Google Git
Sign in
webkit / WebKit / 4a2ed9748095d9d9d9c83cc3fc134461dc7ac0b6 / . / Source / JavaScriptCore / ChangeLog
blob: ec8b6c593c59413b3237f27b7199165a2eccdaa2 [file] [log] [blame]
2021-09-02 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Fix WebKitAdditions directory traversal in offlineasm
https://bugs.webkit.org/show_bug.cgi?id=229841
Reviewed by Mark Lam.
When DEPLOYMENT_LOCATION is YES, WebKitAdditions directory becomes /usr/local/include/WebKitAdditions.
This patch adds --use-deployment-location option to generate_offset_extractor.rb, generate_settings_extractor.rb,
and asm.rb. And they pass it to parser to change the include directory.
* JavaScriptCore.xcodeproj/project.pbxproj:
* offlineasm/asm.rb:
* offlineasm/generate_offset_extractor.rb:
* offlineasm/generate_settings_extractor.rb:
* offlineasm/parser.rb:
2021-09-02 Ross Kirsling <ross.kirsling@sony.com>
[JSC] ScriptExecutable::newCodeBlockFor should handle exceptions more predictably
https://bugs.webkit.org/show_bug.cgi?id=229787
Reviewed by Mark Lam.
ScriptExecutable::newCodeBlockFor has four codepaths -- one for each of EvalExecutable, ProgramExecutable,
ModuleProgramExecutable, and FunctionExecutable. These all end up in bool CodeBlock::finishCreation(...),
but the first three overwrite the current exception with an OOM error while the last does not.
Furthermore, newCodeBlockFor handles exceptions via an out param, which is then returned by its single caller,
prepareForExecutionImpl.
Altogether, this results in some questionable checking of the returned exception against throwScope.exception()
at prepareForExecution's callsites in Interpreter and elsewhere.
This patch aims to make this exception handling clearer and more consistent by:
1. not overwriting an existing exception with an OOM error
2. doing away with the out param in favor of RETURN_IF_EXCEPTION
* bytecode/CodeBlock.h:
(JSC::ScriptExecutable::prepareForExecution):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeModuleProgram):
* interpreter/InterpreterInlines.h:
(JSC::Interpreter::execute):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
(JSC::virtualForWithFunction):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::newCodeBlockFor):
(JSC::ScriptExecutable::prepareForExecutionImpl):
* runtime/ScriptExecutable.h:
2021-09-02 Mikhail R. Gadelha <mikhail@igalia.com>
Fix IndexedDoubleStore InlineAccess for 32 bits
https://bugs.webkit.org/show_bug.cgi?id=229772
Reviewed by Caio Araujo Neponoceno de Lima.
In IndexedDoubleStore inline access, the path if the value is NaN
is only being handled in 64 bits, thus introducing some wrong
results in 32 bits. This patch fixes:
stress/double-add-sub-mul-can-produce-nan.js
stress/pow-stable-results.js
stress/math-pow-stable-results.js
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
2021-09-02 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Fix invalid exception checks in Temporal classes
https://bugs.webkit.org/show_bug.cgi?id=229793
Reviewed by Yusuke Suzuki.
* runtime/TemporalCalendarPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/TemporalDuration.cpp:
(JSC::TemporalDuration::fromObject):
(JSC::TemporalDuration::toDuration):
(JSC::TemporalDuration::with const):
* runtime/TemporalDurationPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
2021-09-02 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, annotate executeJSCJITProbe with REFERENCED_FROM_ASM WTF_INTERNAL
* assembler/ProbeContext.h:
2021-09-02 Mark Lam <mark.lam@apple.com>
Add more support for JIT operation validation testing.
https://bugs.webkit.org/show_bug.cgi?id=229534
rdar://81526335
Reviewed by Saam Barati.
1. Added a JITOperationValidation.h to tidy up the code for supporting JIT
operation validation.
2. Introduce a JITOperationAnnotation struct to record JIT operation function
pointers, with an extra pointer field for a validation test function.
3. Changed JSC_ANNOTATE_JIT_OPERATION to capture a JITOperationAnnotation struct
instead of just a single operation pointer.
4. Converted the static addPointers() function in JITOperationList.cpp into a
member function of JITOperationList. This allows for the code to be more
terse, as well as enables the use of an inverse map mechanism on debug builds
only.
5. Added more macros to help differentiate between different types of JIT
operation functions.
6. Made all JIT operation functions use extern "C" linkage to make it possible to
write validation tests in assembly so that we can run them on a release build
as well without taking too much time.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/JITOperationList.cpp:
(JSC::JITOperationList::addInverseMap):
(JSC::JITOperationList::addPointers):
(JSC::JITOperationList::populatePointersInJavaScriptCore):
(JSC::JITOperationList::populatePointersInJavaScriptCoreForLLInt):
(JSC::JITOperationList::populatePointersInEmbedder):
(JSC::addPointers): Deleted.
* assembler/JITOperationList.h:
(JSC::JITOperationList::map const):
(JSC::JITOperationList::inverseMap const):
(JSC::JITOperationList::assertIsJITOperation):
(JSC::JITOperationList::assertIsJITOperationWithvalidation):
* assembler/JITOperationValidation.h: Added.
* assembler/MacroAssemblerARM64.cpp:
* assembler/MacroAssemblerARM64.h:
* assembler/MacroAssemblerARM64E.h:
* assembler/MacroAssemblerARMv7.cpp:
* assembler/MacroAssemblerMIPS.cpp:
* assembler/MacroAssemblerX86Common.cpp:
* b3/testb3.h:
* b3/testb3_1.cpp:
* b3/testb3_5.cpp:
* b3/testb3_7.cpp:
* dfg/DFGOSRExit.h:
* ftl/FTLLowerDFGToB3.cpp:
* jit/ExecutableAllocator.cpp:
(JSC::initializeJITPageReservation):
* jit/Repatch.cpp:
(JSC::retagOperationWithValidation):
(JSC::retagCallTargetWithValidation):
(JSC::readPutICCallTarget):
* jit/ThunkGenerators.cpp:
* jsc.cpp:
* llint/LLIntData.cpp:
* llint/LLIntThunks.cpp:
* runtime/CommonSlowPaths.h:
* runtime/JSCPtrTag.h:
(JSC::tagJSCCodePtrImpl):
(JSC::untagJSCCodePtrImpl):
(JSC::isTaggedJSCCodePtrImpl):
* runtime/MathCommon.h:
* runtime/Options.cpp:
(JSC::canUseJITCage):
* tools/JSDollarVM.cpp:
* yarr/YarrJIT.cpp:
2021-09-01 Ross Kirsling <ross.kirsling@sony.com>
Unreviewed exception scope verification fix for r241171.
* runtime/TemporalDurationConstructor.cpp:
Add missing RELEASE_AND_RETURN.
2021-09-01 Myles C. Maxfield <mmaxfield@apple.com>
Fix the Xcode build after r281838
Unreviewed.
* DerivedSources-input.xcfilelist:
* DerivedSources-output.xcfilelist:
2021-09-01 Zan Dobersek <zdobersek@igalia.com>
REGRESSION(r279256): Crash in JSC::FTL::saveAllRegisters
https://bugs.webkit.org/show_bug.cgi?id=229235
<rdar://problem/82337517>
Reviewed by Mark Lam.
Avoid out-of-bounds access into RegisterSet's underlying Bitmap that
occurs in FTL::saveAllRegisters() and FTL::restoreAllRegisters(). Helper
Regs::nextRegister() and Regs::nextFPRegister() methods can increase the
register ID values beyond the valid values, at which point there's a
possibility of misuse if these register ID values are used to index into
the Bitmap.
To avoid this, iterating over RegisterID and FPRegisterID ranges is
simplified yet kept efficient, and access into the RegisterSet is now
only done if the register ID values are valid.
This enables removing Regs::nextFPRegister(). Regs::nextRegister() is
still used but is not adjusted to also use a for-loop to iterate across
the valid RegisterID values, and only for those values the access into
the RegisterSet is possible.
* ftl/FTLSaveRestore.cpp:
(JSC::FTL::saveAllRegisters):
(JSC::FTL::restoreAllRegisters):
2021-08-31 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Implement Temporal.Duration
https://bugs.webkit.org/show_bug.cgi?id=228532
Reviewed by Yusuke Suzuki.
This patch implements the Duration class for the upcoming Temporal API (currently at stage 3 in TC39).
Spec: https://tc39.es/proposal-temporal/#sec-temporal-duration-objects
Docs: https://tc39.es/proposal-temporal/docs/duration.html
A Duration is ultimately an array of doubles (years, months, weeks, days, hours, minutes, seconds, ms, μs, ns)
which can be converted to and from an ISO string representation (e.g. "-P1Y2M3W4DT5H6M7.123456789S")
and which supports various calculations.
The spec is still in flux and certain issues were identified in the course of preparing this patch.
This code aims to be "as correct as possible" for the moment; small corrections are expected in the near future.
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* runtime/CommonIdentifiers.h:
* runtime/ISO8601.cpp: Added.
* runtime/ISO8601.h: Added.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildrenImpl):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::durationStructure):
* runtime/TemporalDuration.cpp: Added.
* runtime/TemporalDuration.h: Added.
* runtime/TemporalDurationConstructor.cpp: Added.
* runtime/TemporalDurationConstructor.h: Added.
* runtime/TemporalDurationPrototype.cpp: Added.
* runtime/TemporalDurationPrototype.h: Added.
* runtime/TemporalObject.cpp:
(JSC::createDurationConstructor):
(JSC::singularUnit):
(JSC::temporalUnitType):
(JSC::temporalLargestUnit):
(JSC::temporalSmallestUnit):
(JSC::temporalFractionalSecondDigits):
(JSC::secondsStringPrecision):
(JSC::maximumRoundingIncrement):
(JSC::temporalRoundingIncrement):
(JSC::roundNumberToIncrement):
* runtime/TemporalObject.h:
* runtime/VM.cpp:
* runtime/VM.h:
2021-08-31 Lauro Moura <lmoura@igalia.com>
Non-unified build partial fixes, late late August 2021
https://bugs.webkit.org/show_bug.cgi?id=229741
Unreviewed non-unified build fixes.
* bytecode/PutByStatus.cpp: Add missing header.
* bytecode/PutByVariant.h: Ditto.
* runtime/TemporalCalendar.cpp: Ditto.
* runtime/TemporalCalendarPrototype.cpp: Ditto.
2021-08-31 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Enable Object.hasOwn
https://bugs.webkit.org/show_bug.cgi?id=229730
Reviewed by Saam Barati.
Enable Object.hasOwn implementation. And cleaning up feature flag list.
* runtime/OptionsList.h:
2021-08-31 Saam Barati <sbarati@apple.com>
Baseline JIT's in_by_val and emitHasPrivate should load the property before branching on if the base is a cell
https://bugs.webkit.org/show_bug.cgi?id=229725
Reviewed by Keith Miller.
If the base isn't a cell, we're calling the slow path with a random value
in the property. This works, because the slow paths first branch on if
the base is a cell or not, and throw an exception. But we fix this for our
own sanity, since it's never a good idea to go to a slow path with a
JSValue argument containing unknown bits.
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitHasPrivate):
2021-08-31 Aditi Singh <asingh@igalia.com>
Implement Object.hasOwn()
https://bugs.webkit.org/show_bug.cgi?id=226291
Reviewed by Alexey Shvayka.
This patch implements Object.hasOwn() method which is a stage 3 proposal. The method is disabled by default and can be enabled using the feature flag.
The proposal details can be found here: https://github.com/tc39/proposal-accessible-object-hasownproperty.
The patch also refines objectPrototypeHasOwnProperty() to accept JSObject* base rather than JSValue.
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* runtime/CommonIdentifiers.h:
* runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* runtime/ObjectConstructor.cpp:
(JSC::ObjectConstructor::finishCreation):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/ObjectPrototype.cpp:
(JSC::objectPrototypeHasOwnProperty):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/ObjectPrototype.h:
* runtime/OptionsList.h:
2021-08-26 Darin Adler <darin@apple.com>
Cut down on use of CFGetTypeID, using dynamic_cf_cast instead; related streamlining
https://bugs.webkit.org/show_bug.cgi?id=229414
Reviewed by Tim Horton.
* inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
(Inspector::RemoteInspectorXPCConnection::deserializeMessage): Use
dynamic_cf_cast to check type instead of CFGetTypeID. Also do the
check at runtime rather than asserting. Not really sufficient to
assert correct type for something that comes over an XPC connection.
2021-08-30 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Host functions and custom getters should be lowerCamelCase
https://bugs.webkit.org/show_bug.cgi?id=229695
Reviewed by Yusuke Suzuki.
For some reason, the host functions and custom getters for Intl (and JSONObject) were written in UpperCamelCase.
* runtime/IntlCollatorConstructor.cpp:
* runtime/IntlCollatorPrototype.cpp:
* runtime/IntlDateTimeFormatConstructor.cpp:
* runtime/IntlDateTimeFormatPrototype.cpp:
* runtime/IntlDisplayNamesConstructor.cpp:
* runtime/IntlDisplayNamesPrototype.cpp:
* runtime/IntlListFormatConstructor.cpp:
* runtime/IntlListFormatPrototype.cpp:
* runtime/IntlLocalePrototype.cpp:
* runtime/IntlNumberFormatConstructor.cpp:
* runtime/IntlNumberFormatPrototype.cpp:
* runtime/IntlPluralRulesConstructor.cpp:
* runtime/IntlPluralRulesPrototype.cpp:
* runtime/IntlRelativeTimeFormatConstructor.cpp:
* runtime/IntlRelativeTimeFormatPrototype.cpp:
* runtime/IntlSegmentIteratorPrototype.cpp:
* runtime/IntlSegmenterConstructor.cpp:
* runtime/IntlSegmenterPrototype.cpp:
* runtime/IntlSegmentsPrototype.cpp:
* runtime/JSONObject.cpp:
2021-08-30 Ross Kirsling <ross.kirsling@sony.com>
[JSC][Intl] Errors for .call({}) are too verbose
https://bugs.webkit.org/show_bug.cgi?id=229694
Reviewed by Yusuke Suzuki.
* runtime/IntlCollatorPrototype.cpp:
* runtime/IntlDateTimeFormatPrototype.cpp:
* runtime/IntlDisplayNamesPrototype.cpp:
* runtime/IntlListFormatPrototype.cpp:
* runtime/IntlLocalePrototype.cpp:
* runtime/IntlNumberFormatPrototype.cpp:
* runtime/IntlPluralRulesPrototype.cpp:
* runtime/IntlRelativeTimeFormatPrototype.cpp:
* runtime/IntlSegmentIteratorPrototype.cpp:
* runtime/IntlSegmenterPrototype.cpp:
* runtime/IntlSegmentsPrototype.cpp:
2021-08-30 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Implement Temporal.Calendar
https://bugs.webkit.org/show_bug.cgi?id=229651
Reviewed by Ross Kirsling.
This patch implements Temporal.Calendar's simple part. Currently, we do not implement many part of Temporal.Calendar since
we do not have Temporal Date-like structures yet, but this patch implemented core part of Temporal.Calendar: keeping calendar
identifier.
We also defer implementing Temporal.Calendar.from's calendar ID parsing part since it requires full-fledged ISO 8601 parser,
which will be implemented in a separate patch.
We use `unsigned` for CalendarID, and this id corresponds to the array index of intlAvailableCalendars, which returns array
of String from ICU.
* CMakeLists.txt:
* DerivedSources-input.xcfilelist:
* DerivedSources-output.xcfilelist:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* runtime/CommonIdentifiers.h:
* runtime/IntlObject.cpp:
(JSC::intlAvailableCalendars):
(JSC::iso8601CalendarIDSlow):
(JSC::availableCalendars):
(JSC::createArrayFromStringVector): Deleted.
* runtime/IntlObject.h:
(JSC::iso8601CalendarID):
* runtime/IntlObjectInlines.h:
(JSC::createArrayFromStringVector):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildrenImpl):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::calendarStructure):
* runtime/TemporalCalendar.cpp: Added.
(JSC::TemporalCalendar::create):
(JSC::TemporalCalendar::createStructure):
(JSC::TemporalCalendar::TemporalCalendar):
(JSC::TemporalCalendar::isBuiltinCalendar):
(JSC::parseTemporalCalendarString):
(JSC::TemporalCalendar::from):
* runtime/TemporalCalendar.h: Added.
* runtime/TemporalCalendarConstructor.cpp: Added.
(JSC::TemporalCalendarConstructor::create):
(JSC::TemporalCalendarConstructor::createStructure):
(JSC::TemporalCalendarConstructor::TemporalCalendarConstructor):
(JSC::TemporalCalendarConstructor::finishCreation):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/TemporalCalendarConstructor.h: Added.
* runtime/TemporalCalendarPrototype.cpp: Added.
(JSC::TemporalCalendarPrototype::create):
(JSC::TemporalCalendarPrototype::createStructure):
(JSC::TemporalCalendarPrototype::TemporalCalendarPrototype):
(JSC::TemporalCalendarPrototype::finishCreation):
(JSC::JSC_DEFINE_CUSTOM_GETTER):
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::defaultMergeFields):
* runtime/TemporalCalendarPrototype.h: Added.
* runtime/TemporalObject.cpp:
(JSC::createCalendarConstructor):
* runtime/VM.cpp:
* runtime/VM.h:
2021-08-30 Ross Kirsling <ross.kirsling@sony.com>
Unreviewed, add missing include to pre-empt unified source shift.
* runtime/IntlObject.cpp:
2021-08-30 Angelos Oikonomopoulos <angelos@igalia.com>
resolve-asm-file-conflicts.rb build failure after upgrade to CMake 3.21.0; DWARF 5 incompatibility
https://bugs.webkit.org/show_bug.cgi?id=228267
Reviewed by Adrian Perez de Castro.
Implement the fix suggested by Adrian Vovk: any .file 0 directive
should pass through unchanged.
While here
- if the file path is an absolute path, don't concat it with the working directory
- also accept 'md5 0xhash' in the .file directive.
* Scripts/resolve-asm-file-conflicts.rb:
2021-08-30 Zan Dobersek <zdobersek@igalia.com>
RISCV64 support in LLInt
https://bugs.webkit.org/show_bug.cgi?id=229035
<rdar://problem/82120908>
Reviewed by Yusuke Suzuki.
Introduce RISCV64 support at the LLint level. Along with the necessary
offlineasm backend, plenty of miscellaneous code around MacroAssembler
infrastructure is also introduced.
Of the existing supported architectures, RISCV64 is most similar to
ARM64, with the same word size and similar register abundance. This is
mirrored in most changes around the MacroAssembler infrastructure as
well as using same or similar codepaths in LLint for the two ISAs.
For the MacroAssembler infrastructure, it won't be used until proper JIT
support is introduced, but the basic facilities are still necessary to
keep things compiling without complicating the configuration matrix.
MacroAssemblerRISCV64 class provides no-op methods through C++ templates
while RISCV64Assembler is also added in a limited form.
The riscv64 offlineasm backend covers assembly generation for
instructions that are exhibited by LLInt in the current configuration.
It doesn't cover instructions that e.g. are only used in the WebAssembly
opcodes, and WebAssembly won't be enabled until the higher JIT tiers are
supported anyway.
The offlineasm backend's assembly generation for specific instructions
uses pattern matching of operand types for better overview of how
resulting assembly is constructed. There's still certain improvements
possible, e.g. in how scratch registers for more expansive operations
are allocated.
* CMakeLists.txt:
* Sources.txt:
* assembler/AbstractMacroAssembler.h:
* assembler/MacroAssembler.h:
* assembler/MacroAssemblerRISCV64.cpp: Added.
(JSC::MacroAssembler::probe):
* assembler/MacroAssemblerRISCV64.h: Added.
Distorted auto-generated method list removed. Necessary methods are
introduced through no-op templates until actually needed for JIT
generation.
* assembler/MaxFrameExtentForSlowPathCall.h:
* assembler/PerfLog.cpp:
* assembler/ProbeContext.h:
* assembler/RISCV64Assembler.h: Added.
(JSC::RISCV64Assembler::firstRegister):
(JSC::RISCV64Assembler::lastRegister):
(JSC::RISCV64Assembler::numberOfRegisters):
(JSC::RISCV64Assembler::firstSPRegister):
(JSC::RISCV64Assembler::lastSPRegister):
(JSC::RISCV64Assembler::numberOfSPRegisters):
(JSC::RISCV64Assembler::firstFPRegister):
(JSC::RISCV64Assembler::lastFPRegister):
(JSC::RISCV64Assembler::numberOfFPRegisters):
(JSC::RISCV64Assembler::gprName):
(JSC::RISCV64Assembler::sprName):
(JSC::RISCV64Assembler::fprName):
(JSC::RISCV64Assembler::RISCV64Assembler):
(JSC::RISCV64Assembler::buffer):
(JSC::RISCV64Assembler::invert):
(JSC::RISCV64Assembler::getRelocatedAddress):
(JSC::RISCV64Assembler::codeSize const):
(JSC::RISCV64Assembler::getCallReturnOffset):
(JSC::RISCV64Assembler::labelIgnoringWatchpoints):
(JSC::RISCV64Assembler::labelForWatchpoint):
(JSC::RISCV64Assembler::label):
(JSC::RISCV64Assembler::linkJump):
(JSC::RISCV64Assembler::linkCall):
(JSC::RISCV64Assembler::linkPointer):
(JSC::RISCV64Assembler::maxJumpReplacementSize):
(JSC::RISCV64Assembler::patchableJumpSize):
(JSC::RISCV64Assembler::repatchPointer):
(JSC::RISCV64Assembler::relinkJump):
(JSC::RISCV64Assembler::relinkJumpToNop):
(JSC::RISCV64Assembler::relinkCall):
(JSC::RISCV64Assembler::debugOffset):
(JSC::RISCV64Assembler::cacheFlush):
(JSC::RISCV64Assembler::fillNops):
* assembler/RISCV64Registers.h: Added.
* jit/FPRInfo.h:
(JSC::FPRInfo::toRegister):
(JSC::FPRInfo::toArgumentRegister):
(JSC::FPRInfo::toIndex):
(JSC::FPRInfo::debugName):
* jit/GPRInfo.h:
(JSC::GPRInfo::toRegister):
(JSC::GPRInfo::toArgumentRegister):
(JSC::GPRInfo::toIndex):
(JSC::GPRInfo::debugName):
* jit/RegisterSet.cpp:
(JSC::RegisterSet::vmCalleeSaveRegisters):
(JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
* llint/LLIntData.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/backends.rb: Reference the riscv64 backend as required.
* offlineasm/registers.rb: List additional possible registers.
* offlineasm/riscv64.rb: Added.
2021-08-29 Keith Miller <keith_miller@apple.com>
Add openFile function to jsc.cpp that links to file backed memory
https://bugs.webkit.org/show_bug.cgi?id=229621
Reviewed by Saam Barati.
This patch uses fopen directly rather than use WTF::MappedFileData so there were less changes to
readline.
* jsc.cpp:
(computeFilePath):
(JSC_DEFINE_HOST_FUNCTION):
(JSFileDescriptor::subspaceFor):
(JSFileDescriptor::createStructure):
(JSFileDescriptor::create):
(JSFileDescriptor::finishCreation):
(JSFileDescriptor::destroy):
(JSFileDescriptor::descriptor const):
(JSFileDescriptor::JSFileDescriptor):
(JSFileDescriptor::~JSFileDescriptor):
2021-08-29 Joonghun Park <jh718.park@samsung.com>
Unreviewed. Remove the build warning below since r281615.
warning: control reaches end of non-void function [-Wreturn-type]
* bytecode/PutByStatus.cpp:
(JSC::PutByStatus::makesCalls const):
2021-08-28 Cameron McCormack <heycam@apple.com>
Miscellaneous typo fixes
https://bugs.webkit.org/show_bug.cgi?id=229642
Reviewed by Fujii Hironori.
* API/JSValue.h:
* runtime/RegExp.cpp:
(JSC::RegExp::matchCompareWithInterpreter):
2021-08-27 Stephan Szabo <stephan.szabo@sony.com>
[PlayStation][CMake] Add control over whether JavaScriptCore should be shared
https://bugs.webkit.org/show_bug.cgi?id=229591
Reviewed by Don Olmstead.
Make LowLevelInterpreterLib objects get added via _PRIVATE_LIBRARIES when
using JavaScriptCore as an object library in order to propogate them
correctly.
* CMakeLists.txt:
2021-08-27 Russell Epstein <repstein@apple.com>
Land Windows build fixes from safari-612.1.29.14-branch.
https://bugs.webkit.org/show_bug.cgi?id=229627.
Reviewed by Per Arne Vollan.
* JavaScriptCore.vcxproj/JavaScriptCore.proj:
2021-08-27 Mark Lam <mark.lam@apple.com>
Changed ARM64 probe trampoline to do ptr auth the standard way.
https://bugs.webkit.org/show_bug.cgi?id=229629
rdar://problem/82453220
Reviewed by Saam Barati.
Also fix a comment, and add back 2 lines that I accidentally deleted in r281718.
* assembler/MacroAssemblerARM64.cpp:
2021-08-27 Mark Lam <mark.lam@apple.com>
Make ARM64 and X86_64 probe code a little bit more efficient.
https://bugs.webkit.org/show_bug.cgi?id=229618
rdar://82445743
Reviewed by Yusuke Suzuki.
We were using an unnecessary indirect call to call Probe::executeProbe() when we
can be using a direct call, which emits less JIT code. This patch changes the
ARM64 and X86_64 ports to use a direct call now.
Also rename executeProbe to executeJSCJITProbe to make it more unique since we're
switching to extern "C" linkage for this function now.
For MacroAssemblerX86Common.cpp, we left the X86 and MSVC implementations unchanged.
For X86, I don't know the stack alignment requirements (if any) plus we might want
to delete this code eventually since we're not supporting the X86 JIT anymore.
For MSVC, I don't know the way to express a direct call in MSVC assembly, and have
no way to test it. Will leave that as an exercise for folks working on the Windows
ports if they are interested.
Also remove JITProbeExecutorPtrTag since it's no longer needed.
* assembler/MacroAssemblerARM64.cpp:
(JSC::MacroAssembler::probe):
* assembler/MacroAssemblerARMv7.cpp:
(JSC::MacroAssembler::probe):
* assembler/MacroAssemblerMIPS.cpp:
(JSC::MacroAssembler::probe):
* assembler/MacroAssemblerX86Common.cpp:
(JSC::ctiMasmProbeTrampoline):
(JSC::MacroAssembler::probe):
* assembler/ProbeContext.cpp:
(JSC::Probe::executeJSCJITProbe):
(JSC::Probe::executeProbe): Deleted.
* assembler/ProbeContext.h:
* runtime/JSCPtrTag.h:
2021-08-27 Saam Barati <sbarati@apple.com>
Update ARM64EHash
https://bugs.webkit.org/show_bug.cgi?id=228962
<rdar://79883337>
Reviewed by Mark Lam.
* assembler/AssemblerBuffer.h:
(JSC::ARM64EHash::ARM64EHash):
(JSC::ARM64EHash::update):
(JSC::ARM64EHash::makeDiversifier):
(JSC::ARM64EHash::nextValue):
(JSC::ARM64EHash::bitsForDiversifier):
(JSC::ARM64EHash::currentHash):
(JSC::ARM64EHash::setUpdatedHash):
(JSC::AssemblerBuffer::AssemblerBuffer):
(JSC::AssemblerBuffer::putIntegralUnchecked):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
2021-08-27 Mikhail R. Gadelha <mikhail@igalia.com>
Avoid increasing required alignment of target type warning on ARM 32 bits
https://bugs.webkit.org/show_bug.cgi?id=229151
Reviewed by Mark Lam.
Same approach as https://bugs.webkit.org/show_bug.cgi?id=38045
cast pointers to void* to bypass warning about increasing pointer
alingment. reinterpret_cast_ptr has custom behaviour only on ARM and
MIPS 32 bits, and doesn't change the behaviour in 64 bits archs
(reinterpret_cast_ptr is preprocessed to reinterpret_cast in 64 bits
archs)
* bytecode/Instruction.h:
(JSC::BaseInstruction::asKnownWidth const):
* llint/LLIntCommon.h:
2021-08-27 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r281587.
https://bugs.webkit.org/show_bug.cgi?id=229609
stress test failed on ARM64
Reverted changeset:
"[ARM64] Fix pre-index address mode"
https://bugs.webkit.org/show_bug.cgi?id=229175
https://commits.webkit.org/r281587
2021-08-26 Yusuke Suzuki <ysuzuki@apple.com>
Intl.DateTimeFormat incorrectly parses patterns with 'h' literal
https://bugs.webkit.org/show_bug.cgi?id=229313
rdar://82414310
Reviewed by Ross Kirsling.
While DateTimeFormat pattern and skeleton can include single-quoted literal texts,
we are not respecting that when parsing them to extract information. As a result,
we are incorrectly extracting hour-cycle information for "fr" locale since it can
include "HH 'h'" pattern text. This patch fixes that by skipping literal text
correctly.
* runtime/IntlDateTimeFormat.cpp:
(JSC::skipLiteralText):
(JSC::IntlDateTimeFormat::setFormatsFromPattern):
(JSC::IntlDateTimeFormat::hourCycleFromPattern):
(JSC::IntlDateTimeFormat::replaceHourCycleInSkeleton):
(JSC::IntlDateTimeFormat::replaceHourCycleInPattern):
* runtime/IntlDateTimeFormat.h:
* runtime/IntlLocale.cpp:
(JSC::IntlLocale::hourCycles):
2021-08-26 Yusuke Suzuki <ysuzuki@apple.com>
Float32Arrays.sort() return undefined when length < 2
https://bugs.webkit.org/show_bug.cgi?id=229575
Reviewed by Saam Barati.
TypedArray#sort should return |this| even when we don't perform sorting.
* builtins/TypedArrayPrototype.js:
(sort):
2021-08-26 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] op_put_private_name should use modern IC and remove ByValInfo
https://bugs.webkit.org/show_bug.cgi?id=229544
Reviewed by Saam Barati.
This patch makes op_put_private_name use new PutByVal IC. This allows op_put_private_name to support
polymorphic properties, and we can finally remove Baseline's adhoc IC and ByValInfo completely.
Added microbenchmark showed 3x improvement due to polymorphic PutPrivateName IC.
ToT Patched
class-private-field-polymorphic 9.3666+-0.0332 ^ 3.1199+-0.0182 ^ definitely 3.0022x faster
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/ByValInfo.cpp: Removed.
* bytecode/ByValInfo.h: Removed.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::getICStatusMap):
(JSC::CodeBlock::stronglyVisitStrongReferences):
(JSC::CodeBlock::findByValInfo): Deleted.
(JSC::CodeBlock::addByValInfo): Deleted.
* bytecode/CodeBlock.h:
* bytecode/ICStatusMap.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetPrivateName):
(JSC::DFG::SpeculativeJIT::compilePutPrivateName):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStoreBarrierInsertionPhase.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName):
* jit/JIT.cpp:
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::link):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
(JSC::ByValCompilationInfo::ByValCompilationInfo): Deleted.
* jit/JITInlines.h:
(JSC::JIT::emitArrayProfileStoreToHoleSpecialCase): Deleted.
(JSC::JIT::emitArrayProfileOutOfBoundsSpecialCase): Deleted.
* jit/JITOperations.cpp:
(JSC::putPrivateNameOptimize):
(JSC::putPrivateName):
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_private_name):
(JSC::JIT::emitSlow_op_put_private_name):
(JSC::JIT::slow_op_put_private_name_prepareCallGenerator):
(JSC::JIT::emitPutByValWithCachedId): Deleted.
(JSC::JIT::emitPutPrivateNameWithCachedId): Deleted.
(JSC::JIT::emitByValIdentifierCheck): Deleted.
(JSC::JIT::privateCompilePutPrivateNameWithCachedId): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_private_name):
(JSC::JIT::emitSlow_op_put_private_name):
* jit/Repatch.cpp:
(JSC::appropriateGenericPutByFunction):
(JSC::appropriateOptimizingPutByFunction):
(JSC::resetPutBy):
2021-08-26 Saam Barati <sbarati@apple.com>
r281485 was not sufficient in where it called disablePeepholeOptimization
https://bugs.webkit.org/show_bug.cgi?id=229582
<rdar://82346980>
Reviewed by Yusuke Suzuki.
r281485 accidentally deleted a place where we called disablePeepholeOptimization
that was necessary. Basically, after we seek where the current instruction
in BytecodeGenerator is, we need to disablePeepholeOptimization.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::ForInContext::finalize):
2021-08-26 Per Arne Vollan <pvollan@apple.com>
[AppleWin] JSC build failure
https://bugs.webkit.org/show_bug.cgi?id=229578
Reviewed by Don Olmstead.
Add new build dependency between LLIntOffsetsExtractor and JSCBuiltins targets.
* CMakeLists.txt:
2021-08-26 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Segfault in stress/typedarray-every.js (32bit)
https://bugs.webkit.org/show_bug.cgi?id=229546
Reviewed by Saam Barati.
ARMv7 does not have enough registers. Adding workaround by using getEffectiveAddress.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
2021-08-26 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] DataIC should not embed StructureStubInfo pointer
https://bugs.webkit.org/show_bug.cgi?id=229541
Reviewed by Mark Lam.
We should not embed pointer to StructureStubInfo::countdown if DataIC is used.
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::store8):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::offsetOfCountdown):
2021-08-25 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Polymorphic PutByVal
https://bugs.webkit.org/show_bug.cgi?id=229229
Reviewed by Saam Barati.
This patch changes PutByVal IC to modern style. This polymorphic PutByVal can handle multiple array types and multiple identifiers.
Also, this removes adhoc IC code in Baseline so that it paves the way to unlinked Baseline JIT by cleaning up IC.
Several interesting points of the design.
1. We need to pass ArrayProfile* via GPRReg to IC since we need to profile mayStoreToHole, which is still important to avoid the slow path.
2. Transition / Replace IC need to record propertyRegs if it exists not to clobber these registers. This is important in DFG / FTL since
IC should not clobber these registers unless it is flushed. It also makes Baseline code smaller since we do not reload them in the slow path call.
3. Added a path folding String/Symbol when emitting PutByVal in DFG / FTL. This edge-case is found via a microbenchmark. Let's consider the case: one
put_by_val site has one identifier "foo", but it has so many different Structures. Previously, we emit JITPutByIdGenerator adhocly, and still we
cache this "foo" identifier in cachedId. In DFG / FTL, while we cannot make it PutByOffset, we can emit PutById since we know that identifier is
always "foo". But after this patch's change, such a site becomes slow-path. And then this identifier information is missed, and we were emitting
PutByVal for that. For now, we attempt to fold to one identifier in DFGByteCodeParser so that we can still attempt to make it PutById, which
can be PutByOffset in constant folding phase. We would like to handle this one identifier slow-path case in PutByStatus / GetByStatus in the future
patch.
4. Now, DFG OSR exit does not query to ByValInfo for setter calls since JITPutByValGenerator use StructureStubInfo in Baseline.
Results of Microbenchmarks look good.
ToT Patched
put-by-val-direct-large-index 94.6265+-0.9076 93.4550+-0.7121 might be 1.0125x faster
inlined-put-by-val-with-string-transition
23.7131+-0.3282 ^ 22.7679+-0.1137 ^ definitely 1.0415x faster
put-by-val-with-string-slightly-polymorphic
1.9852+-0.0284 1.9580+-0.0224 might be 1.0139x faster
get-and-put-by-val-double-index-dont-fall-off-a-cliff
185.4762+-0.5737 ? 185.6325+-0.5819 ?
polymorphic-put-by-val-with-string 30.9903+-0.1207 30.8097+-0.1285
put-by-val-machine-int 1.8803+-0.0384 1.8707+-0.0440
fold-put-by-val-with-symbol-to-multi-put-by-offset
4.8463+-0.1148 4.7839+-0.0547 might be 1.0130x faster
put-by-val-with-string-replace-and-transition
8.8730+-1.5934 ^ 6.2276+-0.0585 ^ definitely 1.4248x faster
fold-put-by-val-with-string-to-multi-put-by-offset
4.8183+-0.0841 ? 4.8233+-0.0892 ?
put-by-val-direct 0.2845+-0.0091 ? 0.2901+-0.0088 ? might be 1.0196x slower
put-by-val-with-symbol-replace-and-transition
6.3527+-0.0686 ? 6.3933+-0.0961 ?
put-by-val-with-symbol 9.3556+-3.1421 7.1509+-0.1019 might be 1.3083x faster
put-by-val-with-symbol-slightly-polymorphic
2.0052+-0.0309 1.9781+-0.0397 might be 1.0137x faster
put-by-val-negative-array-index 14.9572+-0.1221 ^ 14.5636+-0.1044 ^ definitely 1.0270x faster
put-by-val-with-string 11.6345+-4.3048 ^ 7.0919+-0.0918 ^ definitely 1.6405x faster
put-by-val-large-index-blank-indexing-type
3.1425+-0.1165 3.1236+-0.0378
inlined-put-by-val-with-symbol-transition
23.4932+-0.3186 ^ 22.8469+-0.0873 ^ definitely 1.0283x faster
polymorphic-put-by-val-with-symbol 36.6046+-1.6519 ^ 30.8597+-0.1474 ^ definitely 1.1862x faster
Speedometer2 showed roughly 0.2-0.3% progression.
----------------------------------------------------------------------------------------------------------------------------------
| subtest | ms | ms | b / a | pValue (significance using False Discovery Rate) |
----------------------------------------------------------------------------------------------------------------------------------
| Elm-TodoMVC |121.916667 |121.958333 |1.000342 | 0.876802 |
| VueJS-TodoMVC |26.263333 |26.006667 |0.990227 | 0.263868 |
| EmberJS-TodoMVC |127.080000 |127.866667 |1.006190 | 0.011497 (significant) |
| BackboneJS-TodoMVC |48.920000 |49.318333 |1.008143 | 0.003395 (significant) |
| Preact-TodoMVC |19.828333 |19.828333 |1.000000 | 1.000000 |
| AngularJS-TodoMVC |134.011667 |132.080000 |0.985586 | 0.000000 (significant) |
| Vanilla-ES2015-TodoMVC |63.726667 |63.838333 |1.001752 | 0.408404 |
| Inferno-TodoMVC |65.153333 |63.753333 |0.978512 | 0.000000 (significant) |
| Flight-TodoMVC |78.133333 |78.780000 |1.008276 | 0.097794 |
| Angular2-TypeScript-TodoMVC |40.415000 |40.100000 |0.992206 | 0.287630 |
| VanillaJS-TodoMVC |51.931667 |52.500000 |1.010944 | 0.004149 (significant) |
| jQuery-TodoMVC |226.056667 |225.073333 |0.995650 | 0.007796 (significant) |
| EmberJS-Debug-TodoMVC |341.210000 |340.978333 |0.999321 | 0.623386 |
| React-TodoMVC |87.198333 |86.893333 |0.996502 | 0.042189 |
| React-Redux-TodoMVC |146.506667 |145.958333 |0.996257 | 0.018801 (significant) |
| Vanilla-ES2015-Babel-Webpack-TodoMVC |61.450000 |61.870000 |1.006835 | 0.000049 (significant) |
----------------------------------------------------------------------------------------------------------------------------------
a mean = 254.85111
b mean = 255.25735
pValue = 0.1856561656
(Bigger means are better.)
1.002 times better
Results ARE NOT significant
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/AccessCase.cpp:
(JSC::AccessCase::create):
(JSC::AccessCase::guardedByStructureCheckSkippingConstantIdentifierCheck const):
(JSC::AccessCase::requiresIdentifierNameMatch const):
(JSC::AccessCase::requiresInt32PropertyCheck const):
(JSC::AccessCase::needsScratchFPR const):
(JSC::AccessCase::forEachDependentCell const):
(JSC::AccessCase::doesCalls const):
(JSC::AccessCase::canReplace const):
(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):
(JSC::AccessCase::toTypedArrayType):
(JSC::AccessCase::canBeShared):
* bytecode/AccessCase.h:
(JSC::SharedJITStubSet::Hash::Key::Key):
(JSC::SharedJITStubSet::Hash::Key::operator==):
(JSC::SharedJITStubSet::Searcher::Translator::equal):
* bytecode/ArrayProfile.h:
(JSC::ArrayProfile::offsetOfMayStoreToHole):
(JSC::ArrayProfile::offsetOfLastSeenStructureID):
* bytecode/GetterSetterAccessCase.cpp:
(JSC::GetterSetterAccessCase::emitDOMJITGetter):
* bytecode/ICStatusMap.h:
* bytecode/InlineAccess.cpp:
(JSC::getScratchRegister):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
(WTF::printInternal):
* bytecode/PutByStatus.cpp: Renamed from Source/JavaScriptCore/bytecode/PutByIdStatus.cpp.
(JSC::PutByStatus::appendVariant):
(JSC::PutByStatus::shrinkToFit):
(JSC::PutByStatus::computeFromLLInt):
(JSC::PutByStatus::PutByStatus):
(JSC::PutByStatus::computeFor):
(JSC::PutByStatus::computeForStubInfo):
(JSC::PutByStatus::makesCalls const):
(JSC::PutByStatus::slowVersion const):
(JSC::PutByStatus::singleIdentifier const):
(JSC::PutByStatus::visitAggregateImpl):
(JSC::PutByStatus::markIfCheap):
(JSC::PutByStatus::finalize):
(JSC::PutByStatus::merge):
(JSC::PutByStatus::filter):
(JSC::PutByStatus::dump const):
* bytecode/PutByStatus.h: Renamed from Source/JavaScriptCore/bytecode/PutByIdStatus.h.
* bytecode/PutByVariant.cpp: Renamed from Source/JavaScriptCore/bytecode/PutByIdVariant.cpp.
(JSC::PutByVariant::PutByVariant):
(JSC::PutByVariant::operator=):
(JSC::PutByVariant::replace):
(JSC::PutByVariant::transition):
(JSC::PutByVariant::setter):
(JSC::PutByVariant::oldStructureForTransition const):
(JSC::PutByVariant::fixTransitionToReplaceIfNecessary):
(JSC::PutByVariant::writesStructures const):
(JSC::PutByVariant::reallocatesStorage const):
(JSC::PutByVariant::makesCalls const):
(JSC::PutByVariant::attemptToMerge):
(JSC::PutByVariant::attemptToMergeTransitionWithReplace):
(JSC::PutByVariant::visitAggregateImpl):
(JSC::PutByVariant::markIfCheap):
(JSC::PutByVariant::finalize):
(JSC::PutByVariant::dump const):
(JSC::PutByVariant::dumpInContext const):
* bytecode/PutByVariant.h: Renamed from Source/JavaScriptCore/bytecode/PutByIdVariant.h.
(JSC::PutByVariant::PutByVariant):
(JSC::PutByVariant::identifier const):
(JSC::PutByVariant::overlaps):
* bytecode/RecordedStatuses.cpp:
(JSC::RecordedStatuses::addPutByStatus):
(JSC::RecordedStatuses::visitAggregateImpl):
(JSC::RecordedStatuses::addPutByIdStatus): Deleted.
* bytecode/RecordedStatuses.h:
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::reset):
* bytecode/StructureStubInfo.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::load):
(JSC::DFG::ByteCodeParser::store):
(JSC::DFG::ByteCodeParser::emitPutById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::handlePutPrivateNameById):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::handlePutByVal):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addPutByVal):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasPutByStatus):
(JSC::DFG::Node::putByStatus):
(JSC::DFG::Node::hasPutByIdStatus): Deleted.
(JSC::DFG::Node::putByIdStatus): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::callerReturnPC):
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStoreBarrierInsertionPhase.cpp:
* dfg/DFGValidate.cpp:
* dfg/DFGVarargsForwardingPhase.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
* generator/DSL.rb:
* jit/ICStats.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::link):
* jit/JIT.h:
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITPutByIdGenerator::JITPutByIdGenerator):
(JSC::JITPutByValGenerator::JITPutByValGenerator):
(JSC::JITPutByValGenerator::generateFastPath):
(JSC::JITPutByValGenerator::finalize):
* jit/JITInlineCacheGenerator.h:
* jit/JITInlines.h:
(JSC::JIT::emitArrayProfilingSiteWithCell):
(JSC::JIT::chooseArrayMode): Deleted.
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
(JSC::putByVal):
(JSC::directPutByVal):
(JSC::putByValOptimize):
(JSC::directPutByValOptimize):
(JSC::tryPutByValOptimize): Deleted.
(JSC::tryDirectPutByValOptimize): Deleted.
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::slow_op_put_by_val_prepareCallGenerator):
(JSC::JIT::emitSlow_op_put_private_name):
(JSC::JIT::slow_op_put_private_name_prepareCallGenerator):
(JSC::JIT::emitGenericContiguousPutByVal): Deleted.
(JSC::JIT::emitArrayStoragePutByVal): Deleted.
(JSC::JIT::privateCompilePutByVal): Deleted.
(JSC::JIT::privateCompilePutByValWithCachedId): Deleted.
(JSC::JIT::emitIntTypedArrayPutByVal): Deleted.
(JSC::JIT::emitFloatTypedArrayPutByVal): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::emitGenericContiguousPutByVal): Deleted.
(JSC::JIT::emitArrayStoragePutByVal): Deleted.
* jit/Repatch.cpp:
(JSC::appropriateGenericPutByFunction):
(JSC::appropriateOptimizingPutByFunction):
(JSC::tryCachePutBy):
(JSC::repatchPutBy):
(JSC::tryCacheArrayPutByVal):
(JSC::repatchArrayPutByVal):
(JSC::tryCacheInBy):
(JSC::resetPutBy):
(JSC::appropriateGenericPutByIdFunction): Deleted.
(JSC::appropriateOptimizingPutByIdFunction): Deleted.
(JSC::tryCachePutByID): Deleted.
(JSC::repatchPutByID): Deleted.
(JSC::resetPutByID): Deleted.
* jit/Repatch.h:
* llint/LowLevelInterpreter.h:
2021-08-25 Yusuke Suzuki <ysuzuki@apple.com>
REGRESSION(r281513?): [ JSC Catalina+ Debug ] 16 stress/intl-enumeration.js (JSC Tests) are flaky failing
https://bugs.webkit.org/show_bug.cgi?id=229526
Reviewed by Mark Lam.
Fix debug JSC test failures by using RELEASE_AND_RETURN.
* runtime/IntlObject.cpp:
(JSC::availableCalendars):
(JSC::availableCollations):
(JSC::availableCurrencies):
(JSC::availableNumberingSystems):
(JSC::availableTimeZones):
2021-08-25 Yijia Huang <yijia_huang@apple.com>
[ARM64] Fix pre-index address mode
https://bugs.webkit.org/show_bug.cgi?id=229175
Reviewed by Saam Barati.
This patch fixes the canonicalization phase for pre/post-increment address mode
due to the potential bugs commented on in the previous patch
https://bugs.webkit.org/show_bug.cgi?id=228538. And this patch removed the
temporary fix in https://bugs.webkit.org/show_bug.cgi?id=229211.
Previously, the pre-index address mode for Load instruction convert the pattern
to the canonical form like this:
address = Add(base, offset) address = Add(base, offset)
... --> newMemory = Load(base, offset)
... ...
memory = Load(base, offset) memory = Identity(newMemory)
which is wrong. Assume "..." contains a store to a memory location that aliases for address:
address = Add(base, offset) address = Add(base, offset)
... --> newMemory = Load(base, offset)
... ...
Store(value1, address) Store(value1, address)
memory = Load(base, offset) memory = Identity(newMemory)
The loaded value should always be value1 which is not true after the conversion.
So, moving the load above the store is semantically incorrect because it's not identical to
the behavior of the original program. In this case, maybe we should apply alias analysis to
detect the violations of reference updating.
To solve this problem, we moves the address value to just before the memory value instead of
moving memory value upward.
Convert Pre-Index Load Pattern to the Canonical Form:
address = Add(base, offset) address = Nop
... ...
... newAddress = Add(base, offset)
memory = Load(base, offset) --> memory = Load(base, offset)
... ...
parent = B3Opcode(address, ...) parent = B3Opcode(newAddress, ...)
Convert Pre-Index Store Pattern to the Canonical Form:
address = Add(base, offset) address = Nop
... ...
... newAddress = Add(base, offset)
memory = Store(value1, base, offset) --> memory = Store(value1, base, offset)
... ...
parent = B3Opcode(address, ...) parent = B3Opcode(newAddress, ...)
To move the address value downward, we need to make sure that no use reference of address between
the address and memory values.
* b3/B3CanonicalizePrePostIncrements.cpp:
(JSC::B3::canonicalizePrePostIncrements):
* b3/B3Generate.cpp:
(JSC::B3::generateToAir):
* b3/B3ValueKey.h:
* b3/B3ValueKeyInlines.h:
(JSC::B3::ValueKey::ValueKey):
* b3/testb3.h:
* b3/testb3_3.cpp:
(testLoadWithStorePreIndex32):
(testStorePreIndex32):
(testStorePreIndex64):
(testStorePostIndex32):
(testStorePostIndex64):
(addShrTests):
* runtime/OptionsList.h:
2021-08-25 Xan Lopez <xan@igalia.com>
[JSC] Infinite loop in for...in after r280760
https://bugs.webkit.org/show_bug.cgi?id=229493
Reviewed by Yusuke Suzuki.
A missing instruction in the 32bit branch can potentially cause
infinite loops when using for-in. No new test, this is already
covered by (among others) LayoutTests/js/reserved-words.html.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdateIndexAndMode):
2021-08-25 Keith Miller <keith_miller@apple.com>
Add for-in OwnStructureMode optimizations to LLInt
https://bugs.webkit.org/show_bug.cgi?id=229038
Reviewed by Saam Barati.
This patch adds the optimizations we have for OwnStructureMode in
the Baseline to the LLInt. The patch also adds redundant self move
(i.e. move a, a) elimination to arm64. Finally, a bunch of the
property offset functions are now marked constexpr and return
intptr_t rather than size_t as the values can be negative.
There's also a minor fix to disable MSVC's signed to unsigned
cast warning for LLIntOffsetsExtractor as we don't care about
signedness for extracting constants.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_enumerator_get_by_val):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/generate_offset_extractor.rb:
* runtime/Butterfly.h:
(JSC::Butterfly::indexOfPropertyStorage):
* runtime/JSObject.h:
(JSC::offsetInButterfly):
* runtime/PropertyOffset.h:
(JSC::checkOffset):
(JSC::validateOffset):
(JSC::isValidOffset):
(JSC::isInlineOffset):
(JSC::isOutOfLineOffset):
(JSC::offsetInInlineStorage):
(JSC::offsetInOutOfLineStorage):
(JSC::offsetInRespectiveStorage):
(JSC::numberOfOutOfLineSlotsForMaxOffset):
(JSC::numberOfSlotsForMaxOffset):
(JSC::offsetForPropertyNumber):
2021-08-25 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r281523.
https://bugs.webkit.org/show_bug.cgi?id=229494
broke cloop build
Reverted changeset:
"Add for-in OwnStructureMode optimizations to LLInt"
https://bugs.webkit.org/show_bug.cgi?id=229038
https://commits.webkit.org/r281523
2021-08-24 Mark Lam <mark.lam@apple.com>
Refactor ENABLE(JIT_OPERATION_VALIDATION) code to emit no code when disabled.
https://bugs.webkit.org/show_bug.cgi?id=229482
rdar://82318317
Reviewed by Yusuke Suzuki.
* assembler/JITOperationList.cpp:
(JSC::addPointers):
(JSC::JITOperationList::populatePointersInJavaScriptCore):
(JSC::JITOperationList::populatePointersInJavaScriptCoreForLLInt):
(JSC::JITOperationList::populatePointersInEmbedder):
* assembler/JITOperationList.h:
(JSC::JITOperationList::map const):
(JSC::JITOperationList::assertIsJITOperation):
(JSC::JITOperationList::initialize):
(JSC::JITOperationList::populatePointersInJavaScriptCore):
(JSC::JITOperationList::populatePointersInJavaScriptCoreForLLInt):
* runtime/JSCPtrTag.h:
(JSC::tagJSCCodePtrImpl):
(JSC::untagJSCCodePtrImpl):
2021-08-24 Mark Lam <mark.lam@apple.com>
[Re-landing] Add some offlineasm enhancements.
https://bugs.webkit.org/show_bug.cgi?id=229332
rdar://82163923
Reviewed by Keith Miller.
1. Enhance "include" offlineasm Instruction to always attempt to include an asm
file from <build-products>/usr/local/include/WebKitAdditions/ first. If the
specified file is not available there, then it will attempt to include the file
from the same directory as the current source file (which in practice, means
Source/JavaScriptCore/llint/).
2. Enhance "include" offlineasm Instruction to allow an optional file to be
included if it exists. For example, the following offlineasm code:
include? LowLevelInterpreterAdditions
... will attempt to include a file LowLevelInterpreterAdditions.asm. If the
file does not exist, this will be a no-op. Note: the "?" after the "include"
means the include is optional.
3. Enhanced "emit" offlineasm Instruction to be able to take more than one operand.
"emit" used to just copy the string operand that follows into the generated
LLIntAssembly.h. Now, "emit" can take multiple comma separated operands, and
will concatenate all the operands.
Additionally, "emit" can now take a LocalLabelReference as an operand. For
example, this offline asm code:
emit "b ", .done
...
.done:
... will generate this inline asm code in LLIntAssembly.h:
"b " LOCAL_LABEL_STRING(_offlineasm_someLabel_done) "\n"
This makes it easier to emit branches to local labels.
4. Also fixed LLInt code alignment for ARM_THUMB2 and ARM64.
Previously, it was aligned using ".align 4" which means aligned on a 4
instruction boundary. Note: the interpretation of .align varies for different
target CPU architectures.
Now, we do the alignment using ".balign 4" which means align on a 4 byte
boundary. This is the intended alignment because ARM64 instruction size is
4 bytes, and ARM_THUMB2 instruction size is either 2 bytes or 4 bytes.
Using .align before was potentially wasting some code space.
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter.cpp:
* offlineasm/ast.rb:
* offlineasm/parser.rb:
2021-08-24 Mark Lam <mark.lam@apple.com>
testb3_6 should be using JSSwitchPtrTag instead of JITCompilationPtrTag.
https://bugs.webkit.org/show_bug.cgi?id=229479
rdar://82316967
Reviewed by Yusuke Suzuki.
This is in testInterpreter() which is emitting code for a jump table.
JSSwitchPtrTag is the right tag to use here.
* b3/testb3_6.cpp:
(testInterpreter):
2021-08-24 Keith Miller <keith_miller@apple.com>
Add for-in OwnStructureMode optimizations to LLInt
https://bugs.webkit.org/show_bug.cgi?id=229038
Reviewed by Saam Barati.
This patch adds the optimizations we have for OwnStructureMode in
the Baseline to the LLInt. The patch also adds redundant self move
(i.e. move a, a) elimination to arm64. Finally, a bunch of the
property offset functions are now marked constexpr and return
intptr_t rather than size_t as the values can be negative.
There's also a minor fix to disable MSVC's signed to unsigned
cast warning for LLIntOffsetsExtractor as we don't care about
signedness for extracting constants.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_enumerator_get_by_val):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/generate_offset_extractor.rb:
* runtime/Butterfly.h:
(JSC::Butterfly::indexOfPropertyStorage):
* runtime/JSObject.h:
(JSC::offsetInButterfly):
* runtime/PropertyOffset.h:
(JSC::checkOffset):
(JSC::validateOffset):
(JSC::isValidOffset):
(JSC::isInlineOffset):
(JSC::isOutOfLineOffset):
(JSC::offsetInInlineStorage):
(JSC::offsetInOutOfLineStorage):
(JSC::offsetInRespectiveStorage):
(JSC::numberOfOutOfLineSlotsForMaxOffset):
(JSC::numberOfSlotsForMaxOffset):
(JSC::offsetForPropertyNumber):
2021-08-24 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Add Intl Enumeration APIs
https://bugs.webkit.org/show_bug.cgi?id=214795
Reviewed by Ross Kirsling.
This patch implements Intl enumeration API[1] which is in stage-3.
Supported keys are, "calendar", "collation", "currency", "numberingSystem", "timeZone", and "unit".
[1]: https://github.com/tc39/proposal-intl-enumeration
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::localeData):
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
* runtime/IntlLocale.cpp:
(JSC::createArrayFromStringVector): Deleted.
* runtime/IntlNumberFormat.cpp:
(JSC::sanctionedSimpleUnitIdentifier):
* runtime/IntlObject.cpp:
(JSC::IntlObject::finishCreation):
(JSC::mapICUCalendarKeywordToBCP47):
(JSC::availableCalendars):
(JSC::availableCollations):
(JSC::availableCurrencies):
(JSC::availableNumberingSystems):
(JSC::canonicalizeTimeZoneNameFromICUTimeZone):
(JSC::availableTimeZones):
(JSC::availableUnits):
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::createArrayFromStringVector):
* runtime/IntlObject.h:
* runtime/OptionsList.h:
2021-08-24 Keith Miller <keith_miller@apple.com>
(r281473) stress/for-in-has-own-property-shouldnt-flush-registers.js failing on Debug
https://bugs.webkit.org/show_bug.cgi?id=229448
Reviewed by Mark Lam.
Add missing exception checks.
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
2021-08-24 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r281321.
https://bugs.webkit.org/show_bug.cgi?id=229449
causes crashes on ARM64
Reverted changeset:
"Add some offlineasm enhancements."
https://bugs.webkit.org/show_bug.cgi?id=229332
https://commits.webkit.org/r281321
2021-08-23 Saam Barati <sbarati@apple.com>
Disable peephole optimizations in the byte code generator after rewriting instructions for for-in
https://bugs.webkit.org/show_bug.cgi?id=229420
<rdar://82020528>
Reviewed by Keith Miller.
The final instruction in a for-in loop might be the get by val that
we're rewriting because there was an escape. We won't ever actually
do peephole optimizations on this get_by_val today, but it breaks
some bookkeeping that the bytecode generator does. This patch makes
sure the bookkeeping is up to date.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::ForInContext::finalize):
2021-08-23 Saam Barati <sbarati@apple.com>
compileEnumeratorHasProperty uses flushRegisters incorrectly
https://bugs.webkit.org/show_bug.cgi?id=229412
<rdar://82020767>
Reviewed by Keith Miller.
We were calling flushRegisters() inside code that isn't always runs inside the
EnumeratorInByVal/EnumeratorHasOwnProperty nodes. That is a violation of how
flushRegisters() must be used, since flushRegisters() updates global register
allocation state, and therefore must run each time a node is run. To fix, we
move flushRegisters() before the code starts emitting branches.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
2021-08-23 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] emitArrayProfilingSiteWithCell should not load indexingType unnecessarily
https://bugs.webkit.org/show_bug.cgi?id=229396
Reviewed by Saam Barati.
emitArrayProfilingSiteWithCell is always loading indexingType after profiling a cell.
But (possibly) this is old code, and there is no reason to do that. This patch removes it.
