blob: c95a4dadd730333809af2fb38a9cb3351e226e57 [file] [log] [blame]
2018-04-25 Michael Catanzaro <mcatanzaro@igalia.com>
[GTK] Miscellaneous build cleanups
https://bugs.webkit.org/show_bug.cgi?id=184399
Reviewed by Žan Doberšek.
* PlatformGTK.cmake:
2018-04-24 Keith Miller <keith_miller@apple.com>
fromCharCode is missing some exception checks
https://bugs.webkit.org/show_bug.cgi?id=184952
Reviewed by Saam Barati.
I also removed the pointless slow path function and moved it into the
main function.
* runtime/StringConstructor.cpp:
(JSC::stringFromCharCode):
(JSC::stringFromCharCodeSlowCase): Deleted.
2018-04-24 Filip Pizlo <fpizlo@apple.com>
MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
https://bugs.webkit.org/show_bug.cgi?id=184923
Reviewed by Saam Barati.
If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
(i.e. we know that the object has one of those structures), then previously we would still emit a
switch with a case per structure along with a default case. That would mean one extra redundant
branch to check that whatever structure we wound up with belongs to the set. In that case, we
were already making the default case be an Oops.
One possible solution would be to say that the default case being Oops means that B3 doesn't need
to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
trap.
So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
extra branch.
This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
read.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
(JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):
2018-04-24 Filip Pizlo <fpizlo@apple.com>
DFG CSE should know how to decay a MultiGetByOffset
https://bugs.webkit.org/show_bug.cgi?id=159859
Reviewed by Keith Miller.
This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
clobberize() can report a def() for MultiGetByOffset.
This is a slight improvement to codegen in splay because splay is a heavy user of
MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
"splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
splay's time.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGNode.cpp:
(JSC::DFG::Node::remove):
(JSC::DFG::Node::removeWithoutChecks):
(JSC::DFG::Node::replaceWith):
(JSC::DFG::Node::replaceWithWithoutChecks):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToMultiGetByOffset):
(JSC::DFG::Node::replaceWith): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
2018-04-24 Keith Miller <keith_miller@apple.com>
Update API docs with information on which run loop the VM will use
https://bugs.webkit.org/show_bug.cgi?id=184900
<rdar://problem/39166054>
Reviewed by Mark Lam.
* API/JSContextRef.h:
* API/JSVirtualMachine.h:
2018-04-24 Filip Pizlo <fpizlo@apple.com>
$vm.totalGCTime() should be a thing
https://bugs.webkit.org/show_bug.cgi?id=184916
Reviewed by Sam Weinig.
When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
time spent in GC to determine if the regression is because the GC got slower.
This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.
* heap/Heap.cpp:
(JSC::Heap::runEndPhase):
* heap/Heap.h:
(JSC::Heap::totalGCTime const):
* tools/JSDollarVM.cpp:
(JSC::functionTotalGCTime):
(JSC::JSDollarVM::finishCreation):
2018-04-23 Zalan Bujtas <zalan@apple.com>
[LayoutFormattingContext] Initial commit.
https://bugs.webkit.org/show_bug.cgi?id=184896
Reviewed by Antti Koivisto.
* Configurations/FeatureDefines.xcconfig:
2018-04-23 Filip Pizlo <fpizlo@apple.com>
Unreviewed, revert accidental change to verbose flag.
* dfg/DFGByteCodeParser.cpp:
2018-04-23 Filip Pizlo <fpizlo@apple.com>
Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.
Rubber stamped by Saam Barati.
This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
Seems sensible to just roll it out.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addToGraph):
(JSC::DFG::ByteCodeParser::parse):
2018-04-22 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove ModuleLoaderPrototype
https://bugs.webkit.org/show_bug.cgi?id=184784
Reviewed by Mark Lam.
When we introduce ModuleLoaderPrototype, ModuleLoader may be created by users and exposed to users.
However, the loader spec is abandoned. So we do not need to have ModuleLoaderPrototype and JSModuleLoader.
This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::proxyRevokeStructure const):
(JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
* runtime/JSModuleLoader.cpp:
(JSC::moduleLoaderParseModule):
(JSC::moduleLoaderRequestedModules):
(JSC::moduleLoaderModuleDeclarationInstantiation):
(JSC::moduleLoaderResolve):
(JSC::moduleLoaderResolveSync):
(JSC::moduleLoaderFetch):
(JSC::moduleLoaderGetModuleNamespaceObject):
(JSC::moduleLoaderEvaluate):
* runtime/JSModuleLoader.h:
* runtime/ModuleLoaderPrototype.cpp: Removed.
* runtime/ModuleLoaderPrototype.h: Removed.
2018-04-20 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] All API tests fail in debug builds
https://bugs.webkit.org/show_bug.cgi?id=184813
Reviewed by Mark Lam.
This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.
* API/glib/JSCContext.cpp:
(JSCContextExceptionHandler::JSCContextExceptionHandler):
(JSCContextExceptionHandler::~JSCContextExceptionHandler):
(jscContextConstructed):
(ExceptionHandler::ExceptionHandler): Deleted.
(ExceptionHandler::~ExceptionHandler): Deleted.
2018-04-20 Tim Horton <timothy_horton@apple.com>
Adjust geolocation feature flag
https://bugs.webkit.org/show_bug.cgi?id=184856
Reviewed by Wenson Hsieh.
* Configurations/FeatureDefines.xcconfig:
2018-04-20 Brian Burg <bburg@apple.com>
Web Inspector: remove some dead code in IdentifiersFactory
https://bugs.webkit.org/show_bug.cgi?id=184839
Reviewed by Timothy Hatcher.
This was never used on non-Chrome ports, so the identifier always has a
prefix of '0.'. We may change this in the future, but for now remove this.
Using a PID for this purpose is problematic anyway.
* inspector/IdentifiersFactory.cpp:
(Inspector::addPrefixToIdentifier):
(Inspector::IdentifiersFactory::createIdentifier):
(Inspector::IdentifiersFactory::requestId):
(Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
* inspector/IdentifiersFactory.h:
2018-04-20 Mark Lam <mark.lam@apple.com>
Add the ability to use a hash for setting PtrTag enum values.
https://bugs.webkit.org/show_bug.cgi?id=184852
<rdar://problem/39613891>
Reviewed by Saam Barati.
* runtime/PtrTag.h:
2018-04-20 Mark Lam <mark.lam@apple.com>
Some JSEntryPtrTags should actually be JSInternalPtrTags.
https://bugs.webkit.org/show_bug.cgi?id=184712
<rdar://problem/39507381>
Reviewed by Michael Saboff.
1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
only when needed.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/ByValInfo.h:
(JSC::ByValInfo::ByValInfo):
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::callReturnLocation):
(JSC::CallLinkInfo::patchableJump):
(JSC::CallLinkInfo::hotPathBegin):
(JSC::CallLinkInfo::slowPathStart):
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::setCallLocations):
(JSC::CallLinkInfo::hotPathOther):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::doneLocation):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::initialize):
* ftl/FTLLazySlowPath.h:
(JSC::FTL::LazySlowPath::done const):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileIn):
(JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
* jit/JIT.cpp:
(JSC::JIT::link):
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
(JSC::LLInt::getCodePtr):
(JSC::LLInt::getExecutableAddress): Deleted.
* llint/LLIntExceptions.cpp:
(JSC::LLInt::callToThrow):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
2018-04-18 Jer Noble <jer.noble@apple.com>
Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
https://bugs.webkit.org/show_bug.cgi?id=184762
Reviewed by Dan Bernstein.
* Configurations/Base.xcconfig:
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-04-20 Daniel Bates <dabates@apple.com>
Remove code for compilers that did not support NSDMI for aggregates
https://bugs.webkit.org/show_bug.cgi?id=184599
Reviewed by Per Arne Vollan.
Remove workaround for earlier Visual Studio versions that did not support non-static data
member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
and EWS bots to a newer version that supports this feature.
* domjit/DOMJITEffect.h:
(JSC::DOMJIT::Effect::Effect): Deleted.
* runtime/HasOwnPropertyCache.h:
(JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
* wasm/WasmFormat.h:
(JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
2018-04-20 Mark Lam <mark.lam@apple.com>
Build fix for internal builds after r230826.
https://bugs.webkit.org/show_bug.cgi?id=184790
<rdar://problem/39301369>
Not reviewed.
* runtime/Options.cpp:
(JSC::overrideDefaults):
* tools/SigillCrashAnalyzer.cpp:
(JSC::SignalContext::dump):
2018-04-19 Tadeu Zagallo <tzagallo@apple.com>
REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
https://bugs.webkit.org/show_bug.cgi?id=184254
<rdar://problem/39140200>
Reviewed by Daniel Bates.
Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
* runtime/ArrayBuffer.h:
(JSC::ArrayBufferContents::ArrayBufferContents):
2018-04-19 Mark Lam <mark.lam@apple.com>
Apply pointer profiling to Signal pointers.
https://bugs.webkit.org/show_bug.cgi?id=184790
<rdar://problem/39301369>
Reviewed by Michael Saboff.
1. Change stackPointer, framePointer, and instructionPointer accessors to
be a pair of getter/setter functions.
2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of a
a pointer profiling variants of these accessors.
3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
* JavaScriptCorePrefix.h:
* runtime/MachineContext.h:
(JSC::MachineContext::stackPointerImpl):
(JSC::MachineContext::stackPointer):
(JSC::MachineContext::setStackPointer):
(JSC::MachineContext::framePointerImpl):
(JSC::MachineContext::framePointer):
(JSC::MachineContext::setFramePointer):
(JSC::MachineContext::instructionPointerImpl):
(JSC::MachineContext::instructionPointer):
(JSC::MachineContext::setInstructionPointer):
(JSC::MachineContext::linkRegisterImpl):
(JSC::MachineContext::linkRegister):
(JSC::MachineContext::setLinkRegister):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::takeSample):
* runtime/VMTraps.cpp:
(JSC::SignalContext::SignalContext):
(JSC::VMTraps::tryInstallTrapBreakpoints):
* tools/CodeProfiling.cpp:
(JSC::profilingTimer):
* tools/SigillCrashAnalyzer.cpp:
(JSC::SignalContext::dump):
(JSC::installCrashHandler):
(JSC::SigillCrashAnalyzer::analyze):
* wasm/WasmFaultSignalHandler.cpp:
(JSC::Wasm::trapHandler):
2018-04-19 David Kilzer <ddkilzer@apple.com>
Enable Objective-C weak references
<https://webkit.org/b/184789>
<rdar://problem/39571716>
Reviewed by Dan Bernstein.
* Configurations/Base.xcconfig:
(CLANG_ENABLE_OBJC_WEAK): Enable.
* Configurations/ToolExecutable.xcconfig:
(CLANG_ENABLE_OBJC_ARC): Simplify.
2018-04-17 Filip Pizlo <fpizlo@apple.com>
The InternalFunction hierarchy should be in IsoSubspaces
https://bugs.webkit.org/show_bug.cgi?id=184721
Reviewed by Saam Barati.
This moves InternalFunction into a IsoSubspace. It also moves all subclasses into IsoSubspaces,
but subclasses that are the same size as InternalFunction share its subspace. I did this
because the subclasses appear to just override methods, which are called dynamically via the
structure or class of the object. So, I don't see a type confusion risk if UAF is used to
allocate one kind of InternalFunction over another.
* API/JSBase.h:
* API/JSCallbackFunction.h:
* API/ObjCCallbackFunction.h:
(JSC::ObjCCallbackFunction::subspaceFor):
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* heap/IsoSubspacePerVM.cpp: Added.
(JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
(JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
(JSC::IsoSubspacePerVM::IsoSubspacePerVM):
(JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
(JSC::IsoSubspacePerVM::forVM):
* heap/IsoSubspacePerVM.h: Added.
(JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
* runtime/Error.h:
* runtime/ErrorConstructor.h:
* runtime/InternalFunction.h:
(JSC::InternalFunction::subspaceFor):
* runtime/IntlCollatorConstructor.h:
* runtime/IntlDateTimeFormatConstructor.h:
* runtime/IntlNumberFormatConstructor.h:
* runtime/JSArrayBufferConstructor.h:
* runtime/NativeErrorConstructor.h:
* runtime/ProxyRevoke.h:
* runtime/RegExpConstructor.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-04-19 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, Fix jsc shell
https://bugs.webkit.org/show_bug.cgi?id=184600
WebAssembly module loading does not finish with drainMicrotasks().
So JSNativeStdFunction's capturing variables become invalid.
This patch fixes this issue.
* jsc.cpp:
(functionDollarAgentStart):
(runWithOptions):
(runJSC):
(jscmain):
2018-04-18 Ross Kirsling <ross.kirsling@sony.com>
REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
https://bugs.webkit.org/show_bug.cgi?id=184725
Reviewed by Mark Lam.
* jit/JIT.h:
2018-04-18 Yusuke Suzuki <utatane.tea@gmail.com>
[WebAssembly][Modules] Import tables in wasm modules
https://bugs.webkit.org/show_bug.cgi?id=184738
Reviewed by JF Bastien.
This patch simply allows wasm modules to import table from wasm modules / js re-exporting.
Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
just works.
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
2018-04-18 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Fix build error and crash after PtrTag change
https://bugs.webkit.org/show_bug.cgi?id=184732
Reviewed by Mark Lam.
Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
twice with ARM-Thumb2.
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitSlow_op_put_by_val):
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
2018-04-18 Yusuke Suzuki <utatane.tea@gmail.com>
[WebAssembly][Modules] Import globals from wasm modules
https://bugs.webkit.org/show_bug.cgi?id=184736
Reviewed by JF Bastien.
This patch implements a feature importing globals to/from wasm modules.
Since we are not supporting mutable globals now, we can just copy the
global data when importing. Currently we do not support importing/exporting
i64 globals. This will be supported once (1) mutable global bindings are
specified and (2) BigInt based i64 importing/exporting is specified.
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
2018-04-18 Tomas Popela <tpopela@redhat.com>
Unreviewed, fix build on ARM
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::readCallTarget):
2018-04-18 Tomas Popela <tpopela@redhat.com>
Unreviewed, fix build with GCC
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::finalizeCodeWithDisassembly):
2018-04-18 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, reland r230697, r230720, and r230724.
https://bugs.webkit.org/show_bug.cgi?id=184600
With CatchScope check.
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/ModuleLoaderPrototype.js:
(globalPrivate.newRegistryEntry):
(requestInstantiate):
(link):
* jsc.cpp:
(convertShebangToJSComment):
(fillBufferWithContentsOfFile):
(fetchModuleFromLocalFileSystem):
(GlobalObject::moduleLoaderFetch):
(functionDollarAgentStart):
(checkException):
(runWithOptions):
* parser/NodesAnalyzeModule.cpp:
(JSC::ImportDeclarationNode::analyzeModule):
* parser/SourceProvider.h:
(JSC::WebAssemblySourceProvider::create):
(JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::hostResolveImportedModule):
(JSC::AbstractModuleRecord::resolveImport):
(JSC::AbstractModuleRecord::link):
(JSC::AbstractModuleRecord::evaluate):
(JSC::identifierToJSValue): Deleted.
* runtime/AbstractModuleRecord.h:
(JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
(JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
* runtime/JSModuleEnvironment.cpp:
(JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::evaluate):
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::link):
(JSC::JSModuleRecord::instantiateDeclarations):
* runtime/JSModuleRecord.h:
* runtime/ModuleLoaderPrototype.cpp:
(JSC::moduleLoaderPrototypeParseModule):
(JSC::moduleLoaderPrototypeRequestedModules):
(JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
* wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
* wasm/js/JSWebAssemblyHelpers.h:
(JSC::getWasmBufferFromValue):
(JSC::createSourceBufferFromValue):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::finalizeCreation):
(JSC::JSWebAssemblyInstance::createPrivateModuleKey):
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyInstance.h:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::prepareLink):
(JSC::WebAssemblyModuleRecord::link):
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::resolve):
(JSC::instantiate):
(JSC::compileAndInstantiate):
(JSC::WebAssemblyPrototype::instantiate):
(JSC::webAssemblyInstantiateFunc):
(JSC::webAssemblyValidateFunc):
* wasm/js/WebAssemblyPrototype.h:
2018-04-17 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Make it possible to handle JSCClass external properties not added to the prototype
https://bugs.webkit.org/show_bug.cgi?id=184687
Reviewed by Michael Catanzaro.
Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implmentations for
JSClassDefinition. This is required to implement dynamic properties that can't be added with
jsc_class_add_property() for example to implement something like imports object in seed/gjs.
* API/glib/JSCClass.cpp:
(VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
can throw exceptions.
(VTableExceptionHandler::~VTableExceptionHandler):
(getProperty): Iterate the class chain to call get_property function.
(setProperty): Iterate the class chain to call set_property function.
(hasProperty): Iterate the class chain to call has_property function.
(deleteProperty): Iterate the class chain to call delete_property function.
(getPropertyNames): Iterate the class chain to call enumerate_properties function.
(jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
jscClassCreate now.
(jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
* API/glib/JSCClass.h:
* API/glib/JSCClassPrivate.h:
* API/glib/JSCContext.cpp:
(jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
(jsc_context_register_class): Add JSCClassVTable parameter.
* API/glib/JSCContext.h:
* API/glib/JSCContextPrivate.h:
* API/glib/JSCWrapperMap.cpp:
(JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
* API/glib/JSCWrapperMap.h:
* API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
2018-04-17 Mark Lam <mark.lam@apple.com>
Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
https://bugs.webkit.org/show_bug.cgi?id=184702
<rdar://problem/35391681>
Reviewed by Filip Pizlo and Saam Barati.
1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
to take a PtrTag template argument.
2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
(JSC::AbstractMacroAssembler::linkJump):
(JSC::AbstractMacroAssembler::linkPointer):
(JSC::AbstractMacroAssembler::getLinkerAddress):
(JSC::AbstractMacroAssembler::repatchJump):
(JSC::AbstractMacroAssembler::repatchJumpToNop):
(JSC::AbstractMacroAssembler::repatchNearCall):
(JSC::AbstractMacroAssembler::repatchCompact):
(JSC::AbstractMacroAssembler::repatchInt32):
(JSC::AbstractMacroAssembler::repatchPointer):
(JSC::AbstractMacroAssembler::readPointer):
(JSC::AbstractMacroAssembler::replaceWithLoad):
(JSC::AbstractMacroAssembler::replaceWithAddressComputation):
* assembler/CodeLocation.h:
(JSC::CodeLocationCommon:: const):
(JSC::CodeLocationCommon::CodeLocationCommon):
(JSC::CodeLocationInstruction::CodeLocationInstruction):
(JSC::CodeLocationLabel::CodeLocationLabel):
(JSC::CodeLocationLabel::retagged):
(JSC::CodeLocationLabel:: const):
(JSC::CodeLocationJump::CodeLocationJump):
(JSC::CodeLocationJump::retagged):
(JSC::CodeLocationCall::CodeLocationCall):
(JSC::CodeLocationCall::retagged):
(JSC::CodeLocationNearCall::CodeLocationNearCall):
(JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
(JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
(JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
(JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
(JSC::CodeLocationCommon<tag>::instructionAtOffset):
(JSC::CodeLocationCommon<tag>::labelAtOffset):
(JSC::CodeLocationCommon<tag>::jumpAtOffset):
(JSC::CodeLocationCommon<tag>::callAtOffset):
(JSC::CodeLocationCommon<tag>::nearCallAtOffset):
(JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
(JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
(JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
(JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
(JSC::CodeLocationCommon::instructionAtOffset): Deleted.
(JSC::CodeLocationCommon::labelAtOffset): Deleted.
(JSC::CodeLocationCommon::jumpAtOffset): Deleted.
(JSC::CodeLocationCommon::callAtOffset): Deleted.
(JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
(JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
(JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
(JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
(JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
(JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
(JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
(JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::link):
(JSC::LinkBuffer::patch):
(JSC::LinkBuffer::entrypoint):
(JSC::LinkBuffer::locationOf):
(JSC::LinkBuffer::locationOfNearCall):
(JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
(JSC::LinkBuffer::finalizeCodeWithDisassembly):
(JSC::LinkBuffer::trampolineAt):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::readCallTarget):
(JSC::MacroAssemblerARM::replaceWithJump):
(JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
(JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
(JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
(JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
(JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
(JSC::MacroAssemblerARM::repatchCall):
(JSC::MacroAssemblerARM::linkCall):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::readCallTarget):
(JSC::MacroAssemblerARM64::replaceWithVMHalt):
(JSC::MacroAssemblerARM64::replaceWithJump):
(JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
(JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
(JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
(JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
(JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
(JSC::MacroAssemblerARM64::repatchCall):
(JSC::MacroAssemblerARM64::linkCall):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::replaceWithJump):
(JSC::MacroAssemblerARMv7::readCallTarget):
(JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
(JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
(JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
(JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
(JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
(JSC::MacroAssemblerARMv7::repatchCall):
(JSC::MacroAssemblerARMv7::linkCall):
* assembler/MacroAssemblerCodeRef.cpp:
(JSC::MacroAssemblerCodePtrBase::dumpWithName):
(JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
(JSC::MacroAssemblerCodeRefBase::disassembly):
(JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
(JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
(JSC::MacroAssemblerCodePtr::dump const): Deleted.
(JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
(JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
(JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
(JSC::MacroAssemblerCodeRef::dump const): Deleted.
* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr):
(JSC::FunctionPtr::retagged const):
(JSC::FunctionPtr::retaggedExecutableAddress const):
(JSC::FunctionPtr::operator== const):
(JSC::FunctionPtr::operator!= const):
(JSC::ReturnAddressPtr::ReturnAddressPtr):
(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
(JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
(JSC::MacroAssemblerCodePtr::retagged const):
(JSC::MacroAssemblerCodePtr:: const):
(JSC::MacroAssemblerCodePtr::dumpWithName const):
(JSC::MacroAssemblerCodePtr::dump const):
(JSC::MacroAssemblerCodePtrHash::hash):
(JSC::MacroAssemblerCodePtrHash::equal):
(JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
(JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
(JSC::MacroAssemblerCodeRef::code const):
(JSC::MacroAssemblerCodeRef::retaggedCode const):
(JSC::MacroAssemblerCodeRef::retagged const):
(JSC::MacroAssemblerCodeRef::tryToDisassemble const):
(JSC::MacroAssemblerCodeRef::disassembly const):
(JSC::MacroAssemblerCodeRef::dump const):
(JSC::FunctionPtr<tag>::FunctionPtr):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::readCallTarget):
(JSC::MacroAssemblerMIPS::replaceWithJump):
(JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
(JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
(JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
(JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
(JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
(JSC::MacroAssemblerMIPS::repatchCall):
(JSC::MacroAssemblerMIPS::linkCall):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::readCallTarget):
(JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
(JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
(JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
(JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
(JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
(JSC::MacroAssemblerX86::repatchCall):
(JSC::MacroAssemblerX86::linkCall):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::repatchCompact):
(JSC::MacroAssemblerX86Common::replaceWithVMHalt):
(JSC::MacroAssemblerX86Common::replaceWithJump):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::readCallTarget):
(JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
(JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
(JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
(JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
(JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
(JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
(JSC::MacroAssemblerX86_64::repatchCall):
(JSC::MacroAssemblerX86_64::linkCall):
* assembler/testmasm.cpp:
(JSC::compile):
(JSC::invoke):
(JSC::testProbeModifiesProgramCounter):
* b3/B3Compilation.cpp:
(JSC::B3::Compilation::Compilation):
* b3/B3Compilation.h:
(JSC::B3::Compilation::code const):
(JSC::B3::Compilation::codeRef const):
* b3/B3Compile.cpp:
(JSC::B3::compile):
* b3/B3LowerMacros.cpp:
* b3/air/AirDisassembler.cpp:
(JSC::B3::Air::Disassembler::dump):
* b3/air/testair.cpp:
* b3/testb3.cpp:
(JSC::B3::invoke):
(JSC::B3::testInterpreter):
(JSC::B3::testEntrySwitchSimple):
(JSC::B3::testEntrySwitchNoEntrySwitch):
(JSC::B3::testEntrySwitchWithCommonPaths):
(JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
(JSC::B3::testEntrySwitchLoop):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/AccessCaseSnippetParams.cpp:
(JSC::SlowPathCallGeneratorWithArguments::generateImpl):
* bytecode/ByValInfo.h:
(JSC::ByValInfo::ByValInfo):
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::callReturnLocation):
(JSC::CallLinkInfo::patchableJump):
(JSC::CallLinkInfo::hotPathBegin):
(JSC::CallLinkInfo::slowPathStart):
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::setCallLocations):
(JSC::CallLinkInfo::hotPathOther):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::GetByIdVariant):
(JSC::GetByIdVariant::dumpInContext const):
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::customAccessorGetter const):
* bytecode/GetterSetterAccessCase.cpp:
(JSC::GetterSetterAccessCase::create):
(JSC::GetterSetterAccessCase::GetterSetterAccessCase):
(JSC::GetterSetterAccessCase::dumpImpl const):
* bytecode/GetterSetterAccessCase.h:
(JSC::GetterSetterAccessCase::customAccessor const):
(): Deleted.
* bytecode/HandlerInfo.h:
(JSC::HandlerInfo::initialize):
* bytecode/InlineAccess.cpp:
(JSC::linkCodeInline):
(JSC::InlineAccess::rewireStubAsJump):
* bytecode/InlineAccess.h:
* bytecode/JumpTable.h:
(JSC::StringJumpTable::ctiForValue):
(JSC::SimpleJumpTable::ctiForValue):
* bytecode/LLIntCallLinkInfo.h:
(JSC::LLIntCallLinkInfo::unlink):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::emitExplicitExceptionHandler):
(JSC::PolymorphicAccess::regenerate):
* bytecode/PolymorphicAccess.h:
(JSC::AccessGenerationResult::AccessGenerationResult):
(JSC::AccessGenerationResult::code const):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::slowPathCallLocation):
(JSC::StructureStubInfo::doneLocation):
(JSC::StructureStubInfo::slowPathStartLocation):
(JSC::StructureStubInfo::patchableJumpForIn):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::appendCatchEntrypoint):
* dfg/DFGDisassembler.cpp:
(JSC::DFG::Disassembler::dumpDisassembly):
* dfg/DFGDriver.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::compileExceptionHandlers):
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::compileFunction):
(JSC::DFG::JITCompiler::noticeCatchEntrypoint):
* dfg/DFGJITCompiler.h:
(JSC::DFG::CallLinkRecord::CallLinkRecord):
(JSC::DFG::JITCompiler::appendCall):
(JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
(JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
(JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::JITFinalizer):
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGJITFinalizer.h:
* dfg/DFGJumpReplacement.h:
(JSC::DFG::JumpReplacement::JumpReplacement):
* dfg/DFGNode.h:
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
(JSC::DFG::prepareCatchOSREntry):
* dfg/DFGOSREntry.h:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::adjustAndJumpToTarget):
(JSC::DFG::OSRExit::codeLocationForRepatch const):
(JSC::DFG::OSRExit::emitRestoreArguments):
(JSC::DFG::OSRExit::compileOSRExit):
* dfg/DFGOSRExit.h:
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::osrWriteBarrier):
(JSC::DFG::adjustAndJumpToTarget):
* dfg/DFGOperations.cpp:
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
(JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
(JSC::DFG::slowPathCall):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileMathIC):
(JSC::DFG::SpeculativeJIT::compileCallDOM):
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
(JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
(JSC::DFG::SpeculativeJIT::compileGetDirectPname):
(JSC::DFG::SpeculativeJIT::cachedPutById):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::appendCall):
(JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
(JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
(JSC::DFG::SpeculativeJIT::appendCallSetResult):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitThunkGenerator):
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* dfg/DFGThunks.h:
* disassembler/ARM64Disassembler.cpp:
(JSC::tryToDisassemble):
* disassembler/ARMv7Disassembler.cpp:
(JSC::tryToDisassemble):
* disassembler/Disassembler.cpp:
(JSC::disassemble):
(JSC::disassembleAsynchronously):
* disassembler/Disassembler.h:
(JSC::tryToDisassemble):
* disassembler/UDis86Disassembler.cpp:
(JSC::tryToDisassembleWithUDis86):
* disassembler/UDis86Disassembler.h:
(JSC::tryToDisassembleWithUDis86):
* disassembler/X86Disassembler.cpp:
(JSC::tryToDisassemble):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLExceptionTarget.cpp:
(JSC::FTL::ExceptionTarget::label):
(JSC::FTL::ExceptionTarget::jumps):
* ftl/FTLExceptionTarget.h:
* ftl/FTLGeneratedFunction.h:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::initializeB3Code):
(JSC::FTL::JITCode::initializeAddressForCall):
(JSC::FTL::JITCode::initializeArityCheckEntrypoint):
(JSC::FTL::JITCode::addressForCall):
(JSC::FTL::JITCode::executableAddressAtOffset):
* ftl/FTLJITCode.h:
(JSC::FTL::JITCode::b3Code const):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::initialize):
(JSC::FTL::LazySlowPath::generate):
* ftl/FTLLazySlowPath.h:
(JSC::FTL::LazySlowPath::patchableJump const):
(JSC::FTL::LazySlowPath::done const):
(JSC::FTL::LazySlowPath::stub const):
* ftl/FTLLazySlowPathCall.h:
(JSC::FTL::createLazyCallGenerator):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
(JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
(JSC::FTL::DFG::LowerDFGToB3::compileIn):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
(JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExit::codeLocationForRepatch const):
* ftl/FTLOSRExit.h:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLOSRExitHandle.cpp:
(JSC::FTL::OSRExitHandle::emitExitThunk):
* ftl/FTLOperations.cpp:
(JSC::FTL::compileFTLLazySlowPath):
* ftl/FTLPatchpointExceptionHandle.cpp:
(JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
* ftl/FTLSlowPathCall.cpp:
(JSC::FTL::SlowPathCallContext::keyWithTarget const):
(JSC::FTL::SlowPathCallContext::makeCall):
* ftl/FTLSlowPathCall.h:
(JSC::FTL::callOperation):
* ftl/FTLSlowPathCallKey.cpp:
(JSC::FTL::SlowPathCallKey::dump const):
* ftl/FTLSlowPathCallKey.h:
(JSC::FTL::SlowPathCallKey::SlowPathCallKey):
(JSC::FTL::SlowPathCallKey::callTarget const):
(JSC::FTL::SlowPathCallKey::withCallTarget):
(JSC::FTL::SlowPathCallKey::hash const):
(JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
* ftl/FTLState.cpp:
(JSC::FTL::State::State):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::osrExitGenerationThunkGenerator):
(JSC::FTL::lazySlowPathGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* ftl/FTLThunks.h:
(JSC::FTL::generateIfNecessary):
(JSC::FTL::keyForThunk):
(JSC::FTL::Thunks::getSlowPathCallThunk):
(JSC::FTL::Thunks::keyForSlowPathCallThunk):
* interpreter/InterpreterInlines.h:
(JSC::Interpreter::getOpcodeID):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::callExceptionFuzz):
(JSC::AssemblyHelpers::emitDumbVirtualCall):
(JSC::AssemblyHelpers::debugCall):
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::ensureShadowChickenPacket):
* jit/ExecutableAllocator.cpp:
(JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
(JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
* jit/ExecutableAllocator.h:
(JSC::performJITMemcpy):
* jit/GCAwareJITStubRoutine.cpp:
(JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
(JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
(JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
(JSC::createJITStubRoutine):
* jit/GCAwareJITStubRoutine.h:
(JSC::createJITStubRoutine):
* jit/JIT.cpp:
(JSC::ctiPatchCallByReturnAddress):
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::link):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
(JSC::CallRecord::CallRecord):
* jit/JITArithmetic.cpp:
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCallSlowCase):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCallSlowCase):
* jit/JITCode.cpp:
(JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
(JSC::JITCodeWithCodeRef::executableAddressAtOffset):
(JSC::DirectJITCode::DirectJITCode):
(JSC::DirectJITCode::initializeCodeRef):
(JSC::DirectJITCode::addressForCall):
(JSC::NativeJITCode::NativeJITCode):
(JSC::NativeJITCode::initializeCodeRef):
(JSC::NativeJITCode::addressForCall):
* jit/JITCode.h:
* jit/JITCodeMap.h:
(JSC::JITCodeMap::Entry::Entry):
(JSC::JITCodeMap::Entry::codeLocation):
(JSC::JITCodeMap::append):
(JSC::JITCodeMap::find const):
* jit/JITDisassembler.cpp:
(JSC::JITDisassembler::dumpDisassembly):
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITByIdGenerator::finalize):
* jit/JITInlines.h:
(JSC::JIT::emitNakedCall):
(JSC::JIT::emitNakedTailCall):
(JSC::JIT::appendCallWithExceptionCheck):
(JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
(JSC::JIT::appendCallWithCallFrameRollbackOnException):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emitSlow_op_has_indexed_property):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOperations.cpp:
(JSC::getByVal):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emitGetByValWithCachedId):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitPutByValWithCachedId):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::emitSlow_op_try_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_direct):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
* jit/JITStubRoutine.h:
(JSC::JITStubRoutine::JITStubRoutine):
(JSC::JITStubRoutine::createSelfManagedRoutine):
(JSC::JITStubRoutine::code const):
(JSC::JITStubRoutine::asCodePtr):
* jit/JITThunks.cpp:
(JSC::JITThunks::ctiNativeCall):
(JSC::JITThunks::ctiNativeConstruct):
(JSC::JITThunks::ctiNativeTailCall):
(JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
(JSC::JITThunks::ctiInternalFunctionCall):
(JSC::JITThunks::ctiInternalFunctionConstruct):
(JSC::JITThunks::ctiStub):
(JSC::JITThunks::existingCTIStub):
(JSC::JITThunks::hostFunctionStub):
* jit/JITThunks.h:
* jit/PCToCodeOriginMap.cpp:
(JSC::PCToCodeOriginMap::PCToCodeOriginMap):
* jit/PCToCodeOriginMap.h:
* jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
* jit/PolymorphicCallStubRoutine.h:
* jit/Repatch.cpp:
(JSC::readPutICCallTarget):
(JSC::ftlThunkAwareRepatchCall):
(JSC::appropriateOptimizingGetByIdFunction):
(JSC::appropriateGetByIdFunction):
(JSC::tryCacheGetByID):
(JSC::repatchGetByID):
(JSC::tryCachePutByID):
(JSC::repatchPutByID):
(JSC::tryCacheIn):
(JSC::repatchIn):
(JSC::linkSlowFor):
(JSC::linkFor):
(JSC::linkDirectFor):
(JSC::revertCall):
(JSC::unlinkFor):
(JSC::linkVirtualFor):
(JSC::linkPolymorphicCall):
(JSC::resetGetByID):
(JSC::resetPutByID):
* jit/Repatch.h:
* jit/SlowPathCall.h:
(JSC::JITSlowPathCall::call):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
(JSC::SpecializedThunkJIT::callDoubleToDouble):
(JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
* jit/ThunkGenerator.h:
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::slowPathFor):
(JSC::linkCallThunkGenerator):
(JSC::linkPolymorphicCallThunkGenerator):
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::nativeCallGenerator):
(JSC::nativeTailCallGenerator):
(JSC::nativeTailCallWithoutSavedTagsGenerator):
(JSC::nativeConstructGenerator):
(JSC::internalFunctionCallGenerator):
(JSC::internalFunctionConstructGenerator):
(JSC::arityFixupGenerator):
(JSC::unreachableGenerator):
(JSC::charCodeAtThunkGenerator):
(JSC::charAtThunkGenerator):
(JSC::fromCharCodeThunkGenerator):
(JSC::clz32ThunkGenerator):
(JSC::sqrtThunkGenerator):
(JSC::floorThunkGenerator):
(JSC::ceilThunkGenerator):
(JSC::truncThunkGenerator):
(JSC::roundThunkGenerator):
(JSC::expThunkGenerator):
(JSC::logThunkGenerator):
(JSC::absThunkGenerator):
(JSC::imulThunkGenerator):
(JSC::randomThunkGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* jit/ThunkGenerators.h:
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
(JSC::LLInt::getExecutableAddress):
(JSC::LLInt::getCodePtr):
(JSC::LLInt::getCodeRef):
(JSC::LLInt::getCodeFunctionPtr):
* llint/LLIntEntrypoint.cpp:
(JSC::LLInt::setFunctionEntrypoint):
(JSC::LLInt::setEvalEntrypoint):
(JSC::LLInt::setProgramEntrypoint):
(JSC::LLInt::setModuleProgramEntrypoint):
* llint/LLIntExceptions.cpp:
(JSC::LLInt::callToThrow):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::setUpCall):
* llint/LLIntThunks.cpp:
(JSC::vmEntryToWasm):
(JSC::LLInt::generateThunkWithJumpTo):
(JSC::LLInt::functionForCallEntryThunkGenerator):
(JSC::LLInt::functionForConstructEntryThunkGenerator):
(JSC::LLInt::functionForCallArityCheckThunkGenerator):
(JSC::LLInt::functionForConstructArityCheckThunkGenerator):
(JSC::LLInt::evalEntryThunkGenerator):
(JSC::LLInt::programEntryThunkGenerator):
(JSC::LLInt::moduleProgramEntryThunkGenerator):
* llint/LLIntThunks.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* profiler/ProfilerCompilation.cpp:
(JSC::Profiler::Compilation::addOSRExitSite):
* profiler/ProfilerCompilation.h:
* profiler/ProfilerOSRExitSite.cpp:
(JSC::Profiler::OSRExitSite::toJS const):
* profiler/ProfilerOSRExitSite.h:
(JSC::Profiler::OSRExitSite::OSRExitSite):
(JSC::Profiler::OSRExitSite::codeAddress const):
(JSC::Profiler::OSRExitSite:: const): Deleted.
* runtime/ExecutableBase.cpp:
(JSC::ExecutableBase::clearCode):
* runtime/ExecutableBase.h:
(JSC::ExecutableBase::entrypointFor):
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::finishCreation):
* runtime/NativeFunction.h:
(JSC::TaggedNativeFunction::TaggedNativeFunction):
(JSC::TaggedNativeFunction::operator NativeFunction):
* runtime/PtrTag.h:
(JSC::tagCodePtr):
(JSC::untagCodePtr):
(JSC::retagCodePtr):
(JSC::tagCFunctionPtr):
(JSC::untagCFunctionPtr):
(JSC::nextPtrTagID): Deleted.
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::setCustomValue):
(JSC::PutPropertySlot::setCustomAccessor):
(JSC::PutPropertySlot::customSetter const):
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::installCode):
* runtime/VM.cpp:
(JSC::VM::getHostFunction):
(JSC::VM::getCTIInternalFunctionTrampolineFor):
* runtime/VM.h:
(JSC::VM::getCTIStub):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::emitExceptionCheck):
(JSC::Wasm::B3IRGenerator::emitTierUpCheck):
(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::prepare):
(JSC::Wasm::BBQPlan::complete):
* wasm/WasmBBQPlan.h:
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmBinding.h:
* wasm/WasmCallee.h:
(JSC::Wasm::Callee::entrypoint const):
* wasm/WasmCallingConvention.h:
(JSC::Wasm::CallingConvention::setupFrameInPrologue const):
* wasm/WasmCodeBlock.h:
(JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
* wasm/WasmFaultSignalHandler.cpp:
(JSC::Wasm::trapHandler):
* wasm/WasmFormat.h:
* wasm/WasmInstance.h:
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
(JSC::Wasm::Thunks::stub):
(JSC::Wasm::Thunks::existingStub):
* wasm/WasmThunks.h:
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WasmToJS.h:
* wasm/js/WebAssemblyFunction.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
(JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
(JSC::Yarr::YarrGenerator::compile):
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::set8BitCode):
(JSC::Yarr::YarrCodeBlock::set16BitCode):
(JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
(JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
(JSC::Yarr::YarrCodeBlock::execute):
(JSC::Yarr::YarrCodeBlock::clear):
2018-04-17 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r230697, r230720, and r230724.
https://bugs.webkit.org/show_bug.cgi?id=184717
These caused multiple failures on the Test262 testers.
(Requested by mlewis13 on #webkit).
Reverted changesets:
"[WebAssembly][Modules] Prototype wasm import"
https://bugs.webkit.org/show_bug.cgi?id=184600
https://trac.webkit.org/changeset/230697
"[WebAssembly][Modules] Implement function import from wasm
modules"
https://bugs.webkit.org/show_bug.cgi?id=184689
https://trac.webkit.org/changeset/230720
"[JSC] Rename runWebAssembly to runWebAssemblySuite"
https://bugs.webkit.org/show_bug.cgi?id=184703
https://trac.webkit.org/changeset/230724
2018-04-17 JF Bastien <jfbastien@apple.com>
A put is not an ExistingProperty put when we transition a structure because of an attributes change
https://bugs.webkit.org/show_bug.cgi?id=184706
<rdar://problem/38871451>
Reviewed by Saam Barati.
When putting a property on a structure and the slot is a different
type, the slot can't be said to have already been existing.
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectInternal):
2018-04-17 Filip Pizlo <fpizlo@apple.com>
JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
https://bugs.webkit.org/show_bug.cgi?id=184705
Reviewed by Michael Saboff.
My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
while testing an unrelated patch, a concurrent GC thread crashed inside
JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
because a typed array became wasteful concurrently to the GC. So, visitChildren() read one
mode and another vector.
The fix is to lock inside visitChildren and anyone who changes those fields.
I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
this.
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::neuter):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2018-04-16 Filip Pizlo <fpizlo@apple.com>
PutStackSinkingPhase should know that KillStack means ConflictingFlush
https://bugs.webkit.org/show_bug.cgi?id=184672
Reviewed by Michael Saboff.
We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
intentional - I don't know.
Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailabiity uses ConflictingFlush. I think
that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
its stack slot for the purpose of clobberize.
* dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
* dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
* ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
(JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2018-04-17 Filip Pizlo <fpizlo@apple.com>
JSWebAssemblyCodeBlock should be in an IsoSubspace
https://bugs.webkit.org/show_bug.cgi?id=184704
Reviewed by Mark Lam.
Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
shortcircuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
protection.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* wasm/js/JSWebAssemblyCodeBlock.h:
2018-04-17 Jer Noble <jer.noble@apple.com>
Only enable useSeparatedWXHeap on ARM64.
https://bugs.webkit.org/show_bug.cgi?id=184697
Reviewed by Saam Barati.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2018-04-17 Yusuke Suzuki <utatane.tea@gmail.com>
[WebAssembly][Modules] Implement function import from wasm modules
https://bugs.webkit.org/show_bug.cgi?id=184689
Reviewed by JF Bastien.
This patch implements function import from wasm modules. We move function importing part
from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
is because linking these functions requires that all the dependent modules are created.
While we want to move all the linking functionality from JSWebAssemblyInstance to
WebAssemblyModuleRecord::link, we do not that in this patch. In this patch, we move only
function importing part because efficient compilation of WebAssembly needs to know
the type of WebAssemblyMemory (signaling or bound checking). This needs to know imported
or attached WebAssembly memory object. So we cannot defer this linking to
WebAssemblyModuleRecord::link now.
The largest difference from JS module linking is that WebAssembly module linking links
function from the module by snapshotting. When you have a cyclic module graph like this,
-> JS1 (export "fun") -> Wasm1 (import "fun from JS1) -+
^ |
+--------------------------------------------------+
we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
is described in [1], and tested in this patch.
[1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
* JavaScriptCore.xcodeproj/project.pbxproj:
* jsc.cpp:
(functionDollarAgentStart):
(checkException):
(runWithOptions):
Small fixes for wasm module loading.
* parser/NodesAnalyzeModule.cpp:
(JSC::ImportDeclarationNode::analyzeModule):
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::resolveImport):
(JSC::AbstractModuleRecord::link):
* runtime/AbstractModuleRecord.h:
(JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
(JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
Now, wasm modules can have import which is named "*". So this function does not work.
Since wasm modules never have namespace importing, we check this in JS's module analyzer.
* runtime/JSModuleEnvironment.cpp:
(JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::instantiateDeclarations):
* wasm/WasmCreationMode.h: Added.
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::finalizeCreation):
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyInstance.h:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::resolve):
(JSC::instantiate):
(JSC::compileAndInstantiate):
(JSC::WebAssemblyPrototype::instantiate):
(JSC::webAssemblyInstantiateFunc):
2018-04-17 Dominik Infuehr <dinfuehr@igalia.com>
Implement setupArgumentsImpl for ARM and MIPS
https://bugs.webkit.org/show_bug.cgi?id=183786
Reviewed by Yusuke Suzuki.
Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling convention. Added
numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
registers used for 64-bit values on 32-bit architectures. numCrossSources
keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::moveDouble):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::moveDouble):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupStubCrossArgs):
(JSC::CCallHelpers::ArgCollection::ArgCollection):
(JSC::CCallHelpers::ArgCollection::pushRegArg):
(JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
(JSC::CCallHelpers::ArgCollection::addGPRArg):
(JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
(JSC::CCallHelpers::ArgCollection::addStackArg):
(JSC::CCallHelpers::ArgCollection::addPoke):
(JSC::CCallHelpers::ArgCollection::argCount):
(JSC::CCallHelpers::calculatePokeOffset):
(JSC::CCallHelpers::pokeForArgument):
(JSC::CCallHelpers::stackAligned):
(JSC::CCallHelpers::marshallArgumentRegister):
(JSC::CCallHelpers::setupArgumentsImpl):
(JSC::CCallHelpers::pokeArgumentsAligned):
(JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
(JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
(JSC::CCallHelpers::setupArguments):
* jit/FPRInfo.h:
(JSC::FPRInfo::toArgumentRegister):
2018-04-17 Saam Barati <sbarati@apple.com>
Add system trace points for process launch and for initializeWebProcess
https://bugs.webkit.org/show_bug.cgi?id=184669
Reviewed by Simon Fraser.
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
(JSC::VMEntryScope::~VMEntryScope):
2018-04-17 Jer Noble <jer.noble@apple.com>
Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
https://bugs.webkit.org/show_bug.cgi?id=184602
Reviewed by Beth Dakin.
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-04-17 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Add API to clear JSCContext uncaught exception
https://bugs.webkit.org/show_bug.cgi?id=184685
Reviewed by Žan Doberšek.
Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
* API/glib/JSCContext.cpp:
(jsc_context_clear_exception):
* API/glib/JSCContext.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-04-17 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Add API to query, delete and enumerate properties
https://bugs.webkit.org/show_bug.cgi?id=184647
Reviewed by Michael Catanzaro.
Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
* API/glib/JSCValue.cpp:
(jsc_value_object_has_property):
(jsc_value_object_delete_property):
(jsc_value_object_enumerate_properties):
* API/glib/JSCValue.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-04-16 Yusuke Suzuki <utatane.tea@gmail.com>
[WebAssembly][Modules] Prototype wasm import
https://bugs.webkit.org/show_bug.cgi?id=184600
Reviewed by JF Bastien.
This patch is an initial attempt to implement Wasm loading in module pipeline.
Currently,
1. We only support Wasm loading in the JSC shell. Once loading mechanism is specified
in whatwg HTML, we should integrate this into WebCore.
2. We only support exporting values from Wasm. Wasm module cannot import anything from
the other modules now.
When loading a file, JSC shell checks wasm magic. If the wasm magic is found, JSC shell
loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and
module loader pipeline just handles it as the same to JS. When parsing a module, we
checks the type of JSSourceCode. If the source code is Wasm source code, we create a
WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
AbstractModuleRecord and Wasm module is instantiated, linked, and evaluated.
* builtins/ModuleLoaderPrototype.js:
(globalPrivate.newRegistryEntry):
(requestInstantiate):
(link):
* jsc.cpp:
(convertShebangToJSComment):
(fillBufferWithContentsOfFile):
(fetchModuleFromLocalFileSystem):
(GlobalObject::moduleLoaderFetch):
* parser/SourceProvider.h:
(JSC::WebAssemblySourceProvider::create):
(JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::hostResolveImportedModule):
(JSC::AbstractModuleRecord::link):
(JSC::AbstractModuleRecord::evaluate):
(JSC::identifierToJSValue): Deleted.
* runtime/AbstractModuleRecord.h:
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::evaluate):
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::link):
(JSC::JSModuleRecord::instantiateDeclarations):
* runtime/JSModuleRecord.h:
* runtime/ModuleLoaderPrototype.cpp:
(JSC::moduleLoaderPrototypeParseModule):
(JSC::moduleLoaderPrototypeRequestedModules):
(JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
* wasm/js/JSWebAssemblyHelpers.h:
(JSC::getWasmBufferFromValue):
(JSC::createSourceBufferFromValue):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::finalizeCreation):
(JSC::JSWebAssemblyInstance::createPrivateModuleKey):
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyInstance.h:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::prepareLink):
(JSC::WebAssemblyModuleRecord::link):
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::resolve):
(JSC::instantiate):
(JSC::compileAndInstantiate):
(JSC::WebAssemblyPrototype::instantiate):
(JSC::webAssemblyInstantiateFunc):
(JSC::webAssemblyValidateFunc):
* wasm/js/WebAssemblyPrototype.h:
2018-04-14 Filip Pizlo <fpizlo@apple.com>
Function.prototype.caller shouldn't return generator bodies
https://bugs.webkit.org/show_bug.cgi?id=184630
Reviewed by Yusuke Suzuki.
Function.prototype.caller no longer returns generator bodies. Those are meant to be
private.
Also added some builtin debugging tools so that it's easier to do the investigation that I
did.
* builtins/BuiltinNames.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::callerGetter):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncBuiltinDescribe):
* runtime/JSGlobalObjectFunctions.h:
2018-04-13 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Remove duplicate 32bit ProfileType implementation
https://bugs.webkit.org/show_bug.cgi?id=184536
Reviewed by Saam Barati.
This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileProfileType):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfUndefined):
(JSC::AssemblyHelpers::branchIfNull):
2018-04-12 Mark Lam <mark.lam@apple.com>
Consolidate some PtrTags.
https://bugs.webkit.org/show_bug.cgi?id=184552
<rdar://problem/39389404>
Reviewed by Filip Pizlo.
Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::repatchNearCall):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::readCallTarget):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::readCallTarget):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::readCallTarget):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::readCallTarget):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::readCallTarget):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::rewireStubAsJump):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
(JSC::DFG::adjustAndJumpToTarget):
(JSC::DFG::OSRExit::compileOSRExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::adjustAndJumpToTarget):
* dfg/DFGOperations.cpp:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::executableAddressAtOffset):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::generate):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLOSRExitHandle.cpp:
(JSC::FTL::OSRExitHandle::emitExitThunk):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitDumbVirtualCall):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::link):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCallSlowCase):
* jit/JITCode.cpp:
(JSC::JITCodeWithCodeRef::executableAddressAtOffset):
(JSC::NativeJITCode::addressForCall):
* jit/JITInlines.h:
(JSC::JIT::emitNakedCall):
(JSC::JIT::emitNakedTailCall):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* jit/JITOpcodes.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOperations.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITThunks.cpp:
(JSC::JITThunks::hostFunctionStub):
* jit/Repatch.cpp:
(JSC::linkSlowFor):
(JSC::linkFor):
(JSC::linkPolymorphicCall):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntEntrypoint.cpp:
(JSC::LLInt::setEvalEntrypoint):
(JSC::LLInt::setProgramEntrypoint):
(JSC::LLInt::setModuleProgramEntrypoint):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::setUpCall):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
(JSC::LLInt::functionForCallEntryThunkGenerator):
(JSC::LLInt::functionForConstructEntryThunkGenerator):
(JSC::LLInt::functionForCallArityCheckThunkGenerator):
(JSC::LLInt::functionForConstructArityCheckThunkGenerator):
(JSC::LLInt::evalEntryThunkGenerator):
(JSC::LLInt::programEntryThunkGenerator):
(JSC::LLInt::moduleProgramEntryThunkGenerator):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::finishCreation):
* runtime/NativeFunction.h:
(JSC::TaggedNativeFunction::TaggedNativeFunction):
(JSC::TaggedNativeFunction::operator NativeFunction):
* runtime/PtrTag.h:
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::complete):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunction.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::compile):
2018-04-12 Michael Catanzaro <mcatanzaro@igalia.com>
[WPE] Move libWPEWebInspectorResources.so to pkglibdir
https://bugs.webkit.org/show_bug.cgi?id=184379
Reviewed by Žan Doberšek.
Load the module from the new location.
* PlatformWPE.cmake:
* inspector/remote/glib/RemoteInspectorUtils.cpp:
(Inspector::backendCommands):
2018-04-12 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Remove compileBigIntEquality in DFG 32bit
https://bugs.webkit.org/show_bug.cgi?id=184535
Reviewed by Saam Barati.
We can have the unified implementation for compileBigIntEquality.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2018-04-12 Michael Catanzaro <mcatanzaro@igalia.com>
[WPE] Improve include hierarchy
https://bugs.webkit.org/show_bug.cgi?id=184376
Reviewed by Žan Doberšek.
Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
/usr/include/wpe-0.1/WPE/jsc.
* PlatformWPE.cmake:
2018-04-11 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Handle strings containing null characters
https://bugs.webkit.org/show_bug.cgi?id=184450
Reviewed by Michael Catanzaro.
We should be able to evaluate scripts containing null characters and to handle strings that contains them
too. In JavaScript strings are not null-terminated, they can contain null characters. This patch adds a length
parameter to jsc_context_valuate() to pass the script length (or -1 if it's null terminated), and new functions
jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
contain null characters.
* API/OpaqueJSString.cpp:
(OpaqueJSString::create): Add a create constructor that takes the String.
* API/OpaqueJSString.h:
(OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
* API/glib/JSCContext.cpp:
(jsc_context_evaluate): Add length parameter.
(jsc_context_evaluate_with_source_uri): Ditto.
* API/glib/JSCContext.h:
* API/glib/JSCValue.cpp:
(jsc_value_new_string_from_bytes):
(jsc_value_to_string):
(jsc_value_to_string_as_bytes):
(jsc_value_object_is_instance_of): Pass length to evaluate.
* API/glib/JSCValue.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-04-11 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
https://bugs.webkit.org/show_bug.cgi?id=184500
Reviewed by Mark Lam.
Instead of passing JSValue::JSCellTag to callOperation meta-program to convert
JSCell GPR to EncodedJSValue in 32bit code, we add CallHelpers::CellValue.
It is a wrapper for GPRReg, like TrustedImmPtr for pointer value. When poking
CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
poke held GPR. The benefit from this CellValue is that we can use the same code
for 32bit and 64bit. This patch removes several ifdefs.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
(JSC::DFG::SpeculativeJIT::compileGetDirectPname):
(JSC::DFG::SpeculativeJIT::cachedPutById):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::CellValue::CellValue):
(JSC::CCallHelpers::CellValue::gpr const):
(JSC::CCallHelpers::setupArgumentsImpl):
2018-04-11 Mark Lam <mark.lam@apple.com>
[Build fix] Replace CompactJITCodeMap with JITCodeMap.
https://bugs.webkit.org/show_bug.cgi?id=184512
<rdar://problem/35391728>
Not reviewed.
* bytecode/CodeBlock.h:
* jit/JITCodeMap.h:
2018-04-11 Mark Lam <mark.lam@apple.com>
Replace CompactJITCodeMap with JITCodeMap.
https://bugs.webkit.org/show_bug.cgi?id=184512
<rdar://problem/35391728>
Reviewed by Filip Pizlo.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.h:
(JSC::CodeBlock::setJITCodeMap):
(JSC::CodeBlock::jitCodeMap const):
(JSC::CodeBlock::jitCodeMap): Deleted.
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::adjustAndJumpToTarget):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
* jit/AssemblyHelpers.h:
* jit/CompactJITCodeMap.h: Removed.
* jit/JIT.cpp:
(JSC::JIT::link):
* jit/JITCodeMap.h: Added.
(JSC::JITCodeMap::Entry::Entry):
(JSC::JITCodeMap::Entry::bytecodeIndex const):
(JSC::JITCodeMap::Entry::codeLocation):
(JSC::JITCodeMap::append):
(JSC::JITCodeMap::finish):
(JSC::JITCodeMap::find const):
(JSC::JITCodeMap::operator bool const):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
2018-04-11 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Remove CompareSlowPathGenerator
https://bugs.webkit.org/show_bug.cgi?id=184492
Reviewed by Mark Lam.
Now CompareSlowPathGenerator is just calling a specified function.
This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.
We also remove some of unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
introducing a new constructor for GPRTemporary.
