toggleBreakpoint):
(JSC::Debugger::debuggerParseData):
(JSC::Debugger::resolveBreakpoint):
(JSC::Debugger::setBreakpoint):
(JSC::Debugger::clearParsedData):
Provide a public method to resolve a breakpoint location in a script.
This will gather debugger parse data for the script if none is available.
Ensure clients have resolved a breakpoint before attempting to set it.
Currently we allow only a single breakpoint at a location. This may
need to change if multiple breakpoints resolve to the same location
but have different actions.
* inspector/ScriptDebugListener.h:
ScriptDebugServer::Script is effectively duplicating most of the data from
a SourceProvider. We should eliminate this and just use SourceProvider.
* inspector/ScriptDebugServer.cpp:
(Inspector::ScriptDebugServer::setBreakpointActions):
(Inspector::ScriptDebugServer::removeBreakpointActions):
(Inspector::ScriptDebugServer::getActionsForBreakpoint):
(Inspector::ScriptDebugServer::clearBreakpointActions):
(Inspector::ScriptDebugServer::evaluateBreakpointAction):
(Inspector::ScriptDebugServer::dispatchDidParseSource):
(Inspector::ScriptDebugServer::handleBreakpointHit):
(Inspector::ScriptDebugServer::setBreakpoint): Deleted.
(Inspector::ScriptDebugServer::removeBreakpoint): Deleted.
(Inspector::ScriptDebugServer::clearBreakpoints): Deleted.
* inspector/ScriptDebugServer.h:
Reduce ScriptDebugServer's involvement in breakpoints to just handling
breakpoint actions. Eventually we should eliminate it alltogether and
fold breakpoint logic into Debugger or DebugAgent.
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::buildDebuggerLocation):
(Inspector::parseLocation):
(Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
(Inspector::InspectorDebuggerAgent::setBreakpoint):
(Inspector::InspectorDebuggerAgent::didSetBreakpoint):
(Inspector::InspectorDebuggerAgent::resolveBreakpoint):
(Inspector::InspectorDebuggerAgent::removeBreakpoint):
(Inspector::InspectorDebuggerAgent::continueToLocation):
(Inspector::InspectorDebuggerAgent::didParseSource):
(Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
The Inspector can set breakpoints in multiple ways.
Ensure that once we have the Script that we always
resolve the breakpoint location before setting the
breakpoint. The different paths are:
- setBreakpoint(scriptId, location)
- Here we know the SourceProvider by its SourceID
- resolve and set
- setBreakpointByURL(url, location)
- Search for existing Scripts that match the URL
- resolve in each and set
- When new Scripts are parsed that match the URL
- resolve and set
2016-09-30 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Stepping out of a function finishes the line that called it.
https://bugs.webkit.org/show_bug.cgi?id=155325
<rdar://problem/25094578>
Reviewed by Mark Lam.
Also addresses:
<https://webkit.org/b/161721> Web Inspector: Stepping all the way through program should not cause a pause on the next program that executes
<https://webkit.org/b/161716> Web Inspector: Stepping into a function / program should not require stepping to the first statement
This change introduces a new op_debug hook: WillExecuteExpression.
Currently this new hook is only used for pausing at function calls.
We may decide to add it to other places later where pausing with
finer granularity then statements (or lines) if useful.
This updates the location and behavior of some of the existing debug
hooks, to be more consistent and useful if the exact location of the
pause is displayed. For example, in control flow statements like
`if` and `while`, the pause location is the expression itself that
will be evaluated, not the location of the `if` or `while` keyword.
For example:
if (|condition)
while (|condition)
Finally, this change gets rid of some unnecessary / useless pause
locations such as on entering a function and on entering a program.
These pauses are not needed because if there is a statement, we
would pause before the statement and it is equivalent. We continue
to pause when leaving a function via stepping by uniformly jumping
to the closing brace of the function. This gives users a chance
to observe state before leaving the function.
* bytecode/CodeBlock.cpp:
(JSC::debugHookName):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::dumpLineColumnEntry):
Logging strings for the new debug hook.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCallInTailPosition):
(JSC::BytecodeGenerator::emitCallEval):
(JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
(JSC::BytecodeGenerator::emitConstructVarargs):
(JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition):
(JSC::BytecodeGenerator::emitCallDefineProperty):
(JSC::BytecodeGenerator::emitConstruct):
(JSC::BytecodeGenerator::emitGetTemplateObject):
(JSC::BytecodeGenerator::emitIteratorNext):
(JSC::BytecodeGenerator::emitIteratorNextWithValue):
(JSC::BytecodeGenerator::emitIteratorClose):
(JSC::BytecodeGenerator::emitDelegateYield):
All emitCall variants now take an enum to decide whether or not to
emit the WillExecuteExpression debug hook.
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitCallVarargs):
In the two real implementations, actually decide to emit the debug
hook or not based on the parameter.
(JSC::BytecodeGenerator::emitEnumeration):
This is shared looping code used by for..of iteration of iterables.
When used by ForOfNode, we want to emit a pause location during
iteration.
(JSC::BytecodeGenerator::emitWillLeaveCallFrameDebugHook):
This is shared call frame leave code to emit a consistent pause
location when leaving a function.
* bytecompiler/NodesCodegen.cpp:
(JSC::EvalFunctionCallNode::emitBytecode):
(JSC::FunctionCallValueNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_tailCallForwardArguments):
(JSC::FunctionCallBracketNode::emitBytecode):
(JSC::FunctionCallDotNode::emitBytecode):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::TaggedTemplateNode::emitBytecode):
(JSC::ArrayPatternNode::bindValue):
All tail position calls are the function calls that we want to emit
debug hooks for. All non-tail call calls appear to be internal
implementation details, and these should not have the debug hook.
(JSC::IfElseNode::emitBytecode):
(JSC::WhileNode::emitBytecode):
(JSC::WithNode::emitBytecode):
(JSC::SwitchNode::emitBytecode):
Make the pause location consistent at the expression.
(JSC::DoWhileNode::emitBytecode):
Make the pause location consistent at the expression.
Remove the errant pause at the do's '}' when entering the do block.
(JSC::ForNode::emitBytecode):
(JSC::ForInNode::emitMultiLoopBytecode):
(JSC::ForOfNode::emitBytecode):
Make the pause location consistent at expressions.
Also allow stepping to the traditional for loop's
update expression, which was previously not possible.
(JSC::ReturnNode::emitBytecode):
(JSC::FunctionNode::emitBytecode):
Make the pause location when leaving a function consistently be the
function's closing brace. The two cases are stepping through a return
statement, or the implicit return undefined at the end of a function.
(JSC::LabelNode::emitBytecode):
(JSC::TryNode::emitBytecode):
Remove unnecessary pauses that add no value, as they contain a
statement and we will then pause at that statement.
* parser/Nodes.h:
(JSC::StatementNode::isFunctionNode):
(JSC::StatementNode::isForOfNode):
(JSC::EnumerationNode::lexpr):
(JSC::ForOfNode::isForOfNode):
New virtual methods to distinguish different nodes.
* debugger/Debugger.h:
Rename m_pauseAtNextStatement to m_pauseAtNextOpportunity.
This is the finest granularity of stepping, and it can be
pausing at a location that is not a statement.
Introduce state to properly handle step out and stepping
when there are multiple expressions in a statement.
* debugger/Debugger.cpp:
(JSC::Debugger::Debugger):
(JSC::Debugger::setPauseOnNextStatement):
(JSC::Debugger::breakProgram):
(JSC::Debugger::continueProgram):
(JSC::Debugger::stepIntoStatement):
(JSC::Debugger::exception):
(JSC::Debugger::didReachBreakpoint):
Use new variable names, and clarify if we should attempt
to pause or not.
(JSC::Debugger::stepOutOfFunction):
Set a new state to indicate a step out action.