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::emitArrayProfilingSiteWithCell):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emit_op_enumerator_get_by_val):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_in_by_val):
2021-08-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Remove already-shipped wasm option flags
https://bugs.webkit.org/show_bug.cgi?id=229386
Reviewed by Ross Kirsling.
This patch removes some wasm option flags which are already shipped.
* runtime/OptionsList.h:
* wasm/WasmFormat.h:
(JSC::Wasm::isValueType):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
* wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
* wasm/WasmParser.h:
(JSC::Wasm::Parser<SuccessType>::parseBlockSignature):
* wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseType):
(JSC::Wasm::SectionParser::parseElement):
(JSC::Wasm::SectionParser::parseData):
(JSC::Wasm::SectionParser::parseDataCount):
* wasm/js/JSWebAssembly.cpp:
(JSC::JSWebAssembly::finishCreation):
* wasm/js/WebAssemblyGlobalConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* wasm/js/WebAssemblyTableConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* wasm/js/WebAssemblyTablePrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
2021-08-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Remove already-shipped JS feature flags
https://bugs.webkit.org/show_bug.cgi?id=229387
Reviewed by Ross Kirsling.
These features are already shipped. So removing these runtime flags to clean up source code and
remove untested path.
* API/JSObjectRef.cpp:
(JSObjectMakeError):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* bytecompiler/NodesCodegen.cpp:
(JSC::FunctionCallValueNode::emitBytecode):
* parser/Lexer.cpp:
(JSC::Lexer<T>::lexWithoutClearingLineTerminator):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseForStatement):
(JSC::Parser<LexerType>::parseClass):
(JSC::Parser<LexerType>::parseBinaryExpression):
(JSC::Parser<LexerType>::parseGetterSetter):
(JSC::Parser<LexerType>::parsePrimaryExpression):
(JSC::Parser<LexerType>::parseUnaryExpression):
* runtime/AggregateErrorConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/ErrorConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/JSGlobalObject.h:
* runtime/NativeErrorConstructor.cpp:
(JSC::NativeErrorConstructor<errorType>::constructImpl):
(JSC::NativeErrorConstructor<errorType>::callImpl):
* runtime/Options.cpp:
(JSC::Options::recomputeDependentOptions):
* runtime/OptionsList.h:
* wasm/js/WebAssemblyCompileErrorConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* wasm/js/WebAssemblyLinkErrorConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
2021-08-22 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r280984 and r280996.
https://bugs.webkit.org/show_bug.cgi?id=229384
Speedometer2 0.3-0.5% regression
Reverted changesets:
"Update ARM64EHash"
https://bugs.webkit.org/show_bug.cgi?id=228962
https://commits.webkit.org/r280984
"Refactor some ARM64EHash code."
https://bugs.webkit.org/show_bug.cgi?id=229054
https://commits.webkit.org/r280996
2021-08-21 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Remove Intl runtime feature flags for already shipped ones
https://bugs.webkit.org/show_bug.cgi?id=229371
Reviewed by Ross Kirsling.
Since they are already shipped, we should remove these runtime flags.
* builtins/DatePrototype.js:
(globalPrivate.toDateTimeOptionsAnyAll):
(globalPrivate.toDateTimeOptionsTimeTime):
* bytecode/BytecodeIntrinsicRegistry.cpp:
(JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
* bytecode/BytecodeIntrinsicRegistry.h:
* runtime/IntlDateTimeFormat.cpp:
(JSC::toDateTimeOptionsAnyDate):
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
(JSC::IntlDateTimeFormat::resolvedOptions const):
* runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::IntlDateTimeFormatPrototype::finishCreation):
* runtime/OptionsList.h:
2021-08-21 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Intl.DisplayNames v2
https://bugs.webkit.org/show_bug.cgi?id=227832
Reviewed by Ross Kirsling.
This patch implements Intl.DisplayNames v2[1].
Newly added names are calendar names and date time field names.
For the language name, language display option is added.
[1]: https://github.com/tc39/intl-displaynames-v2
* runtime/CommonIdentifiers.h:
* runtime/IntlCache.cpp:
(JSC::IntlCache::getFieldDisplayName):
* runtime/IntlCache.h:
* runtime/IntlDisplayNames.cpp:
(JSC::IntlDisplayNames::initializeDisplayNames):
(JSC::IntlDisplayNames::of const):
(JSC::IntlDisplayNames::resolvedOptions const):
(JSC::IntlDisplayNames::typeString):
(JSC::IntlDisplayNames::languageDisplayString):
* runtime/IntlDisplayNames.h:
* runtime/IntlObject.cpp:
(JSC::isUnicodeLocaleIdentifierType):
(JSC::canonicalizeUnicodeLocaleID):
(JSC::canonicalizeLocaleList):
(JSC::defaultLocale):
(JSC::mapBCP47ToICUCalendarKeyword):
(JSC::mapICUCollationKeywordToBCP47):
(JSC::canonicalizeLanguageTag): Deleted.
* runtime/IntlObject.h:
2021-08-21 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Intl Locale Info
https://bugs.webkit.org/show_bug.cgi?id=227830
Reviewed by Ross Kirsling.
This patch implements Intl.Locale's extension (Intl Locale Info proposal)[1], which is already stage 3.
Intl.Locale#{calendars,collations,hourCycles,numberingSystems,timeZones} can return array of preferred
configuration for the given locale. And Intl.Locale#textInfo can return text layout direction and Intl.Locale#weekInfo
can return weekday information (e.g. when weekend starts).
[1]: https://github.com/tc39/proposal-intl-locale-info
* runtime/IntlLocale.cpp:
(JSC::createArrayFromStringVector):
(JSC::IntlLocale::calendars):
(JSC::IntlLocale::collations):
(JSC::IntlLocale::hourCycles):
(JSC::IntlLocale::numberingSystems):
(JSC::IntlLocale::timeZones):
(JSC::IntlLocale::textInfo):
(JSC::IntlLocale::weekInfo):
* runtime/IntlLocale.h:
* runtime/IntlLocalePrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
2021-08-21 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Extend Intl TimeZoneName Option
https://bugs.webkit.org/show_bug.cgi?id=227831
Reviewed by Ross Kirsling.
https://github.com/tc39/proposal-intl-extend-timezonename
This patch implements Extend Intl TimeZoneName proposal, which adds "shortOffset", "longOffset", "shortGeneric", "longGeneric"
timeZoneName variants.
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::setFormatsFromPattern):
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
(JSC::IntlDateTimeFormat::timeZoneNameString):
* runtime/IntlDateTimeFormat.h:
2021-08-21 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Enable String,TypedArray#at
https://bugs.webkit.org/show_bug.cgi?id=229354
Reviewed by Saam Barati.
Enable String and TypedArray's `at` method.
* runtime/OptionsList.h:
2021-08-21 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Enable Array#findLast method
https://bugs.webkit.org/show_bug.cgi?id=229355
Reviewed by Saam Barati.
This patch enables Array#findLast and Array#findLastIndex methods.
* runtime/ArrayPrototype.cpp: Order of unscopables is alphabet ordering (https://tc39.es/ecma262/#sec-array.prototype-@@unscopables)
(JSC::ArrayPrototype::finishCreation):
* runtime/OptionsList.h:
2021-08-20 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Simplify moveIntsToDouble
https://bugs.webkit.org/show_bug.cgi?id=229351
Reviewed by Saam Barati.
MacroAssembler::moveIntsToDouble required scratch FPRReg. But it was only required for MacroAssemblerX86, and it is already removed.
This means that we no longer need this scratch FPRReg. This change makes a lot of IC code, property access code simpler.
This patch removes that scratch FPRReg, and removed scratch FPRReg of many arithmetic ICs. This patch is important for PutByVal modern
IC since some of property access requires FPRReg because of MacroAssembler::moveIntsToDouble, and it requires adding new m_scratch2FPR
to AccessCase. But after this simplification, this is no longer necessary.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::moveIntsToDouble):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::moveIntsToDouble):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileDoubleRep):
(JSC::DFG::SpeculativeJIT::emitUntypedOrBigIntRightShiftBitOp):
(JSC::DFG::SpeculativeJIT::compileValueAdd):
(JSC::DFG::SpeculativeJIT::compileValueSub):
(JSC::DFG::SpeculativeJIT::compileMathIC):
(JSC::DFG::SpeculativeJIT::compileValueNegate):
(JSC::DFG::SpeculativeJIT::compileValueMul):
(JSC::DFG::SpeculativeJIT::speculateRealNumber):
(JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::unboxDouble):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitConvertValueToBoolean):
(JSC::AssemblyHelpers::branchIfValue):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::unboxDoubleNonDestructive):
(JSC::AssemblyHelpers::unboxDouble):
* jit/JITAddGenerator.cpp:
(JSC::JITAddGenerator::generateFastPath):
* jit/JITAddGenerator.h:
(JSC::JITAddGenerator::JITAddGenerator):
* jit/JITArithmetic.cpp:
(JSC::JIT::emitRightShiftFastPath):
(JSC::JIT::emitMathICFast):
* jit/JITDivGenerator.cpp:
(JSC::JITDivGenerator::loadOperand):
* jit/JITMulGenerator.cpp:
(JSC::JITMulGenerator::generateInline):
(JSC::JITMulGenerator::generateFastPath):
* jit/JITMulGenerator.h:
(JSC::JITMulGenerator::JITMulGenerator):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitGenericContiguousPutByVal):
* jit/JITRightShiftGenerator.cpp:
(JSC::JITRightShiftGenerator::generateFastPath):
* jit/JITRightShiftGenerator.h:
(JSC::JITRightShiftGenerator::JITRightShiftGenerator):
* jit/JITSubGenerator.cpp:
(JSC::JITSubGenerator::generateInline):
(JSC::JITSubGenerator::generateFastPath):
* jit/JITSubGenerator.h:
(JSC::JITSubGenerator::JITSubGenerator):
2021-08-20 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Remove unnecessary moves in Yarr's sub32 / add32 related code
https://bugs.webkit.org/show_bug.cgi?id=228813
Reviewed by Mark Lam.
This patch adds three operand sub32 to X64 masm so that we can use it in all masms.
We use add32 and sub32 in YarrJIT to remove unnecessary mov instructions in ARM64.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::sub32):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::sub32):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::sub32):
* assembler/testmasm.cpp:
(JSC::testSub32ArgImm):
* yarr/YarrJIT.cpp:
2021-08-20 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Remove MacroAssemblerX86
https://bugs.webkit.org/show_bug.cgi?id=229331
Reviewed by Mark Lam.
This patch removes MacroAssemblerX86, which allows simplifying some 32bit MacroAssembler code
in a subsequent patch.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/MacroAssembler.h:
* assembler/MacroAssemblerX86.h: Removed.
2021-08-20 Mikhail R. Gadelha <mikhail@igalia.com>
Fix DFG compilation of StringCharAt in 32 bits jsc debug build
https://bugs.webkit.org/show_bug.cgi?id=229293
Reviewed by Keith Miller.
In SpeculativeJIT::compileGetByValOnString the format can be either DataFormatJS
or DataFormatCell so assert either value when compiling it in 32 bits.
It's the same assert already present in the DFG 64 bits counterpart
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2021-08-20 Mark Lam <mark.lam@apple.com>
Add some offlineasm enhancements.
https://bugs.webkit.org/show_bug.cgi?id=229332
rdar://82163923
Reviewed by Keith Miller.
1. Enhance "include" offlineasm Instruction to always attempt to include an asm
file from <build-products>/usr/local/include/WebKitAdditions/ first. If the
specified file is not available there, then it will attempt to include the file
from the same directory as the current source file (which in practice, means
Source/JavaScriptCore/llint/).
2. Enhance "include" offlineasm Instruction to allow an optional file to be
included if it exists. For example, the following offlineasm code:
include? LowLevelInterpreterAdditions
... will attempt to include a file LowLevelInterpreterAdditions.asm. If the
file does not exist, this will be a no-op. Note: the "?" after the "include"
means the include is optional.
3. Enhanced "emit" offlineasm Instruction to be able to take more than one operand.
"emit" used to just copy the string operand that follows into the generated
LLIntAssembly.h. Now, "emit" can take multiple comma separated operands, and
will concatenate all the operands.
Additionally, "emit" can now take a LocalLabelReference as an operand. For
example, this offline asm code:
emit "b ", .done
...
.done:
... will generate this inline asm code in LLIntAssembly.h:
"b " LOCAL_LABEL_STRING(_offlineasm_someLabel_done) "\n"
This makes it easier to emit branches to local labels.
4. Also fixed LLInt code alignment for ARM_THUMB2 and ARM64.
Previously, it was aligned using ".align 4" which means aligned on a 4
instruction boundary. Note: the interpretation of .align varies for different
target CPU architectures.
Now, we do the alignment using ".balign 4" which means align on a 4 byte
boundary. This is the intended alignment because ARM64 instruction size is
4 bytes, and ARM_THUMB2 instruction size is either 2 bytes or 4 bytes.
Using .align before was potentially wasting some code space.
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter.cpp:
* offlineasm/ast.rb:
* offlineasm/parser.rb:
2021-08-20 Mark Lam <mark.lam@apple.com>
Reduce StructureID entropy bits to 5 to make room for more StructureIDs.
https://bugs.webkit.org/show_bug.cgi?id=229326
rdar://60141624
Reviewed by Yusuke Suzuki.
* runtime/StructureIDTable.h:
2021-08-19 Tim Nguyen <ntim@apple.com>
Implement ::backdrop pseudo element
https://bugs.webkit.org/show_bug.cgi?id=227801
Reviewed by Antti Koivisto.
This adds UA styles, RenderTreeBuilder support and WebInspector support for ::backdrop.
Some imported blink tests now start passing, some still need proper top layer support.
* inspector/protocol/CSS.json:
2021-08-18 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Remove op_has_indexed_property related code
https://bugs.webkit.org/show_bug.cgi?id=229271
Reviewed by Saam Barati.
After our new for-in protocol, op_has_indexed_property is removed.
As a result, we can remove many ByValInfo code that is used only
for op_has_indexed_property.
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::emitLoadForArrayMode): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::privateCompileHasIndexedProperty): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty): Deleted.
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad): Deleted.
(JSC::JIT::emitContiguousLoad): Deleted.
(JSC::JIT::emitArrayStorageLoad): Deleted.
2021-08-18 Michael Catanzaro <mcatanzaro@gnome.org>
REGRESSION(r280382): [GTK] 2.33.3 does not build with gtk-doc enabled, installs broken pkg-config files
https://bugs.webkit.org/show_bug.cgi?id=229152
Reviewed by Philippe Normand.
* PlatformGTK.cmake:
* javascriptcoregtk.pc.in:
2021-08-17 Saam Barati <sbarati@apple.com>
Add an option for canonicalizePrePostIncrements
https://bugs.webkit.org/show_bug.cgi?id=229211
<rdar://problem/82050126>
Reviewed by Mark Lam.
The current phase has bugs. Let's disable it for now until the bugs
are fixed. See discussion about the bugs I spotted in:
https://bugs.webkit.org/show_bug.cgi?id=228538
* b3/B3Generate.cpp:
(JSC::B3::generateToAir):
* b3/testb3_3.cpp:
(addShrTests):
* runtime/OptionsList.h:
2021-08-16 Mark Lam <mark.lam@apple.com>
Ensure that unused LLInt opcodes are not inadvertently used.
https://bugs.webkit.org/show_bug.cgi?id=229161
Reviewed by Robin Morisset.
The op macro is used for generating LLInt asm code for some entry points to the
LLInt, where we don't need 16 bits and 32 bit wide versions of the entry point.
For example, we use it for llint_program_prologue.
Note that llint_program_prologue is generated using:
op(llint_program_prologue, macro () ...
where op is:
macro op(l, fn)
commonOp(l, macro () end, macro (size)
size(fn, macro() end, macro() end, macro(gen) gen() end)
# ^ ^----- wide32 generator
# `------------------ wide16 generator
end)
end
Note that the generators for the wide16 and wide32 versions of the entry point
currently emit nothing. As a result, if we ever have a bug that ends up
dispatching to llint_program_prologue_wide16 or llint_program_prologue_wide32,
we'll end up falling thru to llint_module_program_prologue, which just happens
to be the entry point positioned after those labels.
This patch adds breakpoints in those 2 unused generators so that we won't
inadvertently execute code for something else.
* llint/LowLevelInterpreter.asm:
2021-08-15 Yijia Huang <yijia_huang@apple.com>
[ARM64] Add Pre/Post-Indexed Address Mode to Air for ARM64 (Store Instruction)
https://bugs.webkit.org/show_bug.cgi?id=228538
Reviewed by Filip Pizlo.
The previous patch has introduced the pre/post-index address mode for Load instruction,
which benefits loop program. Here, this patch adds the corresponding mode for Store
instruction. Store Register (immediate) stores a word or a doubleword from a register
to memory. The address that is used for the store is calculated from a base register
and an immediate offset.
######################################
## Pre-Index Address Mode For Store ##
######################################
STR Wt, [Xn, #imm]!
In B3 Reduction Strength, since we have this reduction rule:
Turns this: Store(value, Add(address, offset1), offset = offset2)
Into this: Store(value, address, offset = offset1 + offset2)
The equivalent pattern is:
address = Add(base, offset)
...
memory = Store(value, base, offset)
Here, we only consider the pattern:
address = Add(base, offset)
memory = Store(value, base, offset)
And, this patch directly treats it as the canonical form. Ideally, we should move
memory to just after the address like what we did for PreIndex Load in the previous
patch. But, we cannot provide a better way to do that since the value may be
used between address and memory. To move value upward, we must move all descendants
of the value along with it to prevent B3 IR index violations, which is risky and expensive.
Next, lower to Air:
Move %base, %address
Move %value, (%address, prefix(offset))
######################################
## Post-Index Address Mode For Load ##
######################################
STR Wt, [Xn], #imm
Then, the equivalent pattern is:
memory = Store(value, base, 0)
...
address = Add(base, offset)
First, we convert it to the canonical form:
newOffset = Constant
newAddress = Add(base, offset)
memory = Store(value, base, 0) // move the offset and address to just before the memory
...
offset = Identity(newOffset)
address = Identity(newAddress)
Next, lower to Air:
Move %base, %newAddress
Move %value, (%newAddress, postfix(offset))
##############################################
## Test for Pre/Post-Increment Address Mode ##
##############################################
B3 IR:
------------------------------------------------------
Int64 b@0 = ArgumentReg(%x0)
Int64 b@1 = ArgumentReg(%x1)
Int64 b@2 = Const64(8)
Int64 b@3 = Add(b@0, $8(b@2))
Void b@4 = Store(b@1, b@3, ControlDependent|Writes:Top)
Void b@5 = Return(b@3, Terminal)
------------------------------------------------------
W/O Pre-Increment Address Mode:
------------------------------------------------------
Move %x0, %x2, b@0
Add64 $8, %x2, %x0, b@3
Move %x1, 8(%x2), b@4
Ret64 %x0, b@5
------------------------------------------------------
W/ Pre-Increment Address Mode:
------------------------------------------------------
MoveWithIncrement64 %x1, (%x0,Pre($8)), b@4
Ret64 %x0, b@5
------------------------------------------------------
B3 IR:
------------------------------------------------------
Int64 b@0 = ArgumentReg(%x0)
Int64 b@1 = ArgumentReg(%x1)
Void b@2 = Store(b@1, b@0, ControlDependent|Writes:Top)
Int64 b@3 = Const64(8)
Int64 b@4 = Add(b@0, $8(b@3))
Void b@5 = Return(b@4, Terminal)
------------------------------------------------------
W/O Post-Increment Address Mode:
------------------------------------------------------
Move %x1, (%x0), b@2
Add64 $8, %x0, %x0, b@4
Ret64 %x0, b@5
------------------------------------------------------
W/ Post-Increment Address Mode:
------------------------------------------------------
MoveWithIncrement64 %x1, (%x0,Post($8)), b@2
Ret64 %x0, b@5
------------------------------------------------------
* b3/B3CanonicalizePrePostIncrements.cpp:
(JSC::B3::canonicalizePrePostIncrements):
* b3/B3LowerToAir.cpp:
* b3/testb3.h:
* b3/testb3_3.cpp:
(testStorePreIndex32):
(testStorePreIndex64):
(testStorePostIndex32):
(testStorePostIndex64):
(addShrTests):
2021-08-13 Keith Miller <keith_miller@apple.com>
EnumeratorNextUpdatePropertyName always needs to be able to handle IndexedMode
https://bugs.webkit.org/show_bug.cgi?id=229087
Reviewed by Filip Pizlo.
Right now, this operation incorrectly assumes that EnumeratorNextUpdateIndexAndMode will guarantee
the mode matches the seen mode set. But no speculation is guaranteed and adding such a guarantee
would require adding checkpoints, which is likely not worth it. Instead, this patch just makes
sure we always handle the allocation for IndexedMode.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdatePropertyName):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2021-08-12 Mark Lam <mark.lam@apple.com>
Refactor some ARM64EHash code.
https://bugs.webkit.org/show_bug.cgi?id=229054
Reviewed by Keith Miller and Robin Morisset.
This patch only refactors ARM64EHash code by moving some methods into the private
section, and removing some unneeded static_casts.
Verified with a diff of `otool -tv` dumps of the built JavaScriptCore binaries,
that there are no diffs in the generated code from this change.
* assembler/AssemblerBuffer.h:
(JSC::ARM64EHash::ARM64EHash):
(JSC::ARM64EHash::update):
(JSC::ARM64EHash::makeDiversifier):
(JSC::ARM64EHash::nextValue):
(JSC::ARM64EHash::bitsForDiversifier):
(JSC::ARM64EHash::currentHash):
2021-08-12 Saam Barati <sbarati@apple.com>
Update ARM64EHash
https://bugs.webkit.org/show_bug.cgi?id=228962
<rdar://79883337>
Reviewed by Mark Lam.
* assembler/AssemblerBuffer.h:
(JSC::ARM64EHash::makeDiversifier):
(JSC::ARM64EHash::nextValue):
(JSC::ARM64EHash::bitsForDiversifier):
(JSC::ARM64EHash::currentHash):
(JSC::ARM64EHash::setUpdatedHash):
(JSC::ARM64EHash::ARM64EHash):
(JSC::ARM64EHash::update):
(JSC::ARM64EHash::finalize):
(JSC::AssemblerBuffer::AssemblerBuffer):
(JSC::AssemblerBuffer::putIntegralUnchecked):
(JSC::AssemblerBuffer::hash const):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
2021-08-11 Yusuke Suzuki <ysuzuki@apple.com>
WTFCrash in JSC::Lexer<char16_t>::append8
https://bugs.webkit.org/show_bug.cgi?id=228982
Reviewed by Mark Lam.
sourceURL / sourceMapURL directive should not assume Latin1 characters.
* parser/Lexer.cpp:
(JSC::Lexer<T>::parseCommentDirectiveValue):
2021-08-10 Keith Miller <keith_miller@apple.com>
CallFrame::returnPC should untag the return address before passing it to ReturnAddressPtr
https://bugs.webkit.org/show_bug.cgi?id=228931
Reviewed by Mark Lam.
Right now current debugging code expects that the JS return PC on
the stack is already unsigned. This is not true on arm64e.
This patch now properly unsigns the return PC before passing it to
the ReturnAddressPC constructor.
* assembler/MacroAssemblerCodeRef.h:
(JSC::ReturnAddressPtr::fromTaggedPC):
* interpreter/AbstractPC.cpp:
(JSC::AbstractPC::AbstractPC):
* interpreter/AbstractPC.h:
(JSC::AbstractPC::AbstractPC):
(JSC::AbstractPC::jitReturnAddress const):
* interpreter/CallFrame.h:
(JSC::CallFrame::returnPC const):
2021-08-10 Kimmo Kinnunen <kkinnunen@apple.com>
Scripts/generate-derived-sources.sh: line 19: [: binary operator expected while building Source/WebKit
https://bugs.webkit.org/show_bug.cgi?id=228908
Reviewed by Per Arne Vollan.
* Scripts/generate-derived-sources.sh:
Quote the use of CC so that future copy-paste does not make the same mistake
as this bug.
2021-08-09 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] super-Latin1 white space and line terminator after regular expression literal misinterpreted as flags
https://bugs.webkit.org/show_bug.cgi?id=227944
Reviewed by Alexey Shvayka.
There are non-Latin1 white-spaces and line-terminators, but Lexer::scanRegExp's code did not assume that.
As a result, if there is a non-Latin1 white-spaces or line-terminators after RegExp, we raise SyntaxError
while this is valid. This patch fixes that.
* parser/Lexer.cpp:
(JSC::Lexer<T>::scanRegExp):
2021-08-09 Michael Catanzaro <mcatanzaro@gnome.org>
Fix yet another -Wreturn-type warning
https://bugs.webkit.org/show_bug.cgi?id=228928
Unreviewed.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByValImpl):
2021-08-09 Yijia Huang <yijia_huang@apple.com>
[ARM64] Clean up and fix Pre/Post-Indexed Address Mode to Air for ARM64 (Load Instruction)
https://bugs.webkit.org/show_bug.cgi?id=228890
Reviewed by Keith Miller.
This patch cleans up and does minor fix to the previous patch (https://bugs.webkit.org/show_bug.cgi?id=228047).
For the modifications in b3/B3Generate.cpp and b3/B3CanonicalizePrePostIncrements.cpp, we
need to convert post-index candidates to the canonical form. So, the address value needs to
be moved immediately before the load. This is subject to the dominance constraints that add
must be controlled equivalent to the load. So, similarly, if we need to move the offset to
just before the load, the dominance constraints must be satisfied. Since it is a constant
value, a better approach is to add a new constant value before the memory value. Then,
eliminate the dead code.
There is a bug in b3/B3CanonicalizePrePostIncrements.cpp. The insertionSet.execute(BasicBlock)
will reorder value indexes in the basic block. So, we should re-search for the value index in
the block every time after the execution.
In b3/B3LowerToAir.cpp, we need m_locked checks on address and base values. If they are already
locked, there is no need to convert the Load instruction to the pre/post-increment form.
* b3/B3CanonicalizePrePostIncrements.cpp:
(JSC::B3::canonicalizePrePostIncrements):
* b3/B3Generate.cpp:
(JSC::B3::generateToAir):
* b3/B3LowerToAir.cpp:
* b3/air/AirArg.h:
(JSC::B3::Air::Arg::isValidIncrementIndexForm):
(JSC::B3::Air::Arg::isValidForm const):
(JSC::B3::Air::Arg::isValidPreIndexForm): Deleted.
(JSC::B3::Air::Arg::isValidPostIndexForm): Deleted.
* b3/air/opcode_generator.rb:
2021-08-09 Keith Miller <keith_miller@apple.com>
Revert bad assert about the number of upsilons going into a phi
https://bugs.webkit.org/show_bug.cgi?id=228922
Reviewed by Yusuke Suzuki.
This assert was invalid because we sometimes emit unreachable phis
that don't have any incoming upsilons. Specifically for MultiGetByOffset.
* ftl/FTLOutput.h:
(JSC::FTL::Output::phi):
2021-08-09 Michael Catanzaro <mcatanzaro@gnome.org>
Adding missing REFERENCED_FROM_ASM annotations to facilitate LTO
https://bugs.webkit.org/show_bug.cgi?id=228865
Reviewed by Yusuke Suzuki.
When investigating why WebKitGTK fails to build with LTO (link-time optimization) enabled,
one of the GCC developers noticed that we are missing __attribute__ (("used")) on several
C++ functions declared in LLIntSlowPaths.h and WasmSlowPaths.h that are called only from
asm. Without this attribute, GCC assumes the functions are unused and drops them, then
linking fails because they really are used.
* llint/LLIntSlowPaths.h:
* wasm/WasmSlowPaths.h:
2021-08-07 Michael Catanzaro <mcatanzaro@gnome.org>
Fix ODR violations in JSC
https://bugs.webkit.org/show_bug.cgi?id=228876
Reviewed by Yusuke Suzuki.
When built with LTO enabled, GCC will warn about violations of C++'s one-definition rule.
JSC currently has two violations. The first is JSC::SpeciesConstructResult, which has two
different declarations, one in ArrayPrototype.cpp and the other in
JSArrayBufferPrototype.cpp. I decided to change the version in ArrayPrototype.cpp to make
the declarations match.
The next problem is JSC::SignalContext. We have two different versions of this struct, one
in VMTraps.cpp and the other in SigillCrashAnalyzer.cpp. In this case, I decided to change
the one in VMTraps.cpp from JSC::SignalContext to JSC::VMTraps::SignalContext.
* runtime/ArrayPrototype.cpp:
* runtime/VMTraps.cpp:
(JSC::VMTraps::tryInstallTrapBreakpoints):
* runtime/VMTraps.h:
2021-08-07 Keith Miller <keith_miller@apple.com>
for-in should only emit one loop in bytecode
https://bugs.webkit.org/show_bug.cgi?id=227989
Reviewed by Yusuke Suzuki.
This patch redesigns how we implement for-in loops. Before this patch we would emit three copies of the for-in loop body. One for the indexed properties, one for the named-own properties, and one for generic properties (anything else). This had a couple of problems. Firstly, it meant bytecode size grew exponentially to number of nested for-in loops. This in turn meant DFG/FTL compilation took much longer.
Going off our experience with fast for-of, this patch turns for-in loops specializations into
a "fused" opcode that internally switches on the enumeration mode it currently sees. For example, if we are enumerating an own-named property, the new enumerator_get_by_val bytecode will check the enumerator cell's cached structure matches the base's then load the property offset directly.
There are four new opcodes this patch adds, which replace the various operations we had for the specialized loops previously. The new opcodes are EnumeratorGetByVal, EnumeratorInByVal, EnumeratorHasOwnProperty, and EnumeratorNext. The first three correspond to GetByVal, InByVal, and HasOwnProperty respectively. The EnumeratorNext opcode has three results in bytecode, the next enumeration value's mode, the index of the property name, and the property name string itself. When enumeration is done EnumeratorNext returns JS null as the property name string. Since the DFG doesn't support tuples yet this opcode is spilt into four new nodes. The first computes the updated index and mode for the next enumeration key, which is encoded into a single JS number. Then there are two nodes that extract the mode and index. Finally, the last new node produces the property name string or null based on the extracted mode and index.
Since, in most benchmarks, any given enumeration opcode tends to profile exactly one enumeration mode. This patch focuses primarily on reimplementing all the optimizations we have for any one specific mode. This means there are still potential optimizations for the multi-mode flavors of each new opcode.
The main optimizations implemented for each new opcode are:
EnumeratorNext:
1) IndexedMode loops are loaded and checked for presence inline (DFG/FTL).
2) NamedMode is computed inline as long as the cached structure on the enumerator cell matches the base (Baseline+). This can only differ if there's a transition.
3) property names are extracted from the cached buffer inline (Baseline+).
EnumeratorGetByVal:
EnumeratorInByVal:
EnumeratorHasOwnProperty:
1) IndexedMode has all the optimizations of a normal XByVal on indexed properties (DFG/FTL).
2) NamedMode will extract the value directly from the inline/out-of-line offset if the structure matches the enumerator's (Baseline+).
There are also a few interesting changes worth mentioning here:
1) If a for-in loop would produce an empty enumerator we now always
return the VMs empty enumerator. This has two benefits, most importantly, it distingishes between an unprofiled for-in loop and empty enumeration, which prevents OSR exit loops. Also, it means that the various Enumerator opcodes no longer need to handle undefined/null when `toObject`ing the base value.
2) The enumerator now contains a bit set of all the modes it will produce. This removes a few extra branches when speculating on the modes we will see in EnumeratorNext.
3) In the DFG, enumerator GetByVal relies on compileGetByVal to set the result it also passes a prefix callback which emits code after the various cases set up their operands but before code is emitting to help satisfy the branch over register allocation validation. Also, the array mode branch in compileGetByVal passes the data format that it would prefer, which for normal GetByVal is returned. For EnumeratorGetByVal, that preference is completely ignored and it always returns DataFormatJS.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::or8):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::or8):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::rshift64):
(JSC::MacroAssemblerX86_64::or8): Deleted.
* builtins/BuiltinNames.h:
* bytecode/BytecodeList.rb:
* bytecode/BytecodeUseDef.cpp:
(JSC::computeUsesForBytecodeIndexImpl):
(JSC::computeDefsForBytecodeIndexImpl):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/LinkTimeConstant.h:
* bytecode/Opcode.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::recordHasOwnPropertyInForInLoop):
(JSC::BytecodeGenerator::emitInByVal):
(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::emitEnumeratorNext):
(JSC::BytecodeGenerator::emitEnumeratorHasOwnProperty):
(JSC::BytecodeGenerator::pushForInScope):
(JSC::BytecodeGenerator::popForInScope):
(JSC::rewriteOp):
(JSC::ForInContext::finalize):
(JSC::BytecodeGenerator::findForInContext):
(JSC::BytecodeGenerator::recordHasOwnStructurePropertyInForInLoop): Deleted.
(JSC::BytecodeGenerator::emitGetEnumerableLength): Deleted.
(JSC::BytecodeGenerator::emitHasEnumerableIndexedProperty): Deleted.
(JSC::BytecodeGenerator::emitHasEnumerableStructureProperty): Deleted.
(JSC::BytecodeGenerator::emitHasEnumerableProperty): Deleted.
(JSC::BytecodeGenerator::emitHasOwnStructureProperty): Deleted.
(JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName): Deleted.
(JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName): Deleted.
(JSC::BytecodeGenerator::emitToIndexString): Deleted.
(JSC::BytecodeGenerator::pushIndexedForInScope): Deleted.
(JSC::BytecodeGenerator::popIndexedForInScope): Deleted.
(JSC::BytecodeGenerator::pushStructureForInScope): Deleted.
(JSC::BytecodeGenerator::popStructureForInScope): Deleted.
(JSC::StructureForInContext::finalize): Deleted.
(JSC::IndexedForInContext::finalize): Deleted.
(JSC::BytecodeGenerator::findStructureForInContext): Deleted.
* bytecompiler/BytecodeGenerator.h:
(JSC::ForInContext::isValid const):
(JSC::ForInContext::invalidate):
(JSC::ForInContext::local const):
(JSC::ForInContext::propertyName const):
(JSC::ForInContext::propertyOffset const):
(JSC::ForInContext::enumerator const):
(JSC::ForInContext::mode const):
(JSC::ForInContext::ForInContext):
(JSC::ForInContext::bodyBytecodeStartOffset const):
(JSC::ForInContext::type const): Deleted.
(JSC::ForInContext::isIndexedForInContext const): Deleted.
(JSC::ForInContext::isStructureForInContext const): Deleted.
(JSC::ForInContext::asIndexedForInContext): Deleted.
(JSC::ForInContext::asStructureForInContext): Deleted.
(JSC::StructureForInContext::StructureForInContext): Deleted.
(JSC::StructureForInContext::index const): Deleted.
(JSC::StructureForInContext::property const): Deleted.
(JSC::StructureForInContext::enumerator const): Deleted.
(JSC::StructureForInContext::baseVariable const): Deleted.
(JSC::StructureForInContext::addGetInst): Deleted.
(JSC::StructureForInContext::addInInst): Deleted.
(JSC::StructureForInContext::addHasOwnPropertyJump): Deleted.
(JSC::IndexedForInContext::IndexedForInContext): Deleted.
(JSC::IndexedForInContext::index const): Deleted.
(JSC::IndexedForInContext::addGetInst): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::HasOwnPropertyFunctionCallDotNode::emitBytecode):
(JSC::ForInNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::isSaneChain const):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::injectOSR):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::setJSArraySaneChainIfPossible):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGIntegerRangeOptimizationPhase.cpp:
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasStorageChild const):
(JSC::DFG::Node::storageChildIndex):
(JSC::DFG::Node::hasArrayMode):
(JSC::DFG::Node::hasEnumeratorMetadata const):
(JSC::DFG::Node::enumeratorMetadata):
* dfg/DFGNodeType.h:
* dfg/DFGOpInfo.h:
(JSC::DFG::OpInfo::OpInfo):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::handleNode):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
(JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdateIndexAndMode):
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextExtractIndex):
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextExtractMode):
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdatePropertyName):
(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal):
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
(JSC::DFG::SpeculativeJIT::compileEnumeratorInByVal):
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasOwnProperty):
(JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
(JSC::DFG::SpeculativeJIT::compileGetEnumerableLength): Deleted.
(JSC::DFG::SpeculativeJIT::compileHasEnumerableProperty): Deleted.
(JSC::DFG::SpeculativeJIT::compileToIndexString): Deleted.
(JSC::DFG::SpeculativeJIT::compileHasEnumerableStructureProperty): Deleted.
(JSC::DFG::SpeculativeJIT::compileHasOwnStructurePropertyImpl): Deleted.
(JSC::DFG::SpeculativeJIT::compileHasOwnStructureProperty): Deleted.
(JSC::DFG::SpeculativeJIT::compileInStructureProperty): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetEnumeratorPname): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetDirectPname): Deleted.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::allocate):
(JSC::DFG::JSValueOperand::regs):
(JSC::DFG::JSValueOperand::gpr):
(JSC::DFG::StorageOperand::StorageOperand):
(JSC::DFG::StorageOperand::~StorageOperand):
(JSC::DFG::StorageOperand::emplace):
(JSC::DFG::JSValueRegsTemporary::operator bool):
(JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByVal):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByVal):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByValImpl):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAtImpl):
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* ftl/FTLOutput.h:
(JSC::FTL::Output::phi):
* generator/DSL.rb:
* interpreter/Register.h:
* interpreter/RegisterInlines.h:
(JSC::Register::operator=):
* jit/AssemblyHelpers.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emit_op_has_structure_propertyImpl): Deleted.
(JSC::JIT::emit_op_has_enumerable_structure_property): Deleted.
(JSC::JIT::emit_op_has_own_structure_property): Deleted.
(JSC::JIT::emit_op_in_structure_property): Deleted.
(JSC::JIT::emit_op_has_enumerable_indexed_property): Deleted.
(JSC::JIT::emitSlow_op_has_enumerable_indexed_property): Deleted.
(JSC::JIT::emit_op_get_direct_pname): Deleted.
(JSC::JIT::emit_op_enumerator_structure_pname): Deleted.
(JSC::JIT::emit_op_enumerator_generic_pname): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emit_op_has_structure_propertyImpl): Deleted.
(JSC::JIT::emit_op_has_enumerable_structure_property): Deleted.
(JSC::JIT::emit_op_has_own_structure_property): Deleted.
(JSC::JIT::emit_op_in_structure_property): Deleted.
(JSC::JIT::emit_op_has_enumerable_indexed_property): Deleted.
(JSC::JIT::emitSlow_op_has_enumerable_indexed_property): Deleted.
(JSC::JIT::emit_op_get_direct_pname): Deleted.
(JSC::JIT::emit_op_enumerator_structure_pname): Deleted.
(JSC::JIT::emit_op_enumerator_generic_pname): Deleted.
* jit/JITPropertyAccess.cpp:
(JSC::JIT::generateGetByValSlowCase):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_enumerator_next):
(JSC::JIT::emit_op_enumerator_get_by_val):
(JSC::JIT::emitSlow_op_enumerator_get_by_val):
(JSC::JIT::emit_enumerator_has_propertyImpl):
(JSC::JIT::emit_op_enumerator_in_by_val):
(JSC::JIT::emit_op_enumerator_has_own_property):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_enumerator_next):
(JSC::JIT::emit_op_enumerator_get_by_val):
(JSC::JIT::emitSlow_op_enumerator_get_by_val):
(JSC::JIT::emit_op_enumerator_in_by_val):
(JSC::JIT::emit_op_enumerator_has_own_property):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* runtime/CommonSlowPaths.h:
* runtime/FileBasedFuzzerAgent.cpp:
(JSC::FileBasedFuzzerAgent::getPredictionInternal):
* runtime/FileBasedFuzzerAgentBase.cpp:
(JSC::FileBasedFuzzerAgentBase::opcodeAliasForLookupKey):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
(JSC::JSPropertyNameEnumerator::computeNext):
* runtime/JSPropertyNameEnumerator.h:
(JSC::propertyNameEnumerator):
* runtime/PredictionFileCreatingFuzzerAgent.cpp:
(JSC::PredictionFileCreatingFuzzerAgent::getPredictionInternal):
2021-08-06 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, build fix on Debug build
https://bugs.webkit.org/show_bug.cgi?id=228810
* yarr/YarrJIT.h:
(JSC::Yarr::BoyerMooreBitmap::addCharacters):
(JSC::Yarr::BoyerMooreBitmap::addRanges):
2021-08-06 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Yarr's character tracking for BoyerMoore search should be more precise
https://bugs.webkit.org/show_bug.cgi?id=228810
Reviewed by Saam Barati.
We should track up to 2 candidate characters without masking, so
that we can search a character without masking. To track candidates,
we introduce BoyerMooreCharacterCandidates.
We also add support for m_table because m_table can be used
for important CharacterClass like `\s`, and still that does not have
many character candidates if the mode is Char8.
To make `\s` work on Char8 case, we use Char8 / Char16 information
to filter characters that never appears in BoyreMoore search bitmap
construction.
* yarr/YarrJIT.cpp:
(JSC::Yarr::BoyerMooreInfo::BoyerMooreInfo):
(JSC::Yarr::BoyerMooreInfo::set):
(JSC::Yarr::BoyerMooreInfo::addCharacters):
(JSC::Yarr::BoyerMooreInfo::addRanges):
(JSC::Yarr::BoyerMooreInfo::create):
(JSC::Yarr::BoyerMooreInfo::createCandidateBitmap const):
* yarr/YarrJIT.h:
(JSC::Yarr::BoyerMooreCharacterCandidates::isValid const):
(JSC::Yarr::BoyerMooreCharacterCandidates::invalidate):
(JSC::Yarr::BoyerMooreCharacterCandidates::isEmpty const):
(JSC::Yarr::BoyerMooreCharacterCandidates::size const):
(JSC::Yarr::BoyerMooreCharacterCandidates::at const):
(JSC::Yarr::BoyerMooreCharacterCandidates::add):
(JSC::Yarr::BoyerMooreCharacterCandidates::merge):
(JSC::Yarr::BoyerMooreBitmap::characterCandidates const):
(JSC::Yarr::BoyerMooreBitmap::add):
(JSC::Yarr::BoyerMooreBitmap::addCharacters):
(JSC::Yarr::BoyerMooreBitmap::addRanges):
(JSC::Yarr::BoyerMooreBitmap::isMaskEffective const): Deleted.
2021-08-05 Mikhail R. Gadelha <mikhail@igalia.com>
Assertion failure when checking array in DFG (32 bits)
https://bugs.webkit.org/show_bug.cgi?id=228839
Reviewed by Yusuke Suzuki.
Since empty values don't pass the cell check in 32 bits, we need to
guard the SpecEmpty check to only happen in 64 bits archs
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):
2021-08-05 Robin Morisset <rmorisset@apple.com>
REGRESSION (r280507): ASSERTION FAILED: !undominatedPhis.contains(value) in JSC::B3::(anonymous namespace)::Validater::validatePhisAreDominatedByUpsilons()
https://bugs.webkit.org/show_bug.cgi?id=228838
<rdar://problem/81579314>
Reviewed by Geoffrey Garen.
When I added validation of the dominance of Phis by their Upsilons, I checked two things:
- There is no path from the entry point to a Phi without going through a corresponding Upsilon (the actual dominance check)
- There is no way to execute a Phi twice without going through a corresponding Upsilon in between
The second property is not actually true in B3 IR, I had misunderstood that part of the meaning of Phis/Upsilons.
So this patch just removes this second check.
It has no security/stability/performance implication: this is validation code, which runs automatically in debug mode, but should not run at all on customer machines.
* b3/B3Validate.cpp:
2021-08-05 Michael Catanzaro <mcatanzaro@gnome.org>
GCC 11 builds should use -Wno-array-bounds, -Wno-nonnull
https://bugs.webkit.org/show_bug.cgi?id=228601
Reviewed by Carlos Garcia Campos.
* b3/air/AirAllocateRegistersByGraphColoring.cpp:
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
2021-08-05 Zan Dobersek <zdobersek@igalia.com>
Use reinterpret_cast_ptr in KeywordLookupGenerator, PropertyMapHashTable
https://bugs.webkit.org/show_bug.cgi?id=228819
Reviewed by Adrian Perez de Castro.
Switch to using reinterpret_cast_ptr in KeywordLookupGenerator (which
generates the KeywordLookup.h header) and PropertyMapHashTable, reducing
a bit the GCC warning spewage when compiling for targets benefitting
from the reinterpret_cast_ptr workaround.
* KeywordLookupGenerator.py:
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::table):
(JSC::PropertyTable::table const):
2021-08-04 Yijia Huang <yijia_huang@apple.com>
[ARM64] Fix Zoom black screen during video meeting on Safari
https://bugs.webkit.org/show_bug.cgi?id=228776
Reviewed by Saam Barati.
The problem (rdar://81434487) reports that Zoom turns to a black screen during the video
meeting on Safari. The reproduction of this problem is verified and bisected to the previous patch
(https://bugs.webkit.org/show_bug.cgi?id=228057). Previously, we introduce a pattern
matching for instruction EON-with-shift on ARM64, where the pattern is d = n ^ ((m ShiftType amount) ^ -1).
x = m ShiftType amount
y = x ^ -1
z = n ^ y
We check canBeInternal() on x but not on y based on the computing cost analysis in that patch,
which is totally wrong. If the pattern matching is triggered, then the compiler would not emit
the corresponding Air of x after lowering, leading to data corruption or system crash since y
depends on x.
In the real world example (Zoom video meeting), we find the B3 IR:
...
Int32 b@528 = SShr(b@526, $31(b@527), Wasm: {opcode: I32ShrS, location: 0x26b})
Int32 b@529 = BitXor(b@528, $-1(b@144), Wasm: {opcode: I32Xor, location: 0x26e})
...
Int32 b@551 = BitXor(b@446, b@529, Wasm: {opcode: I32Xor, location: 0x28e})
...
After Lowering to Air:
...
Not32 %fp, %x2, b@529
...
XorNotRightShift32 %tmp199, %tmp211, $31, %tmp209, b@551
...
Since the implementation of the previous patch does commitInternal() on b@528, the operand of
b@529 turns to a frame pointer. To resolve this problem, we should either check canBeInternal()
on both b@528 and b@529 or not at all.
* b3/B3LowerToAir.cpp:
2021-08-04 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r280609.
https://bugs.webkit.org/show_bug.cgi?id=228791
Broke JSC tests on iOS.
Reverted changeset:
"[ARM64] Use link register instead of pinning a register for
materializing big load constants"
https://bugs.webkit.org/show_bug.cgi?id=228710
https://commits.webkit.org/r280609
2021-08-03 Yijia Huang <yijia_huang@apple.com>
[ARM64] Use link register instead of pinning a register for materializing big load constants
https://bugs.webkit.org/show_bug.cgi?id=228710
Reviewed by Mark Lam.
Previously, we pin a register as a temp for materializing a large constant that cannot fit in
Load/Store imm form. This is not efficient since the register allocator has one less register
to allocate from. To solve this problem, we should switch to using the link register as the temp
on ARM64.
* b3/B3Common.cpp:
(JSC::B3::linkRegister):
(JSC::B3::pinnedExtendedOffsetAddrRegister): Deleted.
* b3/B3Common.h:
* b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
(JSC::B3::Air::callFrameAddr):
* b3/air/AirCode.cpp:
(JSC::B3::Air::Code::Code):
* b3/air/AirLowerStackArgs.cpp:
(JSC::B3::Air::lowerStackArgs):
2021-08-02 Yijia Huang <yijia_huang@apple.com>
Add a new pattern to instruction selector to utilize UMULL supported by ARM64
https://bugs.webkit.org/show_bug.cgi?id=228721
Reviewed by Saam Barati.
Unsigned Multiply Long (UMULL) multiplies two 32-bit register values, and writes the
result to the destination register. This instruction is an alias of the UMADDL instruction.
umull xd wn wm
The equivalent pattern is: d = ZExt32(n) * ZExt32(m)
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = Trunc(@0)
Int @2 = ArgumentReg(%x1)
Int @3 = Trunc(@2)
Int @4 = ZExt32(@1)
Int @5 = ZExt32(@3)
Int @6 = Mul(@4, @5)
Void@7 = Return(@6, Terminal)
// Old optimized AIR
Move %x0, %x0, @4
Move %x1, %x1, @5
Mul %x0, %x1, %x0, @6
Ret %x0, @7
// New optimized AIR
MultiplyZeroExtend %x0, %x1, %x0, @6
Ret %x0, @7
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::multiplyZeroExtend32):
* assembler/testmasm.cpp:
(JSC::testMultiplyZeroExtend32):
* b3/B3LowerToAir.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testMulArgs32SignExtend):
(testMulArgs32ZeroExtend):
* b3/testb3_3.cpp:
(addArgTests):
2021-08-02 Yijia Huang <yijia_huang@apple.com>
Add new patterns to instruction selector to utilize AND/EOR/ORR-with-shift supported by ARM64
https://bugs.webkit.org/show_bug.cgi?id=228675
Reviewed by Saam Barati.
Bitwise AND (shifted register) performs a bitwise AND of a register value and an optionally-shifted
register value, and writes the result to the destination register.
and wd wn wm ShiftType #amount
The equivalent pattern is: n & (m ShiftType amount)
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = ArgumentReg(%x1)
Int @2 = Const32(63)
Int @3 = Shl(@1, $63(@2))
Int @4 = BitAnd(@0, @3)
Void@5 = Return(@4, Terminal)
// Old optimized AIR
Lshift %x1, $63, %x1, @3
And %x0, %x1, %x0, @4
Ret %x0, @5
// New optimized AIR
AndLeftShift %x0, %x1, $63, %x0, @4
Ret %x0, @5
Bitwise Exclusive OR (shifted register) performs a bitwise Exclusive OR of a register value and an
optionally-shifted register value, and writes the result to the destination register.
eor wd wn wm ShiftType #amount
The equivalent pattern is: n ^ (m ShiftType amount)
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = ArgumentReg(%x1)
Int @2 = Const32(63)
Int @3 = Shl(@1, $63(@2))
Int @4 = BitXor(@0, @3)
Void@5 = Return(@4, Terminal)
// Old optimized AIR
Lshift %x1, $63, %x1, @3
Xor %x0, %x1, %x0, @4
Ret %x0, @5
// New optimized AIR
XorLeftShift %x0, %x1, $63, %x0, @4
Ret %x0, @5
Bitwise OR (shifted register) performs a bitwise (inclusive) OR of a register value and an
optionally-shifted register value, and writes the result to the destination register.
orr wd wn wm ShiftType #amount
The equivalent pattern is: n | (m ShiftType amount)
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = ArgumentReg(%x1)
Int @2 = Const32(63)
Int @3 = Shl(@1, $63(@2))
Int @4 = BitOr(@0, @3)
Void@5 = Return(@4, Terminal)
// Old optimized AIR
Lshift %x1, $63, %x1, @3
Or %x0, %x1, %x0, @4
Ret %x0, @5
// New optimized AIR
OrLeftShift %x0, %x1, $63, %x0, @4
Ret %x0, @5
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::andLeftShift32):
(JSC::MacroAssemblerARM64::andRightShift32):
(JSC::MacroAssemblerARM64::andUnsignedRightShift32):
(JSC::MacroAssemblerARM64::andLeftShift64):
(JSC::MacroAssemblerARM64::andRightShift64):
(JSC::MacroAssemblerARM64::andUnsignedRightShift64):
(JSC::MacroAssemblerARM64::xorLeftShift32):
(JSC::MacroAssemblerARM64::xorRightShift32):
(JSC::MacroAssemblerARM64::xorUnsignedRightShift32):
(JSC::MacroAssemblerARM64::xorLeftShift64):
(JSC::MacroAssemblerARM64::xorRightShift64):
(JSC::MacroAssemblerARM64::xorUnsignedRightShift64):
(JSC::MacroAssemblerARM64::orLeftShift32):
(JSC::MacroAssemblerARM64::orRightShift32):
(JSC::MacroAssemblerARM64::orUnsignedRightShift32):
(JSC::MacroAssemblerARM64::orLeftShift64):
(JSC::MacroAssemblerARM64::orRightShift64):
(JSC::MacroAssemblerARM64::orUnsignedRightShift64):
* assembler/testmasm.cpp:
(JSC::testAndLeftShift32):
(JSC::testAndRightShift32):
(JSC::testAndUnsignedRightShift32):
(JSC::testAndLeftShift64):
(JSC::testAndRightShift64):
(JSC::testAndUnsignedRightShift64):
(JSC::testXorLeftShift32):
(JSC::testXorRightShift32):
(JSC::testXorUnsignedRightShift32):
(JSC::testXorLeftShift64):
(JSC::testXorRightShift64):
(JSC::testXorUnsignedRightShift64):
(JSC::testOrLeftShift32):
(JSC::testOrRightShift32):
(JSC::testOrUnsignedRightShift32):
(JSC::testOrLeftShift64):
(JSC::testOrRightShift64):
(JSC::testOrUnsignedRightShift64):
* b3/B3LowerToAir.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testAndLeftShift32):
(testAndRightShift32):
(testAndUnsignedRightShift32):
(testAndLeftShift64):
(testAndRightShift64):
(testAndUnsignedRightShift64):
(testXorLeftShift32):
(testXorRightShift32):
(testXorUnsignedRightShift32):
(testXorLeftShift64):
(testXorRightShift64):
(testXorUnsignedRightShift64):
(testOrLeftShift32):
(testOrRightShift32):
(testOrUnsignedRightShift32):
(testOrLeftShift64):
(testOrRightShift64):
(testOrUnsignedRightShift64):
(addBitTests):
2021-08-02 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use loadPair / storePair in YarrJIT
https://bugs.webkit.org/show_bug.cgi?id=228687
Reviewed by Mark Lam.
Use loadPair / storePair if possible in YarrJIT. Currently, we are not
deploying Spooler in YarrJIT, but we should do that in the future too.
In this patch, we also add appropriate fallback code in loadPair / storePair:
the offset of these functions are small enough so that we should consider
overflowing case. If it overflows, we use two loads or stores.
This patch also adds loadPair32 and storePair32 to all macro assembler so that
we can call it without CPU(ARM64). Internally, two loads or stores are combined.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::loadPair32):
(JSC::MacroAssemblerARM64::loadPair64):
(JSC::MacroAssemblerARM64::loadPair64WithNonTemporalAccess):
(JSC::MacroAssemblerARM64::storePair32):
(JSC::MacroAssemblerARM64::storePair64):
(JSC::MacroAssemblerARM64::storePair64WithNonTemporalAccess):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::loadPair32):
(JSC::MacroAssemblerARMv7::storePair32):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::loadPair32):
(JSC::MacroAssemblerMIPS::storePair32):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::loadPair32):
(JSC::MacroAssemblerX86Common::storePair32):
* assembler/testmasm.cpp:
(JSC::testLoadStorePair32):
(JSC::testLoadStorePair64Int64):
* yarr/YarrJIT.cpp:
2021-08-02 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, fix accidental narrowing
https://bugs.webkit.org/show_bug.cgi?id=228613
Note that this narrowing does not matter semantically since we mask this value with 0x7f.
* yarr/YarrJIT.h:
(JSC::Yarr::BoyerMooreBitmap::addCharacters):
2021-08-02 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Yarr BoyerMoore search should support character-class
https://bugs.webkit.org/show_bug.cgi?id=228613
Reviewed by Saam Barati.
This patch adds character-class support for BoyerMoore lookahead search in Yarr.
Currently, we only support fixed-sized character-class. We can extend it for repeat cases in the future.
To apply this character-class thing to jQuery's RegExp, we also allow non-fixed-sized disjunction.
For example, /aaaa.*|bbbb/'s disjunction is not fixed-sized. But still we can use (aaaa|bbbb) prefix since
this part is fixed-sized and we know minimum-size of this disjunction is 4.
Plus, instead of giving up BoyerMoore search when we found non-supported terms, we shorten BoyerMoore search
length not to include this term so that we can still have a chance to leverage BoyerMoore search. In the case
of /aaaa|bbbb|ccc(d|e|f)/, we previously gave up since it finds `(d|e|f)`. But now, instead we shorten the length
from 4 to 3, and construct search pattern with `aaa|bbb|ccc`.
This patch improves jquery-todomvc-regexp by 20%.
ToT Patched
jquery-todomvc-regexp 545.3561+-0.6968 ^ 451.6117+-0.4613 ^ definitely 1.2076x faster
This improves Speedometer2/jQuery-TodoMVC by 2%.
----------------------------------------------------------------------------------------------------------------------------------
| subtest | ms | ms | b / a | pValue (significance using False Discovery Rate) |
----------------------------------------------------------------------------------------------------------------------------------
| Elm-TodoMVC |123.470833 |123.550000 |1.000641 | 0.841600 |
| VueJS-TodoMVC |26.883333 |26.950000 |1.002480 | 0.846732 |
| EmberJS-TodoMVC |127.708333 |127.754167 |1.000359 | 0.934206 |
| BackboneJS-TodoMVC |50.545833 |50.445833 |0.998022 | 0.679610 |
| Preact-TodoMVC |20.879167 |20.791667 |0.995809 | 0.796541 |
| AngularJS-TodoMVC |137.479167 |137.275000 |0.998515 | 0.729817 |
| Vanilla-ES2015-TodoMVC |69.079167 |68.912500 |0.997587 | 0.524325 |
| Inferno-TodoMVC |65.604167 |66.120833 |1.007876 | 0.145549 |
| Flight-TodoMVC |77.029167 |76.708333 |0.995835 | 0.518562 |
| Angular2-TypeScript-TodoMVC |40.516667 |40.812500 |1.007302 | 0.513386 |
| VanillaJS-TodoMVC |54.762500 |54.895833 |1.002435 | 0.647381 |
| jQuery-TodoMVC |255.950000 |250.425000 |0.978414 | 0.000000 (significant) |
| EmberJS-Debug-TodoMVC |341.745833 |342.804167 |1.003097 | 0.219937 |
| React-TodoMVC |88.854167 |88.700000 |0.998265 | 0.568405 |
| React-Redux-TodoMVC |151.266667 |150.804167 |0.996942 | 0.256403 |
| Vanilla-ES2015-Babel-Webpack-TodoMVC |65.783333 |65.645833 |0.997910 | 0.437464 |
----------------------------------------------------------------------------------------------------------------------------------
a mean = 246.52898
b mean = 246.85128
pValue = 0.3927330278
(Bigger means are better.)
1.001 times better
Results ARE NOT significant
* yarr/YarrJIT.cpp:
(JSC::Yarr::BoyerMooreInfo::shortenLength):
(JSC::Yarr::BoyerMooreInfo::setAll):
(JSC::Yarr::BoyerMooreInfo::addCharacters):
(JSC::Yarr::BoyerMooreInfo::addRanges):
* yarr/YarrJIT.h:
(JSC::Yarr::BoyerMooreBitmap::add):
(JSC::Yarr::BoyerMooreBitmap::addCharacters):
(JSC::Yarr::BoyerMooreBitmap::addRanges):
(JSC::Yarr::BoyerMooreBitmap::setAll):
(JSC::Yarr::BoyerMooreBitmap::isAllSet const):
2021-08-02 Stephan Szabo <stephan.szabo@sony.com>
[PlayStation] Make C files in testapi compile with a C standard rather than C++ one
https://bugs.webkit.org/show_bug.cgi?id=228701
Reviewed by Ross Kirsling.