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGCompareSlowPathGenerator.h: Removed.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::GPRTemporary::GPRTemporary):
(JSC::DFG::SpeculativeJIT::compileIsCellWithType):
(JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
(JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
(JSC::DFG::SpeculativeJIT::compileIsObject):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::GPRTemporary::GPRTemporary):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2018-04-11 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, build fix for 32bit
https://bugs.webkit.org/show_bug.cgi?id=184236
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2018-04-11 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Remove duplicate 32bit code more
https://bugs.webkit.org/show_bug.cgi?id=184236
Reviewed by Mark Lam.
Remove duplicate 32bit code more aggressively part 2.
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGCompareSlowPathGenerator.h: Added.
(JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
Drop boxing part. Use unblessedBooleanResult in DFGSpeculativeJIT side instead.
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
(JSC::DFG::SpeculativeJIT::compileLoadVarargs):
(JSC::DFG::SpeculativeJIT::compileIsObject):
(JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
(JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
(JSC::DFG::SpeculativeJIT::compilePutById):
(JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
(JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
(JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
(JSC::DFG::SpeculativeJIT::compileGetDirectPname):
(JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
(JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
(JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
(JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
(JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
(): Deleted.
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
(JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
operationHasIndexedPropertyByInt starts returning unblessed boolean with size_t.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::loadValue):
(JSC::AssemblyHelpers::selectScratchGPR):
(JSC::AssemblyHelpers::constructRegisterSet):
* jit/RegisterSet.h:
(JSC::RegisterSet::setAny):
Clean up selectScratchGPR code to pass JSValueRegs.
2018-04-10 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Add support for BigInt in SpeculatedType
https://bugs.webkit.org/show_bug.cgi?id=182470
Reviewed by Saam Barati.
This patch introduces the SpecBigInt type to DFG to enable BigInt
speculation into DFG and FTL.
With SpecBigInt introduction, we can then specialize "===" operations
to BigInts. As we are doing for some cells, we first check if operands
are pointing to the same JSCell, and if it is false, we
fallback to "operationCompareStrictEqCell". The idea in further
patches is to implement BigInt equality check directly in
assembly.
We are also adding support for BigInt constant folding into
TypeOf operation.
* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationFromClassInfo):
(JSC::speculationFromStructure):
(JSC::speculationFromJSType):
(JSC::speculationFromString):
* bytecode/SpeculatedType.h:
(JSC::isBigIntSpeculation):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::set):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToThis):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
* dfg/DFGInferredTypeCheck.cpp:
(JSC::DFG::insertInferredTypeCheck):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateBigInt):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateBigInt):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isCell):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
(JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
(JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::branchIfNotType):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfBigInt):
(JSC::AssemblyHelpers::branchIfNotBigInt):
* runtime/InferredType.cpp:
(JSC::InferredType::Descriptor::forValue):
(JSC::InferredType::Descriptor::putByIdFlags const):
(JSC::InferredType::Descriptor::merge):
(WTF::printInternal):
* runtime/InferredType.h:
* runtime/JSBigInt.h:
2018-04-10 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix cloop build.
* dfg/DFGAbstractInterpreterClobberState.cpp:
2018-04-10 Mark Lam <mark.lam@apple.com>
Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
https://bugs.webkit.org/show_bug.cgi?id=184464
<rdar://problem/39323947>
Reviewed by Saam Barati.
* heap/MarkedSpace.h:
(JSC::MarkedSpace::sizeClassToIndex):
2018-04-09 Filip Pizlo <fpizlo@apple.com>
DFG AI and clobberize should agree with each other
https://bugs.webkit.org/show_bug.cgi?id=184440
Reviewed by Saam Barati.
One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
agree with each other. That's what this patch does: it adds an assertion that AI's structure
state tracking must be equivalent to JSCell_structureID being clobbered.
One subtlety is that AI sometimes folds away structure clobbering using information that
clobberize doesn't have. So, we track this wuth special kinds of AI states (FoldedClobber and
ObservedTransitions).
This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
clobberize missing a write(Heap).
This also makes some cases more precise in order to appease the assertion. Making things more
precise might make things faster, but I didn't measure it because that wasn't the goal.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* dfg/DFGAbstractInterpreter.h:
* dfg/DFGAbstractInterpreterClobberState.cpp: Added.
(WTF::printInternal):
* dfg/DFGAbstractInterpreterClobberState.h: Added.
(JSC::DFG::mergeClobberStates):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
* dfg/DFGAtTailAbstractState.h:
(JSC::DFG::AtTailAbstractState::setClobberState):
(JSC::DFG::AtTailAbstractState::mergeClobberState):
(JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performBlockCFA):
* dfg/DFGClobberSet.cpp:
(JSC::DFG::writeSet):
* dfg/DFGClobberSet.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::clobberState const):
(JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
(JSC::DFG::InPlaceAbstractState::didClobber const):
(JSC::DFG::InPlaceAbstractState::setClobberState):
(JSC::DFG::InPlaceAbstractState::mergeClobberState):
(JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
2018-04-10 Filip Pizlo <fpizlo@apple.com>
ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
https://bugs.webkit.org/show_bug.cgi?id=184460
<rdar://problem/37610966>
Reviewed by Mark Lam.
* bytecode/ExecutableToCodeBlockEdge.cpp:
(JSC::ExecutableToCodeBlockEdge::visitChildren):
2018-04-10 Filip Pizlo <fpizlo@apple.com>
REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
https://bugs.webkit.org/show_bug.cgi?id=184455
Reviewed by Michael Saboff.
LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
(AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
the thing being hoisted does have effects, then we get a crash.
In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
ComapreEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
effectful.
Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
clobberize to also think that CompareEq(Untyped:, _) is effectful.
This fixes the whole situation by teaching both clobberize and AI that the only effectful form
of CompareEq is ComapreEq(Untyped:, Untyped:).
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2018-04-09 Filip Pizlo <fpizlo@apple.com>
Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
https://bugs.webkit.org/show_bug.cgi?id=184372
Reviewed by Saam Barati.
We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
have already proved, using techniques that are more precise than AI, that the edge has type
Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
other than a check - so we think we can call those just because we should have already
bailed. It's better to think of them as the result of folding a check. Therefore, we should
only do it if there had been a check to begin with.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lowInt32):
(JSC::FTL::DFG::LowerDFGToB3::lowInt52):
(JSC::FTL::DFG::LowerDFGToB3::lowCell):
(JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
(JSC::FTL::DFG::LowerDFGToB3::lowDouble):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
(JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Introduce @putByIdDirectPrivate
https://bugs.webkit.org/show_bug.cgi?id=184400
Reviewed by Saam Barati.
This patch adds @putByIdDirectPrivate() to use it for builtin JS.
@getByIdDirectPrivate and @putByIdDirectPrivate are pair of intrinsics
accessing to ECMAScript internal fields.
This change removes accidental [[Put]] operation to an object whose [[Prototype]]
has internal fields (not direct properties). By using @getByIdDirectPrivate() and
@putByIdDirectPrivate(), we strongly keep the semantics of the ECMAScript internal
fields that accessing to the internal fields does not traverse prototype chains.
* builtins/ArrayIteratorPrototype.js:
(globalPrivate.arrayIteratorValueNext):
(globalPrivate.arrayIteratorKeyNext):
(globalPrivate.arrayIteratorKeyValueNext):
* builtins/ArrayPrototype.js:
(globalPrivate.createArrayIterator):
* builtins/AsyncFromSyncIteratorPrototype.js:
(globalPrivate.AsyncFromSyncIteratorConstructor):
* builtins/AsyncFunctionPrototype.js:
(globalPrivate.asyncFunctionResume):
* builtins/AsyncGeneratorPrototype.js:
(globalPrivate.asyncGeneratorQueueEnqueue):
(globalPrivate.asyncGeneratorQueueDequeue):
(asyncGeneratorYieldAwaited):
(globalPrivate.asyncGeneratorYield):
(globalPrivate.doAsyncGeneratorBodyCall):
(globalPrivate.asyncGeneratorResumeNext):
* builtins/GeneratorPrototype.js:
(globalPrivate.generatorResume):
* builtins/MapIteratorPrototype.js:
(globalPrivate.mapIteratorNext):
* builtins/MapPrototype.js:
(globalPrivate.createMapIterator):
* builtins/ModuleLoaderPrototype.js:
(forceFulfillPromise):
* builtins/PromiseOperations.js:
(globalPrivate.newHandledRejectedPromise):
(globalPrivate.rejectPromise):
(globalPrivate.fulfillPromise):
(globalPrivate.initializePromise):
* builtins/PromisePrototype.js:
(then):
* builtins/SetIteratorPrototype.js:
(globalPrivate.setIteratorNext):
* builtins/SetPrototype.js:
(globalPrivate.createSetIterator):
* builtins/StringIteratorPrototype.js:
(next):
* bytecode/BytecodeIntrinsicRegistry.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
2018-04-09 Mark Lam <mark.lam@apple.com>
Decorate method table entries to support pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=184430
<rdar://problem/39296190>
Reviewed by Saam Barati.
* runtime/ClassInfo.h:
2018-04-09 Michael Catanzaro <mcatanzaro@igalia.com>
[WPE] Don't install JSC C API headers
https://bugs.webkit.org/show_bug.cgi?id=184375
Reviewed by Žan Doberšek.
None of the functions declared in these headers are exported in WPE. Use the new jsc API
instead.
* PlatformWPE.cmake:
2018-04-08 Mark Lam <mark.lam@apple.com>
Add pointer profiling to the FTL and supporting code.
https://bugs.webkit.org/show_bug.cgi?id=184395
<rdar://problem/39264019>
Reviewed by Michael Saboff and Filip Pizlo.
* assembler/CodeLocation.h:
(JSC::CodeLocationLabel::retagged):
(JSC::CodeLocationJump::retagged):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::locationOf):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLExceptionTarget.cpp:
(JSC::FTL::ExceptionTarget::label):
(JSC::FTL::ExceptionTarget::jumps):
* ftl/FTLExceptionTarget.h:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::executableAddressAtOffset):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::~LazySlowPath):
(JSC::FTL::LazySlowPath::initialize):
(JSC::FTL::LazySlowPath::generate):
(JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
* ftl/FTLLazySlowPath.h:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
(JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLOSRExitHandle.cpp:
(JSC::FTL::OSRExitHandle::emitExitThunk):
* ftl/FTLOperations.cpp:
(JSC::FTL::compileFTLLazySlowPath):
* ftl/FTLOutput.h:
(JSC::FTL::Output::callWithoutSideEffects):
(JSC::FTL::Output::operation):
* ftl/FTLPatchpointExceptionHandle.cpp:
(JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
* ftl/FTLSlowPathCall.cpp:
(JSC::FTL::SlowPathCallContext::makeCall):
* ftl/FTLSlowPathCallKey.h:
(JSC::FTL::SlowPathCallKey::withCallTarget):
(JSC::FTL::SlowPathCallKey::callPtrTag const):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::osrExitGenerationThunkGenerator):
(JSC::FTL::lazySlowPathGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* jit/Repatch.cpp:
(JSC::readPutICCallTarget):
(JSC::ftlThunkAwareRepatchCall):
(JSC::tryCacheGetByID):
(JSC::repatchGetByID):
(JSC::tryCachePutByID):
(JSC::repatchPutByID):
(JSC::repatchIn):
(JSC::resetGetByID):
(JSC::resetPutByID):
(JSC::readCallTarget): Deleted.
* jit/Repatch.h:
* runtime/PtrTag.h:
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, attempt to fix Windows build
https://bugs.webkit.org/show_bug.cgi?id=183508
* jit/JIT.h:
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, build fix for Windows by suppressing padding warning for JIT
https://bugs.webkit.org/show_bug.cgi?id=183508
* jit/JIT.h:
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
Use alignas instead of compiler-specific attributes
https://bugs.webkit.org/show_bug.cgi?id=183508
Reviewed by Mark Lam.
Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
* heap/RegisterState.h:
* jit/JIT.h:
(JSC::JIT::compile): Deleted.
(JSC::JIT::compileGetByVal): Deleted.
(JSC::JIT::compileGetByValWithCachedId): Deleted.
(JSC::JIT::compilePutByVal): Deleted.
(JSC::JIT::compileDirectPutByVal): Deleted.
(JSC::JIT::compilePutByValWithCachedId): Deleted.
(JSC::JIT::compileHasIndexedProperty): Deleted.
(JSC::JIT::appendCall): Deleted.
(JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
(JSC::JIT::exceptionCheck): Deleted.
(JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
(JSC::JIT::emitInt32Load): Deleted.
(JSC::JIT::emitInt32GetByVal): Deleted.
(JSC::JIT::emitInt32PutByVal): Deleted.
(JSC::JIT::emitDoublePutByVal): Deleted.
(JSC::JIT::emitContiguousPutByVal): Deleted.
(JSC::JIT::emitStoreCell): Deleted.
(JSC::JIT::getSlowCase): Deleted.
(JSC::JIT::linkSlowCase): Deleted.
(JSC::JIT::linkDummySlowCase): Deleted.
(JSC::JIT::linkAllSlowCases): Deleted.
(JSC::JIT::callOperation): Deleted.
(JSC::JIT::callOperationWithProfile): Deleted.
(JSC::JIT::callOperationWithResult): Deleted.
(JSC::JIT::callOperationNoExceptionCheck): Deleted.
(JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
(JSC::JIT::emitEnterOptimizationCheck): Deleted.
(JSC::JIT::sampleCodeBlock): Deleted.
(JSC::JIT::canBeOptimized): Deleted.
(JSC::JIT::canBeOptimizedOrInlined): Deleted.
(JSC::JIT::shouldEmitProfiling): Deleted.
* runtime/VM.h:
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, follow-up patch for DFG 32bit
https://bugs.webkit.org/show_bug.cgi?id=183970
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Fix incorrect assertion for VM's regexp buffer lock
https://bugs.webkit.org/show_bug.cgi?id=184398
Reviewed by Mark Lam.
isLocked check before taking a lock is incorrect.
* runtime/VM.cpp:
(JSC::VM::acquireRegExpPatternContexBuffer):
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Introduce op_get_by_id_direct
https://bugs.webkit.org/show_bug.cgi?id=183970
Reviewed by Filip Pizlo.
This patch introduces op_get_by_id_direct bytecode. This is super similar to op_get_by_id.
But it just performs [[GetOwnProperty]] operation instead of [[Get]]. We support this
in all the tiers, so using this opcode does not lead to inefficiency.
Main purpose of this op_get_by_id_direct is using it for private properties. We are using
properties indexed with private symbols to implement ECMAScript internal fields. Before this
patch, we just use get and put operations. However, it is not the correct semantics: accessing
to the internal fields should not traverse prototype chain, which is specified in the spec.
We use op_get_by_id_direct to access to properties which are used internal fields, so that
prototype chains are not traversed.
To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
bytecode `op_get_by_id_direct, object, @name`.
* builtins/ArrayIteratorPrototype.js:
(next):
(globalPrivate.arrayIteratorValueNext):
(globalPrivate.arrayIteratorKeyNext):
(globalPrivate.arrayIteratorKeyValueNext):
* builtins/AsyncFromSyncIteratorPrototype.js:
* builtins/AsyncFunctionPrototype.js:
(globalPrivate.asyncFunctionResume):
* builtins/AsyncGeneratorPrototype.js:
(globalPrivate.asyncGeneratorQueueIsEmpty):
(globalPrivate.asyncGeneratorQueueEnqueue):
(globalPrivate.asyncGeneratorQueueDequeue):
(globalPrivate.asyncGeneratorDequeue):
(globalPrivate.isExecutionState):
(globalPrivate.isSuspendYieldState):
(globalPrivate.asyncGeneratorReject):
(globalPrivate.asyncGeneratorResolve):
(globalPrivate.doAsyncGeneratorBodyCall):
(globalPrivate.asyncGeneratorEnqueue):
* builtins/GeneratorPrototype.js:
(globalPrivate.generatorResume):
(next):
(return):
(throw):
* builtins/MapIteratorPrototype.js:
(next):
* builtins/PromiseOperations.js:
(globalPrivate.isPromise):
(globalPrivate.rejectPromise):
(globalPrivate.fulfillPromise):
* builtins/PromisePrototype.js:
(then):
* builtins/SetIteratorPrototype.js:
(next):
* builtins/StringIteratorPrototype.js:
(next):
* builtins/TypedArrayConstructor.js:
(of):
(from):
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeIntrinsicRegistry.h:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::finalizeLLIntInlineCaches):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
(JSC::GetByIdStatus::computeFor):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::reset):
* bytecode/StructureStubInfo.h:
(JSC::appropriateOptimizingGetByIdFunction):
(JSC::appropriateGenericGetByIdFunction):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitDirectGetById):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToGetByOffset):
(JSC::DFG::Node::convertToMultiGetByOffset):
(JSC::DFG::Node::hasIdentifier):
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetById):
(JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
(JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetById):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
(JSC::FTL::DFG::LowerDFGToB3::getById):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_id_direct):
(JSC::JIT::emitSlow_op_get_by_id_direct):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_id_direct):
(JSC::JIT::emitSlow_op_get_by_id_direct):
* jit/Repatch.cpp:
(JSC::appropriateOptimizingGetByIdFunction):
(JSC::appropriateGetByIdFunction):
(JSC::tryCacheGetByID):
(JSC::repatchGetByID):
(JSC::appropriateGenericGetByIdFunction): Deleted.
* jit/Repatch.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::getOwnPropertySlot const):
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::getOwnPropertySlotInline):
2018-04-07 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove several asXXX functions
https://bugs.webkit.org/show_bug.cgi?id=184355
Reviewed by JF Bastien.
Remove asActivation, asInternalFunction, and asGetterSetter.
Use jsCast<> / jsDynamicCast<> consistently.
* runtime/ArrayConstructor.cpp:
(JSC::constructArrayWithSizeQuirk):
* runtime/AsyncFunctionConstructor.cpp:
(JSC::callAsyncFunctionConstructor):
(JSC::constructAsyncFunctionConstructor):
* runtime/AsyncGeneratorFunctionConstructor.cpp:
(JSC::callAsyncGeneratorFunctionConstructor):
(JSC::constructAsyncGeneratorFunctionConstructor):
* runtime/BooleanConstructor.cpp:
(JSC::constructWithBooleanConstructor):
* runtime/DateConstructor.cpp:
(JSC::constructWithDateConstructor):
* runtime/ErrorConstructor.cpp:
(JSC::Interpreter::constructWithErrorConstructor):
(JSC::Interpreter::callErrorConstructor):
* runtime/FunctionConstructor.cpp:
(JSC::constructWithFunctionConstructor):
(JSC::callFunctionConstructor):
* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncToString):
* runtime/GeneratorFunctionConstructor.cpp:
(JSC::callGeneratorFunctionConstructor):
(JSC::constructGeneratorFunctionConstructor):
* runtime/GetterSetter.h:
(JSC::asGetterSetter): Deleted.
* runtime/InternalFunction.h:
(JSC::asInternalFunction): Deleted.
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayView):
* runtime/JSLexicalEnvironment.h:
(JSC::asActivation): Deleted.
* runtime/JSObject.cpp:
(JSC::validateAndApplyPropertyDescriptor):
* runtime/MapConstructor.cpp:
(JSC::constructMap):
* runtime/PropertyDescriptor.cpp:
(JSC::PropertyDescriptor::setDescriptor):
* runtime/RegExpConstructor.cpp:
(JSC::constructWithRegExpConstructor):
(JSC::callRegExpConstructor):
* runtime/SetConstructor.cpp:
(JSC::constructSet):
* runtime/StringConstructor.cpp:
(JSC::constructWithStringConstructor):
* runtime/WeakMapConstructor.cpp:
(JSC::constructWeakMap):
* runtime/WeakSetConstructor.cpp:
(JSC::constructWeakSet):
* wasm/js/WebAssemblyCompileErrorConstructor.cpp:
(JSC::constructJSWebAssemblyCompileError):
(JSC::callJSWebAssemblyCompileError):
* wasm/js/WebAssemblyLinkErrorConstructor.cpp:
(JSC::constructJSWebAssemblyLinkError):
(JSC::callJSWebAssemblyLinkError):
* wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
(JSC::constructJSWebAssemblyRuntimeError):
(JSC::callJSWebAssemblyRuntimeError):
2018-04-05 Mark Lam <mark.lam@apple.com>
MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
https://bugs.webkit.org/show_bug.cgi?id=184347
<rdar://problem/39183165>
Reviewed by Michael Saboff.
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
(JSC::MacroAssemblerCodePtr::retagged const):
2018-04-05 Stanislav Ocovaj <stanislav.ocovaj@rt-rk.com>
[MIPS] Optimize generated JIT code for branches
https://bugs.webkit.org/show_bug.cgi?id=183130
Reviewed by Yusuke Suzuki.
The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
However, this adds a significant overhead for all other types of branches. Since these nop's
protect the code that is generated by branchPtrWithPatch, this function seems like a better
place to add them.
* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::repatchInt32):
(JSC::MIPSAssembler::revertJumpToMove):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branchAdd32):
(JSC::MacroAssemblerMIPS::branchMul32):
(JSC::MacroAssemblerMIPS::branchSub32):
(JSC::MacroAssemblerMIPS::branchNeg32):
(JSC::MacroAssemblerMIPS::branchPtrWithPatch):
(JSC::MacroAssemblerMIPS::branchEqual):
(JSC::MacroAssemblerMIPS::branchNotEqual):
2018-04-05 Yusuke Suzuki <utatane.tea@gmail.com>
[WTF] Remove StaticLock
https://bugs.webkit.org/show_bug.cgi?id=184332
Reviewed by Mark Lam.
* API/JSValue.mm:
(handerForStructTag):
* API/JSVirtualMachine.mm:
(+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
(+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
* API/glib/JSCVirtualMachine.cpp:
(addWrapper):
(removeWrapper):
* assembler/testmasm.cpp:
* b3/air/testair.cpp:
* b3/testb3.cpp:
* bytecode/SuperSampler.cpp:
* dfg/DFGCommon.cpp:
* dfg/DFGCommonData.cpp:
* dynbench.cpp:
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::tryCopyOtherThreadStacks):
* inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
(Inspector::RemoteTargetHandleRunSourceGlobal):
(Inspector::RemoteTargetQueueTaskOnGlobalQueue):
* interpreter/CLoopStack.cpp:
* parser/SourceProvider.cpp:
* profiler/ProfilerDatabase.cpp:
* profiler/ProfilerUID.cpp:
(JSC::Profiler::UID::create):
* runtime/IntlObject.cpp:
(JSC::numberingSystemsForLocale):
* runtime/JSLock.cpp:
* runtime/JSLock.h:
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::registerForReportAtExit):
* runtime/VM.cpp:
* wasm/WasmFaultSignalHandler.cpp:
2018-04-04 Mark Lam <mark.lam@apple.com>
Add pointer profiling support to the DFG and supporting files.
https://bugs.webkit.org/show_bug.cgi?id=184316
<rdar://problem/39188524>
Reviewed by Filip Pizlo.
1. Profile lots of pointers with PtrTags.
2. Remove PtrTag.cpp and make ptrTagName() into an inline function. It's only
used for debugging anyway, and not normally called in the code. Making it
an inline function prevents it from taking up code space in builds when not in
use.
3. Change the call to the the arityFixupThunk in DFG code to be a near call.
It doesn't need to be a far call.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* assembler/testmasm.cpp:
(JSC::testProbeModifiesProgramCounter):
* b3/B3LowerMacros.cpp:
* b3/air/AirCCallSpecial.cpp:
(JSC::B3::Air::CCallSpecial::generate):
* b3/air/AirCCallSpecial.h:
* b3/testb3.cpp:
(JSC::B3::testInterpreter):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/HandlerInfo.h:
(JSC::HandlerInfo::initialize):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileExceptionHandlers):
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::compileFunction):
(JSC::DFG::JITCompiler::noticeCatchEntrypoint):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::appendCall):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::adjustAndJumpToTarget):
(JSC::DFG::OSRExit::emitRestoreArguments):
(JSC::DFG::OSRExit::compileOSRExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::osrWriteBarrier):
(JSC::DFG::adjustAndJumpToTarget):
* dfg/DFGOperations.cpp:
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
(JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
(JSC::DFG::slowPathCall):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileMathIC):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::appendCall):
(JSC::DFG::SpeculativeJIT::appendCallSetResult):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitThunkGenerator):
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitDumbVirtualCall):
* jit/JIT.cpp:
(JSC::JIT::emitEnterOptimizationCheck):
(JSC::JIT::compileWithoutLinking):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCallSlowCase):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_catch):
(JSC::JIT::emitSlow_op_loop_hint):
* jit/JITOperations.cpp:
* jit/Repatch.cpp:
(JSC::linkSlowFor):
(JSC::linkFor):
(JSC::revertCall):
(JSC::unlinkFor):
(JSC::linkVirtualFor):
(JSC::linkPolymorphicCall):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::linkCallThunkGenerator):
(JSC::linkPolymorphicCallThunkGenerator):
(JSC::virtualThunkFor):
(JSC::arityFixupGenerator):
(JSC::unreachableGenerator):
* runtime/PtrTag.cpp: Removed.
* runtime/PtrTag.h:
(JSC::ptrTagName):
* runtime/VMEntryScope.cpp:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
2018-04-04 Filip Pizlo <fpizlo@apple.com>
REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
https://bugs.webkit.org/show_bug.cgi?id=184319
Reviewed by Saam Barati.
In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
the ArrayPush.
But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with a InBounds
GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
with a GetByVal(SaneChain), then we will hit the assertion.
This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
* dfg/DFGCSEPhase.cpp:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArrayPush):
2018-04-04 Filip Pizlo <fpizlo@apple.com>
Remove poisoning of typed array vector
https://bugs.webkit.org/show_bug.cgi?id=184313
Reviewed by Saam Barati.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::checkArray):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/x86.rb:
* runtime/CagedBarrierPtr.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
(JSC::JSArrayBufferView::finalize):
(JSC::JSArrayBufferView::neuter):
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::vector const):
(JSC::JSArrayBufferView::offsetOfVector):
(JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
(JSC::JSArrayBufferView::poisonFor): Deleted.
(JSC::JSArrayBufferView::Poison::key): Deleted.
* runtime/JSCPoison.cpp:
(JSC::initializePoison):
* runtime/JSCPoison.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSObject.h:
2018-04-03 Filip Pizlo <fpizlo@apple.com>
Don't do index masking or poisoning for DirectArguments
https://bugs.webkit.org/show_bug.cgi?id=184280
Reviewed by Saam Barati.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
* dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
(JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
* dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetFromArguments):
(JSC::DFG::SpeculativeJIT::compilePutToArguments):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
(JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
* heap/SecurityKind.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_from_arguments):
(JSC::JIT::emit_op_put_to_arguments):
(JSC::JIT::emitDirectArgumentsGetByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_from_arguments):
(JSC::JIT::emit_op_put_to_arguments):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::DirectArguments):
(JSC::DirectArguments::createUninitialized):
(JSC::DirectArguments::create):
(JSC::DirectArguments::createByCopying):
(JSC::DirectArguments::estimatedSize):
(JSC::DirectArguments::visitChildren):
(JSC::DirectArguments::overrideThings):
(JSC::DirectArguments::copyToArguments):
(JSC::DirectArguments::mappedArgumentsSize):
* runtime/DirectArguments.h:
* runtime/JSCPoison.h:
* runtime/JSLexicalEnvironment.h:
* runtime/JSSymbolTableObject.h:
2018-04-03 Filip Pizlo <fpizlo@apple.com>
JSArray::appendMemcpy seems to be missing a barrier
https://bugs.webkit.org/show_bug.cgi?id=184290
Reviewed by Mark Lam.
If you write to an array that may contain pointers and you didn't just allocate it, then you need to
barrier right after.
I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):
2018-04-03 Filip Pizlo <fpizlo@apple.com>
GC shouldn't do object distancing
https://bugs.webkit.org/show_bug.cgi?id=184195
Reviewed by Saam Barati.
This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
to be a small speed-up.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::findBlockForAllocation):
(JSC::BlockDirectory::addBlock):
* heap/BlockDirectory.h:
* heap/CellAttributes.cpp:
(JSC::CellAttributes::dump const):
* heap/CellAttributes.h:
(JSC::CellAttributes::CellAttributes):
* heap/LocalAllocator.cpp:
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToDirectory):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
* heap/SecurityKind.cpp: Removed.
* heap/SecurityKind.h: Removed.
* heap/SecurityOriginToken.cpp: Removed.
* heap/SecurityOriginToken.h: Removed.
* heap/ThreadLocalCache.cpp:
(JSC::ThreadLocalCache::create):
(JSC::ThreadLocalCache::ThreadLocalCache):
* heap/ThreadLocalCache.h:
(JSC::ThreadLocalCache::securityOriginToken const): Deleted.
* runtime/JSDestructibleObjectHeapCellType.cpp:
(JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::threadLocalCache const): Deleted.
* runtime/JSSegmentedVariableObjectHeapCellType.cpp:
(JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
* runtime/JSStringHeapCellType.cpp:
(JSC::JSStringHeapCellType::JSStringHeapCellType):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
(JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
2018-04-02 Saam Barati <sbarati@apple.com>
bmalloc should compute its own estimate of its footprint
https://bugs.webkit.org/show_bug.cgi?id=184121
Reviewed by Filip Pizlo.
* heap/IsoAlignedMemoryAllocator.cpp:
(JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
(JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
(JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
2018-04-02 Mark Lam <mark.lam@apple.com>
We should not trash the stack pointer on OSR entry.
https://bugs.webkit.org/show_bug.cgi?id=184243
<rdar://problem/39114319>
Reviewed by Filip Pizlo.
In the DFG OSR entry path, we momentarily over-write the stack pointer with
returnValueGPR2. returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
Hence, this assignment is wrong, and it turns out to be unnecessary as well.
The stack pointer does get corrected later in the thunk (generated by
osrEntryThunkGenerator()) that we jump to. This is why we don't see ill-effects
so far.
This bug only poses an issue if interrupts use the user stack for their stack
frame (e.g. linux), and when we do stack alignment tests during debugging.
The fix is simply to remove the assignment.
* dfg/DFGThunks.cpp:
(JSC::DFG::osrEntryThunkGenerator):
* jit/JIT.cpp:
(JSC::JIT::emitEnterOptimizationCheck):
2018-04-02 Stanislav Ocovaj <stanislav.ocovaj@rt-rk.com>
[MIPS] Optimize JIT code generated by methods with TrustedImm32 operand
https://bugs.webkit.org/show_bug.cgi?id=183740
Reviewed by Yusuke Suzuki.
In many macro assembler methods with TrustedImm32 operand a move imm, immTemp (pseudo)instruction is
first generated and a register operand variant of the same method is called to generate the rest
of the code. If the immediate value can fit in 16 bits then we can skip the move instruction and
generate more efficient code using MIPS instructions with immediate operand.
* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::slti):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::lshift32):
(JSC::MacroAssemblerMIPS::xor32):
(JSC::MacroAssemblerMIPS::branch8):
(JSC::MacroAssemblerMIPS::compare8):
(JSC::MacroAssemblerMIPS::branch32):
(JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
(JSC::MacroAssemblerMIPS::branchTest32):
(JSC::MacroAssemblerMIPS::mask8OnTest):
(JSC::MacroAssemblerMIPS::branchTest8):
(JSC::MacroAssemblerMIPS::branchAdd32):
(JSC::MacroAssemblerMIPS::branchNeg32):
(JSC::MacroAssemblerMIPS::compare32):
(JSC::MacroAssemblerMIPS::test8):
2018-04-02 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] More aggressive removal of duplicate 32bit DFG code
https://bugs.webkit.org/show_bug.cgi?id=184089
Reviewed by Saam Barati.
This patch more aggressively removes duplicate 32bit DFG code
by leveraging JSValueRegs and meta-programmed callOperation.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValWithThis):
(JSC::DFG::SpeculativeJIT::compileArithMinMax):
(JSC::DFG::SpeculativeJIT::compileNewArray):
(JSC::DFG::SpeculativeJIT::compileCheckCell):
(JSC::DFG::SpeculativeJIT::compileGetGlobalVariable):
(JSC::DFG::SpeculativeJIT::compilePutGlobalVariable):
(JSC::DFG::SpeculativeJIT::compileGetClosureVar):
(JSC::DFG::SpeculativeJIT::compilePutClosureVar):
(JSC::DFG::SpeculativeJIT::compileGetByOffset):
(JSC::DFG::SpeculativeJIT::compilePutByOffset):
(JSC::DFG::SpeculativeJIT::compileGetExecutable):
(JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
(JSC::DFG::SpeculativeJIT::compileToThis):
(JSC::DFG::SpeculativeJIT::compileIdentity):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2018-04-01 Filip Pizlo <fpizlo@apple.com>
Raise the for-call inlining threshold to 190 to fix JetStream/richards regression
https://bugs.webkit.org/show_bug.cgi?id=184228
Reviewed by Yusuke Suzuki.
* runtime/Options.h:
2018-03-31 Filip Pizlo <fpizlo@apple.com>
JSObject shouldn't do index masking
https://bugs.webkit.org/show_bug.cgi?id=184194
Reviewed by Yusuke Suzuki.
Remove index masking, because it's not the way we'll mitigate Spectre.
* API/tests/JSObjectGetProxyTargetTest.cpp:
(testJSObjectGetProxyTarget):
* b3/B3LowerToAir.cpp:
* b3/B3Validate.cpp:
* b3/B3WasmBoundsCheckValue.cpp:
(JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
(JSC::B3::WasmBoundsCheckValue::dumpMeta const):
* b3/B3WasmBoundsCheckValue.h:
(JSC::B3::WasmBoundsCheckValue::bounds const):
(JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): Deleted.
* b3/testb3.cpp:
(JSC::B3::testWasmBoundsCheck):
(JSC::B3::run):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::handleNode):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileCreateActivation):
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
(JSC::DFG::SpeculativeJIT::compileNewStringObject):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
(JSC::DFG::SpeculativeJIT::compileNewRegexp):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
(JSC::DFG::SpeculativeJIT::compileNewObject):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
(JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::maskedIndex): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask): Deleted.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
(JSC::AssemblyHelpers::emitAllocateDestructibleObject):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* jit/JITOperations.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/Butterfly.h:
(JSC::ContiguousData::at const):
(JSC::ContiguousData::at):
(JSC::Butterfly::computeIndexingMask const): Deleted.
* runtime/ButterflyInlines.h:
(JSC::ContiguousData<T>::at const): Deleted.
(JSC::ContiguousData<T>::at): Deleted.
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
* runtime/JSArrayInlines.h:
(JSC::JSArray::pushInline):
* runtime/JSFixedArray.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertySlotByIndex):
(JSC::JSObject::putByIndex):
(JSC::JSObject::createInitialUndecided):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToContiguous):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::createInitialForValueAndSet):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::countElements):
(JSC::JSObject::increaseVectorLength):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::reallocateAndShrinkButterfly):
(JSC::JSObject::getEnumerableLength):
* runtime/JSObject.h:
(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly const):
(JSC::JSObject::setIndexQuickly):
(JSC::JSObject::initializeIndex):
(JSC::JSObject::initializeIndexWithoutBarrier):
(JSC::JSObject::butterflyOffset):
(JSC::JSObject::setButterfly):
(JSC::JSObject::nukeStructureAndSetButterfly):
(JSC::JSObject::JSObject):
(JSC::JSObject::butterflyIndexingMaskOffset): Deleted.
(JSC::JSObject::butterflyIndexingMask const): Deleted.
(JSC::JSObject::setButterflyWithIndexingMask): Deleted.
* runtime/JSObjectInlines.h:
(JSC::JSObject::prepareToPutDirectWithoutTransition):
(JSC::JSObject::putDirectInternal):
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
(JSC::Wasm::B3IRGenerator::load):
(JSC::Wasm::B3IRGenerator::store):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmInstance.h:
(JSC::Wasm::Instance::updateCachedMemory):
(JSC::Wasm::Instance::offsetOfCachedMemorySize):
(JSC::Wasm::Instance::offsetOfCachedIndexingMask): Deleted.
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::Memory):
(JSC::Wasm::Memory::grow):
* wasm/WasmMemory.h:
(JSC::Wasm::Memory::size const):
(JSC::Wasm::Memory::offsetOfSize):
(JSC::Wasm::Memory::indexingMask): Deleted.
(JSC::Wasm::Memory::offsetOfIndexingMask): Deleted.
* wasm/WasmMemoryInformation.cpp:
(JSC::Wasm::PinnedRegisterInfo::get):
(JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
* wasm/WasmMemoryInformation.h:
(JSC::Wasm::PinnedRegisterInfo::toSave const):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
2018-03-31 Filip Pizlo <fpizlo@apple.com>
JSC crash in JIT code with for-of loop and Array/Set iterators
https://bugs.webkit.org/show_bug.cgi?id=183174
Reviewed by Saam Barati.
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.
2018-03-30 Filip Pizlo <fpizlo@apple.com>
Strings and Vectors shouldn't do index masking
https://bugs.webkit.org/show_bug.cgi?id=184193
Reviewed by Mark Lam.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
* jit/ThunkGenerators.cpp:
(JSC::stringCharLoad):
2018-03-30 Mark Lam <mark.lam@apple.com>
Add pointer profiling support in baseline JIT and supporting files.
https://bugs.webkit.org/show_bug.cgi?id=184200
<rdar://problem/39057300>
Reviewed by Filip Pizlo.
1. To simplify pointer profiling support, vmEntryToJavaScript() now always enters
the code via the arity check entry.
2. To accommodate (1), all JITCode must now populate their arity check entry code
pointers as well. For native code, programs, evals, and modules that don't
do arity check, we set the normal entry as the arity check entry (though with
the CodeEntryWithArityCheckPtrTag profile instead).
* assembler/AbstractMacroAssembler.h:
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::locationOfNearCall):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::readCallTarget):
(JSC::MacroAssemblerARM64::linkCall):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/AccessCaseSnippetParams.cpp:
(JSC::SlowPathCallGeneratorWithArguments::generateImpl):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::addJITAddIC):
(JSC::CodeBlock::addJITMulIC):
(JSC::CodeBlock::addJITSubIC):
(JSC::CodeBlock::addJITNegIC):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::addMathIC):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::rewireStubAsJump):
* bytecode/LLIntCallLinkInfo.h:
(JSC::LLIntCallLinkInfo::unlink):
(): Deleted.
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::emitExplicitExceptionHandler):
(JSC::PolymorphicAccess::regenerate):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
* disassembler/ARM64Disassembler.cpp:
(JSC::tryToDisassemble):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
(JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
* heap/JITStubRoutineSet.h:
(JSC::JITStubRoutineSet::mark):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::callExceptionFuzz):
(JSC::AssemblyHelpers::debugCall):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitFunctionPrologue):
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::ensureShadowChickenPacket):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::prepareForTailCallSlow):
* jit/CallFrameShuffler.cpp:
(JSC::CallFrameShuffler::prepareForTailCall):
* jit/ExecutableAllocator.cpp:
(JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
* jit/ExecutableAllocator.h:
(JSC::performJITMemcpy):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::link):
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_negate):
(JSC::JIT::emit_op_add):
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):
(JSC::JIT::emit_op_mul):
(JSC::JIT::emit_op_sub):
* jit/JITCode.cpp:
(JSC::JITCode::execute):
(JSC::JITCodeWithCodeRef::executableAddressAtOffset):
(JSC::DirectJITCode::DirectJITCode):
(JSC::DirectJITCode::initializeCodeRef):
(JSC::NativeJITCode::addressForCall):
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
(JSC::JITBinaryMathIC::JITBinaryMathIC):
(JSC::JITUnaryMathIC::JITUnaryMathIC):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emitSlow_op_has_indexed_property):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOperations.cpp:
(JSC::getByVal):
(JSC::tryGetByValOptimize):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emitGetByValWithCachedId):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitPutByValWithCachedId):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::emitSlow_op_try_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITThunks.cpp:
(JSC::JITThunks::hostFunctionStub):
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
(JSC::repatchGetByID):
(JSC::appropriateOptimizingPutByIdFunction):
(JSC::tryCachePutByID):
(JSC::repatchPutByID):
(JSC::linkFor):
(JSC::revertCall):
(JSC::linkPolymorphicCall):
(JSC::resetGetByID):
(JSC::resetPutByID):
* jit/Repatch.h:
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
(JSC::SpecializedThunkJIT::callDoubleToDouble):
* jit/ThunkGenerators.cpp:
(JSC::emitPointerValidation):
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::slowPathFor):
(JSC::linkCallThunkGenerator): Deleted.
(JSC::linkPolymorphicCallThunkGenerator): Deleted.
(JSC::virtualThunkFor): Deleted.
(JSC::nativeForGenerator): Deleted.
(JSC::nativeCallGenerator): Deleted.
(JSC::nativeTailCallGenerator): Deleted.
(JSC::nativeTailCallWithoutSavedTagsGenerator): Deleted.
(JSC::nativeConstructGenerator): Deleted.
(JSC::internalFunctionCallGenerator): Deleted.
(JSC::internalFunctionConstructGenerator): Deleted.
(JSC::arityFixupGenerator): Deleted.
(JSC::unreachableGenerator): Deleted.
(JSC::stringCharLoad): Deleted.
(JSC::charToString): Deleted.
(JSC::charCodeAtThunkGenerator): Deleted.
(JSC::charAtThunkGenerator): Deleted.
(JSC::fromCharCodeThunkGenerator): Deleted.
(JSC::clz32ThunkGenerator): Deleted.
(JSC::sqrtThunkGenerator): Deleted.
(JSC::floorThunkGenerator): Deleted.
(JSC::ceilThunkGenerator): Deleted.
(JSC::truncThunkGenerator): Deleted.
(JSC::roundThunkGenerator): Deleted.
(JSC::expThunkGenerator): Deleted.
(JSC::logThunkGenerator): Deleted.
(JSC::absThunkGenerator): Deleted.
(JSC::imulThunkGenerator): Deleted.
(JSC::randomThunkGenerator): Deleted.
(JSC::boundThisNoArgsFunctionCallGenerator): Deleted.
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
(JSC::LLInt::getCodePtr):
* llint/LLIntEntrypoint.cpp:
(JSC::LLInt::setEvalEntrypoint):
(JSC::LLInt::setProgramEntrypoint):
(JSC::LLInt::setModuleProgramEntrypoint):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ExecutableBase.h:
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::finishCreation):
* runtime/NativeFunction.h:
(JSC::TaggedNativeFunction::TaggedNativeFunction):
(JSC::TaggedNativeFunction::operator NativeFunction):
* runtime/PropertySlot.h:
(JSC::PropertySlot::setCustom):
(JSC::PropertySlot::setCacheableCustom):
* runtime/PtrTag.h:
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::setCustomValue):
(JSC::PutPropertySlot::setCustomAccessor):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::takeSample):
* runtime/VMTraps.cpp:
(JSC::SignalContext::SignalContext):
(JSC::VMTraps::tryInstallTrapBreakpoints):
* tools/SigillCrashAnalyzer.cpp:
(JSC::installCrashHandler):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
(JSC::Yarr::YarrGenerator::generateEnter):
2018-03-30 Devin Rousso <webkit@devinrousso.com>
Web Inspector: tint all pixels drawn by shader program when hovering ShaderProgramTreeElement
https://bugs.webkit.org/show_bug.cgi?id=175223
Reviewed by Matt Baker.
* inspector/protocol/Canvas.json:
Add `setShaderProgramHighlighted` command that will cause a blend to be applied to the
canvas if the given shader program is active immediately before `drawArrays` or `drawElements`
is called. The blend is removed and the previous value is applied once the draw is complete.
2018-03-30 JF Bastien <jfbastien@apple.com>
WebAssembly: support DataView compilation
https://bugs.webkit.org/show_bug.cgi?id=183342
Reviewed by Mark Lam.
Compiling a module from a DataView was incorrectly dealing with
DataView's offset.
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parse):
* wasm/js/JSWebAssemblyHelpers.h:
(JSC::getWasmBufferFromValue):
(JSC::createSourceBufferFromValue):
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::webAssemblyValidateFunc):
2018-03-30 Filip Pizlo <fpizlo@apple.com>
Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
https://bugs.webkit.org/show_bug.cgi?id=184189
Reviewed by JF Bastien.
* bytecompiler/NodesCodegen.cpp:
(JSC::ResolveNode::emitBytecode):
2018-03-30 Mark Lam <mark.lam@apple.com>
Add pointer profiling support to Wasm.
https://bugs.webkit.org/show_bug.cgi?id=184175
<rdar://problem/39027923>
Reviewed by JF Bastien.
* runtime/PtrTag.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addGrowMemory):
(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::prepare):
(JSC::Wasm::BBQPlan::complete):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmBinding.h:
* wasm/WasmFaultSignalHandler.cpp:
(JSC::Wasm::trapHandler):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction):
* wasm/js/WebAssemblyFunction.h:
2018-03-30 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r230102.
Caused assertion failures on JSC bots.
Reverted changeset:
"A stack overflow in the parsing of a builtin (called by
createExecutable) cause a crash instead of a catchable js
exception"
https://bugs.webkit.org/show_bug.cgi?id=184074
https://trac.webkit.org/changeset/230102
2018-03-30 Robin Morisset <rmorisset@apple.com>
Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
https://bugs.webkit.org/show_bug.cgi?id=183812
Reviewed by Keith Miller.
The fix I landed for https://bugs.webkit.org/show_bug.cgi?id=181027 was flawed: I tried setting the bytecodeIndex for the new block on line 1679 (at the end of inlineCall), but it is going to be reset on line 6612 (in parseCodeBlock).
The fix is simply to make the block untargetable by default, and let parseCodeBlock make it targetable afterwards if it is a jump target.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::allocateTargetableBlock):
(JSC::DFG::ByteCodeParser::inlineCall):
2018-03-30 Robin Morisset <rmorisset@apple.com>
A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
https://bugs.webkit.org/show_bug.cgi?id=184074
<rdar://problem/37165897>
Reviewed by Keith Miller.
Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place.
It is surprisingly painful, with quite a long call stack between the last function with an access to an ExecState* and the first function with the ParserError.
Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts.
As a result, this patch is grotesquely large, while all it does is adding enough plumbing to throw a proper exception in this specific case.
There are now bare calls to '.value()' on several paths that may crash. It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow.
If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too.
Two other minor changes:
- I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead.
- I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Scripts/builtins/builtins_generate_combined_header.py:
(BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
(ParserError):
(generate_section_for_object): Deleted.
(generate_externs_for_object): Deleted.
(generate_macros_for_object): Deleted.
(generate_section_for_code_table_macro): Deleted.
(generate_section_for_code_name_macro): Deleted.
(generate_section_for_global_private_code_name_macro): Deleted.
* Scripts/builtins/builtins_generate_separate_header.py:
(generate_secondary_header_includes):
* Scripts/builtins/builtins_templates.py:
* Sources.txt:
* builtins/BuiltinExecutableCreator.cpp: Removed.
* builtins/BuiltinExecutableCreator.h: Removed.
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createDefaultConstructor):
(JSC::BuiltinExecutables::createBuiltinExecutable):
(JSC::createBuiltinExecutable):
(JSC::BuiltinExecutables::createExecutableOrCrash):
(JSC::BuiltinExecutables::createExecutable):
* builtins/BuiltinExecutables.h:
* bytecompiler/BytecodeGenerator.h:
* parser/ParserError.cpp: Added.
(JSC::ParserError::toErrorObject):
(JSC::ParserError::throwStackOverflowOrOutOfMemory):
(WTF::printInternal):
* parser/ParserError.h:
(JSC::ParserError::toErrorObject): Deleted.
(WTF::printInternal): Deleted.
* runtime/AsyncIteratorPrototype.cpp:
(JSC::AsyncIteratorPrototype::finishCreation):
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnStaticPropertySlot):
(JSC::JSObject::reifyAllStaticProperties):
* runtime/JSObject.h:
(JSC::JSObject::getOwnNonIndexPropertySlot):
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
* runtime/JSObjectInlines.h:
(JSC::JSObject::getNonIndexPropertySlot):
* runtime/JSTypedArrayViewPrototype.cpp:
(JSC::JSTypedArrayViewPrototype::finishCreation):
* runtime/Lookup.cpp:
(JSC::reifyStaticAccessor):
(JSC::setUpStaticFunctionSlot):
* runtime/Lookup.h:
(JSC::getStaticPropertySlotFromTable):
(JSC::reifyStaticProperty):
* runtime/MapPrototype.cpp:
(JSC::MapPrototype::finishCreation):
* runtime/SetPrototype.cpp:
(JSC::SetPrototype::finishCreation):
* tools/JSDollarVM.cpp:
(JSC::functionCreateBuiltin):
2018-03-30 Robin Morisset <rmorisset@apple.com>
Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
https://bugs.webkit.org/show_bug.cgi?id=183657
<rdar://problem/38464399>
Reviewed by Keith Miller.
There was just a missing check in unshiftCountForIndexingType.
I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path',
and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp).
Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk.
* runtime/ArrayPrototype.cpp:
(JSC::unshift):
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountWithAnyIndexingType):
* runtime/JSObject.h:
(JSC::JSObject::ensureLength):
2018-03-29 Mark Lam <mark.lam@apple.com>
Add some pointer profiling support to B3 and Air.
https://bugs.webkit.org/show_bug.cgi?id=184165
<rdar://problem/39022125>
Reviewed by JF Bastien.
* b3/B3LowerMacros.cpp:
* b3/B3LowerMacrosAfterOptimizations.cpp:
* b3/B3MathExtras.cpp:
* b3/B3ReduceStrength.cpp:
* b3/air/AirCCallSpecial.cpp:
(JSC::B3::Air::CCallSpecial::generate):
* b3/air/AirCCallSpecial.h:
* b3/testb3.cpp:
(JSC::B3::testCallSimple):
(JSC::B3::testCallRare):
(JSC::B3::testCallRareLive):
(JSC::B3::testCallSimplePure):
(JSC::B3::testCallFunctionWithHellaArguments):
(JSC::B3::testCallFunctionWithHellaArguments2):
(JSC::B3::testCallFunctionWithHellaArguments3):
(JSC::B3::testCallSimpleDouble):
(JSC::B3::testCallSimpleFloat):
(JSC::B3::testCallFunctionWithHellaDoubleArguments):
(JSC::B3::testCallFunctionWithHellaFloatArguments):
(JSC::B3::testLinearScanWithCalleeOnStack):
(JSC::B3::testInterpreter):
(JSC::B3::testLICMPure):
(JSC::B3::testLICMPureSideExits):
(JSC::B3::testLICMPureWritesPinned):
(JSC::B3::testLICMPureWrites):
(JSC::B3::testLICMReadsLocalState):
(JSC::B3::testLICMReadsPinned):
(JSC::B3::testLICMReads):
(JSC::B3::testLICMPureNotBackwardsDominant):
(JSC::B3::testLICMPureFoiledByChild):
(JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
(JSC::B3::testLICMExitsSideways):
(JSC::B3::testLICMWritesLocalState):
(JSC::B3::testLICMWrites):
(JSC::B3::testLICMFence):
(JSC::B3::testLICMWritesPinned):
(JSC::B3::testLICMControlDependent):
(JSC::B3::testLICMControlDependentNotBackwardsDominant):
(JSC::B3::testLICMControlDependentSideExits):
(JSC::B3::testLICMReadsPinnedWritesPinned):
(JSC::B3::testLICMReadsWritesDifferentHeaps):
(JSC::B3::testLICMReadsWritesOverlappingHeaps):
(JSC::B3::testLICMDefaultCall):
(JSC::B3::testShuffleDoesntTrashCalleeSaves):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
* jit/GPRInfo.h:
* runtime/PtrTag.h:
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
2018-03-29 JF Bastien <jfbastien@apple.com>
Use Forward.h instead of forward-declaring WTF::String
https://bugs.webkit.org/show_bug.cgi?id=184172
<rdar://problem/39026146>
Reviewed by Yusuke Suzuki.
As part of #184164 I'm changing WTF::String, and the forward
declarations are just wrong because I'm making it templated. We
should use Forward.h anyways, so do that instead.
* runtime/DateConversion.h:
2018-03-29 Mark Lam <mark.lam@apple.com>
Use MacroAssemblerCodePtr in Wasm code for code pointers instead of void*.
https://bugs.webkit.org/show_bug.cgi?id=184163
<rdar://problem/39020397>
Reviewed by JF Bastien.
With the use of MacroAssemblerCodePtr, we now get poisoning for Wasm code pointers.
Also renamed some structs, methods, and variable names to be more accurate.
Previously, there is some confusion between a code pointer and the address of a
code pointer (sometimes referred to in the code as a "LoadLocation"). We now name
the LoadLocation variables appropriately to distinguish them from code pointers.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmCodeBlock.cpp:
(JSC::Wasm::CodeBlock::CodeBlock):
* wasm/WasmCodeBlock.h:
(JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
(JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted.
* wasm/WasmFormat.h:
(JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction):
(JSC::Wasm::WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation):
(JSC::Wasm::CallableFunction::CallableFunction): Deleted.
(JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation): Deleted.
* wasm/WasmInstance.h:
(JSC::Wasm::Instance::offsetOfWasmEntrypointLoadLocation):
(JSC::Wasm::Instance::offsetOfWasmToEmbedderStub):
(JSC::Wasm::Instance::offsetOfWasmEntrypoint): Deleted.
(JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmTable.cpp:
(JSC::Wasm::Table::Table):
(JSC::Wasm::Table::grow):
(JSC::Wasm::Table::clearFunction):
(JSC::Wasm::Table::setFunction):
* wasm/WasmTable.h:
(JSC::Wasm::Table::offsetOfFunctions):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::finalizeCreation):
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::setFunction):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::create):
(JSC::WebAssemblyFunction::WebAssemblyFunction):
* wasm/js/WebAssemblyFunction.h:
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
(JSC::WebAssemblyModuleRecord::evaluate):
* wasm/js/WebAssemblyWrapperFunction.cpp:
(JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
(JSC::WebAssemblyWrapperFunction::create):
* wasm/js/WebAssemblyWrapperFunction.h:
2018-03-29 Yusuke Suzuki <utatane.tea@gmail.com>
Remove WTF_EXPORTDATA and JS_EXPORTDATA
https://bugs.webkit.org/show_bug.cgi?id=184170
Reviewed by JF Bastien.
Replace WTF_EXPORTDATA and JS_EXPORTDATA with
WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE respectively.
* heap/WriteBarrierSupport.h:
* jit/ExecutableAllocator.cpp:
* jit/ExecutableAllocator.h:
* runtime/JSCPoison.h:
* runtime/JSCell.h:
* runtime/JSExportMacros.h:
* runtime/JSGlobalObject.h:
* runtime/JSObject.h:
* runtime/Options.h:
* runtime/PropertyDescriptor.h:
* runtime/PropertyMapHashTable.h:
* runtime/SamplingCounter.h:
2018-03-29 Ross Kirsling <ross.kirsling@sony.com>
MSVC __forceinline slows down JSC release build fivefold after r229391
https://bugs.webkit.org/show_bug.cgi?id=184062
Reviewed by Alex Christensen.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::marshallArgumentRegister):
Exempt MSVC from a single forced inline used within recursive templates.
2018-03-29 Keith Miller <keith_miller@apple.com>
ArrayMode should not try to get the DFG to think it can convert TypedArrays
https://bugs.webkit.org/show_bug.cgi?id=184137
Reviewed by Saam Barati.
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::fromObserved):
2018-03-29 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r230062.
https://bugs.webkit.org/show_bug.cgi?id=184128
Broke mac port. web content process crashes while loading any
web page (Requested by rniwa on #webkit).
Reverted changeset:
"MSVC __forceinline slows down JSC release build fivefold
after r229391"
https://bugs.webkit.org/show_bug.cgi?id=184062
https://trac.webkit.org/changeset/230062
2018-03-28 Ross Kirsling <ross.kirsling@sony.com>
MSVC __forceinline slows down JSC release build fivefold after r229391
https://bugs.webkit.org/show_bug.cgi?id=184062
Reviewed by Alex Christensen.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::marshallArgumentRegister):
Exempt MSVC from a single forced inline used within recursive templates.
2018-03-28 Mark Lam <mark.lam@apple.com>
Enhance ARM64 probe to support pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=184069
<rdar://problem/38939879>
Reviewed by JF Bastien.