(JSC::Debugger::updateCallFrame):
(JSC::Debugger::updateCallFrameAndPauseIfNeeded): Deleted.
(JSC::Debugger::updateCallFrameInternal):
(JSC::Debugger::pauseIfNeeded):
Allow updateCallFrame to either attempt a pause or not.
(JSC::Debugger::atStatement):
Attempt pause and reset the at first expression flag.
(JSC::Debugger::atExpression):
Attempt a pause when not stepping over. Also skip
the first expression pause, since that would be
equivalent to when we paused for the expression.
(JSC::Debugger::callEvent):
Do not pause when entering a function.
(JSC::Debugger::returnEvent):
Attempt pause when leaving a function.
If the user did a step-over and is leaving the
function, then behave like step-out.
(JSC::Debugger::unwindEvent):
Behave like return except don't change any
pausing states. If we needed to pause the
Debugger::exception will have handled it.
(JSC::Debugger::willExecuteProgram):
Do not pause when entering a program.
(JSC::Debugger::didExecuteProgram):
Attempt pause when leaving a program that has a caller.
This can be useful for exiting an eval(...) program.
Otherwise treat this like return, and step-over out
of the program should behave like step-out. We use
pause at next opportunity because there may be extra
callframes we do not know about.
When the program doesn't have a parent, clear all
our state so we don't errantly pause on the next
JavaScript microtask that gets executed.
(JSC::Debugger::clearNextPauseState):
Helper to clear all of the pause states now that
it happens in a couple places.
* interpreter/Interpreter.cpp:
(JSC::notifyDebuggerOfUnwinding):
Treat unwinding slightly differently from returning.
We will not want to pause when unwinding callframes.
(JSC::Interpreter::debug):
* interpreter/Interpreter.h:
New debug hook.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::stepInto):
(Inspector::InspectorDebuggerAgent::didPause):
* inspector/agents/InspectorDebuggerAgent.h:
Remove unnecessary stepInto code notification for listeners.
The listeners are never notified if the debugger resumes,
so whatever state they were setting by this is going to
get out of date.
2016-09-30 Saam Barati <sbarati@apple.com>
Arrow functions should not allow duplicate parameter names
https://bugs.webkit.org/show_bug.cgi?id=162741
Reviewed by Filip Pizlo.
This patch makes parsing arrow function parameters throw
a syntax error when there are duplicate parameter names.
It also starts to make some syntax errors for arrow functions
better, however, this is trickier than it seems since we need
to choose between two parsing productions when we decide to
throw a syntax error. I'm going to work on this problem
in another patch specifically devoted to making the error
messages better for parsing arrow functions:
https://bugs.webkit.org/show_bug.cgi?id=162794
* parser/Parser.cpp:
(JSC::Parser<LexerType>::isArrowFunctionParameters):
(JSC::Parser<LexerType>::parseFormalParameters):
(JSC::Parser<LexerType>::parseFunctionParameters):
(JSC::Parser<LexerType>::parseAssignmentExpression):
* parser/Parser.h:
2016-09-30 Mark Lam <mark.lam@apple.com>
Use topVMEntryFrame to determine whether to skip the re-throw of a simulated throw.
https://bugs.webkit.org/show_bug.cgi?id=162793
Reviewed by Saam Barati.
Change the ThrowScope destructor to use topVMEntryFrame (instead of topCallFrame)
in the determination of whether to skip the re-throw of a simulated throw. This
is needed because the topCallFrame is not updated in operationConstructArityCheck()
(and does not need to be), whereas topVMEntryFrame is always updated properly.
Hence, we should just switch to using the more reliable topVMEntryFrame instead.
This issue was discovered by existing JSC tests when exception check validation
is enabled.
* runtime/ThrowScope.cpp:
(JSC::ThrowScope::~ThrowScope):
2016-09-30 Filip Pizlo <fpizlo@apple.com>
64-bit LLInt needs to have a concurrency-aware barrier
https://bugs.webkit.org/show_bug.cgi?id=162790
Reviewed by Mark Lam.
In a concurrent GC the barrier definitely has to be after the store, not before it.
* llint/LowLevelInterpreter64.asm:
2016-09-29 Filip Pizlo <fpizlo@apple.com>
Air should have a way of expressing additional instruction flags
https://bugs.webkit.org/show_bug.cgi?id=162699
Reviewed by Mark Lam.
This follows a similar change in B3 (r206595) and replaces Air::Opcode with Air::Kind,
which holds onto the opcode and some additional flags. Because Air is an orthogonal ISA
(the opcode tells you what the operation does but each operand is allowed to also contain
effectively instructions for what to do to read or write that operand), the flags are
meant to be orthogonal to opcode. This allows us to say things like Add32<Trap>, which
makes sense if any of the operands to the Add32 are addresses.
To demonstrate the flags facility this partly adds a trap flag to Air. B3 doesn't use it
yet, but I made sure that Air respects it. Basically that means blocking DCE when the flag
is set, by making it imply hasNonArgNonControlEffects.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* b3/B3CheckSpecial.cpp:
(JSC::B3::Air::numB3Args):
(JSC::B3::CheckSpecial::Key::Key):
(JSC::B3::CheckSpecial::Key::dump):
(JSC::B3::CheckSpecial::CheckSpecial):
(JSC::B3::CheckSpecial::hiddenBranch):
(JSC::B3::CheckSpecial::forEachArg):
(JSC::B3::CheckSpecial::generate):
(JSC::B3::CheckSpecial::dumpImpl):
(JSC::B3::CheckSpecial::deepDumpImpl):
* b3/B3CheckSpecial.h:
(JSC::B3::CheckSpecial::Key::Key):
(JSC::B3::CheckSpecial::Key::operator==):
(JSC::B3::CheckSpecial::Key::kind):
(JSC::B3::CheckSpecial::Key::hash):
(JSC::B3::CheckSpecial::Key::opcode): Deleted.
* b3/B3Kind.cpp:
(JSC::B3::Kind::dump):
* b3/air/AirDumpAsJS.cpp:
(JSC::B3::Air::dumpAsJS):
* b3/air/AirFixObviousSpills.cpp:
* b3/air/AirFixPartialRegisterStalls.cpp:
* b3/air/AirGenerate.cpp:
(JSC::B3::Air::generate):
* b3/air/AirHandleCalleeSaves.cpp:
(JSC::B3::Air::handleCalleeSaves):
* b3/air/AirInst.cpp:
(JSC::B3::Air::Inst::jsHash):
(JSC::B3::Air::Inst::dump):
* b3/air/AirInst.h:
(JSC::B3::Air::Inst::Inst):
(JSC::B3::Air::Inst::kind):
(JSC::B3::Air::Inst::operator bool):
(JSC::B3::Air::Inst::opcode): Deleted.
* b3/air/AirInstInlines.h:
(JSC::B3::Air::Inst::extraClobberedRegs):
(JSC::B3::Air::Inst::extraEarlyClobberedRegs):
(JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
(JSC::B3::Air::Inst::reportUsedRegisters):
(JSC::B3::Air::Inst::shouldTryAliasingDef):
* b3/air/AirIteratedRegisterCoalescing.cpp:
* b3/air/AirKind.cpp: Added.
(JSC::B3::Air::Kind::dump):
* b3/air/AirKind.h: Added.