* shell/PlatformPlayStation.cmake: Set standard for C files in testapi
2021-08-02 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Yarr should use Bitmap instead of ByteVector for BoyerMoore search
https://bugs.webkit.org/show_bug.cgi?id=228676
Reviewed by Saam Barati.
We observed that using Bitmap instead of ByteVector does not pose performance
issue. It was neutral in jquery-todomvc-regexp.js. In that case, we should use
Bitmap since it is 8x smaller.
We also search reusable Bitmap from Vector since comparing 128bit Bitmap is
super fast so we do not need to bother about linear search here (# of Bitmap
is currently up to 4).
To make code simplified, we add regT2 to ARMv7 and MIPS backend of YarrJIT.
ToT Patched
jquery-todomvc-regexp 555.9566+-0.8856 555.0737+-0.9717
* yarr/YarrJIT.cpp:
(JSC::Yarr::BoyerMooreInfo::index const): Deleted.
(JSC::Yarr::BoyerMooreInfo::setIndex): Deleted.
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::set8BitCode):
(JSC::Yarr::YarrCodeBlock::set16BitCode):
(JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
(JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
(JSC::Yarr::YarrCodeBlock::tryReuseBoyerMooreBitmap const):
(JSC::Yarr::BoyerMooreByteVector::BoyerMooreByteVector): Deleted.
(JSC::Yarr::YarrCodeBlock::tryReuseBoyerMooreByteVector const): Deleted.
2021-07-31 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Move JIT_UNICODE_EXPRESSIONS to ENABLE(YARR_JIT_UNICODE_EXPRESSIONS) in PlatformEnable.h
https://bugs.webkit.org/show_bug.cgi?id=228669
Reviewed by Alexey Shvayka.
Move JIT_UNICODE_EXPRESSIONS to PlatformEnable.h to align to the other YarrJIT flags.
This makes it easy to read that this is enabled on ARM64 and X86_64.
* yarr/YarrJIT.cpp:
2021-07-31 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Clean up Yarr by using `static constexpr`
https://bugs.webkit.org/show_bug.cgi?id=228678
Reviewed by Alexey Shvayka.
Modernize Yarr code by using static constexpr.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::TrustedImm32::TrustedImm32):
* yarr/YarrCanonicalizeUCS2.cpp:
* yarr/YarrCanonicalizeUCS2.js:
(set characters.hex.set string_appeared_here):
* yarr/YarrErrorCode.cpp:
(JSC::Yarr::errorMessage):
* yarr/YarrJIT.cpp:
2021-07-31 Joonghun Park <jh718.park@samsung.com>
Unreviewed. Remove the build warning below since r280493.
warning: variable ‘block’ set but not used [-Wunused-but-set-variable]
* b3/B3CanonicalizePrePostIncrements.cpp:
(JSC::B3::canonicalizePrePostIncrements):
2021-07-30 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] branchTest8 should not emit tst for Zero/NonZero cases
https://bugs.webkit.org/show_bug.cgi?id=228674
Reviewed by Mark Lam.
Previously, branchTest8(NonZero, BaseIndex) emits `tst` instruction
unnecessarily. This is because the mask is truncated into 8bit, which
makes branchTest32 (which is internally used in branchTest8) emits tst.
We observed many unnecessary tst in YarrJIT.
This patch removes this unnecessary truncation since Zero/NonZero does
not care high bits of mask in branchTest8. This is ok because the
ResultCondition version of mask8OnCondition() is always used to generate
a mask that is only used against a value that is loaded with
MacroAssemblerHelpers::load8OnCondition(). For Zero/NonZero conditions,
load8OnCondition() will always zero fill the upper bytes. The 0 filled
upper bytes will not affect the result of a branch on zero or branch on
not zero.
Before:
0x10a8068b0: ldrb w16, [x7, x6]
0x10a8068b4: tst w16, #0xff
0x10a8068b8: b.ne 0x10a8068cc
After:
0x1070068b0: ldrb w16, [x7, x6]
0x1070068b4: cbnz w16, 0x1070068c8
* assembler/MacroAssemblerHelpers.h:
(JSC::MacroAssemblerHelpers::mask8OnCondition):
2021-07-30 Robin Morisset <rmorisset@apple.com>
Improve OSR entry into Wasm loops with arguments
https://bugs.webkit.org/show_bug.cgi?id=228595
Reviewed by Yusuke Suzuki.
This patch has two parts:
- improve the Wasm OSR code to fully support loop arguments (just some plumbing to make sure that the right values are propagated)
- improve the B3 validator to fix a hole I noticed while writing the first part: we were not detecting code that introduce Upsilons in the wrong blocks.
Naturally, this caused hard to debug issues, as B3 has no well-defined semantics for a Phi that is reached before the corresponding Upsilon(s).
* b3/B3Validate.cpp:
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
(JSC::Wasm::AirIRGenerator::addLoop):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
(JSC::Wasm::B3IRGenerator::addLoop):
* wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::addLoop):
2021-07-30 Philip Chimento <pchimento@igalia.com>
[JSC] Rename Temporal.now to Temporal.Now
https://bugs.webkit.org/show_bug.cgi?id=228658
Reviewed by Yusuke Suzuki.
See https://github.com/tc39/proposal-temporal/pull/1645. In the July
2021 meeting TC39 achieved consensus to rename Temporal.now to
Temporal.Now since it is a namespace.
* runtime/TemporalNow.cpp: Change Now[@@toStringTag] accordingly.
* runtime/TemporalObject.cpp: Rename now property to Now.
2021-07-30 Tadeu Zagallo <tzagallo@apple.com>
putInlineFastReplacingStaticPropertyIfNeeded should handle custom values
https://bugs.webkit.org/show_bug.cgi?id=227963
Reviewed by Alexey Shvayka.
Follow up after r280463: as it turns out, putInlineFastReplacingStaticPropertyIfNeeded also needs to handle
custom values, similar to how definePropertyOnReceiverSlow was updated. This function will be called when the
target property of the receiver is a custom value and isn't reified. The previous test case was expanded to
test both the reified and non-reified cases.
* runtime/JSObject.cpp:
(JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded):
* tools/JSDollarVM.cpp:
2021-07-30 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, fix wrong access width
https://bugs.webkit.org/show_bug.cgi?id=228301
rdar://81341472
* yarr/YarrJIT.cpp:
2021-07-30 Yijia Huang <yijia_huang@apple.com>
Add Pre/Post-Indexed Address Mode to Air for ARM64
https://bugs.webkit.org/show_bug.cgi?id=228047
Reviewed by Phil Pizlo.
Pre-indexed addressing means that the address is the sum of the value in the 64-bit base register
and an offset, and the address is then written back to the base register. And post-indexed
addressing means that the address is the value in the 64-bit base register, and the sum of the
address and the offset is then written back to the base register. They are relatively common for
loops to iterate over an array by increasing/decreasing a pointer into the array at each iteration.
With such an addressing mode, the instruction selector can merge the increment and access the array.
#####################################
## Pre-Index Address Mode For Load ##
#####################################
LDR Wt, [Xn, #imm]!
In B3 Reduction Strength, since we have this reduction rule:
Turn this: Load(Add(address, offset1), offset = offset2)
Into this: Load(address, offset = offset1 + offset2)
Then, the equivalent pattern is:
address = Add(base, offset)
...
memory = Load(base, offset)
First, we convert it to the canonical form:
address = Add(base, offset)
newMemory = Load(base, offset) // move the memory to just after the address
...
memory = Identity(newMemory)
Next, lower to Air:
Move %base, %address
Move (%address, prefix(offset)), %newMemory
######################################
## Post-Index Address Mode For Load ##
######################################
LDR Wt, [Xn], #imm
Then, the equivalent pattern is:
memory = Load(base, 0)
...
address = Add(base, offset)
First, we convert it to the canonical form:
newOffset = Constant
newAddress = Add(base, offset)
memory = Load(base, 0) // move the offset and address to just before the memory
...
offset = Identity(newOffset)
address = Identity(newAddress)
Next, lower to Air:
Move %base, %newAddress
Move (%newAddress, postfix(offset)), %memory
#############################
## Pattern Match Algorithm ##
#############################
To detect the pattern for prefix/postfix increment address is tricky due to the structure in B3 IR. The
algorithm used in this patch is to collect the first valid values (add/load), then search for any
paired value (load/add) to match all of them. In worst case, the runtime complexity is O(n^2)
when n is the number of all values.
After collecting two sets of candidates, we match the prefix incremental address first since it seems
more beneficial to the compiler (shown in the next section). And then, go for the postfix one.
##############################################
## Test for Pre/Post-Increment Address Mode ##
##############################################
Given Loop with Pre-Increment:
int64_t ldr_pre(int64_t *p) {
int64_t res = 0;
while (res < 10)
res += *++p;
return res;
}
B3 IR:
------------------------------------------------------
BB#0: ; frequency = 1.000000
Int64 b@0 = Const64(0)
Int64 b@2 = ArgumentReg(%x0)
Void b@20 = Upsilon($0(b@0), ^18, WritesLocalState)
Void b@21 = Upsilon(b@2, ^19, WritesLocalState)
Void b@4 = Jump(Terminal)
Successors: #1
BB#1: ; frequency = 1.000000
Predecessors: #0, #2
Int64 b@18 = Phi(ReadsLocalState)
Int64 b@19 = Phi(ReadsLocalState)
Int64 b@7 = Const64(10)
Int32 b@8 = AboveEqual(b@18, $10(b@7))
Void b@9 = Branch(b@8, Terminal)
Successors: Then:#3, Else:#2
BB#2: ; frequency = 1.000000
Predecessors: #1
Int64 b@10 = Const64(8)
Int64 b@11 = Add(b@19, $8(b@10))
Int64 b@13 = Load(b@11, ControlDependent|Reads:Top)
Int64 b@14 = Add(b@18, b@13)
Void b@22 = Upsilon(b@14, ^18, WritesLocalState)
Void b@23 = Upsilon(b@11, ^19, WritesLocalState)
Void b@16 = Jump(Terminal)
Successors: #1
BB#3: ; frequency = 1.000000
Predecessors: #1
Void b@17 = Return(b@18, Terminal)
Variables:
Int64 var0
Int64 var1
------------------------------------------------------
W/O Pre-Increment Address Mode:
------------------------------------------------------
...
BB#2: ; frequency = 1.000000
Predecessors: #1
Move $8, %x3, $8(b@12)
Add64 $8, %x0, %x1, b@11
Move (%x0,%x3), %x0, b@13
Add64 %x0, %x2, %x2, b@14
Move %x1, %x0, b@23
Jump b@16
Successors: #1
...
------------------------------------------------------
W/ Pre-Increment Address Mode:
------------------------------------------------------
...
BB#2: ; frequency = 1.000000
Predecessors: #1
MoveWithIncrement64 (%x0,Pre($8)), %x2, b@13
Add64 %x2, %x1, %x1, b@14
Jump b@16
Successors: #1
...
------------------------------------------------------
Given Loop with Post-Increment:
int64_t ldr_pre(int64_t *p) {
int64_t res = 0;
while (res < 10)
res += *p++;
return res;
}
B3 IR:
------------------------------------------------------
BB#0: ; frequency = 1.000000
Int64 b@0 = Const64(0)
Int64 b@2 = ArgumentReg(%x0)
Void b@20 = Upsilon($0(b@0), ^18, WritesLocalState)
Void b@21 = Upsilon(b@2, ^19, WritesLocalState)
Void b@4 = Jump(Terminal)
Successors: #1
BB#1: ; frequency = 1.000000
Predecessors: #0, #2
Int64 b@18 = Phi(ReadsLocalState)
Int64 b@19 = Phi(ReadsLocalState)
Int64 b@7 = Const64(10)
Int32 b@8 = AboveEqual(b@18, $10(b@7))
Void b@9 = Branch(b@8, Terminal)
Successors: Then:#3, Else:#2
BB#2: ; frequency = 1.000000
Predecessors: #1
Int64 b@10 = Load(b@19, ControlDependent|Reads:Top)
Int64 b@11 = Add(b@18, b@10)
Int64 b@12 = Const64(8)
Int64 b@13 = Add(b@19, $8(b@12))
Void b@22 = Upsilon(b@11, ^18, WritesLocalState)
Void b@23 = Upsilon(b@13, ^19, WritesLocalState)
Void b@16 = Jump(Terminal)
Successors: #1
BB#3: ; frequency = 1.000000
Predecessors: #1
Void b@17 = Return(b@18, Terminal)
Variables:
Int64 var0
Int64 var1
------------------------------------------------------
W/O Post-Increment Address Mode:
------------------------------------------------------
...
BB#2: ; frequency = 1.000000
Predecessors: #1
Move (%x0), %x2, b@10
Add64 %x2, %x1, %x1, b@11
Add64 $8, %x0, %x0, b@13
Jump b@16
Successors: #1
...
------------------------------------------------------
W/ Post-Increment Address Mode:
------------------------------------------------------
...
BB#2: ; frequency = 1.000000
Predecessors: #1
MoveWithIncrement64 (%x0,Post($8)), %x2, b@10
Add64 %x2, %x1, %x1, b@11
Jump b@16
Successors: #1
...
------------------------------------------------------
* Sources.txt:
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::PreIndexAddress::PreIndexAddress):
(JSC::AbstractMacroAssembler::PostIndexAddress::PostIndexAddress):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::load64):
(JSC::MacroAssemblerARM64::load32):
(JSC::MacroAssemblerARM64::store64):
(JSC::MacroAssemblerARM64::store32):
* assembler/testmasm.cpp:
(JSC::testStorePrePostIndex32):
(JSC::testStorePrePostIndex64):
(JSC::testLoadPrePostIndex32):
(JSC::testLoadPrePostIndex64):
* b3/B3CanonicalizePrePostIncrements.cpp: Added.
(JSC::B3::canonicalizePrePostIncrements):
* b3/B3CanonicalizePrePostIncrements.h: Copied from Source/JavaScriptCore/b3/B3ValueKeyInlines.h.
* b3/B3Generate.cpp:
(JSC::B3::generateToAir):
* b3/B3LowerToAir.cpp:
* b3/B3ValueKey.h:
* b3/B3ValueKeyInlines.h:
(JSC::B3::ValueKey::ValueKey):
* b3/air/AirArg.cpp:
(JSC::B3::Air::Arg::jsHash const):
(JSC::B3::Air::Arg::dump const):
(WTF::printInternal):
* b3/air/AirArg.h:
(JSC::B3::Air::Arg::preIndex):
(JSC::B3::Air::Arg::postIndex):
(JSC::B3::Air::Arg::isPreIndex const):
(JSC::B3::Air::Arg::isPostIndex const):
(JSC::B3::Air::Arg::isMemory const):
(JSC::B3::Air::Arg::base const):
(JSC::B3::Air::Arg::offset const):
(JSC::B3::Air::Arg::isGP const):
(JSC::B3::Air::Arg::isFP const):
(JSC::B3::Air::Arg::isValidPreIndexForm):
(JSC::B3::Air::Arg::isValidPostIndexForm):
(JSC::B3::Air::Arg::isValidForm const):
(JSC::B3::Air::Arg::forEachTmpFast):
(JSC::B3::Air::Arg::forEachTmp):
(JSC::B3::Air::Arg::asPreIndexAddress const):
(JSC::B3::Air::Arg::asPostIndexAddress const):
* b3/air/AirOpcode.opcodes:
* b3/air/opcode_generator.rb:
* b3/testb3.h:
* b3/testb3_3.cpp:
(testLoadPreIndex32):
(testLoadPreIndex64):
(testLoadPostIndex32):
(testLoadPostIndex64):
(addShrTests):
* jit/ExecutableAllocator.cpp:
(JSC::jitWriteThunkGenerator):
2021-07-30 Alexey Shvayka <shvaikalesh@gmail.com>
REGRESSION (r280460): 42 JSC test failures on Debug arm64 with ASSERTION FAILED: !m_needExceptionCheck
https://bugs.webkit.org/show_bug.cgi?id=228652
Unreviewed unchecked exception fix.
Release scope before calling RegExpGlobalData::getBackref().
* runtime/RegExpConstructor.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
2021-07-30 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use UCPURegister argument to remove zero extension in JIT code
https://bugs.webkit.org/show_bug.cgi?id=228625
Reviewed by Robin Morisset.
Yarr JIT code emits zeroExtend32ToWord for some arguments, but this is not necessary if
argument is defined as UCPURegister. In that case, caller guarantees that top 32bits are
cleared.
* yarr/YarrJIT.cpp:
* yarr/YarrJIT.h:
2021-07-29 Myles C. Maxfield <mmaxfield@apple.com>
Stop building WebGPU and the WHLSL compiler to decrease binary size
https://bugs.webkit.org/show_bug.cgi?id=228179
Reviewed by Dean Jackson, Robin Morisset, and Devin Rousso.
This patch deletes the existing implementation just to reduce binary size in releases of WebKit
which don't enable WebGPU by default. It doesn't represent a change in direction or policy or
anything regarding WebGPU. It's a (somewhat temporary) pragmatic change.
Our current implementation of WebGPU:
1. Is off by default on all platforms
2. Is extremely outdated
3. Has no notion of the GPU Process, and therefore needs to be redesigned and largely rewritten
4. Only implements a fraction of what is in the spec
Removing the code from the tree doesn't delete it from existence; it's still in source control.
The benefit of reducing binary size seems to outweigh having this code in the tree.
* inspector/protocol/Canvas.json:
* inspector/scripts/codegen/generator.py:
2021-07-29 Carlos Alberto Lopez Perez <clopez@igalia.com>
[WPE][GTK] build broken with python2 after r280382
https://bugs.webkit.org/show_bug.cgi?id=228629
Reviewed by Philippe Normand.
Call {PYTHON_EXECUTABLE} instead of python3.
* PlatformGTK.cmake:
2021-07-29 Tadeu Zagallo <tzagallo@apple.com>
definePropertyOnReceiver should check if receiver canPerformFastPutInline
https://bugs.webkit.org/show_bug.cgi?id=227963
<rdar://80259710>
Reviewed by Alexey Shvayka.
definePropertyOnReceiver has a fast path if the slot is not opaque and the receiver doesn't
have a custom defineOwnProperty implementation, in which case it calls putInlineFast (and
transitively putDirectInternal<PutModePut>). The issue is that putDirectInternal does not
handle customValues correctly: it just overwrites the property without changing the attributes.
To fix that, we should first check if the property might be a custom value, and if that's the case
we now call `definePropertyOnReceiverSlow`, which has been updated to handle custom values correctly.
I also added assertions to putInlineFastReplacingStaticPropertyIfNeeded and putDirectInternal
to make sure we don't accidentally overwrite custom values in the future.
* runtime/JSObject.cpp:
(JSC::definePropertyOnReceiverSlow):
(JSC::JSObject::definePropertyOnReceiver):
(JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded):
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectInternal):
2021-07-29 Yusuke Suzuki <ysuzuki@apple.com> and Alexey Shvayka <shvaikalesh@gmail.com>
[JSC] Legacy RegExp fields should be accessors
https://bugs.webkit.org/show_bug.cgi?id=220233
Reviewed by Tadeu Zagallo.
This patch implements a part of Legacy RegExp features proposal [1], replacing
custom values with custom accessors that require |this| value to be RegExp
constructor of the same realm.
Apart from fixing property descriptors, this change brings legacy RegExpConstructor
fields in compliance with invariants of internal methods [2] (described in #151348),
aligning JSC with V8 and SpiderMonkey.
It doesn't, however, implement [[LegacyFeaturesEnabled]] and RegExp.prototype.compile
changes.
[1]: https://github.com/tc39/proposal-regexp-legacy-features
[2]: https://tc39.es/ecma262/#sec-invariants-of-the-essential-internal-methods
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* runtime/RegExpConstructor.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
(JSC::JSC_DEFINE_CUSTOM_SETTER):
(JSC::regExpConstructorDollarImpl): Deleted.
* tools/JSDollarVM.cpp:
2021-07-29 Myles C. Maxfield <mmaxfield@apple.com>
Add WebGPU to webkit.org/status
https://bugs.webkit.org/show_bug.cgi?id=228623
Reviewed by Robin Morisset.
* features.json:
2021-07-28 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Yarr should perform BoyerMoore search
https://bugs.webkit.org/show_bug.cgi?id=228301
Reviewed by Saam Barati.
This patch emits skipping fast-path at the beginning of body alternatives with a large stride. So we can quickly discard unrelated characters
and attempt to find possibly related sequence in the long sequence. The method is derived from V8's implementation (with some extensions).
If we have a searching pattern /abcdef/, then we can check the 6th character against a set of {a, b, c, d, e, f}.
If it does not match, we can shift 6 characters. We use this strategy since this way can be extended easily to support
disjunction, character-class, and ignore-cases. For example, in the case of /(?:abc|def)/, we can check 3rd character
against {a, b, c, d, e, f} and shift 3 characters if it does not match.
Then, the best way to perform the above shifting is that finding the longest character sequence which does not have
many candidates. In the case of /[a-z]aaaaaaa[a-z]/, we can extract "aaaaaaa" sequence and check 8th character against {a}.
If it does not match, then we can shift 7 characters (length of "aaaaaaa"). This shifting is better than using "[a-z]aaaaaaa[a-z]"
sequence and {a-z} set since {a-z} set will almost always match.
We first collect possible characters for each character position. Then, apply heuristics to extract good character sequence from
that and construct fast searching with long stride.
Microbenchmark which performs RegExp ops in Speedometer2/jQuery-TodoMVC shows 25% improvement.
ToT Patched
jquery-todomvc-regexp 723.9739+-1.3997 ^ 579.1698+-1.2505 ^ definitely 1.2500x faster
This improves Speedometer2/jQuery-TodoMVC by 3%.
----------------------------------------------------------------------------------------------------------------------------------
| subtest | ms | ms | b / a | pValue (significance using False Discovery Rate) |
----------------------------------------------------------------------------------------------------------------------------------
| Elm-TodoMVC |123.365625 |123.456250 |1.000735 | 0.804077 |
| VueJS-TodoMVC |26.912500 |26.925000 |1.000464 | 0.969603 |
| EmberJS-TodoMVC |127.540625 |127.562500 |1.000172 | 0.960474 |
| BackboneJS-TodoMVC |50.606250 |50.518750 |0.998271 | 0.670313 |
| Preact-TodoMVC |21.018750 |20.850000 |0.991971 | 0.563818 |
| AngularJS-TodoMVC |136.943750 |137.271875 |1.002396 | 0.531513 |
| Vanilla-ES2015-TodoMVC |68.521875 |68.593750 |1.001049 | 0.701376 |
| Inferno-TodoMVC |65.559375 |65.803125 |1.003718 | 0.414418 |
| Flight-TodoMVC |77.284375 |76.715625 |0.992641 | 0.219870 |
| Angular2-TypeScript-TodoMVC |40.725000 |40.318750 |0.990025 | 0.281212 |
| VanillaJS-TodoMVC |55.209375 |54.715625 |0.991057 | 0.056921 |
| jQuery-TodoMVC |266.396875 |258.471875 |0.970251 | 0.000000 (significant) |
| EmberJS-Debug-TodoMVC |341.550000 |341.856250 |1.000897 | 0.618140 |
| React-TodoMVC |88.731250 |88.871875 |1.001585 | 0.512407 |
| React-Redux-TodoMVC |150.340625 |150.065625 |0.998171 | 0.412940 |
| Vanilla-ES2015-Babel-Webpack-TodoMVC |65.390625 |65.362500 |0.999570 | 0.834760 |
----------------------------------------------------------------------------------------------------------------------------------
a mean = 245.96997
b mean = 246.86366
pValue = 0.0061448402
(Bigger means are better.)
1.004 times better
Results ARE significant
* runtime/OptionsList.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::BoyerMooreInfo::BoyerMooreInfo):
(JSC::Yarr::BoyerMooreInfo::length const):
(JSC::Yarr::BoyerMooreInfo::set):
(JSC::Yarr::BoyerMooreInfo::index const):
(JSC::Yarr::BoyerMooreInfo::setIndex):
(JSC::Yarr::BoyerMooreInfo::create):
(JSC::Yarr::BoyerMooreInfo::findBestCharacterSequence const):
(JSC::Yarr::BoyerMooreInfo::findWorthwhileCharacterSequenceForLookahead const):
(JSC::Yarr::BoyerMooreInfo::createCandidateBitmap const):
* yarr/YarrJIT.h:
(JSC::Yarr::BoyerMooreBitmap::count const):
(JSC::Yarr::BoyerMooreBitmap::map const):
(JSC::Yarr::BoyerMooreBitmap::isMaskEffective const):
(JSC::Yarr::BoyerMooreBitmap::add):
(JSC::Yarr::BoyerMooreByteVector::BoyerMooreByteVector):
(JSC::Yarr::YarrCodeBlock::set8BitCode):
(JSC::Yarr::YarrCodeBlock::set16BitCode):
(JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
(JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
(JSC::Yarr::YarrCodeBlock::clear):
(JSC::Yarr::YarrCodeBlock::findSameVector const):
2021-07-28 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] load/store with BaseIndex is inefficient in ARM64
https://bugs.webkit.org/show_bug.cgi?id=228543
Reviewed by Mark Lam.
While we are frequently using load + BaseIndex (with offset) in RegExp code,
we emit 3 instructions in ARM64. This can be represented in 2 instructions.
This patch adds that path to make generated code tight in ARM64 RegExp.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::load64):
(JSC::MacroAssemblerARM64::load32):
(JSC::MacroAssemblerARM64::load16):
(JSC::MacroAssemblerARM64::load16SignedExtendTo32):
(JSC::MacroAssemblerARM64::load8):
(JSC::MacroAssemblerARM64::load8SignedExtendTo32):
(JSC::MacroAssemblerARM64::store64):
(JSC::MacroAssemblerARM64::store32):
(JSC::MacroAssemblerARM64::store16):
(JSC::MacroAssemblerARM64::store8):
(JSC::MacroAssemblerARM64::loadDouble):
(JSC::MacroAssemblerARM64::loadFloat):
(JSC::MacroAssemblerARM64::storeDouble):
(JSC::MacroAssemblerARM64::storeFloat):
(JSC::MacroAssemblerARM64::tryFoldBaseAndOffsetPart):
* assembler/testmasm.cpp:
(JSC::testLoadBaseIndex):
(JSC::testStoreBaseIndex):
2021-07-28 Philippe Normand <pnormand@igalia.com>
[WPE][GTK] SVN_REVISION drifting away if bots don't re-run cmake
https://bugs.webkit.org/show_bug.cgi?id=228290
Reviewed by Michael Catanzaro.
* PlatformGTK.cmake: Expand ${BUILD_REVISION} with apply-build-revision-to-files.py for
non-tarball builds, or let CMake do it for tarball builds.
* javascriptcoregtk.pc.in: Switch revision var to ${} format, so that we can choose to
either let CMake expand it or do it ourselves.
2021-07-27 Patrick Angle <pangle@apple.com>
Web Inspector: [Cocoa] "RemoteInspector XPC connection to relay failed." messages are confusing in StdErr
https://bugs.webkit.org/show_bug.cgi?id=228303
Reviewed by Darin Adler.
Remove overly verbose and confusing `WTFLogAlways` messages added in r278413, which can confuse applications
listening to stderr of a process using JavaScriptCore.
* inspector/remote/cocoa/RemoteInspectorCocoa.mm:
(Inspector::RemoteInspector::xpcConnectionFailed):
2021-07-27 Alexey Shvayka <shvaikalesh@gmail.com>
ProxyObject callees should be skipped during Function.prototype.caller resolution
https://bugs.webkit.org/show_bug.cgi?id=228341
Reviewed by Yusuke Suzuki.
Just like a bound function, a Proxy with nullish "apply" handler merely forwards
[[Call]] to its target [1], without pushing onto the execution context stack.
This fact is also noted in Function.prototype.{caller,arguments} reflection proposal [2].
This patch aligns JSC with V8 and SpiderMonkey if Proxy's "apply" handler is userland
or nullish. However, since JSC implements proper tail calls, `Function.prototype.caller`
result is divergent from other engines if the handler is `Reflect.apply`, which performs
a tail call that gets optimized away [2] (unless called by another Proxy).
[1]: https://tc39.es/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist (step 8)
[2]: https://github.com/claudepache/es-legacy-function-reflection/blob/master/spec.md#get-functionprototypecaller (see notes)
* runtime/FunctionPrototype.cpp:
(JSC::RetrieveCallerFunctionFunctor::operator() const):
2021-07-26 Yusuke Suzuki <ysuzuki@apple.com>
Add Temporal to features.json
https://bugs.webkit.org/show_bug.cgi?id=228292
Reviewed by Myles C. Maxfield.
* features.json:
2021-07-25 Alexey Shvayka <shvaikalesh@gmail.com>
Partly implement Function.prototype.{caller,arguments} reflection proposal
https://bugs.webkit.org/show_bug.cgi?id=158116
Reviewed by Yusuke Suzuki.
To ensure web-compatibility, only the safe subset of Function.prototype.{caller,arguments}
reflection proposal [1] is implemented, which is currently shipped in SpiderMonkey.
Complete list of differences from the proposed spec:
1. Cross-realm receiver function is allowed instead of throwing a TypeError.
Throwing is likely safe to ship, but #225997 needs to be fixed first for
custom properties to receive correct global object.
2. Cross-realm caller function is returned instead of `null`.
Hiding cross-realm caller may break things: we currently have a test for
the opposite behavior.
3. Defines "caller" and "arguments" setters that throw for disallowed receivers,
instead failing silently in sloppy mode.
This is actually more restrictive than the spec, which is preferable,
and aligns with V8 and SM.
Most importantly, this patch removes own "caller" and "arguments" properties from
sloppy mode ES5 functions. They were non-configurable, making it harder to use
their holder as a [[ProxyTarget]]. They were also non-writable, with a constantly
changing [[Value]], which violated the invariants of internal methods [2].
As a result, JSFunction methods are greatly simplified, especially defineOwnProperty()
and getOwnSpecialPropertyNames(). The latter is now 2.1x faster according to the
provided microbenchmark. Also, removes double "prototype" lookup from [[Get]],
which is a 10% progression.
[1]: https://github.com/claudepache/es-legacy-function-reflection
[2]: https://tc39.es/ecma262/#sec-invariants-of-the-essential-internal-methods
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::getOwnPropertySlot):
(JSC::ClonedArguments::materializeSpecials):
* runtime/FunctionExecutable.h:
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
(JSC::isAllowedReceiverFunctionForCallerAndArguments):
(JSC::RetrieveArgumentsFunctor::RetrieveArgumentsFunctor):
(JSC::RetrieveArgumentsFunctor::result const):
(JSC::RetrieveArgumentsFunctor::operator() const):
(JSC::retrieveArguments):
(JSC::JSC_DEFINE_CUSTOM_GETTER):
(JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
(JSC::RetrieveCallerFunctionFunctor::result const):
(JSC::RetrieveCallerFunctionFunctor::operator() const):
(JSC::retrieveCallerFunction):
(JSC::JSC_DEFINE_CUSTOM_SETTER):
(JSC::FunctionPrototype::initRestrictedProperties): Deleted.
* runtime/FunctionPrototype.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::getOwnSpecialPropertyNames):
(JSC::JSFunction::put):
(JSC::JSFunction::deleteProperty):
(JSC::JSFunction::defineOwnProperty):
(JSC::RetrieveArgumentsFunctor::RetrieveArgumentsFunctor): Deleted.
(JSC::RetrieveArgumentsFunctor::result const): Deleted.
(JSC::RetrieveArgumentsFunctor::operator() const): Deleted.
(JSC::retrieveArguments): Deleted.
(JSC::JSC_DEFINE_CUSTOM_GETTER): Deleted.
(JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor): Deleted.
(JSC::RetrieveCallerFunctionFunctor::result const): Deleted.
(JSC::RetrieveCallerFunctionFunctor::operator() const): Deleted.
(JSC::retrieveCallerFunction): Deleted.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildrenImpl):
* runtime/JSGlobalObject.h:
Remove unused m_throwTypeErrorGetterSetter and make [[ThrowTypeError]] lazily-created.
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/JSGlobalObjectFunctions.h:
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectCustomGetterSetterWithoutTransition):
* runtime/JSObject.h:
2021-07-24 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Change most of enum in Yarr to enum-class
https://bugs.webkit.org/show_bug.cgi?id=228264
Reviewed by Mark Lam.
This patch simply changes most of enum to enum-class in Yarr.
We also remove YarrJIT YarrGenerator's template parameter since
it is not worth doubling code. We can just hold Yarr::JITCompileMode as m_compileMode.
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::matchConcurrently):
(JSC::RegExp::compileMatchOnly):
* runtime/RegExp.h:
* runtime/RegExpInlines.h:
(JSC::RegExp::hasCodeFor):
(JSC::RegExp::compileIfNecessary):
(JSC::RegExp::matchInline):
(JSC::RegExp::hasMatchOnlyCodeFor):
(JSC::RegExp::compileIfNecessaryMatchOnly):
* yarr/Yarr.h:
(): Deleted.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::backtrackPatternCharacter):
(JSC::Yarr::Interpreter::backtrackPatternCasedCharacter):
(JSC::Yarr::Interpreter::matchCharacterClass):
(JSC::Yarr::Interpreter::backtrackCharacterClass):
(JSC::Yarr::Interpreter::matchBackReference):
(JSC::Yarr::Interpreter::backtrackBackReference):
(JSC::Yarr::Interpreter::parenthesesDoBacktrack):
(JSC::Yarr::Interpreter::matchParenthesesOnceBegin):
(JSC::Yarr::Interpreter::matchParenthesesOnceEnd):
(JSC::Yarr::Interpreter::backtrackParenthesesOnceBegin):
(JSC::Yarr::Interpreter::backtrackParenthesesOnceEnd):
(JSC::Yarr::Interpreter::matchParenthesesTerminalBegin):
(JSC::Yarr::Interpreter::matchParenthesesTerminalEnd):
(JSC::Yarr::Interpreter::backtrackParenthesesTerminalBegin):
(JSC::Yarr::Interpreter::matchParentheticalAssertionBegin):
(JSC::Yarr::Interpreter::matchParentheticalAssertionEnd):
(JSC::Yarr::Interpreter::backtrackParentheticalAssertionBegin):
(JSC::Yarr::Interpreter::backtrackParentheticalAssertionEnd):
(JSC::Yarr::Interpreter::matchParentheses):
(JSC::Yarr::Interpreter::backtrackParentheses):
(JSC::Yarr::Interpreter::matchDisjunction):
(JSC::Yarr::Interpreter::matchNonZeroDisjunction):
(JSC::Yarr::ByteCompiler::atomParenthesesOnceBegin):
(JSC::Yarr::ByteCompiler::atomParenthesesTerminalBegin):
(JSC::Yarr::ByteCompiler::atomParenthesesSubpatternBegin):
(JSC::Yarr::ByteCompiler::atomParentheticalAssertionBegin):
(JSC::Yarr::ByteCompiler::atomParentheticalAssertionEnd):
(JSC::Yarr::ByteCompiler::closeAlternative):
(JSC::Yarr::ByteCompiler::closeBodyAlternative):
(JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
(JSC::Yarr::ByteCompiler::atomParenthesesOnceEnd):
(JSC::Yarr::ByteCompiler::atomParenthesesTerminalEnd):
(JSC::Yarr::ByteCompiler::emitDisjunction):
(JSC::Yarr::ByteCompiler::dumpDisjunction):
* yarr/YarrInterpreter.h:
(JSC::Yarr::ByteTerm::ByteTerm):
(JSC::Yarr::ByteTerm::BOL):
(JSC::Yarr::ByteTerm::CheckInput):
(JSC::Yarr::ByteTerm::UncheckInput):
(JSC::Yarr::ByteTerm::EOL):
(JSC::Yarr::ByteTerm::WordBoundary):
(JSC::Yarr::ByteTerm::BackReference):
(JSC::Yarr::ByteTerm::BodyAlternativeBegin):
(JSC::Yarr::ByteTerm::BodyAlternativeDisjunction):
(JSC::Yarr::ByteTerm::BodyAlternativeEnd):
(JSC::Yarr::ByteTerm::AlternativeBegin):
(JSC::Yarr::ByteTerm::AlternativeDisjunction):
(JSC::Yarr::ByteTerm::AlternativeEnd):
(JSC::Yarr::ByteTerm::SubpatternBegin):
(JSC::Yarr::ByteTerm::SubpatternEnd):
(JSC::Yarr::ByteTerm::DotStarEnclosure):
* yarr/YarrJIT.cpp:
(JSC::Yarr::jitCompile):
* yarr/YarrJIT.h:
* yarr/YarrParser.h:
(JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate):
(JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
(JSC::Yarr::Parser::CharacterClassParserDelegate::atomBuiltInCharacterClass):
(JSC::Yarr::Parser::CharacterClassParserDelegate::end):
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
(JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
(JSC::Yarr::YarrPatternConstructor::atomBackReference):
(JSC::Yarr::YarrPatternConstructor::copyTerm):
(JSC::Yarr::YarrPatternConstructor::quantifyAtom):
(JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
(JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
(JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
(JSC::Yarr::PatternTerm::dumpQuantifier):
(JSC::Yarr::PatternTerm::dump):
* yarr/YarrPattern.h:
(JSC::Yarr::PatternTerm::PatternTerm):
(JSC::Yarr::PatternTerm::ForwardReference):
(JSC::Yarr::PatternTerm::BOL):
(JSC::Yarr::PatternTerm::EOL):
(JSC::Yarr::PatternTerm::WordBoundary):
(JSC::Yarr::PatternTerm::isFixedWidthCharacterClass const):
(JSC::Yarr::PatternTerm::containsAnyCaptures):
(JSC::Yarr::PatternTerm::quantify):
2021-07-23 Alexey Shvayka <shvaikalesh@gmail.com>
[WebIDL] Properly validate and merge descriptors in [Replaceable] setter
https://bugs.webkit.org/show_bug.cgi?id=227662
Reviewed by Sam Weinig.
Extracts createDataProperty() method to keep WebIDL code generator as simple as possible,
and also to emphasize a subtle difference between
{ [[Value]]: X } and
{ [[Value]]: X, [[Writable]]: true, [[Enumerable]]: true, [[Configurable]]: true }.
* runtime/JSONObject.cpp:
(JSC::Walker::walk):
* runtime/JSObject.cpp:
(JSC::definePropertyOnReceiverSlow):
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::createDataProperty):
* runtime/Lookup.h:
(JSC::replaceStaticPropertySlot): Deleted.
2021-07-23 Alexey Shvayka <shvaikalesh@gmail.com>
[JSC] Call custom accessors / values with their holder's global object
https://bugs.webkit.org/show_bug.cgi?id=225997
Reviewed by Yusuke Suzuki.
Just like JS built-ins, getter / setter functions of WebIDL attributes are created in realm
of their holder interface [1][2], which is their _current_ realm for throwing an error [3].
With this patch, custom properties get correct global object instead of lexical, including
when inline cached, aligning them with functions and regular accessors.
The latter allowed switching JS built-ins to CustomAccessor (e.g. Symbol#description),
which is slightly more efficient to call from C++, doesn't need reification on first access,
and has nicer signature.
Also, renames WASM accessors to drop "func" and removes unused function length parameter.
[1]: https://heycam.github.io/webidl/#dfn-attribute-getter (step 2)
[2]: https://heycam.github.io/webidl/#dfn-attribute-setter (step 5)
[3]: https://heycam.github.io/webidl/#ecmascript-throw
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* create_hash_table:
* interpreter/CallFrame.cpp:
(JSC::CallFrame::globalObjectOfClosestCodeBlock):
* interpreter/CallFrame.h:
* runtime/IntlCollatorPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* runtime/IntlLocalePrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* runtime/IntlNumberFormatPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* runtime/JSDataViewPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):
* runtime/PropertySlot.cpp:
(JSC::PropertySlot::customGetter const):
* runtime/PropertySlot.h:
(JSC::PropertySlot::getValue const):
* runtime/SymbolPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* tools/JSDollarVM.cpp:
* wasm/js/WebAssemblyInstancePrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
(JSC::JSC_DEFINE_HOST_FUNCTION): Deleted.
* wasm/js/WebAssemblyMemoryPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* wasm/js/WebAssemblyTablePrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
2021-07-22 Saam Barati <sbarati@apple.com>
AirStackSlot's uint16_t byte size is too small
https://bugs.webkit.org/show_bug.cgi?id=228193
<rdar://80888059>
Reviewed by Mark Lam.
* b3/B3Procedure.cpp:
(JSC::B3::Procedure::addStackSlot):
* b3/B3Procedure.h:
* b3/air/AirCode.cpp:
(JSC::B3::Air::Code::addStackSlot):
* b3/air/AirCode.h:
* b3/air/AirStackSlot.cpp:
(JSC::B3::Air::StackSlot::StackSlot):
* b3/air/AirStackSlot.h:
(JSC::B3::Air::StackSlot::ensureSize):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
* ftl/FTLOutput.cpp:
(JSC::FTL::Output::lockedStackSlot):
* ftl/FTLOutput.h:
2021-07-22 Saam Barati <sbarati@apple.com>
Fix uses of Dependency::fence with respect to the compiler outsmarting us
https://bugs.webkit.org/show_bug.cgi?id=227757
<rdar://problem/80280931>
Reviewed by Robin Morisset.
We were running into issues on arm64 with respect to the memory model
ordering of loads, and how the compiler optimized code around Dependency::fence.
The issue manifested as calls to isMarked incorrectly returning true.
To see the issue, let's consider a program like this:
a = load(p1)
b = load(p2)
if (a != b) return;
d = Dependency::fence(b)
At the point of defining the dependency, the compiler has proven
a == b. So, instead of building the dependency on the register used
for b, we end up using the register for a. So the actual compiled
code ends up with a dependency on load(p1), not load(p2).
To fix this, we end up adding a new API, Dependency::loadEndFence(pointer,
result), which is defined as:
template<typename T>
static Dependency loadAndFence(T* pointer, T& output)
{
T value = *opaque(pointer);
Dependency dependency = Dependency::fence(value);
output = opaque(value);
return dependency;
}
The reason for this is that it split "b" in the above program into two values,
and the "b" the program compares against is not known to the compiler to be
the same value that we build a dependency on.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::aboutToMark):
(JSC::MarkedBlock::isMarked):
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterflyImpl):
* runtime/JSObject.h:
(JSC::JSObject::fencedButterfly):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayEntry::getConcurrently):
(JSC::SparseArrayEntry::getConcurrently const): Deleted.
* runtime/SparseArrayValueMap.h:
* runtime/Structure.h:
(JSC::Structure::fencedIndexingMode):
* runtime/StructureIDBlob.h:
(JSC::StructureIDBlob::fencedIndexingModeIncludingHistory):
2021-07-22 Keith Miller <keith_miller@apple.com>
useProfiler option should automatically disable concurrent JIT
https://bugs.webkit.org/show_bug.cgi?id=228152
Reviewed by Saam Barati.
The bytecode profiler is not thread safe so we should have
recomputeDependentOptions() disable concurrent JIT. Also, fix the
jsc CLI to set the useProfiler option rather than have its own
state. Note, we call Options::setOption() rather than setting the
Options::useProfiler() option directly as setOption calls
recomputeDependentOptions() for us.
* jsc.cpp:
(CommandLine::parseArguments):
(runJSC):
* runtime/Options.cpp:
(JSC::Options::recomputeDependentOptions):
(JSC::Options::ensureOptionsAreCoherent):
2021-07-21 Yijia Huang <yijia_huang@apple.com>
Fix type check error in testb3
https://bugs.webkit.org/show_bug.cgi?id=228166
Reviewed by Saam Barati.
* b3/testb3_2.cpp:
(testXorNotWithLeftShift32):
(testXorNotWithRightShift32):
(testXorNotWithUnsignedRightShift32):
2021-07-21 Keith Miller <keith_miller@apple.com>
speculateNeitherDoubleNorStringNorHeapBigInt should only have a single JSType branch
https://bugs.webkit.org/show_bug.cgi?id=228146
Reviewed by Robin Morisset.
Since StringType and HeapBigIntType are adjacent JSTypes
we can do an integer range check rather than two separate
JSType checks.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2021-07-20 Yijia Huang <yijia_huang@apple.com>
Add ARM64 EON opcode and select it in AIR
https://bugs.webkit.org/show_bug.cgi?id=228057
Reviewed by Saam Barati.
EON Rd Rn Rm <shift> #amount
Bitwise Exclusive OR NOT (shifted register) performs a bitwise Exclusive OR NOT
of a register value Rn and an optionally-shifted register value Rm, and writes the
result to the destination register. The instruction selector can utilize this to
lowering certain patterns in B3 IR before further Air optimization.
The equivalent pattern of EON Rd Rn Rm is d = n ^ (m ^ -1)
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = ArgumentReg(%x1)
Int @2 = -1
Int @3 = BitXor(@1, @2)
Int @4 = BitXor(@0, b@3)
Void@5 = Return(@4, Terminal)
// Old optimized AIR
Not %x1, %x1, @3
Xor %x0, %x1, %x0, @4
Ret %x0, @5
// New optimized AIR
XorNot %x0, %x1, %x0, @4
Ret %x0, @5
The equivalent pattern of EON-with-shift is d = n ^ ((m ShiftType amount) ^ -1)
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = ArgumentReg(%x1)
Int @2 = amount
Int @3 = -1
Int @4 = Shl(@1, @2)
Int @5 = BitXor(@4, @3)
Int @6 = BitXor(@0, @5)
Void b@7 = Return(b@6, Terminal)
// Old optimized AIR
Lshift %x1, amount, %x1, @4
Not %x1, %x1, @5
Xor %x0, %x1, %x0, @6
Ret %x0, @7
// New optimized AIR
XorNotLeftShift %x0, %x1, $63, %x0, @6
Ret %x0, @7
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::xorNot32):
(JSC::MacroAssemblerARM64::xorNot64):
(JSC::MacroAssemblerARM64::xorNotLeftShift32):
(JSC::MacroAssemblerARM64::xorNotRightShift32):
(JSC::MacroAssemblerARM64::xorNotUnsignedRightShift32):
(JSC::MacroAssemblerARM64::xorNotLeftShift64):
(JSC::MacroAssemblerARM64::xorNotRightShift64):
(JSC::MacroAssemblerARM64::xorNotUnsignedRightShift64):
* assembler/testmasm.cpp:
(JSC::testXorNot32):
(JSC::testXorNot64):
(JSC::testXorNotWithLeftShift32):
(JSC::testXorNotWithRightShift32):
(JSC::testXorNotWithUnsignedRightShift32):
(JSC::testXorNotWithLeftShift64):
(JSC::testXorNotWithRightShift64):
(JSC::testXorNotWithUnsignedRightShift64):
* b3/B3LowerToAir.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testXorNot32):
(testXorNot64):
(testXorNotWithLeftShift32):
(testXorNotWithRightShift32):
(testXorNotWithUnsignedRightShift32):
(testXorNotWithLeftShift64):
(testXorNotWithRightShift64):
(testXorNotWithUnsignedRightShift64):
(addBitTests):
2021-07-20 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] invalidParameterInstanceofSourceAppender should care direct call of Symbol.hasInstance
https://bugs.webkit.org/show_bug.cgi?id=228075
rdar://80762879
Reviewed by Frédéric Wang.
invalidParameterInstanceofSourceAppender can be invoked without `instanceof` expression since we can call
`[Symbol.hasInstance]` function directly, but the implementation did not assume that. This patch fixes
it to handle this direct call.
* runtime/ExceptionHelpers.cpp:
(JSC::invalidParameterInstanceofSourceAppender):
2021-07-19 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] StructureStubInfo's m_identifier should follow to the same protocol of inlineAccessBaseStructure
https://bugs.webkit.org/show_bug.cgi?id=228092
Reviewed by Saam Barati.
In r279813, we fixed a race condition related to inlineAccessBaseStructure: while we clear inlineAccessBaseStructure,
we still run code relying on this field's value until stub version of the code is generated. As a result,
we run the code which relies on the cells that are already collected. And we have the same problem with
m_identifier field too. This patch makes m_identifier follow to the same protocol of inlineAccessBaseStructure
so that we fix this race issue too: both fields will be alive until we switch to the code that are not relying on these
fields.
We also make inlineAccessBaseStructure to m_inlineAccessBaseStructure to easily find that this is member field.
And we also use setWithoutWriteBarrier for m_inlineAccessBaseStructure since we emit codeBlock->vm().heap.writeBarrier(codeBlock)
immediately after that.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::fromStructureStubInfo):
* bytecode/GetByStatus.cpp:
(JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
* bytecode/InByStatus.cpp:
(JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::initGetByIdSelf):
(JSC::StructureStubInfo::initArrayLength):
(JSC::StructureStubInfo::initStringLength):
(JSC::StructureStubInfo::initPutByIdReplace):
(JSC::StructureStubInfo::initInByIdSelf):
(JSC::StructureStubInfo::addAccessCase):
(JSC::StructureStubInfo::reset):
(JSC::StructureStubInfo::visitAggregateImpl):
(JSC::StructureStubInfo::visitWeakReferences):
(JSC::StructureStubInfo::propagateTransitions):
(JSC::StructureStubInfo::setCacheType): Deleted.
* bytecode/StructureStubInfo.h:
2021-07-19 Mark Lam <mark.lam@apple.com>
DFG's parseIntResult() should check for negative zero.
https://bugs.webkit.org/show_bug.cgi?id=228068
rdar://80788603
Reviewed by Yusuke Suzuki.
We have to check for negative zero explicitly because C++ evaluates 0.0 == -0.0
as true.
* dfg/DFGOperations.cpp:
(JSC::DFG::parseIntResult):
2021-07-19 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] InByStatus / InByVariant should visit CacheableIdentifier
https://bugs.webkit.org/show_bug.cgi?id=228088
rdar://80794604
Reviewed by Mark Lam.
After r278445, InByVariant holds CacheableIdentifier. And this can have
String/Symbol cells if this variant is generated by in_by_val. In that
case, we must visit this cell as GetByStatus / GetByVariant are doing.
* bytecode/InByStatus.cpp:
(JSC::InByStatus::visitAggregateImpl):
* bytecode/InByStatus.h:
* bytecode/InByVariant.cpp:
(JSC::InByVariant::visitAggregateImpl):
* bytecode/InByVariant.h:
* bytecode/RecordedStatuses.cpp:
(JSC::RecordedStatuses::visitAggregateImpl):
2021-07-16 Yijia Huang <yijia_huang@apple.com>
Add ExtendType to Air::Arg Index to fully utilize address computation in memory instruction for ARM64
https://bugs.webkit.org/show_bug.cgi?id=227970
Reviewed by Saam Barati.
The pattern recognition of address computation in the instructions, e.g., Load
Resistor (LDR), Store Register (STR), etc., can benefit the instruction selector.
Then, the Air operand BaseIndex containing base, index, and scale is introduced
to Air opcode. However, the <extend> option of index address is not fully leveraged
in the previous implementation.
To fill that gap, this patch adds a new member, MacroAssembler::Extend, to the current
design of BaseIndex to trigger zero/sign extension on the Index address. And this is
enabled for Store/Load with valid index address and shift amount.
Maybe, the ideal approach is to introduce a decorator (Index@EXT) to the Air operand
to provide an extension opportunity for the specific form of the Air opcode.
Load Register (LDR) calculates an address from a base register value and an
offset register value, loads a word from memory, and writes it to a register.
The offset register value can optionally be shifted and extended.
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = Z/SExt32(Trunc(ArgumentReg(%x1)))
Int @2 = scale
Int @3 = Shl(@1, @2)
Int @4 = Add(@0, @3)
Int @5 = Load(@4, ControlDependent|Reads:Top)
Void@6 = Return(@5, Terminal)
// Old optimized AIR
Move %x1, %x1, @1
Move (%x0,%x1,2^scale), %x0, @5
Ret %x0, @6
// New optimized AIR
Move (%x0,%x1,2^scale), %x0, @5
Ret %x0, @6
Store Register (STR) calculates an address from a base register value and an
offset register value, and stores a 32-bit word or a 64-bit doubleword to the
calculated address, from a register.
Given B3 IR:
Int @0 = value
Int @1 = ArgumentReg(%x0)
Int @2 = Z/SExt32(Trunc(ArgumentReg(%x1))
Int @3 = scale
Int @4 = Shl(@2, @3)
Int @5 = Add(@1, @4)
Void@6 = Store(@0, @5, ControlDependent|Writes:Top)
Void@7 = Return(@0, Terminal)
// Old optimized AIR
Move32 %x1, %x1, @2
Store32 %xzr, (%x0,%x1,2^scale), @6
Move $0, %x0, @7
Ret32 %x0, @7
// New optimized AIR
Store32 %xzr, (%x0,%x1,2^scale), @6
Move $0, %x0, @7
Ret32 %x0, @7
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::BaseIndex::BaseIndex):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::indexExtendType):
(JSC::MacroAssemblerARM64::load64):
(JSC::MacroAssemblerARM64::load32):
(JSC::MacroAssemblerARM64::load16):
(JSC::MacroAssemblerARM64::load16SignedExtendTo32):
(JSC::MacroAssemblerARM64::load8):
(JSC::MacroAssemblerARM64::load8SignedExtendTo32):
(JSC::MacroAssemblerARM64::store64):
(JSC::MacroAssemblerARM64::store32):
(JSC::MacroAssemblerARM64::store16):
(JSC::MacroAssemblerARM64::store8):
(JSC::MacroAssemblerARM64::loadDouble):
(JSC::MacroAssemblerARM64::loadFloat):
(JSC::MacroAssemblerARM64::storeDouble):
(JSC::MacroAssemblerARM64::storeFloat):
* b3/B3LowerToAir.cpp:
* b3/air/AirArg.h:
(JSC::B3::Air::Arg::index):
(JSC::B3::Air::Arg::asBaseIndex const):
* b3/testb3.h:
* b3/testb3_2.cpp:
(testLoadZeroExtendIndexAddress):
(testLoadSignExtendIndexAddress):
(testStoreZeroExtendIndexAddress):
(testStoreSignExtendIndexAddress):
(addBitTests):
2021-07-16 Saam Barati <sbarati@apple.com>
Grab the lock in FTL::Thunks::keyForSlowPathCallThunk
https://bugs.webkit.org/show_bug.cgi?id=227988
<rdar://problem/80627901>
Reviewed by Mark Lam.
Both FTL::Thunks::keyForSlowPathCallThunk and FTL::Thunks::getSlowPathCallThunk
both touch the thunks hash map. In r278030, when I added the lock, I grabbed it
in getSlowPathCallThunk, but forgot to also grab it in keyForSlowPathCallThunk.
* ftl/FTLThunks.h:
(JSC::FTL::Thunks::keyForSlowPathCallThunk):
2021-07-16 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r279916.
https://bugs.webkit.org/show_bug.cgi?id=228037
some of tests are timing out
Reverted changeset:
"Convert small JIT pool tests into executable fuzzing"
https://bugs.webkit.org/show_bug.cgi?id=226279
https://commits.webkit.org/r279916
2021-07-16 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] RegExp::dumpToStream must not ref Strings since it is called concurrently
https://bugs.webkit.org/show_bug.cgi?id=228031
rdar://80686425
Reviewed by Mark Lam.
RegExp::dumpToStream's escapedPattern can return m_pattern. In that case, it is refed in the concurrent thread.
This is wrong since StringImpl must not be ref-ed concurrently. This patch just revert this function to the old behavior.
* runtime/RegExp.cpp:
(JSC::RegExp::dumpToStream):
2021-07-15 Keith Miller <keith_miller@apple.com>
Alias JSC graph dumping options
https://bugs.webkit.org/show_bug.cgi?id=228015
Reviewed by Yusuke Suzuki.
My brain seems to associate the phases with the tier we are compiling in
rather than the type of graph we are processing. At this point it's
probably easier to just add an alias rather than convince me otherwise.
* runtime/OptionsList.h:
2021-07-15 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] SamplingProfiler should recognize RegExp execution
https://bugs.webkit.org/show_bug.cgi?id=201702
Reviewed by Saam Barati.
This patch extends SamplingProfiler to recognize RegExp execution. We record
executing RegExp in VM via MatchingContextHolder so that SamplingProfiler can detect it.
We use MatchingContextHolder even if the RegExp is interpreter mode so that we can still
catch non-JIT RegExp in SamplingProfiler.
The example output is the following.