* assembler/MacroAssemblerARM64.cpp:
(JSC::MacroAssembler::probe):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::popPair):
(JSC::MacroAssemblerX86Common::pushPair):
* assembler/testmasm.cpp:
(JSC::testProbeReadsArgumentRegisters):
(JSC::testProbeWritesArgumentRegisters):
* runtime/PtrTag.h:
(JSC::tagForPtr):
2018-03-28 Robin Morisset <rmorisset@apple.com>
appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
https://bugs.webkit.org/show_bug.cgi?id=183894
Reviewed by Saam Barati.
Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
* runtime/JSONObject.cpp:
(JSC::Stringifier::appendStringifiedValue):
2018-03-28 Carlos Garcia Campos <cgarcia@igalia.com>
[JSC] Move WeakValueRef class to its own file and use it from Objc and GLib
https://bugs.webkit.org/show_bug.cgi?id=184073
Reviewed by Yusuke Suzuki.
We currently have duplicated code in Obj and GLib implementations.
* API/JSManagedValue.mm:
(managedValueHandleOwner):
(-[JSManagedValue initWithValue:]):
* API/JSWeakValue.cpp: Added.
(JSC::JSWeakValue::~JSWeakValue):
(JSC::JSWeakValue::clear):
(JSC::JSWeakValue::isClear const):
(JSC::JSWeakValue::setPrimitive):
(JSC::JSWeakValue::setObject):
(JSC::JSWeakValue::setString):
* API/JSWeakValue.h: Added.
(JSC::JSWeakValue::isSet const):
(JSC::JSWeakValue::isPrimitive const):
(JSC::JSWeakValue::isObject const):
(JSC::JSWeakValue::isString const):
(JSC::JSWeakValue::object const):
(JSC::JSWeakValue::primitive const):
(JSC::JSWeakValue::string const):
* API/glib/JSCWeakValue.cpp:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
2018-03-27 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Add JSCWeakValue to JavaScriptCore GLib API
https://bugs.webkit.org/show_bug.cgi?id=184041
Reviewed by Michael Catanzaro.
This allows to keep a reference to a JavaSCript value without protecting it, and without having a strong
reference of the context. When the value is cleared the JSCWeakValue::cleared signal is emitted and
jsc_weak_value_get_value() will always return nullptr.
* API/glib/JSCWeakValue.cpp: Added.
(WeakValueRef::~WeakValueRef):
(WeakValueRef::clear):
(WeakValueRef::isClear const):
(WeakValueRef::isSet const):
(WeakValueRef::isPrimitive const):
(WeakValueRef::isObject const):
(WeakValueRef::isString const):
(WeakValueRef::setPrimitive):
(WeakValueRef::setObject):
(WeakValueRef::setString):
(WeakValueRef::object const):
(WeakValueRef::primitive const):
(WeakValueRef::string const):
(weakValueHandleOwner):
(jscWeakValueInitialize):
(jscWeakValueSetProperty):
(jscWeakValueDispose):
(jsc_weak_value_class_init):
(jsc_weak_value_new):
(jsc_weak_value_get_value):
* API/glib/JSCWeakValue.h: Added.
* API/glib/docs/jsc-glib-4.0-sections.txt:
* API/glib/docs/jsc-glib-docs.sgml:
* API/glib/jsc.h:
* GLib.cmake:
2018-03-27 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Remove unnecessary USE(JSVALUE32_64) / USE(JSVALUE64)
https://bugs.webkit.org/show_bug.cgi?id=181292
Reviewed by Saam Barati.
By using JSValueRegs abstraction, we can simplify DFGSpeculativeJIT.cpp code.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
(JSC::DFG::SpeculativeJIT::compileCreateRest):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
(JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
2018-03-27 Yusuke Suzuki <utatane.tea@gmail.com>
Add Load16Z for B3 and use it in WebAssembly
https://bugs.webkit.org/show_bug.cgi?id=165884
Reviewed by JF Bastien.
We already support Load16Z in B3. Use it for i32.load16_u / i64.load16_u in WebAssembly.
spec-tests/memory.wast.js already covered this change.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitLoadOp):
2018-03-24 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove repeated iteration of ElementNode
https://bugs.webkit.org/show_bug.cgi?id=183987
Reviewed by Keith Miller.
BytecodeGenerator repeatedly iterates ElementNode to emit the efficient code.
While it is OK for small arrays, this repeated iteration takes much time
if the array is very large. For example, Kraken's initialization code includes
very large array with numeric literals. This makes bytecode compiling so long.
This patch carefully removes unnecessary iteration when emitting arrays.
This reduces one of Kraken/imaging-darkroom's bytecode compiling from 13.169856 ms
to 9.988050 ms.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitNewArrayBuffer):
(JSC::BytecodeGenerator::emitNewArray):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
(JSC::ArrayPatternNode::bindValue const):
(JSC::ArrayPatternNode::emitDirectBinding):
2018-03-26 Ross Kirsling <ross.kirsling@sony.com>
JIT callOperation() needs to support operations that return SlowPathReturnType differently on Windows.
https://bugs.webkit.org/show_bug.cgi?id=183655
Reviewed by Keith Miller.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::ArgCollection::argCount):
(JSC::CCallHelpers::marshallArgumentRegister):
(JSC::CCallHelpers::setupArgumentsImpl):
On Win64, ensure that argCount always includes GPRs and FPRs and that counting starts from 1 for SlowPathReturnType.
* jit/JIT.h:
(JSC::JIT::callOperation):
(JSC::JIT::is64BitType):
(JSC::JIT::is64BitType<void>):
On Win64, ensure special call is used for SlowPathReturnType.
* jit/JITOperations.h:
Update changed type.
2018-03-26 Yusuke Suzuki <utatane.tea@gmail.com>
We should have SSE4 detection in the X86 MacroAssembler.
https://bugs.webkit.org/show_bug.cgi?id=165363
Reviewed by JF Bastien.
This patch adds popcnt support to WASM in x86_64 environment.
To use it, we refactor our CPUID feature detection in MacroAssemblerX86Common.
Our spec-tests already cover popcnt.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::supportsCountPopulation):
* assembler/MacroAssemblerX86Common.cpp:
(JSC::MacroAssemblerX86Common::getCPUID):
(JSC::MacroAssemblerX86Common::getCPUIDEx):
(JSC::MacroAssemblerX86Common::collectCPUFeatures):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::countPopulation32):
(JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
(JSC::MacroAssemblerX86Common::supportsCountPopulation):
(JSC::MacroAssemblerX86Common::supportsAVX):
(JSC::MacroAssemblerX86Common::supportsLZCNT):
(JSC::MacroAssemblerX86Common::supportsBMI1):
(JSC::MacroAssemblerX86Common::isSSE2Present):
(JSC::MacroAssemblerX86Common::updateEax1EcxFlags): Deleted.
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::countPopulation64):
* assembler/X86Assembler.h:
(JSC::X86Assembler::popcnt_rr):
(JSC::X86Assembler::popcnt_mr):
(JSC::X86Assembler::popcntq_rr):
(JSC::X86Assembler::popcntq_mr):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
2018-03-26 Filip Pizlo <fpizlo@apple.com>
DFG should know that CreateThis can be effectful
https://bugs.webkit.org/show_bug.cgi?id=184013
Reviewed by Saam Barati.
As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this
is a proxy.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2018-03-25 Saam Barati <sbarati@apple.com>
Fix typo in JSC option name
https://bugs.webkit.org/show_bug.cgi?id=184001
Reviewed by Mark Lam.
enableJITDebugAssetions => enableJITDebugAssertions.
* assembler/MacroAssembler.cpp:
(JSC::MacroAssembler::jitAssert):
* runtime/Options.h:
2018-03-25 Saam Barati <sbarati@apple.com>
r228149 accidentally removed code that resets m_emptyCursor at the end of a GC
https://bugs.webkit.org/show_bug.cgi?id=183995
Reviewed by Filip Pizlo.
The removal of this line of code was unintended and happened during some
refactoring Fil was doing. The consequence of removing this line of code
is that the m_emptyCursor became a monotonically increasing integer, leading
the cursor to usually being out of bounds of the block range (depending on
what the program is doing). This made the functionality of finding an empty
block to steal almost always fail.
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::prepareForAllocation):
2018-03-22 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Introduces fused compare and jump
https://bugs.webkit.org/show_bug.cgi?id=177100
Reviewed by Mark Lam.
This patch introduces op_jeq, op_jneq, op_jstricteq, and op_jnstricteq.
It offers 3 benefit.
1. They are introduced due to the similar purpose to op_jless etc. It aligns
op_eq families to op_jless families.
2. It reduces the size of bytecode to represent the typical code sequence.
3. It offers the way to fuse check and jump in DFG code generation. Since
we have MovHint between Branch and CompareEq/CompareStrictEq previously,
we cannot do this optimization. It reduces the machine code size in DFG too.
It slightly improves Octane/boyer.
boyer 6.18038+-0.05002 ^ 6.06990+-0.04176 ^ definitely 1.0182x faster
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/Opcode.h:
(JSC::isBranch):
* bytecode/PreciseJumpTargetsInlines.h:
(JSC::extractStoredJumpTargetsForBytecodeOffset):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitJumpIfTrue):
(JSC::BytecodeGenerator::emitJumpIfFalse):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStrictEq):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_jeq):
(JSC::JIT::emit_op_neq):
(JSC::JIT::emit_op_jneq):
(JSC::JIT::compileOpStrictEq):
(JSC::JIT::emit_op_stricteq):
(JSC::JIT::emit_op_nstricteq):
(JSC::JIT::compileOpStrictEqJump):
(JSC::JIT::emit_op_jstricteq):
(JSC::JIT::emit_op_jnstricteq):
(JSC::JIT::emitSlow_op_jstricteq):
(JSC::JIT::emitSlow_op_jnstricteq):
(JSC::JIT::emitSlow_op_jeq):
(JSC::JIT::emitSlow_op_jneq):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emitSlow_op_eq):
(JSC::JIT::emit_op_jeq):
(JSC::JIT::compileOpEqJumpSlow):
(JSC::JIT::emitSlow_op_jeq):
(JSC::JIT::emit_op_jneq):
(JSC::JIT::emitSlow_op_jneq):
(JSC::JIT::compileOpStrictEq):
(JSC::JIT::emit_op_stricteq):
(JSC::JIT::emit_op_nstricteq):
(JSC::JIT::compileOpStrictEqJump):
(JSC::JIT::emit_op_jstricteq):
(JSC::JIT::emit_op_jnstricteq):
(JSC::JIT::emitSlow_op_jstricteq):
(JSC::JIT::emitSlow_op_jnstricteq):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2018-03-24 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Improve constants and add comments for CodeBlockHash
https://bugs.webkit.org/show_bug.cgi?id=183982
Rubber-stamped by Mark Lam.
* bytecode/CodeBlockHash.cpp:
(JSC::CodeBlockHash::CodeBlockHash):
* bytecode/ParseHash.cpp:
(JSC::ParseHash::ParseHash):
2018-03-24 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add options to report parsing and bytecode compiling times
https://bugs.webkit.org/show_bug.cgi?id=183982
Reviewed by Mark Lam.
This patch adds reportParseTimes and reportBytecodeCompileTimes options.
When they are enabled, JSC reports times consumed for parsing and bytecode
compiling.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/ParseHash.cpp: Added.
(JSC::ParseHash::ParseHash):
* bytecode/ParseHash.h: Added.
(JSC::ParseHash::hashForCall const):
(JSC::ParseHash::hashForConstruct const):
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::generateUnlinkedFunctionCodeBlock):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::generate):
* parser/Parser.h:
(JSC::parse):
* runtime/CodeCache.h:
(JSC::generateUnlinkedCodeBlock):
* runtime/Options.h:
2018-03-24 Yusuke Suzuki <utatane.tea@gmail.com>
[JIT] Drop ENABLE_JIT_VERBOSE flag
https://bugs.webkit.org/show_bug.cgi?id=183983
Reviewed by Mark Lam.
Just use JITInternal::verbose value.
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::link):
2018-03-23 Tim Horton <timothy_horton@apple.com>
Fix the build with no pasteboard
https://bugs.webkit.org/show_bug.cgi?id=183973
Reviewed by Dan Bernstein.
* Configurations/FeatureDefines.xcconfig:
2018-03-23 Mark Lam <mark.lam@apple.com>
LLInt TypeArray pointer poisoning should not pick its poison dynamically.
https://bugs.webkit.org/show_bug.cgi?id=183942
<rdar://problem/38798018>
Reviewed by JF Bastien.
1. Move the LLInt TypedArray unpoisoning to just before the array access after
all the branches.
2. Renamed FirstArrayType to FirstTypedArrayType to match the symbol in C++ code.
3. Remove a useless instruction in the implementation of emitX86Lea for a global
label.
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/x86.rb:
2018-03-23 Mark Lam <mark.lam@apple.com>
Add more support for pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=183943
<rdar://problem/38799068>
Reviewed by JF Bastien.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::linkJumpOrCall):
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::repatchNearCall):
(JSC::AbstractMacroAssembler::tagReturnAddress):
(JSC::AbstractMacroAssembler::untagReturnAddress):
2018-03-23 Yusuke Suzuki <utatane.tea@gmail.com>
[WTF] Add standard containers with FastAllocator specialization
https://bugs.webkit.org/show_bug.cgi?id=183789
Reviewed by Darin Adler.
* b3/air/testair.cpp:
* b3/testb3.cpp:
(JSC::B3::testDoubleLiteralComparison):
(JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
* dfg/DFGGraph.h:
* dfg/DFGIntegerCheckCombiningPhase.cpp:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
* runtime/FunctionHasExecutedCache.h:
* runtime/TypeLocationCache.h:
2018-03-23 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Fix ArrayPush(ArrayStorage)'s abstract heap
https://bugs.webkit.org/show_bug.cgi?id=182960
Reviewed by Saam Barati.
This patch fixes ArrayPush(ArrayStorage)'s abstract heap.
It should always touch ArrayStorage_vector. To unify
vector setting code for the real ArrayStorage_vector and
ScratchBuffer, we use ArrayStorage_vector.atAnyIndex() to
annotate this.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
2018-03-23 Zan Dobersek <zdobersek@igalia.com>
Unreviewed build fix for GCC 4.9 builds.
* assembler/MacroAssemblerCodeRef.h: std::is_trivially_copyable<> isn't
supported in 4.9 libstdc++, so wrap the static assert using it in a
COMPILER_SUPPORTS() macro, and use __is_trivially_copyable() builtin,
as is done in bitwise_cast() in StdLibExtras.h.
2018-03-22 Tim Horton <timothy_horton@apple.com>
Adopt WK_ALTERNATE_FRAMEWORKS_DIR in WebCore
https://bugs.webkit.org/show_bug.cgi?id=183930
<rdar://problem/38782249>
Reviewed by Dan Bernstein.
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-03-22 Mark Lam <mark.lam@apple.com>
Add placeholder call and jump MacroAssembler emitters that take PtrTag in a register.
https://bugs.webkit.org/show_bug.cgi?id=183914
<rdar://problem/38763536>
Reviewed by Saam Barati and JF Bastien.
This is in preparation for supporting pointer profiling work.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::jump):
(JSC::MacroAssemblerARM::call):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::call):
(JSC::MacroAssemblerARM64::jump):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::jump):
(JSC::MacroAssemblerARMv7::call):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::jump):
(JSC::MacroAssemblerMIPS::call):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::call):
(JSC::MacroAssemblerX86::jump):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::jump):
(JSC::MacroAssemblerX86Common::call):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::call):
(JSC::MacroAssemblerX86_64::jump):
2018-03-22 Tim Horton <timothy_horton@apple.com>
Improve readability of WebCore's OTHER_LDFLAGS
https://bugs.webkit.org/show_bug.cgi?id=183909
<rdar://problem/38760992>
Reviewed by Dan Bernstein.
* Configurations/Base.xcconfig:
* Configurations/FeatureDefines.xcconfig:
2018-03-22 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Thumb: Do not decorate bottom bit twice
https://bugs.webkit.org/show_bug.cgi?id=183906
Reviewed by Mark Lam.
Use MacroAssemblerCodePtr::createFromExecutableAddress instead of
MacroAssemblerCodePtr(void*) to avoid decorating the pointer twice as
a thumb pointer.
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
2018-03-22 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
https://bugs.webkit.org/show_bug.cgi?id=183559
Reviewed by Mark Lam.
When converting NumberToStringWithRadix to ToString(Int52/Int32/Double), we forget
to clear NodeMustGenerate for this ToString. It should be since it does not have
any user-observable side effect. This patch clears NodeMustGenerate.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
2018-03-22 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] List up all candidates in DFGCapabilities and FTLCapabilities
https://bugs.webkit.org/show_bug.cgi?id=183897
Reviewed by Mark Lam.
We should not use `default:` clause here since it accidentally catches
the opcode and DFG nodes which should be optimized. For example,
op_super_sampler_begin and op_super_sampler_end are not listed while
they have DFG and FTL backend.
This patch lists up all candiates in DFGCapabilities and FTLCapabilities.
And we also clean up unnecessary checks in FTLCapabilities. Since we
already handles all the possible array types for these nodes (which can
be checked in DFG's code), we do not need to check array types.
We also fix FTLLowerDFGToB3' PutByVal code to use modeForPut.
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2018-03-22 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Drop op_put_by_index
https://bugs.webkit.org/show_bug.cgi?id=183899
Reviewed by Mark Lam.
This patch drops op_put_by_index.
1. This functionality can be just covered by direct put_by_val.
2. put_by_index is not well optimized. It is just calling a C
function. And it does not have DFG handling.
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitPutByIndex): Deleted.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
(JSC::ArrayPatternNode::emitDirectBinding):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_by_index): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_by_index): Deleted.
* llint/LLIntSlowPaths.cpp:
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
2018-03-22 Michael Saboff <msaboff@apple.com>
Race Condition in arrayProtoFuncReverse() causes wrong results or crash
https://bugs.webkit.org/show_bug.cgi?id=183901
Reviewed by Keith Miller.
Added write barriers to ensure the reversed contents are properly marked.
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncReverse):
2018-03-21 Filip Pizlo <fpizlo@apple.com>
ScopedArguments should do poisoning and index masking
https://bugs.webkit.org/show_bug.cgi?id=183863
Reviewed by Mark Lam.
This outlines the ScopedArguments overflow storage and adds poisoning.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitScopedArgumentsGetByVal):
* runtime/JSCPoison.h:
* runtime/ScopedArguments.cpp:
(JSC::ScopedArguments::ScopedArguments):
(JSC::ScopedArguments::createUninitialized):
(JSC::ScopedArguments::visitChildren):
* runtime/ScopedArguments.h:
2018-03-21 Mark Lam <mark.lam@apple.com>
Refactor the PtrTag list as a macro so that we can auto-generate code that enumerates each PtrTag.
https://bugs.webkit.org/show_bug.cgi?id=183861
<rdar://problem/38716822>
Reviewed by Filip Pizlo.
Also added ptrTagName() to aid debugging. ptrTagName() is implemented using this
new PtrTag macro list.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* runtime/PtrTag.cpp: Added.
(JSC::ptrTagName):
* runtime/PtrTag.h:
2018-03-21 Mark Lam <mark.lam@apple.com>
Use CodeBlock::instructions()[] and CodeBlock::bytecodeOffset() instead of doing own pointer math.
https://bugs.webkit.org/show_bug.cgi?id=183857
<rdar://problem/38712184>
Reviewed by JF Bastien.
We should avoid doing pointer math with CodeBlock::instructions().begin().
Instead, we should use the operator[] that comes with CodeBlock::instructions()
for computing an Instruction*, and use CodeBlock::bytecodeOffset() for computing
the bytecode offset of a given Instruction*. These methods will do assertions
which helps catch bugs sooner, plus they are more descriptive of the operation
we're trying to do.
* bytecode/BytecodeKills.h:
(JSC::BytecodeKills::operandIsKilled const):
(JSC::BytecodeKills::forEachOperandKilledAt const):
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromLLInt):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::arithProfileForBytecodeOffset):
(JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::callSiteBitsAsBytecodeOffset const):
(JSC::CallFrame::currentVPC const):
(JSC::CallFrame::setCurrentVPC):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITInlines.h:
(JSC::JIT::updateTopCallFrame):
(JSC::JIT::copiedInstruction):
* jit/JITOpcodes.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/SlowPathCall.h:
(JSC::JITSlowPathCall::call):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::llint_trace_operand):
(JSC::LLInt::llint_trace_value):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
(JSC::LLInt::getByVal): Deleted.
(JSC::LLInt::handleHostCall): Deleted.
(JSC::LLInt::setUpCall): Deleted.
(JSC::LLInt::genericCall): Deleted.
(JSC::LLInt::varargsSetup): Deleted.
(JSC::LLInt::llint_throw_stack_overflow_error): Deleted.
(JSC::LLInt::llint_stack_check_at_vm_entry): Deleted.
(JSC::LLInt::llint_write_barrier_slow): Deleted.
(JSC::LLInt::llint_crash): Deleted.
* runtime/SamplingProfiler.cpp:
(JSC::tryGetBytecodeIndex):
2018-03-21 Keith Miller <keith_miller@apple.com>
btjs should print the bytecode offset in the stack trace for JS frames
https://bugs.webkit.org/show_bug.cgi?id=183856
Reviewed by Filip Pizlo.
* interpreter/CallFrame.cpp:
(JSC::CallFrame::bytecodeOffset):
(JSC::CallFrame::dump):
2018-03-21 Carlos Garcia Campos <cgarcia@igalia.com>
Unreviewed. Fix GTK and WPE debug build after r229798.
Fix a typo in an ASSERT. Also convert several RELEASE_ASSERT to ASSERT that I forgot to do before landing.
* API/glib/JSCCallbackFunction.cpp:
(JSC::JSCCallbackFunction::JSCCallbackFunction):
* API/glib/JSCContext.cpp:
(jscContextSetVirtualMachine):
(jscContextGetJSContext):
(wrapperMap):
(jscContextHandleExceptionIfNeeded):
* API/glib/JSCValue.cpp:
(jscValueCallFunction):
* API/glib/JSCVirtualMachine.cpp:
(addWrapper):
(removeWrapper):
(jscVirtualMachineSetContextGroup):
(jscVirtualMachineAddContext):
(jscVirtualMachineRemoveContext):
* API/glib/JSCWrapperMap.cpp:
(JSC::WrapperMap::gobjectWrapper):
(JSC::WrapperMap::unwrap):
(JSC::WrapperMap::registerClass):
(JSC::WrapperMap::createJSWrappper):
(JSC::WrapperMap::wrappedObject const):
2018-03-21 Carlos Garcia Campos <cgarcia@igalia.com>
[GTK][WPE] JSC bindings not introspectable
https://bugs.webkit.org/show_bug.cgi?id=136989
Reviewed by Michael Catanzaro.
Make it possible to include individual headers when building WebKit layer.
* API/glib/JSCAutocleanups.h:
* API/glib/JSCClass.h:
* API/glib/JSCContext.h:
* API/glib/JSCException.h:
* API/glib/JSCValue.h:
* API/glib/JSCVersion.h.in:
* API/glib/JSCVirtualMachine.h:
2018-03-21 Carlos Garcia Campos <cgarcia@igalia.com>
[GTK][WPE] Initial implementation of JavaScriptCore glib bindings
https://bugs.webkit.org/show_bug.cgi?id=164061
Reviewed by Michael Catanzaro.
Add initial GLib API for JavaScriptCore.
* API/JSAPIWrapperObject.h:
* API/glib/JSAPIWrapperObjectGLib.cpp: Added.
(jsAPIWrapperObjectHandleOwner):
(JSAPIWrapperObjectHandleOwner::finalize):
(JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
(JSC::JSCallbackObject<JSAPIWrapperObject>::createStructure):
(JSC::JSAPIWrapperObject::JSAPIWrapperObject):
(JSC::JSAPIWrapperObject::finishCreation):
(JSC::JSAPIWrapperObject::setWrappedObject):
(JSC::JSAPIWrapperObject::visitChildren):
* API/glib/JSCAutocleanups.h: Added.
* API/glib/JSCCallbackFunction.cpp: Added.
(JSC::callAsFunction):
(JSC::callAsConstructor):
(JSC::JSCCallbackFunction::create):
(JSC::JSCCallbackFunction::JSCCallbackFunction):
(JSC::JSCCallbackFunction::call):
(JSC::JSCCallbackFunction::construct):
(JSC::JSCCallbackFunction::destroy):
* API/glib/JSCCallbackFunction.h: Added.
(JSC::JSCCallbackFunction::createStructure):
(JSC::JSCCallbackFunction::functionCallback):
(JSC::JSCCallbackFunction::constructCallback):
* API/glib/JSCClass.cpp: Added.
(jscClassGetProperty):
(jscClassSetProperty):
(jscClassDispose):
(jscClassConstructed):
(jsc_class_class_init):
(jscClassCreate):
(jscClassGetJSClass):
(jscClassGetOrCreateJSWrapper):
(jscClassInvalidate):
(jsc_class_get_name):
(jsc_class_get_parent):
(jsc_class_add_constructor):
(jsc_class_add_method):
(jsc_class_add_property):
* API/glib/JSCClass.h: Added.
* API/glib/JSCClassPrivate.h: Added.
* API/glib/JSCContext.cpp: Added.
(ExceptionHandler::ExceptionHandler):
(ExceptionHandler::~ExceptionHandler):
(jscContextSetVirtualMachine):
(jscContextGetProperty):
(jscContextSetProperty):
(jscContextConstructed):
(jscContextDispose):
(jsc_context_class_init):
(jscContextGetOrCreate):
(jscContextGetJSContext):
(wrapperMap):
(jscContextGetOrCreateValue):
(jscContextValueDestroyed):
(jscContextGetJSWrapper):
(jscContextGetOrCreateJSWrapper):
(jscContextWrappedObject):
(jscContextPushCallback):
(jscContextPopCallback):
(jscContextGArrayToJSArray):
(jscContextJSArrayToGArray):
(jscContextGValueToJSValue):
(jscContextJSValueToGValue):
(jsc_context_new):
(jsc_context_new_with_virtual_machine):
(jsc_context_get_virtual_machine):
(jsc_context_get_exception):
(jsc_context_throw):
(jsc_context_throw_exception):
(jsc_context_push_exception_handler):
(jsc_context_pop_exception_handler):
(jscContextHandleExceptionIfNeeded):
(jsc_context_get_current):
(jsc_context_evaluate):
(jsc_context_evaluate_with_source_uri):
(jsc_context_set_value):
(jsc_context_get_value):
(jsc_context_register_class):
* API/glib/JSCContext.h: Added.
* API/glib/JSCContextPrivate.h: Added.
* API/glib/JSCDefines.h: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.h.
* API/glib/JSCException.cpp: Added.
(jscExceptionDispose):
(jsc_exception_class_init):
(jscExceptionCreate):
(jscExceptionGetJSValue):
(jscExceptionEnsureProperties):
(jsc_exception_new):
(jsc_exception_get_message):
(jsc_exception_get_line_number):
(jsc_exception_get_source_uri):
* API/glib/JSCException.h: Added.
* API/glib/JSCExceptionPrivate.h: Added.
* API/glib/JSCGLibWrapperObject.h: Added.
(JSC::JSCGLibWrapperObject::JSCGLibWrapperObject):
(JSC::JSCGLibWrapperObject::~JSCGLibWrapperObject):
(JSC::JSCGLibWrapperObject::object const):
* API/glib/JSCValue.cpp: Added.
(jscValueGetProperty):
(jscValueSetProperty):
(jscValueDispose):
(jsc_value_class_init):
(jscValueGetJSValue):
(jscValueCreate):
(jsc_value_get_context):
(jsc_value_new_undefined):
(jsc_value_is_undefined):
(jsc_value_new_null):
(jsc_value_is_null):
(jsc_value_new_number):
(jsc_value_is_number):
(jsc_value_to_double):
(jsc_value_to_int32):
(jsc_value_new_boolean):
(jsc_value_is_boolean):
(jsc_value_to_boolean):
(jsc_value_new_string):
(jsc_value_is_string):
(jsc_value_to_string):
(jsc_value_new_array):
(jsc_value_new_array_from_garray):
(jsc_value_is_array):
(jsc_value_new_object):
(jsc_value_is_object):
(jsc_value_object_is_instance_of):
(jsc_value_object_set_property):
(jsc_value_object_get_property):
(jsc_value_object_set_property_at_index):
(jsc_value_object_get_property_at_index):
(jscValueCallFunction):
(jsc_value_object_invoke_method):
(jsc_value_object_define_property_data):
(jsc_value_object_define_property_accessor):
(jsc_value_new_function):
(jsc_value_is_function):
(jsc_value_function_call):
(jsc_value_is_constructor):
(jsc_value_constructor_call):
* API/glib/JSCValue.h: Added.
* API/glib/JSCValuePrivate.h: Added.
* API/glib/JSCVersion.cpp: Added.
(jsc_get_major_version):
(jsc_get_minor_version):
(jsc_get_micro_version):
* API/glib/JSCVersion.h.in: Added.
* API/glib/JSCVirtualMachine.cpp: Added.
(addWrapper):
(removeWrapper):
(jscVirtualMachineSetContextGroup):
(jscVirtualMachineEnsureContextGroup):
(jscVirtualMachineDispose):
(jsc_virtual_machine_class_init):
(jscVirtualMachineGetOrCreate):
(jscVirtualMachineGetContextGroup):
(jscVirtualMachineAddContext):
(jscVirtualMachineRemoveContext):
(jscVirtualMachineGetContext):
(jsc_virtual_machine_new):
* API/glib/JSCVirtualMachine.h: Added.
* API/glib/JSCVirtualMachinePrivate.h: Added.
* API/glib/JSCWrapperMap.cpp: Added.
(JSC::WrapperMap::WrapperMap):
(JSC::WrapperMap::~WrapperMap):
(JSC::WrapperMap::gobjectWrapper):
(JSC::WrapperMap::unwrap):
(JSC::WrapperMap::registerClass):
(JSC::WrapperMap::createJSWrappper):
(JSC::WrapperMap::jsWrapper const):
(JSC::WrapperMap::wrappedObject const):
* API/glib/JSCWrapperMap.h: Added.
* API/glib/docs/jsc-glib-4.0-sections.txt: Added.
* API/glib/docs/jsc-glib-4.0.types: Added.
* API/glib/docs/jsc-glib-docs.sgml: Added.
* API/glib/jsc.h: Added.
* CMakeLists.txt:
* GLib.cmake: Added.
* JavaScriptCore.gir.in: Removed.
* PlatformGTK.cmake:
* PlatformWPE.cmake:
* heap/Heap.cpp:
(JSC::Heap::releaseDelayedReleasedObjects):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::releaseSoon):
* javascriptcoregtk.pc.in:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
(JSC::JSGlobalObject::setWrapperMap):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::glibCallbackFunctionStructure const):
(JSC::JSGlobalObject::glibWrapperObjectStructure const):
(JSC::JSGlobalObject::wrapperMap const):
2018-03-21 Christopher Reid <chris.reid@sony.com>
Windows 64-bit build fix after r229767
https://bugs.webkit.org/show_bug.cgi?id=183810
Reviewed by Mark Lam.
Removing an extra parameter in the call to m_assember::call.
* assembler/MacroAssemblerX86_64.h:
2018-03-20 Dan Bernstein <mitz@apple.com>
[Xcode] JSVALUE_MODEL is unused
https://bugs.webkit.org/show_bug.cgi?id=183809
Reviewed by Tim Horton.
* Configurations/JavaScriptCore.xcconfig: Removed the unused definition.
2018-03-20 Tim Horton <timothy_horton@apple.com>
Update the install name for JavaScriptCore when built with WK_ALTERNATE_FRAMEWORKS_DIR
https://bugs.webkit.org/show_bug.cgi?id=183808
<rdar://problem/38692079>
Reviewed by Dan Bernstein.
* Configurations/JavaScriptCore.xcconfig:
2018-03-20 Tim Horton <timothy_horton@apple.com>
Enable the minimal simulator feature flag when appropriate
https://bugs.webkit.org/show_bug.cgi?id=183807
Reviewed by Dan Bernstein.
* Configurations/FeatureDefines.xcconfig:
2018-03-20 Saam Barati <sbarati@apple.com>
We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
https://bugs.webkit.org/show_bug.cgi?id=183795
<rdar://problem/38298694>
Reviewed by JF Bastien.
We were just assuming that the constants we were inserting were
always exitOK=true. However, this breaks validation. The exitOK
we emit for the constants in the NewArrayBuffer should respect
the current exit state of the IR we've emitted. This is just IR
bookkeeping since JSConstant is a non-exiting node.
* dfg/DFGArgumentsEliminationPhase.cpp:
2018-03-20 Guillaume Emont <guijemont@igalia.com>
MIPS+Armv7 builds are broken since r229391
https://bugs.webkit.org/show_bug.cgi?id=183474
Reviewed by Yusuke Suzuki.
Add missing armv7 and mips operations and fix arguments to a call to
operationGetByValCell. This should fix compilation on MIPS and Armv7
(though it does not implement the missing setupArguments stuff in
CCallHelpers).
* assembler/MacroAssembler.h:
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::swap):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::swap):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/FPRInfo.h:
2018-03-20 Tim Horton <timothy_horton@apple.com>
Add and adopt WK_PLATFORM_NAME and adjust default feature defines
https://bugs.webkit.org/show_bug.cgi?id=183758
<rdar://problem/38017644>
Reviewed by Dan Bernstein.
* Configurations/FeatureDefines.xcconfig:
2018-03-20 Mark Lam <mark.lam@apple.com>
Improve FunctionPtr and use it in the JIT CallRecord.
https://bugs.webkit.org/show_bug.cgi?id=183756
<rdar://problem/38641335>
Reviewed by JF Bastien.
1. FunctionPtr hold a C/C++ function pointer by default. Change its default
PtrTag to reflect that.
2. Delete the FunctionPtr::value() method. It is effectively a duplicate of
executableAddress().
3. Fix the FunctionPtr constructor that takes arbitrary pointers to be able to
take "any" pointer. "any" in this case means that the pointer may not be typed
as a C/C++ function to the C++ compiler (due to upstream casting or usage of
void* as a storage type), but it is still expected to be pointing to a C/C++
function.
4. Added a FunctionPtr constructor that takes another FunctionPtr. This is a
convenience constructor that lets us retag the underlying pointer. The other
FunctionPtr is still expected to point to a C/C++ function.
5. Added PtrTag assertion placeholder functions to be implemented later.
6. Change the JIT CallRecord to embed a FunctionPtr callee instead of a void* to
pointer. This improves type safety, and assists in getting pointer tagging
right later.
7. Added versions of JIT callOperations methods that will take a PtrTag.
This is preparation for more more pointer tagging work later.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::linkCall):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::linkCall):
* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr):
(JSC::FunctionPtr::operator bool const):
(JSC::FunctionPtr::operator! const):
(JSC::ReturnAddressPtr::ReturnAddressPtr):
(JSC::MacroAssemblerCodePtr::retagged const):
(JSC::MacroAssemblerCodeRef::retaggedCode const):
(JSC::FunctionPtr::value const): Deleted.
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::linkCall):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::linkCall):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
(JSC::MacroAssemblerX86_64::linkCall):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* ftl/FTLSlowPathCall.cpp:
(JSC::FTL::SlowPathCallContext::makeCall):
* ftl/FTLSlowPathCall.h:
(JSC::FTL::callOperation):
* ftl/FTLThunks.cpp:
(JSC::FTL::osrExitGenerationThunkGenerator):
(JSC::FTL::lazySlowPathGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/JIT.cpp:
(JSC::JIT::link):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
(JSC::CallRecord::CallRecord):
(JSC::JIT::appendCall):
(JSC::JIT::appendCallWithSlowPathReturnType):
(JSC::JIT::callOperation):
(JSC::JIT::callOperationWithProfile):
(JSC::JIT::callOperationWithResult):
(JSC::JIT::callOperationNoExceptionCheck):
(JSC::JIT::callOperationWithCallFrameRollbackOnException):
* jit/JITArithmetic.cpp:
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):
* jit/JITInlines.h:
(JSC::JIT::emitNakedCall):
(JSC::JIT::emitNakedTailCall):
(JSC::JIT::appendCallWithExceptionCheck):
(JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
(JSC::JIT::appendCallWithCallFrameRollbackOnException):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitSlow_op_put_by_val):
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jit/SlowPathCall.h:
(JSC::JITSlowPathCall::JITSlowPathCall):
(JSC::JITSlowPathCall::call):
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
* runtime/PtrTag.h:
(JSC::nextPtrTagID):
(JSC::assertIsCFunctionPtr):
(JSC::assertIsNullOrCFunctionPtr):
(JSC::assertIsNotTagged):
(JSC::assertIsTagged):
(JSC::assertIsNullOrTagged):
(JSC::assertIsTaggedWith):
(JSC::assertIsNullOrTaggedWith):
(JSC::uniquePtrTagID): Deleted.
2018-03-20 Stanislav Ocovaj <stanislav.ocovaj@rt-rk.com>
[MIPS] Optimize generated JIT code for loads/stores
https://bugs.webkit.org/show_bug.cgi?id=183243
Reviewed by Yusuke Suzuki.
JIT generates three MIPS instructions for a load/store from/to an absolute address:
lui adrTmpReg, address >> 16
ori adrTmpReg, address & 0xffff
lw dataReg, 0(adrTmpReg)
Since load/store instructions on MIPS have a 16-bit offset, lower 16 bits of the address can
be encoded into the load/store and ori instruction can be removed:
lui adrTmpReg, (address + 0x8000) >> 16
lw dataReg, (address & 0xffff)(adrTmpReg)
Also, in loads/stores with BaseIndex address, the left shift can be omitted if address.scale is 0.
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::add32):
(JSC::MacroAssemblerMIPS::add64):
(JSC::MacroAssemblerMIPS::or32):
(JSC::MacroAssemblerMIPS::sub32):
(JSC::MacroAssemblerMIPS::convertibleLoadPtr):
(JSC::MacroAssemblerMIPS::load8):
(JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
(JSC::MacroAssemblerMIPS::load32):
(JSC::MacroAssemblerMIPS::store8):
(JSC::MacroAssemblerMIPS::store32):
(JSC::MacroAssemblerMIPS::branchTest8):
(JSC::MacroAssemblerMIPS::branchAdd32):
(JSC::MacroAssemblerMIPS::loadDouble):
(JSC::MacroAssemblerMIPS::storeDouble):
2018-03-16 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] Add vectorLengthHint for NewArray
https://bugs.webkit.org/show_bug.cgi?id=183694
Reviewed by Saam Barati.
While the following code is a common, it is not so efficient.
var array = [];
for (...) {
...
array.push(...);
}
The array is always allocated with 0 vector length. And it is eventually grown.
We have ArrayAllocationProfile, and it tells us that the vector length hint for
the allocated arrays. This hint is already used for NewArrayBuffer. This patch
extends this support for NewArray DFG node.
This patch improves Kraken/stanford-crypto-aes 4%.
baseline patched
stanford-crypto-aes 64.069+-1.352 61.589+-1.274 might be 1.0403x faster
NewArray can be optimized.
baseline patched
vector-length-hint-new-array 21.8157+-0.0882 ^ 13.1764+-0.0942 ^ definitely 1.6557x faster
vector-length-hint-array-constructor 21.9076+-0.0987 ? 22.1168+-0.4814 ?
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasVectorLengthHint):
(JSC::DFG::Node::vectorLengthHint):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2018-03-13 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] Make ArraySlice(0) code tight
https://bugs.webkit.org/show_bug.cgi?id=183590
Reviewed by Saam Barati.
This patch tightens ArraySlice code, in particular, startIndex = 0 case.
1. We support array.slice() call. This is a well-used way to clone array.
For example, underscore.js uses this technique.
2. We remove several checks if the given index value is a proven constant.
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
We can skip some of checks if the given value is a proven constant.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
Change below to belowOrEqual. It does not change meaning in the code. But it allows us
to fold BelowEqual(0, x) to true.
2018-03-19 Yusuke Suzuki <utatane.tea@gmail.com>
Drop s_exceptionInstructions static initializer
https://bugs.webkit.org/show_bug.cgi?id=183732
Reviewed by Darin Adler.
Make Instruction constructor constexpr to drop the static constructor
of LLInt::Data::s_exceptionInstructions.
* bytecode/Instruction.h:
(JSC::Instruction::Instruction):
2018-03-19 Dan Bernstein <mitz@apple.com>
Investigate why __cpu_indicator_init is used
https://bugs.webkit.org/show_bug.cgi?id=183736
Reviewed by Tim Horton.
__cpu_indicator_init, which is a global initializer, was included in JavaScriptCore because
we were passing the -all_load option to the linker, causing it to bring in all members of
every static library being linked in, including the compiler runtime library. We only need
to load all members of WTF. The linker option for doing that is -force_load, and it requires
a path to the library. To support building against libWTF.a built locally as well as against
the copy that is in the SDK, we add a script build phase that palces a symbolic link to the
appropriate libWTF.a under the DerivedSources directory, and pass the path to that symlink
to the linker. Also, while cleaning up linker flags, make OTHER_LDFLAGS_HIDE_SYMBOLS less
verbose by eliminating every other -Wl, remove redundant -lobjc (libobjc is already listed
in the Link Binary With Libraries build phase), remove long-unsupported -Y,3, and stop
reexporting libobjc.
* Configurations/JavaScriptCore.xcconfig:
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-03-19 Jiewen Tan <jiewen_tan@apple.com>
Unreviewed, another quick fix for r229699
Restricts ENABLE_WEB_AUTHN to only macOS and iOS.
* Configurations/FeatureDefines.xcconfig:
2018-03-19 Mark Lam <mark.lam@apple.com>
FunctionPtr should be passed by value.
https://bugs.webkit.org/show_bug.cgi?id=183746
<rdar://problem/38625311>
Reviewed by JF Bastien.
It's meant to be an encapsulation of a C/C++ function pointer. There are cases
where we use it to pass JIT compiled code (e.g. the VM thunks/stubs), but they are
treated as if they are C/C++ functions.
Regardless, there's no need to pass it by reference.
* assembler/MacroAssemblerCodeRef.h:
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::appendCall):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::appendCall):
(JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
(JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
(JSC::DFG::SpeculativeJIT::appendCallSetResult):
* jit/JIT.h:
(JSC::JIT::appendCall):
(JSC::JIT::appendCallWithSlowPathReturnType):
* jit/JITInlines.h:
(JSC::JIT::appendCallWithExceptionCheck):
(JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
(JSC::JIT::appendCallWithCallFrameRollbackOnException):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
2018-03-15 Ross Kirsling <ross.kirsling@sony.com>
Fix MSVC run-time check after r229391.
https://bugs.webkit.org/show_bug.cgi?id=183673
Reviewed by Keith Miller.
Replaces attempted fix from r229424/r229432.
Apparently MSVC doesn't like it when a zero-length std::array is defined without explicit braces.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::clampArrayToSize):
2018-03-15 Tim Horton <timothy_horton@apple.com>
Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in ANGLE
https://bugs.webkit.org/show_bug.cgi?id=183675
<rdar://problem/38515281>
Reviewed by Dan Bernstein.
* JavaScriptCore.xcodeproj/project.pbxproj:
Don't install the JSC alias if we're installing to an alternate location.
This should have been a part of r229637.
2018-03-15 Tim Horton <timothy_horton@apple.com>
Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=183649
<rdar://problem/38480526>
Reviewed by Dan Bernstein.
* Configurations/Base.xcconfig:
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-03-14 Mark Lam <mark.lam@apple.com>
Enhance the MacroAssembler and LinkBuffer to support pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=183623
<rdar://problem/38443314>
Reviewed by Michael Saboff.
1. Added a PtrTag argument to indirect call() and indirect jump() MacroAssembler
emitters to support pointer profiling.
2. Also added tagPtr(), untagPtr(), and removePtrTag() placeholder methods.
3. Added a PtrTag to LinkBuffer finalizeCodeWithoutDisassembly() and clients.
4. Updated clients to pass a PtrTag. For the most part, I just apply NoPtrTag as
a placeholder until we have time to analyze what pointer profile each client
site has later.
5. Apply PtrTags to the YarrJIT.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::linkJumpOrCall):
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::getLinkerAddress):
(JSC::AbstractMacroAssembler::tagPtr):
(JSC::AbstractMacroAssembler::untagPtr):
(JSC::AbstractMacroAssembler::removePtrTag):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
(JSC::LinkBuffer::finalizeCodeWithDisassembly):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::link):
(JSC::LinkBuffer::locationOfNearCall):
(JSC::LinkBuffer::locationOf):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::jump):
(JSC::MacroAssemblerARM::call):
(JSC::MacroAssemblerARM::readCallTarget):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::call):
(JSC::MacroAssemblerARM64::jump):
(JSC::MacroAssemblerARM64::readCallTarget):
(JSC::MacroAssemblerARM64::linkCall):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::jump):
(JSC::MacroAssemblerARMv7::relativeTableJump):
(JSC::MacroAssemblerARMv7::call):
(JSC::MacroAssemblerARMv7::readCallTarget):
* assembler/MacroAssemblerCodeRef.cpp:
(JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
(JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr):
(JSC::FunctionPtr::value const):
(JSC::MacroAssemblerCodePtr:: const):
(JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
(JSC::MacroAssemblerCodeRef::retaggedCode const):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::jump):
(JSC::MacroAssemblerMIPS::call):
(JSC::MacroAssemblerMIPS::readCallTarget):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::call):
(JSC::MacroAssemblerX86::jump):
(JSC::MacroAssemblerX86::readCallTarget):
* assembler/MacroAssemblerX86Common.cpp:
(JSC::MacroAssembler::probe):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::jump):
(JSC::MacroAssemblerX86Common::call):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::call):
(JSC::MacroAssemblerX86_64::jump):
(JSC::MacroAssemblerX86_64::readCallTarget):
* assembler/testmasm.cpp:
(JSC::compile):
(JSC::invoke):
* b3/B3Compile.cpp:
(JSC::B3::compile):
* b3/B3LowerMacros.cpp:
* b3/air/AirCCallSpecial.cpp:
(JSC::B3::Air::CCallSpecial::generate):
* b3/air/testair.cpp:
* b3/testb3.cpp:
(JSC::B3::invoke):
(JSC::B3::testInterpreter):
(JSC::B3::testEntrySwitchSimple):
(JSC::B3::testEntrySwitchNoEntrySwitch):
(JSC::B3::testEntrySwitchWithCommonPaths):
(JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
(JSC::B3::testEntrySwitchLoop):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/AccessCaseSnippetParams.cpp:
(JSC::SlowPathCallGeneratorWithArguments::generateImpl):
* bytecode/InlineAccess.cpp:
(JSC::linkCodeInline):
(JSC::InlineAccess::rewireStubAsJump):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::emitExplicitExceptionHandler):
(JSC::PolymorphicAccess::regenerate):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileExceptionHandlers):
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::compileFunction):
(JSC::DFG::JITCompiler::noticeCatchEntrypoint):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::appendCall):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::emitRestoreArguments):
(JSC::DFG::OSRExit::compileOSRExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
(JSC::DFG::osrWriteBarrier):
(JSC::DFG::adjustAndJumpToTarget):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitThunkGenerator):
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::generate):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLSlowPathCall.cpp:
(JSC::FTL::SlowPathCallContext::makeCall):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::osrExitGenerationThunkGenerator):
(JSC::FTL::lazySlowPathGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::callExceptionFuzz):
(JSC::AssemblyHelpers::debugCall):
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::ensureShadowChickenPacket):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::jumpToExceptionHandler):
* jit/ExecutableAllocator.cpp:
(JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
* jit/JIT.cpp:
(JSC::JIT::emitEnterOptimizationCheck):
(JSC::JIT::link):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
(JSC::JIT::appendCall):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::emitSlow_op_loop_hint):
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
* jit/JITStubRoutine.h:
* jit/Repatch.cpp:
(JSC::readCallTarget):
(JSC::appropriateOptimizingPutByIdFunction):
(JSC::linkPolymorphicCall):
(JSC::resetPutByID):
* jit/SlowPathCall.h:
(JSC::JITSlowPathCall::call):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
(JSC::SpecializedThunkJIT::callDoubleToDouble):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::slowPathFor):
(JSC::linkCallThunkGenerator):
(JSC::linkPolymorphicCallThunkGenerator):
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::arityFixupGenerator):
(JSC::unreachableGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
(JSC::LLInt::functionForCallEntryThunkGenerator):
(JSC::LLInt::functionForConstructEntryThunkGenerator):
(JSC::LLInt::functionForCallArityCheckThunkGenerator):
(JSC::LLInt::functionForConstructArityCheckThunkGenerator):
(JSC::LLInt::evalEntryThunkGenerator):
(JSC::LLInt::programEntryThunkGenerator):
(JSC::LLInt::moduleProgramEntryThunkGenerator):
* runtime/PtrTag.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::complete):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
(JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
(JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::YarrGenerator::compile):
(JSC::Yarr::jitCompile):
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::execute):
2018-03-14 Caitlin Potter <caitp@igalia.com>
[JSC] fix order of evaluation for ClassDefinitionEvaluation
https://bugs.webkit.org/show_bug.cgi?id=183523
Reviewed by Keith Miller.
Computed property names need to be evaluated in source order during class
definition evaluation, as it's observable (and specified to work this way).
This change improves compatibility with Chromium.
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitDefineClassElements):
* bytecompiler/NodesCodegen.cpp:
(JSC::PropertyListNode::emitBytecode):
(JSC::ClassExprNode::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createClassExpr):
(JSC::ASTBuilder::createGetterOrSetterProperty):
(JSC::ASTBuilder::createProperty):
* parser/NodeConstructors.h:
(JSC::PropertyNode::PropertyNode):
(JSC::ClassExprNode::ClassExprNode):
* parser/Nodes.cpp:
(JSC::PropertyListNode::hasStaticallyNamedProperty):
* parser/Nodes.h:
(JSC::PropertyNode::isClassProperty const):
(JSC::PropertyNode::isStaticClassProperty const):
(JSC::PropertyNode::isInstanceClassProperty const):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseClass):
(JSC::Parser<LexerType>::parseProperty):
(JSC::Parser<LexerType>::parseGetterSetter):
* parser/Parser.h:
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createClassExpr):
(JSC::SyntaxChecker::createProperty):
(JSC::SyntaxChecker::createGetterOrSetterProperty):
2018-03-14 Keith Miller <keith_miller@apple.com>
Move jsc CLI breakpoint function to $vm
https://bugs.webkit.org/show_bug.cgi?id=183512
Reviewed by Yusuke Suzuki.
* jsc.cpp:
(GlobalObject::finishCreation):
(functionBreakpoint): Deleted.
* tools/JSDollarVM.cpp:
(JSC::functionBreakpoint):
(JSC::JSDollarVM::finishCreation):
2018-03-14 Tim Horton <timothy_horton@apple.com>
Fix the build after r229567
* Configurations/FeatureDefines.xcconfig:
2018-03-12 Mark Lam <mark.lam@apple.com>
Gardening: speculative build fix for WinCairo.
https://bugs.webkit.org/show_bug.cgi?id=183573
Not reviewed.
* runtime/NativeFunction.h:
(JSC::TaggedNativeFunction::TaggedNativeFunction):
2018-03-12 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix obsolete ASSERT
https://bugs.webkit.org/show_bug.cgi?id=183310
Now NewObject can be conereted from CallObjectConstructor and CreateThis.
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToNewObject):
2018-03-12 Tim Horton <timothy_horton@apple.com>
Stop using SDK conditionals to control feature definitions
https://bugs.webkit.org/show_bug.cgi?id=183430
<rdar://problem/38251619>
Reviewed by Dan Bernstein.
* Configurations/FeatureDefines.xcconfig:
* Configurations/WebKitTargetConditionals.xcconfig: Renamed.
2018-03-12 Yoav Weiss <yoav@yoav.ws>
Runtime flag for link prefetch and remove link subresource.
https://bugs.webkit.org/show_bug.cgi?id=183540
Reviewed by Chris Dumez.
Remove the LINK_PREFETCH build time flag.
* Configurations/FeatureDefines.xcconfig:
2018-03-12 Mark Lam <mark.lam@apple.com>
Gardening: speculative build fix for Windows.
https://bugs.webkit.org/show_bug.cgi?id=183573
Not reviewed.
* runtime/NativeFunction.h:
(JSC::TaggedNativeFunction::TaggedNativeFunction):
2018-03-12 Mark Lam <mark.lam@apple.com>
Add another PtrTag.
https://bugs.webkit.org/show_bug.cgi?id=183580
<rdar://problem/38390584>
Reviewed by Keith Miller.
* runtime/PtrTag.h:
2018-03-12 Mark Lam <mark.lam@apple.com>
Make a NativeFunction into a class to support pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=183573
<rdar://problem/38384697>
Reviewed by Filip Pizlo.
1. NativeFunction is now a class, and introducing RawNativeFunction and
TaggedNativeFunction.
RawNativeFunction is the raw pointer type (equivalent
to the old definition of NativeFunction). This is mainly used for underlying
storage inside the NativeFunction class, and also for global data tables that
cannot embed non-trivially constructed objects.
NativeFunction's role is mainly to encapsulate a pointer to a C function that
we pass into the VM.
TaggedNativeFunction encapsulates the tagged version of a pointer to a C
function that we track in the VM.
2. Added a convenience constructor for TrustedImmPtr so that we don't have to
cast function pointers to void* anymore when constructing a TrustedImmPtr.
3. Removed the unused CALL_RETURN macro in CommonSlowPaths.cpp.
4. Added more PtrTag utility functions.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
* create_hash_table:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
* interpreter/InterpreterInlines.h:
(JSC::Interpreter::getOpcodeID):
* jit/JITThunks.cpp:
(JSC::JITThunks::hostFunctionStub):
* jit/JITThunks.h:
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter.cpp:
(JSC::CLoop::execute):
* llint/LowLevelInterpreter64.asm:
* offlineasm/ast.rb:
* runtime/CallData.h:
* runtime/CommonSlowPaths.cpp:
* runtime/ConstructData.h:
* runtime/InternalFunction.h:
(JSC::InternalFunction::nativeFunctionFor):
* runtime/JSCell.cpp:
(JSC::JSCell::getCallData):
(JSC::JSCell::getConstructData):
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::nativeFunction):
(JSC::JSFunction::nativeConstructor):
(JSC::isHostFunction):
* runtime/Lookup.h:
(JSC::HashTableValue::function const):
(JSC::HashTableValue::accessorGetter const):
(JSC::HashTableValue::accessorSetter const):
(JSC::nonCachingStaticFunctionGetter):
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::create):
(JSC::NativeExecutable::NativeExecutable):
* runtime/NativeExecutable.h:
* runtime/NativeFunction.h: Added.
(JSC::NativeFunction::NativeFunction):
(JSC::NativeFunction::operator intptr_t const):
(JSC::NativeFunction::operator bool const):
(JSC::NativeFunction::operator! const):
(JSC::NativeFunction::operator== const):
(JSC::NativeFunction::operator!= const):
(JSC::NativeFunction::operator()):
(JSC::NativeFunction::rawPointer const):
(JSC::NativeFunctionHash::hash):
(JSC::NativeFunctionHash::equal):
(JSC::TaggedNativeFunction::TaggedNativeFunction):
(JSC::TaggedNativeFunction::operator bool const):
(JSC::TaggedNativeFunction::operator! const):
(JSC::TaggedNativeFunction::operator== const):
(JSC::TaggedNativeFunction::operator!= const):
(JSC::TaggedNativeFunction::operator()):
(JSC::TaggedNativeFunction::operator NativeFunction):
(JSC::TaggedNativeFunction::rawPointer const):
(JSC::TaggedNativeFunctionHash::hash):
(JSC::TaggedNativeFunctionHash::equal):
* runtime/PtrTag.h:
(JSC::tagCFunctionPtr):
(JSC::untagCFunctionPtr):
* runtime/VM.h:
(JSC::VM::targetMachinePCForThrowOffset): Deleted.
2018-03-12 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix simple goof that was causing 32-bit DFG crashes.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2018-03-11 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] AI should convert CreateThis to NewObject if the prototype object is proved
https://bugs.webkit.org/show_bug.cgi?id=183310
Reviewed by Filip Pizlo.
This patch implements CreateThis -> NewObject conversion in AI if the given function is constant.
This contributes to 6% win in Octane/raytrace.
baseline patched
raytrace x2 1.19915+-0.01862 ^ 1.13156+-0.01589 ^ definitely 1.0597x faster
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
2018-03-11 Wenson Hsieh <wenson_hsieh@apple.com>
Disable Sigill crash analyzer on watchOS
https://bugs.webkit.org/show_bug.cgi?id=183548
<rdar://problem/38338032>
Reviewed by Mark Lam.