(JSC::B3::Air::Kind::Kind):
(JSC::B3::Air::Kind::operator==):
(JSC::B3::Air::Kind::operator!=):
(JSC::B3::Air::Kind::hash):
(JSC::B3::Air::Kind::operator bool):
* b3/air/AirLowerAfterRegAlloc.cpp:
(JSC::B3::Air::lowerAfterRegAlloc):
* b3/air/AirLowerEntrySwitch.cpp:
(JSC::B3::Air::lowerEntrySwitch):
* b3/air/AirLowerMacros.cpp:
(JSC::B3::Air::lowerMacros):
* b3/air/AirOptimizeBlockOrder.cpp:
(JSC::B3::Air::optimizeBlockOrder):
* b3/air/AirReportUsedRegisters.cpp:
(JSC::B3::Air::reportUsedRegisters):
* b3/air/AirSimplifyCFG.cpp:
(JSC::B3::Air::simplifyCFG):
* b3/air/AirTmpWidth.cpp:
(JSC::B3::Air::TmpWidth::recompute):
* b3/air/AirUseCounts.h:
(JSC::B3::Air::UseCounts::UseCounts):
* b3/air/AirValidate.cpp:
* b3/air/opcode_generator.rb:
* b3/testb3.cpp:
(JSC::B3::testTernarySubInstructionSelection):
(JSC::B3::testBranchBitAndImmFusion):
2016-09-29 Filip Pizlo <fpizlo@apple.com>
REGRESSION(r206555): It made Dromaeo/jslib-style-jquery.html crash
https://bugs.webkit.org/show_bug.cgi?id=162721
Reviewed by Keith Miller.
The put_by_id-in-put_by_val optimization had the write barrier in the wrong place and
incorrectly filtered on value instead of base.
No reduced test case. You really need to run Dromaeo/jslib to catch it. I love Dromaeo's
ability to catch GC bugs.
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitPutByValWithCachedId):
2016-09-29 Joseph Pecoraro <pecoraro@apple.com>
Arrow functions do not infer name from computed property but normal functions do
https://bugs.webkit.org/show_bug.cgi?id=162720
Reviewed by Saam Barati.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
Set function name on arrow functions as well.
2016-09-29 Joseph Pecoraro <pecoraro@apple.com>
test262: class and function names should be inferred in assignment
https://bugs.webkit.org/show_bug.cgi?id=146262
Reviewed by Saam Barati.
* parser/ASTBuilder.h:
(JSC::ASTBuilder::appendParameter):
(JSC::ASTBuilder::appendArrayPatternEntry):
(JSC::ASTBuilder::appendObjectPatternEntry):
(JSC::ASTBuilder::tryInferFunctionNameInPattern):
Assign names to default value functions and classes in destructuring.
(JSC::ASTBuilder::createAssignResolve):
(JSC::ASTBuilder::createProperty):
(JSC::ASTBuilder::makeAssignNode):
Assign names to both normal and arrow functions.
* parser/Nodes.h:
(JSC::ExpressionNode::isBaseFuncExprNode):
Both functions and arrow functions infer name, they both extend
this base so give the base an is check.
2016-09-28 Filip Pizlo <fpizlo@apple.com>
B3 opcodes should leave room for flags
https://bugs.webkit.org/show_bug.cgi?id=162692
Reviewed by Keith Miller.
It used to be that the main thing that determined what a Value did was the opcode. The
Opcode was how you knew what subclass of Value you had. The opcode told you what the Value
actually did. This change replaces Opcode with Kind, which is a tuple of opcode and other
stuff.
Opcodes are great, and that's how most compilers work. But opcodes are one-dimensional. Here
is how this manifests. Say you have an opcode, like Load. You will be happy if your IR has
one Load opcode. But then, you might add Load8S/Load8Z/Load16S/Load16Z opcodes, as we have
done in B3. B3 has one dimension of Load opcodes, which determines something like the C type
of the load. But in the very near future, we will want to add two more dimensions to Loads:
- A flag to say if the load traps.
- A flag to say if the load has acquire semantics.
Mapping these three dimensions (type, trap, acquire) onto the one-dimensional Opcode space
would create mayham: Load8S, Load8STrap, Load8SAcquire, Load8STrapAcquire, Load8Z,
Load8ZTrap, etc.
This happens in other parts of the IR. For example, we have a dimension of arithmetic
operations: add, sub, mul, div, mod, etc. Then we have the chill flag. But since opcodes
are one-dimensional, that means having ChillDiv and ChillMod, and tons of places in the
compiler that case on both Div and ChillDiv, or case on both Mod and ChillMod, since they
are only interested in the kind of arithmetic being done and not the chillness.
Though the examples all involve bits (chill or not, trapping or not, etc), I can imagine
other properties that behave more like small enums, like if we fill out more memory ordering
modes other than just "acquire? yes/no". There will eventually have to be something like a
std::memory_order associated with memory accesses.
One approach to this problem is to have a Value subclass that contains fields with the meta
data. I don't like this for two reasons:
- In bug 162688, I want to make trapping memory accesses have stackmaps. This means that a
trapping memory access would have a different Value subclass than a non-trapping memory
access. So, this meta-data needs to channel into ValueType::accepts(). Currently that
takes Opcode and nothing else.
- Compiler IRs are all about making common tasks easy. If it becomes commonplace for opcodes
to require a custom Value subclass just for a bit then that's not very easy.
This change addresses this problem by making the compiler pass around Kinds rather than
Opcodes. A Kind contains an Opcode as well as any number of opcode-specific bits. This
change demonstrates how Kind should be used by converting chillness to it. Kind has
hasIsChill(), isChill(), and setIsChill() methods. hasIsChill() is true only for Div and
Mod. setIsChill() asserts if !hasIsChill(). If you want to create a Chill Div, you say
chill(Div). IR dumps will print it like this:
Int32 @38 = Div<Chill>(@36, @37, DFG:@24, ControlDependent)
Where "Div<Chill>" is how a Kind that hasExtraBits() dumps itself. If a Kind does not
hasExtraBits() (the normal case) then it dumps like a normal Opcode (without the "<>").
I replaced many uses of Opcode with Kind. New code has to be mindful that Opcode may not be
the right way to summarize what a value does, and so in many cases it's better to carry
around a Kind instead - especially if you will use it to stamp out new Values. Opcode is no
longer sufficient to perform a dynamic Value cast, since that code now uses Kind. ValueKey
now wants a Kind instead of an Opcode. All Value constructors now take Kind instead of
Opcode. But most opcodes don't get any extra Kind bits, and so the code that operates on
those opcodes is largely unchanged.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* b3/B3ArgumentRegValue.h:
* b3/B3CCallValue.h:
* b3/B3CheckValue.cpp:
(JSC::B3::CheckValue::convertToAdd):
(JSC::B3::CheckValue::CheckValue):
* b3/B3CheckValue.h:
(JSC::B3::CheckValue::accepts):
* b3/B3Const32Value.h:
* b3/B3Const64Value.h:
* b3/B3ConstDoubleValue.h:
* b3/B3ConstFloatValue.h:
* b3/B3FenceValue.h:
* b3/B3Kind.cpp: Added.
(JSC::B3::Kind::dump):
* b3/B3Kind.h: Added.
(JSC::B3::Kind::Kind):
(JSC::B3::Kind::opcode):
(JSC::B3::Kind::setOpcode):
(JSC::B3::Kind::hasExtraBits):
(JSC::B3::Kind::hasIsChill):
(JSC::B3::Kind::isChill):
(JSC::B3::Kind::setIsChill):
(JSC::B3::Kind::operator==):
(JSC::B3::Kind::operator!=):
(JSC::B3::Kind::hash):
(JSC::B3::Kind::isHashTableDeletedValue):
(JSC::B3::chill):
(JSC::B3::KindHash::hash):
(JSC::B3::KindHash::equal):
* b3/B3LowerMacros.cpp:
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::lower):
* b3/B3MemoryValue.h:
* b3/B3Opcode.cpp:
(WTF::printInternal):
* b3/B3Opcode.h:
* b3/B3PatchpointValue.h:
(JSC::B3::PatchpointValue::accepts):
* b3/B3ReduceStrength.cpp:
* b3/B3SlotBaseValue.h:
* b3/B3StackmapValue.cpp:
(JSC::B3::StackmapValue::StackmapValue):
* b3/B3StackmapValue.h:
* b3/B3SwitchValue.h:
(JSC::B3::SwitchValue::accepts):
* b3/B3UpsilonValue.h:
* b3/B3Validate.cpp:
* b3/B3Value.cpp:
(JSC::B3::Value::dump):
(JSC::B3::Value::deepDump):
(JSC::B3::Value::invertedCompare):
(JSC::B3::Value::effects):
(JSC::B3::Value::key):
(JSC::B3::Value::typeFor):
(JSC::B3::Value::badKind):
(JSC::B3::Value::badOpcode): Deleted.