Sampling rate: 1000.000000 microseconds. Total samples: 1830
Top functions as <numSamples 'functionName#hash:sourceID'>
466 'Exec#<nil>:4'
225 '/(^|[^\\])\"\\\/Qngr\((-?[0-9]+)\)\\\/\"/g#<nil>:-1'
173 'runBlock1#<nil>:4'
88 '/NQ_VQ/g#<nil>:-1'
83 '/d2/g#<nil>:-1'
78 '/d1/g#<nil>:-1'
70 '/\s?;\s?/#<nil>:-1'
68 'replace#<nil>:3'
50 '/(((\w+):\/\/)([^\/:]*)(:(\d+))?)?([^#?]*)(\?([^#]*))?(#(.*))?/#<nil>:-1'
49 'runBlock0#<nil>:4'
46 '#<nil>:-1'
24 '/^\s*|\s*$/g#<nil>:-1'
Sampling rate: 1000.000000 microseconds. Total samples: 1830
Tier breakdown:
-----------------------------------
LLInt: 13 (0.710383%)
Baseline: 54 (2.950820%)
DFG: 187 (10.218579%)
FTL: 612 (33.442623%)
js builtin: 73 (3.989071%)
Wasm: 0 (0.000000%)
Host: 0 (0.000000%)
RegExp: 907 (49.562842%)
C/C++: 0 (0.000000%)
Unknown Executable: 57 (3.114754%)
Hottest bytecodes as <numSamples 'functionName#hash:JITType:bytecodeIndex'>
378 'Exec#<nil>:FTL:bc#27'
225 '/(^|[^\\])\"\\\/Qngr\((-?[0-9]+)\)\\\/\"/g#<nil>:RegExp:<nil>'
88 '/NQ_VQ/g#<nil>:RegExp:<nil>'
83 '/d2/g#<nil>:RegExp:<nil>'
78 '/d1/g#<nil>:RegExp:<nil>'
70 '/\s?;\s?/#<nil>:RegExp:<nil>'
62 'replace#<nil>:FTL:bc#63'
53 'Exec#<nil>:DFG:bc#27'
50 '/(((\w+):\/\/)([^\/:]*)(:(\d+))?)?([^#?]*)(\?([^#]*))?(#(.*))?/#<nil>:RegExp:<nil>'
46 '#<nil>:None:<nil>'
42 'runBlock1#<nil>:FTL:bc#1795'
29 'runBlock1#<nil>:FTL:bc#1849'
29 'runBlock1#<nil>:FTL:bc#1741'
24 '/^\s*|\s*$/g#<nil>:RegExp:<nil>'
17 'runBlock1#<nil>:DFG:bc#1741'
17 'runBlock1#<nil>:DFG:bc#1795'
16 '/\b\w+\b/g#<nil>:RegExp:<nil>'
14 '/TNQP=([^;]*)/i#<nil>:RegExp:<nil>'
13 '/%\w?$/#<nil>:RegExp:<nil>'
12 '/^ba/#<nil>:RegExp:<nil>'
11 '/^\s*(\S*(\s+\S+)*)\s*$/#<nil>:RegExp:<nil>'
10 'runBlock0#<nil>:FTL:bc#400'
10 'runBlock1#<nil>:DFG:bc#1849'
10 'Exec#<nil>:DFG:bc#16'
9 '/(?:ZFVR.(\d+\.\d+))|(?:(?:Sversbk|TenaCnenqvfb|Vprjrnfry).(\d+\.\d+))|(?:Bcren.(\d+\.\d+))|(?:NccyrJroXvg.(\d+(?:\.\d+)?))/#<nil>:RegExp:<nil>'
8 '/##yv18##/gi#<nil>:RegExp:<nil>'
8 '/([a-zA-Z]|\s)+/#<nil>:RegExp:<nil>'
7 '/JroXvg\/(\S+)/#<nil>:RegExp:<nil>'
7 'runBlock0#<nil>:FTL:bc#2671'
7 '/^([#.]?)((?:[\w\u0128-\uffff*_-]|\\.)*)/#<nil>:RegExp:<nil>'
6 '/##oe##/gi#<nil>:RegExp:<nil>'
6 'runBlock1#<nil>:FTL:bc#124'
6 '/[+, ]/#<nil>:RegExp:<nil>'
6 'runBlock1#<nil>:FTL:bc#1903'
6 'replace#<nil>:DFG:bc#63'
5 'runBlock0#<nil>:FTL:bc#3378'
5 '/'/g#<nil>:RegExp:<nil>'
5 '/##yv20##/gi#<nil>:RegExp:<nil>'
4 '/\?[\w\W]*(sevraqvq|punaaryvq|tebhcvq)=([^\&\?#]*)/i#<nil>:RegExp:<nil>'
4 'load#<nil>:None:<nil>'
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/RegExp.cpp:
(JSC::RegExp::matchCompareWithInterpreter):
(JSC::RegExp::dumpToStream):
(JSC::appendLineTerminatorEscape<LChar>):
(JSC::appendLineTerminatorEscape<UChar>):
(JSC::escapePattern):
(JSC::RegExp::escapedPattern const): Moved from RegExpPrototype.cpp to implement RegExp::toSourceString and RegExp::escapedPattern.
(JSC::RegExp::toSourceString const):
(JSC::regexpToSourceString): Deleted.
* runtime/RegExp.h:
* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):
* runtime/RegExpPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::appendLineTerminatorEscape<LChar>): Deleted.
(JSC::appendLineTerminatorEscape<UChar>): Deleted.
(JSC::regExpProtoGetterSourceInternal): Deleted.
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::takeSample):
(JSC::SamplingProfiler::processUnverifiedStackTraces):
(JSC::SamplingProfiler::StackFrame::nameFromCallee):
(JSC::SamplingProfiler::StackFrame::displayName):
(JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
(JSC::SamplingProfiler::StackFrame::functionStartLine):
(JSC::SamplingProfiler::StackFrame::functionStartColumn):
(JSC::SamplingProfiler::StackFrame::sourceID):
(JSC::SamplingProfiler::StackFrame::url):
(JSC::SamplingProfiler::reportTopBytecodes):
(WTF::printInternal):
* runtime/SamplingProfiler.h:
* runtime/VM.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::MatchingContextHolder::MatchingContextHolder): Deleted.
(JSC::Yarr::MatchingContextHolder::~MatchingContextHolder): Deleted.
* yarr/YarrJIT.h:
(JSC::Yarr::MatchingContextHolder::offsetOfStackLimit): Deleted.
(JSC::Yarr::MatchingContextHolder::offsetOfPatternContextBuffer): Deleted.
(JSC::Yarr::MatchingContextHolder::offsetOfPatternContextBufferSize): Deleted.
* yarr/YarrMatchingContextHolder.h: Added.
(JSC::Yarr::MatchingContextHolder::offsetOfStackLimit):
(JSC::Yarr::MatchingContextHolder::offsetOfPatternContextBuffer):
(JSC::Yarr::MatchingContextHolder::offsetOfPatternContextBufferSize):
(JSC::Yarr::MatchingContextHolder::MatchingContextHolder):
(JSC::Yarr::MatchingContextHolder::~MatchingContextHolder):
2021-07-15 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Harden defaultTimeZone retrieval
https://bugs.webkit.org/show_bug.cgi?id=227996
rdar://80540300
Reviewed by Mark Lam.
We received the report that "UTC" can appear in Intl.DateTimeFormat's default timezone.
While we cannot reproduce it, this patch attempts to avoid using TimeZone from UCalendar
so that the code gets the same to the old defaultTimeZone implementation.
* runtime/JSDateMath.cpp:
(JSC::DateCache::defaultTimeZone):
(JSC::DateCache::timeZoneCacheSlow):
2021-07-15 Mark Lam <mark.lam@apple.com>
JITWorklist::waitUntilAllPlansForVMAreReady() should also be notified when plans are cancelled.
https://bugs.webkit.org/show_bug.cgi?id=228003
rdar://78314543
Reviewed by Yusuke Suzuki.
Previously, it only gets notified when plans are done compiling. As a result, if
JITWorklist::waitUntilAllPlansForVMAreReady() found non-ready plans and started
waiting, and those plans were canceled, then JITWorklist::waitUntilAllPlansForVMAreReady()
can hang indefinitely.
This patch renames JITWorklist::::m_planCompiled to m_planCompiledOrCancelled,
and notifies it also when plans are cancelled.
* jit/JITWorklist.cpp:
(JSC::JITWorklist::waitUntilAllPlansForVMAreReady):
(JSC::JITWorklist::removeMatchingPlansForVM):
* jit/JITWorklist.h:
* jit/JITWorklistThread.cpp:
(JSC::JITWorklistThread::work):
2021-07-15 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Add samplingProfilerIgnoreExternalSourceID option
https://bugs.webkit.org/show_bug.cgi?id=227985
Reviewed by Mark Lam.
We can ignore sourceID when aggregating samples. By doing so, we can open Speedometer2 style iframes
and still aggregate all the functions even though each script in iframe has different source ID.
* runtime/OptionsList.h:
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::StackFrame::sourceID):
(JSC::SamplingProfiler::reportTopFunctions):
* runtime/SamplingProfiler.h:
2021-07-15 Adrian Perez de Castro <aperez@igalia.com>
Non-unified build fixes, mid-July 2021 edition
https://bugs.webkit.org/show_bug.cgi?id=227981
Unreviewed non-unified build fixes.
* ftl/FTLState.cpp: Add missing B3ValueInlines.h header.
* runtime/TemporalNow.cpp: Add missing JSCJSValueInlines.h and JSObjectInlines.h headers.
* runtime/TemporalObject.cpp: Ditto.
2021-07-14 Devin Rousso <drousso@apple.com>
Implement Array.prototype.findLast and Array.prototype.findLastIndex
https://bugs.webkit.org/show_bug.cgi?id=227939
Reviewed by Yusuke Suzuki.
* builtins/ArrayPrototype.js:
(findLast): Added.
(findLastIndex): Added.
(JSC::ArrayPrototype::finishCreation):
* runtime/JSTypedArrayViewPrototype.cpp:
* builtins/TypedArrayPrototype.js:
(findLast): Added.
(findLastIndex): Added.
* runtime/ArrayPrototype.cpp:
(JSC::JSTypedArrayViewPrototype::finishCreation):
* runtime/OptionsList.h:
2021-07-14 Michael Saboff <msaboff@apple.com>
[macOS] Add new entitlement to limit process to a single JIT region
https://bugs.webkit.org/show_bug.cgi?id=227956
Reviewed by Mark Lam.
This macOS entitlement limits a process to a single JIT region.
This matches the behavior on iOS.
* Scripts/process-entitlements.sh:
* entitlements.plist:
2021-07-14 Mark Lam <mark.lam@apple.com>
Speculative fix for failed scope.releaseAssertNoException() after calls to JSMap::create().
https://bugs.webkit.org/show_bug.cgi?id=227964
rdar://78013960
Reviewed by Yusuke Suzuki.
There have been reports of flaky failures on the scope.releaseAssertNoException()
after the call to JSMap::create() in JSModuleLoader::finishCreation().
The scope.releaseAssertNoException() says that we don't expect the JSMap::create()
to ever throw an exception. If the assertion is true, the only way that we can
see an exception there is if we're throwing an asynchronous TerminationException.
Since JSModuleLoader::finishCreation() does not have any long running loops, we can
just DeferTerminationForAWhile and let the next exception check site throw the
asynchronous TerminationException. We don't want to just use DeferTermination
because it will throw the TerminationException right at the end of
JSModuleLoader::finishCreation(), and the caller of JSModuleLoader::finishCreation()
may be similarly not expecting an exception to be thrown there.
Also apply the same treatment to AbstractModuleRecord::finishCreation(), and
getBackingMap() in WebCore for the same reason. Other than those, other sites that
call JSMap::create() already check for exceptions. So, those sites do not need to
DeferTerminationForAWhile.
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::finishCreation):
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::finishCreation):
2021-07-14 Keith Miller <keith_miller@apple.com>
Convert small JIT pool tests into executable fuzzing
https://bugs.webkit.org/show_bug.cgi?id=226279
Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.
The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.
Reviewed by Michael Saboff.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::numberOfDFGCompiles):
* jit/ExecutableAllocationFuzz.cpp:
(JSC::doExecutableAllocationFuzzing):
* jsc.cpp:
(runJSC):
2021-07-14 Mark Lam <mark.lam@apple.com>
Check for out of memory in JSC::globalFuncEscape() and JSC::globalFuncUnescape().
https://bugs.webkit.org/show_bug.cgi?id=227962
rdar://78392251
Reviewed by Yusuke Suzuki.
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
2021-07-14 Yusuke Suzuki <ysuzuki@apple.com>
libpas executable-allocator should reserve more than 256KB for non-fail region at least
https://bugs.webkit.org/show_bug.cgi?id=227927
Reviewed by Keith Miller.
libpas jit_heap has mediam allocator which allocates 128KB pages at once. However, our JSC stress tests are setting 100KB
for small executable memory tests. As a result, under this configuration, we fail immediately after using medium allocator.
But this test's "total size of executable memory is 100KB" is unrealistic: it is possible that only 100KB memory remains,
but it is impossible that we reserve only 25KB for non-fail reservation. In production, we are always reserving 128MB. So
this configuration is not realistic actually.
So, this patch changes,
1. If non-fail region is less than 256KB, then we add 256KB and keep this 256KB as non-fail executable allocation. If not,
use 0.25 ratio as we are doing. This means that Options::jitMemoryReservationSize configures failable region of
executable memory.
2. We also revive bytesReserved and bytesAllocated to make memoryPressureMultiplier and early-fail allocation (when there is
not enough memory and allocation can fail, then we should fail).
* jit/ExecutableAllocator.cpp:
(JSC::initializeJITPageReservation):
(JSC::ExecutableAllocator::underMemoryPressure):
(JSC::ExecutableAllocator::memoryPressureMultiplier):
(JSC::ExecutableAllocator::allocate):
(JSC::ExecutableMemoryHandle::createImpl):
(JSC::ExecutableMemoryHandle::~ExecutableMemoryHandle):
(JSC::ExecutableMemoryHandle::shrink):
(JSC::ExecutableMemoryHandle::sizeInBytes const): Deleted.
* jit/ExecutableMemoryHandle.h:
(JSC::ExecutableMemoryHandle::sizeInBytes const):
(JSC::ExecutableMemoryHandle::ExecutableMemoryHandle):
2021-07-14 Mark Lam <mark.lam@apple.com>
Placate exception checker validation in operationObjectAssignUntyped.
https://bugs.webkit.org/show_bug.cgi?id=227955
rdar://80503746
Reviewed by Michael Saboff.
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
2021-07-13 Robin Morisset <rmorisset@apple.com>
Invalid machine code emitted by SpeculativeJIT::emitObjectOrOtherBranch
https://bugs.webkit.org/show_bug.cgi?id=227869
<rdar://problem/80457566>
Reviewed by Mark Lam.
SpeculativeJIT::emitObjectOrOtherBranch used to check the validity of the masqueradesAsUndefined watchpoint twice, and assumed that it could not change in between.
That is clearly incorrect as the main thread is running concurrently with it, and so the watchpoint could fire at any time.
The fix is trivial: just check the validity once, and store the result in a boolean.
If the watchpoint triggers later that is fine: we'll notice and cancel the compilation (see WatchpointCollectionPhase, Plan::isStillValid() and Plan::finalize()).
The change only protects us from rare and hard-to-reproduce crashes on debug builds caused by an ASSERT firing.
I did not add a testcase, as I can only reproduce the bug by adding an extra wait in the middle of emitObjectOrOtherBranch.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2021-07-13 Yijia Huang <yijia_huang@apple.com>
Add a new Air::Arg kind ZeroReg to let AIR recognise the new instructions/forms accepting zero register in ARM64
https://bugs.webkit.org/show_bug.cgi?id=227510
Reviewed by Saam Barati.
B3 is designed to be portable to many kinds of CPUs. However, to effectively
compile code to different CPUs, the compiler must eventually make explicit
instruction set details. Then, Air is introduced, and it is designed to target
individual CPU architectures and generate instructions specific to those CPUs.
Previously, Air don't recognize the zero register. This problem has been pointed
out in #174821, which was trying to introduce the new opcodes to handle the zero
register.
To solve this problem in a modular reasoning approach, a new Air operand ZeroReg
should be introduced. Its goal is to closely match the CPU instructions
accepting the zero register in ARM64. Another reason is that the new overloads
of the instructions taking the zero register can benefit instruction selection
with this implementation.
Here, the ZeroReg is added as a new kind for Air::Arg, which acts as a "high
level" operand to be emitted with the associative opcodes. In ARM64, the ZeroReg
would be emitted as a zero register.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::storeZero64): Deleted.
(JSC::MacroAssemblerARM64::storeZero32): Deleted.
(JSC::MacroAssemblerARM64::storeZero16): Deleted.
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::storeZero32): Deleted.
(JSC::MacroAssemblerX86Common::storeZero16): Deleted.
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::storeZero64): Deleted.
* b3/B3LowerToAir.cpp:
* b3/air/AirArg.cpp:
(JSC::B3::Air::Arg::jsHash const):
(JSC::B3::Air::Arg::dump const):
(WTF::printInternal):
* b3/air/AirArg.h:
(JSC::B3::Air::Arg::zeroReg):
(JSC::B3::Air::Arg::isZeroReg const):
(JSC::B3::Air::Arg::isGP const):
(JSC::B3::Air::Arg::isFP const):
(JSC::B3::Air::Arg::isValidForm const):
(JSC::B3::Air::Arg::asZeroReg const):
* b3/air/AirLowerStackArgs.cpp:
(JSC::B3::Air::lowerStackArgs):
* b3/air/AirOpcode.opcodes:
* b3/air/opcode_generator.rb:
* b3/testb3.h:
* b3/testb3_1.cpp:
(run):
* b3/testb3_3.cpp:
(testStoreZeroReg):
2021-07-12 Filip Pizlo <fpizlo@apple.com> and Yusuke Suzuki <ysuzuki@apple.com>
New malloc algorithm
https://bugs.webkit.org/show_bug.cgi?id=226404
Reviewed by Yusuke Suzuki.
Switch the ExecutableAllocator to the libpas jit_heap. The libpas jit_heap uses two size
categories of bitfit and a large heap, and is happy to do its approximate first-fit in any
ranges of memory you give it. Jit_heap never allocates metadata inside the memory it manages.
Allocations and deallocations take a constant-bounded amount of time except for unusual
situations, and are protected by fine-grained locking in most cases. Decommit follows libpas
scavenging policy. This alone is a speed-up on Speedometer (probably about 1% or more).
Also expose some libpas introspection via $vm.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/MacroAssemblerCodeRef.h:
* jit/ExecutableAllocator.cpp:
(JSC::ExecutableAllocator::underMemoryPressure):
(JSC::ExecutableAllocator::memoryPressureMultiplier):
(JSC::ExecutableAllocator::allocate):
(JSC::ExecutableAllocator::committedByteCount):
(JSC::ExecutableMemoryHandle::createImpl):
(JSC::ExecutableMemoryHandle::~ExecutableMemoryHandle):
(JSC::ExecutableMemoryHandle::sizeInBytes const):
(JSC::ExecutableMemoryHandle::shrink):
* jit/ExecutableAllocator.h:
* jit/ExecutableMemoryHandle.h: Added.
(JSC::ExecutableMemoryHandle::start const):
(JSC::ExecutableMemoryHandle::end const):
(JSC::ExecutableMemoryHandle::startAsInteger const):
(JSC::ExecutableMemoryHandle::endAsInteger const):
(JSC::ExecutableMemoryHandle::containsIntegerAddress const):
(JSC::ExecutableMemoryHandle::contains const):
(JSC::ExecutableMemoryHandle::key const):
(JSC::ExecutableMemoryHandle::dump const):
(JSC::ExecutableMemoryHandle::ExecutableMemoryHandle):
* tools/JSDollarVM.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSDollarVM::finishCreation):
2021-07-12 Mark Lam <mark.lam@apple.com>
Revert r277027: breaks GC.
https://bugs.webkit.org/show_bug.cgi?id=227888
Reviewed by Saam Barati.
The patch in r277027 to make deletion of GCAwareJITStubRoutines incremental has a
bug: the routine may not be deleted yet by the incremental sweeper before the next
GC cycle, and the GC will not be happy visiting dead cell pointers in that routine.
There is also another bug with the triggering of sweeping.
For now, we're reverting the patch, and will revisit this at a later time.
* CMakeLists.txt:
* heap/Heap.cpp:
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::sweepSynchronously):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::mayHaveJITStubRoutinesToDelete): Deleted.
(JSC::Heap::deleteDeadJITStubRoutines): Deleted.
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::doSweep):
* heap/JITStubRoutineSet.cpp:
(JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
* heap/JITStubRoutineSet.h:
(JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
(JSC::JITStubRoutineSet::traceMarkedStubRoutines):
(JSC::JITStubRoutineSet::mayHaveRoutinesToDelete): Deleted.
(JSC::JITStubRoutineSet::notifyHaveRoutinesToDelete): Deleted.
* jit/GCAwareJITStubRoutine.cpp:
(JSC::GCAwareJITStubRoutine::observeZeroRefCount):
* jit/JITStubRoutine.h:
(JSC::JITStubRoutine::createSelfManagedRoutine):
2021-07-12 Yijia Huang <yijia_huang@apple.com>
Add SMNEGL, UMNEGL, UMADDL, and UMSUBL for ARM64 and select this instruction in Air
https://bugs.webkit.org/show_bug.cgi?id=227857
Reviewed by Robin Morisset.
The previous patches have already added MNEG, MADD, MSUB, SMADDL, and SMSUBL.
This patch completes the corresponding signed or unsigned variants (SMNEGL,
UMNEGL, UMADDL, and UMSUBL) of them. In addition, this patch refactors
the implementation and the associative test cases of MADD, MSUB, and MNEG
to be more readable and maintainable w.r.t their variants.
------------------------------
### SMNEGL/UMNEGL Xd Wn Wm ###
------------------------------
Signed/Unsigned Multiply-Negate Long multiplies two 32-bit register values,
negates the product, and writes the result to the 64-bit destination register.
The equivalent patterns are
d = -(SExt32(n) * SExt32(m)) and d = -(ZExt32(n) * ZExt32(m)) respectively.
Given B3 IR:
Int @0 = S/ZExt32(Trunc(ArgumentReg(%x0)))
Int @1 = S/ZExt32(Trunc(ArgumentReg(%x1)))
Int @2 = Mul(@0, @1)
Int @3 = Neg(@2)
Void@4 = Return(@3, Terminal)
// Old optimized AIR
Move32 %x0, %x0, @0
Move32 %x1, %x1, @1
MultiplyNeg %x0, %x1, %x0, @3
Ret %x0, @4
// New optimized AIR
MultiplyNegSign/ZeroExtend %x0, %x1, %x0, @3
Ret %x0, @4
--------------------------
### UMADDL Xd Wn Wm Xa ###
--------------------------
Unsigned Multiply-Add Long multiplies two 32-bit register values, adds a 64-bit
register value, and writes the result to the 64-bit destination register. The
equivalent patterns are
d = ZExt32(n) * ZExt32(m) + a or d = a + ZExt32(n) * ZExt32(m)
Given B3 IR:
Int @0 = ZExt32(Trunc(ArgumentReg(%x0)))
Int @1 = ZExt32(Trunc(ArgumentReg(%x1)))
Int @2 = ArgumentReg(%x2)
Int @3 = Mul(@0, @1)
Int @4 = Add(@3, @2)
Void@5 = Return(@4, Terminal)
// Old optimized AIR
Move32 %x0, %x0, @1
Move32 %x1, %x1, @2
MultiplyAdd %x0, %x1, %x2, %x0, @4
Ret64 %x0, @5
// New optimized AIR
MultiplyAddZeroExtend %x0, %x1, %x2, %x0, @8
Ret %x0, @9
--------------------------
### UMSUBL Xd Wn Wm Xa ###
--------------------------
Unsigned Multiply-Subtract Long multiplies two 32-bit register values, subtracts
the product from a 64-bit register value, and writes the result to the 64-bit
destination register. The equivalent patterns are
d = a - ZExt32(n) * ZExt32(m)
Given B3 IR:
Int @0 = ZExt32(Trunc(ArgumentReg(%x0)))
Int @1 = ZExt32(Trunc(ArgumentReg(%x1)))
Int @2 = ArgumentReg(%x2)
Int @3 = Mul(@0, @1)
Int @4 = Sub(@2, @3)
Void@5 = Return(@4, Terminal)
// Old optimized AIR
Move32 %x0, %x0, @1
Move32 %x1, %x1, @2
MultiplySub %x0, %x1, %x2, %x0, @4
Ret64 %x0, @5
// New optimized AIR
MultiplySubZeroExtend %x0, %x1, %x2, %x0, @8
Ret %x0, @9
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::multiplyNeg32):
(JSC::MacroAssemblerARM64::multiplyAddZeroExtend32):
(JSC::MacroAssemblerARM64::multiplySubZeroExtend32):
(JSC::MacroAssemblerARM64::multiplyNeg64):
(JSC::MacroAssemblerARM64::multiplyNegSignExtend32):
(JSC::MacroAssemblerARM64::multiplyNegZeroExtend32):
* assembler/testmasm.cpp:
(JSC::testMultiplyAddSignExtend32):
(JSC::testMultiplyAddZeroExtend32):
(JSC::testMultiplySubSignExtend32):
(JSC::testMultiplySubZeroExtend32):
(JSC::testMultiplyNegSignExtend32):
(JSC::testMultiplyNegZeroExtend32):
(JSC::testMultiplyAddSignExtend32Left): Deleted.
(JSC::testMultiplyAddSignExtend32Right): Deleted.
* b3/B3LowerToAir.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testMulAddArgsLeft):
(testMulAddArgsRight):
(testMulAddSignExtend32ArgsLeft):
(testMulAddZeroExtend32ArgsLeft):
(testMulAddZeroExtend32ArgsRight):
(testMulSubArgsLeft):
(testMulSubArgsRight):
(testMulSubArgsRight32):
(testMulSubSignExtend32):
(testMulSubZeroExtend32):
(testMulNegArgArg):
(testMulNegArgs):
(testMulNegArgs32):
(testMulNegSignExtend32):
(testMulNegZeroExtend32):
(testMulSubSignExtend32Args): Deleted.
* b3/testb3_3.cpp:
(addArgTests):
2021-07-12 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] JITCage already includes guard pages
https://bugs.webkit.org/show_bug.cgi?id=227867
Reviewed by Mark Lam.
Since JITCage already includes guard pages, we do not need to allocate that additionally.
* jit/ExecutableAllocator.cpp:
(JSC::initializeJITPageReservation):
2021-07-10 Saam Barati <sbarati@apple.com>
Continue to consult InlineAccess's Structure even after switching to a stub IC
https://bugs.webkit.org/show_bug.cgi?id=227785
Reviewed by Yusuke Suzuki.
This patch fixes a crash in: stress/class-subclassing-function.js
The bug is this:
1. We initialize a StructureStubInfo to be an inline self access doing a load based on structure S.
2. We transition to being a PolymorphicAccess based StructureStubInfo. But, we haven't
generated code yet. We're in the buffered state. So we are still running the inline access
from (1). But the StructureStubInfo thinks it's a "Stub".
3. S is collected
4. We continue to run code from (1), because when we finalize the IC during GC, it
doesn't think it's an inline access.
The fix is to always track the structure S that we used when generating the inline
access, and to only stop tracking it once we've generated code for the Stub.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::fromStructureStubInfo):
(JSC::AccessCase::propagateTransitions const):
* bytecode/AccessCase.h:
* bytecode/GetByStatus.cpp:
(JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
* bytecode/InByStatus.cpp:
(JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::propagateTransitions const):
* bytecode/PolymorphicAccess.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::initGetByIdSelf):
(JSC::StructureStubInfo::initPutByIdReplace):
(JSC::StructureStubInfo::initInByIdSelf):
(JSC::StructureStubInfo::addAccessCase):
(JSC::StructureStubInfo::reset):
(JSC::StructureStubInfo::visitWeakReferences):
(JSC::StructureStubInfo::propagateTransitions):
* bytecode/StructureStubInfo.h:
2021-07-10 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Workaround test262.report bug by making $ properties enumerable
https://bugs.webkit.org/show_bug.cgi?id=227855
Reviewed by Alexey Shvayka.
test262.report's harness has a bug and it reports incorrect results for JSC on tests using $262 properties.
This patch introduces a workaround which makes properties of $ enumerable.
* jsc.cpp:
2021-07-08 Yijia Huang <yijia_huang@apple.com>
Add Air opcode add/sub-and-shift for ARM64 and select this instruction in Air
https://bugs.webkit.org/show_bug.cgi?id=227509
Reviewed by Saam Barati.
This patch includes two modifications:
1. Add add/sub-with-shift to Air opcode and the corresponding pattern match for
instruction selection.
2. Minor fix in disassembler.
Given the operation:
add/sub Rd, Rn, Rm, ShiftType, amount
ADD/SUB (shifted register), adds/subs a register value Rn and an optionally-shifted register
value Rm, and writes the result to the destination register Rd. The instruction selector
can utilize this to lowering certain patterns in B3 IR before further Air optimization.
The equivalent pattern would be:
d = n +/- (m ShiftType amount)
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = ArgumentReg(%x1)
Int @2 = amount
Int @3 = ZShr(@1, @2)
Int @4 = Add/Sub(@0, @3)
Void@5 = Return(@4, Terminal)
// Old optimized AIR
Shift %x1, amount, %x1, @3
Add/Sub %x0, %x1, %x0, @4
Ret %x0, @5
// New optimized AIR
Add(Sub)Shift %x0, %x1, amount, %x0, @4
Ret %x0, @5
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::addLeftShift32):
(JSC::MacroAssemblerARM64::addRightShift32):
(JSC::MacroAssemblerARM64::addUnsignedRightShift32):
(JSC::MacroAssemblerARM64::addLeftShift64):
(JSC::MacroAssemblerARM64::addRightShift64):
(JSC::MacroAssemblerARM64::addUnsignedRightShift64):
(JSC::MacroAssemblerARM64::subLeftShift32):
(JSC::MacroAssemblerARM64::subRightShift32):
(JSC::MacroAssemblerARM64::subUnsignedRightShift32):
(JSC::MacroAssemblerARM64::subLeftShift64):
(JSC::MacroAssemblerARM64::subRightShift64):
(JSC::MacroAssemblerARM64::subUnsignedRightShift64):
* assembler/testmasm.cpp:
(JSC::testAddWithLeftShift32):
(JSC::testAddWithRightShift32):
(JSC::testAddWithUnsignedRightShift32):
(JSC::testAddWithLeftShift64):
(JSC::testAddWithRightShift64):
(JSC::testAddWithUnsignedRightShift64):
(JSC::testSubWithLeftShift32):
(JSC::testSubWithRightShift32):
(JSC::testSubWithUnsignedRightShift32):
(JSC::testSubWithLeftShift64):
(JSC::testSubWithRightShift64):
(JSC::testSubWithUnsignedRightShift64):
* b3/B3LowerToAir.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
(checkUsesInstruction):
* b3/testb3_2.cpp:
(testAddWithLeftShift32):
(testAddWithRightShift32):
(testAddWithUnsignedRightShift32):
(testAddWithLeftShift64):
(testAddWithRightShift64):
(testAddWithUnsignedRightShift64):
(testSubWithLeftShift32):
(testSubWithRightShift32):
(testSubWithUnsignedRightShift32):
(testSubWithLeftShift64):
(testSubWithRightShift64):
(testSubWithUnsignedRightShift64):
(addBitTests):
* disassembler/ARM64/A64DOpcode.cpp:
* disassembler/ARM64/A64DOpcode.h:
(JSC::ARM64Disassembler::A64DOpcodeAddSubtractShiftedRegister::immediate6):
(JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::immediate6):
2021-07-08 Keith Miller <keith_miller@apple.com>
display-profiler-output should be able to print disassembly for the FTL
https://bugs.webkit.org/show_bug.cgi?id=227798
Reviewed by Saam Barati.
Right now running JSC with the bytecode profiler will not print
disassembly for FTL code. This patch adds this support. In order to get
execution counts there is a callback at the transition between each
DFG node in the Air disassembler. Since B3 code move parts of
DFG nodes to different basic blocks we don't include execution
counts in the dump. However, the DFG-only graph printed before
the disassembly will still have the counts.
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLState.cpp:
(JSC::FTL::State::dumpDisassembly):
* ftl/FTLState.h:
(JSC::FTL::State::dumpDisassembly):
2021-07-08 Yusuke Suzuki <ysuzuki@apple.com>
Use JSC::Yarr::flagsString to get string representation of RegExp flags
https://bugs.webkit.org/show_bug.cgi?id=227790
Reviewed by Keith Miller.
* yarr/YarrFlags.h:
2021-07-07 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Clean up RegExp flag code
https://bugs.webkit.org/show_bug.cgi?id=227786
Reviewed by Filip Pizlo.
I found a bug in regexpToSourceString (used for RegExp's dump code), and it motivates me to clean up
all RegExp flag handling code. We define RegExp flags as a macro and updating that macro updates all
RegExp flag handling code too.
* runtime/RegExp.cpp:
(JSC::RegExpFunctionalTestCollector::outputOneTest):
(JSC::regexpToSourceString):
* runtime/RegExp.h:
* runtime/RegExpPrototype.cpp:
(JSC::flagsString):
* yarr/YarrFlags.cpp:
(JSC::Yarr::parseFlags):
(JSC::Yarr::flagsString):
* yarr/YarrFlags.h:
2021-07-07 Saam Barati <sbarati@apple.com>
JSArrayBufferView::byteOffsetConcurrently has a race when using PAC
https://bugs.webkit.org/show_bug.cgi?id=227765
Reviewed by Mark Lam.
We were calling JSArrayBufferView::vector(), which does PAC validation
using the length() of the array. However, this can race with JSArrayBufferView::detach,
which sets the length to zero, leading to sadness on the compiler thread.
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::vectorWithoutPACValidation const):
* runtime/JSArrayBufferViewInlines.h:
(JSC::JSArrayBufferView::byteOffsetImpl):
2021-07-07 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Fix Object.assign fast path to accept undefined/null
https://bugs.webkit.org/show_bug.cgi?id=227769
rdar://80264271
Reviewed by Saam Barati.
Object.assign can accept undefined or null as a second (or latter) parameters.
If it is passed, the parameter is just ignored. Previous DFG / FTL optimization patch
does not handle this case.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileObjectAssign):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileObjectAssign):
* runtime/ObjectConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/ObjectConstructorInlines.h:
(JSC::objectAssignFast):
2021-07-07 Mark Lam <mark.lam@apple.com>
Heap::waitForCollector() needs to set m_mutatorDidRun.
https://bugs.webkit.org/show_bug.cgi?id=227782
rdar://78326474
Reviewed by Saam Barati.
Heap::waitForCollector() is one of 2 clients of Heap::stopIfNecessarySlow(unsigned oldState).
The other client, Heap::stopIfNecessarySlow() sets m_mutatorDidRun to true after
calling Heap::stopIfNecessarySlow(unsigned oldState). Heap::waitForCollector()
needs to do the same. Constraint solvers rely on this.
Without this, one fall out we've seen is that DOMGCOutputConstraint fails to
visitOutputConstraints, and as a result, opaqueRoots may not get updated. This
issue was caught by the GC verifier.
* heap/Heap.cpp:
(JSC::Heap::waitForCollector):
2021-07-07 Michael Saboff <msaboff@apple.com>
fitcored crashes at JavaScriptCore: JSC::Heap::releaseAccessSlow
https://bugs.webkit.org/show_bug.cgi?id=227767
Reviewed by Geoffrey Garen.
Speculative fix for this crash. We are crashing while destroying the VM as we are about to
release the JSLock. In JSLock::willReleaseLock(), we release heap access. Therefore we don't
need to release it again when undertaking the various shutdown steps in the VM destructor.
Added a new scope class that will only release and then acquire heap access if the caller
currently has heap access.
* heap/ReleaseHeapAccessScope.h:
(JSC::ReleaseHeapAccessIfNeededScope::ReleaseHeapAccessIfNeededScope):
(JSC::ReleaseHeapAccessIfNeededScope::~ReleaseHeapAccessIfNeededScope):
* jit/JITWorklist.cpp:
(JSC::JITWorklist::waitUntilAllPlansForVMAreReady):
2021-07-07 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Do not allocate JITWorklist if JIT is disabled
https://bugs.webkit.org/show_bug.cgi?id=227734
Reviewed by Mark Lam.
Previously, this code was doing,
if (Options::useJIT())
DFG::iterateCodeBlocksForGC(visitor, m_vm, func);
But r278082 changed it to
JITWorklist::ensureGlobalWorklist().iterateCodeBlocksForGC(visitor, m_vm, func);
As a result, we are always allocating JITWorklist even JIT is not enabled.
This patch fixes the behavior not to allocate JITWorklist.
* heap/Heap.cpp:
(JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
2021-07-06 Yusuke Suzuki <ysuzuki@apple.com>
r270214 broke testb3 on arm64e
https://bugs.webkit.org/show_bug.cgi?id=227713
Reviewed by Saam Barati.
ARM64E CAS lacks isBranch case. This patch adds isBranch implementation.
We also adjust disasm scanning test to support CAS in ARM64E.
* assembler/testmasm.cpp:
(JSC::testAtomicStrongCASFill8):
(JSC::testAtomicStrongCASFill16):
* b3/B3LowerToAir.cpp:
* b3/testb3_8.cpp:
(testAtomicWeakCAS):
(testAtomicStrongCAS):
(testAtomicXchg):
2021-07-06 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, build fix after r279630
https://bugs.webkit.org/show_bug.cgi?id=223166
* DerivedSources-input.xcfilelist:
* DerivedSources-output.xcfilelist:
2021-07-06 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r279546, r279554, r279558 and r279567.
https://bugs.webkit.org/show_bug.cgi?id=227732
Speedometer/jQuery-TodoMVC 2-3% regression
Reverted changesets:
"[WebIDL] Rework runtime enabled properties leveraging
PropertyCallback"
https://bugs.webkit.org/show_bug.cgi?id=227275
https://commits.webkit.org/r279546
"[WebIDL] Generate constructor's hash table in
GenerateConstructorHelperMethods"
https://bugs.webkit.org/show_bug.cgi?id=227668
https://commits.webkit.org/r279554
"[WebIDL] Simplify generation of runtime conditionally read-
write attributes"
https://bugs.webkit.org/show_bug.cgi?id=227672
https://commits.webkit.org/r279558
"Use AbortSignal's [PrivateIdentifier] whenSignalAborted()
static method"
https://bugs.webkit.org/show_bug.cgi?id=227673
https://commits.webkit.org/r279567
2021-07-06 Philip Chimento <pchimento@igalia.com>
[JSC] Implement Temporal
https://bugs.webkit.org/show_bug.cgi?id=223166
Reviewed by Yusuke Suzuki.
Intended to be the first patch in a stack. Adds boilerplate for
Temporal in order to unblock further parallelizable work on this bug.
This patch adds a feature flag for Temporal, and a toplevel Temporal
global containing only Temporal.now, which is itself an empty object.
These objects will be further populated in later patches.
* CMakeLists.txt: Add TemporalObject and TemporalNow. Property lookup
table in TemporalObject.
* DerivedSources.make: Add TemporalObject property lookup table header.
* JavaScriptCore.xcodeproj/project.pbxproj: Add new files.
* Sources.txt: Add TemporalObject and TemporalNow.
* runtime/CommonIdentifiers.h: Add 'Temporal' property key.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init): Create the Temporal global if the feature
flag is enabled.
* runtime/OptionsList.h: Add useTemporal feature flag.
* runtime/TemporalNow.cpp: Added.
(JSC::TemporalNow::TemporalNow):
(JSC::TemporalNow::create):
(JSC::TemporalNow::createStructure):
(JSC::TemporalNow::finishCreation):
* runtime/TemporalNow.h: Added.
* runtime/TemporalObject.cpp: Added.
(JSC::createNowObject):
(JSC::TemporalObject::TemporalObject):
(JSC::TemporalObject::create):
(JSC::TemporalObject::createStructure):
(JSC::TemporalObject::finishCreation):
* runtime/TemporalObject.h: Added.
2021-07-06 Yijia Huang <yijia_huang@apple.com>
Fix type error in testb3
https://bugs.webkit.org/show_bug.cgi?id=227722
Reviewed by Mark Lam.
Fix type error in testb3. Shift amount should be 32-bit constant.
* b3/testb3_3.cpp:
(testInsertSignedBitfieldInZero64):
(testExtractSignedBitfield64):
2021-07-05 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Optimize Object.assign and putDirectInternal
https://bugs.webkit.org/show_bug.cgi?id=227677
Reviewed by Filip Pizlo.
This patch improves Object.assign performance (and this requires putDirectInternal improvement).
1. Object.assign is handled by DFG / FTL as ObjectAssign node
2. We found that putDirectInternal is suboptimal. This patch removes several bottlenecks. They are super critical from the measurement of
microbenchmarks.
2.1. Creating and destroying DeferredStructureTransitionWatchpointFire is not free. We should do that only when we need it.
2.2. Before r277620, we are checking m_replacementWatchpointSets's nullptr and that was fast. But after that, we are always
calling HashMap::get, and it is not inlined. This means that if we have StructureRareData, we are always calling HashMap::get
even though there is no m_replacementWatchpointSets set. This patch adds HashMap::isNullStorage to avoid this call by inlinely
check this via `LIKELY(m_replacementWatchpointSets.isNullStorage())`.
2.3. Structure::addPropertyTransitionToExistingStructure has very cheap fast path and we must inline them to get performance benefit
for major single-transition case.
Added microbenchmarks show significant performance improvements. And Speedometer2 shows 0.6 - 1.0% improvement.
ToT Patched
object-assign-transition 105.2539+-0.2970 ^ 88.8046+-0.2029 ^ definitely 1.1852x faster
object-assign-replace 116.1568+-0.0905 ^ 75.0673+-0.0658 ^ definitely 1.5474x faster
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/Watchpoint.cpp:
(JSC::DeferredWatchpointFire::fireAllSlow):
(JSC::DeferredWatchpointFire::DeferredWatchpointFire): Deleted.
(JSC::DeferredWatchpointFire::~DeferredWatchpointFire): Deleted.
(JSC::DeferredWatchpointFire::fireAll): Deleted.
* bytecode/Watchpoint.h:
(JSC::DeferredWatchpointFire::DeferredWatchpointFire):
(JSC::DeferredWatchpointFire::fireAll):
(JSC::FireDetail::FireDetail): Deleted.
(JSC::FireDetail::~FireDetail): Deleted.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileObjectAssign):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileObjectAssign):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSObject.cpp:
(JSC::JSObject::deleteProperty):
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectInternal):
* runtime/ObjectConstructor.cpp:
(JSC::objectAssignGeneric):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/ObjectConstructor.h:
* runtime/ObjectConstructorInlines.h: Added.
(JSC::canPerformFastPropertyEnumerationForObjectAssign):
* runtime/Structure.cpp:
(JSC::StructureTransitionTable::singleTransition const): Deleted.
(JSC::StructureTransitionTable::get const): Deleted.
(JSC::Structure::addPropertyTransitionToExistingStructureImpl): Deleted.
(JSC::Structure::addPropertyTransitionToExistingStructure): Deleted.
(JSC::Structure::addPropertyTransitionToExistingStructureConcurrently): Deleted.
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::didReplaceProperty):
(JSC::Structure::propertyReplacementWatchpointSet):
(JSC::Structure::addPropertyTransitionToExistingStructureImpl):
(JSC::Structure::addPropertyTransitionToExistingStructure):
(JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
(JSC::StructureTransitionTable::singleTransition const):
(JSC::StructureTransitionTable::get const):
2021-07-06 Yijia Huang <yijia_huang@apple.com>
Fix instruction check failure of UBFX and SBFIZ in testb3 due to the speculative fix in bug 227554
https://bugs.webkit.org/show_bug.cgi?id=227563
Reviewed by Filip Pizlo.
This patch includes two modifications to resolve rdar://79978150:
1. Fix the bug caused by the patch introducing BFI.
2. Discard the corresponding speculative fix in https://bugs.webkit.org/show_bug.cgi?id=227554.
The previous patch, added bit field insert (BFI) to AIR opcode, causes the Gmail page
hanging issue on Safari. The root cause is the incorrect definition of register role in
BFI's AIR opcode. Since BFI inserts a bit field at the low end of the destination register
while keeping the high bit unchanged, the destination register should have both roles of
use and define simultaneously, which is not (missing use) in the previous patch.
This will result in the loss of preserving the value of the destination register,
which does happen when browsing the Gmail page on Safari.
// B3 IR snippets from Gmail
Int32 b@23 = Add(b@104, b@111, D@100)
...
Int32 b@55 = Const32(65535, D@50)
Int32 b@137 = BitAnd(b@118, $65535(b@55), D@160)
Int32 b@168 = Const32(16, D@40)
Int32 b@141 = Shl(b@137, $16(b@168), D@163)
Int32 b@143 = BitAnd(b@23, $65535(b@55), D@166)
Int32 b@144 = BitOr(b@141, b@143, D@169)
The pattern of BFI is d = ((n & mask1) << lsb) | (d & mask2). So, it is obvious that
BFI can be utilized in b@144 where the d is b@23.
// Incorrect AIR opcode of BFI
arm64: InsertBitField32 U:G:32, U:G:32, U:G:32, ZD:G:32
Tmp, Imm, Imm, Tmp
// Air w/o use role
Add32 %x3, %x7, %x7, b@23
...
InsertBitField32 %x3, $16, $16, %x4, b@144
// Generated code w/o use role
add w7, w3, w7
...
bfi w4, w3, #16, #16
In Air, the added value is stored in the w7. But the value is not preserved after
lowering with BFI. To fix this, the use role should be enabled for the destination
register.
// Correnct AIR opcode of BFI
arm64: InsertBitField32 U:G:32, U:G:32, U:G:32, UZD:G:32
Tmp, Imm, Imm, Tmp
// Air w/ use role
Add32 %x3, %x7, %x7, b@23
...
Move32 %x7, %x4, b@144
InsertBitField32 %x3, $16, $16, %x4, b@144
// Generated code w/ use role
add w7, w3, w7
...
ubfx x4, x7, #0, #32
bfi w4, w3, #16, #16
In addition, BFXIL, which has pattern d = ((n >> lsb) & mask1) | (d & mask2), also needs
the similar update.
* b3/B3LowerToAir.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3_2.cpp:
(testInsertBitField32):
(testInsertBitField64):
(testExtractInsertBitfieldAtLowEnd32):
(testExtractInsertBitfieldAtLowEnd64):
* runtime/OptionsList.h:
2021-07-04 Robin Morisset <rmorisset@apple.com>
ActiveScratchBufferScope should take the buffer as argument
https://bugs.webkit.org/show_bug.cgi?id=227670
rdar://80011612
Reviewed by Mark Lam.
https://bugs.webkit.org/show_bug.cgi?id=227013 created ActiveScratchBufferScope.
It is used by operations that can cause the GC to run, to mark as roots the contents of the scratch buffer that is live during that time (if any).
The bug is that it simply asks the VM for a scratch buffer of the right size, but this will always return the last scratch buffer, and not necessarily the one that the operation is actually using.
A fairly simple fix is to pass it directly the scratch buffer, since the operation normally can get it easily enough.
In most cases the operation has access to the m_buffer field of the ScratchBuffer, but getting a pointer to the entire structure from that is fairly simple (I added ScratchBuffer::fromData() to do so).
* dfg/DFGOSRExit.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGOSRExit.h:
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewArray):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::haveABadTime):
* runtime/VM.h:
(JSC::ScratchBuffer::fromData):
* runtime/VMInlines.h:
(JSC::ActiveScratchBufferScope::ActiveScratchBufferScope):
(JSC::ActiveScratchBufferScope::~ActiveScratchBufferScope):
2021-07-04 Alexey Shvayka <shvaikalesh@gmail.com>
[WebIDL] Simplify generation of runtime conditionally read-write attributes
https://bugs.webkit.org/show_bug.cgi?id=227672
Reviewed by Sam Weinig.
* runtime/Lookup.h:
(JSC::HashTableValue::makeReadOnlyCopy const):
2021-07-03 Alexey Shvayka <shvaikalesh@gmail.com>
[WebIDL] Rework runtime enabled properties leveraging PropertyCallback
https://bugs.webkit.org/show_bug.cgi?id=227275
Reviewed by Saam Barati.
To make the implementation of WebIDL runtime enabled properties independent of eager
property reification, this change:
1. Introduces IsLazyPropertyEnabledCallback, which is needed separately from existing
value callback to maintain the invariant that reifyStaticProperty() always puts a
property, and to keep enumeration fast.
Calling disableCaching() isn't enough to achieve correct [[Get]] inline caching,
so isTaintedByOpaqueObject() is leveraged to prohibit caching of runtime disabled
properties, just like in operationTryGetByIdOptimize().
The only case that might seem weird is runtime disabled properties, which were
enabled after all static properties were reified via [[Delete]], are not appearing.
It's fixable, yet there is currently no demand for it.
2. Adds support for LazyPropertyCallback returning GetterSetter / CustomGetterSetter,
ensuring correct structure flags and slot initialization. Previously, the callback
was used to init only objects and constructors, using putDirect() unconditionally.
To avoid mixing other non-basic attributes with PropertyCallback, which would require
hoisting of checks against PropertyCallback and complicating attribute validation in
HashTableValue methods, this patch checks the type of callback's return value instead.
In the future, sticking to this approach will make returning CustomValue impossible
as it can't be distinguished from CustomAccessor. That's fine because all present
CustomValue usages merely do lazy init, which PropertyCallback is better suited for.
Also, this patch:
3. Expands setUpStaticFunctionSlot() to handle constant integers so the code using
`Node.ELEMENT_NODE` & friends doesn't regress (proven by attached microbenchmark).
4. Removes extra checks from setUpStaticPropertySlot(), which is called only on
non-reified properties.
5. Removes invariant that DOMJITAttribute property is read-only, which was broken
by `document.body` having a non-JIT custom setter. This aligns non-reified
properties with structure ones.
* jit/Repatch.cpp:
(JSC::tryCacheGetBy):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setupGetByIdPrototypeCache):
* runtime/HasOwnPropertyCache.h:
(JSC::HasOwnPropertyCache::tryAdd):
* runtime/JSObject.cpp:
(JSC::lookupPropertyForPut):
(JSC::JSObject::putInlineSlow):
(JSC::JSObject::reifyAllStaticProperties):
* runtime/JSObject.h:
(JSC::JSObject::getOwnNonIndexPropertySlot):
(JSC::JSObject::fillStructurePropertySlot):
* runtime/JSObjectInlines.h:
(JSC::JSObject::getNonReifiedStaticPropertyNames):
* runtime/Lookup.cpp:
(JSC::setUpStaticPropertySlot):
(JSC::setUpStaticFunctionSlot): Deleted.
* runtime/Lookup.h:
(JSC::HashTableValue::isLazyPropertyEnabled const):
(JSC::getStaticPropertySlotFromTable):
(JSC::reifyStaticProperty):
(JSC::reifyStaticProperties):
* tools/JSDollarVM.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSDollarVM::finishCreation):
2021-07-02 Keith Miller <keith_miller@apple.com>
Add 10 more unified source cpp files for JSC
https://bugs.webkit.org/show_bug.cgi?id=227643
Reviewed by Alex Christensen.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Scripts/generate-unified-sources.sh:
* UnifiedSources-output.xcfilelist:
2021-07-02 Philippe Normand <pnormand@igalia.com>
[GTK] Add new revision variable in pkgconfig file
https://bugs.webkit.org/show_bug.cgi?id=227629
Reviewed by Michael Catanzaro.
* javascriptcoregtk.pc.in: Include SVN_REVISION as revision variable, useful for apps to
know on which upstream SVN revision their WebKitGTK-based app is built on.
2021-07-01 Yijia Huang <yijia_huang@apple.com>
Remove unnecessary canBeInternal invocations to mitigate the cost of potential unmatched patterns in B3LowerToAir
https://bugs.webkit.org/show_bug.cgi?id=227508
Reviewed by Filip Pizlo.
The bit pattern doesn't cause worse code generation in the all-internals-are-captured
case. So, they don't need canBeInternal checks which might terminate potential matched
scenarios.
The equivalent pattern of SBFIZ is ((src << amount) >> amount) << lsb. Given the code:
a = x << C
b = a >> C
c = b << D
print(a)
print(b)
print(c)
The pattern won't match because of !canBeInternal for a and b (useCounts > 1).
So, this would emit three separate instructions. But if we removed canBeInternal,
it would still be just three separate instructions, and they wouldn't be any more
expensive. Suppose the print(b) is removed, above. Then, with the canBeInternal check,
it is emitting three instructions. Without the canBeInternal check, it would emit only
two (x << C and SBFIZ to compute c). And that would be less expensive.
* b3/B3LowerToAir.cpp:
2021-07-01 Yijia Huang <yijia_huang@apple.com>
Add a new pattern to instruction selector to use EXTR supported by ARM64
https://bugs.webkit.org/show_bug.cgi?id=227171
Reviewed by Robin Morisset.
This patch includes two modifications:
1. Introduce a strength reduction rule to zero extend bitfield.
2. Add Extract Register (EXTR) to Air opcode to serve instruction selector.
-------------------------------------------------------
### Part A zero extend bitfield ###
-------------------------------------------------------
A new strength reduction rule is added for the canonical form of the zero-extend
bitfield.
Turn this: ZShr(Shl(value, amount)), amount)
Into this: BitAnd(value, mask)
with constraints:
1. 0 <= amount < datasize
2. width = datasize - amount
3. mask is !(mask & (mask + 1)) where bitCount(mask) == width
-------------------
### Part B EXTR ###
-------------------
Given instruction:
extr Rd, Rn, Rm, lowWidth
Extract register (EXTR) extracts a register from a pair of registers, where
concat = Rn:Rm and Rd = concat<lowWidth + datasize - 1:lowWidth>.
The equivalent pattern of this instruction is:
d = ((n & mask) << highWidth) | (m >> lowWidth)
highWidth = datasize - lowWidth
mask = (1 << lowWidth) - 1
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = ArgumentReg(%x1)
Int @2 = mask
Int @3 = BitAnd(@0, @2)
Int @4 = highWidth
Int @5 = Shl(@3, @4)
Int @6 = lowWidth
Int @7 = ZShr(@1, @6)
Int @8 = BitOr(@7, @5)
Void@9 = Return(@10, Terminal)
Before Adding BIC:
// Old optimized AIR
InsertUnsignedBitfieldInZero %x0, highWidth, lowWidth, %x0, @5
Urshift %x1, lowWidth, %x1, @7
Or %x0, %x1, %x0, @8
Ret %x0, @9
After Adding BIC:
// New optimized AIR
ExtractRegister %x0, %x1, lowWidth, %x0, @8
Ret %x0, @9
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::extractRegister32):
(JSC::MacroAssemblerARM64::extractRegister64):
* assembler/testmasm.cpp:
(JSC::testExtractRegister32):
(JSC::testExtractRegister64):
* b3/B3LowerToAir.cpp:
* b3/B3ReduceStrength.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testBitfieldZeroExtend32):
(testBitfieldZeroExtend64):
(testExtractRegister32):
(testExtractRegister64):
(addBitTests):
2021-06-30 Saam Barati <sbarati@apple.com>
Turn off data ICs by default
https://bugs.webkit.org/show_bug.cgi?id=227334
<rdar://problem/79802812>
Reviewed by Yusuke Suzuki.
There are GC crashes that are caused by access data IC sharing. This
patch is both turning off data IC sharing by default, and turning off data
ICs by default.
We should re-enable this once we figure out the issue:
https://bugs.webkit.org/show_bug.cgi?id=227551
Some of our testing modes are still running with data ICs on, so the code doesn't
bit rot. And a select few tests are running with data IC sharing on, for
similar reasons, even though we know it has issues. If those tests start
crashing, we'll just disable sharing completely until the issue is resolved.
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* runtime/OptionsList.h:
2021-06-30 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Stop generating default parameter code if class constructor is called without 'new'
https://bugs.webkit.org/show_bug.cgi?id=227547
rdar://78821453
Reviewed by Mark Lam.
We already do not generate body bytecode when class constructor is called without 'new' because many features including "super()" assume
that they generate bytecode only when it is called as a constructor. But we are not doing that for default parameters' bytecode generation.
This patch stops generating bytecode for default parameters if class constructor is called without 'new'.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::BytecodeGenerator):
* runtime/ConstructorKind.h:
2021-06-30 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Private names should be handled by usedVariables mechanism
https://bugs.webkit.org/show_bug.cgi?id=227476
rdar://76049469
Reviewed by Saam Barati.
Private name handling in the current parser has many problems.
1. The parser backtracks when it sees destructuring assignment, arrow function etc. In that case, the discarded code
must not have any effect on the outside of that code. However, private name handling is annotating "used" of the
upper scopes, which is wrong.
2. In class expression, private name lookup intentionally skips the class-scope when parsing class heritage. But this
is not correct since CodeBlock will perform lookup on the normal scope chain and this will look into the class-scope
inconsistently. This means that we could encounter different private name at runtime. (it is tested in the added test).
3. We skip inner function parsing when it is parsed previously. At that case, we must preserve private name annotation,
but restored function information does not preserve that.
This patch changes how private name is handled.
1. We were anyway defining #XXX variables which holds private symbols. So we track "use" information by the mechanism used
for usual variables. We remove Used / Declared bits from PrivateNameEntry since they are not necessary at runtime, and
these information is handled / tracked in Parser's Scope. For backtracking, we already have a mechanism to roll-back
m_usedVariables, so using variable mechanism automatically fixes the problem.
2. We define class-head-scope separately from class-scope. class-heritage expression can see class name, but it cannot use
private names. Previously, our implementation attempted to achieve that by hacky way: skipping this class-scope for private
names only while parsing class-heritage. But this was wrong since it does not consider CodeBlock's linking phase as described
in the problem (2). Instead, we just define class-head-scope which holds class constructor name.
3. We clean up popScopeInternal to populate lexical-variables and function-stack. Previously, we are stealing them before popping
the scope when necessary, but this is a hack and a bit wrong since scope's popping operation needs to access these information
in some cases. Instead, popScopeInternal populates them after popping the scope.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::pushClassHeadLexicalScope):
(JSC::BytecodeGenerator::popClassHeadLexicalScope):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ClassExprNode::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createClassExpr):
(JSC::ASTBuilder::createBlockStatement):
(JSC::ASTBuilder::createForLoop):
(JSC::ASTBuilder::createForInLoop):
(JSC::ASTBuilder::createForOfLoop):
(JSC::ASTBuilder::createTryStatement):
(JSC::ASTBuilder::createSwitchStatement):
* parser/NodeConstructors.h:
(JSC::ForNode::ForNode):
(JSC::TryNode::TryNode):
(JSC::ClassExprNode::ClassExprNode):
(JSC::SwitchNode::SwitchNode):
(JSC::BlockNode::BlockNode):
(JSC::EnumerationNode::EnumerationNode):
(JSC::ForInNode::ForInNode):
(JSC::ForOfNode::ForOfNode):
* parser/Nodes.cpp:
(JSC::ScopeNode::ScopeNode):
(JSC::ProgramNode::ProgramNode):
(JSC::ModuleProgramNode::ModuleProgramNode):
(JSC::EvalNode::EvalNode):
(JSC::FunctionNode::FunctionNode):
(JSC::VariableEnvironmentNode::VariableEnvironmentNode):
* parser/Nodes.h:
(JSC::VariableEnvironmentNode::VariableEnvironmentNode): Deleted.
* parser/Parser.cpp:
(JSC::isPrivateFieldName):
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseForStatement):
(JSC::Parser<LexerType>::parseSwitchStatement):
(JSC::Parser<LexerType>::parseTryStatement):
(JSC::Parser<LexerType>::parseBlockStatement):
(JSC::Parser<LexerType>::parseFunctionDeclarationStatement):
(JSC::Parser<LexerType>::parseFunctionInfo):
(JSC::Parser<LexerType>::parseClass):
(JSC::Parser<LexerType>::parseBinaryExpression):
(JSC::Parser<LexerType>::parseMemberExpression):
(JSC::Parser<LexerType>::usePrivateName): Deleted.
* parser/Parser.h:
(JSC::Scope::finalizeLexicalEnvironment):
(JSC::Scope::takeLexicalEnvironment):
(JSC::Scope::takeDeclaredVariables):
(JSC::Scope::takeFunctionDeclarations):
(JSC::Scope::forEachUsedVariable):
(JSC::Scope::usePrivateName):
(JSC::Scope::currentUsedVariablesSize):
(JSC::Parser::popScopeInternal):
(JSC::Parser::popScope):
(JSC::Parser<LexerType>::parse):
(JSC::Scope::copyUndeclaredPrivateNamesTo): Deleted.
(JSC::Scope::hasUsedButUndeclaredPrivateNames const): Deleted.
(JSC::Parser::privateNameScope): Deleted.