Sigill is not supported on watchOS.
* runtime/Options.cpp:
(JSC::overrideDefaults):
2018-03-09 Filip Pizlo <fpizlo@apple.com>
Split DirectArguments into JSValueOOB and JSValueStrict parts
https://bugs.webkit.org/show_bug.cgi?id=183458
Reviewed by Yusuke Suzuki.
Our Spectre plan for JSValue objects is to allow inline JSValue stores and loads guarded by
unmitigated structure checks. This works because objects reachable from JSValues (i.e. JSValue
objects, like String, Symbol, and any descendant of JSObject) will only contain fields that it's OK
to read and write within a Spectre mitigation window. Writes are important, because within the
window, a write could appear to be made speculatively and rolled out later. This means that:
- JSValue objects cannot have lengths, masks, or anything else inline.
- JSValue objects cannot have an inline type that is used as part of a Spectre mitigation for a type
check, unless that type is in the form of a poison key.
This means that the dynamic poisoning that I previously landed for DirectArguments is wrong. It also
means that it's wrong for DirectArguments to have an inline length.
This changes DirectArguments to use poisoning according to the universal formula:
- The random accessed portions are out-of-line, pointed to by a poisoned pointer.
- No inline length.
Surprisingly, this is perf-neutral. It's probably perf-neutral because our compiler optimizations
amortize whatever cost there was.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
* dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
(JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
* dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Added.
(JSC::DFG::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetFromArguments):
(JSC::DFG::SpeculativeJIT::compilePutToArguments):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
(JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
* heap/SecurityKind.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_from_arguments):
(JSC::JIT::emit_op_put_to_arguments):
(JSC::JIT::emitDirectArgumentsGetByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_from_arguments):
(JSC::JIT::emit_op_put_to_arguments):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::DirectArguments):
(JSC::DirectArguments::createUninitialized):
(JSC::DirectArguments::create):
(JSC::DirectArguments::createByCopying):
(JSC::DirectArguments::estimatedSize):
(JSC::DirectArguments::visitChildren):
(JSC::DirectArguments::overrideThings):
(JSC::DirectArguments::copyToArguments):
(JSC::DirectArguments::mappedArgumentsSize):
* runtime/DirectArguments.h:
* runtime/JSCPoison.h:
* runtime/JSLexicalEnvironment.h:
* runtime/JSSymbolTableObject.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-03-11 Yusuke Suzuki <utatane.tea@gmail.com>
[B3] Above/Below should be strength-reduced for comparison with 0
https://bugs.webkit.org/show_bug.cgi?id=183543
Reviewed by Filip Pizlo.
Above(0, x) and BelowEqual(0, x) can be converted to constants false and true respectively.
This can be seen in ArraySlice(0) case: `Select(Above(0, length), length, 0)` this should
be converted to `0`. This patch adds such a folding to comparisons.
We also fix B3ReduceStrength issue creating an orphan value. If a flipped value is folded to
a constant, we do not insert flipped value and make it an orphan. This issue causes JSC test
failure with this B3Const32/64Value change. With this patch, we create a flipped value only
when we fail to fold it to a constant.
* b3/B3Const32Value.cpp:
(JSC::B3::Const32Value::lessThanConstant const):
(JSC::B3::Const32Value::greaterThanConstant const):
(JSC::B3::Const32Value::lessEqualConstant const):
(JSC::B3::Const32Value::greaterEqualConstant const):
(JSC::B3::Const32Value::aboveConstant const):
(JSC::B3::Const32Value::belowConstant const):
(JSC::B3::Const32Value::aboveEqualConstant const):
(JSC::B3::Const32Value::belowEqualConstant const):
* b3/B3Const64Value.cpp:
(JSC::B3::Const64Value::lessThanConstant const):
(JSC::B3::Const64Value::greaterThanConstant const):
(JSC::B3::Const64Value::lessEqualConstant const):
(JSC::B3::Const64Value::greaterEqualConstant const):
(JSC::B3::Const64Value::aboveConstant const):
(JSC::B3::Const64Value::belowConstant const):
(JSC::B3::Const64Value::aboveEqualConstant const):
(JSC::B3::Const64Value::belowEqualConstant const):
* b3/B3ReduceStrength.cpp:
* b3/testb3.cpp:
(JSC::B3::int64Operands):
(JSC::B3::int32Operands):
2018-03-10 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
https://bugs.webkit.org/show_bug.cgi?id=181848
Reviewed by Sam Weinig.
In r181535, we support `string.match(/nonglobal/)` code. However, `string.match(/global/g)` is not
optimized since it sets `lastIndex` value before performing RegExp operation.
This patch optimizes the above "with a global flag" case by emitting `SetRegExpObjectLastIndex` properly.
RegExpMatchFast is converted to SetRegExpObjectLastIndex and RegExpMatchFastGlobal. The latter node
just holds RegExp (not RegExpObject) cell so that it can offer a chance to make NewRegexp PhantomNewRegexp
in object allocation sinking phase.
Added microbenchmarks shows that this patch makes NewRegexp PhantomNewRegexp even if the given RegExp
has a global flag. And it improves the performance.
baseline patched
regexp-u-global-es5 44.1298+-4.6128 ^ 33.7920+-2.0110 ^ definitely 1.3059x faster
regexp-u-global-es6 182.3272+-2.2861 ^ 154.3414+-7.6769 ^ definitely 1.1813x faster
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToRegExpMatchFastGlobal):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileRegExpMatchFastGlobal):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
* runtime/RegExpObject.cpp:
(JSC::collectMatches): Deleted.
* runtime/RegExpObject.h:
* runtime/RegExpObjectInlines.h:
(JSC::RegExpObject::execInline):
(JSC::RegExpObject::matchInline):
(JSC::advanceStringUnicode):
(JSC::collectMatches):
(JSC::RegExpObject::advanceStringUnicode): Deleted.
* runtime/RegExpPrototype.cpp:
(JSC::advanceStringIndex):
2018-03-10 Yusuke Suzuki <utatane.tea@gmail.com>
B3::reduceStrength should canonicalize integer comparisons
https://bugs.webkit.org/show_bug.cgi?id=150958
Reviewed by Filip Pizlo.
This patch sorts operands of comparisons by flipping opcode. For example, `Above(0, @2)` is
converted to `Below(@2, 0)`. This sorting is the same to handleCommutativity rule. Since we
canonicalize comparisons to have constant value at least on the right hand side, we can
remove pattern matchings checking leftImm in B3LowerToAir.
Since this flipping changes the opcode of the value, to achieve safely, we just create a
new value which has flipped opcode and swapped operands. If we can fold it to a constant,
we replace m_value with this constant. If we fail to fold it to constant, we replace
m_value with the flipped one.
These comparisons are already handled in testb3.
* b3/B3LowerToAir.cpp:
* b3/B3ReduceStrength.cpp:
2018-03-09 Mark Lam <mark.lam@apple.com>
offlineasm should reset the Assembler's working state before doing another pass for a new target.
https://bugs.webkit.org/show_bug.cgi?id=183538
<rdar://problem/38325955>
Reviewed by Michael Saboff.
* llint/LowLevelInterpreter.cpp:
* offlineasm/asm.rb:
* offlineasm/cloop.rb:
2018-03-09 Brian Burg <bburg@apple.com>
Web Inspector: there should only be one way for async backend commands to send failure
https://bugs.webkit.org/show_bug.cgi?id=183524
Reviewed by Timothy Hatcher.
If this is an async command, errors should be reported with BackendDispatcher::CallbackBase::sendFailure.
To avoid mixups, don't include the ErrorString out-parameter in generated async command signatures.
This change only affects interfaces generated for C++ backend dispatchers.
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
(CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2018-03-09 Mark Lam <mark.lam@apple.com>
Build fix after r229476.
https://bugs.webkit.org/show_bug.cgi?id=183488
Not reviewed.
* runtime/StackAlignment.h:
2018-03-09 Mark Lam <mark.lam@apple.com>
[Re-landing] Add support for ARM64E.
https://bugs.webkit.org/show_bug.cgi?id=183398
<rdar://problem/38212621>
Reviewed by Michael Saboff.
* assembler/MacroAssembler.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/backends.rb:
2018-03-09 Mark Lam <mark.lam@apple.com>
[Re-landing] Prepare LLInt code to support pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=183387
<rdar://problem/38199678>
Reviewed by JF Bastien.
1. Introduced PtrTag enums for supporting pointer profiling later.
2. Also introduced tagging, untagging, retagging, and tag removal placeholder
template functions for the same purpose.
3. Prepare the offlineasm for supporting pointer profiling later.
4. Tagged some pointers in LLInt asm code. Currently, these should have no
effect on behavior.
5. Removed returnToThrowForThrownException() because it is not used anywhere.
6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
easier to view and edit these files in Xcode.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/LLIntCallLinkInfo.h:
(JSC::LLIntCallLinkInfo::unlink):
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
* llint/LLIntExceptions.cpp:
(JSC::LLInt::returnToThrowForThrownException): Deleted.
* llint/LLIntExceptions.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntOffsetsExtractor.cpp:
* llint/LLIntPCRanges.h:
(JSC::LLInt::isLLIntPC):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::handleHostCall):
(JSC::LLInt::setUpCall):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/ast.rb:
* offlineasm/instructions.rb:
* offlineasm/risc.rb:
* runtime/PtrTag.h: Added.
(JSC::uniquePtrTagID):
(JSC::ptrTag):
(JSC::tagCodePtr):
(JSC::untagCodePtr):
(JSC::retagCodePtr):
(JSC::removeCodePtrTag):
2018-03-09 Mark Lam <mark.lam@apple.com>
Remove unused LLINT_STATS feature.
https://bugs.webkit.org/show_bug.cgi?id=183522
<rdar://problem/38313139>
Rubber-stamped by Keith Miller.
We haven't used this in a while, and it is one more option that makes offlineasm
build slower. We can always re-introduce this later if we need it.
* jsc.cpp:
* llint/LLIntCommon.h:
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
(JSC::LLInt::Data::finalizeStats): Deleted.
(JSC::LLInt::compareStats): Deleted.
(JSC::LLInt::Data::dumpStats): Deleted.
(JSC::LLInt::Data::ensureStats): Deleted.
(JSC::LLInt::Data::loadStats): Deleted.
(JSC::LLInt::Data::resetStats): Deleted.
(JSC::LLInt::Data::saveStats): Deleted.
* llint/LLIntData.h:
(): Deleted.
(JSC::LLInt::Data::opcodeStats): Deleted.
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntSlowPaths.cpp:
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/Options.cpp:
(JSC::Options::isAvailable):
(JSC::recomputeDependentOptions):
* runtime/Options.h:
* runtime/TestRunnerUtils.cpp:
(JSC::finalizeStatsAtEndOfTesting):
2018-03-09 Michael Saboff <msaboff@apple.com>
Relanding "testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64"
https://bugs.webkit.org/show_bug.cgi?id=183488
It applied and built just fine locally.
* assembler/testmasm.cpp:
(JSC::testBranchTruncateDoubleToInt32):
2018-03-09 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, remove WebAssemblyFunctionType
https://bugs.webkit.org/show_bug.cgi?id=183429
Drop WebAssemblyFunctionType since it is no longer used. This breaks
JSCast assumption that all the derived classes of JSFunction use
JSFunctionType. We also add ASSERT for JSFunction::finishCreation.
* runtime/JSFunction.cpp:
(JSC::JSFunction::finishCreation):
* runtime/JSType.h:
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::createStructure):
* wasm/js/WebAssemblyFunction.h:
2018-03-09 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r229446.
This change relies on changes that have been rolled out.
Reverted changeset:
"testmasm crashes in testBranchTruncateDoubleToInt32() on
ARM64"
https://bugs.webkit.org/show_bug.cgi?id=183488
https://trac.webkit.org/changeset/229446
2018-03-08 Chris Dumez <cdumez@apple.com>
Safari not handling undefined global variables with same name as element Id correctly.
https://bugs.webkit.org/show_bug.cgi?id=183087
<rdar://problem/37927596>
Reviewed by Ryosuke Niwa.
global variables (var foo;) should not be hidden by:
- Named properties
- Properties on the prototype chain
Therefore, we now have JSGlobalObject::addVar() call JSGlobalObject::addGlobalVar()
if !hasOwnProperty() instead of !hasProperty.
This aligns our behavior with Chrome and Firefox.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::addVar):
2018-03-08 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r229354 and r229364.
https://bugs.webkit.org/show_bug.cgi?id=183492
Breaks internal builds (Requested by ryanhaddad on #webkit).
Reverted changesets:
"Prepare LLInt code to support pointer profiling."
https://bugs.webkit.org/show_bug.cgi?id=183387
https://trac.webkit.org/changeset/229354
"Add support for ARM64E."
https://bugs.webkit.org/show_bug.cgi?id=183398
https://trac.webkit.org/changeset/229364
2018-03-08 Michael Saboff <msaboff@apple.com>
testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64
https://bugs.webkit.org/show_bug.cgi?id=183488
Reviewed by Mark Lam.
Using stackAlignmentBytes() will keep the stack properly aligned.
* assembler/testmasm.cpp:
(JSC::testBranchTruncateDoubleToInt32):
2018-03-08 Michael Saboff <msaboff@apple.com>
Emit code to zero the stack frame on function entry
Nhttps://bugs.webkit.org/show_bug.cgi?id=183391
Reviewed by Mark Lam.
Added code to zero incoming stack frame behind a new JSC option, zeroStackFrame.
The default setting of the option is off.
Did some minor refactoring of the YarrJIT stack alignment code.
* b3/air/AirCode.cpp:
(JSC::B3::Air::defaultPrologueGenerator):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compile):
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrEntryThunkGenerator):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::clearStackFrame):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
* llint/LowLevelInterpreter.asm:
* runtime/Options.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::ialignCallFrameSizeInBytesnitCallFrame):
(JSC::Yarr::YarrGenerator::initCallFrame):
(JSC::Yarr::YarrGenerator::removeCallFrame):
2018-03-08 Keith Miller <keith_miller@apple.com>
Unreviewed, another attempt at fixing the Windows build.
I guess the pragma must be outside the function...
* jit/CCallHelpers.h:
(JSC::CCallHelpers::clampArrayToSize):
2018-03-08 Keith Miller <keith_miller@apple.com>
Unreviewed, one last try at fixing the windows build before rollout.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::clampArrayToSize):
2018-03-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Optimize inherits<T> if T is final type
https://bugs.webkit.org/show_bug.cgi?id=183435
Reviewed by Mark Lam.
If the type T is a final type (`std::is_final<T>::value == true`), there is no
classes which is derived from T. It means that `jsDynamicCast<T>` only needs
to check the given cell's `classInfo(vm)` is `T::info()`.
This patch adds a new specialization for jsDynamicCast<T> / inherits<T> for a
final type. And we also add `final` annotations to JS cell types in JSC. This
offers,
1. Readability. If the given class is annotated with `final`, we do not need to
consider about the derived classes of T.
2. Static Checking. If your class is not intended to be used as a base class, attaching
`final` can ensure this invariant.
3. Performance. jsDynamicCast<T> and inherits<T> can be optimized and the code size should
be smaller.
* API/JSCallbackConstructor.h:
(JSC::JSCallbackConstructor::create): Deleted.
(JSC::JSCallbackConstructor::classRef const): Deleted.
(JSC::JSCallbackConstructor::callback const): Deleted.
(JSC::JSCallbackConstructor::createStructure): Deleted.
(JSC::JSCallbackConstructor::constructCallback): Deleted.
* API/JSCallbackFunction.h:
(JSC::JSCallbackFunction::createStructure): Deleted.
(JSC::JSCallbackFunction::functionCallback): Deleted.
* API/JSCallbackObject.h:
(JSC::JSCallbackObject::create): Deleted.
(JSC::JSCallbackObject::destroy): Deleted.
(JSC::JSCallbackObject::classRef const): Deleted.
(JSC::JSCallbackObject::getPrivateProperty const): Deleted.
(JSC::JSCallbackObject::setPrivateProperty): Deleted.
(JSC::JSCallbackObject::deletePrivateProperty): Deleted.
(JSC::JSCallbackObject::visitChildren): Deleted.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantRegisters):
* bytecode/ExecutableToCodeBlockEdge.h:
(JSC::ExecutableToCodeBlockEdge::subspaceFor): Deleted.
(JSC::ExecutableToCodeBlockEdge::codeBlock const): Deleted.
(JSC::ExecutableToCodeBlockEdge::unwrap): Deleted.
* bytecode/FunctionCodeBlock.h:
(JSC::FunctionCodeBlock::subspaceFor): Deleted.
(JSC::FunctionCodeBlock::create): Deleted.
(JSC::FunctionCodeBlock::createStructure): Deleted.
(JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
* debugger/DebuggerScope.h:
(JSC::DebuggerScope::createStructure): Deleted.
(JSC::DebuggerScope::iterator::iterator): Deleted.
(JSC::DebuggerScope::iterator::get): Deleted.
(JSC::DebuggerScope::iterator::operator++): Deleted.
(JSC::DebuggerScope::iterator::operator== const): Deleted.
(JSC::DebuggerScope::iterator::operator!= const): Deleted.
(JSC::DebuggerScope::isValid const): Deleted.
(JSC::DebuggerScope::jsScope const): Deleted.
* inspector/JSInjectedScriptHost.h:
(Inspector::JSInjectedScriptHost::createStructure): Deleted.
(Inspector::JSInjectedScriptHost::create): Deleted.
(Inspector::JSInjectedScriptHost::impl const): Deleted.
* inspector/JSInjectedScriptHostPrototype.h:
(Inspector::JSInjectedScriptHostPrototype::create): Deleted.
(Inspector::JSInjectedScriptHostPrototype::createStructure): Deleted.
(Inspector::JSInjectedScriptHostPrototype::JSInjectedScriptHostPrototype): Deleted.
* inspector/JSJavaScriptCallFrame.h:
(Inspector::JSJavaScriptCallFrame::createStructure): Deleted.
(Inspector::JSJavaScriptCallFrame::create): Deleted.
(Inspector::JSJavaScriptCallFrame::impl const): Deleted.
* inspector/JSJavaScriptCallFramePrototype.h:
(Inspector::JSJavaScriptCallFramePrototype::create): Deleted.
(Inspector::JSJavaScriptCallFramePrototype::createStructure): Deleted.
(Inspector::JSJavaScriptCallFramePrototype::JSJavaScriptCallFramePrototype): Deleted.
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
* runtime/ArrayConstructor.h:
(JSC::ArrayConstructor::create): Deleted.
(JSC::ArrayConstructor::createStructure): Deleted.
* runtime/ArrayIteratorPrototype.h:
(JSC::ArrayIteratorPrototype::create): Deleted.
(JSC::ArrayIteratorPrototype::createStructure): Deleted.
(JSC::ArrayIteratorPrototype::ArrayIteratorPrototype): Deleted.
* runtime/ArrayPrototype.h:
(JSC::ArrayPrototype::createStructure): Deleted.
* runtime/AsyncFromSyncIteratorPrototype.h:
(JSC::AsyncFromSyncIteratorPrototype::createStructure): Deleted.
* runtime/AsyncFunctionConstructor.h:
(JSC::AsyncFunctionConstructor::create): Deleted.
(JSC::AsyncFunctionConstructor::createStructure): Deleted.
* runtime/AsyncFunctionPrototype.h:
(JSC::AsyncFunctionPrototype::create): Deleted.
(JSC::AsyncFunctionPrototype::createStructure): Deleted.
* runtime/AsyncGeneratorFunctionConstructor.h:
(JSC::AsyncGeneratorFunctionConstructor::create): Deleted.
(JSC::AsyncGeneratorFunctionConstructor::createStructure): Deleted.
* runtime/AsyncGeneratorFunctionPrototype.h:
(JSC::AsyncGeneratorFunctionPrototype::create): Deleted.
(JSC::AsyncGeneratorFunctionPrototype::createStructure): Deleted.
* runtime/AsyncGeneratorPrototype.h:
(JSC::AsyncGeneratorPrototype::create): Deleted.
(JSC::AsyncGeneratorPrototype::createStructure): Deleted.
(JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype): Deleted.
* runtime/AsyncIteratorPrototype.h:
(JSC::AsyncIteratorPrototype::create): Deleted.
(JSC::AsyncIteratorPrototype::createStructure): Deleted.
(JSC::AsyncIteratorPrototype::AsyncIteratorPrototype): Deleted.
* runtime/AtomicsObject.h:
* runtime/BigIntConstructor.h:
(JSC::BigIntConstructor::create): Deleted.
(JSC::BigIntConstructor::createStructure): Deleted.
* runtime/BigIntObject.h:
(JSC::BigIntObject::create): Deleted.
(JSC::BigIntObject::internalValue const): Deleted.
(JSC::BigIntObject::createStructure): Deleted.
* runtime/BigIntPrototype.h:
(JSC::BigIntPrototype::create): Deleted.
(JSC::BigIntPrototype::createStructure): Deleted.
* runtime/BooleanConstructor.h:
(JSC::BooleanConstructor::create): Deleted.
(JSC::BooleanConstructor::createStructure): Deleted.
* runtime/BooleanPrototype.h:
(JSC::BooleanPrototype::create): Deleted.
(JSC::BooleanPrototype::createStructure): Deleted.
* runtime/ConsoleObject.h:
(JSC::ConsoleObject::create): Deleted.
(JSC::ConsoleObject::createStructure): Deleted.
* runtime/DOMAttributeGetterSetter.h:
(JSC::isDOMAttributeGetterSetter): Deleted.
* runtime/DateConstructor.h:
(JSC::DateConstructor::create): Deleted.
(JSC::DateConstructor::createStructure): Deleted.
* runtime/DateInstance.h:
(JSC::DateInstance::create): Deleted.
(JSC::DateInstance::internalNumber const): Deleted.
(JSC::DateInstance::gregorianDateTime const): Deleted.
(JSC::DateInstance::gregorianDateTimeUTC const): Deleted.
(JSC::DateInstance::createStructure): Deleted.
* runtime/DatePrototype.h:
(JSC::DatePrototype::create): Deleted.
(JSC::DatePrototype::createStructure): Deleted.
* runtime/Error.h:
(JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): Deleted.
(JSC::StrictModeTypeErrorFunction::create): Deleted.
(JSC::StrictModeTypeErrorFunction::constructThrowTypeError): Deleted.
(JSC::StrictModeTypeErrorFunction::callThrowTypeError): Deleted.
(JSC::StrictModeTypeErrorFunction::createStructure): Deleted.
* runtime/ErrorConstructor.h:
(JSC::ErrorConstructor::create): Deleted.
(JSC::ErrorConstructor::createStructure): Deleted.
(JSC::ErrorConstructor::stackTraceLimit const): Deleted.
* runtime/Exception.h:
(JSC::Exception::valueOffset): Deleted.
(JSC::Exception::value const): Deleted.
(JSC::Exception::stack const): Deleted.
(JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
(JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
* runtime/FunctionConstructor.h:
(JSC::FunctionConstructor::create): Deleted.
(JSC::FunctionConstructor::createStructure): Deleted.
* runtime/FunctionPrototype.h:
(JSC::FunctionPrototype::create): Deleted.
(JSC::FunctionPrototype::createStructure): Deleted.
* runtime/FunctionRareData.h:
(JSC::FunctionRareData::offsetOfObjectAllocationProfile): Deleted.
(JSC::FunctionRareData::objectAllocationProfile): Deleted.
(JSC::FunctionRareData::objectAllocationStructure): Deleted.
(JSC::FunctionRareData::allocationProfileWatchpointSet): Deleted.
(JSC::FunctionRareData::isObjectAllocationProfileInitialized): Deleted.
(JSC::FunctionRareData::internalFunctionAllocationStructure): Deleted.
(JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase): Deleted.
(JSC::FunctionRareData::clearInternalFunctionAllocationProfile): Deleted.
(JSC::FunctionRareData::getBoundFunctionStructure): Deleted.
(JSC::FunctionRareData::setBoundFunctionStructure): Deleted.
(JSC::FunctionRareData::hasReifiedLength const): Deleted.
(JSC::FunctionRareData::setHasReifiedLength): Deleted.
(JSC::FunctionRareData::hasReifiedName const): Deleted.
(JSC::FunctionRareData::setHasReifiedName): Deleted.
(JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const): Deleted.
(JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): Deleted.
(JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint): Deleted.
* runtime/GeneratorFunctionConstructor.h:
(JSC::GeneratorFunctionConstructor::create): Deleted.
(JSC::GeneratorFunctionConstructor::createStructure): Deleted.
* runtime/GeneratorFunctionPrototype.h:
(JSC::GeneratorFunctionPrototype::create): Deleted.
(JSC::GeneratorFunctionPrototype::createStructure): Deleted.
* runtime/GeneratorPrototype.h:
(JSC::GeneratorPrototype::create): Deleted.
(JSC::GeneratorPrototype::createStructure): Deleted.
(JSC::GeneratorPrototype::GeneratorPrototype): Deleted.
* runtime/InferredValue.h:
(JSC::InferredValue::subspaceFor): Deleted.
(JSC::InferredValue::inferredValue): Deleted.
(JSC::InferredValue::state const): Deleted.
(JSC::InferredValue::isStillValid const): Deleted.
(JSC::InferredValue::hasBeenInvalidated const): Deleted.
(JSC::InferredValue::add): Deleted.
(JSC::InferredValue::notifyWrite): Deleted.
(JSC::InferredValue::invalidate): Deleted.
* runtime/InspectorInstrumentationObject.h:
(JSC::InspectorInstrumentationObject::create): Deleted.
(JSC::InspectorInstrumentationObject::createStructure): Deleted.
* runtime/IntlCollator.h:
(JSC::IntlCollator::boundCompare const): Deleted.
* runtime/IntlCollatorConstructor.h:
(JSC::IntlCollatorConstructor::collatorStructure const): Deleted.
* runtime/IntlCollatorPrototype.h:
* runtime/IntlDateTimeFormat.h:
(JSC::IntlDateTimeFormat::boundFormat const): Deleted.
* runtime/IntlDateTimeFormatConstructor.h:
(JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure const): Deleted.
* runtime/IntlDateTimeFormatPrototype.h:
* runtime/IntlNumberFormat.h:
(JSC::IntlNumberFormat::boundFormat const): Deleted.
* runtime/IntlNumberFormatConstructor.h:
(JSC::IntlNumberFormatConstructor::numberFormatStructure const): Deleted.
* runtime/IntlNumberFormatPrototype.h:
* runtime/IntlObject.h:
* runtime/IteratorPrototype.h:
(JSC::IteratorPrototype::create): Deleted.
(JSC::IteratorPrototype::createStructure): Deleted.
(JSC::IteratorPrototype::IteratorPrototype): Deleted.
* runtime/JSAPIValueWrapper.h:
(JSC::JSAPIValueWrapper::value const): Deleted.
(JSC::JSAPIValueWrapper::createStructure): Deleted.
(JSC::JSAPIValueWrapper::create): Deleted.
(JSC::JSAPIValueWrapper::finishCreation): Deleted.
(JSC::JSAPIValueWrapper::JSAPIValueWrapper): Deleted.
* runtime/JSArrayBufferConstructor.h:
(JSC::JSArrayBufferConstructor::sharingMode const): Deleted.
* runtime/JSArrayBufferPrototype.h:
* runtime/JSAsyncFunction.h:
(JSC::JSAsyncFunction::subspaceFor): Deleted.
(JSC::JSAsyncFunction::allocationSize): Deleted.
(JSC::JSAsyncFunction::createStructure): Deleted.
* runtime/JSAsyncGeneratorFunction.h:
(JSC::JSAsyncGeneratorFunction::subspaceFor): Deleted.
(JSC::JSAsyncGeneratorFunction::allocationSize): Deleted.
(JSC::JSAsyncGeneratorFunction::createStructure): Deleted.
* runtime/JSBigInt.h:
(JSC::JSBigInt::setSign): Deleted.
(JSC::JSBigInt::sign const): Deleted.
(JSC::JSBigInt::setLength): Deleted.
(JSC::JSBigInt::length const): Deleted.
* runtime/JSBoundFunction.h:
(JSC::JSBoundFunction::subspaceFor): Deleted.
(JSC::JSBoundFunction::targetFunction): Deleted.
(JSC::JSBoundFunction::boundThis): Deleted.
(JSC::JSBoundFunction::boundArgs): Deleted.
(JSC::JSBoundFunction::createStructure): Deleted.
(JSC::JSBoundFunction::offsetOfTargetFunction): Deleted.
(JSC::JSBoundFunction::offsetOfBoundThis): Deleted.
* runtime/JSCast.h:
(JSC::JSCastingHelpers::FinalTypeDispatcher::inheritsGeneric):
(JSC::JSCastingHelpers::inheritsJSTypeImpl):
(JSC::JSCastingHelpers::InheritsTraits::inherits):
(JSC::JSCastingHelpers::inheritsGenericImpl): Deleted.
* runtime/JSCustomGetterSetterFunction.cpp:
(JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
* runtime/JSCustomGetterSetterFunction.h:
(JSC::JSCustomGetterSetterFunction::subspaceFor): Deleted.
(JSC::JSCustomGetterSetterFunction::createStructure): Deleted.
(JSC::JSCustomGetterSetterFunction::customGetterSetter const): Deleted.
(JSC::JSCustomGetterSetterFunction::isSetter const): Deleted.
(JSC::JSCustomGetterSetterFunction::propertyName const): Deleted.
* runtime/JSDataView.h:
(JSC::JSDataView::possiblySharedBuffer const): Deleted.
(JSC::JSDataView::unsharedBuffer const): Deleted.
* runtime/JSDataViewPrototype.h:
* runtime/JSFixedArray.h:
(JSC::JSFixedArray::createStructure): Deleted.
(JSC::JSFixedArray::tryCreate): Deleted.
(JSC::JSFixedArray::create): Deleted.
(JSC::JSFixedArray::createFromArray): Deleted.
(JSC::JSFixedArray::get const): Deleted.
(JSC::JSFixedArray::set): Deleted.
(JSC::JSFixedArray::buffer): Deleted.
(JSC::JSFixedArray::buffer const): Deleted.
(JSC::JSFixedArray::values const): Deleted.
(JSC::JSFixedArray::size const): Deleted.
(JSC::JSFixedArray::length const): Deleted.
(JSC::JSFixedArray::offsetOfSize): Deleted.
(JSC::JSFixedArray::offsetOfData): Deleted.
(JSC::JSFixedArray::JSFixedArray): Deleted.
(JSC::JSFixedArray::allocationSize): Deleted.
* runtime/JSGeneratorFunction.h:
(JSC::JSGeneratorFunction::subspaceFor): Deleted.
(JSC::JSGeneratorFunction::allocationSize): Deleted.
(JSC::JSGeneratorFunction::createStructure): Deleted.
* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::byteLength const): Deleted.
(JSC::JSGenericTypedArrayView::byteSize const): Deleted.
(JSC::JSGenericTypedArrayView::typedVector const): Deleted.
(JSC::JSGenericTypedArrayView::typedVector): Deleted.
(JSC::JSGenericTypedArrayView::canGetIndexQuickly): Deleted.
(JSC::JSGenericTypedArrayView::canSetIndexQuickly): Deleted.
(JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue): Deleted.
(JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble): Deleted.
(JSC::JSGenericTypedArrayView::getIndexQuickly): Deleted.
(JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue): Deleted.
(JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble): Deleted.
(JSC::JSGenericTypedArrayView::setIndexQuickly): Deleted.
(JSC::JSGenericTypedArrayView::setIndex): Deleted.
(JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
(JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion): Deleted.
(JSC::JSGenericTypedArrayView::sort): Deleted.
(JSC::JSGenericTypedArrayView::canAccessRangeQuickly): Deleted.
(JSC::JSGenericTypedArrayView::createStructure): Deleted.
(JSC::JSGenericTypedArrayView::info): Deleted.
(JSC::JSGenericTypedArrayView::purifyArray): Deleted.
(JSC::JSGenericTypedArrayView::sortComparison): Deleted.
(JSC::JSGenericTypedArrayView::sortFloat): Deleted.
* runtime/JSGenericTypedArrayViewConstructor.h:
* runtime/JSGenericTypedArrayViewPrototype.h:
* runtime/JSInternalPromise.h:
* runtime/JSInternalPromiseConstructor.h:
* runtime/JSInternalPromisePrototype.h:
* runtime/JSMapIterator.h:
(JSC::JSMapIterator::createStructure): Deleted.
(JSC::JSMapIterator::create): Deleted.
(JSC::JSMapIterator::advanceIter): Deleted.
(JSC::JSMapIterator::next): Deleted.
(JSC::JSMapIterator::nextKeyValue): Deleted.
(JSC::JSMapIterator::kind const): Deleted.
(JSC::JSMapIterator::iteratedValue const): Deleted.
(JSC::JSMapIterator::JSMapIterator): Deleted.
(JSC::JSMapIterator::setIterator): Deleted.
* runtime/JSModuleLoader.h:
(JSC::JSModuleLoader::create): Deleted.
(JSC::JSModuleLoader::createStructure): Deleted.
* runtime/JSModuleNamespaceObject.h:
(JSC::isJSModuleNamespaceObject): Deleted.
* runtime/JSModuleRecord.h:
(JSC::JSModuleRecord::sourceCode const): Deleted.
(JSC::JSModuleRecord::declaredVariables const): Deleted.
(JSC::JSModuleRecord::lexicalVariables const): Deleted.
* runtime/JSNativeStdFunction.h:
(JSC::JSNativeStdFunction::subspaceFor): Deleted.
(JSC::JSNativeStdFunction::createStructure): Deleted.
(JSC::JSNativeStdFunction::nativeStdFunctionCell): Deleted.
* runtime/JSONObject.h:
(JSC::JSONObject::create): Deleted.
(JSC::JSONObject::createStructure): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::fillCustomGetterPropertySlot):
* runtime/JSScriptFetchParameters.h:
(JSC::JSScriptFetchParameters::createStructure): Deleted.
(JSC::JSScriptFetchParameters::create): Deleted.
(JSC::JSScriptFetchParameters::parameters const): Deleted.
(JSC::JSScriptFetchParameters::JSScriptFetchParameters): Deleted.
* runtime/JSScriptFetcher.h:
(JSC::JSScriptFetcher::createStructure): Deleted.
(JSC::JSScriptFetcher::create): Deleted.
(JSC::JSScriptFetcher::fetcher const): Deleted.
(JSC::JSScriptFetcher::JSScriptFetcher): Deleted.
* runtime/JSSetIterator.h:
(JSC::JSSetIterator::createStructure): Deleted.
(JSC::JSSetIterator::create): Deleted.
(JSC::JSSetIterator::advanceIter): Deleted.
(JSC::JSSetIterator::next): Deleted.
(JSC::JSSetIterator::kind const): Deleted.
(JSC::JSSetIterator::iteratedValue const): Deleted.
(JSC::JSSetIterator::JSSetIterator): Deleted.
(JSC::JSSetIterator::setIterator): Deleted.
* runtime/JSSourceCode.h:
(JSC::JSSourceCode::createStructure): Deleted.
(JSC::JSSourceCode::create): Deleted.
(JSC::JSSourceCode::sourceCode const): Deleted.
(JSC::JSSourceCode::JSSourceCode): Deleted.
* runtime/JSStringIterator.h:
(JSC::JSStringIterator::createStructure): Deleted.
(JSC::JSStringIterator::create): Deleted.
(JSC::JSStringIterator::JSStringIterator): Deleted.
* runtime/JSTemplateObjectDescriptor.h:
(JSC::isTemplateObjectDescriptor): Deleted.
* runtime/JSTypedArrayViewConstructor.h:
(JSC::JSTypedArrayViewConstructor::create): Deleted.
* runtime/JSTypedArrayViewPrototype.h:
* runtime/MapConstructor.h:
(JSC::MapConstructor::create): Deleted.
(JSC::MapConstructor::createStructure): Deleted.
* runtime/MapIteratorPrototype.h:
(JSC::MapIteratorPrototype::create): Deleted.
(JSC::MapIteratorPrototype::createStructure): Deleted.
(JSC::MapIteratorPrototype::MapIteratorPrototype): Deleted.
* runtime/MapPrototype.h:
(JSC::MapPrototype::create): Deleted.
(JSC::MapPrototype::createStructure): Deleted.
(JSC::MapPrototype::MapPrototype): Deleted.
* runtime/MathObject.h:
(JSC::MathObject::create): Deleted.
(JSC::MathObject::createStructure): Deleted.
* runtime/ModuleLoaderPrototype.h:
(JSC::ModuleLoaderPrototype::create): Deleted.
(JSC::ModuleLoaderPrototype::createStructure): Deleted.
* runtime/NativeErrorConstructor.h:
(JSC::NativeErrorConstructor::create): Deleted.
(JSC::NativeErrorConstructor::createStructure): Deleted.
(JSC::NativeErrorConstructor::errorStructure): Deleted.
* runtime/NativeErrorPrototype.h:
(JSC::NativeErrorPrototype::create): Deleted.
* runtime/NativeStdFunctionCell.h:
(JSC::NativeStdFunctionCell::createStructure): Deleted.
(JSC::NativeStdFunctionCell::function const): Deleted.
* runtime/NullGetterFunction.h:
(JSC::NullGetterFunction::create): Deleted.
(JSC::NullGetterFunction::createStructure): Deleted.
* runtime/NullSetterFunction.h:
(JSC::NullSetterFunction::create): Deleted.
(JSC::NullSetterFunction::createStructure): Deleted.
* runtime/NumberConstructor.h:
(JSC::NumberConstructor::create): Deleted.
(JSC::NumberConstructor::createStructure): Deleted.
(JSC::NumberConstructor::isIntegerImpl): Deleted.
* runtime/NumberPrototype.h:
(JSC::NumberPrototype::create): Deleted.
(JSC::NumberPrototype::createStructure): Deleted.
* runtime/ObjectConstructor.h:
(JSC::ObjectConstructor::create): Deleted.
(JSC::ObjectConstructor::createStructure): Deleted.
* runtime/ObjectPrototype.h:
(JSC::ObjectPrototype::createStructure): Deleted.
* runtime/ProxyConstructor.h:
(JSC::ProxyConstructor::createStructure): Deleted.
* runtime/ProxyRevoke.h:
(JSC::ProxyRevoke::createStructure): Deleted.
(JSC::ProxyRevoke::proxy): Deleted.
(JSC::ProxyRevoke::setProxyToNull): Deleted.
* runtime/ReflectObject.h:
(JSC::ReflectObject::create): Deleted.
(JSC::ReflectObject::createStructure): Deleted.
* runtime/RegExpConstructor.cpp:
(JSC::regExpConstructorDollar):
(JSC::regExpConstructorInput):
(JSC::regExpConstructorMultiline):
(JSC::regExpConstructorLastMatch):
(JSC::regExpConstructorLastParen):
(JSC::regExpConstructorLeftContext):
(JSC::regExpConstructorRightContext):
* runtime/RegExpConstructor.h:
(JSC::RegExpConstructor::create): Deleted.
(JSC::RegExpConstructor::createStructure): Deleted.
(JSC::RegExpConstructor::setMultiline): Deleted.
(JSC::RegExpConstructor::multiline const): Deleted.
(JSC::RegExpConstructor::setInput): Deleted.
(JSC::RegExpConstructor::input): Deleted.
(JSC::RegExpConstructor::offsetOfCachedResult): Deleted.
(JSC::asRegExpConstructor): Deleted.
* runtime/RegExpPrototype.h:
(JSC::RegExpPrototype::create): Deleted.
(JSC::RegExpPrototype::createStructure): Deleted.
(JSC::RegExpPrototype::emptyRegExp const): Deleted.
* runtime/SetConstructor.h:
(JSC::SetConstructor::create): Deleted.
(JSC::SetConstructor::createStructure): Deleted.
* runtime/SetIteratorPrototype.h:
(JSC::SetIteratorPrototype::create): Deleted.
(JSC::SetIteratorPrototype::createStructure): Deleted.
(JSC::SetIteratorPrototype::SetIteratorPrototype): Deleted.
* runtime/SetPrototype.h:
(JSC::SetPrototype::create): Deleted.
(JSC::SetPrototype::createStructure): Deleted.
(JSC::SetPrototype::SetPrototype): Deleted.
* runtime/StringConstructor.h:
(JSC::StringConstructor::create): Deleted.
(JSC::StringConstructor::createStructure): Deleted.
* runtime/StringIteratorPrototype.h:
(JSC::StringIteratorPrototype::create): Deleted.
(JSC::StringIteratorPrototype::createStructure): Deleted.
(JSC::StringIteratorPrototype::StringIteratorPrototype): Deleted.
* runtime/StringPrototype.h:
(JSC::StringPrototype::createStructure): Deleted.
* runtime/SymbolConstructor.h:
(JSC::SymbolConstructor::create): Deleted.
(JSC::SymbolConstructor::createStructure): Deleted.
* runtime/SymbolObject.h:
(JSC::SymbolObject::create): Deleted.
(JSC::SymbolObject::internalValue const): Deleted.
(JSC::SymbolObject::createStructure): Deleted.
* runtime/SymbolPrototype.h:
(JSC::SymbolPrototype::create): Deleted.
(JSC::SymbolPrototype::createStructure): Deleted.
* runtime/WeakMapConstructor.h:
(JSC::WeakMapConstructor::create): Deleted.
(JSC::WeakMapConstructor::createStructure): Deleted.
* runtime/WeakMapPrototype.h:
(JSC::WeakMapPrototype::create): Deleted.
(JSC::WeakMapPrototype::createStructure): Deleted.
(JSC::WeakMapPrototype::WeakMapPrototype): Deleted.
* runtime/WeakSetConstructor.h:
(JSC::WeakSetConstructor::create): Deleted.
(JSC::WeakSetConstructor::createStructure): Deleted.
* runtime/WeakSetPrototype.h:
(JSC::WeakSetPrototype::create): Deleted.
(JSC::WeakSetPrototype::createStructure): Deleted.
(JSC::WeakSetPrototype::WeakSetPrototype): Deleted.
* tools/JSDollarVM.h:
(JSC::JSDollarVM::createStructure): Deleted.
(JSC::JSDollarVM::create): Deleted.
(JSC::JSDollarVM::JSDollarVM): Deleted.
* wasm/js/JSWebAssembly.h:
* wasm/js/JSWebAssemblyCompileError.h:
(JSC::JSWebAssemblyCompileError::create): Deleted.
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::instance): Deleted.
(JSC::JSWebAssemblyInstance::moduleNamespaceObject): Deleted.
(JSC::JSWebAssemblyInstance::webAssemblyToJSCallee): Deleted.
(JSC::JSWebAssemblyInstance::memory): Deleted.
(JSC::JSWebAssemblyInstance::setMemory): Deleted.
(JSC::JSWebAssemblyInstance::memoryMode): Deleted.
(JSC::JSWebAssemblyInstance::table): Deleted.
(JSC::JSWebAssemblyInstance::setTable): Deleted.
(JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): Deleted.
(JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee): Deleted.
(JSC::JSWebAssemblyInstance::module const): Deleted.
* wasm/js/JSWebAssemblyLinkError.h:
(JSC::JSWebAssemblyLinkError::create): Deleted.
* wasm/js/JSWebAssemblyMemory.h:
(JSC::JSWebAssemblyMemory::subspaceFor): Deleted.
(JSC::JSWebAssemblyMemory::memory): Deleted.
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyRuntimeError.h:
(JSC::JSWebAssemblyRuntimeError::create): Deleted.
* wasm/js/JSWebAssemblyTable.h:
(JSC::JSWebAssemblyTable::isValidLength): Deleted.
(JSC::JSWebAssemblyTable::maximum const): Deleted.
(JSC::JSWebAssemblyTable::length const): Deleted.
(JSC::JSWebAssemblyTable::allocatedLength const): Deleted.
(JSC::JSWebAssemblyTable::table): Deleted.
* wasm/js/WebAssemblyCompileErrorConstructor.h:
* wasm/js/WebAssemblyCompileErrorPrototype.h:
* wasm/js/WebAssemblyInstanceConstructor.h:
* wasm/js/WebAssemblyInstancePrototype.h:
* wasm/js/WebAssemblyLinkErrorConstructor.h:
* wasm/js/WebAssemblyLinkErrorPrototype.h:
* wasm/js/WebAssemblyMemoryConstructor.h:
* wasm/js/WebAssemblyMemoryPrototype.h:
* wasm/js/WebAssemblyModuleConstructor.h:
* wasm/js/WebAssemblyModulePrototype.h:
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyPrototype.h:
* wasm/js/WebAssemblyRuntimeErrorConstructor.h:
* wasm/js/WebAssemblyRuntimeErrorPrototype.h:
* wasm/js/WebAssemblyTableConstructor.h:
* wasm/js/WebAssemblyTablePrototype.h:
2018-03-07 Filip Pizlo <fpizlo@apple.com>
Make it possible to randomize register allocation
https://bugs.webkit.org/show_bug.cgi?id=183416
Reviewed by Keith Miller.
This is disabled by default for now, because it reveals a regalloc bug in wasm.
* b3/air/AirCode.cpp:
(JSC::B3::Air::Code::Code):
* b3/air/AirCode.h:
(JSC::B3::Air::Code::weakRandom):
* runtime/Options.h:
2018-03-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add inherits<T>(VM&) leveraging JSCast fast path
https://bugs.webkit.org/show_bug.cgi?id=183429
Reviewed by Mark Lam.
Add new member function, JSCell::inherits<T>(VM&) and JSValue::inherits<T>(VM&).
They depends on jsDynamicCast<T> implementation and leverage JSType-based fast
paths defined in JSCast.h. We extract checking part as `JSCastingHelpers::inherit`
and construct jsDynamicCast and JSCell::inherits based on this.
And we remove several unnecessary casting functions (asRegExpObject, asDateInstance etc.).
In addition, we add jsDynamicCast fast path for RegExpObject by using existing RegExpObjectType.
We also fix the implementation of jsDynamicCast for JSObject since it uses LastJSCObjectType.
The embedder can add their extended object types after that.
* API/JSObjectRef.cpp:
(JSObjectGetPrivateProperty):
(JSObjectSetPrivateProperty):
(JSObjectDeletePrivateProperty):
* API/JSValue.mm:
(isDate):
(isArray):
* API/JSValueRef.cpp:
(JSValueIsArray):
(JSValueIsDate):
(JSValueIsObjectOfClass):
* API/JSWeakObjectMapRefPrivate.cpp:
* API/JSWrapperMap.mm:
(tryUnwrapObjcObject):
* API/ObjCCallbackFunction.mm:
(tryUnwrapConstructor):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGOperations.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
(JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::subtype):
(Inspector::JSInjectedScriptHost::functionDetails):
* inspector/agents/InspectorHeapAgent.cpp:
(Inspector::InspectorHeapAgent::getPreview):
* interpreter/Interpreter.cpp:
(JSC::notifyDebuggerOfUnwinding):
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::update):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JITOperations.cpp:
(JSC::operationNewFunctionCommon):
* jsc.cpp:
(checkException):
* runtime/BooleanObject.h:
(JSC::asBooleanObject): Deleted.
* runtime/BooleanPrototype.cpp:
(JSC::booleanProtoFuncToString):
(JSC::booleanProtoFuncValueOf):
* runtime/DateConstructor.cpp:
(JSC::constructDate):
* runtime/DateInstance.h:
(JSC::asDateInstance): Deleted.
* runtime/DatePrototype.cpp:
(JSC::formateDateInstance):
(JSC::dateProtoFuncToISOString):
(JSC::dateProtoFuncToLocaleString):
(JSC::dateProtoFuncToLocaleDateString):
(JSC::dateProtoFuncToLocaleTimeString):
(JSC::dateProtoFuncGetTime):
(JSC::dateProtoFuncGetFullYear):
(JSC::dateProtoFuncGetUTCFullYear):
(JSC::dateProtoFuncGetMonth):
(JSC::dateProtoFuncGetUTCMonth):
(JSC::dateProtoFuncGetDate):
(JSC::dateProtoFuncGetUTCDate):
(JSC::dateProtoFuncGetDay):
(JSC::dateProtoFuncGetUTCDay):
(JSC::dateProtoFuncGetHours):
(JSC::dateProtoFuncGetUTCHours):
(JSC::dateProtoFuncGetMinutes):
(JSC::dateProtoFuncGetUTCMinutes):
(JSC::dateProtoFuncGetSeconds):
(JSC::dateProtoFuncGetUTCSeconds):
(JSC::dateProtoFuncGetMilliSeconds):
(JSC::dateProtoFuncGetUTCMilliseconds):
(JSC::dateProtoFuncGetTimezoneOffset):
(JSC::dateProtoFuncSetTime):
(JSC::setNewValueFromTimeArgs):
(JSC::setNewValueFromDateArgs):
(JSC::dateProtoFuncSetYear):
(JSC::dateProtoFuncGetYear):
* runtime/ExceptionHelpers.cpp:
(JSC::isTerminatedExecutionException):
* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncToString):
* runtime/InternalFunction.h:
(JSC::asInternalFunction):
* runtime/JSArray.h:
(JSC::asArray):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpForBacktrace const):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::inherits const):
* runtime/JSCast.h:
(JSC::JSCastingHelpers::inheritsGenericImpl):
(JSC::JSCastingHelpers::inheritsJSTypeImpl):
(JSC::JSCastingHelpers::InheritsTraits::inherits):
(JSC::JSCastingHelpers::inherits):
(JSC::jsDynamicCast):
(JSC::JSCastingHelpers::jsDynamicCastGenericImpl): Deleted.
(JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl): Deleted.
(JSC::JSCastingHelpers::JSDynamicCastTraits::cast): Deleted.
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::inherits const):
* runtime/JSFunction.cpp:
(JSC::RetrieveCallerFunctionFunctor::operator() const):
(JSC::JSFunction::callerGetter):
(JSC::JSFunction::getOwnNonIndexPropertyNames):
(JSC::JSFunction::reifyLazyBoundNameIfNeeded):
* runtime/JSGlobalObject.cpp:
(JSC::enqueueJob):
* runtime/JSGlobalObject.h:
(JSC::asGlobalObject): Deleted.
* runtime/JSInternalPromiseDeferred.cpp:
(JSC::JSInternalPromiseDeferred::create):
* runtime/JSLexicalEnvironment.h:
(JSC::asActivation):
* runtime/JSONObject.cpp:
(JSC::unwrapBoxedPrimitive):
(JSC::Stringifier::Stringifier):
(JSC::Walker::walk):
* runtime/JSPromise.cpp:
(JSC::JSPromise::resolve):
* runtime/JSPromiseDeferred.cpp:
(JSC::JSPromiseDeferred::create):
* runtime/JSType.h:
* runtime/ProxyObject.h:
(JSC::ProxyObject::create): Deleted.
(JSC::ProxyObject::createStructure): Deleted.
(JSC::ProxyObject::target const): Deleted.
(JSC::ProxyObject::handler const): Deleted.
* runtime/RegExpConstructor.cpp:
(JSC::constructRegExp):
* runtime/RegExpConstructor.h:
(JSC::asRegExpConstructor):
(JSC::isRegExp):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::finishCreation):
(JSC::RegExpObject::getOwnPropertySlot):
(JSC::RegExpObject::defineOwnProperty):
(JSC::regExpObjectSetLastIndexStrict):
(JSC::regExpObjectSetLastIndexNonStrict):
(JSC::RegExpObject::put):
* runtime/RegExpObject.h:
(JSC::RegExpObject::create): Deleted.
(JSC::RegExpObject::setRegExp): Deleted.
(JSC::RegExpObject::regExp const): Deleted.
(JSC::RegExpObject::setLastIndex): Deleted.
(JSC::RegExpObject::getLastIndex const): Deleted.
(JSC::RegExpObject::test): Deleted.
(JSC::RegExpObject::testInline): Deleted.
(JSC::RegExpObject::createStructure): Deleted.
(JSC::RegExpObject::offsetOfRegExp): Deleted.
(JSC::RegExpObject::offsetOfLastIndex): Deleted.
(JSC::RegExpObject::offsetOfLastIndexIsWritable): Deleted.
(JSC::RegExpObject::allocationSize): Deleted.
(JSC::asRegExpObject): Deleted.
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncTestFast):
(JSC::regExpProtoFuncExec):
(JSC::regExpProtoFuncMatchFast):
(JSC::regExpProtoFuncCompile):
(JSC::regExpProtoGetterGlobal):
(JSC::regExpProtoGetterIgnoreCase):
(JSC::regExpProtoGetterMultiline):
(JSC::regExpProtoGetterDotAll):
(JSC::regExpProtoGetterSticky):
(JSC::regExpProtoGetterUnicode):
(JSC::regExpProtoGetterSource):
(JSC::regExpProtoFuncSearchFast):
(JSC::regExpProtoFuncSplitFast):
* runtime/StringObject.h:
(JSC::asStringObject): Deleted.
* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
(JSC::replace):
(JSC::stringProtoFuncReplaceUsingRegExp):
(JSC::stringProtoFuncToString):
* runtime/SymbolPrototype.cpp:
(JSC::symbolProtoFuncToString):
(JSC::symbolProtoFuncValueOf):
* tools/JSDollarVM.cpp:
(WTF::customGetValue):
(WTF::customSetValue):
* wasm/js/JSWebAssemblyHelpers.h:
(JSC::isWebAssemblyHostFunction):
* wasm/js/WebAssemblyWrapperFunction.cpp:
(JSC::WebAssemblyWrapperFunction::create):
2018-03-07 Tim Horton <timothy_horton@apple.com>
Sort and separate FeatureDefines.xcconfig
https://bugs.webkit.org/show_bug.cgi?id=183427
Reviewed by Dan Bernstein.
* Configurations/FeatureDefines.xcconfig:
Sort and split FeatureDefines into paragraphs
(to make it easier to sort later).
2018-03-07 Keith Miller <keith_miller@apple.com>
Unreviewed, fix 32-bit build.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2018-03-07 Keith Miller <keith_miller@apple.com>
Meta-program setupArguments and callOperation
https://bugs.webkit.org/show_bug.cgi?id=183263
Rubber-stamped by Filip Pizlo.
This patch removes all the custom overrides of callOperation and setupArguments
throughout the JITs. In their place there is a new setupArguments that marshalls
the arguments into place based on the type of the operation's function pointer.
There were a couple of design choices in the implementation of setupArguments:
1) We assume that no TrustedImm floating point values are passed.
2) If ExecState* is the first argument the callFrameRegister should be marshalled implicitly.
3) Types should not be implicitly converted (with the exception of DFG::RegisteredStructure -> Structure*)
The new callOperation/setupArguments do their best to make sure
it's hard to call a function with the wrong parameters. They will
only try to pattern match if the types match up with the next
passed argument. Additionally, the base case should static_assert
of the number of inferred arguments does not match the arity of
the operation's function pointer.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
(JSC::AbstractMacroAssembler::TrustedImmPtr::asPtr):
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::poke):
(JSC::MacroAssembler::move):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::swap):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::storeDouble):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::loadDouble):
(JSC::MacroAssemblerX86Common::swap):
(JSC::MacroAssemblerX86Common::move):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/AccessCaseSnippetParams.cpp:
(JSC::SlowPathCallGeneratorWithArguments::generateImpl):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::emitExplicitExceptionHandler):
* dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
* dfg/DFGNode.h:
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::emitRestoreArguments):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::osrWriteBarrier):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSlowPathGenerator.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
(JSC::DFG::SpeculativeJIT::compileArithMod):
(JSC::DFG::SpeculativeJIT::compileArithRounding):
(JSC::DFG::SpeculativeJIT::compileArithSqrt):
(JSC::DFG::SpeculativeJIT::compileCreateActivation):
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
(JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::operator MacroAssembler::TrustedImm const):
(JSC::DFG::SpeculativeJIT::initConstantInfo):
(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
(JSC::DFG::SpeculativeJIT::callCustomGetter): Deleted.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLSlowPathCall.h:
(JSC::FTL::callOperation):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::ensureShadowChickenPacket):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgument):
(JSC::CCallHelpers::setupStubArgs):
(JSC::CCallHelpers::ArgCollection::ArgCollection):
(JSC::CCallHelpers::ArgCollection::pushRegArg):
(JSC::CCallHelpers::ArgCollection::addGPRArg):
(JSC::CCallHelpers::ArgCollection::addStackArg):
(JSC::CCallHelpers::ArgCollection::addPoke):
(JSC::CCallHelpers::ArgCollection::argCount):
(JSC::CCallHelpers::clampArrayToSize):
(JSC::CCallHelpers::pokeForArgument):
(JSC::CCallHelpers::marshallArgumentRegister):
(JSC::CCallHelpers::setupArgumentsImpl):
(JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
(JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
(JSC::CCallHelpers::setupArguments):
(JSC::CCallHelpers::prepareForTailCallSlow):
(JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
(JSC::CCallHelpers::resetCallArguments): Deleted.