* b3/B3Value.h:
* b3/B3ValueInlines.h:
(JSC::B3::Value::as):
* b3/B3ValueKey.cpp:
(JSC::B3::ValueKey::dump):
(JSC::B3::ValueKey::materialize):
* b3/B3ValueKey.h:
(JSC::B3::ValueKey::ValueKey):
(JSC::B3::ValueKey::kind):
(JSC::B3::ValueKey::opcode):
(JSC::B3::ValueKey::operator==):
(JSC::B3::ValueKey::hash):
* b3/B3ValueKeyInlines.h:
(JSC::B3::ValueKey::ValueKey):
* b3/B3VariableValue.cpp:
(JSC::B3::VariableValue::VariableValue):
* b3/B3VariableValue.h:
* b3/testb3.cpp:
(JSC::B3::testChillDiv):
(JSC::B3::testChillDivTwice):
(JSC::B3::testChillDiv64):
(JSC::B3::testChillModArg):
(JSC::B3::testChillModArgs):
(JSC::B3::testChillModImms):
(JSC::B3::testChillModArg32):
(JSC::B3::testChillModArgs32):
(JSC::B3::testChillModImms32):
(JSC::B3::testSwitchChillDiv):
(JSC::B3::testEntrySwitchWithCommonPaths):
(JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
* ftl/FTLOutput.cpp:
(JSC::FTL::Output::chillDiv):
(JSC::FTL::Output::chillMod):
2016-09-29 Saam Barati <sbarati@apple.com>
We don't properly propagate non-simple-parameter-list when parsing a setter
https://bugs.webkit.org/show_bug.cgi?id=160483
Reviewed by Joseph Pecoraro.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseFunctionParameters):
2016-09-28 Saam Barati <sbarati@apple.com>
stringProtoFuncRepeatCharacter will return `null` when it should not
https://bugs.webkit.org/show_bug.cgi?id=161944
Reviewed by Yusuke Suzuki.
stringProtoFuncRepeatCharacter was expecting its second argument
to always be a boxed integer. This is not correct. The DFG may decide
to represent a particular value as a double instead of integer. This
function needs to have correct behavior when its second argument is
a boxed double. I also added an assertion stating that the second argument
is always a number. We can guarantee this since it's only called from
builtins.
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncRepeatCharacter):
2016-09-28 Filip Pizlo <fpizlo@apple.com>
The write barrier should be down with TSO
https://bugs.webkit.org/show_bug.cgi?id=162316
Reviewed by Geoffrey Garen.
This makes our write barrier behave correctly when it races with the collector. The
collector wants to do this when visiting:
object->cellState = black
visit(object)
The mutator wants to do this when storing:
object->property = newValue
if (object->cellState == black)
remember(object)
Prior to this change, this didn't work right because the compiler would sometimes place
barriers before the store to the property and because the mutator did not have adequate
fences.
Prior to this change, the DFG and FTL would emit this:
if (object->cellState == black)
remember(object)
object->property = newValue
Which is wrong, because the object could start being scanned just after the cellState
check, at which point the store would be lost. We need to confirm that the state was not
black *after* the store! This change was harder than you'd expect: placing the barrier
after the store broke B3's ability to do its super crazy ninja CSE on some store-load
redundancies. Because the B3 CSE has some moves that the DFG CSE lacks, the DFG CSE's
ability to ignore barriers didn't help. I fixed this by having the FTL convey precise
heap ranges for the patchpoint corresponding to the barrier slow path. It reads the world
(because of the store-load fence) and it writes only cellState (because the B3 heap ranges
don't have any way to represent any of the GC's other state, which means that B3 does not
have to worry about aliasing with any of that).
The collector already uses a store-load fence on x86 just after setting the cellState and
before visiting the object. The mutator needs to do the same. But we cannot put a
store-load fence of any kind before store barriers, because that causes enormous slow
downs. In the worst case, Octane/richards slowed down by 90%! That's crazy! However, the
overall slow downs were small enough (0-15% on benchmark suite aggregates) that it would be
reasonable if the slow down only happened while the GC was running. Then, the concurrent GC
would lift throughput-while-collecting from 0% of peak to 85% of peak. This changes the
barrier so that it looks like this:
if (object->cellState <= heap.sneakyBlackThreshold)
slowPath(object)
Where sneakyBlackThreshold is the normal blackThreshold when we're not collecting, or a
tautoligical threshold (that makes everything look black) when we are collecting. This
turns out to not be any more expensive than the barrier in tip of tree when the GC is not
running, or a 0-15% slow-down when it is "running". (Of course we don't run the GC
concurrently yet. I still have more work to do.) The slowPath() does some extra work to
check if we are concurrently collecting; if so, it does a fence and rechecks if the object
really did need that barrier.
This also reintroduces elimination of redundant store barriers, which was lost in the last
store barrier change. We can only do it when there is no possibility of GC, exit, or
exceptions between the two store barriers. We could remove the exit/exception limitation if
we taught OSR exit how to buffer store barriers, which is an insane thing to do considering
that I've never been able to detect a win from redundant store barrier elimination. I just
want us to have it for stupidly obvious situations, like a tight sequence of stores to the
same object. This same optimization also sometimes strength-reduces the store barrier so
that it uses a constant black threshold rather than the sneaky one, thereby saving one
load.
Even with all of those optimizations, I still had problems with barrier cost. I found that one
of the benchmarks that was being hit particularly hard was JetStream/regexp-2010. Fortunately
that benchmark does most of its barriers in a tight C++ loop in RegExpMatchesArray.h. When we
know what we're doing, we can defer GC around a bunch of object initializations and then remove
all of the barriers between any of the objects allocated within the deferral. Unfortunately,
our GC deferral mechanism isn't really performant enough to make this be a worthwhile
optimization. The most efficient version of such an optimization that I could come up with was
to have a DeferralContext object that houses a boolean that is false by default, but the GC
writes true into it if it would have wanted to GC. You thread a pointer to the deferralContext
through all of your allocations. This kind of mechanism has the overhead of a zero
initialization on the stack on entry and a zero check on exit. This is probably even efficient
enough that we could start thinking about having the DFG use it, for example if we found a
bounded-time section of code with a lot of barriers and entry/exit sites that aren't totally
wacky. This optimization took this patch from 0.68% JetStream regressed to neutral, according
to my latest data.
Finally, an earlier version of this change put the store-load fence in B3 IR, so I ended up
adding FTLOutput support for it and AbstractHeapRepository magic for decorating the heaps.
I think we might as well keep that, it'll be useful.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::branch32):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::branch32):
(JSC::MacroAssemblerX86_64::branch64): Deleted.
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::isStoreBarrier):
* dfg/DFGNodeType.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStoreBarrier):
(JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Deleted.
(JSC::DFG::SpeculativeJIT::writeBarrier): Deleted.
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier): Deleted.
(JSC::DFG::SpeculativeJIT::writeBarrier): Deleted.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier): Deleted.
(JSC::DFG::SpeculativeJIT::writeBarrier): Deleted.
* dfg/DFGStoreBarrierClusteringPhase.cpp: Added.
(JSC::DFG::performStoreBarrierClustering):
* dfg/DFGStoreBarrierClusteringPhase.h: Added.