(JSC::Parser::copyUndeclaredPrivateNamesToOuterScope): Deleted.
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createClassExpr):
(JSC::SyntaxChecker::createBlockStatement):
(JSC::SyntaxChecker::createForLoop):
(JSC::SyntaxChecker::createForInLoop):
(JSC::SyntaxChecker::createForOfLoop):
(JSC::SyntaxChecker::createTryStatement):
(JSC::SyntaxChecker::createSwitchStatement):
* parser/VariableEnvironment.cpp:
(JSC::VariableEnvironmentEntry::dump const):
(JSC::VariableEnvironment::declarePrivateField):
(JSC::VariableEnvironment::declarePrivateAccessor):
(JSC::VariableEnvironment::declarePrivateMethod):
(JSC::VariableEnvironment::dump const):
* parser/VariableEnvironment.h:
(JSC::VariableEnvironment::declarePrivateField):
(JSC::VariableEnvironment::privateNameEnvironment):
(JSC::VariableEnvironment::addPrivateNamesFrom):
(JSC::PrivateNameEntry::isUsed const): Deleted.
(JSC::PrivateNameEntry::isDeclared const): Deleted.
(JSC::PrivateNameEntry::setIsUsed): Deleted.
(JSC::PrivateNameEntry::setIsDeclared): Deleted.
(JSC::VariableEnvironment::usePrivateName): Deleted.
(JSC::VariableEnvironment::copyPrivateNamesTo const): Deleted.
(JSC::VariableEnvironment::copyUndeclaredPrivateNamesTo const): Deleted.
2021-06-30 Mark Lam <mark.lam@apple.com>
ARM64: Disable selection of BFI instruction variants by default.
https://bugs.webkit.org/show_bug.cgi?id=227554
rdar://79978150
Reviewed by Saam Barati.
We suspect that this may have caused some hangs. Disabling while we investigate.
* b3/B3LowerToAir.cpp:
* b3/testb3_2.cpp:
(testInsertBitField32):
(testInsertBitField64):
* runtime/OptionsList.h:
2021-06-29 Joonghun Park <jh718.park@samsung.com>
Remove "function declared ‘static’ but never defined" build warnings since r278971.
https://bugs.webkit.org/show_bug.cgi?id=227436
This patch removes the build warnings below.
warning: ‘bool JSC::cannotBeIdentPartOrEscapeStart(LChar)’ declared ‘static’ but never defined [-Wunused-function]
Reviewed by Michael Catanzaro.
* runtime/LiteralParser.cpp: Add definitions for cannotBeIdentPartOrEscapeStart.
(JSC::cannotBeIdentPartOrEscapeStart):
2021-06-29 Yijia Huang <yijia_huang@apple.com>
Add a new pattern to instruction selector to use SBX and SBFIZ supported by ARM64
https://bugs.webkit.org/show_bug.cgi?id=227203
Reviewed by Filip Pizlo.
This patch includes two modifications:
1. Introduce a strength reduction rule for sign extending bitfield.
2. Add Signed Bitfield Extract (SBFX) and Signed Bitfield Insert
in Zero (SBFIZ) to Air opcode to serve instruction selector.
-------------------------------------------------------
### Part A Sign extending from a variable bit-width ###
-------------------------------------------------------
According to Bit Twiddling Hacks, there are two ways to sign extend bitfield.
(https://graphics.stanford.edu/~seander/bithacks.html#VariableSignExtend)
int bf; // sign extend this width-bit number to bfsx
int width; // number of bits representing the number in bf
int bfsx; // resulting sign-extended number
Approach 1
mask1 = (1 << width) - 1
mask2 = 1 << (width - 1)
bf = bf & mask1 // zero bits in bf above position width
bfsx = (bf ^ mask2) - mask2
Approach 2
amount = CHAR_BIT * sizeof(bf) - width
bfsx = (bf << amount) >> amount
Then, a new strength reduction rule is introduced:
Turn this: ((bf & mask1) ^ mask2) - mask2
Into this: (bf << amount) >> amount
-------------------
### Part B SBFX ###
-------------------
Given instruction:
sbfx Rd, Rn, lsb, width
Signed Bitfield Extract (SBFX) extracts width number of adjacent bits at lsb position
from a register Rn, sign-extends them to the size of the register, and writes the
result to the destination register Rd.
The equivalent patterns of this instruction are:
Pattern 1:
bf = src >> lsb
dst = ((bf & mask1) ^ mask2) - mask2
mask1 = (1 << width) - 1
mask2 = 1 << (width - 1) // (mask2 << 1) - 1 = mask1
Pattern 2:
bf = src >> lsb
amount = CHAR_BIT * sizeof(bf) - width
dst = (bf << amount) >> amount
Then, (bf << amount) >> amount is selected as the canonical form with the strength reduction
rule introduced above.
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = lsb
Int @2 = amount
Int @3 = ZShr(@0, @1)
Int @4 = Shl(@3, @2)
Int @5 = SShr(@4, @2)
Void@6 = Return(@5, Terminal)
Before Adding BIC:
// Old optimized AIR
Urshift %x0, lsb, %x0, @3
Lshift %x0, amount, %x0, @4
Rshift %x0, amount, %x0, @5
Ret %x0, @6
After Adding BIC:
// New optimized AIR
ExtractSignedBitfield %x0, lsb, width, %x0, @5
Ret %x0, @6
--------------------
### Part B SBFIZ ###
--------------------
Given instruction:
sbfiz Rd, Rn, lsb, width
Signed Bitfield Insert in Zero (SBFIZ) zeroes the destination register Rd and copies
width number of contiguous bits from a source register Rn into lsb position in the
destination register, sign-extending the most significant bit of the transferred value.
The equivalent patterns of this instruction are:
Pattern 1:
bfsx = ((src & mask1) ^ mask2) - mask2
dst = bfsx << lsb
mask1 = (1 << width) - 1
mask2 = 1 << (width - 1) // (mask2 << 1) - 1 = mask1
Pattern 2:
amount = CHAR_BIT * sizeof(bf) - width
bfsx = (src << amount) >> amount
dst = bfsx << lsb
Then, ((src << amount) >> amount) << lsb is selected as the canonical form with the
strength reduction rule introduced above.
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = lsb
Int @2 = amount
Int @3 = Shl(@0, @2)
Int @4 = SShr(@3, @2)
Int @5 = Shl(@4, @1)
Void@6 = Return(@5, Terminal)
Before Adding BIC:
// Old optimized AIR
Lshift %x0, amount, %x0, @3
Rshift %x0, amount, %x0, @4
Lshift %x0, lsb, %x0, @5
Ret %x0, @6
After Adding BIC:
// New optimized AIR
InsertSignedBitfieldInZero %x0, lsb, width, %x0, @5
Ret %x0, @6
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::insertSignedBitfieldInZero32):
(JSC::MacroAssemblerARM64::insertSignedBitfieldInZero64):
(JSC::MacroAssemblerARM64::extractSignedBitfield32):
(JSC::MacroAssemblerARM64::extractSignedBitfield64):
* assembler/testmasm.cpp:
(JSC::testInsertSignedBitfieldInZero32):
(JSC::testInsertSignedBitfieldInZero64):
(JSC::testExtractSignedBitfield32):
(JSC::testExtractSignedBitfield64):
* b3/B3LowerToAir.cpp:
* b3/B3ReduceStrength.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(addBitTests):
* b3/testb3_3.cpp:
(testInsertSignedBitfieldInZero32):
(testInsertSignedBitfieldInZero64):
(testExtractSignedBitfield32):
(testExtractSignedBitfield64):
2021-06-28 Yijia Huang <yijia_huang@apple.com>
Add a new pattern to instruction selector to use BIC supported by ARM64
https://bugs.webkit.org/show_bug.cgi?id=227202
Reviewed by Filip Pizlo.
This patch includes three modifications:
1. Add bit clear (BIC), or not (ORN), and extract and insert bitfield at the
lower end (BFXIL) to Air opcode to serve instruction selector.
2. Add bitfield clear (BFC) to MacroAssembler.
4. Do refactoring - rename Air opcodes added in the previous patches.
------------------
### Part A BIC ###
------------------
Given the operation:
bic Rd, Rn, Rm
The BIC (Bit Clear) instruction performs an AND operation on the bits in Rn with the
complements of the corresponding bits in the value of Rm. The instruction selector can
utilize this to lowering certain patterns in B3 IR before further Air optimization.
The equivalent patterns of this instruction are:
Pattern 1:
d = n & (-m - 1)
Pattern 2:
d = n & (m ^ -1)
In order to get benefits for complement operation, the current instruction selector uses
mvn instruction to lower the pattern value ^ -1. Then, a new strength reduction rule is
introduced:
Turn this: -value - 1
Into this: value ^ -1
So, d = n & (m ^ -1) is selected as the canonical form.
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = ArgumentReg(%x1)
Int @2 = -1
Int @3 = BitXor(@1, @2)
Int @4 = BitAnd(@0, @3)
Void@5 = Return(@4, Terminal)
Before Adding BIC:
// Old optimized AIR
Not %x1, %x1, @3
And %x0, %x1, %x0, @4
Ret %x0, @5
After Adding BIC:
// New optimized AIR
Bic %x0, %x1, %x0, @4
Ret %x0, @5
------------------
### Part A ORN ###
------------------
Given the operation:
orn Rd, Rn, Rm
Bitwise OR NOT (shifted register) performs a bitwise (inclusive) OR of a register value
Rn and the complement of an optionally-shifted register value Rm, and writes the result
to the destination register Rd.
The equivalent patterns of this instruction are:
Pattern 1:
d = n | (-m - 1)
Pattern 2:
d = n | (m ^ -1)
Then, d = n | (m ^ -1) is selected as the canonical form.
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = ArgumentReg(%x1)
Int @2 = -1
Int @3 = BitXor(@1, @2)
Int @4 = BitOr(@0, @3)
Void@5 = Return(@4, Terminal)
Before Adding BIC:
// Old optimized AIR
Not %x1, %x1, @3
Or %x0, %x1, %x0, @4
Ret %x0, @5
After Adding BIC:
// New optimized AIR
Orn %x0, %x1, %x0, @4
Ret %x0, @5
--------------------
### Part A BFXIL ###
--------------------
Given the operation:
bfxil Rd, Rn, lsb, width
Bitfield extract and insert at low end(BFXIL) copies any number of low-order bits
from a source register into the same number of adjacent bits at the low end in
the destination register, leaving other bits unchanged.
The equivalent patterns of this instruction are:
Pattern 1:
mask1 = (1 << width) - 1
mask2 = ~mask1
((n >> lsb) & mask1) | (d & mask2)
Pattern 2:
mask1 = ((1 << width) - 1) << lsb
mask2 = ~(mask1 >> lsb)
((n & mask1) >> lsb) | (d & mask2)
Then, introduce a strength reduction rule for easier recognization.
Turn this: (v & maskShift) >> shiftAmount
Into this: (v >> shiftAmount) & mask
with constraints:
1. maskShift = mask << lsb
2. mask = (1 << width) - 1
3. 0 <= shiftAmount < datasize
4. 0 < width < datasize
5. shiftAmount + width <= datasize
The canonical form to match BFXIL is d = ((n >> lsb) & mask1) | (d & mask2).
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = ArgumentReg(%x1)
Int @2 = lsb
Int @3 = mask1
Int @4 = mask2
Int @5 = BitAnd(@1, @3)
Int @6 = BitAnd(@0, @4))
Int @7 = ZShr(@5, @2)
Int @8 = BitOr(@7, @6)
Void@9 = Return(@8, Terminal)
Before Adding BIC:
// Old optimized AIR
And mask2, %x0, %x0, @6
ExtractUnsignedBitfield %x1, lsb, width, %x1, @7
Or %x0, %x1, %x0, @8
Ret %x0, @9
After Adding BIC:
// New optimized AIR
ExtractInsertBitfieldAtLowEnd %x1, lsb, width, %x0, @8
Ret64 %x0, @9
--------------
### Part B ###
--------------
The Bitfield Clear (BFC), leaving other bits unchanged, is similar to BFI which is an
alias of BFM. Given the operation:
bfc Rd, lsb, width
The equivalent pattern of this instruction is:
mask = ((1 << width) - 1) << lsb
d = d & ~mask
Since mask is a constant and B3 performs constant fold in the optimization phase, this
pattern will directly lower to the BitAnd binary operation. So, no need to match this pattern.
--------------
### Part C ###
--------------
At MacroAssembler level, the emitters are exepected to be expressed in english
(e.g. something like clearBitField for BFC). Do refactoring to rename Air opcode for
UBFX, UBFIZ, BFI, and BIC.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::bfc):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::extractUnsignedBitfield32):
(JSC::MacroAssemblerARM64::extractUnsignedBitfield64):
(JSC::MacroAssemblerARM64::insertUnsignedBitfieldInZero32):
(JSC::MacroAssemblerARM64::insertUnsignedBitfieldInZero64):
(JSC::MacroAssemblerARM64::insertBitField32):
(JSC::MacroAssemblerARM64::insertBitField64):
(JSC::MacroAssemblerARM64::clearBitField32):
(JSC::MacroAssemblerARM64::clearBitField64):
(JSC::MacroAssemblerARM64::clearBitsWithMask32):
(JSC::MacroAssemblerARM64::clearBitsWithMask64):
(JSC::MacroAssemblerARM64::orNot32):
(JSC::MacroAssemblerARM64::orNot64):
(JSC::MacroAssemblerARM64::ubfx32): Deleted.
(JSC::MacroAssemblerARM64::ubfx64): Deleted.
(JSC::MacroAssemblerARM64::ubfiz32): Deleted.
(JSC::MacroAssemblerARM64::ubfiz64): Deleted.
(JSC::MacroAssemblerARM64::bitFieldInsert32): Deleted.
(JSC::MacroAssemblerARM64::bitFieldInsert64): Deleted.
* assembler/testmasm.cpp:
(JSC::testMultiplySignExtend32):
(JSC::testMultiplySubSignExtend32):
(JSC::testExtractUnsignedBitfield32):
(JSC::testExtractUnsignedBitfield64):
(JSC::testInsertUnsignedBitfieldInZero32):
(JSC::testInsertUnsignedBitfieldInZero64):
(JSC::testInsertBitField32):
(JSC::testInsertBitField64):
(JSC::testClearBitField32):
(JSC::testClearBitField64):
(JSC::testClearBitsWithMask32):
(JSC::testClearBitsWithMask64):
(JSC::testOrNot32):
(JSC::testOrNot64):
(JSC::testMul32SignExtend): Deleted.
(JSC::testMulSubSignExtend32): Deleted.
(JSC::testUbfx32): Deleted.
(JSC::testUbfx64): Deleted.
(JSC::testUbfiz32): Deleted.
(JSC::testUbfiz64): Deleted.
(JSC::testBitFieldInsert32): Deleted.
(JSC::testBitFieldInsert64): Deleted.
* b3/B3LowerToAir.cpp:
* b3/B3ReduceStrength.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testInsertBitField32):
(testInsertBitField64):
(testBIC32):
(testBIC64):
(testOrNot32):
(testOrNot64):
(addBitTests):
(testBitFieldInsert32): Deleted.
(testBitFieldInsert64): Deleted.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::cageWithoutUntagging):
(JSC::AssemblyHelpers::cageConditionallyAndUntag):
2021-06-28 Mikhail R. Gadelha <mikhail@igalia.com>
Add LLInt fast path for less, lesseq, greater and greatereq
https://bugs.webkit.org/show_bug.cgi?id=226266
Reviewed by Tadeu Zagallo.
The motivation is to add fast path for integers and doubles
in LLInt, so we don't need to go to slow path for those cases.
This patch implements the less, lesseq, greater, greatereq
instruction for ARMv7, MIPS and CLoop.
Microbenchmarking results:
* x86_64: number-comparison-inline definitely 1.3520x faster
* ARMv7: number-comparison-inline definitely 1.3520x faster
JetStream2 results:
* x86_64 jit: 1.015 times better
* x86_64 no-jit: 1.018 times better
* ARMv7 no-jit: 1.004 times worse
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm.rb:
* offlineasm/cloop.rb:
* offlineasm/mips.rb:
2021-06-28 Mikhail R. Gadelha <mikhail@igalia.com>
Prevent sign-extended casts for 32 bits arch
https://bugs.webkit.org/show_bug.cgi?id=227170
Reviewed by Yusuke Suzuki.
In a number of places, addresses are reinterpreted as uint64, which can
lead to wrong addresses in 32 bits arch.
* assembler/testmasm.cpp:
(JSC::testBranchTruncateDoubleToInt32):
* disassembler/ARM64/A64DOpcode.h:
(JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
* runtime/JSCell.cpp:
(JSC::reportZappedCellAndCrash):
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
(JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
(JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
2021-06-25 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r279266.
https://bugs.webkit.org/show_bug.cgi?id=227402
Causes crash loop
Reverted changeset:
"Remove references to order files"
https://bugs.webkit.org/show_bug.cgi?id=227377
https://trac.webkit.org/changeset/279266
2021-06-24 Sihui Liu <sihui_liu@apple.com>
Remove references to order files
https://bugs.webkit.org/show_bug.cgi?id=227377
rdar://76070556
Reviewed by Mark Lam.
* Configurations/JavaScriptCore.xcconfig:
2021-06-24 Asumu Takikawa <asumu@igalia.com>
[WASM-Function-References] Add support for (ref null? $t) type constructor
https://bugs.webkit.org/show_bug.cgi?id=226296
Reviewed by Yusuke Suzuki.
Adds the `ref` type constructor from the typed function references proposal:
https://github.com/WebAssembly/function-references/blob/master/proposals/function-references/Overview.md
It's also required for the type imports and GC proposals as well. Ref types represent
references to any heap type (including existing funcref and externref) with a specified
nullability.
This requires a new isNullable flag in the type representation. This flag also enables
non-null externref and funcrefs, and hence this commit also adds the necessary checks
at Wasm/JS boundaries.
Non-null reference types also generally cannot be used as function locals.
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::gTypeIdx):
(JSC::Wasm::AirIRGenerator::tmpForType):
(JSC::Wasm::AirIRGenerator::emitCCall):
(JSC::Wasm::AirIRGenerator::moveOpForValueType):
(JSC::Wasm::AirIRGenerator::AirIRGenerator):
(JSC::Wasm::AirIRGenerator::addLocal):
(JSC::Wasm::AirIRGenerator::addConstant):
(JSC::Wasm::AirIRGenerator::addRefFunc):
* wasm/WasmCallingConvention.h:
(JSC::Wasm::WasmCallingConvention::marshallLocation const):
(JSC::Wasm::JSCallingConvention::marshallLocation const):
* wasm/WasmFormat.h:
(JSC::Wasm::isSubtype):
(JSC::Wasm::isValidHeapTypeKind):
(JSC::Wasm::isDefaultableType):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parse):
(JSC::Wasm::FunctionParser<Context>::parseAnnotatedSelectImmediates):
(JSC::Wasm::FunctionParser<Context>::checkBranchTarget):
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* wasm/WasmGlobal.cpp:
(JSC::Wasm::Global::get const):
(JSC::Wasm::Global::set):
* wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::callInformationForCaller):
(JSC::Wasm::LLIntGenerator::callInformationForCallee):
(JSC::Wasm::LLIntGenerator::addArguments):
* wasm/WasmParser.h:
(JSC::Wasm::Parser<SuccessType>::parseBlockSignature):
(JSC::Wasm::Parser<SuccessType>::parseValueType):
(JSC::Wasm::Parser<SuccessType>::parseRefType):
* wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseType):
(JSC::Wasm::SectionParser::parseElement):
(JSC::Wasm::SectionParser::parseInitExpr):
(JSC::Wasm::SectionParser::parseElementSegmentVectorOfExpressions):
(JSC::Wasm::SectionParser::parseGlobalType):
* wasm/WasmSignature.cpp:
(JSC::Wasm::computeHash):
* wasm/generateWasmOpsHeader.py:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):
* wasm/js/WebAssemblyFunctionBase.h:
(JSC::WebAssemblyFunctionBase::offsetOfSignatureIndex):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::linkImpl):
* wasm/wasm.json:
2021-06-24 Mark Lam <mark.lam@apple.com>
Use ldp and stp more for saving / restoring registers on ARM64.
https://bugs.webkit.org/show_bug.cgi?id=227039
rdar://79354736
Reviewed by Saam Barati.
This patch introduces a spooler abstraction in AssemblyHelpers. The spooler
basically batches up load / store operations and emit them as pair instructions
if appropriate.
There are 4 spooler classes:
a. Spooler
- template base class for LoadRegSpooler and StoreRegSpooler.
- encapsulates the batching strategy for load / store pairs.
b. LoadRegSpooler - specializes Spooler to handle load pairs.
b. StoreRegSpooler - specializes Spooler to handle store pairs.
d. CopySpooler
- handles matching loads with stores.
- tries to emit loads as load pairs if possible.
- tries to emot stores as store pairs if possible.
- ensures that pre-requisite loads are emitted before stores are emitted.
- other than loads, also support constants and registers as sources of values
to be stored. This is useful in OSR exit ramps where we may materialize a
stack value to store from constants or registers in addition to values we
load from the old stack frame or from a scratch buffer.
In this patch, we also do the following:
1. Use spoolers in many places so that we can emit load / store pairs instead of
single load / stores. This helps shrink JIT code side, and also potentially
improves performance.
2. In DFG::OSRExit::compileExit(), we used to recover constants into a scratch
buffer, and then later, load from that scratch buffer to store into the
new stack frame(s).
This patch changes it so that we defer constant recovery until the final
loop where we store the recovered value directly into the new stack frame(s).
This saves us the work (and JIT code space) for storing into a scratch buffer
and then reloading from the scratch buffer.
There is one exception: tmp values used by active checkpoints. We need to call
operationMaterializeOSRExitSideState() to materialize the active checkpoint
side state before the final loop where we now recover constants. Hence, we
need these tmp values recovered before hand.
So, we check upfront if we have active checkpoint side state to materialize.
If so, we'll eagerly recover the constants for initializing those tmps.
We also use the CopySpooler in the final loop to emit load / store pairs for
filling in the new stack frame(s).
One more thing: it turns out that the vast majority of constants to be recovered
is simply the undefined value. So, as an optimization, the final loop keeps
the undefined value in a register, and has the spooler store directly from
that register when appropriate. This saves on JIT code to repeatedly materialize
the undefined JSValue constant.
3. In reifyInlinedCallFrames(), replace the use of GPRInfo::nonArgGPR0 with
GPRInfo::regT4. nonArgGPRs are sometimes map to certain regTXs on certain ports.
Replacing with regT4 makes it easier to ensure that we're not trashing the
register when we use more temp registers.
reifyInlinedCallFrames() will be using emitSaveOrCopyLLIntBaselineCalleeSavesFor()
later where we need more temp registers.
4. Move the following functions to AssemblyHelpers.cpp. They don't need to be
inline functions. Speedometer2 and JetStream2 shows that making these non
inline does not hurt performance:
AssemblyHelpers::emitSave(const RegisterAtOffsetList&);
AssemblyHelpers::emitRestore(const RegisterAtOffsetList&);
AssemblyHelpers::emitSaveCalleeSavesFor(const RegisterAtOffsetList*);
AssemblyHelpers::emitSaveOrCopyCalleeSavesFor(...);
AssemblyHelpers::emitRestoreCalleeSavesFor(const RegisterAtOffsetList*);
AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer(...);
Also renamed emitSaveOrCopyCalleeSavesFor() to emitSaveOrCopyLLIntBaselineCalleeSavesFor()
because it is only used with baseline codeBlocks.
Results:
Cummulative LinkBuffer profile sizes shrunk by ~2M in aggregate:
base new
==== ===
BaselineJIT: 83827048 (79.943703 MB) => 83718736 (79.840408 MB)
DFG: 56594836 (53.973042 MB) => 56603508 (53.981312 MB)
InlineCache: 33923900 (32.352352 MB) => 33183156 (31.645924 MB)
FTL: 6770956 (6.457287 MB) => 6568964 (6.264652 MB)
DFGOSRExit: 5212096 (4.970642 MB) => 3728088 (3.555382 MB)
CSSJIT: 748428 (730.886719 KB) => 748428 (730.886719 KB)
FTLOSRExit: 692276 (676.050781 KB) => 656884 (641.488281 KB)
YarrJIT: 445280 (434.843750 KB) => 512988 (500.964844 KB)
FTLThunk: 22908 (22.371094 KB) => 22556 (22.027344 KB)
BoundFunctionThunk: 8400 (8.203125 KB) => 10088 (9.851562 KB)
ExtraCTIThunk: 6952 (6.789062 KB) => 6824 (6.664062 KB)
SpecializedThunk: 4508 (4.402344 KB) => 4508 (4.402344 KB)
Thunk: 3912 (3.820312 KB) => 3784 (3.695312 KB)
LLIntThunk: 2908 (2.839844 KB) => 2908 (2.839844 KB)
VirtualThunk: 1248 (1.218750 KB) => 1248 (1.218750 KB)
DFGThunk: 1084 (1.058594 KB) => 444
DFGOSREntry: 216 => 184
JumpIsland: 0
WasmThunk: 0
Wasm: 0
Uncategorized: 0
Total: 188266956 (179.545361 MB) => 185773296 (177.167221 MB)
Speedometer2 and JetStream2 results shows that performance is neutral for this
patch (as measured on an M1 Mac):
Speedometer2:
----------------------------------------------------------------------------------------------------------------------------------
| subtest | ms | ms | b / a | pValue (significance using False Discovery Rate) |
----------------------------------------------------------------------------------------------------------------------------------
| Elm-TodoMVC |129.037500 |127.212500 |0.985857 | 0.012706 |
| VueJS-TodoMVC |28.312500 |27.525000 |0.972185 | 0.240315 |
| EmberJS-TodoMVC |132.550000 |132.025000 |0.996039 | 0.538034 |
| Flight-TodoMVC |80.762500 |80.875000 |1.001393 | 0.914749 |
| BackboneJS-TodoMVC |51.637500 |51.175000 |0.991043 | 0.285427 |
| Preact-TodoMVC |21.025000 |22.075000 |1.049941 | 0.206140 |
| AngularJS-TodoMVC |142.900000 |142.887500 |0.999913 | 0.990681 |
| Inferno-TodoMVC |69.300000 |69.775000 |1.006854 | 0.505201 |
| Vanilla-ES2015-TodoMVC |71.500000 |71.225000 |0.996154 | 0.608650 |
| Angular2-TypeScript-TodoMVC |43.287500 |43.275000 |0.999711 | 0.987926 |
| VanillaJS-TodoMVC |57.212500 |57.812500 |1.010487 | 0.333357 |
| jQuery-TodoMVC |276.150000 |276.775000 |1.002263 | 0.614404 |
| EmberJS-Debug-TodoMVC |353.612500 |352.762500 |0.997596 | 0.518836 |
| React-TodoMVC |93.637500 |92.637500 |0.989321 | 0.036277 |
| React-Redux-TodoMVC |158.237500 |156.587500 |0.989573 | 0.042154 |
| Vanilla-ES2015-Babel-Webpack-TodoMVC |68.050000 |68.087500 |1.000551 | 0.897149 |
----------------------------------------------------------------------------------------------------------------------------------
a mean = 236.26950
b mean = 236.57964
pValue = 0.7830785938
(Bigger means are better.)
1.001 times better
Results ARE NOT significant
JetStream2:
-------------------------------------------------------------------------------------------------------------------------
| subtest | pts | pts | b / a | pValue (significance using False Discovery Rate) |
-------------------------------------------------------------------------------------------------------------------------
| gaussian-blur |542.570057 |542.671885 |1.000188 | 0.982573 |
| HashSet-wasm |57.710498 |64.406371 |1.116025 | 0.401424 |
| gcc-loops-wasm |44.516009 |44.453535 |0.998597 | 0.973651 |
| json-parse-inspector |241.275085 |240.720491 |0.997701 | 0.704732 |
| prepack-wtb |62.640114 |63.754878 |1.017796 | 0.205840 |
| date-format-xparb-SP |416.976817 |448.921409 |1.076610 | 0.052977 |
| WSL |1.555257 |1.570233 |1.009629 | 0.427924 |
| OfflineAssembler |177.052352 |179.746511 |1.015217 | 0.112114 |
| cdjs |192.517586 |194.598906 |1.010811 | 0.025807 |
| UniPoker |514.023694 |526.111500 |1.023516 | 0.269892 |
| json-stringify-inspector |227.584725 |223.619390 |0.982576 | 0.102714 |
| crypto-sha1-SP |980.728788 |984.192104 |1.003531 | 0.838618 |
| Basic |685.148483 |711.590247 |1.038593 | 0.142952 |
| chai-wtb |106.256376 |106.590318 |1.003143 | 0.865894 |
| crypto-aes-SP |722.308829 |728.702310 |1.008851 | 0.486766 |
| Babylon |655.857561 |654.204901 |0.997480 | 0.931520 |
| string-unpack-code-SP |407.837271 |405.710752 |0.994786 | 0.729122 |
| stanford-crypto-aes |456.906021 |449.993856 |0.984872 | 0.272994 |
| raytrace |883.911335 |902.887238 |1.021468 | 0.189785 |
| multi-inspector-code-load |409.997347 |405.643639 |0.989381 | 0.644447 |
| hash-map |593.590160 |601.576332 |1.013454 | 0.249414 |
| stanford-crypto-pbkdf2 |722.178638 |728.283532 |1.008453 | 0.661195 |
| coffeescript-wtb |42.393544 |41.869545 |0.987640 | 0.197441 |
| Box2D |452.034685 |454.104868 |1.004580 | 0.535342 |
| richards-wasm |140.873688 |148.394050 |1.053384 | 0.303651 |
| lebab-wtb |61.671318 |62.119403 |1.007266 | 0.620998 |
| tsf-wasm |108.592794 |119.498398 |1.100427 | 0.504710 |
| base64-SP |629.744643 |603.425565 |0.958207 | 0.049997 |
| navier-stokes |740.588523 |739.951662 |0.999140 | 0.871445 |
| jshint-wtb |51.938359 |52.651104 |1.013723 | 0.217137 |
| regex-dna-SP |459.251148 |463.492489 |1.009235 | 0.371891 |
| async-fs |235.853820 |236.031189 |1.000752 | 0.938459 |
| first-inspector-code-load |275.298325 |274.172125 |0.995909 | 0.623403 |
| segmentation |44.002842 |43.445960 |0.987344 | 0.207134 |
| typescript |26.360161 |26.458820 |1.003743 | 0.609942 |
| octane-code-load |1126.749036 |1087.132024 |0.964840 | 0.524171 |
| float-mm.c |16.691935 |16.721354 |1.001762 | 0.194425 |
| quicksort-wasm |461.630091 |450.161127 |0.975156 | 0.371394 |
| Air |392.442375 |412.201810 |1.050350 | 0.046887 |
| splay |510.111886 |475.131657 |0.931426 | 0.024732 |
| ai-astar |607.966974 |626.573181 |1.030604 | 0.468711 |
| acorn-wtb |67.510766 |68.143956 |1.009379 | 0.481663 |
| gbemu |144.133842 |145.620304 |1.010313 | 0.802154 |
| richards |963.475078 |946.658879 |0.982546 | 0.231189 |
| 3d-cube-SP |549.426784 |550.479154 |1.001915 | 0.831307 |
| espree-wtb |68.707483 |73.762202 |1.073569 | 0.033603 |
| bomb-workers |96.882596 |96.116121 |0.992089 | 0.687952 |
| tagcloud-SP |309.888767 |303.538511 |0.979508 | 0.187768 |
| mandreel |133.667031 |135.009929 |1.010047 | 0.075232 |
| 3d-raytrace-SP |491.967649 |492.528992 |1.001141 | 0.957842 |
| delta-blue |1066.718312 |1080.230772 |1.012667 | 0.549382 |
| ML |139.617293 |140.088630 |1.003376 | 0.661651 |
| regexp |351.773956 |351.075935 |0.998016 | 0.769250 |
| crypto |1510.474663 |1519.218842 |1.005789 | 0.638420 |
| crypto-md5-SP |795.447899 |774.082493 |0.973140 | 0.079728 |
| earley-boyer |812.574545 |870.678372 |1.071506 | 0.044081 |
| octane-zlib |25.162470 |25.660261 |1.019783 | 0.554591 |
| date-format-tofte-SP |395.296135 |398.008992 |1.006863 | 0.650475 |
| n-body-SP |1165.386611 |1150.525110 |0.987248 | 0.227908 |
| pdfjs |189.060252 |191.015628 |1.010343 | 0.633777 |
| FlightPlanner |908.426192 |903.636642 |0.994728 | 0.838821 |
| uglify-js-wtb |34.029399 |34.164342 |1.003965 | 0.655652 |
| babylon-wtb |81.329869 |80.855680 |0.994170 | 0.854393 |
| stanford-crypto-sha256 |826.850533 |838.494164 |1.014082 | 0.579636 |
-------------------------------------------------------------------------------------------------------------------------
a mean = 237.91084
b mean = 239.92670
pValue = 0.0657710897
(Bigger means are better.)
1.008 times better
Results ARE NOT significant
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::pushToSaveByteOffset):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::pushToSaveByteOffset):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator):
* ftl/FTLSaveRestore.cpp:
(JSC::FTL::saveAllRegisters):
(JSC::FTL::restoreAllRegisters):
* ftl/FTLSaveRestore.h:
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
(JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
(JSC::AssemblyHelpers::emitSave):
(JSC::AssemblyHelpers::emitRestore):
(JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
(JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
(JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
(JSC::AssemblyHelpers::emitSaveOrCopyLLIntBaselineCalleeSavesFor):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
(JSC::AssemblyHelpers::emitSave): Deleted.
(JSC::AssemblyHelpers::emitRestore): Deleted.
(JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor): Deleted.
* jit/AssemblyHelpersSpoolers.h: Added.
(JSC::AssemblyHelpers::Spooler::Spooler):
(JSC::AssemblyHelpers::Spooler::handleGPR):
(JSC::AssemblyHelpers::Spooler::finalizeGPR):
(JSC::AssemblyHelpers::Spooler::handleFPR):
(JSC::AssemblyHelpers::Spooler::finalizeFPR):
(JSC::AssemblyHelpers::Spooler::op):
(JSC::AssemblyHelpers::LoadRegSpooler::LoadRegSpooler):
(JSC::AssemblyHelpers::LoadRegSpooler::loadGPR):
(JSC::AssemblyHelpers::LoadRegSpooler::finalizeGPR):
(JSC::AssemblyHelpers::LoadRegSpooler::loadFPR):
(JSC::AssemblyHelpers::LoadRegSpooler::finalizeFPR):
(JSC::AssemblyHelpers::LoadRegSpooler::handlePair):
(JSC::AssemblyHelpers::LoadRegSpooler::handleSingle):
(JSC::AssemblyHelpers::StoreRegSpooler::StoreRegSpooler):
(JSC::AssemblyHelpers::StoreRegSpooler::storeGPR):
(JSC::AssemblyHelpers::StoreRegSpooler::finalizeGPR):
(JSC::AssemblyHelpers::StoreRegSpooler::storeFPR):
(JSC::AssemblyHelpers::StoreRegSpooler::finalizeFPR):
(JSC::AssemblyHelpers::StoreRegSpooler::handlePair):
(JSC::AssemblyHelpers::StoreRegSpooler::handleSingle):
(JSC::RegDispatch<GPRReg>::get):
(JSC::RegDispatch<GPRReg>::temp1):
(JSC::RegDispatch<GPRReg>::temp2):
(JSC::RegDispatch<GPRReg>::regToStore):
(JSC::RegDispatch<GPRReg>::invalid):
(JSC::RegDispatch<GPRReg>::regSize):
(JSC::RegDispatch<GPRReg>::isValidLoadPairImm):
(JSC::RegDispatch<GPRReg>::isValidStorePairImm):
(JSC::RegDispatch<FPRReg>::get):
(JSC::RegDispatch<FPRReg>::temp1):
(JSC::RegDispatch<FPRReg>::temp2):
(JSC::RegDispatch<FPRReg>::regToStore):
(JSC::RegDispatch<FPRReg>::invalid):
(JSC::RegDispatch<FPRReg>::regSize):
(JSC::RegDispatch<FPRReg>::isValidLoadPairImm):
(JSC::RegDispatch<FPRReg>::isValidStorePairImm):
(JSC::AssemblyHelpers::CopySpooler::Source::getReg):
(JSC::AssemblyHelpers::CopySpooler::CopySpooler):
(JSC::AssemblyHelpers::CopySpooler::temp1 const):
(JSC::AssemblyHelpers::CopySpooler::temp2 const):
(JSC::AssemblyHelpers::CopySpooler::regToStore):
(JSC::AssemblyHelpers::CopySpooler::invalid):
(JSC::AssemblyHelpers::CopySpooler::regSize):
(JSC::AssemblyHelpers::CopySpooler::isValidLoadPairImm):
(JSC::AssemblyHelpers::CopySpooler::isValidStorePairImm):
(JSC::AssemblyHelpers::CopySpooler::load):
(JSC::AssemblyHelpers::CopySpooler::move):
(JSC::AssemblyHelpers::CopySpooler::copy):
(JSC::AssemblyHelpers::CopySpooler::store):
(JSC::AssemblyHelpers::CopySpooler::flush):
(JSC::AssemblyHelpers::CopySpooler::loadGPR):
(JSC::AssemblyHelpers::CopySpooler::copyGPR):
(JSC::AssemblyHelpers::CopySpooler::moveConstant):
(JSC::AssemblyHelpers::CopySpooler::storeGPR):
(JSC::AssemblyHelpers::CopySpooler::finalizeGPR):
(JSC::AssemblyHelpers::CopySpooler::loadFPR):
(JSC::AssemblyHelpers::CopySpooler::copyFPR):
(JSC::AssemblyHelpers::CopySpooler::storeFPR):
(JSC::AssemblyHelpers::CopySpooler::finalizeFPR):
(JSC::AssemblyHelpers::CopySpooler::loadPair):
(JSC::AssemblyHelpers::CopySpooler::storePair):
* jit/ScratchRegisterAllocator.cpp:
(JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
(JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
(JSC::ScratchRegisterAllocator::preserveRegistersToStackForCall):
(JSC::ScratchRegisterAllocator::restoreRegistersFromStackForCall):
* jit/ScratchRegisterAllocator.h:
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::addReturn):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addReturn):
2021-06-24 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, build fix for ARM64
https://bugs.webkit.org/show_bug.cgi?id=227201
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::cageWithoutUntagging):
(JSC::AssemblyHelpers::cageConditionallyAndUntag):
2021-06-24 Yijia Huang <yijia_huang@apple.com>
Add a new pattern to instruction selector to utilize BFI supported by ARM64
https://bugs.webkit.org/show_bug.cgi?id=227201
Reviewed by Filip Pizlo.
Bitfield insert(BFI), leaving other bits unchanged. The instruction selector
can utilize this to lowering certain patterns in B3 IR before further Air
optimization. Given the operation:
bfi d, n, lsb, width
The equivalent pattern would be:
Pattern 1:
mask1 = ((1 << width) - 1) << lsb
mask2 = ~mask1
d = ((n << lsb) & mask1) | (d & mask2);
Pattern 2:
mask1 = (1 << width) - 1
mask2 = ~(mask1 << lsb)
d = ((n & mask1) << lsb) | (d & mask2)
Current optimizer already has the strength reduction rule:
Turn This: (n << lsb) & mask1)
Into This: (n & mask1) << lsb)
Then, d = ((n & mask1) << lsb) | (d & mask2) is the canonical form.
With constraints:
1. 0 <= lsb < datasize
2. 0 < width < datasize
3. lsb + width <= dataszie
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = ArgumentReg(%x1)
Int @2 = lsb
Int @3 = mask
Int @4 = BitAnd(@1, @3)
Int @5 = Shl(@4, @2)
Int @6 = BitOr(@0, @5)
Int @7 = Return(@6, Terminal)
Before Adding BFI:
// Old optimized AIR
And mask, %x1, %x1, @4
Lshift %x1, lsb, %x1, @5
Or %x1, %x0, %x0, @6
Ret %x0, @7
After Adding BFI:
// New optimized AIR
BitFieldInsert %x1, lsb, width, %x0, @6
Ret %x0, @7
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::bitFieldInsert32):
(JSC::MacroAssemblerARM64::bitFieldInsert64):
* assembler/testmasm.cpp:
(JSC::testUbfx32):
(JSC::testUbfx64):
(JSC::testUbfiz32):
(JSC::testUbfiz64):
(JSC::testBitFieldInsert32):
(JSC::testBitFieldInsert64):
* b3/B3LowerToAir.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testBitFieldInsert32):
(testBitFieldInsert64):
(addBitTests):
2021-06-24 Xan López <xan@igalia.com>
[JSC] Implement returnEarlyFromInfiniteLoopsForFuzzing for 32bits
https://bugs.webkit.org/show_bug.cgi?id=227290
Reviewed by Mark Lam.
Mostly a matter of changing the counter type to uintptr_t and
making the baseline/dfg/ftl code generation work on both 32 and
64bits, most of it can be shared with minor tweaks.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileLoopHint):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_loop_hint):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* runtime/VM.cpp:
(JSC::VM::addLoopHintExecutionCounter):
(JSC::VM::getLoopHintExecutionCounter):
* runtime/VM.h:
2021-06-23 Mark Lam <mark.lam@apple.com>
Base Options::useWebAssemblyFastMemory's default value on Gigacage::hasCapacityToUseLargeGigacage.
https://bugs.webkit.org/show_bug.cgi?id=227328
Reviewed by Saam Barati.
Gigacage::hasCapacityToUseLargeGigacage is determined based on EFFECTIVE_ADDRESS_WIDTH.
If we have enough address range to potentially use a large gigacage, then we have
enough address range to useWebAssemblyFastMemory.
* runtime/Options.cpp:
(JSC::canUseWebAssemblyFastMemory):
* runtime/OptionsList.h:
2021-06-23 Yijia Huang <yijia_huang@apple.com>
Add a new pattern to instruction selector to utilize UBFIZ supported by ARM64
https://bugs.webkit.org/show_bug.cgi?id=227204
Reviewed by Filip Pizlo.
This patch includes three parts:
A) Add UBFIZ to instruction selector.
B) Fix UBFX, introduced in https://bugs.webkit.org/show_bug.cgi?id=226984,
to match all patterns.
C) Fix error condition in one strength reduction rule introduced
in https://bugs.webkit.org/show_bug.cgi?id=227138.
Part A
Unsigned Bitfield Insert in Zero(UBFIZ), supported by ARM64, zeros the
destination register and copies any number of contiguous bits from a
source register into any position in the destination register. The
instruction selector can utilize this to lowering certain patterns in
B3 IR before further Air optimization.
Given the operation: ubfiz d, n, lsb, width
This is equivalent to "d = (n << lsb) & (((1 << width) - 1) << lsb)".
Since wasm introduces constant folding, then the matched patterns would be:
1.1 d = (n << lsb) & maskShift
1.2 d = maskShift & (n << lsb)
2.1 d = (n & mask) << lsb
2.2 d = (mask & n) << lsb
Where:
maskShift = mask << lsb
mask = (1 << width) - 1
To make the pattern matching in instruction selection beneficial to JIT, these
constraints should be introduced:
1. 0 <= lsb < datasize
2. 0 < width < datasize
3. lsb + width <= datasize
Choose (n & mask) << lsb as the canonical form and introduce a strength reduction.
Turn this: (n << lsb) & maskShift
Into this: (n & mask) << lsb
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = lsb
Int @2 = 0b0110
Int @3 = Shl(@0, @1)
Int @4 = BitAnd(@3, @2)
Void@5 = Return(@4, Terminal)
Before Adding UBFIZ Pattern:
// Old optimized AIR
Lshift %x0, $62, %x0, @3
And 0b0110, %x0, %x0, @4
Ret %x0, @5
After Adding UBFIZ Pattern:
// New optimized AIR
Ubfiz %x0, lsb, 2, %x0, @4
Ret %x0, @5
Part B
Fix UBFX to match both patterns:
dest = (src >> lsb) & mask
dest = mask & (src >> lsb)
Where:
1. mask = (1 << width) - 1
2. 0 <= lsb < datasize
3. 0 < width < datasize
4. lsb + width <= datasize
Part C
Fix one B3 strength reduction.
Turn this: (src >> shiftAmount) & mask
Into this: src >> shiftAmount
With updated constraints:
1. mask = (1 << width) - 1
2. 0 <= shiftAmount < datasize
3. 0 < width < datasize
4. shiftAmount + width >= datasize
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::ubfiz32):
(JSC::MacroAssemblerARM64::ubfiz64):
* assembler/testmasm.cpp:
(JSC::testUbfiz32):
(JSC::testUbfiz64):
* b3/B3LowerToAir.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testUbfx32ArgLeft):
(testUbfx32ArgRight):
(testUbfx64ArgLeft):
(testUbfx64ArgRight):
(testUbfiz32ArgLeft):
(testUbfiz32ArgRight):
(testUbfiz64ArgLeft):
(testUbfiz64ArgRight):
(addBitTests):
(testUbfx32): Deleted.
(testUbfx32PatternMatch): Deleted.
(testUbfx64): Deleted.
(testUbfx64PatternMatch): Deleted.
2021-06-23 Keith Miller <keith_miller@apple.com>
add/removeManagedReference:withOwner: should have autoreleasepools
https://bugs.webkit.org/show_bug.cgi?id=227308
Reviewed by Darin Adler.
Since these APIs create autoreleased objects as an implementation detail
but don't return any to the caller there's no indication such autoreleased
objects could be accumulating. Additionally, it's entirely reasonable to
call these methods in a loop an a large set of objects, which further
exacerbates the problem.
* API/JSVirtualMachine.mm:
(-[JSVirtualMachine addManagedReference:withOwner:]):
(-[JSVirtualMachine removeManagedReference:withOwner:]):
2021-06-23 Saam Barati <sbarati@apple.com>
Run lazy properties initializers under a DeferTerminationForAWhile scope
https://bugs.webkit.org/show_bug.cgi?id=227271
Reviewed by Mark Lam.
We don't expect that exceptions can be thrown when initializing
a lazy property. Termination exceptions were preventing this from
being true. The latest example found is inside JSModuleLoader when
it asserts that no exception is thrown when creating its JSMap field.
This patch makes it so termination exceptions can't be thrown when
running lazy property initializers.
* runtime/LazyPropertyInlines.h:
(JSC::ElementType>::initLater):
(JSC::ElementType>::callFunc):
2021-06-22 Yijia Huang <yijia_huang@apple.com>
Add a new pattern to instruction selector to utilize SMADDL supported by ARM64
https://bugs.webkit.org/show_bug.cgi?id=227188
Reviewed by Saam Barati.
Signed Multiply-Add Long(SMADDL), supported by ARM64, multiplies two 32-bit
register values, adds a 64-bit register value, and writes the result to the
64-bit destination register. The instruction selector can utilize this to
lowering certain patterns in B3 IR before further Air optimization.
Given the operation:
smaddl d, n, m, a
The equivalent patterns would be:
d = a + SExt32(n) * SExt32(m)
d = SExt32(n) * SExt32(m) + a
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = SExt32(Trunc(ArgumentReg(%x1)))
Int @2 = SExt32(Trunc(ArgumentReg(%x2)))
Int @3 = Mul(@1, @2)
Int @4 = Add(@0, @3)
Void@5 = Return(@4, Terminal)
Before Adding SMADDL:
// Old optimized AIR
SignExtend32ToPtr %x1, %x1, @1
SignExtend32ToPtr %x2, %x2, @2
MultiplyAdd64 %x1, %x2, %x0, %x0, @4
Ret64 %x0, @5
After Adding SMADDL:
// New optimized AIR
MultiplyAddSignExtend32 %x1, %x2, %x0, %x0, @8
Ret64 %x0, @9
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::multiplyAddSignExtend32):
* assembler/testmasm.cpp:
(JSC::testMultiplyAddSignExtend32Left):
(JSC::testMultiplyAddSignExtend32Right):
* b3/B3LowerToAir.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testMulAddArg):
(testMulAddArgsLeft):
(testMulAddArgsRight):
(testMulAddSignExtend32ArgsLeft):
(testMulAddSignExtend32ArgsRight):
(testMulAddArgsLeft32):
(testMulAddArgsRight32):
* b3/testb3_3.cpp:
(addArgTests):
2021-06-22 Saam Barati <sbarati@apple.com>
jitCompileAndSetHeuristics shouldn't return true when we fail to compile
https://bugs.webkit.org/show_bug.cgi?id=227155
Reviewed by Tadeu Zagallo.
jitCompileAndSetHeuristics should only return true when we've successfully
compiled a baseline JIT CodeBlock. However, with the rewrite to using a
unified JIT worklist, the code was changed to returning true when a
compilation finished, regardless of it being successful or not. This patch
fixes that error.
This bug was found by our existing executable allocation fuzzer, but at a low
hit rate. That fuzzer only ran a single test case. This patch also introduces
a new form of the executable fuzzer where we fail to allocate JIT code
randomly, and the crash manifests more reliably. And this patch also hooks
the new fuzzer into more JSC stress tests.
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
* jit/ExecutableAllocationFuzz.cpp:
(JSC::doExecutableAllocationFuzzing):
* jsc.cpp:
(runJSC):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::jitCompileAndSetHeuristics):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/OptionsList.h:
2021-06-22 Angelos Oikonomopoulos <angelos@igalia.com>
Properly set numFPRs on ARM with NEON/VFP_V3_D32
https://bugs.webkit.org/show_bug.cgi?id=227212
Reviewed by Filip Pizlo.
Don't hardcode the number of FP regs on ARMv7 to 16; when targetting a
CPU with NEON or VFP_V3_d32, the number of FP regs is 32.
This also reverts the recent change to add an extra word to RegisterSet
which essentially covered up for this mismatch. The reason this bug only
manifested on certain compiler versions was that GCC 8.4/8.5 where built using
our buildroot infrastructure, whereas the other GCC versions we tested with
were debian system toolchains, targetting a lowest common denominator.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::std::initializer_list<int>):
* jit/RegisterSet.h:
2021-06-21 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Add JIT ICs for `#x in obj` feature
https://bugs.webkit.org/show_bug.cgi?id=226146
Reviewed by Saam Barati.
This patch implements JIT ICs for the new `#x in obj` feature and turns the feature on by default.
Implementation closely follows InByVal, though HasPrivateBrand has a few subtleties
(namely, it cannot be viewed in terms of a PropertySlot and should not be converted to InById).
Microbenchmarks:
has-private-name 46.5777+-0.1374 ^ 6.0589+-0.0296 ^ definitely 7.6875x faster
has-private-brand 25.8823+-0.0561 ^ 19.1509+-0.0447 ^ definitely 1.3515x faster
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::reset):
* bytecode/StructureStubInfo.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInByAsMatchStructure):
(JSC::DFG::ByteCodeParser::handleInById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileInByVal):
(JSC::DFG::SpeculativeJIT::compileHasPrivate):
(JSC::DFG::SpeculativeJIT::compileHasPrivateName):
(JSC::DFG::SpeculativeJIT::compileHasPrivateBrand):
* dfg/DFGSpeculativeJIT.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITInByValGenerator::JITInByValGenerator):
* jit/JITInlineCacheGenerator.h:
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitHasPrivate):
(JSC::JIT::emitHasPrivateSlow):
(JSC::JIT::emit_op_has_private_name):
(JSC::JIT::emitSlow_op_has_private_name):
(JSC::JIT::emit_op_has_private_brand):
(JSC::JIT::emitSlow_op_has_private_brand):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitHasPrivate):
(JSC::JIT::emitHasPrivateSlow):
(JSC::JIT::emit_op_has_private_name):
(JSC::JIT::emitSlow_op_has_private_name):
(JSC::JIT::emit_op_has_private_brand):
(JSC::JIT::emitSlow_op_has_private_brand):
* jit/Repatch.cpp:
(JSC::appropriateOptimizingInByFunction):
(JSC::appropriateGenericInByFunction):
(JSC::tryCacheInBy):
(JSC::repatchInBy):
(JSC::tryCacheHasPrivateBrand):
(JSC::repatchHasPrivateBrand):
(JSC::resetInBy):
(JSC::resetHasPrivateBrand):
* jit/Repatch.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/CommonSlowPaths.cpp:
* runtime/CommonSlowPaths.h:
* runtime/OptionsList.h:
2021-06-21 Don Olmstead <don.olmstead@sony.com>
Non-unified build fixes late June 2021 edition
https://bugs.webkit.org/show_bug.cgi?id=227241
Unreviewed non-unified build fixes.
* dfg/DFGDriver.h:
2021-06-21 Xan Lopez <xan@igalia.com>
[JSC] Fix consistency check during stack splitting in Wasm::LLIntGenerator::addLoop
https://bugs.webkit.org/show_bug.cgi?id=226012
Reviewed by Tadeu Zagallo.
It is possible for the wasm llint generator to call
checkConsistency() on a stack that is only halfway through being
properly setup. Specifically, when generating a loop block, we use
splitStack() to pop the arguments for the loop into a new stack,
and materializeConstantsAndLocals() to materialize the constants
and aliases in the loop arguments, but the arguments won't be
added back to the stack until the very end of the loop code
generation. Since materializeConstantsAndLocals() will check the
correctness of the expression stack, which isn't yet fully formed,
we'll fail its ASSERT. To workaround this, we create a variant of
materializeConstantsAndLocals() that does not check for
correctness (similar to what we do in push()), and manually check
the correctness of the new split stack in
Wasm::LLIntGenerator::addLoop(), which is the place that knows the
details of this intermediate state.
For more details, see: https://bugs.webkit.org/show_bug.cgi?id=226012#c8
* wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::checkConsistencyOfExpressionStack):
(JSC::Wasm::LLIntGenerator::checkConsistency):
(JSC::Wasm::LLIntGenerator::materializeConstantsAndLocals):
(JSC::Wasm::LLIntGenerator::addLoop):
2021-06-21 Yusuke Suzuki <ysuzuki@apple.com>
Release assert memory in JSC::Wasm::Memory::growShared(JSC::Wasm::PageCount)::<lambda()>
https://bugs.webkit.org/show_bug.cgi?id=227180
Reviewed by Keith Miller.
When Wasm.Memory is shared, we should allocate bound growable memory even if initial size is 0 bytes,
since this range can be later extended by mprotect. If maximum size is also 0 byte, we already have
a path that does not allocate anything.
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::tryCreate):
2021-06-21 Yijia Huang <yijia_huang@apple.com>
Add a new pattern to instruction selector to utilize SMSUBL supported by ARM64
https://bugs.webkit.org/show_bug.cgi?id=227195
Reviewed by Keith Miller.
Signed Multiply-Subtract Long(SMSUBL), supported by ARM64, multiplies two
32-bit register values, subtracts the product from a 64-bit register value,
and writes the result 64-bit destination register. The instruction selector
can utilize this to lowering certain patterns in B3 IR before further Air
optimization. Given the operation:
smsubl d, n, m, a
The equivalent pattern would be:
d = a - SExt32(n) * SExt32(m)
Given B3 IR:
Int @0 = ArgumentReg(%x0)
Int @1 = SExt32(Trunc(ArgumentReg(%x1)))
Int @2 = SExt32(Trunc(ArgumentReg(%x2)))
Int @3 = Mul(@1, @2)
Int @4 = Sub(@0, @3)
Void@5 = Return(@4, Terminal)
Before Adding SMSUBL:
// Old optimized AIR
SignExtend32ToPtr %x1, %x1, @1
SignExtend32ToPtr %x2, %x2, @2
MultiplySub64 %x1, %x2, %x0, %x0, @4
Ret64 %x0, @5
After Adding SMSUBL:
// New optimized AIR
MultiplySubSignExtend32 %x1, %x2, %x0, %x0, @4
Ret64 %x0, @5
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::multiplySubSignExtend32):
* assembler/testmasm.cpp:
(JSC::testMulSubSignExtend32):
* b3/B3LowerToAir.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testMulSubArgsLeft):
(testMulSubArgsRight):
(testMulSubArgsLeft32):
(testMulSubArgsRight32):
(testMulSubSignExtend32Args):
* b3/testb3_3.cpp:
(addArgTests):
2021-06-21 Kimmo Kinnunen <kkinnunen@apple.com>
makeUnique cannot be used to instantiate function-local classes
https://bugs.webkit.org/show_bug.cgi?id=227163
Reviewed by Antti Koivisto.
Make JSC_MAKE_PARSER_ARENA_DELETABLE_ALLOCATED
consistent with WTF_MAKE_FAST_ALLOCATED behavior
with respect to unused typedefs inside the macro.
* parser/Nodes.h:
2021-06-20 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Add ValueOf fast path in toPrimitive
https://bugs.webkit.org/show_bug.cgi?id=226948
Reviewed by Ross Kirsling.
Add fast path for Object.prototype.valueOf function call since we
sometimes encounter this case in Speedometer2/EmberJS-Debug-TodoMVC.
ToT Patched
value-of-call 65.7169+-0.6192 ^ 45.0986+-0.0830 ^ definitely 1.4572x faster
* runtime/JSCJSValue.cpp:
(JSC::JSValue::toStringSlowCase const):
* runtime/JSObject.cpp:
(JSC::callToPrimitiveFunction):
2021-06-20 Robin Morisset <rmorisset@apple.com>
Fix speculated type in the one-argument overload of speculateNeitherDoubleNorHeapBigIntNorString
https://bugs.webkit.org/show_bug.cgi?id=227119
Reviewed by Yusuke Suzuki.
Same problem as bug 226786: a missing check for HeapBigInt in the speculateNeitherDoubleNorHeapBigIntNorString function introduced in 226676.
I also rewrote the SpeculatedType for NeitherDoubleNorHeapBigIntNorString in typeFilterFor for readability. The old and the new SpeculatedType are perfectly identical, it is just a different (and in my view more readable) way of writing it.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
2021-06-19 Mark Lam <mark.lam@apple.com>
[Revert r278576] Put the Baseline JIT prologue and op_loop_hint code in JIT thunks.
https://bugs.webkit.org/show_bug.cgi?id=226375
Not reviewed.
Suspect regresses Speedometer2.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::untagReturnAddress):
(JSC::AbstractMacroAssembler::untagReturnAddressWithoutExtraValidation): Deleted.
* assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::untagReturnAddress):
(JSC::MacroAssemblerARM64E::untagReturnAddressWithoutExtraValidation): Deleted.
* assembler/MacroAssemblerARMv7.h:
* assembler/MacroAssemblerMIPS.h:
* bytecode/CodeBlock.h:
(JSC::CodeBlock::addressOfNumParameters):
(JSC::CodeBlock::offsetOfNumParameters):
(JSC::CodeBlock::offsetOfInstructionsRawPointer):
(JSC::CodeBlock::offsetOfNumCalleeLocals): Deleted.
(JSC::CodeBlock::offsetOfNumVars): Deleted.
(JSC::CodeBlock::offsetOfArgumentValueProfiles): Deleted.