(JSC::CCallHelpers::addCallArgument): Deleted.
(JSC::CCallHelpers::setupArgumentsExecState): Deleted.
(JSC::CCallHelpers::setupTwoStubArgsGPR): Deleted.
(JSC::CCallHelpers::setupThreeStubArgsGPR): Deleted.
(JSC::CCallHelpers::setupFourStubArgsGPR): Deleted.
(JSC::CCallHelpers::setupFiveStubArgsGPR): Deleted.
(JSC::CCallHelpers::setupTwoStubArgsFPR): Deleted.
(JSC::CCallHelpers::setupStubArguments): Deleted.
(JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Deleted.
(JSC::CCallHelpers::setupStubArguments134): Deleted.
(JSC::CCallHelpers::setupStubArgsGPR): Deleted.
* jit/FPRInfo.h:
(JSC::toInfoFromReg):
* jit/GPRInfo.h:
(JSC::JSValueRegs::JSValueRegs):
(JSC::toInfoFromReg):
* jit/JIT.h:
(JSC::JIT::callOperation):
(JSC::JIT::callOperationWithProfile):
(JSC::JIT::callOperationWithResult):
(JSC::JIT::callOperationNoExceptionCheck):
(JSC::JIT::callOperationWithCallFrameRollbackOnException):
* jit/JITArithmetic.cpp:
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):
* jit/JITArithmetic32_64.cpp:
(JSC::JIT::emit_compareAndJumpSlow):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileSetupVarargsFrame):
* jit/JITInlines.h:
(JSC::JIT::callOperation): Deleted.
(JSC::JIT::callOperationNoExceptionCheck): Deleted.
(JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_array_with_size):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emitSlow_op_instanceof_custom):
(JSC::JIT::emit_op_set_function_name):
(JSC::JIT::emitSlow_op_eq):
(JSC::JIT::emitSlow_op_neq):
(JSC::JIT::emit_op_throw):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::emitSlow_op_has_indexed_property):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitGetByValWithCachedId):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::emitSlow_op_get_from_scope):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_by_index):
(JSC::JIT::emit_op_put_setter_by_id):
(JSC::JIT::emit_op_put_getter_setter_by_id):
(JSC::JIT::emit_op_put_getter_by_val):
(JSC::JIT::emit_op_put_setter_by_val):
(JSC::JIT::emit_op_del_by_id):
(JSC::JIT::emit_op_del_by_val):
(JSC::JIT::emitGetByValWithCachedId):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitPutByValWithCachedId):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::emitSlow_op_try_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::emitSlow_op_get_from_scope):
* jit/RegisterSet.h:
(JSC::RegisterSet::RegisterSet):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::slowPathFor):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionBreakpoint):
* runtime/JSCJSValue.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
2018-03-07 Mark Lam <mark.lam@apple.com>
Rename ProtoCallFrame::arityMissMatch to hasArityMismatch.
https://bugs.webkit.org/show_bug.cgi?id=183414
<rdar://problem/38231678>
Reviewed by Michael Saboff.
* interpreter/ProtoCallFrame.cpp:
(JSC::ProtoCallFrame::init):
* interpreter/ProtoCallFrame.h:
2018-03-07 Mark Lam <mark.lam@apple.com>
Simplify the variants of FunctionPtr constructors.
https://bugs.webkit.org/show_bug.cgi?id=183399
<rdar://problem/38212980>
Reviewed by Yusuke Suzuki.
* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr):
2018-03-06 Filip Pizlo <fpizlo@apple.com>
MarkedArgumentsBuffer should allocate from the JSValue Gigacage
https://bugs.webkit.org/show_bug.cgi?id=183377
Reviewed by Michael Saboff.
That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap.
* runtime/ArgList.cpp:
(JSC::MarkedArgumentBuffer::expandCapacity):
2018-03-07 Mark Lam <mark.lam@apple.com>
Add support for ARM64E.
https://bugs.webkit.org/show_bug.cgi?id=183398
<rdar://problem/38212621>
Reviewed by Michael Saboff.
* assembler/MacroAssembler.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/backends.rb:
2018-03-07 Yusuke Suzuki <utatane.tea@gmail.com>
HTML `pattern` attribute should set `u` flag for regular expressions
https://bugs.webkit.org/show_bug.cgi?id=151598
Reviewed by Chris Dumez.
Add UnicodeMode for JSC::Yarr::RegularExpression.
* yarr/RegularExpression.cpp:
(JSC::Yarr::RegularExpression::Private::create):
(JSC::Yarr::RegularExpression::Private::Private):
(JSC::Yarr::RegularExpression::Private::compile):
(JSC::Yarr::RegularExpression::RegularExpression):
* yarr/RegularExpression.h:
2018-03-07 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add more JSType based fast path for jsDynamicCast
https://bugs.webkit.org/show_bug.cgi?id=183403
Reviewed by Mark Lam.
We add more JSType based fast path for jsDynamicCast. Basically, we add miscellaneous JSTypes which
are used for jsDynamicCast in JSC, arguments types, and scope types.
We also add ClassInfo to JSScope and JSSegmentedVariableObject since they are used with jsDynamicCast.
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* runtime/ClonedArguments.h:
(JSC::ClonedArguments::specialsMaterialized const): Deleted.
* runtime/DirectArguments.h:
(JSC::DirectArguments::subspaceFor): Deleted.
(JSC::DirectArguments::internalLength const): Deleted.
(JSC::DirectArguments::length const): Deleted.
(JSC::DirectArguments::isMappedArgument const): Deleted.
(JSC::DirectArguments::isMappedArgumentInDFG const): Deleted.
(JSC::DirectArguments::getIndexQuickly const): Deleted.
(JSC::DirectArguments::setIndexQuickly): Deleted.
(JSC::DirectArguments::callee): Deleted.
(JSC::DirectArguments::argument): Deleted.
(JSC::DirectArguments::overrodeThings const): Deleted.
(JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
(JSC::DirectArguments::setModifiedArgumentDescriptor): Deleted.
(JSC::DirectArguments::isModifiedArgumentDescriptor): Deleted.
(JSC::DirectArguments::offsetOfCallee): Deleted.
(JSC::DirectArguments::offsetOfLength): Deleted.
(JSC::DirectArguments::offsetOfMinCapacity): Deleted.
(JSC::DirectArguments::offsetOfMappedArguments): Deleted.
(JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor): Deleted.
(JSC::DirectArguments::storageOffset): Deleted.
(JSC::DirectArguments::offsetOfSlot): Deleted.
(JSC::DirectArguments::allocationSize): Deleted.
(JSC::DirectArguments::storage): Deleted.
* runtime/JSCast.h:
* runtime/JSGlobalLexicalEnvironment.h:
(JSC::JSGlobalLexicalEnvironment::create): Deleted.
(JSC::JSGlobalLexicalEnvironment::isEmpty const): Deleted.
(JSC::JSGlobalLexicalEnvironment::createStructure): Deleted.
(JSC::JSGlobalLexicalEnvironment::JSGlobalLexicalEnvironment): Deleted.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::finishCreation):
* runtime/JSMap.h:
(JSC::isJSMap): Deleted.
* runtime/JSModuleEnvironment.h:
(JSC::JSModuleEnvironment::create): Deleted.
(JSC::JSModuleEnvironment::createStructure): Deleted.
(JSC::JSModuleEnvironment::offsetOfModuleRecord): Deleted.
(JSC::JSModuleEnvironment::allocationSize): Deleted.
(JSC::JSModuleEnvironment::moduleRecord): Deleted.
(JSC::JSModuleEnvironment::moduleRecordSlot): Deleted.
* runtime/JSObject.cpp:
(JSC::canDoFastPutDirectIndex):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
* runtime/JSObject.h:
(JSC::JSFinalObject::allocationSize): Deleted.
(JSC::JSFinalObject::typeInfo): Deleted.
(JSC::JSFinalObject::defaultInlineCapacity): Deleted.
(JSC::JSFinalObject::maxInlineCapacity): Deleted.
(JSC::JSFinalObject::createStructure): Deleted.
(JSC::JSFinalObject::finishCreation): Deleted.
(JSC::JSFinalObject::JSFinalObject): Deleted.
(JSC::isJSFinalObject): Deleted.
* runtime/JSScope.cpp:
* runtime/JSScope.h:
* runtime/JSSegmentedVariableObject.cpp:
* runtime/JSSegmentedVariableObject.h:
* runtime/JSSet.h:
(JSC::isJSSet): Deleted.
* runtime/JSType.h:
* runtime/JSWeakMap.h:
(JSC::isJSWeakMap): Deleted.
* runtime/JSWeakSet.h:
(JSC::isJSWeakSet): Deleted.
* runtime/JSWithScope.h:
(JSC::JSWithScope::object): Deleted.
* runtime/MapConstructor.cpp:
(JSC::constructMap):
(JSC::mapPrivateFuncMapBucketHead):
* runtime/MapPrototype.cpp:
(JSC::getMap):
* runtime/NumberObject.cpp:
(JSC::NumberObject::finishCreation):
* runtime/NumberPrototype.cpp:
(JSC::toThisNumber):
(JSC::numberProtoFuncToExponential):
(JSC::numberProtoFuncToFixed):
(JSC::numberProtoFuncToPrecision):
(JSC::numberProtoFuncToString):
(JSC::numberProtoFuncToLocaleString):
(JSC::numberProtoFuncValueOf):
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorSeal):
(JSC::objectConstructorFreeze):
(JSC::objectConstructorIsSealed):
(JSC::objectConstructorIsFrozen):
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::finishCreation):
* runtime/ScopedArguments.h:
(JSC::ScopedArguments::subspaceFor): Deleted.
(JSC::ScopedArguments::internalLength const): Deleted.
(JSC::ScopedArguments::length const): Deleted.
(JSC::ScopedArguments::isMappedArgument const): Deleted.
(JSC::ScopedArguments::isMappedArgumentInDFG const): Deleted.
(JSC::ScopedArguments::getIndexQuickly const): Deleted.
(JSC::ScopedArguments::setIndexQuickly): Deleted.
(JSC::ScopedArguments::callee): Deleted.
(JSC::ScopedArguments::overrodeThings const): Deleted.
(JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
(JSC::ScopedArguments::setModifiedArgumentDescriptor): Deleted.
(JSC::ScopedArguments::isModifiedArgumentDescriptor): Deleted.
(JSC::ScopedArguments::offsetOfOverrodeThings): Deleted.
(JSC::ScopedArguments::offsetOfTotalLength): Deleted.
(JSC::ScopedArguments::offsetOfTable): Deleted.
(JSC::ScopedArguments::offsetOfScope): Deleted.
(JSC::ScopedArguments::overflowStorageOffset): Deleted.
(JSC::ScopedArguments::allocationSize): Deleted.
(JSC::ScopedArguments::overflowStorage const): Deleted.
* runtime/SetConstructor.cpp:
(JSC::constructSet):
(JSC::setPrivateFuncSetBucketHead):
* runtime/SetPrototype.cpp:
(JSC::getSet):
* runtime/StrictEvalActivation.h:
(JSC::StrictEvalActivation::create): Deleted.
(JSC::StrictEvalActivation::createStructure): Deleted.
* runtime/WeakMapPrototype.cpp:
(JSC::getWeakMap):
* runtime/WeakSetPrototype.cpp:
(JSC::getWeakSet):
2018-03-07 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] offlineasm: fix indentation in armOpcodeReversedOperands
https://bugs.webkit.org/show_bug.cgi?id=183400
Reviewed by Mark Lam.
* offlineasm/arm.rb:
2018-03-06 Mark Lam <mark.lam@apple.com>
Prepare LLInt code to support pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=183387
<rdar://problem/38199678>
Reviewed by JF Bastien.
1. Introduced PtrTag enums for supporting pointer profiling later.
2. Also introduced tagging, untagging, retagging, and tag removal placeholder
template functions for the same purpose.
3. Prepare the offlineasm for supporting pointer profiling later.
4. Tagged some pointers in LLInt asm code. Currently, these should have no
effect on behavior.
5. Removed returnToThrowForThrownException() because it is not used anywhere.
6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
easier to view and edit these files in Xcode.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/LLIntCallLinkInfo.h:
(JSC::LLIntCallLinkInfo::unlink):
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
* llint/LLIntExceptions.cpp:
(JSC::LLInt::returnToThrowForThrownException): Deleted.
* llint/LLIntExceptions.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntOffsetsExtractor.cpp:
* llint/LLIntPCRanges.h:
(JSC::LLInt::isLLIntPC):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::handleHostCall):
(JSC::LLInt::setUpCall):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/ast.rb:
* offlineasm/instructions.rb:
* offlineasm/risc.rb:
* runtime/PtrTag.h: Added.
(JSC::uniquePtrTagID):
(JSC::ptrTag):
(JSC::tagCodePtr):
(JSC::untagCodePtr):
(JSC::retagCodePtr):
(JSC::removeCodePtrTag):
2018-03-06 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Assembler warnings: "use of r13 is deprecated"
https://bugs.webkit.org/show_bug.cgi?id=183286
Reviewed by Mark Lam.
Usage of sp/r13 as operand Rm is deprecated on ARM. offlineasm
sometimes generates assembly code that triggers this warning. Prevent
this by simply switching operands.
* offlineasm/arm.rb:
2018-03-06 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix incorrect assertion after r229309
https://bugs.webkit.org/show_bug.cgi?id=182975
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::TypeProfilerLog):
2018-03-05 Yusuke Suzuki <utatane.tea@gmail.com>
Fix std::make_unique / new[] using system malloc
https://bugs.webkit.org/show_bug.cgi?id=182975
Reviewed by JF Bastien.
Use Vector, FAST_ALLOCATED, or UniqueArray instead.
* API/JSStringRefCF.cpp:
(JSStringCreateWithCFString):
* bytecode/BytecodeKills.h:
* bytecode/BytecodeLivenessAnalysis.cpp:
(JSC::BytecodeLivenessAnalysis::computeKills):
* dfg/DFGDisassembler.cpp:
(JSC::DFG::Disassembler::dumpDisassembly):
* jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
* jit/PolymorphicCallStubRoutine.h:
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jsc.cpp:
(currentWorkingDirectory):
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
* runtime/ArgList.h:
* runtime/StructureChain.h:
* runtime/StructureIDTable.cpp:
(JSC::StructureIDTable::StructureIDTable):
(JSC::StructureIDTable::resize):
* runtime/StructureIDTable.h:
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::TypeProfilerLog):
(JSC::TypeProfilerLog::initializeLog): Deleted.
* runtime/TypeProfilerLog.h:
(JSC::TypeProfilerLog::TypeProfilerLog): Deleted.
* runtime/VM.cpp:
(JSC::VM::~VM):
(JSC::VM::acquireRegExpPatternContexBuffer):
* runtime/VM.h:
* testRegExp.cpp:
(runFromFiles):
* tools/HeapVerifier.cpp:
(JSC::HeapVerifier::HeapVerifier):
* tools/HeapVerifier.h:
2018-03-05 Mark Lam <mark.lam@apple.com>
JITThunk functions should only be called when the JIT is enabled.
https://bugs.webkit.org/show_bug.cgi?id=183351
<rdar://problem/38160091>
Reviewed by Keith Miller.
* jit/JITThunks.cpp:
(JSC::JITThunks::ctiNativeCall):
(JSC::JITThunks::ctiNativeConstruct):
(JSC::JITThunks::ctiInternalFunctionCall):
(JSC::JITThunks::ctiInternalFunctionConstruct):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::getCTIInternalFunctionTrampolineFor):
2018-03-05 Mark Lam <mark.lam@apple.com>
Gardening: build fix.
Not reviewed.
* interpreter/AbstractPC.h:
(JSC::AbstractPC::AbstractPC):
2018-03-05 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Use WTF::ArithmeticOperations for CLoop overflow operations
https://bugs.webkit.org/show_bug.cgi?id=183324
Reviewed by JF Bastien.
We have WTF::ArithmeticOperations which has operations with overflow checking.
This is suitable for CLoop's overflow checking operations. This patch emits
WTF::ArithmeticOperations for CLoop's overflow checking operations. And it is
lowered to optimized code using CPU's overflow flag.
* offlineasm/cloop.rb:
2018-03-05 Don Olmstead <don.olmstead@sony.com>
[CMake] Split JSC header copying into public and private targets
https://bugs.webkit.org/show_bug.cgi?id=183251
Reviewed by Konstantin Tokarev.
* CMakeLists.txt:
2018-03-04 Yusuke Suzuki <utatane.tea@gmail.com>
[WTF] Move currentCPUTime and sleep(Seconds) to CPUTime.h and Seconds.h respectively
https://bugs.webkit.org/show_bug.cgi?id=183312
Reviewed by Mark Lam.
Remove wtf/CurrentTime.h include pragma.
* API/tests/ExecutionTimeLimitTest.cpp:
(currentCPUTimeAsJSFunctionCallback):
(testExecutionTimeLimit):
* bytecode/SuperSampler.cpp:
* dfg/DFGPlan.cpp:
* heap/BlockDirectory.cpp:
* heap/Heap.cpp:
* heap/IncrementalSweeper.cpp:
* inspector/agents/InspectorConsoleAgent.cpp:
* inspector/agents/InspectorRuntimeAgent.cpp:
* profiler/ProfilerDatabase.cpp:
* runtime/CodeCache.h:
* runtime/JSDateMath.cpp:
* runtime/TypeProfilerLog.cpp:
* runtime/VM.cpp:
* runtime/Watchdog.cpp:
(JSC::Watchdog::shouldTerminate):
(JSC::Watchdog::startTimer):
* testRegExp.cpp:
* wasm/js/JSWebAssemblyCodeBlock.cpp:
2018-03-04 Tim Horton <timothy_horton@apple.com>
Make !ENABLE(DATA_DETECTION) iOS build actually succeed
https://bugs.webkit.org/show_bug.cgi?id=183283
<rdar://problem/38062148>
Reviewed by Sam Weinig.
* Configurations/FeatureDefines.xcconfig:
2018-03-02 Mark Lam <mark.lam@apple.com>
Make the LLInt probe work for ARM64.
https://bugs.webkit.org/show_bug.cgi?id=183298
<rdar://problem/38077413>
Reviewed by Filip Pizlo.
* llint/LowLevelInterpreter.asm:
2018-03-02 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Annotate more classes with WTF_MAKE_FAST_ALLOCATED
https://bugs.webkit.org/show_bug.cgi?id=183279
Reviewed by JF Bastien.
* bytecode/BytecodeIntrinsicRegistry.h:
* ftl/FTLThunks.h:
* heap/CodeBlockSet.h:
* heap/GCSegmentedArray.h:
* heap/MachineStackMarker.h:
* heap/MarkingConstraintSet.h:
2018-03-01 Yusuke Suzuki <utatane.tea@gmail.com>
Remove monotonicallyIncreasingTime
https://bugs.webkit.org/show_bug.cgi?id=182911
Reviewed by Michael Catanzaro.
* debugger/Debugger.cpp:
(JSC::Debugger::willEvaluateScript):
(JSC::Debugger::didEvaluateScript):
* debugger/Debugger.h:
* debugger/ScriptProfilingScope.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::breakpointActionProbe):
* inspector/agents/InspectorHeapAgent.cpp:
(Inspector::InspectorHeapAgent::snapshot):
(Inspector::InspectorHeapAgent::didGarbageCollect):
(Inspector::InspectorHeapAgent::dispatchGarbageCollectedEvent):
* inspector/agents/InspectorHeapAgent.h:
* inspector/agents/InspectorScriptProfilerAgent.cpp:
(Inspector::InspectorScriptProfilerAgent::startTracking):
(Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
(Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
(Inspector::InspectorScriptProfilerAgent::addEvent):
(Inspector::buildSamples):
* inspector/agents/InspectorScriptProfilerAgent.h:
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::takeSample):
* runtime/SamplingProfiler.h:
2018-03-01 Yusuke Suzuki <utatane.tea@gmail.com>
ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
https://bugs.webkit.org/show_bug.cgi?id=183173
Reviewed by Saam Barati.
Classifier could propagate an error which does not occur at the first token
of the given expression. We should check whether the given token is "async"
instead of assertion.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseAssignmentExpression):
2018-03-01 Saam Barati <sbarati@apple.com>
We need to clear cached structures when having a bad time
https://bugs.webkit.org/show_bug.cgi?id=183256
<rdar://problem/36245022>
Reviewed by Mark Lam.
This patch makes both InternalFunctionAllocationProfile and the VM's
structure cache having-a-bad-time aware. For InternalFunctionAllocationProfile,
we clear them when they'd produce an object with a bad indexing type.
For the VM's Structure cache, we conservatively clear the entire cache
since it may be housing Structures with bad indexing types.
* runtime/FunctionRareData.h:
(JSC::FunctionRareData::clearInternalFunctionAllocationProfile):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::haveABadTime):
* runtime/StructureCache.h:
(JSC::StructureCache::clear):
2018-03-01 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix exception check for ExceptionScope
https://bugs.webkit.org/show_bug.cgi?id=183175
* jsc.cpp:
(GlobalObject::moduleLoaderFetch):
2018-02-28 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Fix compile error in debug builds by invoking unpoisoned().
Reviewed by Mark Lam.
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): Fix compile error.
(JSC::MacroAssemblerCodePtr::createFromExecutableAddress()): Ditto.
(JSC::MacroAssemblerCodePtr::dataLocation()): Ditto.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::ByteCompiler::dumpDisjunction): use %zu for printf'ing size_t.
2018-02-28 JF Bastien <jfbastien@apple.com>
GC should sweep code block before deleting
https://bugs.webkit.org/show_bug.cgi?id=183229
<rdar://problem/32767615>
Reviewed by Saam Barati, Fil Pizlo.
Stub routines shouldn't get deleted before codeblocks have been
swept, otherwise there's a small race window where the codeblock
thinks it's still reachable.
* heap/Heap.cpp:
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::sweepInFinalize):
2018-02-28 Yusuke Suzuki <utatane.tea@gmail.com>
JSC crash with `import("")`
https://bugs.webkit.org/show_bug.cgi?id=183175
Reviewed by Saam Barati.
Add file existence and file type check for module loader implementation in jsc.cpp.
This is not safe for TOCTOU, but it is OK since this functionality is used for the
JSC shell (jsc.cpp): testing purpose.
* jsc.cpp:
(fillBufferWithContentsOfFile):
(fetchModuleFromLocalFileSystem):
2018-02-27 Keith Miller <keith_miller@apple.com>
Replace TrustedImmPtr(0) with TrustedImmPtr(nullptr)
https://bugs.webkit.org/show_bug.cgi?id=183195
Reviewed by Mark Lam.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::patchableBranchPtr):
(JSC::MacroAssembler::patchableBranchPtrWithPatch):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::branchPtrWithPatch):
(JSC::MacroAssemblerARM::storePtrWithPatch):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::call):
(JSC::MacroAssemblerARM64::tailRecursiveCall):
(JSC::MacroAssemblerARM64::branchPtrWithPatch):
(JSC::MacroAssemblerARM64::patchableBranchPtrWithPatch):
(JSC::MacroAssemblerARM64::storePtrWithPatch):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::branchPtrWithPatch):
(JSC::MacroAssemblerARMv7::patchableBranchPtr):
(JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch):
(JSC::MacroAssemblerARMv7::storePtrWithPatch):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branchPtrWithPatch):
(JSC::MacroAssemblerMIPS::storePtrWithPatch):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::branchPtrWithPatch):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
(JSC::MacroAssemblerX86_64::call):
(JSC::MacroAssemblerX86_64::tailRecursiveCall):
(JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
(JSC::MacroAssemblerX86_64::branchPtrWithPatch):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileToLowerCase):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::debugCall):
(JSC::AssemblyHelpers::sanitizeStackInline):
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
* jit/ScratchRegisterAllocator.cpp:
(JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::initParenContextFreeList):
(JSC::Yarr::YarrGenerator::storeToFrameWithPatch):
(JSC::Yarr::YarrGenerator::generate):
2018-02-26 Mark Lam <mark.lam@apple.com>
Modernize FINALIZE_CODE and peer macros to use __VA_ARGS__ arguments.
https://bugs.webkit.org/show_bug.cgi?id=183159
<rdar://problem/37930837>
Reviewed by Keith Miller.
* assembler/LinkBuffer.h:
* assembler/testmasm.cpp:
(JSC::compile):
* b3/B3Compile.cpp:
(JSC::B3::compile):
* b3/air/testair.cpp:
* b3/testb3.cpp:
(JSC::B3::testEntrySwitchSimple):
(JSC::B3::testEntrySwitchNoEntrySwitch):
(JSC::B3::testEntrySwitchWithCommonPaths):
(JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
(JSC::B3::testEntrySwitchLoop):
* bytecode/InlineAccess.cpp:
(JSC::linkCodeInline):
(JSC::InlineAccess::rewireStubAsJump):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileOSRExit):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitThunkGenerator):
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::generate):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/ExecutableAllocator.cpp:
* jit/JIT.cpp:
(JSC::JIT::link):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* jit/JITOpcodes.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
* jit/JITStubRoutine.h:
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::linkCallThunkGenerator):
(JSC::linkPolymorphicCallThunkGenerator):
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::arityFixupGenerator):
(JSC::unreachableGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::complete):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::compile):
2018-02-25 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
https://bugs.webkit.org/show_bug.cgi?id=182965
Reviewed by Saam Barati.
This patch extends FTL coverage for PutByVal by adding ArrayStorage and SlwoPutArrayStorage support.
Basically large part of the patch is porting from DFG code. Since PutByVal already emits CheckInBounds
for InBounds case, we do not have OutOfBounds check for that case.
This is the last change for FTL to support all the types of DFG nodes except for CreateThis.
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
(JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
For consistency, we use operationPutByValXXX and operationPutByValDirectXXX.
But except for SlowPutArrayStorage case, basically it is meaningless since
we do not have indexed accessors.
2018-02-26 Saam Barati <sbarati@apple.com>
validateStackAccess should not validate if the offset is within the stack bounds
https://bugs.webkit.org/show_bug.cgi?id=183067
<rdar://problem/37749988>
Reviewed by Mark Lam.
The validation rule was saying that any load from the stack must be
within the stack bounds of the frame. However, it's natural for a user
of B3 to emit code that may be outside of B3's stack bounds, but guard
such a load with a branch. The FTL does exactly this with GetMyArgumentByVal.
B3 is wrong to assert that this is a static property about all stack loads.
* b3/B3Validate.cpp:
2018-02-23 Saam Barati <sbarati@apple.com>
Make Number.isInteger an intrinsic
https://bugs.webkit.org/show_bug.cgi?id=183088
Reviewed by JF Bastien.
When profiling the ML subtest in ARES, I noticed it was spending some
time in Number.isInteger. This patch makes that operation an intrinsic
in the DFG/FTL. It might be a speedup by 1% or so on that subtest, but
it's likely not an aggregate speedup on ARES. However, it is definitely
faster than calling into a builtin function, so we might as well have
it as an intrinsic.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
(JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/NumberConstructor.cpp:
(JSC::NumberConstructor::finishCreation):
(JSC::numberConstructorFuncIsInteger):
* runtime/NumberConstructor.h:
(JSC::NumberConstructor::isIntegerImpl):
2018-02-23 Oleksandr Skachkov <gskachkov@gmail.com>
WebAssembly: cache memory address / size on instance
https://bugs.webkit.org/show_bug.cgi?id=177305
Reviewed by JF Bastien.
Cache memory address/size in wasm:Instance to avoid load wasm:Memory
object during access to memory and memory size property in JiT
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::addCurrentMemory):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmInstance.h:
(JSC::Wasm::Instance::cachedMemory const):
(JSC::Wasm::Instance::cachedMemorySize const):
(JSC::Wasm::Instance::createWeakPtr):
(JSC::Wasm::Instance::setMemory):
(JSC::Wasm::Instance::updateCachedMemory):
(JSC::Wasm::Instance::offsetOfCachedMemory):
(JSC::Wasm::Instance::offsetOfCachedMemorySize):
(JSC::Wasm::Instance::offsetOfCachedIndexingMask):
(JSC::Wasm::Instance::allocationSize):
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::grow):
(JSC::Wasm::Memory::registerInstance):
* wasm/WasmMemory.h:
(JSC::Wasm::Memory::indexingMask):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::evaluate):
2018-02-23 Saam Barati <sbarati@apple.com>
ArgumentsEliminationPhase has a branch on GetByOffset that should be an assert
https://bugs.webkit.org/show_bug.cgi?id=182982
Reviewed by Yusuke Suzuki.
I don't know why this check was not always an assert. When we see
a GetByOffset on an eliminated allocation, that allocation *must*
be a PhantomClonedArguments. If it weren't, the GetByOffset would
have escaped it. Because this transformation happens by visiting
blocks in pre-order, and by visiting nodes in a block starting from
index zero to index block->size() - 1, we're guaranteed that eliminated
allocations get transformed before users of it, since we visit nodes
in dominator order.
* dfg/DFGArgumentsEliminationPhase.cpp:
2018-02-23 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Implement $vm.ftlTrue function for FTL testing
https://bugs.webkit.org/show_bug.cgi?id=183071
Reviewed by Mark Lam.
Add $vm.ftlTrue, which becomes true if the caller is compiled in FTL.
This is useful for testing whether the caller function is compiled in FTL.
We also remove duplicate DFGTrue function in jsc.cpp. We have $vm.dfgTrue.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionFalse1):
(functionFalse2): Deleted.
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* tools/JSDollarVM.cpp:
(JSC::functionFTLTrue):
(JSC::JSDollarVM::finishCreation):
2018-02-22 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=182792
Reviewed by Mark Lam.
This patch adds HasIndexedProperty for ArrayStorage and SlowPutArrayStorage in FTL.
HasIndexedProperty with ArrayStorage frequently causes FTL compilation failures
in web-tooling-benchmarks.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2018-02-22 Mark Lam <mark.lam@apple.com>
Refactor MacroAssembler code to improve reuse and extensibility.
https://bugs.webkit.org/show_bug.cgi?id=183054
<rdar://problem/37797337>
Reviewed by Saam Barati.
* assembler/ARM64Assembler.h:
* assembler/MacroAssembler.cpp:
* assembler/MacroAssembler.h:
* assembler/MacroAssemblerARM.h:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::canCompact):
(JSC::MacroAssemblerARM64::computeJumpType):
(JSC::MacroAssemblerARM64::jumpSizeDelta):
(JSC::MacroAssemblerARM64::link):
(JSC::MacroAssemblerARM64::load64):
(JSC::MacroAssemblerARM64::load64WithAddressOffsetPatch):
(JSC::MacroAssemblerARM64::load32):
(JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
(JSC::MacroAssemblerARM64::load16):
(JSC::MacroAssemblerARM64::load16SignedExtendTo32):
(JSC::MacroAssemblerARM64::load8):
(JSC::MacroAssemblerARM64::load8SignedExtendTo32):
(JSC::MacroAssemblerARM64::store64):
(JSC::MacroAssemblerARM64::store64WithAddressOffsetPatch):
(JSC::MacroAssemblerARM64::store32):
(JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):
(JSC::MacroAssemblerARM64::store16):
(JSC::MacroAssemblerARM64::store8):
(JSC::MacroAssemblerARM64::getEffectiveAddress):
(JSC::MacroAssemblerARM64::branchDoubleNonZero):
(JSC::MacroAssemblerARM64::branchDoubleZeroOrNaN):
(JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
(JSC::MacroAssemblerARM64::loadDouble):
(JSC::MacroAssemblerARM64::loadFloat):
(JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
(JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
(JSC::MacroAssemblerARM64::storeDouble):
(JSC::MacroAssemblerARM64::storeFloat):
(JSC::MacroAssemblerARM64::call):
(JSC::MacroAssemblerARM64::jump):
(JSC::MacroAssemblerARM64::tailRecursiveCall):
(JSC::MacroAssemblerARM64::setCarry):
(JSC::MacroAssemblerARM64::reemitInitialMoveWithPatch):
(JSC::MacroAssemblerARM64::isBreakpoint):
(JSC::MacroAssemblerARM64::invert):
(JSC::MacroAssemblerARM64::readCallTarget):
(JSC::MacroAssemblerARM64::replaceWithVMHalt):
(JSC::MacroAssemblerARM64::replaceWithJump):
(JSC::MacroAssemblerARM64::maxJumpReplacementSize):
(JSC::MacroAssemblerARM64::patchableJumpSize):
(JSC::MacroAssemblerARM64::repatchCall):
(JSC::MacroAssemblerARM64::makeBranch):
(JSC::MacroAssemblerARM64::makeCompareAndBranch):
(JSC::MacroAssemblerARM64::makeTestBitAndBranch):
(JSC::MacroAssemblerARM64::ARM64Condition):
(JSC::MacroAssemblerARM64::moveWithFixedWidth):
(JSC::MacroAssemblerARM64::load):
(JSC::MacroAssemblerARM64::store):
(JSC::MacroAssemblerARM64::tryLoadWithOffset):
(JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
(JSC::MacroAssemblerARM64::tryStoreWithOffset):
(JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
(JSC::MacroAssemblerARM64::linkCall):
* assembler/MacroAssemblerARMv7.h:
* assembler/MacroAssemblerMIPS.h:
* assembler/MacroAssemblerX86Common.h:
* assembler/ProbeStack.h:
- Removed a forward declaration of an obsolete class.
2018-02-22 Yusuke Suzuki <utatane.tea@gmail.com>
Remove sleep(double) and sleepMS(double) interfaces
https://bugs.webkit.org/show_bug.cgi?id=183038
Reviewed by Mark Lam.
* bytecode/SuperSampler.cpp:
(JSC::initializeSuperSampler):
2018-02-21 Don Olmstead <don.olmstead@sony.com>
[CMake] Split declaration of JSC headers into public and private
https://bugs.webkit.org/show_bug.cgi?id=182980
Reviewed by Michael Catanzaro.
* CMakeLists.txt:
* PlatformGTK.cmake:
* PlatformMac.cmake:
* PlatformWPE.cmake:
* PlatformWin.cmake:
2018-02-20 Saam Barati <sbarati@apple.com>
DFG::VarargsForwardingPhase should eliminate getting argument length
https://bugs.webkit.org/show_bug.cgi?id=182959
Reviewed by Keith Miller.
This patch teaches the DFG VarargsForwardingPhase to not treat
length accesses on Cloned/Direct Arguments objects as escapes.
It teaches this phase to materialize the length in the same
way the ArgumentsEliminationPhase does.
This is around a 0.5-1% speedup on ARES6 on my iMac. It speeds
up the ML subtest by 2-4%.
This patch also extends compileGetArgumentCountIncludingThis to take
a parameter that is the inline call frame to load from (in the case
where the inline call frame is a varargs frame). This allows the
the emitCodeToGetArgumentsArrayLength helper function to just emit
a GetArgumentCountIncludingThis node instead of a GetLocal. If we
emitted a GetLocal, we'd need to rerun CPS rethreading.
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getArgumentCount):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGNode.h:
(JSC::DFG::Node::argumentsInlineCallFrame):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis):
* dfg/DFGVarargsForwardingPhase.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis):
2018-02-14 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Support ArrayPush for ArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=182782
Reviewed by Saam Barati.
This patch adds support for ArrayPush(ArrayStorage). We just port ArrayPush(ArrayStorage) in DFG to FTL.
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
2018-02-14 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Support ArrayPop for ArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=182783
Reviewed by Saam Barati.
This patch adds ArrayPop(ArrayStorage) support to FTL. We port the implementation in DFG to FTL.
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
2018-02-14 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=182731
Reviewed by Saam Barati.
This patch adds support for Arrayify(ArrayStorage/SlowPutArrayStorage) to FTL.
Due to ArrayifyToStructure and CheckArray changes, necessary changes for
supporting Arrayify in FTL are already done. Just allowing it in FTLCapabilities.cpp
is enough.
We fix FTL's CheckArray logic. Previously, CheckArray(SlowPutArrayStorage) does not pass
ArrayStorage in FTL. But now it passes this as DFG does. Moreover, we fix DFG's CheckArray
where CheckArray(ArrayStorage+NonArray) can pass ArrayStorage+Array.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
* dfg/DFGSpeculativeJIT.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
2018-02-19 Saam Barati <sbarati@apple.com>
Don't use JSFunction's allocation profile when getting the prototype can be effectful
https://bugs.webkit.org/show_bug.cgi?id=182942
<rdar://problem/37584764>
Reviewed by Mark Lam.
Prior to this patch, the create_this implementation assumed that anything
that is a JSFunction can use the object allocation profile and go down the
fast path to allocate the |this| object. Implied by this approach is that
accessing the 'prototype' property of the incoming function is not an
effectful operation. This is inherent to the ObjectAllocationProfile
data structure: it caches the prototype field. However, getting the
'prototype' property might be an effectful operation, e.g, it could
be a getter. Many variants of functions in JS have the 'prototype' property
as non-configurable. However, some functions, like bound functions, do not
have the 'prototype' field with these attributes.
This patch adds the notion of 'canUseAllocationProfile' to JSFunction
and threads it through so that we only go down the fast path and use
the allocation profile when the prototype property is non-configurable.
* bytecompiler/NodesCodegen.cpp:
(JSC::ClassExprNode::emitBytecode):
* dfg/DFGOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSFunction.cpp:
(JSC::JSFunction::prototypeForConstruction):
(JSC::JSFunction::allocateAndInitializeRareData):
(JSC::JSFunction::initializeRareData):
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::canUseAllocationProfileNonInline):
* runtime/JSFunction.h:
(JSC::JSFunction::ensureRareDataAndAllocationProfile):
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::canUseAllocationProfile):
2018-02-19 Saam Barati <sbarati@apple.com>
Don't mark an array profile out of bounds for the cases where the DFG will convert the access to SaneChain
https://bugs.webkit.org/show_bug.cgi?id=182912
<rdar://problem/37685083>
Reviewed by Keith Miller.
In the baseline JIT and LLInt, when we loading a hole from an original array,
with the array prototype chain being normal, we end up marking the ArrayProfile
for that GetByVal as out of bounds. However, the DFG knows exactly how to
optimize this case by returning undefined when loading from a hole. Currently,
it only does this for Contiguous arrays (and sometimes Double arrays).
This patch just makes sure to not mark the ArrayProfile as out of bounds
in this scenario for Contiguous arrays, since the DFG will always optimize
this case.
However, we should extend this by profiling when a GetByVal loads a hole. By
doing so, we can optimize this for Int32, ArrayStorage, and maybe even Double
arrays. That work will happen in:
https://bugs.webkit.org/show_bug.cgi?id=182940
This patch is a 30-50% speedup on JetStream's hash-map test. This patch
speeds up JetStream by 1% when testing on my iMac.
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* jit/JITOperations.cpp:
(JSC::getByVal):
(JSC::canAccessArgumentIndexQuickly): Deleted.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getByVal):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
2018-02-17 Filip Pizlo <fpizlo@apple.com>
GetArrayMask should support constant folding
https://bugs.webkit.org/show_bug.cgi?id=182907
Reviewed by Saam Barati.
Implement constant folding for GetArrayMask. This revealed a bug in tryGetFoldableView, where it was
ignoring the result of a jsDynamicCast<>(). This wasn't a bug before because it would have been
impossible for that function to get called with a non-null value if the value was not an array view,
due to type filtering in CheckArray, the fact that CheckArray had to dominate GetArrayLength, and
the fact that the other tryGetFoldableView overload made sure that the array mode was some typed
array.
This isn't a measurable progression, but it does save a register in the codegen for typed array
accesses. Hopefully these improvements add up.
* assembler/AssemblerBuffer.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetFoldableView):
2018-02-18 Dominik Inführ <dominik.infuehr@gmail.com>
Offlineasm/MIPS: immediates need to be within 16-bit signed values
https://bugs.webkit.org/show_bug.cgi?id=182890
Reviewed by Michael Catanzaro.
In Sequence.getModifiedListMIPS(), we allow immediate values within
the range -0xffff..0xffff for immediates (addresses and other
immediates), but then in Immediate.mipsOperand() and
Address.mipsOperand() we raise if immediate values are not within
-0x7fff..0x7fff. This is inconsistent, and broke compilation on mips
since r228552 made the VM structure bigger meaning we address values
with bigger offsets in llint. This change restricts the allowed range,
so that a separate load of the value is done for values outside of
that range.
* offlineasm/mips.rb:
2018-02-17 Darin Adler <darin@apple.com>
Web Inspector: get rid of remaining uses of OptOutput<T>
https://bugs.webkit.org/show_bug.cgi?id=180607
Reviewed by Brian Burg.
* inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/AsyncStackTrace.h: Ditto.
* inspector/ConsoleMessage.cpp: Ditto.
* inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
(Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
Vector instead of a unique_ptr<Vector>.
(Inspector::ContentSearchUtilities::lineEndings): Ditto.
(Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
(Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
a Vector for a fixed size array; also got rid of reinterpret_cast.
(Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
expression here since it's the only place it was used.
* inspector/ContentSearchUtilities.h: Cut down on unneeded includes.
* inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
Removed base template for BindingTraits; we only need the specializations.
* inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/ScriptCallFrame.h: Ditto.
* inspector/ScriptCallStack.cpp: Ditto.
* inspector/ScriptCallStack.h: Ditto.
* inspector/agents/InspectorConsoleAgent.cpp: Ditto.
* inspector/agents/InspectorConsoleAgent.h: Ditto.
* inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& intead of
OptOutput* for out arguments.
* inspector/agents/InspectorDebuggerAgent.h: Ditto.
* inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorHeapAgent::getPreview): Use std::optional& intead of OptOutput*
for out arguments.
* inspector/agents/InspectorHeapAgent.h: Ditto.
* inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorRuntimeAgent::parse): Use std::optional& intead of OptOutput*
for out arguments.
(Inspector::InspectorRuntimeAgent::evaluate): Ditto.
(Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
(Inspector::InspectorRuntimeAgent::saveResult): Ditto.
* inspector/agents/InspectorRuntimeAgent.h: Ditto.
* inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
and removed some bogus const.
* inspector/agents/InspectorScriptProfilerAgent.h: Ditto.
* inspector/scripts/codegen/cpp_generator.py:
(CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
(CppGenerator.cpp_type_for_type_with_name): Ditto.
(CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
Inspector::Protocol::OptOutput*.
(CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
(CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
(CppGenerator.cpp_type_for_stack_out_parameter): Ditto.
* inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
conditional around assertion code which will now compile to nothing if ASSERT is disabled.
Build strings more simply in a few cases.
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
replace OptOutput here.
(CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
Pass by reference instead of pointer now.
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
if ASSERT is disabled.
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
(CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.
* inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
(ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
more simply.
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
Rebaselined.
2018-02-16 Matt Lewis <jlewis3@apple.com>
Unreviewed, rolling out r228318.
The patch that this attempted to fix was rolled out already.
Reverted changeset:
"Fix build on ARMv7 traditional JSCOnly bot after r228306"
https://bugs.webkit.org/show_bug.cgi?id=182563
https://trac.webkit.org/changeset/228318
2018-02-16 Filip Pizlo <fpizlo@apple.com>
Unreviewed, roll out r228306 (custom memcpy/memset) because the bots say that it was not a
progression.
* assembler/AssemblerBuffer.h:
(JSC::AssemblerBuffer::append):
* heap/LargeAllocation.cpp:
(JSC::LargeAllocation::tryCreate):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToDirectory):
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBufferContents::tryAllocate):
(JSC::ArrayBufferContents::copyTo):
(JSC::ArrayBuffer::createInternal):
* runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::zeroRangeImpl):
* runtime/ArrayConventions.cpp:
(JSC::clearArrayMemset):
* runtime/ArrayConventions.h:
(JSC::clearArray):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoPrivateFuncConcatMemcpy):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::createOrGrowPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::resizeArray):
* runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::create):
* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::fastSlice):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::set):
* runtime/JSObject.cpp:
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::PropertyTable):
2018-02-16 Saam Barati <sbarati@apple.com>
Fix bugs from r228411
https://bugs.webkit.org/show_bug.cgi?id=182851
<rdar://problem/37577732>
Reviewed by JF Bastien.
There was a bug from r228411 where inside the constant folding phase,
we used an insertCheck method that didn't handle varargs. This would
lead to a crash. When thinking about the fix for that function, I realized
a made a couple of mistakes in r228411. One is probably a security bug, and
the other is a performance bug because it'll prevent CSE for certain flavors
of GetByVal nodes. Both blunders are similar in nature.
In r228411, I added code in LICM that inserted a CheckVarargs node with children
of another varargs node. However, to construct this new node's children,
I just copied the AdjacencyList. This does a shallow copy. What we needed
was a deep copy. We needed to create a new vararg AdjacencyList that points
to edges that are deep copies of the original varargs children. This patch
fixes this goof in LICM.
r228411 made it so that PureValue over a varargs node would just compare actual
AdjacencyLists structs. So, if you had two GetByVals that had equal santized
children, their actual AdjacencyList structs are *not* bitwise equal, since they'll
have different firstChild values. Instead, we need to do a deep compare of their
adjacency lists. This patch teaches PureValue how to do that.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::copyVarargChildren):
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::insertCheck):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGPureValue.cpp:
(JSC::DFG::PureValue::dump const):
* dfg/DFGPureValue.h:
(JSC::DFG::PureValue::PureValue):
(JSC::DFG::PureValue::op const):
(JSC::DFG::PureValue::hash const):
(JSC::DFG::PureValue::operator== const):
(JSC::DFG::PureValue::isVarargs const):
(JSC::DFG::PureValue::children const): Deleted.
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
(JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
2018-02-16 Matt Lewis <jlewis3@apple.com>
Unreviewed, rolling out r228546.
This caused a consistent crash on all macOS WK2 platforms.
Reverted changeset:
"Web Inspector: get rid of remaining uses of OptOutput<T>"
https://bugs.webkit.org/show_bug.cgi?id=180607
https://trac.webkit.org/changeset/228546
2018-02-16 Fujii Hironori <Hironori.Fujii@sony.com>
fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK
https://bugs.webkit.org/show_bug.cgi?id=172952
Reviewed by Michael Catanzaro.
Null dereference of VM::topCallFrame happens in
Inspector::createScriptCallStackForConsole if the ExecState has no
call frames.
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack): Do null check of topCallFrame.
(Inspector::createScriptCallStackForConsole): Ditto.
2018-02-15 Filip Pizlo <fpizlo@apple.com>
Objects that contain dangerous things should be allocated far away from objects that can do OOB
https://bugs.webkit.org/show_bug.cgi?id=182843
Reviewed by Saam Barati.
To complete our object distancing plan, we need to put objects that can contain unpoisoned data
far away from objects that cannot. Objects referenceable from JSValues cannot contain
unpoisoned data, but auxiliary data can. This further divides auxiliary data that is meant for
storing mostly JSValues from data that is meant for storing anything.
This is achieved by having three SecurityKinds that are used for MarkedBlock selection and
zeroing sort of the same way SecurityOriginToken already was.
This change shouldn't make anything slower. If anything, it will be a small speed-up because it
removes some cases of MarkedBlock zeroing since we don't need to zero blocks used for two of
the SecurityKinds.
* Sources.txt:
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::addBlock):
* heap/BlockDirectory.h:
* heap/CellAttributes.cpp:
(JSC::CellAttributes::dump const):
* heap/CellAttributes.h:
(JSC::CellAttributes::CellAttributes):
* heap/LocalAllocator.cpp:
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToDirectory):
(JSC::MarkedBlock::Handle::associateWithOrigin): Deleted.
* heap/MarkedBlock.h:
* heap/SecurityKind.cpp: Added.
(WTF::printInternal):
* heap/SecurityKind.h: Added.
* runtime/JSCellInlines.h:
(JSC::JSCell::subspaceFor):
* runtime/JSDestructibleObjectHeapCellType.cpp:
(JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
* runtime/JSObject.h:
(JSC::JSObject::subspaceFor):
* runtime/JSSegmentedVariableObjectHeapCellType.cpp:
(JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
* runtime/JSStringHeapCellType.cpp:
(JSC::JSStringHeapCellType::JSStringHeapCellType):
* runtime/Symbol.h:
(JSC::Symbol::subspaceFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
(JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
2018-02-15 Darin Adler <darin@apple.com>
Web Inspector: get rid of remaining uses of OptOutput<T>
https://bugs.webkit.org/show_bug.cgi?id=180607
Reviewed by Brian Burg.
* inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/AsyncStackTrace.h: Ditto.
* inspector/ConsoleMessage.cpp: Ditto.
* inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
(Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
Vector instead of a unique_ptr<Vector>.
(Inspector::ContentSearchUtilities::lineEndings): Ditto.
(Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
(Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
a Vector for a fixed size array; also got rid of reinterpret_cast.
(Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
expression here since it's the only place it was used.
* inspector/ContentSearchUtilities.h: Cut down on unneeded includes.
* inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
Removed base template for BindingTraits; we only need the specializations.
* inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/ScriptCallFrame.h: Ditto.
* inspector/ScriptCallStack.cpp: Ditto.
* inspector/ScriptCallStack.h: Ditto.
* inspector/agents/InspectorConsoleAgent.cpp: Ditto.
* inspector/agents/InspectorConsoleAgent.h: Ditto.
* inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& intead of
OptOutput* for out arguments.
* inspector/agents/InspectorDebuggerAgent.h: Ditto.
* inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorHeapAgent::getPreview): Use std::optional& intead of OptOutput*
for out arguments.
* inspector/agents/InspectorHeapAgent.h: Ditto.
* inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorRuntimeAgent::parse): Use std::optional& intead of OptOutput*
for out arguments.
(Inspector::InspectorRuntimeAgent::evaluate): Ditto.
(Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
(Inspector::InspectorRuntimeAgent::saveResult): Ditto.
* inspector/agents/InspectorRuntimeAgent.h: Ditto.
* inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
and removed some bogus const.
* inspector/agents/InspectorScriptProfilerAgent.h: Ditto.
* inspector/scripts/codegen/cpp_generator.py:
(CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
(CppGenerator.cpp_type_for_type_with_name): Ditto.
(CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
Inspector::Protocol::OptOutput*.
(CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
(CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
(CppGenerator.cpp_type_for_stack_out_parameter): Ditto.
* inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
conditional around assertion code which will now compile to nothing if ASSERT is disabled.
Build strings more simply in a few cases.
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
replace OptOutput here.
(CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
Pass by reference instead of pointer now.
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
if ASSERT is disabled.
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
(CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.
* inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
(ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
more simply.
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
Rebaselined.
2018-02-15 Filip Pizlo <fpizlo@apple.com>
Unreviewed, roll out r228366 since it did not progress anything.
* heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::visitChildren):
(JSC::ErrorInstance::finalizeUnconditionally): Deleted.
* runtime/ErrorInstance.h:
(JSC::ErrorInstance::stackTrace):
(JSC::ErrorInstance::subspaceFor): Deleted.
* runtime/Exception.cpp:
(JSC::Exception::visitChildren):
(JSC::Exception::finalizeUnconditionally): Deleted.
* runtime/Exception.h:
* runtime/StackFrame.cpp:
(JSC::StackFrame::visitChildren):
(JSC::StackFrame::isFinalizationCandidate): Deleted.
(JSC::StackFrame::finalizeUnconditionally): Deleted.
* runtime/StackFrame.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-02-15 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove monotonicallyIncreasingTime and currentTime
https://bugs.webkit.org/show_bug.cgi?id=182793
Reviewed by Saam Barati.
We would like to drop monotonicallyIncreasingTime and currentTime from our tree by
replacing them with MonotonicTime and WallTime, which are well-typed alternatives,
compared to double.
This patch removes monotonicallyIncreasingTime and currentTime in JSC.
* b3/testb3.cpp:
(JSC::B3::testComplex):
* dfg/DFGPhase.h:
(JSC::DFG::runAndLog):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThread):
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPlan.h:
* dynbench.cpp:
(JSC::benchmarkImpl):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::isPagedOut):
* heap/BlockDirectory.h:
* heap/FullGCActivityCallback.cpp:
(JSC::FullGCActivityCallback::doCollection):
* heap/Heap.cpp:
(JSC::Heap::isPagedOut):
(JSC::Heap::sweepSynchronously):
* heap/Heap.h:
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::isPagedOut):
* heap/MarkedSpace.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::startTiming):
(Inspector::InspectorConsoleAgent::stopTiming):
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::compileTimeStats):
* jit/JIT.h:
* jsc.cpp:
(StopWatch::start):
(StopWatch::stop):
(StopWatch::getElapsedMS):
(functionPreciseTime):
(runJSC):
* profiler/ProfilerDatabase.cpp:
(JSC::Profiler::Database::logEvent):
* profiler/ProfilerEvent.cpp:
(JSC::Profiler::Event::toJS const):
* profiler/ProfilerEvent.h:
(JSC::Profiler::Event::Event):
(JSC::Profiler::Event::time const):
* runtime/CodeCache.cpp:
(JSC::CodeCacheMap::pruneSlowCase):
* runtime/CodeCache.h:
(JSC::CodeCacheMap::CodeCacheMap):
(JSC::CodeCacheMap::prune):
* runtime/DateConstructor.cpp:
(JSC::callDate):
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::processLogEntries):
* testRegExp.cpp:
(StopWatch::start):
(StopWatch::stop):
(StopWatch::getElapsedMS):
2018-02-14 Keith Miller <keith_miller@apple.com>
We should be able to jsDynamicCast from JSType when possible
https://bugs.webkit.org/show_bug.cgi?id=182804
Reviewed by Filip Pizlo and Mark Lam.
This patch beefs up jsDynamicCast in some of the cases where we
can use the JSType to quickly determine if a cell is a subclass of
the desired type. Since all JSCells have a range of JSTypes they support,
if there is a range exclusive to a class and all subclasses we can use
that range to quickly determine if the cast should be successful.
Additionally, the JSValue versions of jsCast and jsDynamicCast now
call the JSCell version after checking the value is a cell.
Finally, the casting functions have been moved to a new header,
JSCast.h
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CallVariant.h:
* bytecode/CodeBlock.h:
* bytecode/ExecutableToCodeBlockEdge.h:
* bytecode/TrackedReferences.h:
* bytecode/UnlinkedCodeBlock.h:
* bytecode/UnlinkedFunctionExecutable.h:
* dfg/DFGAbstractValue.h:
* dfg/DFGCommonData.h:
* dfg/DFGFrozenValue.h:
* dfg/DFGStructureAbstractValue.h:
* heap/CellContainerInlines.h:
* heap/ConservativeRoots.cpp:
* heap/GCLogging.cpp:
* heap/HeapInlines.h:
* heap/HeapSnapshotBuilder.cpp:
* heap/MarkedBlock.cpp:
* heap/MarkedBlockInlines.h:
* heap/SubspaceInlines.h:
* heap/WeakInlines.h:
* jit/JITOpcodes.cpp:
* jit/JITOpcodes32_64.cpp:
* llint/LLIntOffsetsExtractor.cpp:
* runtime/ArrayBufferNeuteringWatchpoint.h:
* runtime/BigIntPrototype.cpp:
* runtime/ClassInfo.h:
* runtime/CustomGetterSetter.h:
* runtime/FunctionRareData.h:
* runtime/GetterSetter.h:
* runtime/InferredType.h:
* runtime/InferredTypeTable.h:
* runtime/InferredValue.h:
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::finishCreation):
* runtime/JSAPIValueWrapper.h:
* runtime/JSArray.h:
(JSC::JSArray::finishCreation):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::finishCreation):
* runtime/JSCast.h: Added.
(JSC::jsCast):
(JSC::JSCastingHelpers::jsDynamicCastGenericImpl):
(JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl):
(JSC::JSCastingHelpers::JSDynamicCastTraits::cast):
(JSC::jsDynamicCast):
* runtime/JSCell.cpp:
* runtime/JSCell.h:
(JSC::jsCast): Deleted.
(JSC::jsDynamicCast): Deleted.