* dfg/DFGStoreBarrierInsertionPhase.cpp:
* dfg/DFGStoreBarrierInsertionPhase.h:
* ftl/FTLAbstractHeap.h:
(JSC::FTL::AbsoluteAbstractHeap::at):
(JSC::FTL::AbsoluteAbstractHeap::operator[]):
* ftl/FTLAbstractHeapRepository.cpp:
(JSC::FTL::AbstractHeapRepository::decorateFenceRead):
(JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
(JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileStoreBarrier):
(JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
(JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
(JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
* ftl/FTLOutput.cpp:
(JSC::FTL::Output::fence):
(JSC::FTL::Output::absolute):
* ftl/FTLOutput.h:
* heap/CellState.h:
(JSC::isWithinThreshold):
(JSC::isBlack):
* heap/Heap.cpp:
(JSC::Heap::writeBarrierSlowPath):
* heap/Heap.h:
(JSC::Heap::barrierShouldBeFenced):
(JSC::Heap::addressOfBarrierShouldBeFenced):
(JSC::Heap::sneakyBlackThreshold):
(JSC::Heap::addressOfSneakyBlackThreshold):
* heap/HeapInlines.h:
(JSC::Heap::writeBarrier):
(JSC::Heap::writeBarrierWithoutFence):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::jumpIfIsRememberedOrInEdenWithoutFence):
(JSC::AssemblyHelpers::sneakyJumpIfIsRememberedOrInEden):
(JSC::AssemblyHelpers::jumpIfIsRememberedOrInEden):
(JSC::AssemblyHelpers::storeBarrierStoreLoadFence):
(JSC::AssemblyHelpers::jumpIfStoreBarrierStoreLoadFenceNotNeeded):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitWriteBarrier):
(JSC::JIT::privateCompilePutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_by_id):
* llint/LowLevelInterpreter.asm:
* offlineasm/x86.rb:
* runtime/Options.h:
2016-09-27 Joseph Pecoraro <pecoraro@apple.com>
Improve useCodeCache Option description string.
* runtime/Options.h:
Address late review comments and clarify description.
2016-09-28 Filip Pizlo <fpizlo@apple.com>
Optimize B3->Air lowering of Fence on ARM
https://bugs.webkit.org/show_bug.cgi?id=162342
Reviewed by Geoffrey Garen.
This gives us comprehensive support for standalone fences on x86 and ARM. The changes are as
follows:
- Sets in stone the rule that the heaps of a B3::Fence tell you what the fence protects. If the
fence reads, it protects motion of stores. If the fence writes, it protects motion of loads.
This allows us to express for example load-load fences in a portable way: on x86 they will just
block B3 optimizations and emit no code, while on ARM you will get some fence.
- Adds comprehensive support for WTF-style fences in the ARM assembler. I simplified it just a bit
to match what B3, the main client, knows. There are three fences: MemoryFence, StoreFence, and
LoadFence. On x86, MemoryFence is ortop while StoreFence and LoadFence emit no code. On ARM64,
MemoryFence and LoadFence are dmb ish while StoreFence is dmb ishst.
- Tests! To test this, I needed to teach the disassembler how to disassemble dmb ish and dmb
ishst. I think that the canonical way to do it would be to create a group for dmb and then teach
that group how to decode the operands. But I don't actually know what are all of the ways of
encoding dmb, so I'd rather that unrecognized encodings fall through to the ".long blah"
bailout. So, this creates explicit matching rules for "dmb ish" and "dmb ishst", which is the
most conservative thing we can do.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::dmbISH):
(JSC::ARM64Assembler::dmbISHST):
(JSC::ARM64Assembler::dmbSY): Deleted.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::memoryFence):
(JSC::MacroAssemblerARM64::storeFence):
(JSC::MacroAssemblerARM64::loadFence):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::storeFence):
(JSC::MacroAssemblerX86Common::loadFence):
* b3/B3FenceValue.h:
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::lower):
* b3/air/AirOpcode.opcodes:
* b3/testb3.cpp:
(JSC::B3::testMemoryFence):
(JSC::B3::testStoreFence):
(JSC::B3::testLoadFence):
(JSC::B3::run):
(JSC::B3::testX86MFence): Deleted.
(JSC::B3::testX86CompilerFence): Deleted.
* disassembler/ARM64/A64DOpcode.cpp:
(JSC::ARM64Disassembler::A64DOpcodeDmbIsh::format):
(JSC::ARM64Disassembler::A64DOpcodeDmbIshSt::format):
* disassembler/ARM64/A64DOpcode.h:
(JSC::ARM64Disassembler::A64DOpcodeDmbIsh::opName):
(JSC::ARM64Disassembler::A64DOpcodeDmbIshSt::opName):
2016-09-28 Joseph Pecoraro <pecoraro@apple.com>
Adopt #pragma once in some generated resources
https://bugs.webkit.org/show_bug.cgi?id=162666
Reviewed by Alex Christensen.
* Scripts/builtins/builtins_generate_combined_header.py:
* Scripts/builtins/builtins_generate_internals_wrapper_header.py:
* Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
* Scripts/builtins/builtins_generate_separate_header.py:
* Scripts/builtins/builtins_generate_wrapper_header.py:
* Scripts/builtins/builtins_generate_wrapper_implementation.py:
Remove headerGuard attribute unused by templates.
* Scripts/tests/builtins/expected/JavaScriptCore-Operations.Promise-Combined.js-result: Removed.
No such test exists. It was likely renamed.
* generate-bytecode-files:
Simplify header guard output.
* inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
(ObjCBackendDispatcherHeaderGenerator.generate_output):
* replay/scripts/CodeGeneratorReplayInputs.py:
(Generator.generate_header):
* replay/scripts/CodeGeneratorReplayInputsTemplates.py:
Simplify header guard output.
* replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
Rebaseline.
2016-09-28 Filip Pizlo <fpizlo@apple.com>
Store-load fences should be a lot cheaper on ARM
https://bugs.webkit.org/show_bug.cgi?id=162461
Rubber stamped by Keith Miller.
It turns out that they are already cheap enough, so this change just make us use them.
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::visitChildren):
2016-09-28 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r206522.
Roll r206506 back in since the build fix landed in r206521
Reverted changeset:
"Unreviewed, rolling out r206506."
https://bugs.webkit.org/show_bug.cgi?id=162682
http://trac.webkit.org/changeset/206522
2016-09-28 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r206506.
https://bugs.webkit.org/show_bug.cgi?id=162682
Broke the Windows and WinCairo builds. (Requested by
ryanhaddad on #webkit).
Reverted changeset:
"Adopt #pragma once in JavaScriptCore"
https://bugs.webkit.org/show_bug.cgi?id=162664
http://trac.webkit.org/changeset/206506
2016-09-28 Joseph Pecoraro <pecoraro@apple.com>
Adopt #pragma once in JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=162664
Reviewed by Saam Barati.
* **/**.h:
Adopt pragma once in all but API headers and generated headers.
Include some namespace closing comments for consistency.
2016-09-27 JF Bastien <jfbastien@apple.com>
Missing Atomics.h include in MarkedBlock.h
https://bugs.webkit.org/show_bug.cgi?id=162648
Missing include from my previous patch.
Reviewed by Yusuke Suzuki.
* heap/MarkedBlock.h:
2016-09-27 Mark Lam <mark.lam@apple.com>
createError() and JSObject::calculatedClassName() should not throw any exceptions.
https://bugs.webkit.org/show_bug.cgi?id=162637
Reviewed by Geoffrey Garen.
* runtime/ExceptionHelpers.cpp:
(JSC::createError):
- assert that errorDescriptionForValue() did not throw an exception.
* runtime/JSObject.cpp:
(JSC::JSObject::calculatedClassName):
- the code already ensures that we always return a non-null String. Just need to
make sure that it catches its own exceptions.
2016-09-27 Filip Pizlo <fpizlo@apple.com>
B3::lowerMacros forgets to before->updatePredecessorsAfter() when lowering ChillMod on ARM64
https://bugs.webkit.org/show_bug.cgi?id=162644
Reviewed by Keith Miller.