(JSC::CodeBlock::offsetOfShouldAlwaysBeInlined): Deleted.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
(JSC::AssemblyHelpers::emitSaveCalleeSavesForBaselineJIT): Deleted.
(JSC::AssemblyHelpers::emitRestoreCalleeSavesForBaselineJIT): Deleted.
* jit/JIT.cpp:
(JSC::JIT::compileAndLinkWithoutFinalizing):
(JSC::JIT::privateCompileExceptionHandlers):
(JSC::prologueGeneratorSelector): Deleted.
(JSC::JIT::prologueGenerator): Deleted.
(JSC::JIT::arityFixupPrologueGenerator): Deleted.
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::emitNakedNearCall):
* jit/JITOpcodes.cpp:
(JSC::JIT::op_ret_handlerGenerator):
(JSC::JIT::emit_op_enter):
(JSC::JIT::op_enter_handlerGenerator):
(JSC::JIT::emit_op_loop_hint):
(JSC::JIT::emitSlow_op_loop_hint):
(JSC::JIT::op_enter_Generator): Deleted.
(JSC::JIT::op_enter_canBeOptimized_Generator): Deleted.
(JSC::JIT::op_enter_cannotBeOptimized_Generator): Deleted.
(JSC::JIT::op_loop_hint_Generator): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_enter):
* jit/ThunkGenerators.cpp:
(JSC::popThunkStackPreservesAndHandleExceptionGenerator):
2021-06-19 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r278699.
https://bugs.webkit.org/show_bug.cgi?id=227174
Regressed JetStream2/WSL
Reverted changeset:
"[JSC] Remove useDataICInOptimizingJIT option"
https://bugs.webkit.org/show_bug.cgi?id=226862
https://trac.webkit.org/changeset/278699
2021-06-18 Yijia Huang <yijia_huang@apple.com>
Add a new pattern to B3ReduceStrength based on Bug 226984
https://bugs.webkit.org/show_bug.cgi?id=227138
Reviewed by Filip Pizlo.
In the previous patch bug 226984, a new pattern could be introduced to
B3ReduceStrength.cpp for further optimization, which is that:
dest = (src >> shiftAmount) & mask
is equivalent to
src >> shiftAmount
under these constraints:
1. shiftAmount >= 0
2. mask has a binary format in contiguous ones starting from the
least significant bit.
3. shiftAmount + bitCount(mask) == maxBitWidth
For instance (32-bit):
(src >> 12) & 0x000fffff == src >> 12
This reduction is more beneficial than UBFX in this case.
// B3 IR
Int @0 = ArgumentReg(%0)
Int @1 = 12
Int @2 = ZShr(@0, @1)
Int @3 = 0x000fffff
Int @4 = BitAnd(@2, @3))
Void@5 = Return(@4, Terminal)
w/o the pattern:
// Old optimized AIR
Ubfx %0, $12, $20, %0, @4
Ret %0, @5
w/ the pattern:
// New optimized AIR
Urshift %0, $12, %0, @3
Ret32 %0, @6
* b3/B3ReduceStrength.cpp:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testBitAndZeroShiftRightImmMask32):
(testBitAndZeroShiftRightImmMask64):
(addBitTests):
2021-06-18 Robin Morisset <rmorisset@apple.com>
[DFG] Untyped branches should eliminate checks based on results from the AbstractInterpreter
https://bugs.webkit.org/show_bug.cgi?id=227159
Reviewed by Filip Pizlo.
We currently emit a ton of code for Untyped branches, as we use branchIfTruthy which does not know anything about the abstract interpreter.
Even worse: we call branchIfTruthy after emitting some fast paths, and branchIfTruthy replicates these fast paths (Int32 and Booleans).
While I plan to reduce the number of Untyped branches in some separate patches, there is a very long tail of predicted types visible in benchmarks, so I expect some of them to remain no matter what, justifying making the code emitted in that case more reasonable.
The implementation in this patch is fairly straightforward, as it follows very closely branchOnValue() from AssemblyHelpers (which was previously called through branchIfTruthy).
It was tested on the JSC stress tests, as well as on JetStream2.
On JetStream2, it reduced the average number of bytes emitted for Branch by the DFG from 30.1 to 27.5 (highly significant, it only changes by about 0.1 between runs).
Since only about 1.5k branches are untyped out of 34k in that benchmark, it means that this patch reduces the amount of code emitted for untyped branches by about 50 bytes on average.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::branchDoubleZeroOrNaN):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitUntypedBranch):
(JSC::DFG::SpeculativeJIT::emitBranch):
2021-06-17 Mark Lam <mark.lam@apple.com>
Rename numberOfPACBits to maxNumberOfAllowedPACBits.
https://bugs.webkit.org/show_bug.cgi?id=227156
Reviewed by Saam Barati.
Just renaming the constant to better describe what it represents. There are no
behavior changes.
* assembler/MacroAssemblerARM64E.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::cageWithoutUntagging):
(JSC::AssemblyHelpers::cageConditionallyAndUntag):
* llint/LowLevelInterpreter64.asm:
2021-06-17 Mark Lam <mark.lam@apple.com>
Define MacroAssemblerARM64E::numberOfPACBits based on OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH).
https://bugs.webkit.org/show_bug.cgi?id=227147
rdar://78785309
Reviewed by Saam Barati.
* assembler/MacroAssemblerARM64E.h:
* bytecode/CodeOrigin.h:
* runtime/JSString.h:
* runtime/OptionsList.h:
2021-06-17 Fujii Hironori <Hironori.Fujii@sony.com>
Reimplement JSC::CachePayload without FileSystem::unmapViewOfFile and FileSystem::MappedFileData::leakHandle
https://bugs.webkit.org/show_bug.cgi?id=227014
Reviewed by Yusuke Suzuki.
r247542 (Bug 199759) added FileSystem::unmapViewOfFile and
FileSystem::MappedFileData::leakHandle for JSC::CachePayload to
get the mapped address and to free the address.
However, Bug 227011 is going to add a file mapping handle to
FileSystem::MappedFileData for Windows port to create a
SharedMemory from a MappedFileData. Destruction of MappedFileData
should be done only by MappedFileData dtor.
* runtime/CachePayload.cpp:
(JSC::CachePayload::makeMappedPayload):
(JSC::CachePayload::makeMallocPayload):
(JSC::CachePayload::makeEmptyPayload):
(JSC::CachePayload::CachePayload):
(JSC::CachePayload::data const):
(JSC::CachePayload::size const):
(JSC::CachePayload::~CachePayload): Deleted.
(JSC::CachePayload::operator=): Deleted.
(JSC::CachePayload::freeData): Deleted.
* runtime/CachePayload.h: Use Variant for data.
(JSC::CachePayload::data const): Deleted.
(JSC::CachePayload::size const): Deleted.
(JSC::CachePayload::CachePayload): Deleted.
2021-06-17 Yijia Huang <yijia_huang@apple.com>
Add a new pattern to instruction selector to utilize UBFX supported by ARM64
https://bugs.webkit.org/show_bug.cgi?id=226984
Reviewed by Filip Pizlo.
UBFX, supported by ARM64, copies adjacent bits from the source register into
the least significant bits of a destination register in zero extension. The
instruction selector can utilize this to lowering certain patterns in B3 IR
before further Air optimization.
ubfx dest, src, lsb, width
tmp, tmp, imm, imm
This is equivalent to "dest = (src >> lsb) & ((1 << width) - 1)". Since wasm
introduces constant folding, then the pattern would be:
dest = (src >> lsb) & mask
where the mask should have a binary format in contiguous ones starting from
the least significant bit. For example:
0b00111111
To make the pattern matching in instruction selection beneficial to JIT, these
constraints should be introduced:
1. lsb >= 0
2. width > 0
3. lsb + width <= bit field limit (32 or 64)
Given:
// B3 IR
Int @0 = ArgumentReg(%0)
Int @1 = lsb
Int @2 = 0b0011
Int @3 = ZShr(@0, @1)
Int @4 = BitAnd(@3, @2)
Void@5 = Return(@4, Terminal)
w/o UBFX Pattern:
// Old optimized AIR
Urshift %x0, lsb, %x0, @3
And 0b0011, %x0, %x0, @4
Ret %x0, @5
w/ UBFX Pattern:
// New optimized AIR
Ubfx %x0, lsb, 2, %x0, @4
Ret %x0, @5
Note:
Suppose a 32-bit version of (src >> 20) & 0x0FFF, it is equivalent to src >> 20.
In this case, Logical Shift Right should be utilized instead when:
lsb + width == bit field limit (32 or 64)
This case/pattern should be added and upadated in the future patch.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::ubfx32):
(JSC::MacroAssemblerARM64::ubfx64):
* assembler/testmasm.cpp:
(JSC::testUbfx32):
(JSC::testUbfx64):
* b3/B3LowerToAir.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testUbfx64PatternMatch):
(testUbfx32PatternMatch):
(addBitTests):
2021-06-17 Angelos Oikonomopoulos <angelos@igalia.com>
[JSC] Work around apparent miscompilation on ARM/GCC >=8.4
https://bugs.webkit.org/show_bug.cgi?id=227125
Reviewed by Filip Pizlo.
This seems to be a GCC miscompilation, revealed by
https://bugs.webkit.org/show_bug.cgi?id=227078. Introduce a
workaround for the GCC versions that seem to be affected.
* jit/RegisterSet.h:
2021-06-16 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Optimize JSON.parse with small data by changing Identifier pool mechanism
https://bugs.webkit.org/show_bug.cgi?id=227101
Reviewed by Mark Lam.
Found that std::array<Identifier, 128> pool in LiteralParser is too costly for construction and destruction
if JSON.parse is invoked for small data. This patch changes this pool mechanism so that we do not waste effort
allocating null Identifiers to pre-populate the recent identifiers pool. Instead, we now use a m_recentIdentifiersIndex
uint8_t array to indicate whether there's a cached recent identifier for each given first character.
We also use KeywordLookup.h's COMPARE_XCHARS to perform "true" / "false" / "null" lexing in JSON parser.
Roughly 20% improvement in microbenchmark. And roughly 2-3% improvement in Speedometer2/Flight-TodoMVC.
ToT Patched
flight-todomvc-json 67.8755+-1.1202 ^ 56.7114+-0.5048 ^ definitely 1.1969x faster
* runtime/Identifier.cpp:
(JSC::Identifier::add):
(JSC::Identifier::add8):
* runtime/Identifier.h:
(JSC::Identifier::Identifier):
(JSC::Identifier::add):
* runtime/IdentifierInlines.h:
(JSC::Identifier::add):
(JSC::Identifier::fromString):
* runtime/LiteralParser.cpp:
(JSC::compare3Chars):
(JSC::compare4Chars):
(JSC::LiteralParser<CharType>::makeIdentifier):
(JSC::LiteralParser<CharType>::Lexer::lex):
* runtime/LiteralParser.h:
2021-06-16 Mark Lam <mark.lam@apple.com>
Adopt com.apple.security.cs.jit-write-allowlist on internal builds.
https://bugs.webkit.org/show_bug.cgi?id=222148
rdar://74284026
Reviewed by Per Arne Vollan.
This will prevent various pthread permissions switching APIs from working.
We only want to adopt this for internal builds where we use the fast permission
switching macro instead. We can't adopt it for open source builds, where we
still rely on the pthread API.
* Scripts/process-entitlements.sh:
2021-06-16 Robin Morisset <rmorisset@apple.com>
Don't look at the (non-existent) child2 of DelById
https://bugs.webkit.org/show_bug.cgi?id=227095
Reviewed by Mark Lam.
Trivial fix to a broken rebase: while it is ok to share most code between DelById and DelByVal, only the latter has a child2(), so it should not be accessed if we are compiling the former.
No new test, as it was caught by one of our existing tests.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
2021-06-16 Yijia Huang <yijia_huang@apple.com>
Add Air opcode sub32/64(Reg, Imm, Reg) form for ARM64 and select this instruction in Air
https://bugs.webkit.org/show_bug.cgi?id=226937
Reviewed by Yusuke Suzuki.
Previously, Air arm64 sub32/64 utilize sub(Imm, Tmp) at optlevel = 0 and
add(Tmp, -Imm) at optlevel > 0 to perform and optimize sub(Tmp, Imm, Tmp).
The issue with this is that we were not eliding redundant operations.
For example:
// B3 IR
@0 = Trunc(ArgumentReg(0))
@1 = Const
@2 = Sub(@0, @1)
@3 = Return(@2)
// Old optimized Air IR
// OptLevel = 0
Move %x0, %tmp1, @0
Move $Const, %tmp2, @1
Move %tmp1, %tmp0, @2 // Redundant
Sub $Const, %tmp0, @2
Move %tmp0, %x0, @3
Ret32 %x0, @3
To remove those redundant instructions, Air arm64 sub32/64 opcode should
indicate a new form sub(Tmp, Imm, Tmp).
// New optimized Air IR
// OptLevel = 0
Move %x0, %tmp1, @0
Move $Const, %tmp2, @1
Sub %tmp1, $Const, %tmp0, @2
Move %tmp0, %x0, @3
Ret32 %x0, @3
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::sub32):
(JSC::MacroAssemblerARM64::sub64):
* assembler/testmasm.cpp:
(JSC::testSub32Args):
(JSC::testSub32Imm):
(JSC::testSub32ArgImm):
(JSC::testSub64Imm32):
(JSC::testSub64ArgImm32):
(JSC::testSub64Imm64):
(JSC::testSub64ArgImm64):
* b3/B3ReduceStrength.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testSubArgs32ZeroExtend):
* b3/testb3_3.cpp:
(addArgTests):
2021-06-16 Robin Morisset <rmorisset@apple.com>
Drop the FTL(DFG) graph after lowering to B3
https://bugs.webkit.org/show_bug.cgi?id=226556
Reviewed by Phil Pizlo.
This patch originally landed as r278463, was reverted in r278463.
I believe that the bug for which it was reverted actually comes from r278371, which was also reverted at the same time. So I am now relanding this.
The challenge in this patch was dealing with all of the Patchpoints created by FTLLowerDFGToB3: they get a lambda at that time, which they execute at the end of Air, and many of these lambdas were capturing a pointer to some parts of the DFG graph and reading through it when being executed.
In all cases but one it was easily fixed: they were only reading a few bits from a given node, so I just read these bits in FTLLowerDFGToB3, and captured them (by value) instead of the pointer to the node.
The exception was compileCallOrConstructVarargsSpread(): its patchpoint generator was walking through the graph, flattening a tree of PhantomSpread/PhantomNewArrayWithSpread/PhantomNewArrayBuffer/PhantomCreateRest, emitting some code along the way.
We now do this flattening of the tree in FTLLowerDFGToB3, store just enough information to later emit the required code in a vector, and capture that vector in the lambda (through a move capture, which is allowed since C++14). See `struct VarargsSpreadArgumentToEmit` for the information that we need to store in that vector.
I tested this change by completing a full run of JetStream2 with ASAN.
I also ran the stress tests with "spread" in their name in Debug mode.
* b3/B3SparseCollection.h:
(JSC::B3::SparseCollection::clearAll):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::freeDFGIRAfterLowering):
* dfg/DFGGraph.h:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::getPrivateName):
(JSC::FTL::DFG::LowerDFGToB3::compilePrivateBrandAccess):
(JSC::FTL::DFG::LowerDFGToB3::cachedPutById):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::VarargsSpreadArgumentToEmit::VarargsSpreadArgumentToEmit):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
(JSC::FTL::DFG::LowerDFGToB3::compileInById):
(JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
(JSC::FTL::DFG::LowerDFGToB3::getById):
(JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
(JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
(JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
(JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
(JSC::FTL::DFG::LowerDFGToB3::crash):
2021-06-16 Filip Pizlo <fpizlo@apple.com>
RegisterSet should be smaller
https://bugs.webkit.org/show_bug.cgi?id=227078
Reviewed by Geoff Garen.
Previously, every RegisterSet would have an extra 64-bit word in it just to hold state
relevant to hashtable keys.
But RegisterSet is almost never used as a hashtable key.
This patch moves the hashtable key support into a subclass, HashableRegisterSet. That class
ends up only being used in one place.
On ARM64, this makes RegisterSet use 64 bits instead of 128 bits.
On X86_64, this makes RegisterSet use 32 bits instead of 64 bits.
* JavaScriptCore.xcodeproj/project.pbxproj:
* ftl/FTLSlowPathCallKey.h:
(JSC::FTL::SlowPathCallKey::SlowPathCallKey):
* jit/HashableRegisterSet.h: Added.
(JSC::HashableRegisterSet::HashableRegisterSet):
(JSC::HashableRegisterSet::isEmptyValue const):
(JSC::HashableRegisterSet::isDeletedValue const):
(JSC::RegisterSetHash::hash):
(JSC::RegisterSetHash::equal):
* jit/RegisterSet.h:
(): Deleted.
(JSC::RegisterSet::isEmptyValue const): Deleted.
(JSC::RegisterSet::isDeletedValue const): Deleted.
(JSC::RegisterSetHash::hash): Deleted.
(JSC::RegisterSetHash::equal): Deleted.
2021-06-16 Tadeu Zagallo <tzagallo@apple.com>
AssemblyHelpers should save/restore callee save FPRs
https://bugs.webkit.org/show_bug.cgi?id=227052
<rdar://77080162>
Reviewed by Mark Lam.
We have 3 functions in AssemblyHelpers to save and restore callee save registers that were filtering
out any FPRs. This is an issue since we do have callee save FPRs in arm64 and these functions can be
called from the FTL, and FTL uses those callee saves. The test case shows how that's an issue with tail
calls on FTL: the callee saves are correctly stored in the prologue and restored in the epilogue, but
when emitting a tail call we use AssemblyHelpers::emitRestoreCalleeSaves to restore the callee saves,
which doesn't restore FPRs. This results in the callee save FPRs being trashed. To fix this we just need
to stop filtering out the FPRs, if they are listed as used by the code block they should be saved/restored
accordingly. I also changed DFGOSREntry to stop filtering out the callee save FPRs and instead assert
there aren't any, since they aren't currently used in the DFG, but it could help avoid the same issue in
the future.
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
(JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
(JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
2021-06-16 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r278846.
https://bugs.webkit.org/show_bug.cgi?id=227060
Speculative revert based on failure history of Speedometer2
Reverted changeset:
"Add Air opcode sub32/64(Reg, Imm, Reg) form for ARM64 and
select this instruction in Air"
https://bugs.webkit.org/show_bug.cgi?id=226937
https://trac.webkit.org/changeset/278846
2021-06-15 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Optimize JSON.parse with small content by dropping single character Identifier pool
https://bugs.webkit.org/show_bug.cgi?id=227057
Reviewed by Sam Weinig.
Profiler results and investigation suggest interesting things.
1. Sampling profiler says Flight-TodoMVC is mostly JSON.parse benchmark.
2. Each JSON data of Flight-TodoMVC is small. And JSON.parse is super frequently called.
3. In the case of JSON.parse with small data, LiteralParser's construction / destruction costs much since
it has large Identifier pool with std::array<>.
As a simple first step, this patch removes single character Identifier pool from LiteralParser since
the exact same Identifier data can be retrieved from VM's SmallStrings.
We created a microbenchmark from Flight-TodoMVC's data, and the result is roughly 20% better.
And we observed 0.6% improvement in Speedometer2.
ToT Patched
flight-todomvc-json 81.0552+-0.8403 ^ 67.5756+-0.6221 ^ definitely 1.1995x faster
----------------------------------------------------------------------------------------------------------------------------------
| subtest | ms | ms | b / a | pValue (significance using False Discovery Rate) |
----------------------------------------------------------------------------------------------------------------------------------
| Elm-TodoMVC |128.991667 |128.450000 |0.995801 | 0.278228 |
| VueJS-TodoMVC |28.487500 |27.925000 |0.980254 | 0.139315 |
| EmberJS-TodoMVC |133.950000 |134.175000 |1.001680 | 0.685021 |
| BackboneJS-TodoMVC |51.670833 |51.537500 |0.997420 | 0.628993 |
| Preact-TodoMVC |21.783333 |21.754167 |0.998661 | 0.944237 |
| AngularJS-TodoMVC |143.820833 |143.770833 |0.999652 | 0.933953 |
| Vanilla-ES2015-TodoMVC |71.608333 |71.416667 |0.997323 | 0.500591 |
| Inferno-TodoMVC |69.179167 |69.525000 |1.004999 | 0.412406 |
| Flight-TodoMVC |81.354167 |79.020833 |0.971319 | 0.000053 (significant) |
| Angular2-TypeScript-TodoMVC |42.654167 |41.887500 |0.982026 | 0.086053 |
| VanillaJS-TodoMVC |57.054167 |56.633333 |0.992624 | 0.176804 |
| jQuery-TodoMVC |274.595833 |275.670833 |1.003915 | 0.148812 |
| EmberJS-Debug-TodoMVC |358.387500 |357.595833 |0.997791 | 0.323387 |
| React-TodoMVC |93.804167 |93.329167 |0.994936 | 0.113410 |
| React-Redux-TodoMVC |157.954167 |157.266667 |0.995647 | 0.131298 |
| Vanilla-ES2015-Babel-Webpack-TodoMVC |68.687500 |68.054167 |0.990779 | 0.002155 (significant) |
----------------------------------------------------------------------------------------------------------------------------------
a mean = 235.28964
b mean = 236.72163
pValue = 0.0121265559
(Bigger means are better.)
1.006 times better
Results ARE significant
* runtime/Identifier.h:
(JSC::Identifier::canUseSingleCharacterString):
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::makeIdentifier):
* runtime/LiteralParser.h:
* runtime/SmallStrings.cpp:
(JSC::SmallStrings::singleCharacterStringRep):
* runtime/SmallStrings.h:
2021-06-15 Keith Miller <keith_miller@apple.com>
Shouldn't drain the micro task queue when calling out to ObjC
https://bugs.webkit.org/show_bug.cgi?id=161942
Unreviewed, relanding r278734.
* API/tests/testapi.cpp:
(TestAPI::promiseDrainDoesNotEatExceptions):
(testCAPIViaCpp):
* API/tests/testapi.mm:
(testMicrotaskWithFunction):
(testObjectiveCAPI):
* runtime/JSLock.cpp:
(JSC::JSLock::willReleaseLock):
* runtime/ObjectPrototype.cpp:
(JSC::isPokerBros):
* runtime/VM.cpp:
(JSC::VM::didExhaustMicrotaskQueue):
2021-06-15 Michael Catanzaro <mcatanzaro@gnome.org>
-Warray-bounds warning in Packed.h
https://bugs.webkit.org/show_bug.cgi?id=226557
<rdar://problem/79103658>
Reviewed by Darin Adler.
* b3/air/AirAllocateRegistersByGraphColoring.cpp:
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
2021-06-15 Mark Lam <mark.lam@apple.com>
Move setting of scratch buffer active lengths to the runtime functions.
https://bugs.webkit.org/show_bug.cgi?id=227013
rdar://79325068
Reviewed by Keith Miller.
We previously emit JIT'ed code to set and unset the ScratchBuffer active length
around calls into C++ runtime functions. This was needed because the runtime
functions may allow GC to run, and GC needs to be able to scan the values stored
in the ScratchBuffer.
In this patch, we change it so that the runtime functions that need it will
declare an ActiveScratchBufferScope RAII object that will set the ScratchBuffer
active length, and unset it on exit. This allows us to:
1. Emit less JIT code. The runtime function can take care of it.
2. Elide setting the ScratchBuffer active length if not needed. The runtime
functions know whether they can GC or not. They only need to set the active
length if they can GC.
Note that scanning of the active ScratchBuffer is done synchronously on the
mutator thread via Heap::gatherScratchBufferRoots(), which is called as part of
the GC conservative root scan. This means there is no urgency / sequencing that
requires that the active length be set before calling into the runtime function.
Setting it in the runtime function itself is fine as long as it is done before
the function executes any operations that can GC.
This patch also made the following changes:
1. Introduce ActiveScratchBufferScope RAII object used to set/unset the
ScratchBuffer length in the runtime functions. ActiveScratchBufferScope takes
the active length in units of number of stack slots / Registers / JSValues
instead of bytes.
2. Deleted ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall()
and ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall().
These functions are unused.
The reasoning behind what values to pass to ActiveScratchBufferScope, is any:
1. AssemblyHelpers::debugCall() in AssemblyHelpers.cpp:
The ScratchBuffer is only used for operationDebugPrintSpeculationFailure(),
which now declares an ActiveScratchBufferScope.
The active length is GPRInfo::numberOfRegisters + FPRInfo::numberOfRegisters.
See scratchSize in AssemblyHelpers::debugCall().
2. genericGenerationThunkGenerator() in FTLThunks.cpp:
The scratch buffer size for determining the active length is
requiredScratchMemorySizeInBytes().
However, genericGenerationThunkGenerator() generates code to call either
operationCompileFTLOSRExit() or operationCompileFTLLazySlowPath(). Both of
these functions will DeferGCForAWhile. Hence, GC cannot run, and we don't need
to set the active length here.
3. compileArrayPush() in FTLLowerDFGToB3.cpp:
Cases Array::Int32, Array::Contiguous, or Array::Double calls
operationArrayPushMultiple() or operationArrayPushDoubleMultiple().
For operationArrayPushMultiple(), the active length is elementCount. See
computation of scratchSize.
For operationArrayPushDoubleMultiple(), we don't need to set the active length
because the ScratchBuffer only contains double values. The GC does not need
to scan those.
Case Array::ArrayStorage calls operationArrayPushMultiple().
The active length is elementCount. See computation of scratchSize.
compileNewArray() in FTLLowerDFGToB3.cpp:
Calls operationNewArray(). Active length is m_node->numChildren(), which is
passed to operationNewArray() as the size parameter. See computation of
scratchSize.
compileNewArrayWithSpread() in FTLLowerDFGToB3.cpp:
Calls operationNewArrayWithSpreadSlow(). Active length is m_node->numChildren(),
which is passes to operationNewArrayWithSpreadSlow() as the numItems parameter.
See computation of scratchSize.
4. osrExitGenerationThunkGenerator() in DFGThunks.cpp:
Calls operationCompileOSRExit(). Active length is GPRInfo::numberOfRegisters +
FPRInfo::numberOfRegisters. See computation of scratchSize.
5. compileNewArray() in DFGSpeculativeJIT.cpp:
Calls operationNewArray(). Active length is node->numChildren(), which is
passed in as the size parameter.
compileNewArrayWithSpread() in DFGSpeculativeJIT.cpp:
Calls operationNewArrayWithSpreadSlow(). Active length is node->numChildren(),
which is passed in as the numItems parameter.
compileArrayPush() in DFGSpeculativeJIT.cpp:
Calls operationArrayPushMultiple(). Active length is elementCount, which is
passed in as the elementCount parameter.
Calls operationArrayPushDoubleMultiple(). Active length is elementCount, but
we don't need to set it because the ScratchBuffer only contains double values.
* dfg/DFGOSRExit.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewArray):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
(JSC::DFG::SpeculativeJIT::compileArrayPush):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::JSC_DEFINE_JIT_OPERATION):
* ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_JIT_OPERATION):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::debugCall):
* jit/ScratchRegisterAllocator.cpp:
(JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall): Deleted.
(JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall): Deleted.
* jit/ScratchRegisterAllocator.h:
* runtime/VM.h:
* runtime/VMInlines.h:
(JSC::ActiveScratchBufferScope::ActiveScratchBufferScope):
(JSC::ActiveScratchBufferScope::~ActiveScratchBufferScope):
2021-06-14 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Workaround ICU uloc_addLikelySubtags / uloc_minimizeSubtags bugs
https://bugs.webkit.org/show_bug.cgi?id=226996
rdar://79250513
Reviewed by Ross Kirsling.
ICU has bugs that uloc_addLikelySubtags / uloc_minimizeSubtags cannot handle very long locale ID that exceeds ULOC_FULLNAME_CAPACITY,
while these functions can take arbitrary sized buffer for output. This can be achieved simply by (1) attaching many unicode extensions,
or (2) having many variants.
In this patch, we add a workaround: if uloc_addLikelySubtags / uloc_minimizeSubtags failed, we perform them without having locale ID
keywords part. After performing the operations, we append these keywords back.
This is workaround, and still this workaround is not complete since we could have many variants. In that case, uloc_addLikelySubtags / uloc_minimizeSubtags
still fails, and in that case, for now, we give up performing uloc_addLikelySubtags / uloc_minimizeSubtags. Fixing this needs to be
done in ICU side: https://unicode-org.atlassian.net/browse/ICU-21639
* runtime/IntlLocale.cpp:
(JSC::IntlLocale::keywordValue const):
(JSC::IntlLocale::maximal):
(JSC::IntlLocale::minimal):
(JSC::IntlLocale::baseName):
2021-06-14 Mark Lam <mark.lam@apple.com>
Add ldp and stp support for FP registers, plus some bug fixes.
https://bugs.webkit.org/show_bug.cgi?id=226998
rdar://79313717
Reviewed by Robin Morisset.
This patch does the following:
1. Add ldp and stp support for FP registers.
This simply entails providing wrappers that take FPRegisterID and passing true
for the V bit to the underlying loadStoreRegisterPairXXX encoding function.
V is for vector (aka floating point). This will cause bit 26 in the instruction
to be set indicating that it's loading / storing floating point registers.
2. Add ARM64 disassembler support ldp and stp for FP registers.
This includes fixing A64DOpcodeLoadStoreRegisterPair::mask to not exclude the
FP versions of the instructions.
3. Add ARM64Assembler query methods for determining if an immediate is encodable
as the signed 12 bit immediate of ldp and stp instructions.
4. Fix ldp and stp offset form to take an int instead of an unsigned. The
immediate it takes is a 12-bit signed int, not unsigned.
5. In loadStoreRegisterPairXXX encoding functions used by the forms of ldp and stp,
RELEASE_ASSERT that the passed in immediate is encodable. Unlike ldur / stur,
there is no form of ldp / stp that takes the offset in a register that can be
used as a fail over. Hence, if the immediate is not encodable, this is a
non-recoverable event. The client is responsible for ensuring that the offset
is encodable.
6. Added some testmasm tests for testing the offset form (as opposed to PreIndex
and PostIndex forms) of ldp and stp. We currently only use the offset form
in our JITs.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::isValidLDPImm):
(JSC::ARM64Assembler::isValidLDPFPImm):
(JSC::ARM64Assembler::ldp):
(JSC::ARM64Assembler::ldnp):
(JSC::ARM64Assembler::isValidSTPImm):
(JSC::ARM64Assembler::isValidSTPFPImm):
(JSC::ARM64Assembler::stp):
(JSC::ARM64Assembler::stnp):
(JSC::ARM64Assembler::loadStoreRegisterPairPostIndex):
(JSC::ARM64Assembler::loadStoreRegisterPairPreIndex):
(JSC::ARM64Assembler::loadStoreRegisterPairOffset):
(JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
* assembler/AssemblerCommon.h:
(JSC::isValidSignedImm7):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::loadPair64):
(JSC::MacroAssemblerARM64::storePair64):
* assembler/testmasm.cpp:
(JSC::testLoadStorePair64Int64):
(JSC::testLoadStorePair64Double):
* disassembler/ARM64/A64DOpcode.cpp:
(JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterPair::format):
* disassembler/ARM64/A64DOpcode.h:
2021-06-14 Yijia Huang <yijia_huang@apple.com>
Add Air opcode sub32/64(Reg, Imm, Reg) form for ARM64 and select this instruction in Air
https://bugs.webkit.org/show_bug.cgi?id=226937
Reviewed by Saam Barati.
Previously, Air arm64 sub32/64 utilize sub(Imm, Tmp) at optlevel = 0 and
add(Tmp, -Imm) at optlevel > 0 to perform and optimize sub(Tmp, Imm, Tmp).
The issue with this is that we were not eliding redundant operations.
For example:
// B3 IR
@0 = Trunc(ArgumentReg(0))
@1 = Const
@2 = Sub(@0, @1)
@3 = Return(@2)
// Old optimized Air IR
// OptLevel = 0
Move %x0, %tmp1, @0
Move $Const, %tmp2, @1
Move %tmp1, %tmp0, @2 // Redundant
Sub $Const, %tmp0, @2
Move %tmp0, %x0, @3
Ret32 %x0, @3
To remove those redundant instructions, Air arm64 sub32/64 opcode should
indicate a new form sub(Tmp, Imm, Tmp).
// New optimized Air IR
// OptLevel = 0
Move %x0, %tmp1, @0
Move $Const, %tmp2, @1
Sub %tmp1, $Const, %tmp0, @2
Move %tmp0, %x0, @3
Ret32 %x0, @3
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::sub32):
(JSC::MacroAssemblerARM64::sub64):
* assembler/testmasm.cpp:
(JSC::testSub32Args):
(JSC::testSub32Imm):
(JSC::testSub32ArgImm):
(JSC::testSub64Imm32):
(JSC::testSub64ArgImm32):
(JSC::testSub64Imm64):
(JSC::testSub64ArgImm64):
* b3/B3ReduceStrength.cpp:
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_2.cpp:
(testSubArgs32ZeroExtend):
* b3/testb3_3.cpp:
(addArgTests):
2021-06-14 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r278734.
https://bugs.webkit.org/show_bug.cgi?id=226973
broke jsc testapi
Reverted changeset:
"Shouldn't drain the micro task queue when calling out to
ObjC"
https://bugs.webkit.org/show_bug.cgi?id=161942
https://trac.webkit.org/changeset/278734
2021-06-13 Saam Barati <sbarati@apple.com>
https://bugs.webkit.org/show_bug.cgi?id=226576
<rdar://problem/78810362>
Reviewed by Yusuke Suzuki.
ShortCircuitReadModifyResolveNode can't emit a value into
its result until after it emits a TDZ check. We were temporarily
storing the result of the get_from_scope into the dst. Then
we'd emit the TDZ check. The TDZ check can throw, and it could
lead to us returning TDZ from the eval itself. Instead, we need
to use a temporary to emit a TDZ check on. Only after the TDZ check
passes can we move the temporary into the result.
* bytecompiler/NodesCodegen.cpp:
(JSC::ShortCircuitReadModifyResolveNode::emitBytecode):
2021-06-12 Michael Catanzaro <mcatanzaro@gnome.org>
-Wnonnull warning in JITCall.cpp
https://bugs.webkit.org/show_bug.cgi?id=226643
<rdar://problem/79197261>
Reviewed by Darin Adler.
This is a false-positive, so suppress it using
IGNORE_ERRONEOUS_GCC_NULL_CHECK_WARNINGS_BEGIN.
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
2021-06-12 Robin Morisset <rmorisset@apple.com>
We should drop B3 values while running Air
https://bugs.webkit.org/show_bug.cgi?id=226187
Reviewed by Saam Barati.
NB: this patch first landed as r278371, then was reverted in r278587 as it broke --dumpDisassembly().
I fixed the bug (a missing line setDisassembler()) and am now re-landing it. Below is a copy of the original Changelog.
We must keep the following values:
- WasmBoundsCheck, to know whether it is Pinned or Maximum, and if it is pinned find its argument.
- CCall/Patch/Check/CheckAdd/CheckSub/CheckMul and all of their children, because all of these are lowered to Air::Patchpoint, which needs to know the type of its arguments, and does so by looking at the children of its origin.
I intend to fix these in later patches if possible.
Finally we must preserve all B3 values in the following cases:
- if we dump the disassembly or the Air graph: because otherwise we cannot print the origins
- if we are using the sampling profiler, because it relies on PCToCodeOriginMap which we cannot accurately fill without these origins.
We must also keep m_tuples alive, as it is used by Patchpoints in Air to understand the types of their arguments.
We also don't touch StackSlots (in this patch), because one of them is captured by FTL::State.
Also now PCToOriginMap has a Vector with no inline capacity, since it is either quite large (if needed) or empty (otherwise).
The performance impact of this is a progression on various RAMification subtests on Mac, but is more mitigated on iPhone7, with various regressions.
I suspect these to be noise, and will monitor the performance bots post-landing to make sure of it.
* b3/B3LowerToAir.cpp:
(JSC::B3::lowerToAir):
* b3/B3Procedure.cpp:
(JSC::B3::Procedure::freeUnneededB3ValuesAfterLowering):
* b3/B3Procedure.h:
(JSC::B3::Procedure::releasePCToOriginMap):
(JSC::B3::Procedure::setNeedsPCToOriginMap):
(JSC::B3::Procedure::needsPCToOriginMap):
* b3/B3SparseCollection.h:
(JSC::B3::SparseCollection::clearAll):
(JSC::B3::SparseCollection::filterAndTransfer):
* b3/air/AirCode.cpp:
(JSC::B3::Air::Code::Code):
* b3/air/AirCode.h:
(JSC::B3::Air::Code::shouldPreserveB3Origins const):
* b3/air/AirGenerate.cpp:
(JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLState.cpp:
(JSC::FTL::State::State):
2021-06-11 Patrick Angle <pangle@apple.com>
Web Inspector: Add instrumentation to node destruction for InspectorDOMAgent
https://bugs.webkit.org/show_bug.cgi?id=226624
Reviewed by Devin Rousso.
Add new `DOM.willDestroyDOMNode` event to inform the frontend of DOM nodes that no longer exist, even if they
weren't in the DOM tree. This work serves as a prelude to <https://webkit.org/b/189687> (Web Inspector: preserve
DOM.NodeId if a node is removed and re-added) to eventually only forget about nodes upon destruction, instead of
removal from the DOM tree.
* inspector/protocol/DOM.json:
2021-06-11 Yijia Huang <yijia_huang@apple.com>
Air ARM64 sub32 opcode should indicate that it zero-extends its result
https://bugs.webkit.org/show_bug.cgi?id=226849
Reviewed by Saam Barati.
Sub32 was previously not saying that its result is zero defined. However,
sub32 on arm64 architectures zero defines its result, so the top 32 bits
are zeroed. The issue with this is what we were not eliding provably
redundant zero extend operations.
For example:
// B3 IR
@0 = Trunc(ArgumentReg(0))
@1 = Trunc(ArgumentReg(1))
@2 = Sub(@0, @1)
@3 = ZExt32(@2) // i64
@4 = Return(@3) or Store(@3, @x)
// Old optimized Air IR
Sub32 %x0, %x1, %x0, b@2
Move32 %x0, %x0, b@3
Ret64 %x0, b@4 or Move %x0, (%x), b@4
To remove that redundant zero extend instruction (Move32), Air arm64
sub32 opcode should indicate that it zero-extends its result.
// New optimized Air IR
Sub32 %x0, %x1, %x0, b@2
Ret64 %x0, b@6 or Move %x0, (%x), b@4
* b3/air/AirOpcode.opcodes:
2021-06-10 Keith Miller <keith_miller@apple.com>
Shouldn't drain the micro task queue when calling out to ObjC
https://bugs.webkit.org/show_bug.cgi?id=161942
Reviewed by Saam Barati.
It looks like the issue is that we aren't checking for the
presence of dropped locks when deciding to drain microtasks during
JSLock::unlock. This meant that when we drop all locks when
calling out to API clients we would drain our microtasks at that
point. An alternative would be to pass an extra parameter to the
unlock function that says not to drain microtasks. I chose not to
do that since it seemed a bit less robust.
This patch is very likely to break existing API users. So I'm adding
a linked on or after check to protect existing Apps.
Lastly, change our Poker Bros check to use applicationSDKVersion too
so others trying to add a linked on or after check don't use
the dyld function directly too.
* API/tests/testapi.cpp:
(TestAPI::promiseDrainDoesNotEatExceptions):
(testCAPIViaCpp):
* API/tests/testapi.mm:
(testMicrotaskWithFunction):
(testObjectiveCAPI):
* runtime/JSLock.cpp:
(JSC::JSLock::willReleaseLock):
* runtime/ObjectPrototype.cpp:
(JSC::isPokerBros):
* runtime/VM.cpp:
(JSC::VM::didExhaustMicrotaskQueue):
2021-06-10 Mark Lam <mark.lam@apple.com>
Another speculative build fix for Win32.
https://bugs.webkit.org/show_bug.cgi?id=226880
rdar://79124858
Reviewed by Keith Miller.
We're getting reports of "warning C4206: nonstandard extension used: translation
unit is empty" turning into a build error on Win32 ports. By design, we rely on
#define flags to make some translation units empty. Hence, we don't want this
warning to turn into an error.
* config.h:
2021-06-10 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Remove useDataICInOptimizingJIT option
https://bugs.webkit.org/show_bug.cgi?id=226862
Reviewed by Mark Lam.
Originally this option is added to fix performance problem when using DataIC in DFG / FTL.
But it turned out that that performance regression was caused due to disablement of InlineAccess when
using DataIC. With the configuration using DataIC and InlineAccess, we do not observe performance regression.
So, let's just drop this option.
* jit/JITCode.h:
(JSC::JITCode::useDataIC):
* runtime/Options.cpp:
(JSC::Options::recomputeDependentOptions):
* runtime/OptionsList.h:
2021-06-10 Adrian Perez de Castro <aperez@igalia.com>
Non-unified build fixes, early May 2021 edition
https://bugs.webkit.org/show_bug.cgi?id=226763
Unreviewed non-unified build fixes.
* bytecode/InlineAccess.h: Add missing forward declaration for the CodeBlock type.
* jit/JITInlineCacheGenerator.cpp: Add missing CCallHelpers.h header.
* runtime/Intrinsic.h: Add missing <optional> header.
* yarr/YarrUnicodeProperties.h: Ditto.
2021-06-10 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Ignore Intl.NumberFormat feature options when linked-ICU is old
https://bugs.webkit.org/show_bug.cgi?id=226861
rdar://77393100
Reviewed by Ross Kirsling.
Let's just ignore the option when Intl.NumberFormat features cannot be implemented since the linked ICU is old.
There is no way not to expose these features since Intl.NumberFormat's these changes are additional ones and Intl.NumberFormat existed before.
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat):
2021-06-09 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Rename *ByIdVariant to *ByVariant and *ByKind::Normal to *ByKind::ById
https://bugs.webkit.org/show_bug.cgi?id=226750
Reviewed by Yusuke Suzuki.
Cleanup patch following r278445.
1. {Get, Delete, In}ByStatus (but not `Put`) have had `Id` removed from their names; likewise, remove `Id`
from the names of {Get, Delete, In}ByIdVariant. These are used *before* ByVal has been converted to ById.
2. The {Get, Del, In}ByKind enum classes shouldn't really call ById `Normal` -- let's say `ById` explicitly.
3. Bonus: In DFGBytecodeParser, move some *Status::computeFor calls inside the conditional that uses them.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/DeleteByStatus.cpp:
(JSC::DeleteByStatus::appendVariant):
(JSC::DeleteByStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::DeleteByStatus::visitAggregateImpl):
(JSC::DeleteByStatus::markIfCheap):
* bytecode/DeleteByStatus.h:
* bytecode/DeleteByVariant.cpp: Renamed from Source/JavaScriptCore/bytecode/DeleteByIdVariant.cpp.
(JSC::DeleteByVariant::DeleteByVariant):
(JSC::DeleteByVariant::~DeleteByVariant):
(JSC::DeleteByVariant::operator=):
(JSC::DeleteByVariant::attemptToMerge):
(JSC::DeleteByVariant::writesStructures const):
(JSC::DeleteByVariant::visitAggregateImpl):
(JSC::DeleteByVariant::markIfCheap):
(JSC::DeleteByVariant::dump const):
(JSC::DeleteByVariant::finalize):
(JSC::DeleteByVariant::dumpInContext const):
* bytecode/DeleteByVariant.h: Renamed from Source/JavaScriptCore/bytecode/DeleteByIdVariant.h.
(JSC::DeleteByVariant::overlaps):
* bytecode/GetByStatus.cpp:
(JSC::GetByStatus::appendVariant):
(JSC::GetByStatus::computeFromLLInt):
(JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::GetByStatus::computeFor):
(JSC::GetByStatus::merge):
(JSC::GetByStatus::visitAggregateImpl):
(JSC::GetByStatus::markIfCheap):
(JSC::GetByStatus::finalize):
* bytecode/GetByStatus.h:
* bytecode/GetByVariant.cpp: Renamed from Source/JavaScriptCore/bytecode/GetByIdVariant.cpp.
(JSC::GetByVariant::GetByVariant):
(JSC::GetByVariant::~GetByVariant):
(JSC::GetByVariant::operator=):
(JSC::GetByVariant::canMergeIntrinsicStructures const):
(JSC::GetByVariant::attemptToMerge):
(JSC::GetByVariant::visitAggregateImpl):
(JSC::GetByVariant::markIfCheap):
(JSC::GetByVariant::finalize):
(JSC::GetByVariant::dump const):
(JSC::GetByVariant::dumpInContext const):
* bytecode/GetByVariant.h: Renamed from Source/JavaScriptCore/bytecode/GetByIdVariant.h.
(JSC::GetByVariant::overlaps):
* bytecode/InByStatus.cpp:
(JSC::InByStatus::appendVariant):
(JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::InByStatus::merge):
(JSC::InByStatus::markIfCheap):
(JSC::InByStatus::finalize):
* bytecode/InByStatus.h:
* bytecode/InByVariant.cpp: Renamed from Source/JavaScriptCore/bytecode/InByIdVariant.cpp.
(JSC::InByVariant::InByVariant):
(JSC::InByVariant::attemptToMerge):
(JSC::InByVariant::markIfCheap):
(JSC::InByVariant::finalize):
(JSC::InByVariant::dump const):
(JSC::InByVariant::dumpInContext const):
* bytecode/InByVariant.h: Renamed from Source/JavaScriptCore/bytecode/InByIdVariant.h.
(JSC::InByVariant::overlaps):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::reset):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
(JSC::DFG::ByteCodeParser::handleDOMJITGetter):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handleGetPrivateNameById):
(JSC::DFG::ByteCodeParser::handleDeleteById):
(JSC::DFG::ByteCodeParser::handleInById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::emitDeleteByOffset):
* dfg/DFGNode.h:
* dfg/DFGValidate.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
(JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
(JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileMultiDeleteByOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/Repatch.cpp:
(JSC::appropriateOptimizingGetByFunction):
(JSC::appropriateGetByFunction):
(JSC::tryCacheGetBy):
(JSC::repatchDeleteBy):
(JSC::tryCacheInBy):
(JSC::repatchInBy):
(JSC::resetGetBy):
(JSC::resetDelBy):
(JSC::resetInBy):
* jit/Repatch.h:
2021-06-09 Fujii Hironori <Hironori.Fujii@sony.com>
clang-cl: JIT.h(966,67): error: no viable conversion from 'JSC::AbstractMacroAssembler<JSC::X86Assembler>::Address' to 'FunctionPtr<CFunctionPtrTag>'
https://bugs.webkit.org/show_bug.cgi?id=226850
Reviewed by Yusuke Suzuki.
WinCairo clang-cl builds got broken since r278656 (Bug 226072).
* jit/JIT.h: Use the common callOperation(Address, Args...) for
x64 Windows. Added static_assert to check the return type.
2021-06-09 Mark Lam <mark.lam@apple.com>
Speculative build fix for Win32.
https://bugs.webkit.org/show_bug.cgi?id=226793
rdar://79032803
Reviewed by Saam Barati.
* API/JSCallbackObject.h:
2021-06-09 Xan Lopez <xan@igalia.com>
[JSC] Fix incorrect register reuse in 32bit after r278568
https://bugs.webkit.org/show_bug.cgi?id=226817
Reviewed by Caio Araujo Neponoceno de Lima.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNotDoubleNeitherDoubleNorHeapBigIntNorStringStrictEquality):
The JSVALUE32_64 branch potentially needs both the tag and payload
registers for both left/right nodes, so we cannot reuse any of
them for the result since the first thing the code does is set it
zero. Just remove the Reuse construction.
2021-06-09 Mikhail R. Gadelha <mikhail@igalia.com>
Fix inadvertent tag corruption in functionAddressOf
https://bugs.webkit.org/show_bug.cgi?id=226503
Reviewed by Darin Adler.
Original patch by Angelos Oikonomopoulos.
The cast was sign-extending the JSValue address in 32 bits, so that addresses
that had the most significant set gave us a sign-extended result in
asNumber which was then converted to an invalid NaN by the bitcast.
Instead, cast the address to uintptr_t, and the result will be promoted
uint64_t without sign-extending the address.
* jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
2021-06-08 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use DataIC for AccessCase
https://bugs.webkit.org/show_bug.cgi?id=226072
Reviewed by Saam Barati and Filip Pizlo.
This patch adds non-repatching IC for Baseline JIT in ARM64.
This does not work in non-ARM64 architectures (including X64) due to the use of link-register.
1. We add non-repatching IC, which is enabled only in Baseline due to performance reason. We are using the
existing IC in DFG and FTL. Non-repatching includes fast-path, and slow-path's operation function.
2. We still keep InlineAccess in all tiers. Removing that causes 0.3 ~ 1.0% regression in Speedometer2. This
means that we still need some repatching when we first introduce stubs.
3. We add a mechanism to share generated code stubs in non-repatching IC. Currently, getter / setter / custom
accessors are excluded since their code relies on JSGlobalObject, CodeBlock etc. which are not included in
AccessCase's data structure.
4. This patch still relies on that CodeBlock will be destroyed synchronously since we need to ensure that sharing-hash-table
does not include already-dead JIT code stubs. We can fix it (e.g. annotating epoch to these stubs, bump them in
finalizeUnconditionally), but we avoid doing that to prevent from further enlarging this patch. This patch is already
significant in its size.
5. Added callOperation(Address) support in CCallHelpers, which can save the target in nonArgGPR0, and call it so that we can use
Address including GPR which is also used for arguments.
Performance is neutral in JetStream2 and Speedometer2. But it offers the way to remove some code generation in Baseline.
* assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::call):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::create):
(JSC::AccessCase::createTransition):
(JSC::AccessCase::createDelete):
(JSC::AccessCase::createCheckPrivateBrand):
(JSC::AccessCase::createSetPrivateBrand):
(JSC::AccessCase::fromStructureStubInfo):
(JSC::AccessCase::clone const):
(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):
(JSC::AccessCase::canBeShared):
* bytecode/AccessCase.h:
(JSC::AccessCase::hash const):
(JSC::AccessCase::AccessCase):
(JSC::SharedJITStubSet::Hash::Key::Key):
(JSC::SharedJITStubSet::Hash::Key::isHashTableDeletedValue const):
(JSC::SharedJITStubSet::Hash::Key::operator==):
(JSC::SharedJITStubSet::Hash::hash):
(JSC::SharedJITStubSet::Hash::equal):
(JSC::SharedJITStubSet::Searcher::Translator::hash):
(JSC::SharedJITStubSet::Searcher::Translator::equal):
(JSC::SharedJITStubSet::PointerTranslator::hash):
(JSC::SharedJITStubSet::PointerTranslator::equal):
(JSC::SharedJITStubSet::add):
(JSC::SharedJITStubSet::remove):
(JSC::SharedJITStubSet::find):
* bytecode/ByValInfo.h:
(JSC::ByValInfo::setUp):
(JSC::ByValInfo::offsetOfSlowOperation):
(JSC::ByValInfo::offsetOfNotIndexJumpTarget):
(JSC::ByValInfo::offsetOfBadTypeJumpTarget):
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::initializeDirectCall):
(JSC::CallLinkInfo::setDirectCallTarget):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::useDataIC const):
* bytecode/GetterSetterAccessCase.cpp:
(JSC::GetterSetterAccessCase::create):
(JSC::GetterSetterAccessCase::clone const):
(JSC::GetterSetterAccessCase::emitDOMJITGetter):
* bytecode/GetterSetterAccessCase.h:
* bytecode/InlineAccess.cpp:
(JSC::getScratchRegister):
(JSC::InlineAccess::rewireStubAsJumpInAccessNotUsingInlineAccess):
(JSC::InlineAccess::rewireStubAsJumpInAccess):
(JSC::InlineAccess::resetStubAsJumpInAccess):
(JSC::InlineAccess::resetStubAsJumpInAccessNotUsingInlineAccess):
(JSC::InlineAccess::rewireStubAsJump): Deleted.
* bytecode/InlineAccess.h:
* bytecode/InstanceOfAccessCase.cpp:
(JSC::InstanceOfAccessCase::create):
(JSC::InstanceOfAccessCase::clone const):
* bytecode/InstanceOfAccessCase.h:
* bytecode/IntrinsicGetterAccessCase.cpp:
(JSC::IntrinsicGetterAccessCase::create):
(JSC::IntrinsicGetterAccessCase::clone const):
* bytecode/IntrinsicGetterAccessCase.h:
* bytecode/ModuleNamespaceAccessCase.cpp:
(JSC::ModuleNamespaceAccessCase::create):
(JSC::ModuleNamespaceAccessCase::clone const):
* bytecode/ModuleNamespaceAccessCase.h:
* bytecode/ObjectPropertyConditionSet.h:
(JSC::ObjectPropertyConditionSet::hash const):
(JSC::ObjectPropertyConditionSet::operator==):
(JSC::ObjectPropertyConditionSet::operator!=):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::installWatchpoint):
(JSC::AccessGenerationState::succeed):
(JSC::AccessGenerationState::preserveLiveRegistersToStackForCallWithoutExceptions):
(JSC::PolymorphicAccess::addCases):
(JSC::PolymorphicAccess::addCase):
(JSC::PolymorphicAccess::visitWeak const):
(JSC::PolymorphicAccess::regenerate):
* bytecode/PolymorphicAccess.h:
(JSC::AccessGenerationState::AccessGenerationState):
(JSC::AccessGenerationState::preserveLiveRegistersToStackForCallWithoutExceptions):
* bytecode/ProxyableAccessCase.cpp:
(JSC::ProxyableAccessCase::create):
(JSC::ProxyableAccessCase::clone const):
* bytecode/ProxyableAccessCase.h:
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::StructureStubInfo):
(JSC::StructureStubInfo::addAccessCase):
(JSC::StructureStubInfo::reset):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::offsetOfCodePtr):
(JSC::StructureStubInfo::offsetOfSlowPathStartLocation):
(JSC::StructureStubInfo::offsetOfSlowOperation):
(JSC::StructureStubInfo::patchableJump): Deleted.
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::appendCall):
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::slowPathICCall):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetById):
(JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
(JSC::DFG::SpeculativeJIT::compileDeleteById):
(JSC::DFG::SpeculativeJIT::compileDeleteByVal):
(JSC::DFG::SpeculativeJIT::compileInById):
(JSC::DFG::SpeculativeJIT::compileInByVal):
(JSC::DFG::SpeculativeJIT::compileGetPrivateNameByVal):
(JSC::DFG::SpeculativeJIT::compileGetPrivateNameById):
(JSC::DFG::SpeculativeJIT::compilePutPrivateNameById):
(JSC::DFG::SpeculativeJIT::compileCheckPrivateBrand):
(JSC::DFG::SpeculativeJIT::compileSetPrivateBrand):
(JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
(JSC::DFG::SpeculativeJIT::compileInstanceOf):
(JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
(JSC::DFG::SpeculativeJIT::compilePutById):
(JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
(JSC::DFG::SpeculativeJIT::cachedPutById):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::appendCall):
(JSC::DFG::SpeculativeJIT::appendCallSetResult):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::getPrivateName):
(JSC::FTL::DFG::LowerDFGToB3::compilePrivateBrandAccess):
(JSC::FTL::DFG::LowerDFGToB3::cachedPutById):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* ftl/FTLSlowPathCall.cpp:
(JSC::FTL::SlowPathCallContext::SlowPathCallContext):
(JSC::FTL::SlowPathCallContext::keyWithTarget const):
(JSC::FTL::SlowPathCallContext::makeCall):
* ftl/FTLSlowPathCall.h:
(JSC::FTL::callOperation):
* ftl/FTLSlowPathCallKey.cpp:
(JSC::FTL::SlowPathCallKey::dump const):
* ftl/FTLSlowPathCallKey.h:
(JSC::FTL::SlowPathCallKey::SlowPathCallKey):
(JSC::FTL::SlowPathCallKey::indirectOffset const):
(JSC::FTL::SlowPathCallKey::withCallTarget):
(JSC::FTL::SlowPathCallKey::operator== const):
(JSC::FTL::SlowPathCallKey::hash const):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitVirtualCall):
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::emitJITCodeOver):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::ArgCollection::ArgCollection):
(JSC::CCallHelpers::ArgCollection::pushRegArg):
(JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
(JSC::CCallHelpers::ArgCollection::pushNonArg):
(JSC::CCallHelpers::ArgCollection::addGPRArg):
(JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
(JSC::CCallHelpers::ArgCollection::addStackArg):
(JSC::CCallHelpers::ArgCollection::addPoke):
(JSC::CCallHelpers::calculatePokeOffset):
(JSC::CCallHelpers::pokeForArgument):
(JSC::CCallHelpers::stackAligned):
(JSC::CCallHelpers::marshallArgumentRegister):
(JSC::CCallHelpers::setupArgumentsImpl):
(JSC::CCallHelpers::pokeArgumentsAligned):
(JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
(JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
(JSC::CCallHelpers::setupArgumentsEntryImpl):
(JSC::CCallHelpers::setupArguments):
(JSC::CCallHelpers::setupArgumentsForIndirectCall):
* jit/GCAwareJITStubRoutine.cpp:
(JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
(JSC::GCAwareJITStubRoutine::makeGCAware):
(JSC::GCAwareJITStubRoutine::observeZeroRefCount):
(JSC::PolymorphicAccessJITStubRoutine::PolymorphicAccessJITStubRoutine):
(JSC::PolymorphicAccessJITStubRoutine::observeZeroRefCount):
(JSC::PolymorphicAccessJITStubRoutine::computeHash):
(JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
(JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
(JSC::createICJITStubRoutine):
(JSC::createJITStubRoutine): Deleted.
* jit/GCAwareJITStubRoutine.h:
(JSC::GCAwareJITStubRoutine::create):
(JSC::PolymorphicAccessJITStubRoutine::cases const):
(JSC::PolymorphicAccessJITStubRoutine::weakStructures const):
(JSC::PolymorphicAccessJITStubRoutine::hash const):
* jit/GPRInfo.h:
* jit/JIT.cpp:
(JSC::JIT::link):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::emit_op_iterator_open):
(JSC::JIT::emitSlow_op_iterator_open):
(JSC::JIT::emit_op_iterator_next):
(JSC::JIT::emitSlow_op_iterator_next):
* jit/JITCall32_64.cpp:
(JSC::JIT::emit_op_iterator_open):
(JSC::JIT::emit_op_iterator_next):
* jit/JITCode.h:
(JSC::JITCode::useDataIC):
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
(JSC::JITInlineCacheGenerator::finalize):
(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITByIdGenerator::finalize):
(JSC::JITByIdGenerator::generateFastCommon):
(JSC::JITGetByIdGenerator::JITGetByIdGenerator):
(JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
(JSC::JITPutByIdGenerator::JITPutByIdGenerator):
(JSC::JITDelByValGenerator::JITDelByValGenerator):
(JSC::JITDelByValGenerator::generateFastPath):
(JSC::JITDelByValGenerator::finalize):
(JSC::JITDelByIdGenerator::JITDelByIdGenerator):
(JSC::JITDelByIdGenerator::generateFastPath):
(JSC::JITDelByIdGenerator::finalize):
(JSC::JITInByValGenerator::JITInByValGenerator):
(JSC::JITInByValGenerator::generateFastPath):
(JSC::JITInByValGenerator::finalize):
(JSC::JITInByIdGenerator::JITInByIdGenerator):
(JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
(JSC::JITInstanceOfGenerator::generateFastPath):
(JSC::JITInstanceOfGenerator::finalize):
(JSC::JITGetByValGenerator::JITGetByValGenerator):
(JSC::JITGetByValGenerator::generateFastPath):
(JSC::JITGetByValGenerator::finalize):
(JSC::JITPrivateBrandAccessGenerator::JITPrivateBrandAccessGenerator):
(JSC::JITPrivateBrandAccessGenerator::generateFastPath):
(JSC::JITPrivateBrandAccessGenerator::finalize):
* jit/JITInlineCacheGenerator.h:
(JSC::JITGetByIdGenerator::JITGetByIdGenerator): Deleted.
(JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator): Deleted.
(JSC::JITPutByIdGenerator::JITPutByIdGenerator): Deleted.
(JSC::JITDelByValGenerator::JITDelByValGenerator): Deleted.
(JSC::JITDelByValGenerator::slowPathJump const): Deleted.
(JSC::JITDelByIdGenerator::JITDelByIdGenerator): Deleted.
(JSC::JITDelByIdGenerator::slowPathJump const): Deleted.
(JSC::JITInByIdGenerator::JITInByIdGenerator): Deleted.
(JSC::JITInstanceOfGenerator::JITInstanceOfGenerator): Deleted.
(JSC::JITGetByValGenerator::JITGetByValGenerator): Deleted.
(JSC::JITGetByValGenerator::slowPathJump const): Deleted.
(JSC::JITPrivateBrandAccessGenerator::JITPrivateBrandAccessGenerator): Deleted.
(JSC::JITPrivateBrandAccessGenerator::slowPathJump const): Deleted.
* jit/JITInlines.h:
(JSC::JIT::emitLoadForArrayMode):
(JSC::JIT::appendCallWithExceptionCheck):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emit_op_has_enumerable_indexed_property):
(JSC::JIT::emitSlow_op_has_enumerable_indexed_property):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emit_op_has_enumerable_indexed_property):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::slow_op_get_by_val_prepareCallGenerator):
(JSC::JIT::emit_op_get_private_name):
(JSC::JIT::emitSlow_op_get_private_name):
(JSC::JIT::slow_op_get_private_name_prepareCallGenerator):
(JSC::JIT::emit_op_set_private_brand):
(JSC::JIT::emitSlow_op_set_private_brand):
(JSC::JIT::emit_op_check_private_brand):
(JSC::JIT::emitSlow_op_check_private_brand):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emitPutByValWithCachedId):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::slow_op_put_by_val_prepareCallGenerator):
(JSC::JIT::emit_op_put_private_name):
(JSC::JIT::emitSlow_op_put_private_name):
(JSC::JIT::slow_op_put_private_name_prepareCallGenerator):
(JSC::JIT::emit_op_del_by_id):
(JSC::JIT::emitSlow_op_del_by_id):
(JSC::JIT::slow_op_del_by_id_prepareCallGenerator):
(JSC::JIT::emit_op_del_by_val):
(JSC::JIT::emitSlow_op_del_by_val):
(JSC::JIT::slow_op_del_by_val_prepareCallGenerator):
(JSC::JIT::emit_op_try_get_by_id):
(JSC::JIT::emitSlow_op_try_get_by_id):
(JSC::JIT::emit_op_get_by_id_direct):
(JSC::JIT::emitSlow_op_get_by_id_direct):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_get_by_id_with_this):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::slow_op_get_by_id_prepareCallGenerator):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::slow_op_get_by_id_with_this_prepareCallGenerator):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::slow_op_put_by_id_prepareCallGenerator):
(JSC::JIT::emit_op_in_by_id):
(JSC::JIT::emitSlow_op_in_by_id):
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitSlow_op_in_by_val):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutPrivateNameWithCachedId):
(JSC::JIT::privateCompilePutByValWithCachedId):
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_del_by_id):
(JSC::JIT::emit_op_del_by_val):
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emit_op_get_private_name):
(JSC::JIT::emit_op_set_private_brand):
(JSC::JIT::emit_op_check_private_brand):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_try_get_by_id):
(JSC::JIT::emit_op_get_by_id_direct):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_get_by_id_with_this):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emit_op_in_by_id):
(JSC::JIT::emit_op_in_by_val):
* jit/JITStubRoutine.h:
* jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
* jit/Repatch.cpp:
(JSC::readPutICCallTarget):
(JSC::repatchSlowPathCall):
(JSC::tryCacheGetBy):
(JSC::repatchGetBy):
(JSC::tryCacheArrayGetByVal):
(JSC::repatchArrayGetByVal):
(JSC::tryCachePutByID):
(JSC::repatchPutByID):
(JSC::tryCacheDeleteBy):
(JSC::repatchDeleteBy):
(JSC::tryCacheInBy):
(JSC::repatchInBy):
(JSC::tryCacheCheckPrivateBrand):
(JSC::repatchCheckPrivateBrand):
(JSC::tryCacheSetPrivateBrand):
(JSC::repatchSetPrivateBrand):
(JSC::tryCacheInstanceOf):
(JSC::repatchInstanceOf):
(JSC::linkSlowFor):
(JSC::linkVirtualFor):
(JSC::resetGetBy):
(JSC::resetPutByID):
(JSC::resetDelBy):
(JSC::resetInBy):
(JSC::resetInstanceOf):
(JSC::resetCheckPrivateBrand):
(JSC::resetSetPrivateBrand):
(JSC::resetPatchableJump): Deleted.
* jit/Repatch.h:
* runtime/Options.cpp:
(JSC::Options::recomputeDependentOptions):
* runtime/OptionsList.h:
* runtime/StructureIDTable.h:
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::~VM):
* runtime/VM.h:
2021-06-08 Robin Morisset <rmorisset@apple.com>
Fix speculated type in speculateNeitherDoubleNorHeapBigIntNorString
https://bugs.webkit.org/show_bug.cgi?id=226786
Reviewed by Mark Lam.
I had forgotten the HeapBigInt part.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString):
2021-06-06 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use ResolvedClosureVar to get brand from scope
https://bugs.webkit.org/show_bug.cgi?id=226677
rdar://78802869
Reviewed by Saam Barati.
Private brand lookup is doing wrong way to get scope.
1. op_resolve_scope with private name (e.g. #x)
2. then, doing op_get_from_scope with (1)'s scope with different name (e.g. @privateBrand)
This is wrong in JSC. We resolve scope at link-time in CodeBlock. So we need to ensure that both op_resolve_scope and op_get_from_scope
starts with the current scope-register. As a result, private-brand lookup is broken right now. Let's see the buggy case.
class D {
#x() {}
m() {
class C {
#yy;
#z() { }
a() {
this.#x(); // <===== This point.
}
}
let c = new C();
c.a();
}
}
In the above point, we first lookup the scope with #x, and we get the D's class-scope. But our get_from_scope is using privateBrand, and
privateBrand property exists too in C's class-scope too since C also has #yy and #z. As a result, CodeBlock linking configures the offset for
C's class-scope in get_from_scope. And this offset is different from D's class-scope's privateBrand.
Only allowed case for the above usage is ResolvedClosureVar. And generatorification uses it too. In this patch,
1. We ensure that class-scope (with private name) must have @privateBrand and @privateClassBrand with offset 1 and 0.
2. Use ResolvedClosureVar with the above pre-defined offset
Since CodeBlock's linking does not resolve the scope for get_from_scope if it is ResolvedClosureVar, we can just perform the desired ResolvedClosureVar lookup
with the given scope with the compiled offset.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::instantiateLexicalVariables):
(JSC::BytecodeGenerator::pushLexicalScope):
(JSC::BytecodeGenerator::pushLexicalScopeInternal):
(JSC::BytecodeGenerator::emitCreatePrivateBrand):
(JSC::BytecodeGenerator::emitGetPrivateBrand):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::BaseDotNode::emitGetPropertyValue):
(JSC::BaseDotNode::emitPutProperty):
(JSC::PostfixNode::emitDot):
(JSC::PrefixNode::emitDot):
(JSC::InNode::emitBytecode):
(JSC::BlockNode::emitBytecode):
(JSC::ForNode::emitBytecode):
(JSC::ForInNode::emitBytecode):
(JSC::ForOfNode::emitBytecode):
(JSC::SwitchNode::emitBytecode):
(JSC::ClassExprNode::emitBytecode):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseClass):
* parser/VariableEnvironment.h:
2021-06-07 Alexey Shvayka <shvaikalesh@gmail.com>
Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy
https://bugs.webkit.org/show_bug.cgi?id=226185
The API test added in r278366 revealed a flaw in JSObject::definePropertyOnReceiver()
that caused putDirectInternal() to be performed on a JSProxy instead of it's target.
Remedies that via a type check, ensuring the test and iOS apps are functional.
The issue was originally missed because the prototype chain of a global object is immutable
and none of the global object's prototypes override put(). OpaqueJSClass::prototype() sets
the [[Prototype]] directly, ignoring the IsImmutablePrototypeExoticObject type info flag.
Also, excludes an invariant from the original patch that required put() to be overriden
when implementing custom [[DefineOwnProperty]]. It is now broken by WindowProperties object.
* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::put):
* API/tests/testapiScripts/testapi.js:
* debugger/DebuggerScope.h:
* runtime/ClassInfo.h:
* runtime/ClonedArguments.h:
* runtime/CustomGetterSetter.cpp:
(JSC::callCustomSetter): Deleted.
* runtime/CustomGetterSetter.h:
* runtime/ErrorConstructor.h:
* runtime/ErrorInstance.h:
* runtime/GenericArguments.h:
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::put):
* runtime/GetterSetter.h:
* runtime/JSArray.cpp:
(JSC::JSArray::put):
* runtime/JSArray.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::put): Deleted.
* runtime/JSArrayBufferView.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSCell.cpp:
(JSC::JSCell::doPutPropertySecurityCheck): Deleted.
* runtime/JSCell.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
* runtime/JSFunction.h:
* runtime/JSGenericTypedArrayView.h:
* runtime/JSGlobalLexicalEnvironment.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::put):
* runtime/JSGlobalObject.h:
* runtime/JSLexicalEnvironment.h:
* runtime/JSModuleEnvironment.h:
* runtime/JSModuleNamespaceObject.h:
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::putInlineSlow):
(JSC::definePropertyOnReceiverSlow):
(JSC::JSObject::definePropertyOnReceiver):
(JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded):
(JSC::JSObject::doPutPropertySecurityCheck): Deleted.
(JSC::JSObject::prototypeChainMayInterceptStoreTo): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::putByIndexInline):
(JSC::JSObject::hasNonReifiedStaticProperties):
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::putDirect):
(JSC::JSObject::doPutPropertySecurityCheck): Deleted.
* runtime/JSObjectInlines.h:
(JSC::JSObject::canPerformFastPutInlineExcludingProto):
(JSC::JSObject::putInlineForJSObject):
(JSC::JSObject::putInlineFast):
(JSC::JSObject::putDirectInternal):
* runtime/JSProxy.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::hasStaticPropertyTable const):
(JSC::TypeInfo::overridesPut const):
(JSC::TypeInfo::getOwnPropertySlotMayBeWrongAboutDontEnum const):
(JSC::TypeInfo::hasPutPropertySecurityCheck const): Deleted.
* runtime/Lookup.h:
(JSC::putEntry): Deleted.
(JSC::lookupPut): Deleted.
* runtime/PropertySlot.h:
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::put):
* runtime/ProxyObject.h:
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::context const):
(JSC::PutPropertySlot::isTaintedByOpaqueObject const):
(JSC::PutPropertySlot::setIsTaintedByOpaqueObject):
* runtime/ReflectObject.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::put):
* runtime/RegExpObject.h:
* runtime/StringObject.cpp:
(JSC::StringObject::put):
* runtime/StringObject.h:
* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):
(JSC::StringPrototype::create):
* runtime/StringPrototype.h:
* runtime/Structure.cpp:
(JSC::Structure::validateFlags):
* runtime/Structure.h:
(JSC::Structure::hasNonReifiedStaticProperties const):
* tools/JSDollarVM.cpp:
2021-06-07 Alexey Shvayka <shvaikalesh@gmail.com>
Introduce LexicalScopeFeatures to enable future bytecode optimizations
https://bugs.webkit.org/show_bug.cgi?id=224072
Reviewed by Keith Miller.
Before this patch, BytecodeGenerator was capable of reasoning about the presence of `with`
statements, direct `eval`, or any other code features only within the current executable:
```
with (foo) {
(function() {
// There was no way to detect WithScope during generation of this function.
})();
}
```
This change is required for op_to_this rewrite (#225397): if FunctionCallResolveNode and
friends knew there is no WithScope, op_call could be emitted with |this| value of
`undefined` as per spec [1], instead of resolved scope. This would:
- simplify op_to_this on all tiers, likely resulting in minor perf boost;
- save 1 instruction per strict function by removing op_to_this;
- remove toThis() from the method table and ~30 its call sites from built-ins;
- fix built-in methods that were observably lacking toThis();
- fix __proto__ getter / setter called on global scope;
- fix WebIDL accessors called with |this| value of `undefined` and `null`.
Also, if ResolveNode knew that unforgeable global properties are not shadowed and there
is no `with` statement or sloppy mode direct `eval`, then `undefined` / `Infinity` / `NaN`
lookups could be constant-folded. This would save up to 3 bytecode ops per each usage
and allow emitting op_is_undefined_or_null for `x === undefined || x === null`.
V8 performs this optimization [2].
This patch introduces LexicalScopeFeatures to allow passing such information from Parser
to BytecodeGenerator with a minimal code diff. These features are kept separate from
CodeFeature to simplify reasoning about feature's scope and because we need to propagate
lexical features from parent to child scope.
Strict mode is the first use case of LexicalScopeFeatures, which this change carefully
fits into existing abstractions without increasing their memory usage even by 1 byte.
[1]: https://tc39.es/ecma262/#sec-evaluatecall (step 2)
[2]: https://medium.com/@bmeurer/sometimes-undefined-is-defined-7701e1c9eff8
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createExecutable):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::recordParse):
(JSC::UnlinkedCodeBlock::lexicalScopeFeatures const):
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::generateUnlinkedFunctionCodeBlock):
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
(JSC::UnlinkedFunctionExecutable::setInvalidTypeProfilingOffsets):
* bytecode/UnlinkedFunctionExecutable.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitNewClassFieldInitializerFunction):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::lexicalScopeFeatures const):
(JSC::BytecodeGenerator::generate):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createFunctionMetadata):
* parser/Nodes.cpp:
(JSC::ScopeNode::ScopeNode):
(JSC::ProgramNode::ProgramNode):
(JSC::ModuleProgramNode::ModuleProgramNode):
(JSC::EvalNode::EvalNode):
(JSC::FunctionMetadataNode::FunctionMetadataNode):
(JSC::FunctionMetadataNode::operator== const):
(JSC::FunctionMetadataNode::dump const):
(JSC::FunctionNode::FunctionNode):
* parser/Nodes.h:
(JSC::ScopeNode::lexicalScopeFeatures):
(JSC::ScopeNode::isStrictMode const):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
(JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
(JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
(JSC::Parser<LexerType>::parseFunctionBody):
(JSC::Parser<LexerType>::parseFunctionInfo):
* parser/Parser.h:
(JSC::Scope::Scope):
(JSC::Scope::lexicalScopeFeatures const):
(JSC::Scope::setStrictMode):
(JSC::Scope::strictMode const):
(JSC::Scope::fillParametersForSourceProviderCache):
(JSC::Scope::restoreFromSourceProviderCache):
(JSC::Parser::pushScope):
(JSC::Parser::lexicalScopeFeatures):
(JSC::Parser<LexerType>::parse):
* parser/ParserModes.h:
* parser/SourceProviderCacheItem.h:
(JSC::SourceProviderCacheItem::lexicalScopeFeatures const):
(JSC::SourceProviderCacheItem::SourceProviderCacheItem):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createFunctionMetadata):
* runtime/CachedBytecode.cpp:
(JSC::CachedBytecode::addFunctionUpdate):
* runtime/CachedTypes.cpp:
(JSC::CachedFunctionExecutable::lexicalScopeFeatures const):
(JSC::CachedCodeBlock::lexicalScopeFeatures const):
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
(JSC::CachedFunctionExecutable::encode):
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
(JSC::CachedCodeBlock<CodeBlockType>::encode):
(JSC::CachedFunctionExecutable::isInStrictContext const): Deleted.
* runtime/CachedTypes.h:
* runtime/CodeCache.cpp:
(JSC::generateUnlinkedCodeBlockImpl):
(JSC::CodeCache::getUnlinkedGlobalCodeBlock):
* runtime/ECMAMode.h:
(JSC::ECMAMode::fromBool):
* runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::FunctionExecutable):
* runtime/GlobalExecutable.h:
(JSC::GlobalExecutable::recordParse):
(JSC::GlobalExecutable::GlobalExecutable):
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::ScriptExecutable):
(JSC::ScriptExecutable::newCodeBlockFor):
(JSC::ScriptExecutable::recordParse):
* runtime/ScriptExecutable.h:
(JSC::ScriptExecutable::isInStrictContext const):
(JSC::ScriptExecutable::recordParse):
2021-06-07 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r278371 and r278463.
https://bugs.webkit.org/show_bug.cgi?id=226749
Break dumpDisassembly in JetStream2
Reverted changesets:
"We should drop B3 values while running Air"
https://bugs.webkit.org/show_bug.cgi?id=226187
https://trac.webkit.org/changeset/278371
"Drop the FTL(DFG) graph after lowering to B3"
https://bugs.webkit.org/show_bug.cgi?id=226556
https://trac.webkit.org/changeset/278463
2021-06-07 Alexey Shvayka <shvaikalesh@gmail.com>
Window should behave like a legacy platform object without indexed setter
https://bugs.webkit.org/show_bug.cgi?id=225894
Reviewed by Darin Adler.
* runtime/TypeError.h:
(JSC::typeError):
2021-06-07 Saam Barati <sbarati@apple.com>
Short circuit read modify write nodes emit byte code that uses the wrong locals
https://bugs.webkit.org/show_bug.cgi?id=226576
<rdar://problem/78810362>
Reviewed by Yusuke Suzuki.
It's never a good idea to use the wrong local :-)
This patch also adds support for dumping predecessors of basic blocks
in the bytecode dump.
* bytecode/BytecodeDumper.cpp:
(JSC::CodeBlockBytecodeDumper<Block>::dumpGraph):
* bytecompiler/NodesCodegen.cpp:
(JSC::ShortCircuitReadModifyResolveNode::emitBytecode):
(JSC::ShortCircuitReadModifyDotNode::emitBytecode):
(JSC::ShortCircuitReadModifyBracketNode::emitBytecode):
2021-06-07 Mark Lam <mark.lam@apple.com>
Put the Baseline JIT prologue and op_loop_hint code in JIT thunks.
https://bugs.webkit.org/show_bug.cgi?id=226375
Reviewed by Keith Miller and Robin Morisset.
Baseline JIT prologue code varies in behavior based on several variables. These
variables include (1) whether the prologue does any arguments value profiling,
(2) whether the prologue is for a constructor, and (3) whether the compiled
CodeBlock will have such a large frame that it is greater than the stack reserved
zone (aka red zone) which would require additional stack check logic.
The pre-existing code would generate specialized code based on these (and other
variables). In converting to using thunks for the prologue, we opt not to
convert these specializations into runtime checks. Instead, the implementation
uses 1 of 8 possible specialized thunks to reduce the need to pass arguments for
runtime checks. The only needed argument passed to the prologue thunks is the
codeBlock pointer.
There are 8 possible thunks because we specialize based on 3 variables:
1. doesProfiling
2. isConstructor
3. hasHugeFrame
2**3 yields 8 permutations of prologue thunk specializations.
Similarly, there are also 8 analogous arity fixup prologues that work similarly.
The op_loop_hint thunk only takes 1 runtime argument: the bytecode offset.
We've tried doing the loop_hint optimization check in the thunk (in order to move
both the fast and slow path into the thunk for maximum space savings). However,
this seems to have some slight negative impact on benchmark performance. We ended
up just keeping the fast path and instead have the slow path call a thunk to do
its work. This realizes the bulk of the size savings without the perf impact.
This patch also optimizes op_enter a bit more by eliminating the need to pass any
arguments to the thunk. The thunk previously took 2 arguments: localsToInit and
canBeOptimized. localsToInit is now computed in the thunk at runtime, and
canBeOptimized is used as a specialization argument to generate 2 variants of the
op_enter thunk: op_enter_canBeOptimized_Generator and op_enter_cannotBeOptimized_Generator,
thereby removing the need to pass it as a runtime argument.
LinkBuffer size results (from a single run of Speedometer2):
BaselineJIT: 93319628 (88.996532 MB) => 83851824 (79.967331 MB) 0.90x
ExtraCTIThunk: 5992 (5.851562 KB) => 6984 (6.820312 KB) 1.17x
...
Total: 197530008 (188.379295 MB) => 188459444 (179.728931 MB) 0.95x
Speedometer2 and JetStream2 results (as measured on an M1 Mac) are neutral.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::untagReturnAddressWithoutExtraValidation):
* assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::untagReturnAddress):
(JSC::MacroAssemblerARM64E::untagReturnAddressWithoutExtraValidation):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::branchAdd32):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branchAdd32):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::offsetOfNumCalleeLocals):
(JSC::CodeBlock::offsetOfNumVars):
(JSC::CodeBlock::offsetOfArgumentValueProfiles):
(JSC::CodeBlock::offsetOfShouldAlwaysBeInlined):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
(JSC::AssemblyHelpers::emitSaveCalleeSavesForBaselineJIT):
(JSC::AssemblyHelpers::emitRestoreCalleeSavesForBaselineJIT):
* jit/JIT.cpp:
(JSC::JIT::compileAndLinkWithoutFinalizing):
(JSC::JIT::prologueGenerator):
(JSC::JIT::arityFixupPrologueGenerator):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::emitNakedNearCall):
* jit/JITOpcodes.cpp:
(JSC::JIT::op_ret_handlerGenerator):
(JSC::JIT::emit_op_enter):
(JSC::JIT::op_enter_Generator):
(JSC::JIT::op_enter_canBeOptimized_Generator):
(JSC::JIT::op_enter_cannotBeOptimized_Generator):
(JSC::JIT::emit_op_loop_hint):
(JSC::JIT::emitSlow_op_loop_hint):
(JSC::JIT::op_loop_hint_Generator):
(JSC::JIT::op_enter_handlerGenerator): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_enter):
* jit/ThunkGenerators.cpp:
(JSC::popThunkStackPreservesAndHandleExceptionGenerator):
2021-06-07 Robin Morisset <rmorisset@apple.com>
Optimize compareStrictEq when neither side is a double and at least one is neither a string nor a BigInt
https://bugs.webkit.org/show_bug.cgi?id=226676
Reviewed by Filip Pizlo.
There is exactly one case where x === y must return false despite x and y being JSValues with the same bits:
NaN === NaN
There are a few cases where x === y must return true despite x and y being JSValues with potentially different bits:
Double === Int32
String === String
HeapBigInt === HeapBigInt
HeapBigInt === BigInt32 (if they are enabled)
If we don't have a double on either side, at least one side has neither a String nor a HeapBigInt, and BigInt32 are disabled, we can clearly ignore all of these pathological cases.
This optimization was decided based on looking at DFG graphs of Speedometer2; here is a sample of the compareStrictEq(Untyped, Untyped), courtesy of Phil:
Final|Array|String|Bool, Final|Array|String|Bool
Array|String|Bool, String|Bool (twice)
Array|String|Bool, String|Int32 (once in DFG, once in FTL)
! Array|String|Bool, Array|Bool
! Final|Other, Final|Other
! Int32|Other, Int32
Final|StringIdent, Final|StringIdent (3 times)
Final|StringIdent|BoolInt32, StringIdent|BoolInt32 (twice)
String|Bool, String|Bool (4 times)
DoublePureNaN, String|Bool
! Other, Function|Other
! Final|Other, Final|Function|Other (twice)
Final|String|Bool|Other, Final|String|Bool|Other (3 times, two in the FTL)
Final|String|Int32, String|Int32 (four times)
String|Int32|Bool, Function|String|Int32|Bool (twice)
String|DoublePureNaN, String|Bool (twice)
! Final|Bool|Other, Final|Function|Other (four times, twice in FTL)
I marked with a ! those for which this optimization should apply.
The only slightly interesting part of this patch is DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString where I took care to skip every test whose result we can predict from the abstract interpreter.
Results on microbenchmarks:
poly-stricteq-not-double 45.5793+-0.5304 ? 46.0306+-0.5621 ?
poly-stricteq-not-double-nor-string 45.5829+-0.5750 ^ 16.9089+-0.3070 ^ definitely 2.6958x faster
poly-stricteq 49.9719+-0.6450 48.9855+-0.5227 might be 1.0201x faster
I also measured the amount of code that we generate in the DFG on JetStream2.
The results here are disappointing but still measurable. Before:
DFG_fast_CompareStrictEq totalBytes: 468425 count: 10951 avg: 42.774632
DFG_fast_CompareStrictEq totalBytes: 468020 count: 10917 avg: 42.870752
DFG_fast_CompareStrictEq totalBytes: 467424 count: 10888 avg: 42.930198
After:
DFG_fast_CompareStrictEq totalBytes: 463946 count: 10917 avg: 42.497573
DFG_fast_CompareStrictEq totalBytes: 474492 count: 11138 avg: 42.601185
DFG_fast_CompareStrictEq totalBytes: 467138 count: 10970 avg: 42.583227
* bytecode/SpeculatedType.h:
(JSC::isNeitherDoubleNorHeapBigIntNorStringSpeculation):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateNeitherDoubleNorHeapBigIntNorString):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::compileNotDoubleNeitherDoubleNorHeapBigIntNorStringStrictEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleNotDoubleNeitherDoubleNorHeapBigIntNorStringStrictEquality):
(JSC::DFG::SpeculativeJIT::speculateNotDouble):
(JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::checkMayCrashIfInputIsEmpty):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateNeitherDoubleNorHeapBigIntNorString):
2021-06-07 Tuomas Karkkainen <tuomas.webkit@apple.com>
$vm should have a function for checking if security assertions are enabled similar to $vm.assertEnabled
https://bugs.webkit.org/show_bug.cgi?id=226020
<rdar://problem/78567619>
Reviewed by Mark Lam.
Add method $vm.securityAssertEnabled() which parallels $vm.assertEnabled(), and allows
checking at runtime whether the current JavaScriptCore build has security assertions enabled.
* tools/JSDollarVM.cpp:
2021-06-04 Chris Dumez <cdumez@apple.com>
FileSystem::readFromFile() should return data as `void*`
https://bugs.webkit.org/show_bug.cgi?id=226671
Reviewed by Darin Adler.
FileSystem::readFromFile() should return data as `void*` instead of `char*`. This is more flexible and
consistent with FileSystem::writeToFile().
* inspector/remote/socket/RemoteInspectorSocket.cpp:
(Inspector::RemoteInspector::backendCommands const):
2021-06-04 Devin Rousso <drousso@apple.com>
Web Inspector: mark recently added protocol commands/events as page-only
https://bugs.webkit.org/show_bug.cgi?id=226661
Reviewed by Joseph Pecoraro.
* inspector/protocol/CSS.json:
* inspector/protocol/Network.json:
These commands are not implemented in ITML. By not specifying `"targetTypes": ["page"]` it's
implicitly saying that the command/event is supported by ITML since the command/event will
fall back to the domain's `"targetTypes"`, which includes ITML.
2021-06-04 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Private static method should define privateClassBrandIdentifier in class-scope
https://bugs.webkit.org/show_bug.cgi?id=226656
rdar://78313139
Reviewed by Keith Miller.
We accidentally made `declaresStaticPrivateMethod` always `false`.
This patch fixes that so that we properly define privateClassBrandIdentifier field in the class-scope if static-private-method is defined.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseClass):
2021-06-04 Filip Pizlo <fpizlo@apple.com>
Don't emit the NotDouble checks if we're already NotDouble.
Rubber stamped by Saam Barati.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateNotDouble):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::speculateNotDouble):
2021-06-04 Mark Lam <mark.lam@apple.com>
Placate exception checker validation in objectPrototypeHasOwnProperty.
https://bugs.webkit.org/show_bug.cgi?id=226651
rdar://78861296
Reviewed by Keith Miller.
* runtime/ObjectPrototype.cpp:
(JSC::objectPrototypeHasOwnProperty):
2021-06-03 Filip Pizlo <fpizlo@apple.com>
DFG should speculate on CompareStrictEq(@x, @x)
https://bugs.webkit.org/show_bug.cgi?id=226621
Reviewed by Mark Lam.
Introduces a NotDouble: speculation. We use it to speculate on CompareStrictEq(@x, @x).
* bytecode/SpeculatedType.h:
(JSC::isNotDoubleSpeculation):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateNotDouble):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateNotDouble):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::checkMayCrashIfInputIsEmpty):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateNotDouble):
2021-06-04 Robin Morisset <rmorisset@apple.com>
Drop the FTL(DFG) graph after lowering to B3
https://bugs.webkit.org/show_bug.cgi?id=226556
Reviewed by Phil Pizlo.
The challenge in this patch was dealing with all of the Patchpoints created by FTLLowerDFGToB3: they get a lambda at that time, which they execute at the end of Air, and many of these lambdas were capturing a pointer to some parts of the DFG graph and reading through it when being executed.
In all cases but one it was easily fixed: they were only reading a few bits from a given node, so I just read these bits in FTLLowerDFGToB3, and captured them (by value) instead of the pointer to the node.
The exception was compileCallOrConstructVarargsSpread(): its patchpoint generator was walking through the graph, flattening a tree of PhantomSpread/PhantomNewArrayWithSpread/PhantomNewArrayBuffer/PhantomCreateRest, emitting some code along the way.
We now do this flattening of the tree in FTLLowerDFGToB3, store just enough information to later emit the required code in a vector, and capture that vector in the lambda (through a move capture, which is allowed since C++14). See `struct VarargsSpreadArgumentToEmit` for the information that we need to store in that vector.
I tested this change by completing a full run of JetStream2 with ASAN.
I also ran the stress tests with "spread" in their name in Debug mode.
* b3/B3SparseCollection.h:
(JSC::B3::SparseCollection::clearAll):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::freeDFGIRAfterLowering):
* dfg/DFGGraph.h:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::getPrivateName):
(JSC::FTL::DFG::LowerDFGToB3::compilePrivateBrandAccess):
(JSC::FTL::DFG::LowerDFGToB3::cachedPutById):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::VarargsSpreadArgumentToEmit::VarargsSpreadArgumentToEmit):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
(JSC::FTL::DFG::LowerDFGToB3::compileInById):
(JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
(JSC::FTL::DFG::LowerDFGToB3::getById):
(JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
(JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
(JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
(JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
(JSC::FTL::DFG::LowerDFGToB3::crash):
2021-06-04 Tadeu Zagallo <tzagallo@apple.com>
Optimize Function.prototype.toString
https://bugs.webkit.org/show_bug.cgi?id=226418
<rdar://77861846>
Reviewed by Saam Barati.
Add caching to Function.prototype.toString. This is used heavily in Speedometer2, and repeatedly recomputing a
string which is a constant is costly. We cache the results of toString in all cases except for bound functions.
To make this work for bound functions, we'd need to add a new field they can use for this cache. For other
functions, we cache it on the executable (either NativeExecutable or FunctionExecutable). The reason we can't
do this on the executable for bound functions is that all bound functions share the same executable, but
individual bound functions can have different names. The reason it's valid to cache the results in general is that a
function's name field can't be changed from JS code -- it's non-writable.
This patch also makes Function.prototype.toString an intrinsic in the DFG/FTL. We emit code on the fast path
which reads the cached value if it's present. If not, we call into the slow path, which will compute
the cached value for non bound functions, or compute the result for bound functions.
I added a new microbenchmark that speeds up by >35x:
function-to-string 2197.5952+-30.7118 ^ 59.9861+-2.5550 ^ definitely 36.6350x faster
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::getExecutable):
(JSC::DFG::SpeculativeJIT::compileFunctionToString):
(JSC::DFG::SpeculativeJIT::compileGetExecutable):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::getExecutable):
(JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
(JSC::FTL::DFG::LowerDFGToB3::compileFunctionToString):
* runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::visitChildrenImpl):
(JSC::FunctionExecutable::toStringSlow):
* runtime/FunctionExecutable.h:
* runtime/FunctionExecutableInlines.h:
(JSC::FunctionExecutable::toString):
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::toString):
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::asStringConcurrently const):
* runtime/JSStringInlines.h:
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::toStringSlow):
(JSC::NativeExecutable::visitChildrenImpl):
* runtime/NativeExecutable.h:
2021-06-04 Michael Catanzaro <mcatanzaro@gnome.org>
Fix more GCC warnings
https://bugs.webkit.org/show_bug.cgi?id=226193
Reviewed by Adrian Perez de Castro.
Fix -Wreturn-type warnings due to missing RELEASE_ASSERT_NOT_REACHED() where expected.
* jit/JITPlan.cpp:
(JSC::JITPlan::tier const):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
2021-06-03 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Implement JIT ICs for InByVal
https://bugs.webkit.org/show_bug.cgi?id=226563
Reviewed by Saam Barati.
Until now, InByVal has had few optimizations implemented:
DFG would attempt to convert string index lookups to InById and int32 lookups to HasIndexedProperty,
but there has been no inline caching nor any special handling for symbol lookups.
This has become a more urgent problem now, as `#x in obj` (i.e. HasPrivateName / HasPrivateBrand)
will need to mimic InByVal's inline caching strategy in order to be deemed performant enough to ship.
This patch thus implements inline caching for InByVal at all JIT tiers.
The result is a night-and-day difference for symbols, a nice boost for string indices, and no change for int32s:
in-by-val-symbol 203.5572+-2.7647 ^ 19.1035+-0.7498 ^ definitely 10.6555x faster
in-by-val-string-index 87.0368+-44.7766 45.9971+-32.0007 might be 1.8922x faster
in-by-val-int32 110.9904+-1.7109 ? 111.3431+-1.7558 ?
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CheckPrivateBrandStatus.cpp:
(JSC::CheckPrivateBrandStatus::singleIdentifier const):
* bytecode/DeleteByStatus.cpp:
(JSC::DeleteByStatus::singleIdentifier const):
* bytecode/GetByStatus.cpp:
(JSC::GetByStatus::singleIdentifier const):
* bytecode/ICStatusMap.h:
* bytecode/ICStatusUtils.h:
(JSC::singleIdentifierForICStatus):
* bytecode/InByIdVariant.cpp:
(JSC::InByIdVariant::InByIdVariant):
(JSC::InByIdVariant::attemptToMerge):
(JSC::InByIdVariant::dumpInContext const):
* bytecode/InByIdVariant.h:
(JSC::InByIdVariant::identifier const):
(JSC::InByIdVariant::overlaps):
* bytecode/InByStatus.cpp: Renamed from Source/JavaScriptCore/bytecode/InByIdStatus.cpp.
(JSC::InByStatus::appendVariant):
(JSC::InByStatus::shrinkToFit):
(JSC::InByStatus::computeFor):
(JSC::InByStatus::computeForStubInfo):
(JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::InByStatus::merge):
(JSC::InByStatus::filter):
(JSC::InByStatus::markIfCheap):
(JSC::InByStatus::finalize):
(JSC::InByStatus::singleIdentifier const):
(JSC::InByStatus::dump const):
* bytecode/InByStatus.h: Renamed from Source/JavaScriptCore/bytecode/InByIdStatus.h.
* bytecode/RecordedStatuses.cpp:
(JSC::RecordedStatuses::addInByStatus): Renamed from addInByIdStatus.
* bytecode/RecordedStatuses.h:
* bytecode/SetPrivateBrandStatus.cpp:
(JSC::SetPrivateBrandStatus::singleIdentifier const):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::reset):
* bytecode/StructureStubInfo.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addInByVal):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasInByStatus): Renamed from hasInByIdStatus.
(JSC::DFG::Node::inByStatus): Renamed from inByIdStatus.
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileInByVal):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGVarargsForwardingPhase.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileInBy):
(JSC::FTL::DFG::LowerDFGToB3::compileInById):
(JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
* jit/ICStats.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::link):
* jit/JIT.h:
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITInByValGenerator::JITInByValGenerator):
(JSC::JITInByValGenerator::generateFastPath):
(JSC::JITInByValGenerator::finalize):
(JSC::JITInByIdGenerator::JITInByIdGenerator):
* jit/JITInlineCacheGenerator.h:
(JSC::JITDelByIdGenerator::slowPathJump const):
(JSC::JITInByValGenerator::JITInByValGenerator):
(JSC::JITInByValGenerator::slowPathJump const):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitSlow_op_in_by_val):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitSlow_op_in_by_val):
* jit/Repatch.cpp:
(JSC::tryCacheInBy): Renamed from tryCacheInByID.
(JSC::repatchInBy): Renamed from repatchInByID.
(JSC::resetInBy): Renamed from resetInByID.
* jit/Repatch.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/CommonSlowPaths.cpp:
* runtime/CommonSlowPaths.h:
2021-06-03 Mark Lam <mark.lam@apple.com>
Fix an ASSERT in objectPrototypeHasOwnProperty() to account for TerminationException.
https://bugs.webkit.org/show_bug.cgi?id=226609
rdar://78465046
Reviewed by Robin Morisset.
* runtime/ObjectPrototype.cpp:
(JSC::objectPrototypeHasOwnProperty):
2021-06-03 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Make $vm's accessor test functions robust against primitive |this|
https://bugs.webkit.org/show_bug.cgi?id=226591
Reviewed by Saam Barati.
These functions are testing-purpose, and they are not robust against passing primitive as |this|.
This patch makes them robust so that we throw an error instead of crash.
* tools/JSDollarVM.cpp:
2021-06-03 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r278356.
https://bugs.webkit.org/show_bug.cgi?id=226606
"Breaks jsc tests".
Reverted changeset:
"Convert small JIT pool tests into executable fuzzing"
https://bugs.webkit.org/show_bug.cgi?id=226279
https://trac.webkit.org/changeset/278356
2021-06-03 Filip Pizlo <fpizlo@apple.com>
DFG should eliminate obvious store barriers
https://bugs.webkit.org/show_bug.cgi?id=226604
Reviewed by Mark Lam.
This has a couple changes:
- PutByOffset doesn't GC! So let's not say that it does.
- The store barrier clustering phase is no longer called the store barrier fencing phase in
dumps.
Small Speedometer2 speed-up. Definite speed-up for Elm.
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGStoreBarrierClusteringPhase.cpp:
2021-06-03 Patrick Angle <pangle@apple.com>
Web Inspector: [Cocoa] `RemoteInspector` won't connect to a new relay if it hasn't yet failed to communicate with a previously connected relay
https://bugs.webkit.org/show_bug.cgi?id=226539
Reviewed by Devin Rousso.
`RemoteInspector` communicates with a relay daemon running on the same device in order to send updates like new
or removed inspectable targets and receive changes to settings like automatic debugging. The relay daemon then
communicates with a client that connects for debugging. Only one relay daemon should ever be running at a time,
and its lifecycle is managed separately from JavaScriptCore.
RemoteInspector holds a RefPtr to its connection to this relay, and only clears this pointer upon a failure to
communicate over the XPC connection or a known disconnection. However, it is possible, and in some cases likely
(for example the relay restarting from a brief client disconnection and reconnection), that we can be informed
of a newly launched relay being available while still thinking we are connected to the old relay, as we have not
yet sent a message and triggered a failure in the interim period of time.
To correct this we now send a simple message any time `setupXPCConnectionIfNeeded` is called if we have an
existing RefPtr to a relay connection in order to verify the connection is still functional. We now also retry
to connect to a relay upon failure in order to create a new connection to the current relay.
In order to prevent entering a retry loop where every subsequent retry's failure results in another retry
forever, a flag to retry connecting is set when a call to setupXPCConnectionIfNeeded is made while we already
have a RefPtr to a relay connection. On failure if we are in this special state we will retry once to connect
but subsequent failures will not automatically reattempt a connection.
* inspector/remote/RemoteInspector.h:
* inspector/remote/cocoa/RemoteInspectorCocoa.mm:
(Inspector::RemoteInspector::stopInternal):
- Clear the retry connection flag when stopping in an orderly fashion.
(Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
- Set the retry connection flag and send a simple message if we already have a relay connection in order to make
sure the connection is either still valid or is torn down properly on failure.
(Inspector::RemoteInspector::xpcConnectionFailed):
- If the retry flag is set, schedule a retry and clear the retry flag.
2021-06-02 Robin Morisset <rmorisset@apple.com>
B3MoveConstants should filter directly on Values, and only create ValueKeys when useful
https://bugs.webkit.org/show_bug.cgi?id=226420
Reviewed by Phil Pizlo.
I did a few runs of JetStream2 to measure results, the time spent in B3MoveConstants goes from 160-180ms to 100-110ms.
The total time spent in B3+Air is in the 6 to 8s range, so this is approximately a 1% speedup.
* b3/B3MoveConstants.cpp:
2021-06-02 Robin Morisset <rmorisset@apple.com>
Merge B3::StackSlot and Air::StackSlot
https://bugs.webkit.org/show_bug.cgi?id=226362
Reviewed by Filip Pizlo.
This is a very simple and safe (although small) memory saving, since every B3StackSlot eventually becomes an AirStackSlot with an exact copy of all the same information.
Simply dropping the B3StackSlot past that point is tricky, because one of them might be retained by FTLState (and modified by Air).
It is much simpler to just use Air::StackSlot throughout. It saves us:
- 16 bytes per B3StackSlot (for the structure itself)
- another 8 bytes per B3StackSlot (for the pointer in the SparseCollection)
- 8 bytes per AirStackSlot (for the pointer to the B3::StackSlot)
I also took the opportunity to save an extra 8 bytes per AirStackSlot, by shrinking the bytesize field to a uint16_t (with a RELEASE_ASSERT that we never overflow it) and moving the StackSlotKind in the hole this creates.
Total savings: 16 bytes per spill slot and 40 bytes per locked (by B3) slot.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* b3/B3LowerToAir.cpp:
* b3/B3Procedure.cpp:
(JSC::B3::Procedure::addStackSlot):
(JSC::B3::Procedure::dump const):
* b3/B3Procedure.h:
* b3/B3ProcedureInlines.h:
(JSC::B3::Procedure::stackSlots):
(JSC::B3::Procedure::stackSlots const):
* b3/B3SlotBaseValue.cpp:
* b3/B3SlotBaseValue.h:
* b3/B3StackSlot.cpp: Removed.
* b3/B3StackSlot.h: Removed.
* b3/B3Value.cpp:
* b3/air/AirCode.cpp:
(JSC::B3::Air::Code::addStackSlot):
* b3/air/AirCode.h:
* b3/air/AirStackSlot.cpp:
(JSC::B3::Air::StackSlot::setOffsetFromFP):
(JSC::B3::Air::StackSlot::deepDump const):
(JSC::B3::Air::StackSlot::StackSlot):
* b3/air/AirStackSlot.h:
(JSC::B3::Air::StackSlot::ensureSize):
* b3/testb3.h:
* ftl/FTLCompile.cpp:
* ftl/FTLState.h:
2021-06-02 Pablo Saavedra <psaavedra@igalia.com>
Fix build error with ENABLE_DFG_JIT=OFF
https://bugs.webkit.org/show_bug.cgi?id=226550
Reviewed by Mark Lam.
* jit/JITPlan.cpp:
(JSC::JITPlan::compileInThread):
2021-06-02 Robin Morisset <rmorisset@apple.com>
We should drop B3 values while running Air
https://bugs.webkit.org/show_bug.cgi?id=226187
Reviewed by Saam Barati.
We must keep the following values:
- WasmBoundsCheck, to know whether it is Pinned or Maximum, and if it is pinned find its argument.
- CCall/Patch/Check/CheckAdd/CheckSub/CheckMul and all of their children, because all of these are lowered to Air::Patchpoint, which needs to know the type of its arguments, and does so by looking at the children of its origin.
I intend to fix these in later patches if possible.
Finally we must preserve all B3 values in the following cases:
- if we dump the disassembly or the Air graph: because otherwise we cannot print the origins
- if we are using the sampling profiler, because it relies on PCToCodeOriginMap which we cannot accurately fill without these origins.
We must also keep m_tuples alive, as it is used by Patchpoints in Air to understand the types of their arguments.
We also don't touch StackSlots (in this patch), because one of them is captured by FTL::State.
Also now PCToOriginMap has a Vector with no inline capacity, since it is either quite large (if needed) or empty (otherwise).
The performance impact of this is a progression on various RAMification subtests on Mac, but is more mitigated on iPhone7, with various regressions.
I suspect these to be noise, and will monitor the performance bots post-landing to make sure of it.
* b3/B3LowerToAir.cpp:
(JSC::B3::lowerToAir):
* b3/B3Procedure.cpp:
(JSC::B3::Procedure::freeUnneededB3ValuesAfterLowering):
* b3/B3Procedure.h:
(JSC::B3::Procedure::releasePCToOriginMap):
(JSC::B3::Procedure::setNeedsPCToOriginMap):
(JSC::B3::Procedure::needsPCToOriginMap):
* b3/B3SparseCollection.h:
(JSC::B3::SparseCollection::clearAll):
(JSC::B3::SparseCollection::filterAndTransfer):
* b3/air/AirCode.cpp:
(JSC::B3::Air::Code::Code):
* b3/air/AirCode.h:
(JSC::B3::Air::Code::shouldPreserveB3Origins const):
* b3/air/AirGenerate.cpp:
(JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLState.cpp:
(JSC::FTL::State::State):
2021-06-02 Chris Dumez <cdumez@apple.com>
Drop Checked::safeGet()
https://bugs.webkit.org/show_bug.cgi?id=226537
Reviewed by Geoffrey Garen.
Drop Checked::safeGet() and replace with uses of Checked::operator T() or Checked::value().
safeGet() is a bit akward, having both a return value and an out-parameter.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
* runtime/JSStringJoiner.cpp:
(JSC::JSStringJoiner::joinedLength const):
* wasm/WasmFormat.cpp:
(JSC::Wasm::Segment::create):
* wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
* wasm/WasmTable.cpp:
(JSC::Wasm::Table::grow):
2021-06-02 Keith Miller <keith_miller@apple.com>
Add globalObject API set property test
https://bugs.webkit.org/show_bug.cgi?id=226542
<rdar://78287979>
Reviewed by Alexey Shvayka.
* API/tests/testapi.cpp:
(TestAPI::testJSObjectSetOnGlobalObjectSubclassDefinition):
(testCAPIViaCpp):
2021-06-02 Keith Miller <keith_miller@apple.com>
Convert small JIT pool tests into executable fuzzing
https://bugs.webkit.org/show_bug.cgi?id=226279
Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.
The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.
Reviewed by Michael Saboff.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::numberOfDFGCompiles):
* jit/ExecutableAllocationFuzz.cpp:
(JSC::doExecutableAllocationFuzzing):
* jsc.cpp:
(runJSC):
2021-06-02 Chris Dumez <cdumez@apple.com>
Use Checked aliases instead of Checked<T, RecordOverflow>
https://bugs.webkit.org/show_bug.cgi?id=226535
Reviewed by Keith Miller.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_JIT_OPERATION):
* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
* runtime/JSStringJoiner.cpp:
(JSC::JSStringJoiner::joinedLength const):
* runtime/JSStringJoiner.h:
* runtime/StringPrototype.cpp:
(JSC::jsSpliceSubstringsWithSeparators):
* wasm/WasmFormat.cpp:
(JSC::Wasm::Segment::create):
* wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
* wasm/WasmTable.cpp:
(JSC::Wasm::Table::grow):
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::ByteCompiler::emitDisjunction):
* yarr/YarrParser.h:
(JSC::Yarr::Parser::consumeNumber):
* yarr/YarrPattern.cpp:
2021-06-01 Darin Adler <darin@apple.com>
Remove <wtf/Optional.h>
https://bugs.webkit.org/show_bug.cgi?id=226437
Reviewed by Chris Dumez.
* <many files>: Remove include of <wtf/Optional.h>.
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
(CppBackendDispatcherHeaderGenerator._generate_secondary_header_includes): Don't generate
an include of wtf/Optional.h; including WTFString.h takes care of this anyway.
* inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
(CppFrontendDispatcherHeaderGenerator._generate_secondary_header_includes): Ditto.
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
(CppProtocolTypesHeaderGenerator._generate_secondary_header_includes): Ditto.
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator.generate_output): Generate an include of <optional>
instead of <wtf/Optional.h>.
* inspector/scripts/tests/expected/*: Regenerate.
2021-06-01 Chris Dumez <cdumez@apple.com>
Rename Checked::unsafeGet() to Checked::value()
https://bugs.webkit.org/show_bug.cgi?id=226514
Reviewed by Darin Adler.
Rename Checked::unsafeGet() to Checked::value(). The "unsafeGet" naming is confusing as this
function isn't really unsafe since it will crash if the value has overflowed. Also add an
`operator T()` to implicitly convert a Checked to its underlying type without needing to
call value().
* b3/B3Const32Value.cpp:
(JSC::B3::Const32Value::checkAddConstant const):
(JSC::B3::Const32Value::checkSubConstant const):
(JSC::B3::Const32Value::checkMulConstant const):
* b3/B3Const64Value.cpp:
(JSC::B3::Const64Value::checkAddConstant const):
(JSC::B3::Const64Value::checkSubConstant const):
(JSC::B3::Const64Value::checkMulConstant const):
* bytecompiler/BytecodeGenerator.h:
(JSC::FinallyContext::numberOfBreaksOrContinues const):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
* ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_JIT_OPERATION):
* heap/Heap.cpp:
(JSC::Heap::deprecatedReportExtraMemorySlowCase):
(JSC::Heap::extraMemorySize):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::reportExtraMemoryVisited):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::propagateExternalMemoryVisitedIfNecessary):
* runtime/ArgList.cpp:
(JSC::MarkedArgumentBuffer::slowEnsureCapacity):
(JSC::MarkedArgumentBuffer::expandCapacity):
* runtime/ArrayPrototype.cpp:
(JSC::concatAppendOne):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* runtime/DirectArguments.h:
* runtime/HashMapImpl.h:
(JSC::HashMapBuffer::allocationSize):
(JSC::HashMapImpl::HashMapImpl):
* runtime/HashMapImplInlines.h:
(JSC::nextCapacity):
(JSC::HashMapImpl<HashMapBucketType>::finishCreation):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::parseInt):
* runtime/JSImmutableButterfly.h:
(JSC::JSImmutableButterfly::tryCreate):
* runtime/JSLexicalEnvironment.h:
(JSC::JSLexicalEnvironment::offsetOfVariable):
(JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
* runtime/JSObject.h:
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::create):
* runtime/JSString.h:
* runtime/ScopedArguments.cpp:
(JSC::ScopedArguments::createUninitialized):
* runtime/StringPrototype.cpp:
(JSC::jsSpliceSubstrings):
(JSC::jsSpliceSubstringsWithSeparators):
* runtime/StructureChain.cpp:
(JSC::StructureChain::create):
* runtime/VM.h:
(JSC::ScratchBuffer::allocationSize):
* runtime/WeakMapImpl.h:
(JSC::WeakMapBuffer::allocationSize):
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::AirIRGenerator):
(JSC::Wasm::AirIRGenerator::emitCallPatchpoint):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
* wasm/WasmInstance.cpp:
* wasm/WasmInstance.h:
(JSC::Wasm::Instance::allocationSize):
* wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::push):
(JSC::Wasm::LLIntGenerator::getDropKeepCount):
(JSC::Wasm::LLIntGenerator::walkExpressionStack):
(JSC::Wasm::LLIntGenerator::finalize):
(JSC::Wasm::LLIntGenerator::callInformationForCaller):
(JSC::Wasm::LLIntGenerator::addLoop):
(JSC::Wasm::LLIntGenerator::addTopLevel):
(JSC::Wasm::LLIntGenerator::addBlock):
(JSC::Wasm::LLIntGenerator::addIf):
(JSC::Wasm::LLIntGenerator::addElseToUnreachable):
* wasm/WasmSignature.h:
(JSC::Wasm::Signature::allocatedSize):
* wasm/WasmStreamingParser.cpp:
(JSC::Wasm::StreamingParser::addBytes):
* wasm/WasmTable.cpp:
(JSC::Wasm::Table::Table):
(JSC::Wasm::Table::grow):
(JSC::Wasm::FuncRefTable::FuncRefTable):
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
(JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
(JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
(JSC::Yarr::ByteCompiler::atomCharacterClass):
(JSC::Yarr::ByteCompiler::atomBackReference):
(JSC::Yarr::ByteCompiler::atomParentheticalAssertionEnd):
(JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
(JSC::Yarr::ByteCompiler::atomParenthesesOnceEnd):
(JSC::Yarr::ByteCompiler::atomParenthesesTerminalEnd):
(JSC::Yarr::ByteCompiler::emitDisjunction):
* yarr/YarrInterpreter.h:
(JSC::Yarr::ByteTerm::ByteTerm):
(JSC::Yarr::ByteTerm::CheckInput):
(JSC::Yarr::ByteTerm::UncheckInput):
* yarr/YarrJIT.cpp:
* yarr/YarrParser.h:
(JSC::Yarr::Parser::consumeNumber):
* yarr/YarrPattern.cpp:
(JSC::Yarr::PatternTerm::dumpQuantifier):
2021-06-01 Adrian Perez de Castro <aperez@igalia.com>
[WPE][GTK] Support building against uClibc
https://bugs.webkit.org/show_bug.cgi?id=226244
Reviewed by Michael Catanzaro.
* assembler/MacroAssemblerARM64.cpp:
(getauxval): Provide a fallback implementation of getauxval() for
systems which do not provide <sys/auxv.h>, like those using uClibc
as their C library.
2021-05-30 Chris Dumez <cdumez@apple.com>
Drop UncheckedCondition / UncheckedLock
https://bugs.webkit.org/show_bug.cgi?id=226432
Reviewed by Darin Adler.
Drop one remaining use of UncheckedLock in favor of Lock.
* jit/JITSafepoint.cpp:
* jit/JITWorklistThread.h:
2021-05-30 Darin Adler <darin@apple.com>
Remove WTF::Optional synonym for std::optional, using that class template directly instead
https://bugs.webkit.org/show_bug.cgi?id=226433
Reviewed by Chris Dumez.
* <many files>: Let the do-webcore-rename script rename Optional<> to std::optional<>.
* inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
(ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload): Use auto instead
of Optional<>. Also use * instead of value() and nest the definition of the local inside an if
statement in the case where it's an optional.
* inspector/scripts/tests/expected/*: Regenerated these results.
2021-05-29 Chris Dumez <cdumez@apple.com>
Stop using UncheckedLock in JSC::VMInspector
https://bugs.webkit.org/show_bug.cgi?id=226427
Reviewed by Mark Lam.
Stop using UncheckedLock in JSC::VMInspector, as it is being phased out in favor
of Lock, which supports Clang thread safety analysis.
* tools/HeapVerifier.cpp:
(JSC::HeapVerifier::checkIfRecorded):
* tools/SigillCrashAnalyzer.cpp:
(JSC::SigillCrashAnalyzer::analyze):
* tools/VMInspector.cpp:
(JSC::VMInspector::isValidExecutableMemory):
(JSC::VMInspector::codeBlockForMachinePC):
(JSC::VMInspector::lock): Deleted.
* tools/VMInspector.h:
(JSC::VMInspector::WTF_RETURNS_LOCK):
(JSC::VMInspector::WTF_REQUIRES_LOCK):
(JSC::VMInspector::getLock): Deleted.
(JSC::VMInspector::iterate): Deleted.
2021-05-29 Chris Dumez <cdumez@apple.com>
Stop using UncheckedLock in JSC::ConcurrentJSLock
https://bugs.webkit.org/show_bug.cgi?id=226428
Reviewed by Darin Adler.
Stop using UncheckedLock in JSC::ConcurrentJSLock as it is being phased out in
favor of Lock, which supports Clang thread safety analysis.
* runtime/ConcurrentJSLock.h:
(JSC::ConcurrentJSLockerBase::ConcurrentJSLockerBase):
* runtime/Structure.cpp:
(JSC::Structure::findStructuresAndMapForMaterialization):
(JSC::Structure::materializePropertyTable):
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::forEachPropertyConcurrently):
* yarr/YarrInterpreter.cpp:
2021-05-28 Darin Adler <darin@apple.com>
Clients of optional should use has_value instead of relying on hasValue macro
https://bugs.webkit.org/show_bug.cgi?id=226395
Reviewed by Chris Dumez.
* bytecompiler/NodesCodegen.cpp:
(JSC::RegExpNode::emitBytecode): Don't use hasValue.
2021-05-29 Chris Dumez <cdumez@apple.com>
Stop using UncheckedLock in JSC::SamplingProfiler
https://bugs.webkit.org/show_bug.cgi?id=226414
Reviewed by Darin Adler.
Stop using UncheckedLock in JSC::SamplingProfiler as it is being phased out in favor of Lock,
which supports clang thread safety analysis.
* heap/Heap.cpp:
(JSC::visitSamplingProfiler):
* inspector/agents/InspectorScriptProfilerAgent.cpp:
(Inspector::InspectorScriptProfilerAgent::startTracking):
(Inspector::InspectorScriptProfilerAgent::trackingComplete):
(Inspector::InspectorScriptProfilerAgent::stopSamplingWhenDisconnecting):
* runtime/JSGlobalObject.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::createThreadIfNecessary):
(JSC::SamplingProfiler::timerLoop):
(JSC::SamplingProfiler::takeSample):
(JSC::SamplingProfiler::processUnverifiedStackTraces):
(JSC::SamplingProfiler::start):
(JSC::SamplingProfiler::startWithLock):
(JSC::SamplingProfiler::pause):
(JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThreadWithLock):
(JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
(JSC::SamplingProfiler::noticeJSLockAcquisition):
(JSC::SamplingProfiler::noticeVMEntry):
(JSC::SamplingProfiler::clearData):
(JSC::SamplingProfiler::releaseStackTraces):
(JSC::SamplingProfiler::stackTracesAsJSON):
(JSC::SamplingProfiler::reportTopFunctions):
(JSC::SamplingProfiler::reportTopBytecodes):
* runtime/SamplingProfiler.h:
(JSC::SamplingProfiler::WTF_RETURNS_LOCK):
(JSC::SamplingProfiler::WTF_REQUIRES_LOCK):
2021-05-29 Chris Dumez <cdumez@apple.com>
Stop using UncheckedLock in JSC::dumpJITMemory()
https://bugs.webkit.org/show_bug.cgi?id=226413
Reviewed by Darin Adler.