* runtime/JSCellInlines.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::finishCreation):
* runtime/JSJob.h:
* runtime/JSObject.h:
(JSC::JSObject::finishCreation):
* runtime/JSPromiseDeferred.h:
* runtime/JSPropertyNameEnumerator.h:
* runtime/NativeStdFunctionCell.h:
* runtime/ScopedArgumentsTable.h:
* runtime/SparseArrayValueMap.h:
* runtime/Structure.h:
* runtime/StructureChain.h:
* runtime/StructureRareData.h:
* tools/CellProfile.h:
* wasm/js/JSWebAssemblyCodeBlock.h:
2018-02-14 Michael Saboff <msaboff@apple.com>
Crash: triggerOMGTierUpThunkGenerator() doesn't align the stack pointer before calling C++ code
https://bugs.webkit.org/show_bug.cgi?id=182808
Reviewed by Keith Miller.
Set up a proper frame with a prologue and epilogue to align the stack pointer for the rest of the
thunk.
* wasm/WasmThunks.cpp:
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
2018-02-14 Saam Barati <sbarati@apple.com>
Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
https://bugs.webkit.org/show_bug.cgi?id=182801
Reviewed by Keith Miller.
VMTraps would sometimes install traps when it paused the JS thread when it
was in C code. This is wrong, as installing traps mallocs, and the JS thread
may have been holding the malloc lock while in C code. This could lead to a
deadlock when C code was holding the malloc lock.
This patch makes it so that we only install traps when we've proven the PC
is in JIT or LLInt code. If we're in JIT/LLInt code, we are guaranteed that
we're not holding the malloc lock.
* jsc.cpp:
(GlobalObject::finishCreation):
(functionMallocInALoop):
* runtime/VMTraps.cpp:
(JSC::VMTraps::tryInstallTrapBreakpoints):
2018-02-14 Michael Saboff <msaboff@apple.com>
REGRESSION(225695) : com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::RegExp::match + 630 :: stack overflow
https://bugs.webkit.org/show_bug.cgi?id=182705
Reviewed by Mark Lam.
Moved the pattern context buffer used by YARR JIT'ed code from a stack local to a lazily allocated
buffer on the VM. Exposed when the buffer is needed to reduce likelihood that we'd allocated it.
Guarded use of the buffer with a lock since the DFG compiler may call into YARR JIT'ed code on a
compilation thread.
* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):
* runtime/VM.cpp:
(JSC::VM::~VM):
(JSC::VM::acquireRegExpPatternContexBuffer):
(JSC::VM::releaseRegExpPatternContexBuffer):
* runtime/VM.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generate):
(JSC::Yarr::YarrGenerator::backtrack):
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::YarrGenerator::compile):
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::usesPatternContextBuffer):
(JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer):
2018-02-13 Saam Barati <sbarati@apple.com>
putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
https://bugs.webkit.org/show_bug.cgi?id=182755
<rdar://problem/37080864>
Reviewed by Keith Miller.
putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted
the object in question to a dictionary indexing mode when the index is less than
the vector length. This makes no sense. If we're defining a getter, setter, or read
only property, we must always enter the dictionary indexing mode irrespective
of the index in relation to the vector length.
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2018-02-13 Saam Barati <sbarati@apple.com>
Follup fix to r228411 for 32-bit builds. I missed a place where we used non vararg getter for child2().
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2018-02-13 Guillaume Emont <guijemont@igalia.com>
[YarrJIT][ARM] We need to save r8 as it is the initial start register
https://bugs.webkit.org/show_bug.cgi?id=182157
Reviewed by Saam Barati.
Register r8 is the initial start register since r224172, so we need to
save it. We still need to save r6 as well even though it is not the
initial start register any more, since it is used by the
MacroAssembler which we use (we get crashes in some situations if we
don't save r6). This issue was discovered because
stress/regress-174044.js crashes on a raspberry pi 2 when compiled in
-O2.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
2018-02-13 Caitlin Potter <caitp@igalia.com>
[JSC] cache TaggedTemplate arrays by callsite rather than by contents
https://bugs.webkit.org/show_bug.cgi?id=182717
Reviewed by Yusuke Suzuki.
https://github.com/tc39/ecma262/pull/890 imposes a change to template
literals, to allow template callsite arrays to be collected when the
code containing the tagged template call is collected. This spec change
has received concensus and been ratified.
This change eliminates the eternal map associating template contents
with arrays.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantRegisters):
* bytecode/DirectEvalCodeCache.cpp:
(JSC::DirectEvalCodeCache::setSlow):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addTemplateObjectConstant):
(JSC::BytecodeGenerator::emitGetTemplateObject):
(JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
* bytecompiler/BytecodeGenerator.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseMemberExpression):
* parser/Parser.h:
* parser/ParserModes.h:
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::allowDirectEvalCache const):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::templateRegistry): Deleted.
* runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
(JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
(JSC::JSTemplateObjectDescriptor::create):
(JSC::JSTemplateObjectDescriptor::destroy):
(JSC::JSTemplateObjectDescriptor::createTemplateObject):
* runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
(JSC::isTemplateObjectDescriptor):
* runtime/JSTemplateRegistryKey.cpp: Removed.
* runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
(JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
* runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
(JSC::TemplateObjectDescriptor::operator== const):
(JSC::TemplateObjectDescriptor::operator!= const):
(JSC::TemplateObjectDescriptor::Hasher::hash):
(JSC::TemplateObjectDescriptor::Hasher::equal):
(JSC::TemplateObjectDescriptor::create):
(JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
(JSC::TemplateObjectDescriptor::calculateHash):
* runtime/TemplateRegistry.h: Removed.
* runtime/TemplateRegistryKeyTable.cpp: Removed.
* runtime/TemplateRegistryKeyTable.h: Removed.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::templateRegistryKeyTable): Deleted.
* runtime/VMEntryScope.cpp:
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantRegisters):
* bytecode/DirectEvalCodeCache.cpp:
(JSC::DirectEvalCodeCache::setSlow):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addTemplateObjectConstant):
(JSC::BytecodeGenerator::emitGetTemplateObject):
(JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
* bytecompiler/BytecodeGenerator.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseMemberExpression):
* parser/Parser.h:
* parser/ParserModes.h:
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::allowDirectEvalCache const):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::templateRegistry): Deleted.
* runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
(JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
(JSC::JSTemplateObjectDescriptor::create):
(JSC::JSTemplateObjectDescriptor::destroy):
(JSC::JSTemplateObjectDescriptor::createTemplateObject):
* runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
(JSC::isTemplateObjectDescriptor):
* runtime/JSTemplateRegistryKey.cpp: Removed.
* runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
(JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
* runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
(JSC::TemplateObjectDescriptor::operator== const):
(JSC::TemplateObjectDescriptor::operator!= const):
(JSC::TemplateObjectDescriptor::Hasher::hash):
(JSC::TemplateObjectDescriptor::Hasher::equal):
(JSC::TemplateObjectDescriptor::create):
(JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
(JSC::TemplateObjectDescriptor::calculateHash):
* runtime/TemplateRegistry.h: Removed.
* runtime/TemplateRegistryKeyTable.cpp: Removed.
* runtime/TemplateRegistryKeyTable.h: Removed.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::templateRegistryKeyTable): Deleted.
* runtime/VMEntryScope.cpp:
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantRegisters):
* bytecode/DirectEvalCodeCache.cpp:
(JSC::DirectEvalCodeCache::setSlow):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addTemplateObjectConstant):
(JSC::BytecodeGenerator::emitGetTemplateObject):
(JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
* bytecompiler/BytecodeGenerator.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseMemberExpression):
* parser/Parser.h:
* parser/ParserModes.h:
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::allowDirectEvalCache const):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::templateRegistry): Deleted.
* runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
(JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
(JSC::JSTemplateObjectDescriptor::create):
(JSC::JSTemplateObjectDescriptor::destroy):
(JSC::JSTemplateObjectDescriptor::createTemplateObject):
* runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
(JSC::isTemplateObjectDescriptor):
* runtime/JSTemplateRegistryKey.cpp: Removed.
* runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
(JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
* runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
(JSC::TemplateObjectDescriptor::operator== const):
(JSC::TemplateObjectDescriptor::operator!= const):
(JSC::TemplateObjectDescriptor::Hasher::hash):
(JSC::TemplateObjectDescriptor::Hasher::equal):
(JSC::TemplateObjectDescriptor::create):
(JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
(JSC::TemplateObjectDescriptor::calculateHash):
* runtime/TemplateRegistry.h: Removed.
* runtime/TemplateRegistryKeyTable.cpp: Removed.
* runtime/TemplateRegistryKeyTable.h: Removed.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::templateRegistryKeyTable): Deleted.
* runtime/VMEntryScope.cpp:
2018-02-13 Yusuke Suzuki <utatane.tea@gmail.com>
Support GetArrayLength on ArrayStorage in the FTL
https://bugs.webkit.org/show_bug.cgi?id=182625
Reviewed by Saam Barati.
This patch adds GetArrayLength and CheckArray + ArrayStorage & SlowPutArrayStorage support for FTL.
The implementation is trivial; just porting one in DFG to FTL.
This fixes several FTL compilation failures in web-tooling-benchmarks while we still need to support
ArrayPush, ArrayPop, Arrayify, and PutByVal.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
(JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForCheckArray):
2018-02-10 Filip Pizlo <fpizlo@apple.com>
Lock down JSFunction
https://bugs.webkit.org/show_bug.cgi?id=182652
Reviewed by Saam Barati.
This poisons pointers in JSFunction and puts all of the types in the JSFunction hierarchy in
isospaces.
This is so neutral on JetStream: 0.01% slower with p = 0.969211.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileNewFunction):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
(JSC::FTL::DFG::LowerDFGToB3::weakPointer):
(JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer):
* ftl/FTLOutput.h:
(JSC::FTL::Output::weakPointer):
(JSC::FTL::Output::weakPoisonedPointer):
* heap/MarkedSpace.cpp:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_create_this):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSAsyncFunction.h:
(JSC::JSAsyncFunction::subspaceFor):
* runtime/JSAsyncGeneratorFunction.h:
(JSC::JSAsyncGeneratorFunction::subspaceFor):
* runtime/JSBoundFunction.h:
(JSC::JSBoundFunction::subspaceFor):
* runtime/JSCPoison.h:
* runtime/JSCustomGetterSetterFunction.h:
(JSC::JSCustomGetterSetterFunction::subspaceFor):
* runtime/JSFunction.h:
(JSC::JSFunction::subspaceFor):
* runtime/JSGeneratorFunction.h:
(JSC::JSGeneratorFunction::subspaceFor):
* runtime/JSNativeStdFunction.h:
(JSC::JSNativeStdFunction::subspaceFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* wasm/js/WebAssemblyFunction.h:
* wasm/js/WebAssemblyWrapperFunction.h:
2018-02-12 Saam Barati <sbarati@apple.com>
Add a GetIndexMask node and make it an input to GetByVal for array and typed array accesses in DFG SSA
https://bugs.webkit.org/show_bug.cgi?id=182633
<rdar://problem/37441037>
Reviewed by Keith Miller.
This patch introduces a GetIndexMask node to DFG SSA. This is an input to
GetByVal for the GetByVal variants that do conservative index masking.
The reason I'm adding this node is I realized there were loads of
the butterfly index mask inside loops that B3 couldn't reason about
because B3 can't arbitrarily hoist loads out of loops if those loops
have side exits (because the side exit might be protecting the safety of the
load). However, for these loops I analyzed, the DFG would be able to hoist
these loads out of loops because it knows about JS semantics to correctly
reason about the safety of hoisting the load.
This is a 1% speedup on JetStream on Mac and iOS in my testing.
This patch also adds some infrastructure for eliminating and doing CSE on
varargs nodes. Because this patch makes GetByVal a varargs node, I ran into
issues we never had before. We never had a varargs node that could be CSEd or be
hoisted out of a loop until I made GetByVal varargs. To make it all work,
I added a CheckVarargs node. This is just like Check, but it's varargs.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAdjacencyList.h:
(JSC::DFG::AdjacencyList::AdjacencyList):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::replaceTerminal):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::findTerminal const):
* dfg/DFGBasicBlockInlines.h:
(JSC::DFG::BasicBlock::replaceTerminal):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::mergeBlocks):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
(JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
* dfg/DFGCSEPhase.cpp:
* dfg/DFGCleanUpPhase.cpp:
(JSC::DFG::CleanUpPhase::run):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::fixUpsilons):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
(JSC::DFG::DCEPhase::fixupBlock):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupChecksInBlock):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
* dfg/DFGIntegerRangeOptimizationPhase.cpp:
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.cpp:
(JSC::DFG::Node::remove):
(JSC::DFG::Node::convertToIdentityOn):
* dfg/DFGNode.h:
(JSC::DFG::Node::replaceWith):
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGPureValue.cpp:
(JSC::DFG::PureValue::dump const):
* dfg/DFGPureValue.h:
(JSC::DFG::PureValue::PureValue):
* dfg/DFGPutStackSinkingPhase.cpp:
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::handleNode):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStoreBarrierClusteringPhase.cpp:
* dfg/DFGValidate.cpp:
* dfg/DFGVarargsForwardingPhase.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
(JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
2018-02-12 Mark Lam <mark.lam@apple.com>
Miscellaneous refactoring of offlineasm.
https://bugs.webkit.org/show_bug.cgi?id=182702
<rdar://problem/37467887>
Reviewed by Filip Pizlo.
1. Refactor out the emission of $asm.comment, $asm.codeOrigin, $asm.annotation,
and $asm.debugAnnotation into a recordMetaData method. This standardizes how
we emit this metadata and makes all backends do it the same way.
2. Add the ability to include custom offlineasm scripts from WebKitAdditions in
the future.
* offlineasm/arm.rb:
* offlineasm/arm64.rb:
* offlineasm/ast.rb:
* offlineasm/backends.rb:
* offlineasm/cloop.rb:
* offlineasm/config.rb:
* offlineasm/mips.rb:
* offlineasm/risc.rb:
* offlineasm/x86.rb:
2018-02-12 Saam Barati <sbarati@apple.com>
DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
https://bugs.webkit.org/show_bug.cgi?id=182706
<rdar://problem/36833681>
Reviewed by Filip Pizlo.
When we added support for PhantomNewArrayBuffer, we forgot to update
the emitCodeToGetArgumentsArrayLength function to handle PhantomNewArrayBuffer.
This patch adds that support. It's trivial to generate the length for
a PhantomNewArrayBuffer node since it's a constant buffer, with a constant
length.
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
2018-02-12 Mark Lam <mark.lam@apple.com>
Add more support for pointer preparations.
https://bugs.webkit.org/show_bug.cgi?id=182703
<rdar://problem/37469451>
Reviewed by Saam Barati.
* llint/LLIntData.h:
(JSC::LLInt::getCodePtr):
* llint/LLIntPCRanges.h:
(JSC::LLInt::isLLIntPC):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2018-02-12 Mark Lam <mark.lam@apple.com>
Fix missing exception check in RegExpObject::matchGlobal().
https://bugs.webkit.org/show_bug.cgi?id=182701
<rdar://problem/37465865>
Reviewed by Michael Saboff.
This issue was discovered when running JSC tests on an asm LLInt build with
JSC_useJIT=false.
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::matchGlobal):
2018-02-11 Guillaume Emont <guijemont@igalia.com>
[MIPS] JSC needs to be built with -latomic
https://bugs.webkit.org/show_bug.cgi?id=182610
Reviewed by Žan Doberšek.
Since r228149, on MIPS we need to link with -latomic, because
__atomic_fetch_add_8 is not available as a compiler intrinsic.
* CMakeLists.txt:
2018-02-09 Filip Pizlo <fpizlo@apple.com>
Don't waste memory for error.stack
https://bugs.webkit.org/show_bug.cgi?id=182656
Reviewed by Saam Barati.
This makes the StackFrames in ErrorInstance and Exception weak. We simply forget their
contents if we GC.
This isn't going to happen under normal operation since your callees and code blocks will
still be alive when you ask for .stack.
Bug 182650 tracks improving this so that it's not lossy. For now, I think it's worth it,
since it is likely to recover 3-5 MB on membuster.
* heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::visitChildren):
(JSC::ErrorInstance::finalizeUnconditionally):
* runtime/ErrorInstance.h:
(JSC::ErrorInstance::subspaceFor):
* runtime/Exception.cpp:
(JSC::Exception::visitChildren):
(JSC::Exception::finalizeUnconditionally):
* runtime/Exception.h:
(JSC::Exception::valueOffset): Deleted.
(JSC::Exception::value const): Deleted.
(JSC::Exception::stack const): Deleted.
(JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
(JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
* runtime/StackFrame.cpp:
(JSC::StackFrame::isFinalizationCandidate):
(JSC::StackFrame::finalizeUnconditionally):
(JSC::StackFrame::visitChildren): Deleted.
* runtime/StackFrame.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-02-09 Carlos Alberto Lopez Perez <clopez@igalia.com>
Fix build on ARMv7 traditional JSCOnly bot after r228306
https://bugs.webkit.org/show_bug.cgi?id=182563
Unreviewed build fix.
* assembler/AssemblerBuffer.h:
2018-02-08 Filip Pizlo <fpizlo@apple.com>
Experiment with alternative implementation of memcpy/memset
https://bugs.webkit.org/show_bug.cgi?id=182563
Reviewed by Michael Saboff and Mark Lam.
This adopts new fastCopy/fastZeroFill calls for calls to memcpy/memset that do not take a
constant size argument.
* assembler/AssemblerBuffer.h:
(JSC::AssemblerBuffer::append):
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBufferContents::tryAllocate):
(JSC::ArrayBufferContents::copyTo):
(JSC::ArrayBuffer::createInternal):
* runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::zeroRangeImpl):
* runtime/ArrayConventions.cpp:
* runtime/ArrayConventions.h:
(JSC::clearArray):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoPrivateFuncConcatMemcpy):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::createOrGrowPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::resizeArray):
* runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::create):
* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::fastSlice):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::set):
* runtime/JSObject.cpp:
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::PropertyTable):
2018-02-08 Don Olmstead <don.olmstead@sony.com>
Remove JavaScriptCore/ForwardingHeaders directory
https://bugs.webkit.org/show_bug.cgi?id=182594
Reviewed by Mark Lam.
* CMakeLists.txt:
* ForwardingHeaders/JavaScriptCore/APICast.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSBase.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSContextRef.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSObjectRef.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSObjectRefPrivate.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSRetainPtr.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSStringRef.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSStringRefCF.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSTypedArray.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSValueRef.h: Removed.
* ForwardingHeaders/JavaScriptCore/JavaScript.h: Removed.
* ForwardingHeaders/JavaScriptCore/JavaScriptCore.h: Removed.
* ForwardingHeaders/JavaScriptCore/OpaqueJSString.h: Removed.
* ForwardingHeaders/JavaScriptCore/WebKitAvailability.h: Removed.
2018-02-06 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
https://bugs.webkit.org/show_bug.cgi?id=182440
Reviewed by Darin Adler.
This patch implements Array.prototype.flatMap and Array.prototype.flatten
since they are now stage 3 [1].
[1]: https://tc39.github.io/proposal-flatMap/#sec-FlattenIntoArray
* builtins/ArrayPrototype.js:
(filter):
(map):
(globalPrivate.concatSlowPath):
(globalPrivate.arraySpeciesCreate):
(globalPrivate.flattenIntoArray):
(flatten):
(globalPrivate.flattenIntoArrayWithCallback):
We separate flattenIntoArray from flattenIntoArrayWithCallback due to performance reason.
We carefully keep both functions small to encourage inlining.
(flatMap):
* runtime/ArrayPrototype.cpp:
(JSC::ArrayPrototype::finishCreation):
2018-01-13 Darin Adler <darin@apple.com>
Event improvements
https://bugs.webkit.org/show_bug.cgi?id=179591
Reviewed by Chris Dumez.
Remove all uses of ScriptValue other than in the implementation of ScriptObject.
* bindings/ScriptFunctionCall.cpp: Removed include of ScriptValue.h.
* bindings/ScriptObject.cpp: Removed unused overload of ScriptObject constructor.
* bindings/ScriptObject.h: Ditto.
* bindings/ScriptValue.cpp:
(Deprecated::ScriptValue::~ScriptValue): Deleted.
(Deprecated::ScriptValue::getString const): Deleted.
(Deprecated::ScriptValue::toString const): Deleted.
(Deprecated::ScriptValue::isEqual const): Deleted.
(Deprecated::ScriptValue::isNull const): Deleted.
(Deprecated::ScriptValue::isUndefined const): Deleted.
(Deprecated::ScriptValue::isObject const): Deleted.
(Deprecated::ScriptValue::isFunction const): Deleted.
(Deprecated::ScriptValue::toInspectorValue const): Deleted.
* bindings/ScriptValue.h: Removed many unused functions. Made the rest
protected since this is now used only in ScriptObject.
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::addToFrontend): Stop using ScriptValue.
(Inspector::ConsoleMessage::isEqual const): Updated for change to ScriptArguments::isEqual.
* inspector/ScriptArguments.cpp:
(Inspector::ScriptArguments::create): Take a Vector of JSC::Strong, not ScriptValue,
use rvalue reference with move instead of lvalue reference with swap, and take execution
state by reference instead of pointer.
(Inspector::ScriptArguments::createEmpty): Deleted. Can now use create instead.
(Inspector::ScriptArguments::ScriptArguments): Ditto.
(Inspector::ScriptArguments::~ScriptArguments): Deleted.
(Inspector::ScriptArguments::argumentAt const): Updated to use JSC::Strong.
(Inspector::ScriptArguments::getFirstArgumentAsString): Ditto.
(Inspector::ScriptArguments::isEqual const): Ditto. Also changed to use JS internals
instead of calling through the C API.
* inspector/ScriptArguments.h: Updated for the above.
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptArguments): Updated for changes to ScriptArguments.
* inspector/ScriptDebugServer.cpp: Removed include of ScriptValue.h.
* inspector/agents/InspectorAgent.cpp: Ditto.
* inspector/agents/InspectorDebuggerAgent.cpp: Ditto.
(Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use JSC::Strong instead
of ScriptValue.
(Inspector::InspectorDebuggerAgent::currentCallFrames): Ditto.
* inspector/agents/InspectorDebuggerAgent.h: Ditto.
* runtime/ConsoleClient.cpp:
(JSC::ConsoleClient::printConsoleMessageWithArguments): Ditto.
(JSC::ConsoleClient::clear): Use ScriptArguments::create and pass an empty vector
instead of calling a separate createEmpty function.
* runtime/VM.cpp:
(JSC::VM::createLeaked): Deleted.
* runtime/VM.h: Deleted createLeaked.
2018-02-06 Brian Burg <bburg@apple.com>
Web Inspector: protocol generator should automatically deduce the correct include style to use
https://bugs.webkit.org/show_bug.cgi?id=182505
Reviewed by Timothy Hatcher.
Currently the generated imports use a mix of system header imports (powered by forwarding headers)
and framework-style includes. Since forwarding headers are going away, this patch stops
using system header includes for headers that are JavaScriptCore private headers. Instead,
use either a relative include or a framework include.
* inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
(CppAlternateBackendDispatcherHeaderGenerator.generate_output):
(CppAlternateBackendDispatcherHeaderGenerator):
(CppAlternateBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
(CppBackendDispatcherHeaderGenerator.generate_output):
(CppBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator.generate_output):
(CppBackendDispatcherImplementationGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
(CppFrontendDispatcherHeaderGenerator.generate_output):
(CppFrontendDispatcherHeaderGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
(CppFrontendDispatcherImplementationGenerator.generate_output):
(CppFrontendDispatcherImplementationGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
(CppProtocolTypesHeaderGenerator.generate_output):
(CppProtocolTypesHeaderGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator.generate_output):
(CppProtocolTypesImplementationGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
(ObjCBackendDispatcherHeaderGenerator):
Convert existing header lists to the new entries format, which includes the
allowable target frameworks and the relative path to the header.
* inspector/scripts/codegen/generator.py:
(Generator.generate_includes_from_entries):
Copied from the same in the builtins code generator. It still works great.
* inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/generic/expected/domain-availability.json-result:
* inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/generic/expected/enum-values.json-result:
* inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
* inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
* inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
* inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
* inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
Rebaseline.
2018-02-06 Keith Miller <keith_miller@apple.com>
put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
https://bugs.webkit.org/show_bug.cgi?id=182549
<rdar://problem/36189995>
Reviewed by Saam Barati.
Previously, the llint/baseline caching for put_to_scope and
get_from_scope would cache lexical environments when the
varInjectionWatchpoint had been fired for global properties. Code
in the DFG does not follow this same assumption so we could
potentially return the wrong result. Additionally, the baseline
would write barrier the global object rather than the lexical
enviroment object. This patch makes it so that we do not cache
anything other than the global object for when the resolve type is
GlobalPropertyWithVarInjectionChecks or GlobalProperty.
* assembler/MacroAssembler.cpp:
(JSC::MacroAssembler::jitAssert):
* assembler/MacroAssembler.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
(JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
* runtime/Options.h:
2018-01-28 Filip Pizlo <fpizlo@apple.com>
Global objects should be able to use TLCs to allocate from different blocks from each other
https://bugs.webkit.org/show_bug.cgi?id=182227
Reviewed by JF Bastien.
This uses TLCs to create at least `minimumDistanceBetweenCellsFromDifferenOrigins` bytes of
distance between objects from different origins, using the following combination of things. For
short lets refer to that constant as K.
- Since r227721, LargeAllocation puts K bytes padding at the end of each allocation.
- Since r227718, MarkedBlock puts at least K bytes in its footer.
- Since r227617, global objects can have their own TLCs, which make them allocate from a
different set of blocks than other global objects. The TLC of a global object comes into
effect when you enter the VM via that global object.
- With this change, TLCs and blocks both have security origins. A TLC will only use blocks that
share the same security origin or empty blocks (in which case we zero the block and change
its security origin).
WebCore determines the TLC-GlobalObject mapping. By default, global objects would simply use
the VM's default TLC. WebCore makes it so that DOM windows (but not worker global objects) get
a TLC based on their document's SecurityOrigin.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::findBlockForAllocation):
(JSC::BlockDirectory::prepareForAllocation):
* heap/BlockDirectory.h:
* heap/LocalAllocator.cpp:
(JSC::LocalAllocator::LocalAllocator):
(JSC::LocalAllocator::reset):
(JSC::LocalAllocator::~LocalAllocator):
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
* heap/LocalAllocator.h:
(JSC::LocalAllocator::tlc const):
* heap/MarkStackMergingConstraint.cpp:
* heap/MarkStackMergingConstraint.h:
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::associateWithOrigin):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::securityOriginToken const):
* heap/SecurityOriginToken.cpp: Added.
(JSC::uniqueSecurityOriginToken):
* heap/SecurityOriginToken.h: Added.
* heap/ThreadLocalCache.cpp:
(JSC::ThreadLocalCache::create):
(JSC::ThreadLocalCache::ThreadLocalCache):
(JSC::ThreadLocalCache::allocateData):
(JSC::ThreadLocalCache::installSlow):
* heap/ThreadLocalCache.h:
(JSC::ThreadLocalCache::securityOriginToken const):
* heap/ThreadLocalCacheInlines.h:
(JSC::ThreadLocalCache::install):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::createThreadLocalCache):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::threadLocalCache):
(JSC::JSGlobalObject::threadLocalCache const): Deleted.
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
(JSC::VMEntryScope::~VMEntryScope):
* runtime/VMEntryScope.h:
2018-02-05 Don Olmstead <don.olmstead@sony.com>
JavaScriptCore files should not be included relatively
https://bugs.webkit.org/show_bug.cgi?id=182452
Reviewed by Keith Miller.
* API/JSCallbackConstructor.h:
* CMakeLists.txt:
* disassembler/ARM64Disassembler.cpp:
* disassembler/ARMv7Disassembler.cpp:
* heap/LockDuringMarking.h:
* inspector/InjectedScriptBase.h:
* inspector/InjectedScriptHost.h:
* inspector/JavaScriptCallFrame.h:
* inspector/ScriptArguments.h:
* inspector/ScriptDebugListener.h:
* inspector/ScriptDebugServer.h:
* inspector/agents/InspectorAgent.h:
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorHeapAgent.h:
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/agents/InspectorScriptProfilerAgent.h:
* runtime/RegExp.h:
2018-02-05 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r228012.
https://bugs.webkit.org/show_bug.cgi?id=182493
"It regressed ARES-6 by 2-4%" (Requested by saamyjoon on
#webkit).
Reverted changeset:
"[JSC] Clean up ArraySpeciesCreate"
https://bugs.webkit.org/show_bug.cgi?id=182434
https://trac.webkit.org/changeset/228012
2018-02-02 Ryan Haddad <ryanhaddad@apple.com>
Rebaseline bindings generator tests after r228032.
https://bugs.webkit.org/show_bug.cgi?id=182445
Unreviewed test gardening.
* Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2018-02-02 Saam Barati <sbarati@apple.com>
Make various DFG_ASSERTs provide more data to WTFCrashWithInfo
https://bugs.webkit.org/show_bug.cgi?id=182453
<rdar://problem/37174236>
Reviewed by JF Bastien and Mark Lam.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupChecksInBlock):
* dfg/DFGFlowIndexing.h:
(JSC::DFG::FlowIndexing::shadowIndex const):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGLoopPreHeaderCreationPhase.cpp:
(JSC::DFG::LoopPreHeaderCreationPhase::run):
* dfg/DFGPutStackSinkingPhase.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithAbs):
(JSC::DFG::SpeculativeJIT::compileArithRounding):
(JSC::DFG::SpeculativeJIT::compileToPrimitive):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStoreBarrierClusteringPhase.cpp:
* dfg/DFGStoreBarrierInsertionPhase.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
(JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
(JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
(JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
(JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
(JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
(JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
(JSC::FTL::DFG::LowerDFGToB3::compilePutById):
(JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
(JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
(JSC::FTL::DFG::LowerDFGToB3::compileIn):
(JSC::FTL::DFG::LowerDFGToB3::compare):
(JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
(JSC::FTL::DFG::LowerDFGToB3::lowInt32):
(JSC::FTL::DFG::LowerDFGToB3::lowInt52):
(JSC::FTL::DFG::LowerDFGToB3::lowCell):
(JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
(JSC::FTL::DFG::LowerDFGToB3::lowDouble):
(JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
2018-02-02 Don Olmstead <don.olmstead@sony.com>
JS Builtins should include JavaScriptCore headers directly
https://bugs.webkit.org/show_bug.cgi?id=182445
Reviewed by Yusuke Suzuki.
* Scripts/builtins/builtins_generator.py:
* Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2018-02-02 Saam Barati <sbarati@apple.com>
When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
https://bugs.webkit.org/show_bug.cgi?id=182368
<rdar://problem/36932466>
Reviewed by Mark Lam.
When preserving liveness when inserting Unreachable nodes after ForceOSRExit,
we must add the VariableAccessData to the given argument position. Otherwise,
we may end up with a VariableAccessData that doesn't respect the shouldNeverUnbox bit.
If we end up with such a situation, it can lead to invalid IR after the
arguments elimination phase optimizes a GetByVal to a GetStack.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushImpl):
(JSC::DFG::ByteCodeParser::flushForTerminalImpl):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parse):
2018-02-02 Mark Lam <mark.lam@apple.com>
More ARM64_32 fixes.
https://bugs.webkit.org/show_bug.cgi?id=182441
<rdar://problem/37162310>
Reviewed by Dan Bernstein.
I also disabled more dynamicPoisoning code in ARM64_32. This code assumes a
64-bit pointer which is not applicable here.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitDynamicPoison):
(JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
(JSC::AssemblyHelpers::emitDynamicPoisonOnType):
2018-02-02 Saam Barati <sbarati@apple.com>
MapHash should return true to doesGC in the DFG depending on useKind because it might resolve a rope
https://bugs.webkit.org/show_bug.cgi?id=182402
Reviewed by Yusuke Suzuki.
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
2018-02-02 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Clean up ArraySpeciesCreate
https://bugs.webkit.org/show_bug.cgi?id=182434
Reviewed by Saam Barati.
We have duplicate code in filter, map, concatSlowPath.
This patch creates a new global private function @arraySpeciesCreate,
and use it.
* builtins/ArrayPrototype.js:
(globalPrivate.arraySpeciesCreate):
(filter):
(map):
(globalPrivate.concatSlowPath):
2018-02-01 Mark Lam <mark.lam@apple.com>
Fix broken bounds check in FTL's compileGetMyArgumentByVal().
https://bugs.webkit.org/show_bug.cgi?id=182419
<rdar://problem/37044945>
Reviewed by Saam Barati.
In compileGetMyArgumentByVal(), it computes:
limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
...
LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit);
where the original "limit" is the number of arguments passed in by the caller.
If the original limit is less than numberOfArgumentsToSkip, the resultant limit
will be a large unsigned number. As a result, this will defeat the bounds check
that follows it.
Note: later on in compileGetMyArgumentByVal(), we have to adjust adjust the index
value by adding numberOfArgumentsToSkip to it, in order to determine the actual
entry in the arguments array to get.
The fix is to just add numberOfArgumentsToSkip to index upfront (instead of
subtracting it from limit), and doing an overflow speculation check on that
addition before doing the bounds check.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2018-02-01 Keith Miller <keith_miller@apple.com>
Fix crashes due to mishandling custom sections.
https://bugs.webkit.org/show_bug.cgi?id=182404
<rdar://problem/36935863>
Reviewed by Saam Barati.
This also cleans up some of our validation code. We also
mistakenly, allowed unknown (different from custom sections with
id: 0) section ids.
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parse):
* wasm/WasmModuleParser.h:
* wasm/WasmSections.h:
(JSC::Wasm::isKnownSection):
(JSC::Wasm::decodeSection):
(JSC::Wasm::validateOrder):
(JSC::Wasm::makeString):
(JSC::Wasm::isValidSection): Deleted.
2018-02-01 Michael Catanzaro <mcatanzaro@igalia.com>
-Wreturn-type warning in DFGObjectAllocationSinkingPhase.cpp
https://bugs.webkit.org/show_bug.cgi?id=182389
Reviewed by Yusuke Suzuki.
Fix the warning.
As a bonus, remove a couple unreachable breaks for good measure.
* dfg/DFGObjectAllocationSinkingPhase.cpp:
2018-02-01 Chris Dumez <cdumez@apple.com>
Queue a microtask when a waitUntil() promise is settled
https://bugs.webkit.org/show_bug.cgi?id=182372
<rdar://problem/37101019>
Reviewed by Mark Lam.
Export a symbol so it can be used in WebCore.
* runtime/JSGlobalObject.h:
2018-01-31 Don Olmstead <don.olmstead@sony.com>
[CMake] Make JavaScriptCore headers copies
https://bugs.webkit.org/show_bug.cgi?id=182303
Reviewed by Alex Christensen.
* CMakeLists.txt:
* PlatformGTK.cmake:
* PlatformJSCOnly.cmake:
* PlatformMac.cmake:
* PlatformWPE.cmake:
* PlatformWin.cmake:
* shell/CMakeLists.txt:
* shell/PlatformWin.cmake:
2018-01-31 Saam Barati <sbarati@apple.com>
Replace tryLargeMemalignVirtual with tryLargeZeroedMemalignVirtual and use it to allocate large zeroed memory in Wasm
https://bugs.webkit.org/show_bug.cgi?id=182064
<rdar://problem/36840132>
Reviewed by Geoffrey Garen.
This patch switches WebAssembly Memory to always use bmalloc's
zeroed virtual allocation API. This makes it so that we don't
dirty the memory to zero it. It's a huge compile time speedup
on WasmBench on iOS.
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::create):
(JSC::Wasm::Memory::~Memory):
(JSC::Wasm::Memory::addressIsInActiveFastMemory):
(JSC::Wasm::Memory::grow):
(JSC::Wasm::commitZeroPages): Deleted.
2018-01-31 Mark Lam <mark.lam@apple.com>
Build fix for CLoop after r227874.
https://bugs.webkit.org/show_bug.cgi?id=182155
<rdar://problem/36286266>
Not reviewed.
Just needed support for lea of a LabelReference in cloop.rb (just like those
added for arm64.rb and x86.rb).
* offlineasm/cloop.rb:
2018-01-31 Keith Miller <keith_miller@apple.com>
Canonicalize aquiring the JSCell lock.
https://bugs.webkit.org/show_bug.cgi?id=182320
Reviewed by Michael Saboff.
It's currently kinda annoying to figure out where
we aquire the a JSCell's lock. This patch adds a
helper to make it easier to grep...
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::visitChildren):
(JSC::UnlinkedCodeBlock::setInstructions):
(JSC::UnlinkedCodeBlock::shrinkToFit):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::finishCreation):
(JSC::ErrorInstance::materializeErrorInfoIfNeeded):
(JSC::ErrorInstance::visitChildren):
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::unshiftCountWithArrayStorage):
* runtime/JSCell.h:
(JSC::JSCell::cellLock):
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterflyImpl):
(JSC::JSObject::convertContiguousToArrayStorage):
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::visitChildren):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::add):
(JSC::SparseArrayValueMap::remove):
(JSC::SparseArrayValueMap::visitChildren):
2018-01-31 Saam Barati <sbarati@apple.com>
JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
https://bugs.webkit.org/show_bug.cgi?id=182074
<rdar://problem/36846261>
Reviewed by Mark Lam.
This patch teaches the JSONP evaluator about the global lexical environment.
Before, it was using the global object as the global scope, but that's wrong.
The global lexical environment is the first node in the global scope chain.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
* jsc.cpp:
(GlobalObject::finishCreation):
(shellSupportsRichSourceInfo):
(functionDisableRichSourceInfo):
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::tryJSONPParse):
* runtime/LiteralParser.h:
2018-01-31 Saam Barati <sbarati@apple.com>
clean up pushToSaveImmediateWithoutTouchingRegisters a bit
https://bugs.webkit.org/show_bug.cgi?id=181774
Reviewed by JF Bastien.
This function on ARM64 was considering what to do with the scratch
register. And conditionally invalidated what was in it. This is not
relevant though, since the function always recovers what was in that
register. This patch just switches it to using dataTempRegister
directly and updates the comment to describe why it can do so safely.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
2018-01-30 Mark Lam <mark.lam@apple.com>
Apply poisoning to TypedArray vector pointers.
https://bugs.webkit.org/show_bug.cgi?id=182155
<rdar://problem/36286266>
Reviewed by JF Bastien.
The TypeArray's vector pointer is now poisoned. The poison value is chosen based
on a TypeArray's jsType. The JSType must be between FirstTypedArrayType and
LastTypedArrayType. At runtime, we enforce that the index is well-behaved by
masking it against TypedArrayPoisonIndexMask. TypedArrayPoisonIndexMask (16) is
the number of TypedArray types (10) rounded up to the next power of 2.
Accordingly, we reserve an array of TypedArrayPoisonIndexMask poisons so that we
can use index masking on the index, and be guaranteed that the masked index will
be within bounds of the poisons array.
1. Fixed both DFG and FTL versions of compileGetTypedArrayByteOffset() to not
do any unnecessary work if the TypedArray vector is null.
FTL's cagedMayBeNull() is no longer needed because it is only used by
compileGetTypedArrayByteOffset(), and we need to enhance it to handle unpoisoning
in a TypedArray specific way. So, might as well do the work inline in
compileGetTypedArrayByteOffset() instead.
2. Removed an unnecessary null-check in DFGSpeculativeJIT's compileNewTypedArrayWithSize()
because there's already a null check above it that ensures that sizeGPR is
never null.
3. In LLInt's _llint_op_get_by_val, move the TypedArray length check before the
loading of the vector for unpoisoning and uncaging. We don't need the vector
if the length is 0.
Implementation notes on the need to null check the TypeArray vector:
1. DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds() does not need a
m_poisonedVector null check because the function is a null check.
2. DFG::SpeculativeJIT::compileGetIndexedPropertyStorage() does not need a
m_poisonedVector null check because it is followed by a call to
cageTypedArrayStorage() which assumes that storageReg cannot be null.
3. DFG::SpeculativeJIT::compileGetTypedArrayByteOffset() already has a
m_poisonedVector null check.
4. DFG::SpeculativeJIT::compileNewTypedArrayWithSize() does not need a vector null
check because the poisoning code is preceded by a sizeGPR null check, which
ensures that the storageGPR (vector to be poisoned) is not null.
5. FTL's compileGetIndexedPropertyStorage() does not need a m_poisonedVector null
check because it is followed by a call to caged() which assumes that the
vector cannot be null.
6. FTL's compileGetTypedArrayByteOffset() already has a m_poisonedVector null check.
7. FTL's compileNewTypedArray() does not need a vector null check because the
poisoning code is preceded by a size null check, which ensures that the
storage (vector to be poisoned) is not null.
8. FTL's speculateTypedArrayIsNotNeutered() does not need a
m_poisonedVector null check because the function is a null check.
9. IntrinsicGetterAccessCase::emitIntrinsicGetter()'s TypedArrayByteOffsetIntrinsic
case needs a null check so that it does not try to unpoison a null vector.
10. JIT::emitIntTypedArrayGetByVal() does not need a vector null check because
we already do a length check even before loading the vector.
11. JIT::emitFloatTypedArrayGetByVal() does not need a vector null check because
we already do a length check even before loading the vector.
12. JIT::emitIntTypedArrayPutByVal() does not need a vector null check because
we already do a length check even before loading the vector.
13. JIT::emitFloatTypedArrayPutByVal() does not need a vector null check because
we already do a length check even before loading the vector.
14. LLInt's loadTypedArrayCaged() does not need a vector null check because its
client will do a TypedArray length check before calling it.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::checkArray):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasArrayMode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
(JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): Deleted.
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/x86.rb:
* runtime/CagedBarrierPtr.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
(JSC::JSArrayBufferView::finalize):
(JSC::JSArrayBufferView::neuter):
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::vector const):
(JSC::JSArrayBufferView::offsetOfPoisonedVector):
(JSC::JSArrayBufferView::poisonFor):
(JSC::JSArrayBufferView::Poison::key):
(JSC::JSArrayBufferView::offsetOfVector): Deleted.
* runtime/JSCPoison.cpp:
(JSC::initializePoison):
* runtime/JSCPoison.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSObject.h:
2018-01-30 Fujii Hironori <Hironori.Fujii@sony.com>
[Win] Warning fix.
https://bugs.webkit.org/show_bug.cgi?id=177007
Reviewed by Yusuke Suzuki.
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::dump const):
Changed the type of locationRawBits from unsigned to uintptr_t.
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::createNumberFormat):
Initialize 'style' to avoid potentially uninitialized local variable warning.
2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Implement trimStart and trimEnd
https://bugs.webkit.org/show_bug.cgi?id=182233
Reviewed by Mark Lam.
String.prototype.{trimStart,trimEnd} are now stage 3[1].
String.prototype.{trimLeft,trimRight} are alias to these functions.
We rename these functions to trimStart and trimEnd, and put them as
trimLeft and trimRight too.
[1]: https://tc39.github.io/proposal-string-left-right-trim/
* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):
(JSC::trimString):
(JSC::stringProtoFuncTrim):
(JSC::stringProtoFuncTrimStart):
(JSC::stringProtoFuncTrimEnd):
(JSC::stringProtoFuncTrimLeft): Deleted.
(JSC::stringProtoFuncTrimRight): Deleted.
2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Relax line terminators in String to make JSON subset of JS
https://bugs.webkit.org/show_bug.cgi?id=182232
Reviewed by Keith Miller.
"Subsume JSON" spec is now stage 3[1]. Before this spec change,
JSON can accept \u2028 / \u2029 in string while JS cannot do that.
It accidentally made JSON non subset of JS.
Now we extend our JS string to accept \u2028 / \u2029 to make JSON
subset of JS in this spec change.
[1]: https://github.com/tc39/proposal-json-superset
* parser/Lexer.cpp:
(JSC::Lexer<T>::parseStringSlowCase):
2018-01-29 Jiewen Tan <jiewen_tan@apple.com>
[WebAuthN] Add a compile-time feature flag
https://bugs.webkit.org/show_bug.cgi?id=182211
<rdar://problem/36936365>
Reviewed by Brent Fulgham.
* Configurations/FeatureDefines.xcconfig:
2018-01-29 Michael Saboff <msaboff@apple.com>
REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
https://bugs.webkit.org/show_bug.cgi?id=182249
Reviewed by Keith Miller.
Changed clobberize() handling of CompareEq, et al to properly handle comparisons between
Untyped and Object values when compared against built in types. Such comparisons can
invoke toNumber() or other methods.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2018-01-29 Matt Lewis <jlewis3@apple.com>
Unreviewed, rolling out r227725.
This caused internal failures.
Reverted changeset:
"JSC Sampling Profiler: Detect tester and testee when sampling
in RegExp JIT"
https://bugs.webkit.org/show_bug.cgi?id=152729
https://trac.webkit.org/changeset/227725
2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
https://bugs.webkit.org/show_bug.cgi?id=152729
Reviewed by Saam Barati.
This patch extends SamplingProfiler to recognize JIT RegExp execution. We record
executing RegExp in VM so that SamplingProfiler can detect it. This is better
than the previous VM::isExecutingInRegExpJIT flag approach since
1. isExecutingInRegExpJIT is set after starting executing JIT RegExp code. Thus,
if we suspend the thread just before executing this flag, or just after clearing
this flag, SamplingProfiler gets invalid frame, and frame validation fails. We
should set such a flag before and after executing JIT RegExp code.
2. This removes VM dependency from YarrJIT which is not essential one.
We add ExecutionContext enum to RegExp::matchInline not to mark execution if it
is done in non JS thread.
* bytecode/BytecodeDumper.cpp:
(JSC::regexpName):
(JSC::BytecodeDumper<Block>::dumpRegExps):
(JSC::regexpToSourceString): Deleted.
* heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::match):
(JSC::RegExp::matchConcurrently):
(JSC::RegExp::compileMatchOnly):
(JSC::RegExp::toSourceString const):
* runtime/RegExp.h:
* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):
* runtime/RegExpMatchesArray.h:
(JSC::createRegExpMatchesArray):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::SamplingProfiler):
(JSC::SamplingProfiler::timerLoop):
(JSC::SamplingProfiler::takeSample):
(JSC::SamplingProfiler::processUnverifiedStackTraces):
(JSC::SamplingProfiler::StackFrame::nameFromCallee):
(JSC::SamplingProfiler::StackFrame::displayName):
(JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
(JSC::SamplingProfiler::StackFrame::functionStartLine):
(JSC::SamplingProfiler::StackFrame::functionStartColumn):
(JSC::SamplingProfiler::StackFrame::sourceID):
(JSC::SamplingProfiler::StackFrame::url):
(WTF::printInternal):
(JSC::SamplingProfiler::~SamplingProfiler): Deleted.
* runtime/SamplingProfiler.h:
* runtime/VM.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::jitCompile):
* yarr/YarrJIT.h:
2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] WeakMap#set should have DFG node
https://bugs.webkit.org/show_bug.cgi?id=180015
Reviewed by Saam Barati.
This patch adds WeakMapSet and WeakSetAdd DFG nodes to handle them efficiently in DFG and FTL.
We also define CSE rules for them. Now, WeakMapSet and WeakSetAdd can offer the results of
the subsequent WeakMapGet if CSE allows.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addVarArgChild):
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
WeakMap operations do not cause GC.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileWeakSetAdd):
(JSC::DFG::SpeculativeJIT::compileWeakMapSet):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet):
* jit/JITOperations.h:
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/WeakMapPrototype.cpp:
(JSC::WeakMapPrototype::finishCreation):
* runtime/WeakSetPrototype.cpp:
(JSC::WeakSetPrototype::finishCreation):
2018-01-28 Filip Pizlo <fpizlo@apple.com>
LargeAllocation should do the same distancing as MarkedBlock
https://bugs.webkit.org/show_bug.cgi?id=182226
Reviewed by Saam Barati.
This makes LargeAllocation do the same exact distancing that MarkedBlock promises to do.
To make that possible, this patch first makes MarkedBlock know exactly how much distancing it
is doing:
- I've rationalized the payloadSize calculation. In particular, I made MarkedSpace use the
calculation done in MarkedBlock. MarkedSpace used to do the math a different way. This
keeps the old way just for a static_assert.
- The promised amount of distancing is now codified in HeapCell.h as
minimumDistanceBetweenCellsFromDifferentOrigins. We assert that the footer size is at least
as big as this. I didn't want to just use footer size for this constant because then, if
you increased the size of the footer, you'd also add padding to every large allocation.
Then this patch just adds minimumDistanceBetweenCellsFromDifferentOrigins to each large
allocation. It also zeroes that slice of memory to prevent any information leaks that way.
This is perf neutral. Large allocations start out at ~8000 bytes. The amount of padding is
~300 bytes. That's 3.75% space overhead for objects that are ~8000 bytes, zero overhead for
smaller objects, and diminishing overhead for larger objects. We allocate very few large
objects, so we shouldn't have any real space overhead from this.
* heap/HeapCell.h:
* heap/LargeAllocation.cpp:
(JSC::LargeAllocation::tryCreate):
* heap/MarkedBlock.h:
* heap/MarkedSpace.h:
2018-01-27 Filip Pizlo <fpizlo@apple.com>
Make MarkedBlock::Footer bigger
https://bugs.webkit.org/show_bug.cgi?id=182220
Reviewed by JF Bastien.
This makes the block footer larger by moving the newlyAllocated bits from the handle into
the footer.
It used to be profitable to put anything we could into the handle because that would free up
payload space inside the block. But now that we want to use the footer for padding, it's
profitable to put GC state information - especially data that is used by the GC itself and so
is not useful for a Spectre attack - into the footer to increase object distancing.
* heap/CellContainer.cpp:
(JSC::CellContainer::isNewlyAllocated const):
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::sweepToFreeList):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::Handle):
(JSC::MarkedBlock::Footer::Footer):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::lastChanceToFinalize):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::resetAllocated):
(JSC::MarkedBlock::Handle::resetAllocated): Deleted.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::newlyAllocatedVersion const):
(JSC::MarkedBlock::isNewlyAllocated):
(JSC::MarkedBlock::setNewlyAllocated):
(JSC::MarkedBlock::clearNewlyAllocated):
(JSC::MarkedBlock::newlyAllocated const):
(JSC::MarkedBlock::Handle::newlyAllocatedVersion const): Deleted.
(JSC::MarkedBlock::Handle::isNewlyAllocated): Deleted.
(JSC::MarkedBlock::Handle::setNewlyAllocated): Deleted.
(JSC::MarkedBlock::Handle::clearNewlyAllocated): Deleted.
(JSC::MarkedBlock::Handle::newlyAllocated const): Deleted.
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::isNewlyAllocatedStale const):
(JSC::MarkedBlock::hasAnyNewlyAllocated):
(JSC::MarkedBlock::Handle::isLive):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::newlyAllocatedMode):
(JSC::MarkedBlock::Handle::isNewlyAllocatedStale const): Deleted.
(JSC::MarkedBlock::Handle::hasAnyNewlyAllocated): Deleted.
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::endMarking):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::appendJSCellOrAuxiliary):
2018-01-27 Filip Pizlo <fpizlo@apple.com>
MarkedBlock should have a footer instead of a header
https://bugs.webkit.org/show_bug.cgi?id=182217
Reviewed by JF Bastien.
This moves the MarkedBlock's meta-data from the header to the footer. This doesn't really
change anything except for some compile-time constants, so it should not affect performance.
This change is to help protect against Spectre attacks on structure checks, which allow for
small-offset out-of-bounds access. By putting the meta-data at the end of the block, small
OOBs will only get to other objects in the same block or the block footer. The block footer
is not super interesting. So, if we combine this with the TLC change (r227617), this means we
can use blocks as the mechanism of achieving distance between objects from different origins.
We just need to avoid ever putting objects from different origins in the same block. That's
what bug 181636 is about.
* heap/BlockDirectory.cpp:
(JSC::blockHeaderSize): Deleted.
(JSC::BlockDirectory::blockSizeForBytes): Deleted.
* heap/BlockDirectory.h:
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::MarkedBlock):
(JSC::MarkedBlock::~MarkedBlock):
(JSC::MarkedBlock::Footer::Footer):
(JSC::MarkedBlock::Footer::~Footer):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::lastChanceToFinalize):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::resetMarks):
(JSC::MarkedBlock::assertMarksNotStale):
(JSC::MarkedBlock::Handle::didConsumeFreeList):
(JSC::MarkedBlock::markCount):
(JSC::MarkedBlock::clearHasAnyMarked):
(JSC::MarkedBlock::Handle::didAddToDirectory):
(JSC::MarkedBlock::Handle::didRemoveFromDirectory):
(JSC::MarkedBlock::Handle::sweep):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::markingVersion const):
(JSC::MarkedBlock::lock):
(JSC::MarkedBlock::subspace const):
(JSC::MarkedBlock::footer):
(JSC::MarkedBlock::footer const):
(JSC::MarkedBlock::handle):
(JSC::MarkedBlock::handle const):
(JSC::MarkedBlock::Handle::blockFooter):
(JSC::MarkedBlock::isAtomAligned):
(JSC::MarkedBlock::Handle::cellAlign):
(JSC::MarkedBlock::blockFor):
(JSC::MarkedBlock::vm const):
(JSC::MarkedBlock::weakSet):
(JSC::MarkedBlock::cellSize):
(JSC::MarkedBlock::attributes const):
(JSC::MarkedBlock::atomNumber):
(JSC::MarkedBlock::areMarksStale):
(JSC::MarkedBlock::aboutToMark):
(JSC::MarkedBlock::isMarkedRaw):
(JSC::MarkedBlock::isMarked):
(JSC::MarkedBlock::testAndSetMarked):
(JSC::MarkedBlock::marks const):
(JSC::MarkedBlock::isAtom):
(JSC::MarkedBlock::Handle::forEachCell):
(JSC::MarkedBlock::hasAnyMarked const):
(JSC::MarkedBlock::noteMarked):
(WTF::MarkedBlockHash::hash):
(JSC::MarkedBlock::firstAtom): Deleted.
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::marksConveyLivenessDuringMarking):
(JSC::MarkedBlock::Handle::isLive):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::forEachLiveCell):
(JSC::MarkedBlock::Handle::forEachDeadCell):
(JSC::MarkedBlock::Handle::forEachMarkedCell):
* heap/MarkedSpace.cpp:
* heap/MarkedSpace.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2018-01-27 Yusuke Suzuki <utatane.tea@gmail.com>
DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
https://bugs.webkit.org/show_bug.cgi?id=182213
Reviewed by Mark Lam.
toStringWithRadixInternal is originally used for the slow path if the given value is larger than radix or negative.
As a result, it does not accept 0 correctly, and produces an empty string. Since DFGStrengthReductionPhase uses
this function, it accidentally converts NumberToStringWithValidRadixConstant(0, radix) to an empty string.
This patch fixes toStringWithRadixInternal to accept 0. This change fixes twitch.tv's issue.
We also add a careful cast to avoid `-INT32_MIN`. It does not produce incorrect value in x86 in practice,
but it is UB, and a compiler may assume that the given value is never INT32_MIN and could do an incorrect optimization.
* runtime/NumberPrototype.cpp:
(JSC::toStringWithRadixInternal):
2018-01-26 Saam Barati <sbarati@apple.com>
Fix emitAllocateWithNonNullAllocator to work on arm
https://bugs.webkit.org/show_bug.cgi?id=182187
<rdar://problem/36906550>
Reviewed by Filip Pizlo.
This patch unifies the x86 and ARM paths in emitAllocateWithNonNullAllocator
and makes it so that emitAllocateWithNonNullAllocator uses the macro scratch
register on ARM.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2018-01-26 Joseph Pecoraro <pecoraro@apple.com>
Rebaselining builtin generator tests after r227685.
Unreviewed.
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
* Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
It used to be that the builtins generator was minifying by default. That was an accident
and we now only minify on Release builds. The generator tests are now getting the
default unminified output behavior so they need to update their expectations
for some extra whitespace.
2018-01-26 Mark Lam <mark.lam@apple.com>
We should only append ParserArenaDeletable pointers to ParserArena::m_deletableObjects.
https://bugs.webkit.org/show_bug.cgi?id=182180
<rdar://problem/36460697>
Reviewed by Michael Saboff.
Some parser Node subclasses extend ParserArenaDeletable via multiple inheritance,
but not as the Node's first base class. ParserArena::m_deletableObjects is
expecting pointers to objects of the shape of ParserArenaDeletable. We ensure
this by allocating the Node subclass, and casting it to ParserArenaDeletable to
get the correct pointer to append to ParserArena::m_deletableObjects.
To simplify things, we introduce a JSC_MAKE_PARSER_ARENA_DELETABLE_ALLOCATED
(analogous to WTF_MAKE_FAST_ALLOCATED) for use in Node subclasses that extends
ParserArenaDeletable.