If you forget to update the predecessors of your successors, then bad things will happen if you
do something that requires accurate predecessors for correctness. lowerMacros() uses
BlockInsertionSet, which relies on accurate predecessors.
* b3/B3LowerMacros.cpp:
2016-09-27 JF Bastien <jfbastien@apple.com>
Speed up Heap::isMarkedConcurrently
https://bugs.webkit.org/show_bug.cgi?id=162095
Reviewed by Filip Pizlo.
Speed up isMarkedConcurrently by using WTF::consumeLoad.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::areMarksStale):
(JSC::MarkedBlock::areMarksStaleWithDependency):
(JSC::MarkedBlock::isMarkedConcurrently): do away with the load-load fence
2016-09-27 Mark Lam <mark.lam@apple.com>
Add some needed CatchScopes in code that should not throw.
https://bugs.webkit.org/show_bug.cgi?id=162584
Reviewed by Keith Miller.
Re-landing minus the jsc.cpp and ExceptionHelpers.cpp changes. I'll address
those in a subsequent patch if the need manifests again in my testing.
* API/JSObjectRef.cpp:
(JSObjectSetProperty):
- This function already handles exceptions in its own way. We're honoring this
contract and catching exceptions and passing it to the handler.
* interpreter/Interpreter.cpp:
(JSC::notifyDebuggerOfUnwinding):
- The debugger should not be throwing any exceptions.
* profiler/ProfilerDatabase.cpp:
(JSC::Profiler::Database::save):
- If an exception was thrown while saving the database, there's nothing we can
really do about it anyway. Just fail nicely and return false. This is in line
with existing error checking code in Database::save() that returns false if
it's not able to open the file to save to.
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::finishCreation):
- The existing code already RELEASE_ASSERT that no exception was thrown.
Hence, it's appropriate to use a CatchScope here.
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::StackFrame::nameFromCallee):
- The sampling profiler is doing a VMInquiry get here. It should never throw an
exception. Hence, we'll just use a CatchScope and assert accordingly.
2016-09-27 Jer Noble <jer.noble@apple.com>
Remove deprecated ENCRYPTED_MEDIA implementation.
https://bugs.webkit.org/show_bug.cgi?id=161010
Reviewed by Eric Carlson.
Remove ENABLE_ENCRYPTED_MEDIA.
* Configurations/FeatureDefines.xcconfig:
2016-09-27 Michael Catanzaro <mcatanzaro@igalia.com>
[GTK] Install binaries to pkglibexecdir rather than bindir
https://bugs.webkit.org/show_bug.cgi?id=162602
Reviewed by Carlos Garcia Campos.
Install jsc shell to LIBEXEC_INSTALL_DIR rather than EXEC_INSTALL_DIR.
Note these locations are the same on non-GTK ports.
* shell/CMakeLists.txt:
2016-09-26 Sam Weinig <sam@webkit.org>
Make DFGSlowPathGenerator a bit more variadic
https://bugs.webkit.org/show_bug.cgi?id=162378
Reviewed by Filip Pizlo.
Make the subclass of CallSlowPathGenerator that takes arguments variadic
so it can take any number of arguments. Also updates the slowPathCall helper
function to be variadic. I had to move the spill mode and exception check
requirement parameters to before the arguments since the variadic arguments
must be at the end. As a convenience, I added an overload of slowPathCall that
doesn't take spill mode and exception check requirement parameters.
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
(JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
(JSC::DFG::slowPathCall):
(JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::CallResultAndNoArgumentsSlowPathGenerator): Deleted.
(JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::CallResultAndOneArgumentSlowPathGenerator): Deleted.
(JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::CallResultAndTwoArgumentsSlowPathGenerator): Deleted.
(JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::CallResultAndThreeArgumentsSlowPathGenerator): Deleted.
(JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::CallResultAndFourArgumentsSlowPathGenerator): Deleted.
(JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::generateInternal): Deleted.
(JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::CallResultAndFiveArgumentsSlowPathGenerator): Deleted.
(JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::generateInternal): Deleted.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileNotifyWrite):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
2016-09-26 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r206405.
https://bugs.webkit.org/show_bug.cgi?id=162588
This change caused LayoutTest crashes. (Requested by
ryanhaddad on #webkit).
Reverted changeset:
"Add some needed CatchScopes in code that should not throw."
https://bugs.webkit.org/show_bug.cgi?id=162584
http://trac.webkit.org/changeset/206405
2016-09-26 Mark Lam <mark.lam@apple.com>
Add some needed CatchScopes in code that should not throw.
https://bugs.webkit.org/show_bug.cgi?id=162584
Reviewed by Keith Miller.
* API/JSObjectRef.cpp:
(JSObjectSetProperty):
- This function already handles exceptions in its own way. We're honoring this
contract and catching exceptions and passing it to the handler.
* interpreter/Interpreter.cpp:
(JSC::notifyDebuggerOfUnwinding):
- The debugger should not be throwing any exceptions.
* jsc.cpp:
(runJSC):
- the buck stops here. There's no reason an exception should propagate past here.
* profiler/ProfilerDatabase.cpp:
(JSC::Profiler::Database::save):
- If an exception was thrown while saving the database, there's nothing we can
really do about it anyway. Just fail nicely and return false. This is in line
with existing error checking code in Database::save() that returns false if
it's not able to open the file to save to.
* runtime/ExceptionHelpers.cpp:
(JSC::createError):
- If we're not able to stringify the error value, then we'll just use the
provided message as the error string. It doesn't make sense to have the
Error factory throw an exception that shadows the intended exception that the
client probably wants to throw (assuming that that's why the client is creating
this Error object).
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::finishCreation):
- The existing code already RELEASE_ASSERT that no exception was thrown.
Hence, it's appropriate to use a CatchScope here.
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::StackFrame::nameFromCallee):
- The sampling profiler is doing a VMInquiry get here. It should never throw an
exception. Hence, we'll just use a CatchScope and assert accordingly.
2016-09-26 Mark Lam <mark.lam@apple.com>
Exception unwinding code should use a CatchScope instead of a ThrowScope.
https://bugs.webkit.org/show_bug.cgi?id=162583
Reviewed by Geoffrey Garen.
This is because the exception unwinding code does not throw an exception.
It only inspects the thrown exception and passes it to the appropriate handler.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::unwind):
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
2016-09-26 Joseph Pecoraro <pecoraro@apple.com>
Add an Option to disable the CodeCache
https://bugs.webkit.org/show_bug.cgi?id=162579
Reviewed by Geoffrey Garen.
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
(JSC::CodeCache::getFunctionExecutableFromGlobalCode):
Do not use the cache if the Option is disabled.
* runtime/Options.h:
New option to not use the code cache.
2016-09-26 Daniel Bates <dabates@apple.com>
Rename IOS_TEXT_AUTOSIZING to TEXT_AUTOSIZING
https://bugs.webkit.org/show_bug.cgi?id=162365
Reviewed by Simon Fraser.
* Configurations/FeatureDefines.xcconfig:
2016-09-26 Benjamin Poulain <benjamin@webkit.org>
[JSC] Shrink the Math inline caches some more
https://bugs.webkit.org/show_bug.cgi?id=162485
Reviewed by Saam Barati.
This patch applies some lessons learnt from op_negate
to shrink the generated asm of the previous 3 inline
caches.
In order of importance:
-We do not need to pass the pointer to ArithProfile
on the slow path. We can just get the profile out
of the Math IC.
This saves us from materializing a 64bits value
in a register before the call on the slow path.
-We can remove a bunch of mov by setting up the registers
in the way the slow path needs them.
The slow path makes a function calls with the input
as second and third arguments, and return the result in
the "return register". By using those as target when
loading/storing from the stack, we remove 3 mov per slow path.
-When performing integer add, we can set the result directly in
the output register if that does not trashes one of the input
register. This removes one mov per integer add.
The inline cache average sizes on Sunspider change as follow:
-Adds: 147.573099->131.555556 (~10%)
-Muls: 186.882353->170.991597 (~8%)
-Subs: 139.127907->121.523256 (~12%)
* jit/JIT.h:
* jit/JITAddGenerator.cpp:
(JSC::JITAddGenerator::generateInline):
(JSC::JITAddGenerator::generateFastPath):
* jit/JITArithmetic.cpp:
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):
* jit/JITInlines.h:
(JSC::JIT::callOperation): Deleted.
* jit/JITOperations.cpp:
* jit/JITOperations.h:
2016-09-26 Mark Lam <mark.lam@apple.com>
Added RETURN_IF_EXCEPTION() macro and use it for exception checks.
https://bugs.webkit.org/show_bug.cgi?id=162521
Reviewed by Saam Barati.
Also, where possible, if the return type is JSValue, changed the returned value
(on exception) to the empty JSValue (instead of sometimes jsUndefined, jsNull,
or the thrown exception value).
There are a few places where I had to continue to return the previously returned
value (instead of the empty JSValue) in order for tests to pass. This is needed
because there are missing exception checks that will need to be added before I
can change those to return the empty JSValue too. Identifying all the places
where those checks need to be added is beyond the scope of this patch. I will
work on adding missing exception checks in a subsequent patch.
In this patch, there is one missing exception check in replaceUsingRegExpSearch()
that was easily identified, and is necessary so that Interpreter::execute()
functions can return JSValue. I've added this missing check.
This patch has passed the JSC and layout tests.
* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
(Inspector::JSInjectedScriptHost::getInternalProperties):
(Inspector::JSInjectedScriptHost::weakMapEntries):
(Inspector::JSInjectedScriptHost::weakSetEntries):
(Inspector::JSInjectedScriptHost::iteratorEntries):
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
* interpreter/Interpreter.cpp:
(JSC::eval):
(JSC::sizeOfVarargs):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::functionsOnStack):
* jit/JITOperations.cpp:
(JSC::getByVal):
* jsc.cpp:
(WTF::ImpureGetter::getOwnPropertySlot):
(functionRun):
(functionRunString):
(functionLoad):
(functionLoadString):
(functionReadFile):
(functionCheckSyntax):
(functionSetRandomSeed):
(functionLoadModule):
(functionCreateBuiltin):
(functionCheckModuleSyntax):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getByVal):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* profiler/ProfilerBytecodeSequence.cpp:
(JSC::Profiler::BytecodeSequence::addSequenceProperties):
* profiler/ProfilerCompilation.cpp:
(JSC::Profiler::Compilation::toJS):
* profiler/ProfilerDatabase.cpp:
(JSC::Profiler::Database::toJS):
* profiler/ProfilerOSRExitSite.cpp:
(JSC::Profiler::OSRExitSite::toJS):
* profiler/ProfilerOriginStack.cpp:
(JSC::Profiler::OriginStack::toJS):
* runtime/ArrayPrototype.cpp:
(JSC::speciesConstructArray):
(JSC::shift):
(JSC::unshift):
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncToLocaleString):
(JSC::slowJoin):
(JSC::fastJoin):
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf):
(JSC::moveElements):
(JSC::arrayProtoPrivateFuncConcatMemcpy):
* runtime/BooleanConstructor.cpp:
(JSC::constructWithBooleanConstructor):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opIn):
* runtime/Completion.cpp:
(JSC::loadAndEvaluateModule):
(JSC::loadModule):
* runtime/ConsoleObject.cpp:
(JSC::consoleProtoFuncAssert):
(JSC::consoleProtoFuncProfile):
(JSC::consoleProtoFuncProfileEnd):
(JSC::consoleProtoFuncTakeHeapSnapshot):
(JSC::consoleProtoFuncTime):
(JSC::consoleProtoFuncTimeEnd):
* runtime/DateConstructor.cpp:
(JSC::constructDate):
(JSC::dateParse):
* runtime/DatePrototype.cpp:
(JSC::dateProtoFuncToPrimitiveSymbol):
(JSC::dateProtoFuncToJSON):
* runtime/ErrorConstructor.cpp:
(JSC::Interpreter::constructWithErrorConstructor):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::sanitizedToString):
* runtime/ErrorPrototype.cpp:
(JSC::errorProtoFuncToString):
* runtime/ExceptionScope.h:
* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::copyToArguments):
* runtime/GetterSetter.cpp:
(JSC::callGetter):
* runtime/HashMapImpl.h:
(JSC::jsMapHash):
(JSC::HashMapImpl::finishCreation):
(JSC::HashMapImpl::findBucket):
(JSC::HashMapImpl::add):
(JSC::HashMapImpl::rehash):
* runtime/InspectorInstrumentationObject.cpp:
(JSC::inspectorInstrumentationObjectLog):
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::createSubclassStructure):
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::initializeCollator):
* runtime/IntlCollatorConstructor.cpp:
(JSC::constructIntlCollator):
(JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
* runtime/IntlCollatorPrototype.cpp:
(JSC::IntlCollatorFuncCompare):
(JSC::IntlCollatorPrototypeGetterCompare):
* runtime/IntlDateTimeFormat.cpp:
(JSC::toDateTimeOptionsAnyDate):
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
* runtime/IntlDateTimeFormatConstructor.cpp:
(JSC::constructIntlDateTimeFormat):
(JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
* runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::IntlDateTimeFormatFuncFormatDateTime):
(JSC::IntlDateTimeFormatPrototypeGetterFormat):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat):
* runtime/IntlNumberFormatConstructor.cpp:
(JSC::constructIntlNumberFormat):
(JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
* runtime/IntlNumberFormatPrototype.cpp:
(JSC::IntlNumberFormatFuncFormatNumber):
(JSC::IntlNumberFormatPrototypeGetterFormat):
* runtime/IntlObject.cpp:
(JSC::intlBooleanOption):
(JSC::intlStringOption):
(JSC::intlNumberOption):
(JSC::canonicalizeLocaleList):
(JSC::supportedLocales):
* runtime/IntlObjectInlines.h:
(JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
* runtime/IteratorOperations.cpp:
(JSC::iteratorNext):
(JSC::iteratorStep):
(JSC::iteratorClose):
(JSC::iteratorForIterable):
* runtime/IteratorOperations.h:
(JSC::forEachInIterable):
* runtime/JSArray.cpp:
(JSC::JSArray::pop):
(JSC::JSArray::copyToArguments):
* runtime/JSArrayBufferConstructor.cpp:
(JSC::constructArrayBuffer):
* runtime/JSArrayBufferPrototype.cpp:
(JSC::arrayBufferProtoFuncSlice):
* runtime/JSArrayInlines.h:
(JSC::getLength):
(JSC::toLength):
* runtime/JSBoundFunction.cpp:
(JSC::getBoundFunctionStructure):
(JSC::JSBoundFunction::create):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
(JSC::JSValue::toStringSlowCase):
* runtime/JSCJSValueInlines.h:
(JSC::toPreferredPrimitiveType):
(JSC::JSValue::getPropertySlot):
(JSC::JSValue::equalSlowCaseInline):
* runtime/JSDataViewPrototype.cpp:
(JSC::getData):
(JSC::setData):
* runtime/JSFunction.cpp:
(JSC::JSFunction::setFunctionName):
* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::setIndex):
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewFromIterator):