* parser/NodeConstructors.h:
(JSC::ParserArenaDeletable::operator new):
* parser/Nodes.h:
* parser/ParserArena.h:
(JSC::ParserArena::allocateDeletable):
2018-01-26 Joseph Pecoraro <pecoraro@apple.com>
JavaScriptCore builtins should be partially minified in Release builds not Debug builds
https://bugs.webkit.org/show_bug.cgi?id=182165
Reviewed by Keith Miller.
* Scripts/builtins/builtins_model.py:
(BuiltinFunction.fromString):
Apply minifications on Release builds instead of Debug builds.
Also eliminate leading whitespace.
2018-01-26 Filip Pizlo <fpizlo@apple.com>
Disable TLS-based TLCs
https://bugs.webkit.org/show_bug.cgi?id=182175
Reviewed by Saam Barati.
Check for the new USE(FAST_TLS_FOR_TLC) flag instead of just ENABLE(FAST_TLS_JIT).
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::~BlockDirectory):
* heap/BlockDirectory.h:
* heap/ThreadLocalCache.cpp:
(JSC::ThreadLocalCache::installSlow):
(JSC::ThreadLocalCache::installData):
* heap/ThreadLocalCache.h:
* heap/ThreadLocalCacheInlines.h:
(JSC::ThreadLocalCache::getImpl):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
* runtime/VM.cpp:
(JSC::VM::~VM):
* runtime/VM.h:
2018-01-25 Yusuke Suzuki <utatane.tea@gmail.com>
imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/errorhandling.html crashes
https://bugs.webkit.org/show_bug.cgi?id=181980
Reviewed by Ryosuke Niwa.
We accidentally failed to propagate errored promise in instantiate and satify phase if entry.{instantiate,satisfy}
promises are set. Since we just returned `entry`, it becomes succeeded promise even if the dependent fetch, instantiate,
and satisfy promises are failed. This patch fixes error propagation by returning `entry.instantiate` and `entry.satisfy`
correctly.
* builtins/ModuleLoaderPrototype.js:
(requestInstantiate):
(requestSatisfy):
2018-01-25 Mark Lam <mark.lam@apple.com>
Gardening: fix 32-bit build after r227643.
https://bugs.webkit.org/show_bug.cgi?id=182086
Not reviewed.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
2018-01-24 Filip Pizlo <fpizlo@apple.com>
DirectArguments should protect itself using dynamic poisoning and precise index masking
https://bugs.webkit.org/show_bug.cgi?id=182086
Reviewed by Saam Barati.
This implements dynamic poisoning and precise index masking in DirectArguments, using the
helpers from <wtf/MathExtras.h> and helpers in AssemblyHelpers and FTL::LowerDFGToB3.
We use dynamic poisoning for DirectArguments since this object did not have any additional
indirection inside it that could have been poisoned. So, we use the xor of the expected type
and the actual type as an additional input into the pointer.
We use precise index masking for bounds checks, because it's not worth doing index masking
unless we know that precise index masking is too slow.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::lshiftPtr):
(JSC::MacroAssembler::rshiftPtr):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
(JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask64):
(JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask32):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitPreciseIndexMask32):
(JSC::AssemblyHelpers::emitDynamicPoison):
(JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
(JSC::AssemblyHelpers::emitDynamicPoisonOnType):
* jit/AssemblyHelpers.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDirectArgumentsGetByVal):
* runtime/DirectArguments.h:
(JSC::DirectArguments::getIndexQuickly const):
(JSC::DirectArguments::setIndexQuickly):
(JSC::DirectArguments::argument):
* runtime/GenericArgumentsInlines.h:
2018-01-25 Mark Lam <mark.lam@apple.com>
Rename some local vars from type to typedArrayType for greater clarity.
https://bugs.webkit.org/show_bug.cgi?id=182148
<rdar://problem/36882310>
Reviewed by Saam Barati.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2018-01-25 Filip Pizlo <fpizlo@apple.com>
JSC GC should support TLCs (thread local caches)
https://bugs.webkit.org/show_bug.cgi?id=181559
Reviewed by Mark Lam and Saam Barati.
This is a big step towards object distancing by site origin. This patch implements TLCs, or
thread-local caches, which allow each thread to allocate from its own free lists. It also
means that any given thread can context-switch TLCs. This will allow us to do separate
allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
will allow us to have a hard distancing constraint between objects from different origins.
In this new design, every "size class" is represented as a BlockDirectory (formerly known as
MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
aligned memory allocator (which roughly represents which cage you came out of), and anyone
using the same allocator can share those blocks - but so long as they are in that
BlockDirectory, they will have the size and type of that directory. Previously, each
BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of
LocalAllocators, each of which has a FreeList.
To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
starts by figuring out what Allocator it wants (often we have this information at JIT time).
Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
offsets as opposed to indices to make it easy to do the math on each allocation (if
LocalAllocator had a weird size then every allocation would have to do an imul).
This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
something there, but it's not significant according to our threshold).
Relanding after fixing ARM64 bug in AssemblyHelpers::emitAllocateWithNonNullAllocator(). That
function needs to be careful to avoid using the scratch register because the FTL will call it
in disallow-scratch-register mode.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* b3/B3LowerToAir.cpp:
* b3/B3PatchpointSpecial.cpp:
(JSC::B3::PatchpointSpecial::admitsStack):
* b3/B3StackmapSpecial.cpp:
(JSC::B3::StackmapSpecial::forEachArgImpl):
(JSC::B3::StackmapSpecial::isArgValidForRep):
* b3/B3StackmapValue.cpp:
(JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
* b3/B3StackmapValue.h:
* b3/B3Validate.cpp:
* b3/B3ValueRep.cpp:
(JSC::B3::ValueRep::addUsedRegistersTo const):
(JSC::B3::ValueRep::dump const):
(WTF::printInternal):
* b3/B3ValueRep.h:
(JSC::B3::ValueRep::ValueRep):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/ObjectAllocationProfile.h:
(JSC::ObjectAllocationProfile::ObjectAllocationProfile):
(JSC::ObjectAllocationProfile::clear):
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
(JSC::DFG::SpeculativeJIT::compileNewObject):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
* heap/Allocator.cpp: Added.
(JSC::Allocator::cellSize const):
* heap/Allocator.h: Added.
(JSC::Allocator::Allocator):
(JSC::Allocator::offset const):
(JSC::Allocator::operator== const):
(JSC::Allocator::operator!= const):
(JSC::Allocator::operator bool const):
* heap/AllocatorInlines.h: Added.
(JSC::Allocator::allocate const):
(JSC::Allocator::tryAllocate const):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::BlockDirectory):
(JSC::BlockDirectory::findBlockForAllocation):
(JSC::BlockDirectory::stopAllocating):
(JSC::BlockDirectory::prepareForAllocation):
(JSC::BlockDirectory::stopAllocatingForGood):
(JSC::BlockDirectory::resumeAllocating):
(JSC::BlockDirectory::endMarking):
(JSC::BlockDirectory::isFreeListedCell):
(JSC::BlockDirectory::didConsumeFreeList): Deleted.
(JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
(JSC::BlockDirectory::allocateIn): Deleted.
(JSC::BlockDirectory::tryAllocateIn): Deleted.
(JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
(JSC::BlockDirectory::allocateSlowCase): Deleted.
* heap/BlockDirectory.h:
(JSC::BlockDirectory::cellKind const):
(JSC::BlockDirectory::allocator const):
(JSC::BlockDirectory::freeList const): Deleted.
(JSC::BlockDirectory::offsetOfFreeList): Deleted.
(JSC::BlockDirectory::offsetOfCellSize): Deleted.
* heap/BlockDirectoryInlines.h:
(JSC::BlockDirectory::isFreeListedCell const): Deleted.
(JSC::BlockDirectory::allocate): Deleted.
* heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::CompleteSubspace):
(JSC::CompleteSubspace::allocatorFor):
(JSC::CompleteSubspace::allocate):
(JSC::CompleteSubspace::allocateNonVirtual):
(JSC::CompleteSubspace::allocatorForSlow):
(JSC::CompleteSubspace::allocateSlow):
(JSC::CompleteSubspace::tryAllocateSlow):
* heap/CompleteSubspace.h:
(JSC::CompleteSubspace::allocatorForSizeStep):
(JSC::CompleteSubspace::allocatorForNonVirtual):
* heap/FreeList.h:
* heap/GCDeferralContext.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):
* heap/Heap.h:
(JSC::Heap::threadLocalCacheLayout):
* heap/IsoCellSet.h:
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::IsoSubspace):
(JSC::IsoSubspace::allocatorFor):
(JSC::IsoSubspace::allocate):
(JSC::IsoSubspace::allocateNonVirtual):
* heap/IsoSubspace.h:
(JSC::IsoSubspace::allocatorForNonVirtual):
* heap/LocalAllocator.cpp: Added.
(JSC::LocalAllocator::LocalAllocator):
(JSC::LocalAllocator::reset):
(JSC::LocalAllocator::~LocalAllocator):
(JSC::LocalAllocator::stopAllocating):
(JSC::LocalAllocator::resumeAllocating):
(JSC::LocalAllocator::prepareForAllocation):
(JSC::LocalAllocator::stopAllocatingForGood):
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::didConsumeFreeList):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
(JSC::LocalAllocator::allocateIn):
(JSC::LocalAllocator::tryAllocateIn):
(JSC::LocalAllocator::doTestCollectionsIfNeeded):
(JSC::LocalAllocator::isFreeListedCell const):
* heap/LocalAllocator.h: Added.
(JSC::LocalAllocator::offsetOfFreeList):
(JSC::LocalAllocator::offsetOfCellSize):
* heap/LocalAllocatorInlines.h: Added.
(JSC::LocalAllocator::allocate):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::stopAllocatingForGood):
* heap/MarkedSpace.h:
* heap/SlotVisitor.cpp:
* heap/SlotVisitor.h:
* heap/Subspace.h:
* heap/ThreadLocalCache.cpp: Added.
(JSC::ThreadLocalCache::create):
(JSC::ThreadLocalCache::ThreadLocalCache):
(JSC::ThreadLocalCache::~ThreadLocalCache):
(JSC::ThreadLocalCache::allocateData):
(JSC::ThreadLocalCache::destroyData):
(JSC::ThreadLocalCache::installSlow):
(JSC::ThreadLocalCache::installData):
(JSC::ThreadLocalCache::allocatorSlow):
(JSC::ThreadLocalCache::destructor):
* heap/ThreadLocalCache.h: Added.
(JSC::ThreadLocalCache::offsetOfSize):
(JSC::ThreadLocalCache::offsetOfFirstAllocator):
* heap/ThreadLocalCacheInlines.h: Added.
(JSC::ThreadLocalCache::getImpl):
(JSC::ThreadLocalCache::get):
(JSC::ThreadLocalCache::install):
(JSC::ThreadLocalCache::allocator):
(JSC::ThreadLocalCache::tryGetAllocator):
* heap/ThreadLocalCacheLayout.cpp: Added.
(JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::allocateOffset):
(JSC::ThreadLocalCacheLayout::snapshot):
(JSC::ThreadLocalCacheLayout::directory):
* heap/ThreadLocalCacheLayout.h: Added.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
(JSC::AssemblyHelpers::emitAllocate):
(JSC::AssemblyHelpers::emitAllocateVariableSized):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::vm):
(JSC::AssemblyHelpers::emitAllocateJSCell):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
(JSC::AssemblyHelpers::emitAllocate): Deleted.
(JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::growArrayRight):
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::overrideThings):
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
* runtime/HashMapImpl.h:
(JSC::HashMapBuffer::create):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::unshiftCountSlowCase):
* runtime/JSArray.h:
(JSC::JSArray::tryCreate):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSCellInlines.h:
(JSC::tryAllocateCellHelper):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::threadLocalCache const):
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
* runtime/Options.h:
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
2018-01-25 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r227592.
https://bugs.webkit.org/show_bug.cgi?id=182110
it made ARM64 (Linux and iOS) crash (Requested by pizlo-mbp on
#webkit).
Reverted changeset:
"JSC GC should support TLCs (thread local caches)"
https://bugs.webkit.org/show_bug.cgi?id=181559
https://trac.webkit.org/changeset/227592
2018-01-25 Alejandro G. Castro <alex@igalia.com>
undefined reference to 'JSC::B3::BasicBlock::fallThrough() const
https://bugs.webkit.org/show_bug.cgi?id=180637
Reviewed by Michael Catanzaro.
We need to make sure the implementation of the inline functions is
compiled when we compile the code using the function, now that the
compilation is divided, or we could end up with undefined symbols
when the declaration is not inlined, at least with some compilers
and optimizations enabled -O2.
* b3/B3SwitchValue.cpp: replace the include.
2018-01-20 Filip Pizlo <fpizlo@apple.com>
JSC GC should support TLCs (thread local caches)
https://bugs.webkit.org/show_bug.cgi?id=181559
Reviewed by Mark Lam and Saam Barati.
This is a big step towards object distancing by site origin. This patch implements TLCs, or
thread-local caches, which allow each thread to allocate from its own free lists. It also
means that any given thread can context-switch TLCs. This will allow us to do separate
allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
will allow us to have a hard distancing constraint between objects from different origins.
In this new design, every "size class" is represented as a BlockDirectory (formerly known as
MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
aligned memory allocator (which roughly represents which cage you came out of), and anyone
using the same allocator can share those blocks - but so long as they are in that
BlockDirectory, they will have the size and type of that directory. Previously, each
BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of
LocalAllocators, each of which has a FreeList.
To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
starts by figuring out what Allocator it wants (often we have this information at JIT time).
Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
offsets as opposed to indices to make it easy to do the math on each allocation (if
LocalAllocator had a weird size then every allocation would have to do an imul).
This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
something there, but it's not significant according to our threshold).
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* b3/B3LowerToAir.cpp:
* b3/B3PatchpointSpecial.cpp:
(JSC::B3::PatchpointSpecial::admitsStack):
* b3/B3StackmapSpecial.cpp:
(JSC::B3::StackmapSpecial::forEachArgImpl):
(JSC::B3::StackmapSpecial::isArgValidForRep):
* b3/B3StackmapValue.cpp:
(JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
* b3/B3StackmapValue.h:
* b3/B3Validate.cpp:
* b3/B3ValueRep.cpp:
(JSC::B3::ValueRep::addUsedRegistersTo const):
(JSC::B3::ValueRep::dump const):
(WTF::printInternal):
* b3/B3ValueRep.h:
(JSC::B3::ValueRep::ValueRep):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/ObjectAllocationProfile.h:
(JSC::ObjectAllocationProfile::ObjectAllocationProfile):
(JSC::ObjectAllocationProfile::clear):
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
(JSC::DFG::SpeculativeJIT::compileNewObject):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
* heap/Allocator.cpp: Added.
(JSC::Allocator::cellSize const):
* heap/Allocator.h: Added.
(JSC::Allocator::Allocator):
(JSC::Allocator::offset const):
(JSC::Allocator::operator== const):
(JSC::Allocator::operator!= const):
(JSC::Allocator::operator bool const):
* heap/AllocatorInlines.h: Added.
(JSC::Allocator::allocate const):
(JSC::Allocator::tryAllocate const):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::BlockDirectory):
(JSC::BlockDirectory::findBlockForAllocation):
(JSC::BlockDirectory::stopAllocating):
(JSC::BlockDirectory::prepareForAllocation):
(JSC::BlockDirectory::stopAllocatingForGood):
(JSC::BlockDirectory::resumeAllocating):
(JSC::BlockDirectory::endMarking):
(JSC::BlockDirectory::isFreeListedCell):
(JSC::BlockDirectory::didConsumeFreeList): Deleted.
(JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
(JSC::BlockDirectory::allocateIn): Deleted.
(JSC::BlockDirectory::tryAllocateIn): Deleted.
(JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
(JSC::BlockDirectory::allocateSlowCase): Deleted.
* heap/BlockDirectory.h:
(JSC::BlockDirectory::cellKind const):
(JSC::BlockDirectory::allocator const):
(JSC::BlockDirectory::freeList const): Deleted.
(JSC::BlockDirectory::offsetOfFreeList): Deleted.
(JSC::BlockDirectory::offsetOfCellSize): Deleted.
* heap/BlockDirectoryInlines.h:
(JSC::BlockDirectory::isFreeListedCell const): Deleted.
(JSC::BlockDirectory::allocate): Deleted.
* heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::CompleteSubspace):
(JSC::CompleteSubspace::allocatorFor):
(JSC::CompleteSubspace::allocate):
(JSC::CompleteSubspace::allocateNonVirtual):
(JSC::CompleteSubspace::allocatorForSlow):
(JSC::CompleteSubspace::allocateSlow):
(JSC::CompleteSubspace::tryAllocateSlow):
* heap/CompleteSubspace.h:
(JSC::CompleteSubspace::allocatorForSizeStep):
(JSC::CompleteSubspace::allocatorForNonVirtual):
* heap/FreeList.h:
* heap/GCDeferralContext.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):
* heap/Heap.h:
(JSC::Heap::threadLocalCacheLayout):
* heap/IsoCellSet.h:
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::IsoSubspace):
(JSC::IsoSubspace::allocatorFor):
(JSC::IsoSubspace::allocate):
(JSC::IsoSubspace::allocateNonVirtual):
* heap/IsoSubspace.h:
(JSC::IsoSubspace::allocatorForNonVirtual):
* heap/LocalAllocator.cpp: Added.
(JSC::LocalAllocator::LocalAllocator):
(JSC::LocalAllocator::reset):
(JSC::LocalAllocator::~LocalAllocator):
(JSC::LocalAllocator::stopAllocating):
(JSC::LocalAllocator::resumeAllocating):
(JSC::LocalAllocator::prepareForAllocation):
(JSC::LocalAllocator::stopAllocatingForGood):
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::didConsumeFreeList):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
(JSC::LocalAllocator::allocateIn):
(JSC::LocalAllocator::tryAllocateIn):
(JSC::LocalAllocator::doTestCollectionsIfNeeded):
(JSC::LocalAllocator::isFreeListedCell const):
* heap/LocalAllocator.h: Added.
(JSC::LocalAllocator::offsetOfFreeList):
(JSC::LocalAllocator::offsetOfCellSize):
* heap/LocalAllocatorInlines.h: Added.
(JSC::LocalAllocator::allocate):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::stopAllocatingForGood):
* heap/MarkedSpace.h:
* heap/SlotVisitor.cpp:
* heap/SlotVisitor.h:
* heap/Subspace.h:
* heap/ThreadLocalCache.cpp: Added.
(JSC::ThreadLocalCache::create):
(JSC::ThreadLocalCache::ThreadLocalCache):
(JSC::ThreadLocalCache::~ThreadLocalCache):
(JSC::ThreadLocalCache::allocateData):
(JSC::ThreadLocalCache::destroyData):
(JSC::ThreadLocalCache::installSlow):
(JSC::ThreadLocalCache::installData):
(JSC::ThreadLocalCache::allocatorSlow):
(JSC::ThreadLocalCache::destructor):
* heap/ThreadLocalCache.h: Added.
(JSC::ThreadLocalCache::offsetOfSize):
(JSC::ThreadLocalCache::offsetOfFirstAllocator):
* heap/ThreadLocalCacheInlines.h: Added.
(JSC::ThreadLocalCache::getImpl):
(JSC::ThreadLocalCache::get):
(JSC::ThreadLocalCache::install):
(JSC::ThreadLocalCache::allocator):
(JSC::ThreadLocalCache::tryGetAllocator):
* heap/ThreadLocalCacheLayout.cpp: Added.
(JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::allocateOffset):
(JSC::ThreadLocalCacheLayout::snapshot):
(JSC::ThreadLocalCacheLayout::directory):
* heap/ThreadLocalCacheLayout.h: Added.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
(JSC::AssemblyHelpers::emitAllocate):
(JSC::AssemblyHelpers::emitAllocateVariableSized):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::vm):
(JSC::AssemblyHelpers::emitAllocateJSCell):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
(JSC::AssemblyHelpers::emitAllocate): Deleted.
(JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::growArrayRight):
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::overrideThings):
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
* runtime/HashMapImpl.h:
(JSC::HashMapBuffer::create):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::unshiftCountSlowCase):
* runtime/JSArray.h:
(JSC::JSArray::tryCreate):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSCellInlines.h:
(JSC::tryAllocateCellHelper):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::threadLocalCache const):
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
* runtime/Options.h:
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
2018-01-24 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Simplify update-LegacyInspectorBackendCommands.rb
https://bugs.webkit.org/show_bug.cgi?id=182067
Reviewed by Brian Burg.
* inspector/scripts/codegen/models.py:
(Framework.fromString):
(Frameworks):
* inspector/scripts/generate-inspector-protocol-bindings.py:
(generate_from_specification):
Allow framework WebInspectorUI to generate just the backend commands files.
2018-01-23 Mark Lam <mark.lam@apple.com>
Update Poisoned pointers to take a Poison class instead of a uintptr_t&.
https://bugs.webkit.org/show_bug.cgi?id=182017
<rdar://problem/36795513>
Reviewed by Filip Pizlo and JF Bastien.
Removed the POISON() macro. Now that we have Poison types, we can just use the
the Poison type instead and make the code a bit nicer to read.
* API/JSAPIWrapperObject.h:
* API/JSCallbackFunction.h:
* API/JSCallbackObject.h:
* b3/B3LowerMacros.cpp:
* b3/testb3.cpp:
(JSC::B3::testInterpreter):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::instructions):
(JSC::CodeBlock::instructions const):
* dfg/DFGOSRExitCompilerCommon.h:
(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
* jit/JIT.h:
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* parser/UnlinkedSourceCode.h:
* runtime/ArrayPrototype.h:
* runtime/CustomGetterSetter.h:
* runtime/DateInstance.h:
* runtime/InternalFunction.h:
* runtime/JSArrayBuffer.h:
* runtime/JSCPoison.cpp:
(JSC::initializePoison):
* runtime/JSCPoison.h:
* runtime/JSGlobalObject.h:
* runtime/JSScriptFetchParameters.h:
* runtime/JSScriptFetcher.h:
* runtime/NativeExecutable.h:
* runtime/StructureTransitionTable.h:
* runtime/WriteBarrier.h:
(JSC::WriteBarrier::poison): Deleted.
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/JSWebAssemblyCodeBlock.cpp:
(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::poison):
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunctionBase.h:
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyToJSCallee.h:
* wasm/js/WebAssemblyWrapperFunction.h:
2018-01-23 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, suppress GCC warnings
https://bugs.webkit.org/show_bug.cgi?id=181976
* runtime/TypedArrayType.h:
2018-01-23 Yusuke Suzuki <utatane.tea@gmail.com>
[YARR] Add diagnosis for YarrJIT failures
https://bugs.webkit.org/show_bug.cgi?id=181927
Reviewed by Sam Weinig.
It is nice if we can see the reason why YarrJIT fails to compile a given pattern.
This patch introduces Yarr::JITFailureReason and dumps messages if Options::dumpCompiledRegExpPatterns is specified.
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateTerm):
(JSC::Yarr::YarrGenerator::backtrackTerm):
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::YarrGenerator::compile):
(JSC::Yarr::dumpCompileFailure):
(JSC::Yarr::jitCompile):
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::setFallBack):
(JSC::Yarr::YarrCodeBlock::fallBack):
(JSC::Yarr::YarrCodeBlock::clear):
(JSC::Yarr::YarrCodeBlock::YarrCodeBlock): Deleted.
(JSC::Yarr::YarrCodeBlock::~YarrCodeBlock): Deleted.
(JSC::Yarr::YarrCodeBlock::isFallBack): Deleted.
2018-01-23 Alex Christensen <achristensen@webkit.org>
Remove pre-Sierra-OS-specific code in WTF and JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=182028
Reviewed by Keith Miller.
* inspector/remote/cocoa/RemoteInspectorXPCConnection.h:
* inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
(Inspector::RemoteInspectorXPCConnection::handleEvent):
2018-01-23 Filip Pizlo <fpizlo@apple.com>
Use precise index masking for FTL GetByArgumentByVal
https://bugs.webkit.org/show_bug.cgi?id=182006
Reviewed by Keith Miller.
This protects speculative out-of-bounds on arguments[index].
Making this work right involved fixing a possible overflow situation with
numberOfArgumentsToSkip.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasNumberOfArgumentsToSkip):
(JSC::DFG::Node::numberOfArgumentsToSkip):
* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2018-01-23 David Kilzer <ddkilzer@apple.com>
Follow-up for: oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
<https://webkit.org/b/181871>
<rdar://problem/36669691>
Address feedback for this change.
* CMakeLists.txt: Change "SYSTEM PUBLIC" to "SYSTEM PRIVATE" per
feedback from Konstantin Tokarev.
2018-01-23 Robin Morisset <rmorisset@apple.com>
Rollout r219636
https://bugs.webkit.org/show_bug.cgi?id=181997
<rdar://problem/35883022>
Unreviewed, as it is a rollout.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
* runtime/JSArray.h:
(JSC::JSArray::tryCreate):
* runtime/JSObject.cpp:
(JSC::JSObject::ensureLengthSlow):
2018-01-23 Mark Lam <mark.lam@apple.com>
Re-arrange TypedArray JSTypes to match the order of the TypedArrayType enum list.
https://bugs.webkit.org/show_bug.cgi?id=181976
<rdar://problem/36766936>
Reviewed by Filip Pizlo.
1. The order of TypedArray JSTypes now matches the order the TypedArrayType enum
list. I also added static asserts in TypedArrayType.h to enforce this.
Also redefined FOR_EACH_TYPED_ARRAY_TYPE() in terms of
2. Define 4 new values:
a. FirstTypedArrayType
b. LastTypedArrayType
c. NumberOfTypedArrayTypesExcludingDataView
d. NumberOfTypedArrayTypes
Use these everywhere where we iterate or bisect the TypedArray JSTypes.
3. Removed NUMBER_OF_TYPED_ARRAY_TYPES, and use NumberOfTypedArrayTypes instead.
4. Simplify the code that converts between TypedArrayType and JSType.
Changed typedArrayTypeForType() to be the mirror image of typeForTypedArrayType().
Previously, typedArrayTypeForType() converts DataViewType to NotTypedArray
instead of TypeDataView. Now, it converts to TypeDataView.
This does not result in any change of behavior because typedArrayTypeForType()
is only called in Structure::hasIndexingHeader(), and its result is passed to
isTypedView(), which handles TypeDataView correctly.
5. Also fixed a bug in SpeculativeJIT::compileGetTypedArrayByteOffset().
If the vector is null, we can skip the rest of the checks. While the current
code does not result in incorrect behavior, it is inefficient, and communicates
wrong information to the reader i.e. implying that there's something in the
dataGPR when there's not. The dataGPR should also be null in this case.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView):
* ftl/FTLOSRExit.cpp:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::visitChildren):
* runtime/JSType.h:
* runtime/TypedArrayType.cpp:
(JSC::typeForTypedArrayType): Deleted.
* runtime/TypedArrayType.h:
(JSC::typedArrayTypeForType):
(JSC::typeForTypedArrayType):
2018-01-23 Filip Pizlo <fpizlo@apple.com>
DFG should always flush `this`
https://bugs.webkit.org/show_bug.cgi?id=181999
Reviewed by Saam Barati and Mark Lam.
This is going to make it possible to use precise index masking for arguments-on-the-stack
accesses with an index adjusted so that 0 is this. Without this change, we would have no way
of masking when the argument count is 0, unless we padded the argument area so that there was
always an argument slot after `this` and it was always initialized.
This is neutral on all benchmarks.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushImpl):
(JSC::DFG::ByteCodeParser::flushForTerminalImpl):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::parse):
(JSC::DFG::flushImpl): Deleted.
(JSC::DFG::flushForTerminalImpl): Deleted.
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2018-01-23 Filip Pizlo <fpizlo@apple.com>
JSC should use a speculation fence on VM entry/exit
https://bugs.webkit.org/show_bug.cgi?id=181991
Reviewed by JF Bastien and Mark Lam.
This adds a WTF::speculationFence on VM entry and exit.
For a microbenchmark that just calls a native function (supplied via an Objective-C block) in a
tight loop from JS is a 0% regression on x86 and a 11% regression on ARM64.
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
(JSC::JSLock::willReleaseLock):
2018-01-23 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] JIT requires sizeof(bool) == 1
https://bugs.webkit.org/show_bug.cgi?id=181150
Reviewed by Saam Barati.
LLInt and JIT assumes that sizeof(bool) == 1. But it is implementation-dependent in C++ spec.
Since this is a mandatory requirement in JSC, we add a static_assert to ensure this.
* runtime/InitializeThreading.cpp:
2018-01-23 Robin Morisset <rmorisset@apple.com>
Update the argument count in DFGByteCodeParser::handleRecursiveCall
https://bugs.webkit.org/show_bug.cgi?id=181739
<rdar://problem/36627662>
Reviewed by Saam Barati.
When calling a function, its number of arguments is set on the stack. When we turn a recursive tail call
into a jump, we should update that stack slot as there is no guarantee that the function was originally
called with the same number of arguments. Forgetting to do this is observable through 'arguments.length'.
It required adding a new DFG node: 'SetArgumentCountIncludingThis', that takes an unsigned int
as its first OpInfo field, and stores it to the stack at the right place.
We must be a bit careful in where we put this new node, as it ClobbersExit.
We must also fix DFGArgumentsEliminationPhase and DFGPutStackSinkingPhase as they assumed that any node that writes to the stack must write to either an argument or a local.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::argumentCountIncludingThis):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGPutStackSinkingPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis):
2018-01-22 Michael Saboff <msaboff@apple.com>
DFG abstract interpreter needs to properly model effects of some Math ops
https://bugs.webkit.org/show_bug.cgi?id=181886
Reviewed by Saam Barati.
Reviewed the processing of the various ArithXXX and CompareXXX and found that
several nodes don't handle UntypedUse. Added clobberWorld() for those cases.
* dfg/DFGAbstractInterpreter.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
2018-01-21 Wenson Hsieh <wenson_hsieh@apple.com>
Add a new feature flag for EXTRA_ZOOM_MODE and reintroduce AdditionalFeatureDefines.h
https://bugs.webkit.org/show_bug.cgi?id=181918
Reviewed by Tim Horton.
Add EXTRA_ZOOM_MODE to FeatureDefines.xconfig (off by default).
* Configurations/FeatureDefines.xcconfig:
2018-01-20 Caio Lima <ticaiolima@gmail.com>
[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
https://bugs.webkit.org/show_bug.cgi?id=181182
Reviewed by Darin Adler.
Casting double to integer is undefined behavior when the truncation
results into a value that doesn't fit into integer size,
according C++ spec[1]. Thus, we are changing bigIntProtoFuncToString and
numberProtoFuncToString to remove these source of undefined
behavior.
[1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
* runtime/BigIntPrototype.cpp:
(JSC::bigIntProtoFuncToString):
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncToString):
(JSC::extractToStringRadixArgument):
(JSC::extractRadixFromArgs): Deleted.
* runtime/NumberPrototype.h:
2018-01-19 Saam Barati <sbarati@apple.com>
Kill ArithNegate's ArithProfile assert inside BytecodeParser
https://bugs.webkit.org/show_bug.cgi?id=181877
<rdar://problem/36630552>
Reviewed by Mark Lam.
Before this patch, we used to assert that op_negate's result ArithProfile
only produces number. It's logically true that negate only produces a number.
However, the DFG may incorrectly pick this ArithProfile when doing OSR exit
profiling. So we'll end up profiling something that's likely the input to
negate. This patch removes the assert. We cede to the fact that Graph::methodOfGettingAValueProfileFor
is entirely heuristic based, potentially leading to profiling results being imprecise.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
2018-01-19 David Kilzer <ddkilzer@apple.com>
oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
<https://webkit.org/b/181871>
Rubber-stamped by JF Bastien.
* CMakeLists.txt: Add ICU header search path to
LLIntOffsetsExtractor target by reusing
JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES.
2018-01-19 Saam Barati <sbarati@apple.com>
Spread's effects are modeled incorrectly both in AI and in Clobberize
https://bugs.webkit.org/show_bug.cgi?id=181867
<rdar://problem/36290415>
Reviewed by Michael Saboff.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2018-01-19 Keith Miller <keith_miller@apple.com>
HaveInternalSDK includes should be "#include?"
https://bugs.webkit.org/show_bug.cgi?id=179670
Reviewed by Dan Bernstein.
* Configurations/Base.xcconfig:
2018-01-18 JF Bastien <jfbastien@apple.com>
Set the minimum executable allocator size properly
https://bugs.webkit.org/show_bug.cgi?id=181816
<rdar://problem/36635533>
Reviewed by Saam Barati.
Executable allocator expects at least two page size's worth of
allocation in certain conditions, and that causes some tests to
now fail because they ask for less. Set that minimum correctly. We
were already rounding up to a page size, so having a minimum of 2
page sizes is fine.
* jit/ExecutableAllocator.cpp:
(JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2018-01-18 Michael Saboff <msaboff@apple.com>
Unreviewed build fix for Windows
* interpreter/FrameTracers.h:
(JSC::assertStackPointerIsAligned): Can't use gcc style inlined assembly
on Windows.
2018-01-18 Mark Lam <mark.lam@apple.com>
Poisons should be initialized after Options are initialized.
https://bugs.webkit.org/show_bug.cgi?id=181807
<rdar://problem/36629138>
Reviewed by Keith Miller.
This is because poison initialization may depend on options.
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
2018-01-18 Dan Bernstein <mitz@apple.com>
[Xcode] Streamline and future-proof target-macOS-version-dependent build setting definitions
https://bugs.webkit.org/show_bug.cgi?id=181803
Reviewed by Tim Horton.
* Configurations/Base.xcconfig: Updated.
* Configurations/DebugRelease.xcconfig: Ditto.
* Configurations/FeatureDefines.xcconfig: Adopted macOSTargetConditionals helpers.
* Configurations/Version.xcconfig: Updated.
* Configurations/macOSTargetConditionals.xcconfig: Added. Defines helper build settings
useful for defining settings that depend on the target macOS version.
2018-01-18 Michael Saboff <msaboff@apple.com>
REGRESSION (r226068): [X86] Crash in JavaScriptCore ShadowChicken when handling exceptions
https://bugs.webkit.org/show_bug.cgi?id=181802
Reviewed by Filip Pizlo.
There where a few places where the stack isn't properly aligned for X86 when we call into C++ code.
Two places are where we call into exception handling code, the LLInt and from nativeForGenerator.
The other place was when we call into the operationOSRWriteBarrier().
Added an assert check that the stack is aligned on X86 platforms in the native call tracing code.
This helped find the other cases beyond the original problem.
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::osrWriteBarrier):
* interpreter/FrameTracers.h:
(JSC::assertStackPointerIsAligned):
(JSC::NativeCallFrameTracer::NativeCallFrameTracer):
(JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
* llint/LowLevelInterpreter32_64.asm:
2018-01-18 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r227096.
https://bugs.webkit.org/show_bug.cgi?id=181788
"it caused a 15% octane regression" (Requested by saamyjoon on
#webkit).
Reverted changeset:
"Support MultiGetByOffset in the DFG"
https://bugs.webkit.org/show_bug.cgi?id=181466
https://trac.webkit.org/changeset/227096
2018-01-17 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
https://bugs.webkit.org/show_bug.cgi?id=181535
Reviewed by Saam Barati.
When executing the code like `string.match(/regexp/)`, `/regexp/` object is created every time we execute this code.
However, user rarely cares about this `/regexp/` object. Typically, it is soon discarded even if it has `lastIndex`
information. So we should not create RegExpObject for this typical case.
This patch introduces PhantomNewRegexp. We convert NewRegexp node to PhantomNewRegexp in Object Allocation Sinking (OAS)
phase. We should do this analysis in OAS phase since we track modifications to `lastIndex` in the OAS phase. Even if
`lastIndex` is modified, it may not be read by users. So we have a chance to drop this NewRegexp beacause we carefully model
SetRegExpObjectLastIndex and GetRegExpObjectLastIndex in OAS phase.
This patch is a first attempt to drop NewRegexp. So we start optimizing it with the simple step: we first drop RegExp with
non-global and non-sticky one. We can later extend this optimization for RegExp with global flag. But this is not included
in this patch.
We convert RegExpExec to RegExpExecNonGlobalOrSticky if we find that the given RegExpObject's RegExp is not global/sticky
flagged. Since we do not need to touch `lastIndex` property in this case, RegExpExecNonGlobalOrSticky just takes RegExp
instead of RegExpObject. This offers the chance to make NewRegExp unused.
We also convert RegExpMatchFast to RegExpExecNonGlobalOrSticky if its RegExpObject's RegExp is non-global and non-sticky,
since they are the same behavior.
The above optimization completely removes NewRegexp in SixSpeed's regexp-u.{es5,es6}. The resulted execution time is
somewhat pure execution time of our Yarr implementation.
baseline patched
regex-u.es5 34.8557+-0.5963 ^ 6.1507+-0.5526 ^ definitely 5.6670x faster
regex-u.es6 89.1919+-3.3851 ^ 32.0917+-0.4260 ^ definitely 2.7793x faster
This patch does not change Octane/RegExp so much since it heavily uses String.prototype.replace, which is not handled in
this patch right now. We should support StringReplace node in subsequent patches.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToPhantomNewRegexp):
(JSC::DFG::Node::convertToSetRegExpObjectLastIndex):
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
(JSC::DFG::Node::isPhantomAllocation):
(JSC::DFG::Node::hasIgnoreLastIndexIsWritable):
(JSC::DFG::Node::ignoreLastIndexIsWritable):
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGPromotedHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGPromotedHeapLocation.h:
(JSC::DFG::PromotedLocationDescriptor::neededForMaterialization const):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewRegexp):
(JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
(JSC::DFG::SpeculativeJIT::compileRegExpExecNonGlobalOrSticky):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGValidate.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky):
(JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
(JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationPopulateObjectInOSR):
(JSC::FTL::operationMaterializeObjectInOSR):
* jit/JITOperations.h:
* runtime/RegExpObject.h:
(JSC::RegExpObject::create):
2018-01-17 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Remove unused helper functions to convert node to PutHint
https://bugs.webkit.org/show_bug.cgi?id=181775
Reviewed by Saam Barati.
We are using PromotedHeapLocation::createHint. So they are not necessary.
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToPutHint): Deleted.
(JSC::DFG::Node::convertToPutStructureHint): Deleted.
(JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
(JSC::DFG::Node::convertToPutClosureVarHint): Deleted.
* dfg/DFGNode.h:
2018-01-17 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, suppress warnings on GCC
Since `length` and `p` are always positive or zero,
static_cast<unsigned>() does what we want.
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::parseInt):
2018-01-17 Saam Barati <sbarati@apple.com>
Disable Atomics when SharedArrayBuffer isn’t enabled
https://bugs.webkit.org/show_bug.cgi?id=181572
<rdar://problem/36553206>
Reviewed by Michael Saboff.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::createAtomicsProperty): Deleted.
2018-01-17 Saam Barati <sbarati@apple.com>
Support MultiGetByOffset in the DFG
https://bugs.webkit.org/show_bug.cgi?id=181466
Reviewed by Keith Miller.
This seems to benefit Speedometer in my local testing. It seems like this
might be around a 0.5% improvement.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::supportsMultiGetByOffset):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2018-01-17 Saam Barati <sbarati@apple.com>
DFG::Node::convertToConstant needs to clear the varargs flags
https://bugs.webkit.org/show_bug.cgi?id=181697
<rdar://problem/36497332>
Reviewed by Yusuke Suzuki.
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToConstant):
2018-01-16 JF Bastien <jfbastien@apple.com>
Allow dangerous disabling of poison
https://bugs.webkit.org/show_bug.cgi?id=181685
<rdar://problem/36546265>
Reviewed by Keith Miller.
Some tools such as leak detectors and such like to look at real
pointers, and poisoned ones confuse them. Add a JSC option to
disable poisoning, but log to the console when this is done.
* runtime/JSCPoison.cpp:
(JSC::initializePoison):
* runtime/Options.h:
2018-01-16 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r226937.
Tests added with this change are failing due to a missing
exception check.
Reverted changeset:
"[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
double to int32_t"
https://bugs.webkit.org/show_bug.cgi?id=181182
https://trac.webkit.org/changeset/226937
2018-01-16 Michael Catanzaro <mcatanzaro@igalia.com>
Test programs should only be built in developer mode
https://bugs.webkit.org/show_bug.cgi?id=181653
Reviewed by Carlos Garcia Campos.
Build test programs only in developer mode, and fix code style.
* shell/CMakeLists.txt:
2018-01-15 Michael Catanzaro <mcatanzaro@igalia.com>
Improve use of ExportMacros
https://bugs.webkit.org/show_bug.cgi?id=181652
Reviewed by Konstantin Tokarev.
* API/JSBase.h: Update a comment.
* inspector/InspectorBackendDispatcher.h: Use a better, yet equivalent, WTF macro.
* runtime/JSExportMacros.h: Simplify the #defines in this file.
2018-01-15 JF Bastien <jfbastien@apple.com>
Remove makePoisonedUnique
https://bugs.webkit.org/show_bug.cgi?id=181630
<rdar://problem/36498623>
Reviewed by Mark Lam.
I added a conversion from std::unique_ptr, so we can just use
std::make_unique and it'll auto-poison when converted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::makePoisonedUnique): Deleted.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::makePoisonedUnique): Deleted.
2018-01-15 Michael Catanzaro <mcatanzaro@igalia.com>
REGRESSION(r226266): [GTK] RELEASE_ASSERT(reservedZoneSize >= minimumReservedZoneSize) in JSC::VM::updateStackLimits
https://bugs.webkit.org/show_bug.cgi?id=181438
<rdar://problem/36376724>
Reviewed by Carlos Garcia Campos.
Roll out the functional changes of r226266. We'll keep the minor CMake library type setting
cleanup, but we have to switch back to building JSC only as a shared library, and we have to
get rid of the version script.
* PlatformGTK.cmake:
* javascriptcoregtk-symbols.map: Removed.
2018-01-14 Saam Barati <sbarati@apple.com>
Unreviewed. r226928 broke the CLOOP build. This patch fixes the CLOOP build.
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromLLInt):
(JSC::CallLinkStatus::computeExitSiteData):
2018-01-13 Mark Lam <mark.lam@apple.com>
Replace all use of ConstExprPoisoned with Poisoned.
https://bugs.webkit.org/show_bug.cgi?id=181542
<rdar://problem/36442138>
Reviewed by JF Bastien.
1. All JSC poisons are now defined in JSCPoison.h.
2. Change all clients to use the new poison values via the POISON() macro.
3. The LLInt code has been updated to handle CodeBlock poison. Some of this code
uses the t5 temp register, which is not available on the Windows port.
Fortunately, we don't currently do poisoning on the Windows port yet. So,
it will just work for now.
When poisoning is enabled for the Windows port, this LLInt code will need a
Windows specific implementation to workaround its lack of a t5 register.
* API/JSAPIWrapperObject.h:
* API/JSCallbackFunction.h:
* API/JSCallbackObject.h:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::emptyValue):
(JSC::MacroAssemblerCodePtr::deletedValue):
* b3/B3LowerMacros.cpp:
* b3/testb3.cpp:
(JSC::B3::testInterpreter):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::instructions):
(JSC::CodeBlock::instructions const):
(JSC::CodeBlock::makePoisonedUnique):
* dfg/DFGOSRExitCompilerCommon.h:
(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
* jit/JIT.h:
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* parser/UnlinkedSourceCode.h:
* runtime/ArrayPrototype.h:
* runtime/CustomGetterSetter.h:
* runtime/DateInstance.h:
* runtime/InternalFunction.h:
* runtime/JSArrayBuffer.h:
* runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
(JSC::initializePoison):
* runtime/JSCPoison.h:
(): Deleted.
* runtime/JSCPoisonedPtr.cpp: Removed.
* runtime/JSCPoisonedPtr.h: Removed.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::makePoisonedUnique):
* runtime/JSScriptFetchParameters.h:
* runtime/JSScriptFetcher.h:
* runtime/NativeExecutable.h:
* runtime/StructureTransitionTable.h:
(JSC::StructureTransitionTable::map const):
(JSC::StructureTransitionTable::weakImpl const):
* runtime/WriteBarrier.h:
(JSC::WriteBarrier::poison):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/JSWebAssemblyCodeBlock.cpp:
(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.h:
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunctionBase.h:
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyToJSCallee.h:
* wasm/js/WebAssemblyWrapperFunction.h:
2018-01-13 Caio Lima <ticaiolima@gmail.com>
[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
https://bugs.webkit.org/show_bug.cgi?id=181182
Reviewed by Darin Adler.
Casting double to integer is undefined behavior when the truncation
results into a value that doesn't fit into integer size, according C++
spec[1]. Thus, we are changing bigIntProtoFuncToString and
numberProtoFuncToString to remove these source of undefined behavior.
[1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
* runtime/BigIntPrototype.cpp:
(JSC::bigIntProtoFuncToString):
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncToString):
(JSC::extractRadixFromArgs): Deleted.
(JSC::extractToStringRadixArgument): Added.
2018-01-12 Saam Barati <sbarati@apple.com>
Move ExitProfile to UnlinkedCodeBlock so it can be shared amongst CodeBlocks backed by the same UnlinkedCodeBlock
https://bugs.webkit.org/show_bug.cgi?id=181545
Reviewed by Michael Saboff.
This patch follows the theme of putting optimization profiling information on
UnlinkedCodeBlock. This allows the unlinked code cache to remember OSR exit data.
This often leads to the first compile of a CodeBlock, backed by an UnlinkedCodeBlock
pulled from the code cache, making better compilation decisions, usually
resulting in fewer exits, and fewer recompilations.
This is a 1% Speedometer progression in my testing.
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<CodeBlock>::dumpProfilesForBytecodeOffset):
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromLLInt):
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeExitSiteData):
(JSC::CallLinkStatus::computeDFGStatuses):
* bytecode/CallLinkStatus.h:
* bytecode/CodeBlock.h:
(JSC::CodeBlock::addFrequentExitSite): Deleted.
(JSC::CodeBlock::hasExitSite const): Deleted.
(JSC::CodeBlock::exitProfile): Deleted.
* bytecode/DFGExitProfile.cpp:
(JSC::DFG::ExitProfile::add):
(JSC::DFG::QueryableExitProfile::initialize):
* bytecode/DFGExitProfile.h:
(JSC::DFG::ExitProfile::hasExitSite const):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::hasExitSite):
(JSC::GetByIdStatus::computeFor):
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdStatus.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::hasExitSite):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/PutByIdStatus.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::hasExitSite const):
(JSC::UnlinkedCodeBlock::hasExitSite):
(JSC::UnlinkedCodeBlock::exitProfile):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::hasGlobalExitSite):
(JSC::DFG::Graph::hasExitSite):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGOSRExitBase.cpp:
(JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2018-01-12 JF Bastien <jfbastien@apple.com>
PoisonedWriteBarrier
https://bugs.webkit.org/show_bug.cgi?id=181599
<rdar://problem/36474351>
Reviewed by Mark Lam.
Allow poisoning of WriteBarrier objects, and use this for
WebAssembly because it is perf-neutral, at least on WasmBench on
my MBP. If it indeed is perf-neutral according to the bots, start
using it in more performance-sensitive places.
* heap/HandleTypes.h:
* heap/SlotVisitor.h:
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::append):
(JSC::SlotVisitor::appendHidden):
* runtime/JSCJSValue.h:
* runtime/JSCPoison.h:
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::setPrototypeWithoutTransition):
(JSC::Structure::setGlobalObject):
(JSC::Structure::setPreviousID):
* runtime/WriteBarrier.h:
(JSC::WriteBarrierBase::copyFrom):
(JSC::WriteBarrierBase::get const):
(JSC::WriteBarrierBase::operator* const):
(JSC::WriteBarrierBase::operator-> const):
(JSC::WriteBarrierBase::clear):
(JSC::WriteBarrierBase::slot):
(JSC::WriteBarrierBase::operator bool const):
(JSC::WriteBarrierBase::setWithoutWriteBarrier):
(JSC::WriteBarrierBase::unvalidatedGet const):
(JSC::operator==):
* runtime/WriteBarrierInlines.h:
(JSC::Traits>::set):
(JSC::Traits>::setMayBeNull):
(JSC::Traits>::setEarlyValue):
(JSC::DumbValueTraits<Unknown>>::set):
* wasm/WasmInstance.h:
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
(JSC::JSWebAssemblyInstance::finishCreation):
(JSC::JSWebAssemblyInstance::visitChildren):
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee):
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::JSWebAssemblyTable):
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::clearFunction):
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::materializeImportJSCell):
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunctionBase.h:
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
(JSC::WebAssemblyModuleRecord::evaluate):
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyToJSCallee.h:
* wasm/js/WebAssemblyWrapperFunction.h:
2018-01-12 Saam Barati <sbarati@apple.com>
CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
https://bugs.webkit.org/show_bug.cgi?id=181177
<rdar://problem/36205704>
Reviewed by Yusuke Suzuki.
The semantics of CheckStructure are such that it does not allow the empty value to flow through it.
However, we may eliminate a CheckStructure if it's preceded by a CheckStructureOrEmpty. This doesn't
have semantic consequences when validation is turned off. However, with validation on, this trips up
our OSR exit machinery that says when an exit is allowed to happen.
Consider the following IR:
a: GetClosureVar // Or any other node that produces BytecodeTop
...
c: CheckStructure(Cell:@a, {s2})
d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
In the TypeCheckHoistingPhase, we may insert CheckStructureOrEmptys like this:
a: GetClosureVar
e: CheckStructureOrEmpty(@a, {s1})
...
f: CheckStructureOrEmpty(@a, {s2})
c: CheckStructure(Cell:@a, {s2})
d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
This will cause constant folding to change the IR to:
a: GetClosureVar
e: CheckStructureOrEmpty(@a, {s1})
...
f: CheckStructureOrEmpty(@a, {s2})
d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
Our mayExit analysis determines that the PutByOffset should not exit. Note
that AI will determine the only value the PutByOffset can see in @a is
the empty value. Because KnownCell filters SpecCell and not SpecCellCheck,
when lowering the PutByOffset, we reach a contradiction in AI and emit
an OSR exit. However, because mayExit said we couldn't exit, we assert.
Note that if we did not run the TypeCheckHoistingPhase on this IR, AI
would have determined we would OSR exit at the second CheckStructure.
This patch makes it so constant folding produces the following IR:
a: GetClosureVar
e: CheckStructureOrEmpty(@a, {s1})
g: AssertNotEmpty(@a)
...
f: CheckStructureOrEmpty(@a, {s2})
h: AssertNotEmpty(@a)
d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
This modification will cause AI to know we will OSR exit before even reaching
the PutByOffset. Note that in the original IR, the GetClosureVar won't
actually produce the TDZ value. If it did, bytecode would have caused us
to emit a CheckNotEmpty before the CheckStructure/PutByOffset combo. That's
why this bug is about IR bookkeeping and not an actual error in IR analysis.
This patch introduces AssertNotEmpty instead of using CheckNotEmpty to be
more congruous with CheckStructure's semantics of crashing on the empty value
as input (on 64 bit platforms).
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2018-01-12 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Remove unnecessary raw pointer in InspectorConsoleAgent
https://bugs.webkit.org/show_bug.cgi?id=181579
<rdar://problem/36193759>
Reviewed by Brian Burg.
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::clearMessages):
(Inspector::InspectorConsoleAgent::addConsoleMessage):
Switch from a raw pointer to m_consoleMessages.last().
Also move the expiration check into the if block since it can only
happen inside here when the number of console messages changes.
(Inspector::InspectorConsoleAgent::discardValues):
Also clear the expired message count when messages are cleared.
2018-01-12 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Create parallel SlotVisitors apriori
https://bugs.webkit.org/show_bug.cgi?id=180907
Reviewed by Saam Barati.
The number of SlotVisitors are capped with the number of HeapHelperPool's threads + 2.
If we create these SlotVisitors apropri, we do not need to create SlotVisitors dynamically.
Then we do not need to grab locks while iterating all the SlotVisitors.
In addition, we do not need to consider the case that the number of SlotVisitors increases
after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
does not increase any more.
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::runBeginPhase):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::forEachSlotVisitor):
(JSC::Heap::numberOfSlotVisitors): Deleted.
* heap/MarkingConstraintSolver.cpp:
(JSC::MarkingConstraintSolver::didVisitSomething const):
2018-01-12 Saam Barati <sbarati@apple.com>
Each variant of a polymorphic inlined call should be exitOK at the top of the block
https://bugs.webkit.org/show_bug.cgi?id=181562
<rdar://problem/36445624>
Reviewed by Yusuke Suzuki.
Before this patch, the very first block in the switch for polymorphic call
inlining will have exitOK at the top. The others are not guaranteed to.
That was just a bug. They're all exitOK at the top. This will lead to crashes
in FixupPhase because we won't have a node in a block that has ExitOK, so
when we fixup various type checks, we assert out.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):
2018-01-11 Keith Miller <keith_miller@apple.com>
Rename ENABLE_ASYNC_ITERATION to ENABLE_JS_ASYNC_ITERATION
https://bugs.webkit.org/show_bug.cgi?id=181573
Reviewed by Simon Fraser.
* Configurations/FeatureDefines.xcconfig:
* runtime/Options.h:
2018-01-11 Michael Saboff <msaboff@apple.com>
REGRESSION(226788): AppStore Crashed @ JavaScriptCore: JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters
https://bugs.webkit.org/show_bug.cgi?id=181570
Reviewed by Keith Miller.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::abortWithReason):
Reverting these functions to use dataTempRegister and memoryTempRegister as they are
JIT release asserts that will crash the program.
(JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
Changed this so that it invalidates any cached dataTmpRegister contents if temp register
caching is enabled.
2018-01-11 Filip Pizlo <fpizlo@apple.com>
Rename MarkedAllocator to BlockDirectory and AllocatorAttributes to CellAttributes
https://bugs.webkit.org/show_bug.cgi?id=181543
Rubber stamped by Michael Saboff.
In a world that has thread-local caches, the thing we now call the "MarkedAllocator" doesn't
really have anything to do with allocation anymore. The allocation will be done by something
in the TLC. When you move the allocation logic out of MarkedAllocator, it becomes just a
place to find blocks (a "block directory").
Once we do that renaming, the term "allocator attributes" becomes weird. Those are really the
attributes of the HeapCellType. So let's call them CellAttributes.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/ObjectAllocationProfile.h:
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileNewObject):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
* heap/AlignedMemoryAllocator.cpp:
(JSC::AlignedMemoryAllocator::registerDirectory):
(JSC::AlignedMemoryAllocator::registerAllocator): Deleted.
* heap/AlignedMemoryAllocator.h:
(JSC::AlignedMemoryAllocator::firstDirectory const):
(JSC::AlignedMemoryAllocator::firstAllocator const): Deleted.
* heap/AllocatorAttributes.cpp: Removed.
* heap/AllocatorAttributes.h: Removed.
* heap/BlockDirectory.cpp: Copied from Source/JavaScriptCore/heap/MarkedAllocator.cpp.
(JSC::BlockDirectory::BlockDirectory):
(JSC::BlockDirectory::setSubspace):
(JSC::BlockDirectory::isPagedOut):
(JSC::BlockDirectory::findEmptyBlockToSteal):
(JSC::BlockDirectory::didConsumeFreeList):
(JSC::BlockDirectory::tryAllocateWithoutCollecting):
(JSC::BlockDirectory::allocateIn):
(JSC::BlockDirectory::tryAllocateIn):
(JSC::BlockDirectory::doTestCollectionsIfNeeded):
(JSC::BlockDirectory::allocateSlowCase):
(JSC::BlockDirectory::blockSizeForBytes):
(JSC::BlockDirectory::tryAllocateBlock):
(JSC::BlockDirectory::addBlock):
(JSC::BlockDirectory::removeBlock):
(JSC::BlockDirectory::stopAllocating):
(JSC::BlockDirectory::prepareForAllocation):
(JSC::BlockDirectory::lastChanceToFinalize):
(JSC::BlockDirectory::resumeAllocating):
(JSC::BlockDirectory::beginMarkingForFullCollection):
(JSC::BlockDirectory::endMarking):
(JSC::BlockDirectory::snapshotUnsweptForEdenCollection):
(JSC::BlockDirectory::snapshotUnsweptForFullCollection):
(JSC::BlockDirectory::findBlockToSweep):
(JSC::BlockDirectory::sweep):
(JSC::BlockDirectory::shrink):
(JSC::BlockDirectory::assertNoUnswept):
(JSC::BlockDirectory::parallelNotEmptyBlockSource):
(JSC::BlockDirectory::dump const):
(JSC::BlockDirectory::dumpBits):
(JSC::BlockDirectory::markedSpace const):
(JSC::MarkedAllocator::MarkedAllocator): Deleted.
(JSC::MarkedAllocator::setSubspace): Deleted.
(JSC::MarkedAllocator::isPagedOut): Deleted.
(JSC::MarkedAllocator::findEmptyBlockToSteal): Deleted.
(JSC::MarkedAllocator::didConsumeFreeList): Deleted.
(JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
(JSC::MarkedAllocator::allocateIn): Deleted.
(JSC::MarkedAllocator::tryAllocateIn): Deleted.
(JSC::MarkedAllocator::doTestCollectionsIfNeeded): Deleted.
(JSC::MarkedAllocator::allocateSlowCase): Deleted.
(JSC::MarkedAllocator::blockSizeForBytes): Deleted.
(JSC::MarkedAllocator::tryAllocateBlock): Deleted.
(JSC::MarkedAllocator::addBlock): Deleted.
(JSC::MarkedAllocator::removeBlock): Deleted.
(JSC::MarkedAllocator::stopAllocating): Deleted.
(JSC::MarkedAllocator::prepareForAllocation): Deleted.
(JSC::MarkedAllocator::lastChanceToFinalize): Deleted.
(JSC::MarkedAllocator::resumeAllocating): Deleted.
(JSC::MarkedAllocator::beginMarkingForFullCollection): Deleted.
(JSC::MarkedAllocator::endMarking): Deleted.
(JSC::MarkedAllocator::snapshotUnsweptForEdenCollection): Deleted.
(JSC::MarkedAllocator::snapshotUnsweptForFullCollection): Deleted.
(JSC::MarkedAllocator::findBlockToSweep): Deleted.
(JSC::MarkedAllocator::sweep): Deleted.
(JSC::MarkedAllocator::shrink): Deleted.
(JSC::MarkedAllocator::assertNoUnswept): Deleted.
(JSC::MarkedAllocator::parallelNotEmptyBlockSource): Deleted.
(JSC::MarkedAllocator::dump const): Deleted.
(JSC::MarkedAllocator::dumpBits): Deleted.
(JSC::MarkedAllocator::markedSpace const): Deleted.
* heap/BlockDirectory.h: Copied from Source/JavaScriptCore/heap/MarkedAllocator.h.
(JSC::BlockDirectory::attributes const):
(JSC::BlockDirectory::forEachBitVector):
(JSC::BlockDirectory::forEachBitVectorWithName):
(JSC::BlockDirectory::nextDirectory const):
(JSC::BlockDirectory::nextDirectoryInSubspace const):
(JSC::BlockDirectory::nextDirectoryInAlignedMemoryAllocator const):
(JSC::BlockDirectory::setNextDirectory):
(JSC::BlockDirectory::setNextDirectoryInSubspace):
(JSC::BlockDirectory::setNextDirectoryInAlignedMemoryAllocator):
(JSC::BlockDirectory::offsetOfFreeList):
(JSC::BlockDirectory::offsetOfCellSize):
(JSC::MarkedAllocator::cellSize const): Deleted.
(JSC::MarkedAllocator::attributes const): Deleted.
(JSC::MarkedAllocator::needsDestruction const): Deleted.
(JSC::MarkedAllocator::destruction const): Deleted.
(JSC::MarkedAllocator::cellKind const): Deleted.
(JSC::MarkedAllocator::heap): Deleted.
(JSC::MarkedAllocator::bitvectorLock): Deleted.
(JSC::MarkedAllocator::forEachBitVector): Deleted.
(JSC::MarkedAllocator::forEachBitVectorWithName): Deleted.
(JSC::MarkedAllocator::nextAllocator const): Deleted.
(JSC::MarkedAllocator::nextAllocatorInSubspace const): Deleted.
(JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const): Deleted.
(JSC::MarkedAllocator::setNextAllocator): Deleted.
(JSC::MarkedAllocator::setNextAllocatorInSubspace): Deleted.
(JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator): Deleted.
(JSC::MarkedAllocator::subspace const): Deleted.
(JSC::MarkedAllocator::freeList const): Deleted.
(JSC::MarkedAllocator::offsetOfFreeList): Deleted.
(JSC::MarkedAllocator::offsetOfCellSize): Deleted.
* heap/BlockDirectoryInlines.h: Copied from Source/JavaScriptCore/heap/MarkedAllocatorInlines.h.
(JSC::BlockDirectory::isFreeListedCell const):
(JSC::BlockDirectory::allocate):
(JSC::BlockDirectory::forEachBlock):
(JSC::BlockDirectory::forEachNotEmptyBlock):
(JSC::MarkedAllocator::isFreeListedCell const): Deleted.
(JSC::MarkedAllocator::allocate): Deleted.
(JSC::MarkedAllocator::forEachBlock): Deleted.
(JSC::MarkedAllocator::forEachNotEmptyBlock): Deleted.
* heap/CellAttributes.cpp: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.cpp.
(JSC::CellAttributes::dump const):
(JSC::AllocatorAttributes::dump const): Deleted.
* heap/CellAttributes.h: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.h.
(JSC::CellAttributes::CellAttributes):
(JSC::AllocatorAttributes::AllocatorAttributes): Deleted.
* heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::allocatorFor):
(JSC::CompleteSubspace::allocateNonVirtual):
(JSC::CompleteSubspace::allocatorForSlow):
(JSC::CompleteSubspace::tryAllocateSlow):
* heap/CompleteSubspace.h:
(JSC::CompleteSubspace::allocatorForSizeStep):
(JSC::CompleteSubspace::allocatorForNonVirtual):
* heap/GCDeferralContext.h:
* heap/Heap.cpp:
(JSC::Heap::updateAllocationLimits):
* heap/Heap.h:
* heap/HeapCell.h:
* heap/HeapCellInlines.h:
(JSC::HeapCell::cellAttributes const):
(JSC::HeapCell::destructionMode const):
(JSC::HeapCell::cellKind const):
(JSC::HeapCell::allocatorAttributes const): Deleted.
* heap/HeapCellType.cpp:
(JSC::HeapCellType::HeapCellType):
* heap/HeapCellType.h:
(JSC::HeapCellType::attributes const):
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::IncrementalSweeper):
(JSC::IncrementalSweeper::sweepNextBlock):
(JSC::IncrementalSweeper::startSweeping):
(JSC::IncrementalSweeper::stopSweeping):
* heap/IncrementalSweeper.h:
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::IsoCellSet):
(JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
(JSC::IsoCellSet::addSlow):
(JSC::IsoCellSet::didRemoveBlock):
(JSC::IsoCellSet::sweepToFreeList):
* heap/IsoCellSetInlines.h:
(JSC::IsoCellSet::forEachMarkedCell):
(JSC::IsoCellSet::forEachLiveCell):
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::IsoSubspace):
(JSC::IsoSubspace::allocatorFor):
(JSC::IsoSubspace::allocateNonVirtual):
* heap/IsoSubspace.h:
(JSC::IsoSubspace::allocatorForNonVirtual):
* heap/LargeAllocation.h:
(JSC::LargeAllocation::attributes const):
* heap/MarkedAllocator.cpp: Removed.
* heap/MarkedAllocator.h: Removed.
* heap/MarkedAllocatorInlines.h: Removed.
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::~Handle):
(JSC::MarkedBlock::Handle::setIsFreeListed):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::lastChanceToFinalize):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::Handle::didConsumeFreeList):
(JSC::MarkedBlock::noteMarkedSlow):
(JSC::MarkedBlock::Handle::removeFromDirectory):
(JSC::MarkedBlock::Handle::didAddToDirectory):
(JSC::MarkedBlock::Handle::didRemoveFromDirectory):
(JSC::MarkedBlock::Handle::dumpState):
(JSC::MarkedBlock::Handle::subspace const):
(JSC::MarkedBlock::Handle::sweep):
(JSC::MarkedBlock::Handle::isFreeListedCell const):
(JSC::MarkedBlock::Handle::removeFromAllocator): Deleted.
(JSC::MarkedBlock::Handle::didAddToAllocator): Deleted.
(JSC::MarkedBlock::Handle::didRemoveFromAllocator): Deleted.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::directory const):
(JSC::MarkedBlock::Handle::attributes const):
(JSC::MarkedBlock::attributes const):
(JSC::MarkedBlock::Handle::allocator const): Deleted.
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::isAllocated):
(JSC::MarkedBlock::Handle::isLive):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::isEmpty):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::lastChanceToFinalize):
(JSC::MarkedSpace::sweep):
(JSC::MarkedSpace::stopAllocating):
(JSC::MarkedSpace::resumeAllocating):
(JSC::MarkedSpace::isPagedOut):
(JSC::MarkedSpace::freeBlock):
(JSC::MarkedSpace::shrink):
(JSC::MarkedSpace::beginMarking):
(JSC::MarkedSpace::endMarking):
(JSC::MarkedSpace::snapshotUnswept):
(JSC::MarkedSpace::assertNoUnswept):
(JSC::MarkedSpace::dumpBits):
(JSC::MarkedSpace::addBlockDirectory):
(JSC::MarkedSpace::addMarkedAllocator): Deleted.
* heap/MarkedSpace.h:
(JSC::MarkedSpace::firstDirectory const):
(JSC::MarkedSpace::directoryLock):
(JSC::MarkedSpace::forEachBlock):
(JSC::MarkedSpace::forEachDirectory):
(JSC::MarkedSpace::firstAllocator const): Deleted.
(JSC::MarkedSpace::allocatorLock): Deleted.
(JSC::MarkedSpace::forEachAllocator): Deleted.
* heap/MarkedSpaceInlines.h:
* heap/Subspace.cpp:
(JSC::Subspace::initialize):
(JSC::Subspace::prepareForAllocation):
(JSC::Subspace::findEmptyBlockToSteal):
(JSC::Subspace::parallelDirectorySource):
(JSC::Subspace::parallelNotEmptyMarkedBlockSource):
(JSC::Subspace::sweep):
(JSC::Subspace::parallelAllocatorSource): Deleted.
* heap/Subspace.h:
(JSC::Subspace::attributes const):
(JSC::Subspace::didCreateFirstDirectory):
(JSC::Subspace::didCreateFirstAllocator): Deleted.
* heap/SubspaceInlines.h:
(JSC::Subspace::forEachDirectory):
(JSC::Subspace::forEachMarkedBlock):
(JSC::Subspace::forEachNotEmptyMarkedBlock):
(JSC::Subspace::forEachAllocator): Deleted.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
(JSC::AssemblyHelpers::emitAllocate):
(JSC::AssemblyHelpers::emitAllocateJSCell):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
* runtime/JSDestructibleObjectHeapCellType.cpp:
(JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
* runtime/JSSegmentedVariableObjectHeapCellType.cpp:
(JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
* runtime/JSStringHeapCellType.cpp:
(JSC::JSStringHeapCellType::JSStringHeapCellType):
* runtime/VM.cpp:
(JSC::VM::VM):
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
(JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
2018-01-11 Saam Barati <sbarati@apple.com>
When inserting Unreachable in byte code parser we need to flush all the right things
https://bugs.webkit.org/show_bug.cgi?id=181509
<rdar://problem/36423110>
Reviewed by Mark Lam.
I added code in r226655 that had its own mechanism for preserving liveness when
inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve
liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack.
I got some of these values wrong, which was leading to a crash when recovering the
callee value from an inlined frame. Instead of making the same mistake and repeating
similar code again, this patch refactors this logic to be shared with the other
liveness preservation code in the DFG bytecode parser. This is what I should have
done in my initial patch.
* bytecode/InlineCallFrame.h:
(JSC::remapOperand):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::flushImpl):
(JSC::DFG::flushForTerminalImpl):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::parse):
2018-01-11 Saam Barati <sbarati@apple.com>
JITMathIC code in the FTL is wrong when code gets duplicated
https://bugs.webkit.org/show_bug.cgi?id=181525
<rdar://problem/36351993>
Reviewed by Michael Saboff and Keith Miller.
B3/Air may duplicate code for various reasons. Patchpoint generators inside
FTLLower must be aware that they can be called multiple times because of this.
The patchpoint for math ICs was not aware of this, and shared state amongst
all invocations of the patchpoint's generator. This patch fixes this bug so
that each invocation of the patchpoint's generator gets a unique math IC.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::addMathIC):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
(JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
(JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted.
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
2018-01-11 Michael Saboff <msaboff@apple.com>
Ensure there are no unsafe uses of MacroAssemblerARM64::dataTempRegister
https://bugs.webkit.org/show_bug.cgi?id=181512
Reviewed by Saam Barati.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::abortWithReason):
(JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
All current uses of dataTempRegister in these functions are safe, but it makes sense to
fix them in case they might be used elsewhere.
2018-01-04 Filip Pizlo <fpizlo@apple.com>
CodeBlocks should be in IsoSubspaces
https://bugs.webkit.org/show_bug.cgi?id=180884
Reviewed by Saam Barati.
This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
WeakReferenceHarvester or UnconditionalFinalizer. Instead:
- Code block sweeping is now just eager sweeping. This means that it automatically takes
advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
its eden set for.
- Those idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
marking a ExecutableToCodeBlockEdge object. That object being marked corresponds to what
we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
longer has to clear the set of weakly visited code blocks. This also means that
determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
has IsoCellSets to tell us which edges have output constraints (what we used to call
CodeBlock's weak reference harvester) and which have unconditional finalizers.
- CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
- CodeBlockSet still exists! It has one unified HashSet of CodeBlocks that we use to
handle requests from the sampler, debugger, and other facilities. They may want to ask
if some pointer corresponds to a CodeBlock during stages of execution during which the
GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
There is no way that the GC's isLive could tell us of a CodeBlock that had already been
allocated has now been full constructed.
Rolling this back in because it was rolled out by mistake. There was a flaky crash that was
happening before and after this change, but we misread the revision numbers at first and
thought that this was the cause.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::finishCreationCommon):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::determineLiveness):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::stronglyVisitStrongReferences):
(JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
(JSC::CodeBlock::installVMTrapBreakpoints):
(JSC::CodeBlock::dumpMathICStats):
(JSC::CodeBlock::visitWeakly): Deleted.
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::subspaceFor):
(JSC::CodeBlock::ownerEdge const):
(JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
* bytecode/EvalCodeBlock.h:
(JSC::EvalCodeBlock::create): Deleted.
(JSC::EvalCodeBlock::createStructure): Deleted.
(JSC::EvalCodeBlock::variable): Deleted.
(JSC::EvalCodeBlock::numVariables): Deleted.
(JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
(JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
(JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
(JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
* bytecode/ExecutableToCodeBlockEdge.cpp: Added.
(JSC::ExecutableToCodeBlockEdge::createStructure):
(JSC::ExecutableToCodeBlockEdge::create):
(JSC::ExecutableToCodeBlockEdge::visitChildren):
(JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
(JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
(JSC::ExecutableToCodeBlockEdge::activate):
(JSC::ExecutableToCodeBlockEdge::deactivate):
(JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
(JSC::ExecutableToCodeBlockEdge::wrap):
(JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
(JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
(JSC::ExecutableToCodeBlockEdge::runConstraint):
* bytecode/ExecutableToCodeBlockEdge.h: Added.
(JSC::ExecutableToCodeBlockEdge::subspaceFor):
(JSC::ExecutableToCodeBlockEdge::codeBlock const):
(JSC::ExecutableToCodeBlockEdge::unwrap):
* bytecode/FunctionCodeBlock.h:
(JSC::FunctionCodeBlock::subspaceFor):
(JSC::FunctionCodeBlock::createStructure):
* bytecode/ModuleProgramCodeBlock.h:
(JSC::ModuleProgramCodeBlock::create): Deleted.
(JSC::ModuleProgramCodeBlock::createStructure): Deleted.
(JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
* bytecode/ProgramCodeBlock.h:
(JSC::ProgramCodeBlock::create): Deleted.
(JSC::ProgramCodeBlock::createStructure): Deleted.
(JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
* debugger/Debugger.cpp:
(JSC::Debugger::SetSteppingModeFunctor::operator() const):
(JSC::Debugger::ToggleBreakpointFunctor::operator() const):
(JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
(JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::contains):
(JSC::CodeBlockSet::dump const):
(JSC::CodeBlockSet::add):
(JSC::CodeBlockSet::remove):
(JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
(JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
(JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
* heap/CodeBlockSet.h:
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterate):
(JSC::CodeBlockSet::iterateViaSubspaces):
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::genericAddPointer):
(JSC::DummyMarkHook::markKnownJSCell):
(JSC::CompositeMarkHook::mark):
(JSC::CompositeMarkHook::markKnownJSCell):
* heap/ConservativeRoots.h:
* heap/Heap.cpp:
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::finalizeMarkedUnconditionalFinalizers):
(JSC::Heap::finalizeUnconditionalFinalizers):
(JSC::Heap::beginMarking):
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::sweepInFinalize):
(JSC::Heap::forEachCodeBlockImpl):
(JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
(JSC::Heap::addCoreConstraints):
(JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
* heap/Heap.h:
* heap/HeapCell.h:
* heap/HeapCellInlines.h:
(JSC::HeapCell::subspace const):
* heap/HeapInlines.h:
(JSC::Heap::forEachCodeBlock):
(JSC::Heap::forEachCodeBlockIgnoringJITPlans):
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
* heap/IsoCellSet.h:
* heap/IsoCellSetInlines.h:
(JSC::IsoCellSet::forEachMarkedCellInParallel):
(JSC::IsoCellSet::forEachLiveCell):
* heap/LargeAllocation.h:
(JSC::LargeAllocation::subspace const):
* heap/MarkStackMergingConstraint.cpp:
(JSC::MarkStackMergingConstraint::executeImpl):
* heap/MarkStackMergingConstraint.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::parallelNotEmptyBlockSource):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToAllocator):
(JSC::MarkedBlock::Handle::didRemoveFromAllocator):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::subspace const):
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::forEachLiveCell):
* heap/MarkedSpaceInlines.h:
(JSC::MarkedSpace::forEachLiveCell):
* heap/MarkingConstraint.cpp:
(JSC::MarkingConstraint::execute):
(JSC::MarkingConstraint::doParallelWork):
(JSC::MarkingConstraint::finishParallelWork): Deleted.
(JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
(JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
* heap/MarkingConstraint.h:
* heap/MarkingConstraintSet.cpp:
(JSC::MarkingConstraintSet::add):
* heap/MarkingConstraintSet.h:
(JSC::MarkingConstraintSet::add):
* heap/MarkingConstraintSolver.cpp:
(JSC::MarkingConstraintSolver::execute):
(JSC::MarkingConstraintSolver::addParallelTask):
(JSC::MarkingConstraintSolver::runExecutionThread):
(JSC::MarkingConstraintSolver::didExecute): Deleted.
* heap/MarkingConstraintSolver.h:
(JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
(JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
* heap/SimpleMarkingConstraint.cpp:
(JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
(JSC::SimpleMarkingConstraint::executeImpl):
* heap/SimpleMarkingConstraint.h:
(JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::addParallelConstraintTask):
* heap/SlotVisitor.h:
* heap/Subspace.cpp:
(JSC::Subspace::sweep):
* heap/Subspace.h:
* heap/SubspaceInlines.h:
(JSC::Subspace::forEachLiveCell):
* llint/LowLevelInterpreter.asm:
* runtime/EvalExecutable.cpp:
(JSC::EvalExecutable::visitChildren):
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::codeBlock):
* runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::baselineCodeBlockFor):
(JSC::FunctionExecutable::visitChildren):
* runtime/FunctionExecutable.h:
* runtime/JSType.h:
* runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::visitChildren):
* runtime/ModuleProgramExecutable.h:
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::visitChildren):
* runtime/ProgramExecutable.h:
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::installCode):
(JSC::ScriptExecutable::newReplacementCodeBlockFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
(JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
(JSC::VM::forEachCodeBlockSpace):
* runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
* tools/VMInspector.cpp:
(JSC::VMInspector::codeBlockForMachinePC):
(JSC::VMInspector::isValidCodeBlock):
2018-01-11 Michael Saboff <msaboff@apple.com>
Add a DOM gadget for Spectre testing
https://bugs.webkit.org/show_bug.cgi?id=181351
Reviewed by Ryosuke Niwa.
* runtime/Options.h:
2018-01-11 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] regExpMatchFast should be handled
https://bugs.webkit.org/show_bug.cgi?id=180988
Reviewed by Mark Lam.
RegExp.prototype.@@match has a fast path, @regExpMatchFast. This patch annotates this function
with RegExpMatchFastIntrinsic, and introduces RegExpMatch DFG node. This paves the way to
make NewRegexp PhantomNewRegexp if it is not used except for setting/getting its lastIndex property.
To improve RegExp.prototype.@@match's performance more, we make this builtin function small by moving
slow path part to `@matchSlow()` private function.
It improves SixSpeed regex-u.{es5,es6} largely since they stress String.prototype.match, which calls
this regExpMatchFast function.
baseline patched
regex-u.es5 55.3835+-6.3002 ^ 36.2431+-2.0797 ^ definitely 1.5281x faster
regex-u.es6 110.4624+-6.2896 ^ 94.1012+-7.2433 ^ definitely 1.1739x faster
* builtins/RegExpPrototype.js:
(globalPrivate.matchSlow):
(overriddenName.string_appeared_here.match):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileRegExpMatch):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatch):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncMatchFast):
2018-01-11 Saam Barati <sbarati@apple.com>
Our for-in caching is wrong when we add indexed properties on things in the prototype chain
https://bugs.webkit.org/show_bug.cgi?id=181508
Reviewed by Yusuke Suzuki.
Our for-in caching would cache structure chains that had prototypes with
indexed properties. Clearly this is wrong. This caching breaks when a prototype
adds new indexed properties. We would continue to enumerate the old cached
state of properties, and not include the new indexed properties.
The old code used to prevent caching only if the base structure had
indexed properties. This patch extends it to prevent caching if the
base, or any structure in the prototype chain, has indexed properties.
* runtime/Structure.cpp:
(JSC::Structure::canCachePropertyNameEnumerator const):
2018-01-10 JF Bastien <jfbastien@apple.com>
Poison small JSObject derivatives which only contain pointers
https://bugs.webkit.org/show_bug.cgi?id=181483
<rdar://problem/36407127>
Reviewed by Mark Lam.
I wrote a script that finds interesting things to poison or
generally harden. These stood out because they derive from
JSObject and only contain a few pointer or pointer-like fields,
and could therefore just be poisoned. This also requires some
template "improvements" to our poisoning machinery. Worth noting
is that I'm making PoisonedUniquePtr move-assignable and
move-constructible from unique_ptr, which makes it a better
drop-in replacement because we don't need to use
makePoisonedUniquePtr. This means function-locals can be
unique_ptr and get the nice RAII pattern, and once the function is
done you can just move to the class' PoisonedUniquePtr without
worrying.
* API/JSAPIWrapperObject.h:
(JSC::JSAPIWrapperObject::wrappedObject):
* API/JSAPIWrapperObject.mm:
(JSC::JSAPIWrapperObject::JSAPIWrapperObject):
* API/JSCallbackObject.h:
* runtime/ArrayPrototype.h:
* runtime/DateInstance.h:
* runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::finishCreation):
(JSC::JSArrayBuffer::isShared const):
(JSC::JSArrayBuffer::sharingMode const):
* runtime/JSArrayBuffer.h:
* runtime/JSCPoison.h:
2018-01-10 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r226667 and r226673.
https://bugs.webkit.org/show_bug.cgi?id=181488
This caused a flaky crash. (Requested by mlewis13 on #webkit).
Reverted changesets:
"CodeBlocks should be in IsoSubspaces"
https://bugs.webkit.org/show_bug.cgi?id=180884
https://trac.webkit.org/changeset/226667
"REGRESSION (r226667): CodeBlocks should be in IsoSubspaces"
https://bugs.webkit.org/show_bug.cgi?id=180884
https://trac.webkit.org/changeset/226673
2018-01-09 David Kilzer <ddkilzer@apple.com>
REGRESSION (r226667): CodeBlocks should be in IsoSubspaces
<https://bugs.webkit.org/show_bug.cgi?id=180884>
Fixes the following build error:
heap/Heap.cpp:2708:10: error: lambda capture 'this' is not used [-Werror,-Wunused-lambda-capture]
* heap/Heap.cpp:
(JSC::Heap::addCoreConstraints): Remove 'this' from lambda to
fix the build.
2018-01-09 Keith Miller <keith_miller@apple.com>
and32 with an Address source on ARM64 did not invalidate dataTempRegister
https://bugs.webkit.org/show_bug.cgi?id=181467
Reviewed by Michael Saboff.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::and32):
2018-01-04 Filip Pizlo <fpizlo@apple.com>
CodeBlocks should be in IsoSubspaces
https://bugs.webkit.org/show_bug.cgi?id=180884
Reviewed by Saam Barati.
This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
WeakReferenceHarvester or UnconditionalFinalizer. Instead:
- Code block sweeping is now just eager sweeping. This means that it automatically takes
advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
its eden set for.
- Those idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
marking a ExecutableToCodeBlockEdge object. That object being marked corresponds to what
we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
longer has to clear the set of weakly visited code blocks. This also means that
determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
has IsoCellSets to tell us which edges have output constraints (what we used to call
CodeBlock's weak reference harvester) and which have unconditional finalizers.
- CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
- CodeBlockSet still exists! It has one unified HashSet of CodeBlocks that we use to
handle requests from the sampler, debugger, and other facilities. They may want to ask
if some pointer corresponds to a CodeBlock during stages of execution during which the
GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
There is no way that the GC's isLive could tell us of a CodeBlock that had already been
allocated has now been full constructed.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::finishCreationCommon):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::determineLiveness):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::stronglyVisitStrongReferences):
(JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
(JSC::CodeBlock::installVMTrapBreakpoints):
(JSC::CodeBlock::dumpMathICStats):
(JSC::CodeBlock::visitWeakly): Deleted.
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::subspaceFor):
(JSC::CodeBlock::ownerEdge const):
(JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
* bytecode/EvalCodeBlock.h:
(JSC::EvalCodeBlock::create): Deleted.
(JSC::EvalCodeBlock::createStructure): Deleted.
(JSC::EvalCodeBlock::variable): Deleted.
(JSC::EvalCodeBlock::numVariables): Deleted.
(JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
(JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
(JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
(JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
* bytecode/ExecutableToCodeBlockEdge.cpp: Added.
(JSC::ExecutableToCodeBlockEdge::createStructure):
(JSC::ExecutableToCodeBlockEdge::create):
(JSC::ExecutableToCodeBlockEdge::visitChildren):
(JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
(JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
(JSC::ExecutableToCodeBlockEdge::activate):
(JSC::ExecutableToCodeBlockEdge::deactivate):
(JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
(JSC::ExecutableToCodeBlockEdge::wrap):
(JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
(JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
(JSC::ExecutableToCodeBlockEdge::runConstraint):
* bytecode/ExecutableToCodeBlockEdge.h: Added.
(JSC::ExecutableToCodeBlockEdge::subspaceFor):
(JSC::ExecutableToCodeBlockEdge::codeBlock const):
(JSC::ExecutableToCodeBlockEdge::unwrap):
* bytecode/FunctionCodeBlock.h:
(JSC::FunctionCodeBlock::subspaceFor):
(JSC::FunctionCodeBlock::createStructure):
* bytecode/ModuleProgramCodeBlock.h:
(JSC::ModuleProgramCodeBlock::create): Deleted.
(JSC::ModuleProgramCodeBlock::createStructure): Deleted.
(JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
* bytecode/ProgramCodeBlock.h:
(JSC::ProgramCodeBlock::create): Deleted.
(JSC::ProgramCodeBlock::createStructure): Deleted.
(JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
* debugger/Debugger.cpp:
(JSC::Debugger::SetSteppingModeFunctor::operator() const):
(JSC::Debugger::ToggleBreakpointFunctor::operator() const):
(JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
(JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::contains):
(JSC::CodeBlockSet::dump const):
(JSC::CodeBlockSet::add):
(JSC::CodeBlockSet::remove):
(JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
(JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
(JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
* heap/CodeBlockSet.h:
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterate):
(JSC::CodeBlockSet::iterateViaSubspaces):
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::genericAddPointer):
(JSC::DummyMarkHook::markKnownJSCell):
(JSC::CompositeMarkHook::mark):
(JSC::CompositeMarkHook::markKnownJSCell):
* heap/ConservativeRoots.h:
* heap/Heap.cpp:
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::finalizeMarkedUnconditionalFinalizers):
(JSC::Heap::finalizeUnconditionalFinalizers):
(JSC::Heap::beginMarking):
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::sweepInFinalize):
(JSC::Heap::forEachCodeBlockImpl):
(JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
(JSC::Heap::addCoreConstraints):
(JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
* heap/Heap.h:
* heap/HeapCell.h:
* heap/HeapCellInlines.h:
(JSC::HeapCell::subspace const):
* heap/HeapInlines.h:
(JSC::Heap::forEachCodeBlock):
(JSC::Heap::forEachCodeBlockIgnoringJITPlans):
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
* heap/IsoCellSet.h:
* heap/IsoCellSetInlines.h:
(JSC::IsoCellSet::forEachMarkedCellInParallel):
(JSC::IsoCellSet::forEachLiveCell):
* heap/LargeAllocation.h:
(JSC::LargeAllocation::subspace const):
* heap/MarkStackMergingConstraint.cpp:
(JSC::MarkStackMergingConstraint::executeImpl):
* heap/MarkStackMergingConstraint.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::parallelNotEmptyBlockSource):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToAllocator):
(JSC::MarkedBlock::Handle::didRemoveFromAllocator):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::subspace const):
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::forEachLiveCell):
* heap/MarkedSpaceInlines.h:
(JSC::MarkedSpace::forEachLiveCell):
* heap/MarkingConstraint.cpp:
(JSC::MarkingConstraint::execute):
(JSC::MarkingConstraint::doParallelWork):
(JSC::MarkingConstraint::finishParallelWork): Deleted.
(JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
(JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
* heap/MarkingConstraint.h:
* heap/MarkingConstraintSet.cpp:
(JSC::MarkingConstraintSet::add):
* heap/MarkingConstraintSet.h:
(JSC::MarkingConstraintSet::add):
* heap/MarkingConstraintSolver.cpp:
(JSC::MarkingConstraintSolver::execute):
(JSC::MarkingConstraintSolver::addParallelTask):
(JSC::MarkingConstraintSolver::runExecutionThread):
(JSC::MarkingConstraintSolver::didExecute): Deleted.
* heap/MarkingConstraintSolver.h:
(JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
(JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
* heap/SimpleMarkingConstraint.cpp:
(JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
(JSC::SimpleMarkingConstraint::executeImpl):
* heap/SimpleMarkingConstraint.h:
(JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::addParallelConstraintTask):
* heap/SlotVisitor.h:
* heap/Subspace.cpp:
(JSC::Subspace::sweep):
* heap/Subspace.h:
* heap/SubspaceInlines.h:
(JSC::Subspace::forEachLiveCell):
* llint/LowLevelInterpreter.asm:
* runtime/EvalExecutable.cpp:
(JSC::EvalExecutable::visitChildren):
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::codeBlock):
* runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::baselineCodeBlockFor):
(JSC::FunctionExecutable::visitChildren):
* runtime/FunctionExecutable.h:
* runtime/JSType.h:
* runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::visitChildren):
* runtime/ModuleProgramExecutable.h:
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::visitChildren):
* runtime/ProgramExecutable.h:
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::installCode):
(JSC::ScriptExecutable::newReplacementCodeBlockFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
(JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
(JSC::VM::forEachCodeBlockSpace):
* runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
* tools/VMInspector.cpp:
(JSC::VMInspector::codeBlockForMachinePC):
(JSC::VMInspector::isValidCodeBlock):
2018-01-09 Michael Saboff <msaboff@apple.com>
Unreviewed, rolling out r226600 and r226603
https://bugs.webkit.org/show_bug.cgi?id=181351
Add a DOM gadget for Spectre testing
* runtime/Options.h:
2018-01-09 Saam Barati <sbarati@apple.com>
Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
https://bugs.webkit.org/show_bug.cgi?id=181409
Reviewed by Keith Miller.
When I was looking at profiler data for Speedometer, I noticed that one of
the hottest functions in Speedometer is around 1100 bytecode operations long.
Only about 100 of those bytecode ops ever execute. However, we ended up
spending a lot of time compiling basic blocks that never executed. We often
plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
This is the case when such a node never executes.
This patch makes it so that anytime a block has a ForceOSRExit, we replace its
terminal node with an Unreachable node (and remove all nodes after the
ForceOSRExit). This will cut down on graph size when such a block dominates
other blocks in the CFG. This allows us to get rid of huge chunks of the CFG
in certain programs. When doing this transformation, we also insert
Flushes/PhantomLocals to ensure we can recover values that are bytecode
live-in to the ForceOSRExit.
Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
does not get rid of all the CFG that it could. If we decide it's worth
it, we could use additional inputs into this mechanism. For example, we could
profile if a basic block ever executes inside the LLInt/Baseline, and
remove parts of the CFG based on that.
When running Speedometer with the concurrent JIT turned off, this patch
improves DFG/FTL compile times by around 5%.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addToGraph):
(JSC::DFG::ByteCodeParser::parse):
2018-01-09 Mark Lam <mark.lam@apple.com>
ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
https://bugs.webkit.org/show_bug.cgi?id=181388
<rdar://problem/36349351>
Reviewed by Saam Barati.
When there are duplicate setters or getters, we may end up overwriting a getter
with a setter, or vice versa. This patch adds tracking for getters/setters that
have been overwritten with duplicates and ignore them.
* bytecompiler/NodesCodegen.cpp:
(JSC::PropertyListNode::emitBytecode):
* parser/NodeConstructors.h:
(JSC::PropertyNode::PropertyNode):
* parser/Nodes.h:
(JSC::PropertyNode::isOverriddenByDuplicate const):
(JSC::PropertyNode::setIsOverriddenByDuplicate):
2018-01-08 Zan Dobersek <zdobersek@igalia.com>
REGRESSION(r225913): about 30 JSC test failures on ARMv7
https://bugs.webkit.org/show_bug.cgi?id=181162
<rdar://problem/36261349>
Unreviewed follow-up to r226298. Enable the fast case in
DFG::SpeculativeJIT::compileArraySlice() for any 64-bit platform,
assuming in good faith that enough GP registers are available on any
such configuration. The accompanying comment is adjusted to describe
this assumption.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArraySlice):
2018-01-08 JF Bastien <jfbastien@apple.com>
WebAssembly: mask indexed accesses to Table
https://bugs.webkit.org/show_bug.cgi?id=181412
<rdar://problem/36363236>
Reviewed by Saam Barati.
WebAssembly Table indexed accesses are user-controlled and
bounds-checked. Force allocations of Table data to be a
power-of-two, and explicitly mask accesses after bounds-check
branches.
Rename misleading usage of "size" when "length" of a Table was
intended.
Rename the Spectre option from "disable" to "enable".
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
* jit/JIT.cpp:
(JSC::JIT::JIT):
* runtime/Options.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmTable.cpp:
(JSC::Wasm::Table::allocatedLength):
(JSC::Wasm::Table::setLength):
(JSC::Wasm::Table::create):
(JSC::Wasm::Table::Table):
(JSC::Wasm::Table::grow):
(JSC::Wasm::Table::clearFunction):
(JSC::Wasm::Table::setFunction):
* wasm/WasmTable.h:
(JSC::Wasm::Table::length const):
(JSC::Wasm::Table::offsetOfLength):
(JSC::Wasm::Table::offsetOfMask):
(JSC::Wasm::Table::mask const):
(JSC::Wasm::Table::isValidLength):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::JSWebAssemblyTable):
(JSC::JSWebAssemblyTable::visitChildren):
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::getFunction):
(JSC::JSWebAssemblyTable::clearFunction):
(JSC::JSWebAssemblyTable::setFunction):
* wasm/js/JSWebAssemblyTable.h:
(JSC::JSWebAssemblyTable::isValidLength):
(JSC::JSWebAssemblyTable::length const):
(JSC::JSWebAssemblyTable::allocatedLength const):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::evaluate):
* wasm/js/WebAssemblyTablePrototype.cpp:
(JSC::webAssemblyTableProtoFuncLength):
(JSC::webAssemblyTableProtoFuncGrow):
(JSC::webAssemblyTableProtoFuncGet):
(JSC::webAssemblyTableProtoFuncSet):
2018-01-08 Michael Saboff <msaboff@apple.com>
Add a DOM gadget for Spectre testing
https://bugs.webkit.org/show_bug.cgi?id=181351
Reviewed by Michael Saboff.
Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
Spectre mitigations.
* runtime/Options.h:
2018-01-08 Mark Lam <mark.lam@apple.com>
Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
https://bugs.webkit.org/show_bug.cgi?id=181403
<rdar://problem/36359789>
Rubber-stamped by JF Bastien.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::finalizeLLIntInlineCaches):
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::predictedMachineCodeSize):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::vm const):
(JSC::CodeBlock::addConstant):
(JSC::CodeBlock::heap const):
(JSC::CodeBlock::replaceConstant):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2018-01-07 Mark Lam <mark.lam@apple.com>
Apply poisoning to more pointers in JSC.
https://bugs.webkit.org/show_bug.cgi?id=181096
<rdar://problem/36182970>
Reviewed by JF Bastien.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::xorPtr):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::xor64):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::xor64):
- Add xorPtr implementation.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::inferredName const):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::visitWeakly):
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
(JSC::CodeBlock::finalizeLLIntInlineCaches):
(JSC::CodeBlock::finalizeBaselineJITInlineCaches):
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::predictedMachineCodeSize):
(JSC::CodeBlock::findPC):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
(JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
(JSC::CodeBlock::stubInfoBegin):
(JSC::CodeBlock::stubInfoEnd):
(JSC::CodeBlock::callLinkInfosBegin):
(JSC::CodeBlock::callLinkInfosEnd):
(JSC::CodeBlock::instructions):
(JSC::CodeBlock::instructions const):
(JSC::CodeBlock::vm const):
* dfg/DFGOSRExitCompilerCommon.h:
(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
* jit/JIT.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* parser/UnlinkedSourceCode.h:
* runtime/JSCPoison.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObject.h:
* runtime/JSScriptFetchParameters.h:
* runtime/JSScriptFetcher.h:
* runtime/StructureTransitionTable.h:
* wasm/js/JSWebAssemblyCodeBlock.cpp:
(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
(JSC::JSWebAssemblyCodeBlock::visitChildren):
(JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
* wasm/js/JSWebAssemblyCodeBlock.h:
2018-01-06 Yusuke Suzuki <utatane.tea@gmail.com>
Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
https://bugs.webkit.org/show_bug.cgi?id=181321
Reviewed by Saam Barati.
According to ECMA262 16.2[1], functions created using the bind method must not have
"caller" and "arguments" own properties.
[1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions
* runtime/JSBoundFunction.cpp:
(JSC::JSBoundFunction::finishCreation):
2018-01-05 JF Bastien <jfbastien@apple.com>
WebAssembly: poison JS object's secrets
https://bugs.webkit.org/show_bug.cgi?id=181339
<rdar://problem/36325001>
Reviewed by Mark Lam.
Separating WebAssembly's JS objects from their non-JS
implementation means that all interesting information lives
outside of the JS object itself. This patch poisons each JS
object's pointer to non-JS implementation using the poisoning
mechanism and a unique key per JS object type origin.
* runtime/JSCPoison.h:
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
object in a stack slot when fast TLS is disabled. This requires
that we unpoison the Wasm::Instance.
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
be explicit that the pointer is poisoned.
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.h:
2018-01-05 Michael Saboff <msaboff@apple.com>
Add ability to disable indexed property masking for testing
https://bugs.webkit.org/show_bug.cgi?id=181350
Reviewed by Keith Miller.
Made the masking of indexed properties runtime controllable via a new JSC::Option
named disableSpectreMitigations. This is done to test the efficacy of that mitigation.
The new option has a generic name as it will probably be used to disable future mitigations.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
(JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
* jit/JIT.cpp:
(JSC::JIT::JIT):
* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
* runtime/Options.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2018-01-05 Michael Saboff <msaboff@apple.com>
Allow JSC Config Files to set Restricted Options
https://bugs.webkit.org/show_bug.cgi?id=181352
Reviewed by Mark Lam.
* runtime/ConfigFile.cpp:
(JSC::ConfigFile::parse):
2018-01-04 Keith Miller <keith_miller@apple.com>
TypedArrays and Wasm should use index masking.
https://bugs.webkit.org/show_bug.cgi?id=181313
Reviewed by Michael Saboff.
We should have index masking for our TypedArray code in the
DFG/FTL and for Wasm when doing bounds checking. Index masking for
Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
WasmBoundsCheckValues we don't need to worry about combining a
bounds check for a load and a store. I went with fusing the
pointer masking in the WasmBoundsCheckValue since it should reduce
additional compiler overhead.
* b3/B3LowerToAir.cpp:
* b3/B3Validate.cpp:
* b3/B3WasmBoundsCheckValue.cpp:
(JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
(JSC::B3::WasmBoundsCheckValue::dumpMeta const):
* b3/B3WasmBoundsCheckValue.h:
(JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
* b3/air/AirCustom.h:
(JSC::B3::Air::WasmBoundsCheckCustom::generate):
* b3/testb3.cpp:
(JSC::B3::testWasmBoundsCheck):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayGetByVal):
* runtime/Butterfly.h:
(JSC::Butterfly::computeIndexingMask const):
(JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
(JSC::Wasm::B3IRGenerator::load):
(JSC::Wasm::B3IRGenerator::store):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::Memory):
(JSC::Wasm::Memory::grow):
* wasm/WasmMemory.h:
(JSC::Wasm::Memory::offsetOfIndexingMask):
* wasm/WasmMemoryInformation.cpp:
(JSC::Wasm::PinnedRegisterInfo::get):
(JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
* wasm/WasmMemoryInformation.h:
(JSC::Wasm::PinnedRegisterInfo::toSave const):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
2018-01-05 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r226434.
https://bugs.webkit.org/show_bug.cgi?id=181322
32bit JSC failure in x86 (Requested by yusukesuzuki on
#webkit).
Reverted changeset:
"[DFG] Unify ToNumber implementation in 32bit and 64bit by
changing 32bit Int32Tag and LowestTag"
https://bugs.webkit.org/show_bug.cgi?id=181134
https://trac.webkit.org/changeset/226434
2018-01-04 Devin Rousso <webkit@devinrousso.com>
Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
https://bugs.webkit.org/show_bug.cgi?id=180770
Reviewed by Joseph Pecoraro.
* inspector/protocol/Canvas.json:
2018-01-04 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r226405.
https://bugs.webkit.org/show_bug.cgi?id=181318
Speculative rollout due to Octane/SplayLatency,Octane/Splay
regressions (Requested by yusukesuzuki on #webkit).
Reverted changeset:
"[JSC] Create parallel SlotVisitors apriori"
https://bugs.webkit.org/show_bug.cgi?id=180907
https://trac.webkit.org/changeset/226405
2018-01-04 Saam Barati <sbarati@apple.com>
Do value profiling in to_this
https://bugs.webkit.org/show_bug.cgi?id=181299
Reviewed by Filip Pizlo.
This patch adds value profiling to to_this. We use the result of the value
profiling only for strict mode code when we don't predict that the input is
of a specific type. This helps when the input is SpecCellOther. Such cells
might implement a custom ToThis, which can produce an arbitrary result. Before
this patch, in prediction propagation, we were saying that a ToThis with a
SpecCellOther input also produced SpecCellOther. However, this is incorrect,
given that the input may implement ToThis that produces an arbitrary result.
This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.
Interestingly, this patch only does value profiling on the slow path. The fast
path of to_this in the LLInt/baseline just perform a structure check. If it
passes, the result is the same as the input. Therefore, doing value profiling
from the fast path wouldn't actually produce new information for the ValueProfile.
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeList.json:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitToThis):
* bytecompiler/BytecodeGenerator.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGPredictionPropagationPhase.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
https://bugs.webkit.org/show_bug.cgi?id=181134
Reviewed by Mark Lam.
We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
an additional scratch register. We do not want to allocate an unnecessary register in 64bit
implementation.
This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
`<= LowestTag(Int32Tag)`.
We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.
We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileDoubleRep):
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateMisc):
(JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
(JSC::DFG::SpeculativeJIT::compileToNumber):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::branchIfNotType):
(JSC::AssemblyHelpers::jitAssertIsJSNumber):
(JSC::AssemblyHelpers::emitConvertValueToBoolean):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfMisc):
(JSC::AssemblyHelpers::branchIfNotMisc):
(JSC::AssemblyHelpers::branchIfNumber):
(JSC::AssemblyHelpers::branchIfNotNumber):
(JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
(JSC::AssemblyHelpers::emitTypeOf):
* jit/JITAddGenerator.cpp:
(JSC::JITAddGenerator::generateFastPath):
* jit/JITArithmetic32_64.cpp:
(JSC::JIT::emitBinaryDoubleOp):
* jit/JITDivGenerator.cpp:
(JSC::JITDivGenerator::loadOperand):
* jit/JITMulGenerator.cpp:
(JSC::JITMulGenerator::generateInline):
(JSC::JITMulGenerator::generateFastPath):
* jit/JITNegGenerator.cpp:
(JSC::JITNegGenerator::generateInline):
(JSC::JITNegGenerator::generateFastPath):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_is_number):
(JSC::JIT::emit_op_jeq_null):
(JSC::JIT::emit_op_jneq_null):
(JSC::JIT::emit_op_to_number):
(JSC::JIT::emit_op_profile_type):
* jit/JITRightShiftGenerator.cpp:
(JSC::JITRightShiftGenerator::generateFastPath):
* jit/JITSubGenerator.cpp:
(JSC::JITSubGenerator::generateInline):
(JSC::JITSubGenerator::generateFastPath):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* runtime/JSCJSValue.h:
2018-01-04 JF Bastien <jfbastien@apple.com>
Add assembler support for x86 lfence and sfence
https://bugs.webkit.org/show_bug.cgi?id=181311
<rdar://problem/36301780>
Reviewed by Michael Saboff.
Useful for testing performance of serializing instructions (hint:
it's not good).
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::lfence):
(JSC::MacroAssemblerX86Common::sfence):
* assembler/X86Assembler.h:
(JSC::X86Assembler::lfence):
(JSC::X86Assembler::sfence):
2018-01-04 Saam Barati <sbarati@apple.com>
Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
https://bugs.webkit.org/show_bug.cgi?id=181296
Reviewed by Filip Pizlo.
Inside Speedometer's Ember test, there is a recompile loop like:
a: GetByVal(..., semanticOriginX)
b: SetLocal(Cell:@a, semanticOriginX)
where the cell check always fails. For reasons I didn't investigate, the
baseline JIT's value profiling doesn't accurately capture the GetByVal's
result.
However, when compiling this cell speculation check in the DFG, we get a null
MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
this IR pattern because both @a and @b have the same semantic origin. We
should not follow the same semantic origin heuristic when dealing with
SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
For this IR pattern, we will update the value profile for the semantic origin
for @nodeWithHeapPrediction. So, for the Speedometer example above, we
will correctly update the GetByVal's value profile, which will prevent
an OSR exit loop.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2018-01-04 Keith Miller <keith_miller@apple.com>
Array Storage operations sometimes did not update the indexing mask correctly.
https://bugs.webkit.org/show_bug.cgi?id=181301
Reviewed by Mark Lam.
I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::increaseVectorLength):
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Define defs for MapSet/SetAdd to participate in CSE
https://bugs.webkit.org/show_bug.cgi?id=179911
Reviewed by Saam Barati.
With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
To handle a bit tricky DFG Map operation nodes, MapSet and SetAdd
produce added bucket as its result. Subsequent GetMapBucket will
be removed by CSE.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSetAdd):
(JSC::DFG::SpeculativeJIT::compileMapSet):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
* jit/JITOperations.h:
* runtime/HashMapImpl.h:
(JSC::HashMapImpl::addNormalized):
(JSC::HashMapImpl::addNormalizedInternal):
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove LocalScope
https://bugs.webkit.org/show_bug.cgi?id=181206
Reviewed by Geoffrey Garen.
The last user of HandleStack and LocalScope is JSON. But MarkedArgumentBuffer is enough for their use.
This patch changes JSON parsing and stringifying to using MarkedArgumentBuffer. And remove HandleStack
and LocalScope.
We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack. So they can hold
JSObject* directly in their fields.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* heap/HandleStack.cpp: Removed.
* heap/HandleStack.h: Removed.
* heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* heap/Heap.h:
(JSC::Heap::handleSet):
(JSC::Heap::handleStack): Deleted.
* heap/Local.h: Removed.
* heap/LocalScope.h: Removed.
* runtime/JSONObject.cpp:
(JSC::Stringifier::Holder::object const):
(JSC::gap):
(JSC::Stringifier::Stringifier):
(JSC::Stringifier::stringify):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Stringifier::Holder::Holder):
(JSC::Stringifier::Holder::appendNextProperty):
(JSC::Walker::Walker):
(JSC::Walker::callReviver):
(JSC::Walker::walk):
(JSC::JSONProtoFuncParse):
(JSC::JSONProtoFuncStringify):
(JSC::JSONParse):
(JSC::JSONStringify):
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
https://bugs.webkit.org/show_bug.cgi?id=180238
Reviewed by Saam Barati.
We can optimize ObjectAllocationSinking a bit by using removeIf.
* dfg/DFGObjectAllocationSinkingPhase.cpp:
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Create parallel SlotVisitors apriori
https://bugs.webkit.org/show_bug.cgi?id=180907
Reviewed by Saam Barati.
The number of SlotVisitors are capped with the number of HeapHelperPool's threads + 2.
If we create these SlotVisitors apriori, we do not need to create SlotVisitors dynamically.
Then we do not need to grab locks while iterating all the SlotVisitors.
In addition, we do not need to consider the case that the number of SlotVisitors increases
after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
does not increase any more.
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::runBeginPhase):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::forEachSlotVisitor):
(JSC::Heap::numberOfSlotVisitors): Deleted.
* heap/MarkingConstraintSolver.cpp:
(JSC::MarkingConstraintSolver::didVisitSomething const):
2018-01-03 Ting-Wei Lan <lantw44@gmail.com>
Replace hard-coded paths in shebangs with #!/usr/bin/env
https://bugs.webkit.org/show_bug.cgi?id=181040
Reviewed by Alex Christensen.
* Scripts/UpdateContents.py:
* Scripts/cssmin.py:
* Scripts/generate-combined-inspector-json.py:
* Scripts/xxd.pl:
* create_hash_table:
* generate-bytecode-files:
* wasm/generateWasm.py:
* wasm/generateWasmOpsHeader.py:
* yarr/generateYarrCanonicalizeUnicode:
2018-01-03 Michael Saboff <msaboff@apple.com>
Disable SharedArrayBuffers from Web API
https://bugs.webkit.org/show_bug.cgi?id=181266
Reviewed by Saam Barati.
Removed SharedArrayBuffer prototype and structure from GlobalObject creation
to disable.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrayBufferPrototype const):
(JSC::JSGlobalObject::arrayBufferStructure const):
2018-01-03 Michael Saboff <msaboff@apple.com>
Add "noInline" to $vm
https://bugs.webkit.org/show_bug.cgi?id=181265
Reviewed by Mark Lam.
This would be useful for web based tests.
* tools/JSDollarVM.cpp:
(JSC::getExecutableForFunction):
(JSC::functionNoInline):
(JSC::JSDollarVM::finishCreation):
2018-01-03 Michael Saboff <msaboff@apple.com>
Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
https://bugs.webkit.org/show_bug.cgi?id=181263
Reviewed by Mark Lam.
Flushing the butterfly pointer provides no benefit and slows this function.
* tools/JSDollarVM.cpp:
(JSC::functionCpuClflush):
2018-01-03 Saam Barati <sbarati@apple.com>
Fix BytecodeParser op_catch assert to work with useProfiler=1
https://bugs.webkit.org/show_bug.cgi?id=181260
Reviewed by Keith Miller.
op_catch was asserting that the current block was empty. This is only true
if the profiler isn't enabled. When the profiler is enabled, we will
insert a CountExecution node before each bytecode. This patch fixes the
assert to work with the profiler.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
2018-01-03 Per Arne Vollan <pvollan@apple.com>
[Win][Debug] testapi link error.
https://bugs.webkit.org/show_bug.cgi?id=181247
<rdar://problem/36166729>
Reviewed by Brent Fulgham.
Do not set the runtime library compile flag for C files, it is already set to the correct value.
* shell/PlatformWin.cmake:
2018-01-03 Robin Morisset <rmorisset@apple.com>
Inlining of a function that ends in op_unreachable crashes
https://bugs.webkit.org/show_bug.cgi?id=181027
Reviewed by Filip Pizlo.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::allocateTargetableBlock):
(JSC::DFG::ByteCodeParser::inlineCall):
2018-01-02 Saam Barati <sbarati@apple.com>
Incorrect assertion inside AccessCase
https://bugs.webkit.org/show_bug.cgi?id=181200
<rdar://problem/35494754>
Reviewed by Yusuke Suzuki.
Consider a PutById compiled to a setter in a function like so:
```
function foo(o) { o.f = o; }
```
The DFG will often assign the same registers to the baseGPR (o in o.f) and the
valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
to the same register. However, we're asserting that they're not the same register.
This patch just removes this invalid assertion.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
2018-01-02 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
https://bugs.webkit.org/show_bug.cgi?id=175359
Reviewed by Yusuke Suzuki.
This patch is implementing BigIntConstructor and BigIntPrototype
following spec[1, 2]. As addition, we are also implementing BigIntObject
warapper to handle ToObject(v) abstract operation when "v" is a BigInt
primitive. With these classes, now it's possible to syntetize
BigInt.prototype and then call "toString", "valueOf" and
"toLocaleString" when the primitive is a BigInt.
BigIntConstructor exposes an API to parse other primitives such as
Number, Boolean and String to BigInt.
We decided to skip parseInt implementation, since it was removed from
spec.
[1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
[2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* jsc.cpp:
* runtime/BigIntConstructor.cpp: Added.
(JSC::BigIntConstructor::BigIntConstructor):
(JSC::BigIntConstructor::finishCreation):
(JSC::isSafeInteger):
(JSC::toBigInt):
(JSC::callBigIntConstructor):
(JSC::bigIntConstructorFuncAsUintN):
(JSC::bigIntConstructorFuncAsIntN):
* runtime/BigIntConstructor.h: Added.
(JSC::BigIntConstructor::create):
(JSC::BigIntConstructor::createStructure):
* runtime/BigIntObject.cpp: Added.
(JSC::BigIntObject::BigIntObject):
(JSC::BigIntObject::finishCreation):
(JSC::BigIntObject::toStringName):
(JSC::BigIntObject::defaultValue):
* runtime/BigIntObject.h: Added.
(JSC::BigIntObject::create):
(JSC::BigIntObject::internalValue const):
(JSC::BigIntObject::createStructure):
* runtime/BigIntPrototype.cpp: Added.
(JSC::BigIntPrototype::BigIntPrototype):
(JSC::BigIntPrototype::finishCreation):
(JSC::toThisBigIntValue):
(JSC::bigIntProtoFuncToString):
(JSC::bigIntProtoFuncToLocaleString):
(JSC::bigIntProtoFuncValueOf):
* runtime/BigIntPrototype.h: Added.
(JSC::BigIntPrototype::create):
(JSC::BigIntPrototype::createStructure):
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::initializeCollator):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::createFrom):
(JSC::JSBigInt::parseInt):
(JSC::JSBigInt::toObject const):
* runtime/JSBigInt.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::synthesizePrototype const):
* runtime/JSCPoisonedPtr.cpp:
* runtime/JSCell.cpp:
(JSC::JSCell::toObjectSlow const):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::bigIntPrototype const):
(JSC::JSGlobalObject::bigIntObjectStructure const):
* runtime/StructureCache.h:
* runtime/StructureInlines.h:
(JSC::prototypeForLookupPrimitiveImpl):
2018-01-02 Tim Horton <timothy_horton@apple.com>
Fix the MathCommon build with a recent compiler
https://bugs.webkit.org/show_bug.cgi?id=181216
Reviewed by Sam Weinig.
* runtime/MathCommon.cpp:
(JSC::fdlibmPow):
This cast drops the 'const' qualifier from the pointer to 'one',
but it doesn't have to, and it makes the compiler sad.
== Rolled over to ChangeLog-2018-01-01 ==