(JSC::constructGenericTypedArrayViewWithArguments):
(JSC::constructGenericTypedArrayView):
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::speciesConstruct):
(JSC::genericTypedArrayViewProtoFuncSet):
(JSC::genericTypedArrayViewProtoFuncCopyWithin):
(JSC::genericTypedArrayViewProtoFuncIncludes):
(JSC::genericTypedArrayViewProtoFuncIndexOf):
(JSC::genericTypedArrayViewProtoFuncJoin):
(JSC::genericTypedArrayViewProtoFuncLastIndexOf):
(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
* runtime/JSGlobalObject.h:
(JSC::constructEmptyArray):
(JSC::constructArray):
(JSC::constructArrayNegativeIndexed):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncEval):
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::instantiateDeclarations):
* runtime/JSONObject.cpp:
(JSC::Stringifier::stringify):
(JSC::Stringifier::toJSON):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Stringifier::Holder::appendNextProperty):
(JSC::Walker::walk):
(JSC::JSONProtoFuncParse):
* runtime/JSObject.cpp:
(JSC::ordinarySetSlow):
(JSC::JSObject::setPrototypeWithCycleCheck):
(JSC::callToPrimitiveFunction):
(JSC::JSObject::defaultHasInstance):
(JSC::JSObject::getPropertyNames):
(JSC::JSObject::toNumber):
(JSC::JSObject::toString):
(JSC::JSObject::defineOwnNonIndexProperty):
(JSC::JSObject::getGenericPropertyNames):
(JSC::JSObject::getMethod):
* runtime/JSObjectInlines.h:
(JSC::createListFromArrayLike):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::getNonIndexPropertySlot):
* runtime/JSPromiseConstructor.cpp:
(JSC::constructPromise):
* runtime/JSPromiseDeferred.cpp:
(JSC::JSPromiseDeferred::create):
* runtime/JSPropertyNameEnumerator.h:
(JSC::propertyNameEnumerator):
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::create):
* runtime/JSScope.cpp:
(JSC::isUnscopable):
* runtime/JSString.cpp:
(JSC::JSString::equalSlowCase):
* runtime/JSStringJoiner.cpp:
(JSC::JSStringJoiner::join):
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::parse):
* runtime/MapBase.h:
(JSC::MapBase::finishCreation):
* runtime/MapConstructor.cpp:
(JSC::constructMap):
* runtime/MathObject.cpp:
(JSC::mathProtoFuncClz32):
(JSC::mathProtoFuncHypot):
(JSC::mathProtoFuncIMul):
* runtime/ModuleLoaderPrototype.cpp:
(JSC::moduleLoaderPrototypeParseModule):
(JSC::moduleLoaderPrototypeRequestedModules):
(JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
* runtime/NativeErrorConstructor.cpp:
(JSC::Interpreter::constructWithNativeErrorConstructor):
* runtime/NumberConstructor.cpp:
(JSC::constructWithNumberConstructor):
* runtime/ObjectConstructor.cpp:
(JSC::constructObject):
(JSC::objectConstructorGetPrototypeOf):
(JSC::objectConstructorSetPrototypeOf):
(JSC::objectConstructorGetOwnPropertyDescriptor):
(JSC::objectConstructorGetOwnPropertyDescriptors):
(JSC::objectConstructorGetOwnPropertyNames):
(JSC::objectConstructorGetOwnPropertySymbols):
(JSC::objectConstructorKeys):
(JSC::ownEnumerablePropertyKeys):
(JSC::toPropertyDescriptor):
(JSC::objectConstructorDefineProperty):
(JSC::defineProperties):
(JSC::objectConstructorSeal):
(JSC::objectConstructorFreeze):
(JSC::objectConstructorIsSealed):
(JSC::objectConstructorIsFrozen):
(JSC::objectConstructorIsExtensible):
(JSC::ownPropertyKeys):
* runtime/ObjectConstructor.h:
(JSC::constructObjectFromPropertyDescriptor):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncIsPrototypeOf):
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
(JSC::objectProtoFuncPropertyIsEnumerable):
(JSC::objectProtoFuncToLocaleString):
(JSC::objectProtoFuncToString):
* runtime/Operations.cpp:
(JSC::jsAddSlowCase):
* runtime/PropertyDescriptor.cpp:
(JSC::PropertyDescriptor::slowGetterSetter):
* runtime/ProxyConstructor.cpp:
(JSC::makeRevocableProxy):
* runtime/ProxyObject.cpp:
(JSC::performProxyGet):
(JSC::ProxyObject::performGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::performPut):
(JSC::ProxyObject::putByIndexCommon):
(JSC::performProxyCall):
(JSC::performProxyConstruct):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::performPreventExtensions):
(JSC::ProxyObject::performIsExtensible):
(JSC::ProxyObject::performDefineOwnProperty):
(JSC::ProxyObject::performGetOwnPropertyNames):
(JSC::ProxyObject::performSetPrototype):
(JSC::ProxyObject::performGetPrototype):
* runtime/ReflectObject.cpp:
(JSC::reflectObjectConstruct):
(JSC::reflectObjectDefineProperty):
(JSC::reflectObjectGet):
(JSC::reflectObjectGetOwnPropertyDescriptor):
(JSC::reflectObjectIsExtensible):
(JSC::reflectObjectPreventExtensions):
(JSC::reflectObjectSet):
(JSC::reflectObjectSetPrototypeOf):
* runtime/RegExpConstructor.cpp:
(JSC::toFlags):
(JSC::regExpCreate):
(JSC::constructRegExp):
* runtime/RegExpConstructor.h:
(JSC::isRegExp):
* runtime/RegExpObject.cpp:
(JSC::collectMatches):
(JSC::RegExpObject::matchGlobal):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncCompile):
(JSC::flagsString):
(JSC::regExpProtoFuncToString):
(JSC::regExpProtoGetterFlags):
(JSC::regExpProtoFuncSearchFast):
(JSC::regExpProtoFuncSplitFast):
* runtime/SetConstructor.cpp:
(JSC::constructSet):
* runtime/StringConstructor.cpp:
(JSC::stringFromCodePoint):
(JSC::constructWithStringConstructor):
* runtime/StringObject.cpp:
(JSC::StringObject::defineOwnProperty):
* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
(JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
(JSC::replaceUsingStringSearch):
(JSC::replace):
(JSC::stringProtoFuncReplaceUsingRegExp):
(JSC::stringProtoFuncReplaceUsingStringSearch):
(JSC::stringProtoFuncCodePointAt):
(JSC::stringProtoFuncSlice):
(JSC::stringProtoFuncSplitFast):
(JSC::stringProtoFuncSubstr):
(JSC::stringProtoFuncSubstring):
(JSC::stringProtoFuncLocaleCompare):
(JSC::toLocaleCase):
(JSC::stringProtoFuncBig):
(JSC::stringProtoFuncSmall):
(JSC::stringProtoFuncBlink):
(JSC::stringProtoFuncBold):
(JSC::stringProtoFuncFixed):
(JSC::stringProtoFuncItalics):
(JSC::stringProtoFuncStrike):
(JSC::stringProtoFuncSub):
(JSC::stringProtoFuncSup):
(JSC::stringProtoFuncFontcolor):
(JSC::stringProtoFuncFontsize):
(JSC::stringProtoFuncAnchor):
(JSC::stringProtoFuncLink):
(JSC::trimString):
(JSC::stringProtoFuncStartsWith):
(JSC::stringProtoFuncEndsWith):
(JSC::stringIncludesImpl):
(JSC::stringProtoFuncIncludes):
(JSC::builtinStringIncludesInternal):
(JSC::stringProtoFuncNormalize):
* runtime/SymbolConstructor.cpp:
(JSC::symbolConstructorFor):
* runtime/TemplateRegistry.cpp:
(JSC::TemplateRegistry::getTemplateObject):
* runtime/WeakMapConstructor.cpp:
(JSC::constructWeakMap):
* runtime/WeakSetConstructor.cpp:
(JSC::constructWeakSet):
* tools/JSDollarVMPrototype.cpp:
(JSC::functionPrint):
2016-09-26 Don Olmstead <don.olmstead@am.sony.com>
[JSC] Allow fixedExecutableMemoryPoolSize to be set during build
https://bugs.webkit.org/show_bug.cgi?id=162514
Reviewed by Mark Lam.
* jit/ExecutableAllocator.h:
== Rolled over to ChangeLog-2016-09-26 ==