Stop using UncheckedLock in JSC::dumpJITMemory() as it is being phased out in favor of Lock,
which supports Clang thread safety analysis.
* jit/ExecutableAllocator.cpp:
(JSC::dumpJITMemory):
2021-05-29 Chris Dumez <cdumez@apple.com>
Stop using UncheckedLock in JSC::WasmCalleeRegistry
https://bugs.webkit.org/show_bug.cgi?id=226412
Reviewed by Darin Adler.
Stop using UncheckedLock in JSC::WasmCalleeRegistry, as it is being phased out in favor of
Lock, which supports Clang thread safety analysis.
* runtime/SamplingProfiler.cpp:
(JSC::FrameWalker::FrameWalker):
(JSC::FrameWalker::recordJITFrame):
(JSC::CFrameWalker::CFrameWalker):
(JSC::SamplingProfiler::takeSample):
* wasm/WasmCalleeRegistry.h:
(JSC::Wasm::CalleeRegistry::WTF_RETURNS_LOCK):
(JSC::Wasm::CalleeRegistry::WTF_REQUIRES_LOCK):
(JSC::Wasm::CalleeRegistry::getLock): Deleted.
(JSC::Wasm::CalleeRegistry::isValidCallee): Deleted.
* wasm/WasmFaultSignalHandler.cpp:
(JSC::Wasm::trapHandler):
2021-05-29 Mark Lam <mark.lam@apple.com>
VM::isTerminationException() should only be run on a non-null exception value.
https://bugs.webkit.org/show_bug.cgi?id=226417
rdar://78646170
Reviewed by Filip Pizlo.
* jsc.cpp:
(runInteractive):
2021-05-29 Adrian Perez de Castro <aperez@igalia.com>
Non-unified build fixes, late-ish May 2021 edition redux
https://bugs.webkit.org/show_bug.cgi?id=226401
Unreviewed non-unified build fixes.
* jit/JITSizeStatistics.cpp: Add missing LinkBuffer.h header.
* jit/JITSizeStatistics.h: Add missing CCallHelpers.h and wtf/text/WTFString.h headers;
remove unneeded CCallHelpers forward declaration.
2021-05-28 Chris Dumez <cdumez@apple.com>
Stop using UncheckedLock in WTF::MetaAllocator
https://bugs.webkit.org/show_bug.cgi?id=226396
Reviewed by Darin Adler.
Stop using UncheckedLock in WTF::MetaAllocator, as it is being phased out in favor on Lock,
which supports Clang thread safety analysis.
* jit/ExecutableAllocator.cpp:
(JSC::ExecutableAllocator::getLock const):
* jit/ExecutableAllocator.h:
(JSC::ExecutableAllocatorBase::WTF_RETURNS_LOCK):
* tools/VMInspector.cpp:
(JSC::VMInspector::isValidExecutableMemory):
2021-05-28 Chris Dumez <cdumez@apple.com>
Stop using UncheckedLock in JSDOMGlobalObject
https://bugs.webkit.org/show_bug.cgi?id=226281
Reviewed by Darin Adler.
Drop JSC::lockDuringMarking() and its now empty header given that it does conditional
locking and it is not compatible with Clang thread safety analysis.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/UnlinkedCodeBlock.h:
* heap/LockDuringMarking.h: Removed.
2021-05-28 Saam Barati <sbarati@apple.com>
Add the ability to dump statistics about cumulative counts and code sizes of Baseline JIT opcodes and DFG nodes
https://bugs.webkit.org/show_bug.cgi?id=226200
Reviewed by Robin Morisset.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::SlowPathGenerator::currentNode const):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::compileAndLinkWithoutFinalizing):
* jit/JITSizeStatistics.cpp: Added.
(JSC::JITSizeStatistics::markStart):
(JSC::JITSizeStatistics::markEnd):
(JSC::JITSizeStatistics::dump const):
* jit/JITSizeStatistics.h: Added.
(JSC::JITSizeStatistics::reset):
* jsc.cpp:
(runJSC):
* runtime/OptionsList.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* tools/JSDollarVM.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSDollarVM::finishCreation):
2021-05-28 Saam Barati <sbarati@apple.com>
Don't sink arguments past the context of the inline call frame they were created in
https://bugs.webkit.org/show_bug.cgi?id=226363
<rdar://78392801>
Reviewed by Filip Pizlo.
DFG OSR exit isn't set up to allow materializing phantom arguments objects
when the inline call frame is no longer present in the exit metadata. There
may be multiple reasons for this, but there's at least one I discovered:
We don't analyze any locals when reconstructing the variable event stream
if that local is past the extent of the inline call frame.
This patch makes it so we treat it as an escape if between the definition and
the last use of a sink candidate (either via an IR use or bytecode liveness)
there is an exit to a place in the graph where the inline call frame of the
definition is no longer present.
* dfg/DFGVarargsForwardingPhase.cpp:
2021-05-28 Stephan Szabo <stephan.szabo@sony.com>
Regenerate builtins generator expectations after optional changes
https://bugs.webkit.org/show_bug.cgi?id=226381
Reviewed by Chris Dumez.
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
* Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2021-05-28 Mark Lam <mark.lam@apple.com>
The jsc shell should not continue executing after a termination has been received.
https://bugs.webkit.org/show_bug.cgi?id=226368
rdar://78013374
Reviewed by Saam Barati.
This patch makes the jsc shell forbid execution in all the places that it has
caught and seen a TerminationException.
* jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
(checkException):
(runWithOptions):
(runInteractive):
2021-05-27 Robin Morisset <rmorisset@apple.com>
AirAllocateStackByGraphColoring should use the optimized interference graphs from AirAllocateRegistersByGraphColoring
https://bugs.webkit.org/show_bug.cgi?id=226258
Reviewed by Phil Pizlo.
The main change in this patch is that AirAllocateStackByGraphColoring is now using the optimized datastructures in wtf/InterferenceGraph.h.
This required templating most of it over the interference graph used (Small/Large/Huge), but I tried keeping some common parts out of the templated class to minimize the impact on compile times and binary size.
A consequence of that change is that coalescableMoves and remappedStackSlots now store indices instead of direct pointers to StackSlots, resulting in a memory reduction of about 3x as well.
Another consequence is that I had to slightly alter the way that coalescing works: instead of carefully removing the interference edges of the killed slot, we simply use mayClear() which is not guaranteed to remove anything.
I believe that this is sound, because every subsequent access to m_interference checks whether a slot has been coalesced first, so dropping these edges is purely a memory saving, but has no logical effect.
The new code was tested in a few ways:
- running on JetStream2 with asan
- running on JetStream2 with TEST_OPTIMIZED_INTERFERENCE_GRAPH
- running on JetStream2 and logging the frame sizes at the end of this phase, and comparing to the results of doing the same on ToT (same average frame size)
The two functions where this code had the largest memory footprint in JetStream2 were both in tsf-wasm.
One has 751 stack slots, and had an interference graph of 2.1MB and a coalescableMoves vector of 440kB
The other has 673 stack slots, and had an interference graph of 1.9MB and a coalescableMoves vector of 421kB.
With this patch, they respectively use 79kB+146kB and 67kB+140kB
The effect on the rest of JetStream2 is less likely to matter as few functions used more than a few dozens of kB in this phase, but in percentages are just as huge.
More importantly (and the reason I wrote this patch in the first place), I checked mruby-wasm.aotoki.dev which with a few other pages forced us to lower Options::maximumTmpsForGraphColoring because of jetsams.
It has two massive functions that reach this phase if I increase Options::maximumTmpsForGraphColoring:
- about 6k stack slots -> 215MB + 6MB (interference graph + coalescableMoves)
- about 9k stack slots -> 395MB + 4MB
After this patch, they respectively use 4.5MB+2MB and 9MB+1.5MB, or roughly a 40x improvement.
Combined with the recent improvements to the register allocator, I hope to be able to increase Options::maximumTmpsForGraphColoring soon (in a different patch for easier bisection if either cause a perf regression).
This would be helpful, since its lowering cratered our performance on some other wasm application by 8x.
In terms of compile times, this patch lowered the time spent in AllocateStackByGraphColoring over the course of a run of JetStream2 from roughly 350ms to roughly 270ms.
This is almost certainly negligible, but at least it guarantees that it did not regress.
* b3/air/AirAllocateRegistersByGraphColoring.cpp:
* b3/air/AirAllocateStackByGraphColoring.cpp:
(JSC::B3::Air::allocateStackByGraphColoring):
2021-05-27 Darin Adler <darin@apple.com>
Next step toward using std::optional directly instead of through WTF::Optional typedef
https://bugs.webkit.org/show_bug.cgi?id=226280
Reviewed by Chris Dumez.
* <many files>: Accept the renaming done by do-webcore-rename.
* yarr/YarrSyntaxChecker.cpp: Since the style checker complained about this file,
tweaked style to make it happy after the renaming done by do-webcore-rename, and
also hand-updated Optional to std::optional as long as we were touching it.
2021-05-27 Adrian Perez de Castro <aperez@igalia.com>
Non-unified build fixes, late May 2021 edition
https://bugs.webkit.org/show_bug.cgi?id=226322
Unreviewed non-unified build fixes.
* jit/JITPlan.cpp: Add missing HeapInlines.h and VMInlines.h headers.
* jit/JITWorklist.cpp: Add missing HeapInlines.h and SlotVisitorInlines.h headers,
remove SlotVisitor.h which is now unneeded.
* jit/JITWorklistThread.cpp: Add missing HeapInlines.h header.
2021-05-27 Daniel Kolesa <dkolesa@igalia.com>
[JSC] Fix crash on 32-bit big endian systems.
https://bugs.webkit.org/show_bug.cgi?id=226264
Reviewed by Caio Araujo Neponoceno de Lima.
This is an instance where properly offsetting was missed since
the issue was not present in 2.30 series and therefore not fixed
by r273104.
* llint/LowLevelInterpreter32_64.asm:
2021-05-26 Chris Dumez <cdumez@apple.com>
Leverage the new Vector(const T*, size_t) constructor
https://bugs.webkit.org/show_bug.cgi?id=226304
Reviewed by Darin Adler.
Leverage the new Vector(const T*, size_t) constructor in existing code.
* wasm/WasmStreamingParser.cpp:
(JSC::Wasm::StreamingParser::consume):
2021-05-26 Tadeu Zagallo <tzagallo@apple.com>
REGRESSION: ASSERTION FAILED: !isCompilationThread() in JSC::Profiler::Database::addCompilation()
https://bugs.webkit.org/show_bug.cgi?id=226302
<rdar://78537378>
Reviewed by Saam Barati.
We started linking the JIT code in the compiler thread, which now triggers this assertion.
The assertion was introduce before a lock was held to modify the data structures in the
profiler database, but it's safe to remove it now.
* profiler/ProfilerDatabase.cpp:
(JSC::Profiler::Database::addCompilation):
2021-05-26 Chris Dumez <cdumez@apple.com>
Use UncheckedLock even less in JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=226278
Reviewed by Darin Adler.
Use UncheckedLock even less in JavaScriptCore as it is being phased out in
favor of Lock, which supports Clang thread safety analysis.
* heap/BlockDirectory.h:
(JSC::BlockDirectory::WTF_RETURNS_LOCK):
* heap/CodeBlockSet.h:
(JSC::CodeBlockSet::WTF_RETURNS_LOCK):
* heap/Heap.h:
* heap/MarkedSpace.h:
(JSC::MarkedSpace::directoryLock):
* heap/MarkingConstraintSolver.h:
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::donateKnownParallel):
* heap/SlotVisitor.h:
* jit/JITWorklist.cpp:
* jit/JITWorklist.h:
* jsc.cpp:
* profiler/ProfilerDatabase.h:
* runtime/DeferredWorkTimer.h:
* runtime/VMTraps.cpp:
(JSC::VMTraps::invalidateCodeBlocksOnStack):
* runtime/VMTraps.h:
* tools/FunctionOverrides.cpp:
(JSC::FunctionOverrides::FunctionOverrides):
(JSC::FunctionOverrides::reinstallOverrides):
(JSC::FunctionOverrides::parseOverridesInFile):
* tools/FunctionOverrides.h:
(JSC::FunctionOverrides::WTF_REQUIRES_LOCK):
* tools/VMInspector.cpp:
(JSC::ensureIsSafeToLock):
(JSC::VMInspector::codeBlockForMachinePC):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::work):
(JSC::Wasm::BBQPlan::compileFunction):
(JSC::Wasm::BBQPlan::didCompleteCompilation):
* wasm/WasmBBQPlan.h:
* wasm/WasmEntryPlan.cpp:
(JSC::Wasm::EntryPlan::parseAndValidateModule):
(JSC::Wasm::EntryPlan::prepare):
(JSC::Wasm::EntryPlan::ThreadCountHolder::~ThreadCountHolder):
(JSC::Wasm::EntryPlan::complete):
* wasm/WasmEntryPlan.h:
(JSC::Wasm::EntryPlan::tryReserveCapacity):
* wasm/WasmLLIntPlan.cpp:
(JSC::Wasm::LLIntPlan::compileFunction):
(JSC::Wasm::LLIntPlan::didCompleteCompilation):
(JSC::Wasm::LLIntPlan::completeInStreaming):
(JSC::Wasm::LLIntPlan::didFailInStreaming):
* wasm/WasmLLIntPlan.h:
* wasm/WasmOMGForOSREntryPlan.cpp:
(JSC::Wasm::OMGForOSREntryPlan::work):
* wasm/WasmOMGForOSREntryPlan.h:
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmOMGPlan.h:
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::runCompletionTasks):
(JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
(JSC::Wasm::Plan::fail):
* wasm/WasmPlan.h:
* wasm/WasmStreamingCompiler.cpp:
(JSC::Wasm::StreamingCompiler::didCompileFunction):
(JSC::Wasm::StreamingCompiler::completeIfNecessary):
(JSC::Wasm::StreamingCompiler::didComplete):
(JSC::Wasm::StreamingCompiler::finalize):
* wasm/WasmStreamingCompiler.h:
* wasm/WasmStreamingPlan.cpp:
(JSC::Wasm::StreamingPlan::work):
* wasm/WasmStreamingPlan.h:
* wasm/WasmThunks.h:
2021-05-26 Chris Dumez <cdumez@apple.com>
Stop using UncheckedLock in WTF::AutomaticThread
https://bugs.webkit.org/show_bug.cgi?id=226255
Reviewed by Keith Miller.
Some code in JSC had to be ported from UncheckedLock to Lock as a result of
WTF::AutomaticThread using the Lock type.
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::Worklist):
* dfg/DFGWorklist.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
* heap/Heap.h:
* jit/JITWorklist.cpp:
(JSC::JITWorklist::JITWorklist):
* jit/JITWorklist.h:
* runtime/VMTraps.cpp:
(JSC::VMTraps::VMTraps):
* runtime/VMTraps.h:
* wasm/WasmWorklist.cpp:
(JSC::Wasm::Worklist::Worklist):
* wasm/WasmWorklist.h:
2021-05-26 Tadeu Zagallo <tzagallo@apple.com>
Merge all the JIT worklists into a shared worklist
https://bugs.webkit.org/show_bug.cgi?id=226207
Reviewed by Saam Barati.
Delete the DFG and FTL worklists and refactor JITWorklist to handle the compilation
for all tiers. This reduces the total number of compiler threads while allowing each
tier to use more threads whenever necessary. The default configuration is for the
worklist to have 3 threads, baseline can use up to all 3 threads and DFG and FTL follow
the previous limits set through JSC::Options. Right now, the worklist will only do work
on upper tiers when all lower tiers have no pending tasks or have exceeded the maximum
number of concurrent compilations. i.e. by default we only DFG compile when there are
no baseline tasks in the queue and we only FTL compile when we either have no DFG tasks
in the queue OR there are already 2 DFG compilations in progress.
* API/JSVirtualMachine.mm:
(+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
(+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
* API/tests/testapi.mm:
(runJITThreadLimitTests):
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::checkIfOptimizationThresholdReached):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCommon.h:
(JSC::DFG::verboseCompilationEnabled):
(JSC::DFG::logCompilationChanges):
(JSC::DFG::shouldDumpGraphAtEachPhase):
(JSC::DFG::shouldDumpDisassembly):
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
(JSC::DFG::compile):
* dfg/DFGDriver.h:
* dfg/DFGGraph.h:
* dfg/DFGGraphSafepoint.h:
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::OSRAvailabilityAnalysisPhase::run):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGOperations.cpp:
(JSC::DFG::triggerFTLReplacementCompile):
(JSC::DFG::tierUpCommon):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::Plan):
(JSC::DFG::Plan::codeSize const):
(JSC::DFG::Plan::finalizeInGC):
(JSC::DFG::Plan::notifyReady):
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::finalize):
(JSC::DFG::Plan::iterateCodeBlocksForGC):
(JSC::DFG::Plan::checkLivenessAndVisitChildren):
(JSC::DFG::Plan::isKnownToBeLiveDuringGC):
(JSC::DFG::Plan::isKnownToBeLiveAfterGC):
* dfg/DFGPlan.h:
* dfg/DFGPlanInlines.h: Removed.
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):
* dfg/DFGWorklist.cpp: Removed.
* dfg/DFGWorklist.h: Removed.
* dfg/DFGWorklistInlines.h: Removed.
* ftl/FTLCompile.h:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
(JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
* ftl/FTLState.cpp:
(JSC::FTL::State::State):
* ftl/FTLState.h:
(JSC::FTL::verboseCompilationEnabled):
(JSC::FTL::shouldDumpDisassembly):
* heap/Heap.cpp:
(JSC::Heap::completeAllJITPlans):
(JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
(JSC::Heap::removeDeadCompilerWorklistEntries):
(JSC::Heap::stopThePeriphery):
(JSC::Heap::suspendCompilerThreads):
(JSC::Heap::resumeCompilerThreads):
(JSC::Heap::addCoreConstraints):
* heap/Heap.h:
* heap/RootMarkReason.h:
* jit/JIT.cpp:
(JSC::JIT::compileAndLinkWithoutFinalizing):
(JSC::JIT::codeSize const):
(JSC::JIT::compileTimeStats):
* jit/JIT.h:
* jit/JITBaselinePlan.cpp: Copied from Source/JavaScriptCore/ftl/FTLState.cpp.
(JSC::JITBaselinePlan::JITBaselinePlan):
(JSC::JITBaselinePlan::compileInThreadImpl):
(JSC::JITBaselinePlan::codeSize const):
(JSC::JITBaselinePlan::finalize):
* jit/JITBaselinePlan.h: Copied from Source/JavaScriptCore/dfg/DFGScannable.h.
* jit/JITCompilationKey.cpp: Renamed from Source/JavaScriptCore/dfg/DFGCompilationKey.cpp.
(JSC::JITCompilationKey::dump const):
* jit/JITCompilationKey.h: Renamed from Source/JavaScriptCore/dfg/DFGCompilationKey.h.
(JSC::JITCompilationKey::JITCompilationKey):
(JSC::JITCompilationKey::operator! const):
(JSC::JITCompilationKey::isHashTableDeletedValue const):
(JSC::JITCompilationKey::mode const):
(JSC::JITCompilationKey::operator== const):
(JSC::JITCompilationKey::hash const):
(JSC::JITCompilationKeyHash::hash):
(JSC::JITCompilationKeyHash::equal):
* jit/JITCompilationMode.cpp: Renamed from Source/JavaScriptCore/dfg/DFGCompilationMode.cpp.
(WTF::printInternal):
* jit/JITCompilationMode.h: Renamed from Source/JavaScriptCore/dfg/DFGCompilationMode.h.
(JSC::isFTL):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/JITPlan.cpp: Added.
(JSC::JITPlan::JITPlan):
(JSC::JITPlan::cancel):
(JSC::JITPlan::notifyCompiling):
(JSC::JITPlan::notifyReady):
(JSC::JITPlan::tier const):
(JSC::JITPlan::key):
(JSC::JITPlan::isKnownToBeLiveAfterGC):
(JSC::JITPlan::isKnownToBeLiveDuringGC):
(JSC::JITPlan::iterateCodeBlocksForGC):
(JSC::JITPlan::checkLivenessAndVisitChildren):
(JSC::JITPlan::computeCompileTimes const):
(JSC::JITPlan::reportCompileTimes const):
(JSC::JITPlan::compileInThread):
* jit/JITPlan.h: Added.
(JSC::JITPlan::~JITPlan):
(JSC::JITPlan::vm const):
(JSC::JITPlan::codeBlock const):
(JSC::JITPlan::thread const):
(JSC::JITPlan::mode const):
(JSC::JITPlan::stage const):
(JSC::JITPlan::isFTL const):
(JSC::JITPlan::finalizeInGC):
* jit/JITPlanStage.h: Renamed from Source/JavaScriptCore/dfg/DFGThreadData.cpp.
* jit/JITSafepoint.cpp: Renamed from Source/JavaScriptCore/dfg/DFGSafepoint.cpp.
(JSC::Safepoint::Safepoint):
(JSC::Safepoint::~Safepoint):
(JSC::Safepoint::begin):
(JSC::Safepoint::cancel):
* jit/JITSafepoint.h: Renamed from Source/JavaScriptCore/dfg/DFGSafepoint.h.
* jit/JITScannable.h: Copied from Source/JavaScriptCore/dfg/DFGScannable.h.
* jit/JITWorklist.cpp:
(JSC::JITWorklist::JITWorklist):
(JSC::JITWorklist::~JITWorklist):
(JSC::JITWorklist::existingGlobalWorklistOrNull):
(JSC::JITWorklist::ensureGlobalWorklist):
(JSC::JITWorklist::enqueue):
(JSC::JITWorklist::queueLength const):
(JSC::JITWorklist::suspendAllThreads):
(JSC::JITWorklist::resumeAllThreads):
(JSC::JITWorklist::compilationState):
(JSC::JITWorklist::completeAllReadyPlansForVM):
(JSC::JITWorklist::waitUntilAllPlansForVMAreReady):
(JSC::JITWorklist::completeAllPlansForVM):
(JSC::JITWorklist::cancelAllPlansForVM):
(JSC::JITWorklist::removeDeadPlans):
(JSC::JITWorklist::setMaximumNumberOfConcurrentDFGCompilations):
(JSC::JITWorklist::setMaximumNumberOfConcurrentFTLCompilations):
(JSC::JITWorklist::visitWeakReferences):
(JSC::JITWorklist::dump const):
(JSC::JITWorklist::removeAllReadyPlansForVM):
(JSC::JITWorklist::removeMatchingPlansForVM):
* jit/JITWorklist.h:
(JSC::JITWorklist::static_cast<size_t>):
* jit/JITWorklistInlines.h: Renamed from Source/JavaScriptCore/dfg/DFGScannable.h.
(JSC::JITWorklist::iterateCodeBlocksForGC):
* jit/JITWorklistThread.cpp: Added.
(JSC::JITWorklistThread::JITWorklistThread):
(JSC::JITWorklistThread::name const):
(JSC::JITWorklistThread::poll):
(JSC::JITWorklistThread::work):
(JSC::JITWorklistThread::threadDidStart):
(JSC::JITWorklistThread::threadIsStopping):
* jit/JITWorklistThread.h: Renamed from Source/JavaScriptCore/dfg/DFGThreadData.h.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::jitCompileAndSetHeuristics):
* runtime/OptionsList.h:
* runtime/VM.cpp:
(JSC::VM::~VM):
2021-05-25 Fujii Hironori <Hironori.Fujii@sony.com>
Clang can't compile Optional<GPRTemporary> since r278035 because GPRTemporary has non-const copy constructor
https://bugs.webkit.org/show_bug.cgi?id=226251
Reviewed by Chris Dumez.
WinCairo clang-cl builds reported a compilation error since r278035.
> include\optional(95,5): error: the parameter for this explicitly-defaulted copy constructor is const, but a member or base requires it to be non-const
* dfg/DFGSpeculativeJIT.h: Deleted the const copy ctor instead of the non-const copy ctor.
2021-05-25 Chris Dumez <cdumez@apple.com>
Use UncheckedLock less in JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=226212
Reviewed by Saam Barati.
Use UncheckedLock less in JavaScriptCore as it is being phased out in favor of Lock, which
enables Clang thread safety analysis.
* assembler/testmasm.cpp:
* dfg/DFGCommon.cpp:
* dynbench.cpp:
* heap/Heap.cpp:
* heap/Heap.h:
* inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
* runtime/JSLock.cpp:
* runtime/JSLock.h:
* runtime/VM.h:
2021-05-25 Devin Rousso <drousso@apple.com>
[Modern Media Controls] REGRESSION(r254389) media controls needs the full list of language preferences for ordering tracks
https://bugs.webkit.org/show_bug.cgi?id=226038
Reviewed by Myles C. Maxfield and Eric Carlson.
Media controls need access to the full list of language preferences in order to properly
sort/order the list of tracks in the controls UI. For example, if a `<video>` has subtitles
for English, Spanish, and French, and the user has English (default) and French (alternate)
configured in the Language & Region view of System Preferences on macOS, WebKit should order
the subtitles list English, French, and then Spanish.
* shell/playstation/TestShell.cpp:
(preTest):
Instead of propagating the override, just clear it out.
2021-05-25 Chris Dumez <cdumez@apple.com>
Stop using UncheckedLock in JSC::PerfLog
https://bugs.webkit.org/show_bug.cgi?id=226209
Reviewed by Saam Barati.
Stop using UncheckedLock in JSC::PerfLog and use Lock instead to benefit from Clang thread
safety analysis.
* assembler/PerfLog.cpp:
(JSC::PerfLog::PerfLog):
(JSC::PerfLog::write):
(JSC::PerfLog::flush):
(JSC::PerfLog::log):
* assembler/PerfLog.h:
2021-05-24 Darin Adler <darin@apple.com>
Switch from WTF::Optional to std::optional
https://bugs.webkit.org/show_bug.cgi?id=211674
Reviewed by Chris Dumez.
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::initializeCollator): Use JSObject* instead of
Optional<JSObject&>.
* runtime/IntlDateTimeFormat.cpp:
(JSC::toDateTimeOptionsAnyDate): Ditto.
(JSC::IntlDateTimeFormat::initializeDateTimeFormat): Ditto.
* runtime/IntlDisplayNames.cpp:
(JSC::IntlDisplayNames::initializeDisplayNames): Ditto.
* runtime/IntlListFormat.cpp:
(JSC::IntlListFormat::initializeListFormat): Ditto.
* runtime/IntlLocale.cpp:
(JSC::IntlLocale::initializeLocale): Ditto.
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat): Ditto.
* runtime/IntlNumberFormat.h: Ditto.
* runtime/IntlNumberFormatInlines.h:
(JSC::setNumberFormatDigitOptions): Ditto.
* runtime/IntlObject.cpp:
(JSC::intlBooleanOption): Ditto.
(JSC::intlStringOption): Ditto.
(JSC::intlNumberOption): Ditto.
(JSC::supportedLocales): Ditto.
* runtime/IntlObject.h: Ditto.
* runtime/IntlObjectInlines.h:
(JSC::intlOption): Ditto.
(JSC::intlGetOptionsObject): Ditto.
(JSC::intlCoerceOptionsToObject): Ditto.
* runtime/IntlPluralRules.cpp:
(JSC::IntlPluralRules::initializePluralRules): Ditto.
* runtime/IntlPluralRules.h: Ditto.
* runtime/IntlRelativeTimeFormat.cpp:
(JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat): Ditto.
* runtime/IntlSegmenter.cpp:
(JSC::IntlSegmenter::initializeSegmenter): Ditto.
2021-05-25 Saam Barati <sbarati@apple.com>
Finalize DFG/FTL code refs on the compiler threads
https://bugs.webkit.org/show_bug.cgi?id=226096
Reviewed by Mark Lam.
Previously, link tasks that ran via the addLinkTask API were guaranteed to be
called on the main thread. This is no longer the case. Most link tasks are
happy running on a background thread, since all they're really doing is
linking branches/calls or grabbing labels. However, a few users of addLinkTask were
relying on it running on the main thread. For those users, there is a new
addMainThreadFinalizationTask API, which is now used instead.
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::~LinkBuffer):
(JSC::LinkBuffer::runMainThreadFinalizationTasks):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::cancel):
(JSC::LinkBuffer::addMainThreadFinalizationTask):
(JSC::LinkBuffer::~LinkBuffer): Deleted.
* dfg/DFGFailedFinalizer.cpp:
(JSC::DFG::FailedFinalizer::finalizeFunction): Deleted.
* dfg/DFGFailedFinalizer.h:
* dfg/DFGFinalizer.h:
(JSC::DFG::Finalizer::cancel):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compile):
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::cancel):
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction): Deleted.
(JSC::DFG::JITFinalizer::finalizeCommon): Deleted.
* dfg/DFGJITFinalizer.h:
* dfg/DFGLazyJSValue.cpp:
(JSC::DFG::LazyJSValue::emit const):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
(JSC::DFG::Plan::cancel):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalize):
(JSC::FTL::JITFinalizer::cancel):
(JSC::FTL::JITFinalizer::finalizeFunction): Deleted.
(JSC::FTL::JITFinalizer::finalizeCommon): Deleted.
* ftl/FTLJITFinalizer.h:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLPatchpointExceptionHandle.cpp:
(JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
* ftl/FTLThunks.h:
(JSC::FTL::Thunks::getSlowPathCallThunk):
Add a lock to FTLThunks since we now may be calling into it from more than
one thread at a time.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitVirtualCall):
(JSC::AssemblyHelpers::emitUnlinkedVirtualCall): Deleted.
* jit/AssemblyHelpers.h:
* jit/JIT.cpp:
(JSC::JIT::finalizeOnMainThread):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileCallEvalSlowCase):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileCallEvalSlowCase):
2021-05-25 Mark Lam <mark.lam@apple.com>
Reduce Baseline JIT emitted code size for op_jfalse, op_jtrue, op_get_from_scope, op_resolve_scope.
https://bugs.webkit.org/show_bug.cgi?id=226107
Reviewed by Saam Barati.
Benchmarking with JetStream2 and Speedometer2 on M1 Mac shows that performance is
neutral.
This patch reduces Baseline JIT emitted code side on a run of JetStream2 CLI by
another ~6.6M:
Base New Diff
BaselineJIT: 64955116 (61.946026 MB) 57991704 (55.305199 MB) 0.89x (reduction)
DFG: 36382012 (34.696590 MB) 36540652 (34.847881 MB) 1.00x
Thunk: 23217692 (22.142117 MB) 23115852 (22.044994 MB) 1.00x
InlineCache: 22228140 (21.198406 MB) 22262572 (21.231243 MB) 1.00x
FTL: 6025320 (5.746193 MB) 6164332 (5.878765 MB) 1.02x
Wasm: 2327604 (2.219776 MB) 2297036 (2.190624 MB) 0.99x
YarrJIT: 1547172 (1.475498 MB) 1522584 (1.452049 MB) 0.98x
CSSJIT: 0 0
Uncategorized: 0 0
Cumulative diff since the start of this effort to reduce Baseline JIT code size:
Base New Diff
BaselineJIT: 89089964 (84.962811 MB) 57991704 (55.305199 MB) 0.65x (reduction)
DFG: 39117360 (37.305222 MB) 36540652 (34.847881 MB) 0.93x (reduction)
Thunk: 23230968 (22.154778 MB) 23115852 (22.044994 MB) 1.00x
InlineCache: 22027416 (21.006981 MB) 22262572 (21.231243 MB) 1.01x
FTL: 6575772 (6.271145 MB) 6164332 (5.878765 MB) 0.94x (reduction)
Wasm: 2302724 (2.196049 MB) 2297036 (2.190624 MB) 1.00x
YarrJIT: 1538956 (1.467663 MB) 1522584 (1.452049 MB) 0.99x
CSSJIT: 0 0
Uncategorized: 0 0
* bytecode/CodeBlock.h:
(JSC::CodeBlock::offsetInMetadataTable):
(JSC::CodeBlock::offsetOfMetadataTable):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::branchIfValue):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfTruthy):
(JSC::AssemblyHelpers::branchIfFalsey):
* jit/JIT.cpp:
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_jfalse):
(JSC::JIT::valueIsFalseyGenerator):
(JSC::JIT::emit_op_jtrue):
(JSC::JIT::valueIsTruthyGenerator):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::generateOpResolveScopeThunk):
(JSC::JIT::slow_op_resolve_scopeGenerator):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::generateOpGetFromScopeThunk):
(JSC::JIT::slow_op_get_from_scopeGenerator):
* jit/ThunkGenerators.cpp:
(JSC::popThunkStackPreservesAndHandleExceptionGenerator):
* runtime/GetPutInfo.h:
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::offsetOfGlobalLexicalEnvironment):
(JSC::JSGlobalObject::offsetOfGlobalLexicalBindingEpoch):
2021-05-24 Robin Morisset <rmorisset@apple.com>
When running with --reportTotalPhaseTimes=1, we should also log the max time in a phase
https://bugs.webkit.org/show_bug.cgi?id=226196
Reviewed by Saam Barati.
It is especially useful when looking at DFG phases, since the GC may have to wait for them to finish.
* tools/CompilerTimingScope.cpp:
2021-05-24 Saam Barati <sbarati@apple.com>
Allow CTI stubs to be generated off the main thread
https://bugs.webkit.org/show_bug.cgi?id=226180
Reviewed by Mark Lam.
We make this work by tracking if we're a compiler thread when generating
the CTI stub. If so, it means that the main thread needs to issue a
crossModifyingCodeFence when it's going to run the CTI stub for the first
time.
This patch also does away with pre-generating thunks. Thunks can now generate
other thunks while they're running. To do this, we make JITThunks lock a
recursive lock. The reason this is ok is that we don't have any recursive
thunks in the thunk graph. It's a DAG.
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* jit/JITOpcodes.cpp:
(JSC::JIT::op_check_traps_handlerGenerator):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::slow_op_get_from_scopeGenerator):
(JSC::JIT::slow_op_put_to_scopeGenerator):
* jit/JITThunks.cpp:
(JSC::JITThunks::ctiInternalFunctionCall):
(JSC::JITThunks::ctiInternalFunctionConstruct):
(JSC::JITThunks::ctiStubImpl):
(JSC::JITThunks::ctiStub):
(JSC::JITThunks::ctiSlowPathFunctionStub):
(JSC::JITThunks::existingCTIStub): Deleted.
(JSC::JITThunks::preinitializeCTIThunks): Deleted.
* jit/JITThunks.h:
* jit/SlowPathCall.cpp:
(JSC::JITSlowPathCall::generateThunk):
* jit/ThunkGenerators.cpp:
(JSC::popThunkStackPreservesAndHandleExceptionGenerator):
(JSC::checkExceptionGenerator):
(JSC::virtualThunkFor):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::getCTIInternalFunctionTrampolineFor):
* runtime/VM.h:
2021-05-24 Darin Adler <darin@apple.com>
Remove StringBuilder::appendLiteral
https://bugs.webkit.org/show_bug.cgi?id=226137
Reviewed by Chris Dumez.
* API/tests/PingPongStackOverflowTest.cpp:
(PingPongStackOverflowObject_hasInstance): Use append instead of appendLiteral.
* bindings/ScriptFunctionCall.cpp:
(Deprecated::ScriptCallArgumentHandler::appendArgument): Remove unnecessary cast
from const char* to String, which defeats optimization and has no benefit.
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayPatternNode::toString const): Use append instead of appendLiteral.
(JSC::RestParameterNode::toString const): Ditto.
* heap/HeapSnapshotBuilder.cpp:
(JSC::HeapSnapshotBuilder::json): Use append instead of appendLiteral.
Removed unnecesary use of appendQuotedJSONString to append the result of
snapshotTypeToString and edgeTypeToString, which return a const char* that
never contains characters that require special quoting consideration, so
can be appended efficiently with the normal append function.
* inspector/agents/InspectorAuditAgent.cpp:
(Inspector::InspectorAuditAgent::run): Use makeString instead of StringBuilder.
* inspector/agents/InspectorConsoleAgent.cpp: Use auto for the result of makeString.
* jsc.cpp: Use appned instead of appendLiteral.
* parser/ParserArena.cpp:
(JSC::IdentifierArena::makePrivateIdentifier): Use auto for the result of makeString.
* runtime/ConsoleClient.cpp:
(JSC::ConsoleClient::printConsoleMessage): Use append instead of appendLiteral.
Also use variadic append when practical for better efficiency.
(JSC::ConsoleClient::printConsoleMessageWithArguments): Ditto.
* runtime/DateConversion.cpp:
(JSC::formatDateTime): Ditto.
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::sanitizedToString): Use makeString instead of StringBuilder.
* runtime/ExceptionHelpers.cpp:
(JSC::notAFunctionSourceAppender): Use append instead of appendLiteral.
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::initializeDateTimeFormat): Ditto.
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat): Ditto.
* runtime/JSCustomGetterFunction.cpp:
(JSC::JSCustomGetterFunction::create): Use auto and cut down on reference count
churn by using passing the StringImpl to makeString.
* runtime/JSCustomSetterFunction.cpp:
(JSC::JSCustomSetterFunction::create): Ditto.
* runtime/JSGlobalObjectFunctions.cpp: Use more const and use variadic
append for better efficiency.
* runtime/JSONObject.cpp:
(JSC::Stringifier::appendStringifiedValue): Use append instead of appendLiteral.
(JSC::Stringifier::Holder::appendNextProperty): Ditto.
* runtime/JSStringJoiner.h: Deleted unused appendLiteral function.
Unrelated to StringBuilder::appendLiteral, but dead code.
* runtime/Options.cpp:
(JSC::Options::dumpOption): Use append instead of appendLiteral.
* runtime/RegExpPrototype.cpp:
(JSC::appendLineTerminatorEscape<UChar>): Ditto.
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::reportTopFunctions): Use auto for the result of makeString.
(JSC::SamplingProfiler::reportTopBytecodes): Ditto.
* runtime/TypeProfiler.cpp:
(JSC::TypeProfiler::typeInformationForExpressionAtOffset): Use append instead of
appendLiteral.
* runtime/TypeSet.cpp:
(JSC::TypeSet::dumpTypes const): Use append instead of appendLiteral.
(JSC::TypeSet::toJSONString const): Ditto.
(JSC::StructureShape::propertyHash): Ditto.
(JSC::StructureShape::toJSONString const): Ditto.
2021-05-24 Keith Miller <keith_miller@apple.com>
Unreviewed, revert r276610 because it causes a 1% PLT regression.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::JITData::size const): Deleted.
* bytecode/CodeBlock.h:
* jit/JITCodeMap.h:
(JSC::JITCodeMap::memorySize const): Deleted.
2021-05-24 Chris Dumez <cdumez@apple.com>
Drop CheckedLock / CheckedCondition aliases
https://bugs.webkit.org/show_bug.cgi?id=226176
Reviewed by Kate Cheney.
Drop CheckedLock / CheckedCondition aliases now that they are the default.
* API/JSVirtualMachine.mm:
* API/glib/JSCVirtualMachine.cpp:
* assembler/PerfLog.h:
* assembler/testmasm.cpp:
* bytecode/StructureStubInfo.h:
* bytecode/SuperSampler.cpp:
* dfg/DFGCommon.cpp:
* dfg/DFGCommonData.cpp:
* dfg/DFGPlan.h:
* dfg/DFGThreadData.h:
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::Worklist):
* dfg/DFGWorklist.h:
* disassembler/Disassembler.cpp:
* dynbench.cpp:
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::parallelNotEmptyBlockSource):
* heap/BlockDirectory.h:
(JSC::BlockDirectory::bitvectorLock):
* heap/CodeBlockSet.h:
(JSC::CodeBlockSet::getLock):
* heap/Heap.cpp:
(JSC::Heap::Heap):
* heap/Heap.h:
* heap/IsoSubspacePerVM.h:
* heap/MarkedSpace.h:
(JSC::MarkedSpace::directoryLock):
* heap/MarkingConstraintSolver.h:
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::donateKnownParallel):
* heap/SlotVisitor.h:
* inspector/remote/socket/RemoteInspectorConnectionClient.h:
* inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
* jit/ExecutableAllocator.cpp:
(JSC::ExecutableAllocator::getLock const):
(JSC::dumpJITMemory):
* jit/ExecutableAllocator.h:
(JSC::ExecutableAllocatorBase::getLock const):
* jit/JITWorklist.cpp:
(JSC::JITWorklist::JITWorklist):
* jit/JITWorklist.h:
* jsc.cpp:
* profiler/ProfilerDatabase.h:
* runtime/ConcurrentJSLock.h:
* runtime/DeferredWorkTimer.h:
* runtime/JSLock.h:
* runtime/SamplingProfiler.cpp:
(JSC::FrameWalker::FrameWalker):
(JSC::CFrameWalker::CFrameWalker):
(JSC::SamplingProfiler::takeSample):
* runtime/SamplingProfiler.h:
(JSC::SamplingProfiler::getLock):
* runtime/VM.h:
* runtime/VMTraps.cpp:
(JSC::VMTraps::invalidateCodeBlocksOnStack):
(JSC::VMTraps::VMTraps):
* runtime/VMTraps.h:
* tools/FunctionOverrides.h:
* tools/VMInspector.cpp:
(JSC::ensureIsSafeToLock):
* tools/VMInspector.h:
(JSC::VMInspector::getLock):
* wasm/WasmCalleeRegistry.h:
(JSC::Wasm::CalleeRegistry::getLock):
* wasm/WasmPlan.h:
* wasm/WasmStreamingCompiler.h:
* wasm/WasmThunks.h:
* wasm/WasmWorklist.cpp:
(JSC::Wasm::Worklist::Worklist):
* wasm/WasmWorklist.h:
2021-05-23 Chris Dumez <cdumez@apple.com>
Make CheckedLock the default Lock
https://bugs.webkit.org/show_bug.cgi?id=226157
Reviewed by Darin Adler.
Make CheckedLock the default Lock so that we get more benefits from Clang
Thread Safety Analysis. Note that CheckedLock 100% relies on the existing
Lock implementation and merely adds the clang anotations for thread
safety.
That this patch does is:
1. Rename the Lock class to UncheckedLock
2. Rename the CheckedLock class to Lock
3. Rename the Condition class to UncheckedCondition
4. Rename the CheckedCondition class to Condition
5. Update the types of certain variables from Lock / Condition to
UncheckedLock / UncheckedCondition if I got a build failure. Build
failures are usually caused by the following facts:
- Locker<CheckedLock> doesn't subclass AbstractLocker which a lot of
JSC code passes as argument
- Locker<CheckedLock> has no move constructor
- Locker<CheckedLock> cannot be constructed from a lock pointer, only
a reference
For now, CheckedLock and CheckedCondition remain as aliases to Lock and
Condition, in their respective CheckedLock.h / CheckedCondition.h headers.
I will drop them in a follow-up to reduce patch size.
I will also follow-up to try and get rid of as much usage of UncheckedLock
and UncheckedCondition as possible. I did not try very hard in this patch
to reduce patch size.
* assembler/testmasm.cpp:
* dfg/DFGCommon.cpp:
* dfg/DFGThreadData.h:
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::Worklist):
* dfg/DFGWorklist.h:
* dynbench.cpp:
* heap/BlockDirectory.h:
(JSC::BlockDirectory::bitvectorLock):
* heap/CodeBlockSet.h:
(JSC::CodeBlockSet::getLock):
* heap/Heap.cpp:
(JSC::Heap::Heap):
* heap/Heap.h:
* heap/MarkedSpace.h:
(JSC::MarkedSpace::directoryLock):
* heap/MarkingConstraintSolver.h:
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::donateKnownParallel):
* heap/SlotVisitor.h:
* jit/ExecutableAllocator.cpp:
(JSC::ExecutableAllocator::getLock const):
(JSC::dumpJITMemory):
* jit/ExecutableAllocator.h:
(JSC::ExecutableAllocatorBase::getLock const):
* jit/JITWorklist.cpp:
(JSC::JITWorklist::JITWorklist):
* jit/JITWorklist.h:
* jsc.cpp:
* profiler/ProfilerDatabase.h:
* runtime/ConcurrentJSLock.h:
* runtime/DeferredWorkTimer.h:
* runtime/JSLock.h:
* runtime/SamplingProfiler.cpp:
(JSC::FrameWalker::FrameWalker):
(JSC::CFrameWalker::CFrameWalker):
(JSC::SamplingProfiler::takeSample):
* runtime/SamplingProfiler.h:
(JSC::SamplingProfiler::getLock):
* runtime/VM.h:
* runtime/VMTraps.cpp:
(JSC::VMTraps::invalidateCodeBlocksOnStack):
(JSC::VMTraps::VMTraps):
* runtime/VMTraps.h:
* tools/FunctionOverrides.h:
* tools/VMInspector.cpp:
(JSC::ensureIsSafeToLock):
* tools/VMInspector.h:
(JSC::VMInspector::getLock):
* wasm/WasmCalleeRegistry.h:
(JSC::Wasm::CalleeRegistry::getLock):
* wasm/WasmPlan.h:
* wasm/WasmStreamingCompiler.h:
* wasm/WasmThunks.h:
* wasm/WasmWorklist.cpp:
(JSC::Wasm::Worklist::Worklist):
* wasm/WasmWorklist.h:
2021-05-23 Mark Lam <mark.lam@apple.com>
Remove some now invalid tests in testmasm.
https://bugs.webkit.org/show_bug.cgi?id=226155
Reviewed by Yusuke Suzuki.
The ARM64E tests were checking that cageConditionallyAndUntag() would fail to
produce a caged pointer if fed invalid values. These tests are no longer feasible
because on ARM64E, feeding cageConditionallyAndUntag() invalid values will now
result in a crash. This patch removes these tests.
* assembler/testmasm.cpp:
(JSC::testCagePreservesPACFailureBit):
2021-05-23 Mark Lam <mark.lam@apple.com>
Remove ENABLE(MASM_PROBE) flag.
https://bugs.webkit.org/show_bug.cgi?id=226154
Reviewed by Yusuke Suzuki.
* assembler/MacroAssembler.cpp:
* assembler/MacroAssembler.h:
* assembler/MacroAssemblerARM64.cpp:
* assembler/MacroAssemblerARMv7.cpp:
(JSC::MacroAssembler::probe):
* assembler/MacroAssemblerMIPS.cpp:
(JSC::MacroAssembler::probe):
* assembler/MacroAssemblerPrinter.cpp:
* assembler/MacroAssemblerPrinter.h:
* assembler/MacroAssemblerX86Common.cpp:
(JSC::MacroAssembler::probe):
* assembler/ProbeContext.cpp:
* assembler/ProbeContext.h:
* assembler/ProbeFrame.h:
* assembler/ProbeStack.cpp:
* assembler/ProbeStack.h:
* assembler/testmasm.cpp:
(JSC::isSpecialGPR):
(JSC::testClearBits64WithMask):
(JSC::testClearBits64WithMaskTernary):
(JSC::testShiftAndAdd):
(JSC::testProbeModifiesStackValues):
(JSC::run):
* b3/B3LowerToAir.cpp:
* b3/air/AirPrintSpecial.cpp:
* b3/air/AirPrintSpecial.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* tools/JSDollarVM.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION_WITH_ATTRIBUTES):
2021-05-23 Chris Dumez <cdumez@apple.com>
Use CheckedLock in even more places
https://bugs.webkit.org/show_bug.cgi?id=226152
Reviewed by Darin Adler.
Use CheckedLock in even more places to benefit from Clang Thread Safety Analysis.
* API/JSVirtualMachine.mm:
(WTF_REQUIRES_LOCK):
* API/glib/JSCVirtualMachine.cpp:
* bytecode/StructureStubInfo.h:
* bytecode/SuperSampler.cpp:
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::invalidate):
(JSC::DFG::CommonData::~CommonData):
(JSC::DFG::CommonData::installVMTrapBreakpoints):
(JSC::DFG::codeBlockForVMTrapPC):
* dfg/DFGPlan.h:
(JSC::DFG::Plan::WTF_GUARDED_BY_LOCK):
* disassembler/Disassembler.cpp:
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::parallelNotEmptyBlockSource):
* heap/Heap.h:
* heap/IsoSubspacePerVM.h:
* inspector/remote/socket/RemoteInspectorConnectionClient.h:
2021-05-23 Ross Kirsling <ross.kirsling@sony.com>
Unreviewed. Fix JSC Debug tests for r277926.
* jit/JITThunks.cpp:
(JSC::JITThunks::preinitializeCTIThunks):
Address oversight, made visible by the assertion added in r277850.
2021-05-23 Chris Dumez <cdumez@apple.com>
Drop WTF::tryHoldLock() as it is incompatible with Clang Thread Safety Analysis
https://bugs.webkit.org/show_bug.cgi?id=226145
Reviewed by Darin Adler.
Drop WTF::tryHoldLock() as it is incompatible with Clang Thread Safety Analysis.
Instead, use the following pattern which is supported:
```
if (lock.tryLock()) {
Locker locker { AdoptLock, lock };
// ...
}
```
* heap/Heap.cpp:
(JSC::Heap::resumeThePeriphery):
* runtime/VMTraps.cpp:
(JSC::VMTraps::tryInstallTrapBreakpoints):
2021-05-22 Mark Lam <mark.lam@apple.com>
Use singleton thunks for virtual calls.
https://bugs.webkit.org/show_bug.cgi?id=226149
rdar://problem/78357604
Reviewed by Yusuke Suzuki.
Change virtualThunkFor() to return 1 of 6 possible singleton thunks.
These thunks are cached via vm.jitStubs->ctiStubs().
This change saves us ~16M of executable JIT memory (for the unique thunks) on a
single run of Speedometer2. On an M1 Mac, switching to singleton thunks here also
appears to be a 1.012x speed up on Speedometer2. Performance is neutral on
JetStream2.
* jit/JITThunks.cpp:
(JSC::JITThunks::ctiInternalFunctionCall):
(JSC::JITThunks::ctiInternalFunctionConstruct):
* jit/JITThunks.h:
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::virtualThunkForRegularCall):
(JSC::virtualThunkForRegularConstruct):
(JSC::virtualThunkForTailCall):
(JSC::virtualThunkForTailConstruct):
(JSC::virtualThunkForConstructCall):
(JSC::virtualThunkForConstructConstruct):
* runtime/VM.cpp:
(JSC::VM::getCTIInternalFunctionTrampolineFor):
* runtime/VM.h:
2021-05-22 Mark Lam <mark.lam@apple.com>
Enhance Link Buffer stats to have more fine grain profiles, and to collect count information.
https://bugs.webkit.org/show_bug.cgi?id=226151
rdar://problem/78359436
Reviewed by Yusuke Suzuki.
And also add a total of the sizes.
Also added $vm.clearLinkBufferStats() which resets all the stats to 0.
Here's an example of that the new stats look like:
Cummulative LinkBuffer profile sizes:
BaselineJIT: 61092032 (58.261902 MB) count 11621 avg size 5257
DFG: 35387904 (33.748535 MB) count 11143 avg size 3175
InlineCache: 19639155 (18.729358 MB) count 283890 avg size 69
VirtualThunk: 14256800 (13.596344 MB) count 43900 avg size 324
DFGOSRExit: 7636736 (7.282959 MB) count 5235 avg size 1458
FTL: 4927616 (4.699341 MB) count 5269 avg size 935
Wasm: 2134688 (2.035797 MB) count 847 avg size 2520
YarrJIT: 1320928 (1.259735 MB) count 2075 avg size 636
FTLOSRExit: 1084096 (1.033875 MB) count 417 avg size 2599
WasmThunk: 41408 (40.437500 KB) count 252 avg size 164
FTLThunk: 25088 (24.500000 KB) count 426 avg size 58
ExtraCTIThunk: 5984 (5.843750 KB) count 95 avg size 62
SpecializedThunk: 3456 (3.375000 KB) count 19 avg size 181
Thunk: 1760 (1.718750 KB) count 10 avg size 176
BoundFunctionThunk: 864 count 3 avg size 288
LLIntThunk: 608 count 18 avg size 33
DFGThunk: 608 count 1 avg size 608
DFGOSREntry: 160 count 1 avg size 160
JumpIsland: 0
CSSJIT: 0
Uncategorized: 0
Total: 147559891 (140.724078 MB)
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::performFinalization):
(JSC::LinkBuffer::clearProfileStatistics):
(JSC::LinkBuffer::dumpProfileStatistics):
* assembler/LinkBuffer.h:
* dfg/DFGOSRExit.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/ExecutableAllocator.cpp:
* jit/JITOpcodes.cpp:
(JSC::JIT::op_ret_handlerGenerator):
(JSC::JIT::op_throw_handlerGenerator):
(JSC::JIT::op_enter_handlerGenerator):
(JSC::JIT::op_check_traps_handlerGenerator):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::slow_op_get_by_val_prepareCallGenerator):
(JSC::JIT::slow_op_get_private_name_prepareCallGenerator):
(JSC::JIT::slow_op_put_by_val_prepareCallGenerator):
(JSC::JIT::slow_op_put_private_name_prepareCallGenerator):
(JSC::JIT::slow_op_del_by_id_prepareCallGenerator):
(JSC::JIT::slow_op_del_by_val_prepareCallGenerator):
(JSC::JIT::slow_op_get_by_id_prepareCallGenerator):
(JSC::JIT::slow_op_get_by_id_with_this_prepareCallGenerator):
(JSC::JIT::slow_op_put_by_id_prepareCallGenerator):
(JSC::JIT::slow_op_get_from_scopeGenerator):
(JSC::JIT::slow_op_put_to_scopeGenerator):
* jit/SlowPathCall.cpp:
(JSC::JITSlowPathCall::generateThunk):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
* jit/ThunkGenerators.cpp:
(JSC::handleExceptionGenerator):
(JSC::handleExceptionWithCallFrameRollbackGenerator):
(JSC::popThunkStackPreservesAndHandleExceptionGenerator):
(JSC::checkExceptionGenerator):
(JSC::virtualThunkFor):
(JSC::boundFunctionCallGenerator):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
(JSC::LLInt::generateThunkWithJumpToPrologue):
(JSC::LLInt::generateThunkWithJumpToLLIntReturnPoint):
(JSC::LLInt::getHostCallReturnValueThunk):
(JSC::LLInt::createJSGateThunk):
(JSC::LLInt::createWasmGateThunk):
(JSC::LLInt::createTailCallGate):
(JSC::LLInt::loopOSREntryGateThunk):
(JSC::LLInt::entryOSREntryGateThunk):
(JSC::LLInt::wasmOSREntryGateThunk):
(JSC::LLInt::exceptionHandlerGateThunk):
(JSC::LLInt::returnFromLLIntGateThunk):
(JSC::LLInt::tagGateThunk):
(JSC::LLInt::untagGateThunk):
(JSC::LLInt::jitCagePtrThunk):
* tools/JSDollarVM.cpp:
(JSC::JSDollarVM::finishCreation):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGEntryTierUpThunkGenerator):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
2021-05-22 Ross Kirsling <ross.kirsling@sony.com>
Support Ergonomic Brand Checks proposal (`#x in obj`)
https://bugs.webkit.org/show_bug.cgi?id=221093
Reviewed by Caio Araujo Neponoceno de Lima.
This patch implements the following Stage 3 proposal (behind a runtime option):
https://github.com/tc39/proposal-private-fields-in-in
Specifically, it extends the `in` keyword to allow the LHS to be a private name,
thereby allowing users to implement Array.isArray-esque brand checks for their own classes
*without* having to wrap a private member get in a try-catch.
For example:
```
class C {
#x;
static isC(obj) { return #x in obj; }
}
```
This is done by adding two new bytecode ops, HasPrivateName and HasPrivateBrand. For the moment,
these are implemented without fast paths, as we should do so for InByVal first and then have these follow suit.
* bytecode/BytecodeList.rb:
* bytecode/BytecodeUseDef.cpp:
(JSC::computeUsesForBytecodeIndexImpl):
(JSC::computeDefsForBytecodeIndexImpl):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitHasPrivateName):
(JSC::BytecodeGenerator::emitHasPrivateBrand):
(JSC::BytecodeGenerator::emitCheckPrivateBrand):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::InNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileHasPrivateName):
(JSC::DFG::SpeculativeJIT::compileHasPrivateBrand):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileHasPrivateName):
(JSC::FTL::DFG::LowerDFGToB3::compileHasPrivateBrand):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/JITOperations.h:
* llint/LowLevelInterpreter.asm:
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createPrivateIdentifierNode):
* parser/NodeConstructors.h:
(JSC::PrivateIdentifierNode::PrivateIdentifierNode):
* parser/Nodes.h:
(JSC::ExpressionNode::isPrivateIdentifier const):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseBinaryExpression):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createPrivateIdentifierNode):
* parser/VariableEnvironment.h:
* runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* runtime/CommonSlowPaths.h:
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::hasPrivateField):
(JSC::JSObject::hasPrivateBrand):
(JSC::JSObject::checkPrivateBrand):
* runtime/OptionsList.h:
2021-05-22 Chris Dumez <cdumez@apple.com>
Replace LockHolder with Locker in local variables
https://bugs.webkit.org/show_bug.cgi?id=226133
Reviewed by Darin Adler.
Replace LockHolder with Locker in local variables. It is shorter and it allows switching the lock
type more easily since the compiler with deduce the lock type T for Locker<T>.
* API/JSCallbackObject.h:
(JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
(JSC::JSCallbackObjectData::JSPrivatePropertyMap::deletePrivateProperty):
(JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
* API/JSValue.mm:
(handerForStructTag):
* API/tests/testapi.cpp:
(testCAPIViaCpp):
* assembler/testmasm.cpp:
(JSC::run):
* b3/air/testair.cpp:
* b3/testb3_1.cpp:
(run):
* bytecode/DirectEvalCodeCache.cpp:
(JSC::DirectEvalCodeCache::setSlow):
(JSC::DirectEvalCodeCache::clear):
(JSC::DirectEvalCodeCache::visitAggregateImpl):
* bytecode/SuperSampler.cpp:
(JSC::initializeSuperSampler):
(JSC::resetSuperSamplerState):
(JSC::printSuperSamplerState):
(JSC::enableSuperSampler):
(JSC::disableSuperSampler):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::invalidate):
(JSC::DFG::CommonData::~CommonData):
(JSC::DFG::CommonData::installVMTrapBreakpoints):
(JSC::DFG::codeBlockForVMTrapPC):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::~Worklist):
(JSC::DFG::Worklist::finishCreation):
(JSC::DFG::Worklist::isActiveForVM const):
(JSC::DFG::Worklist::enqueue):
(JSC::DFG::Worklist::compilationState):
(JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
(JSC::DFG::Worklist::removeAllReadyPlansForVM):
(JSC::DFG::Worklist::completeAllReadyPlansForVM):
(JSC::DFG::Worklist::visitWeakReferences):
(JSC::DFG::Worklist::removeDeadPlans):
(JSC::DFG::Worklist::removeNonCompilingPlansForVM):
(JSC::DFG::Worklist::queueLength):
(JSC::DFG::Worklist::dump const):
(JSC::DFG::Worklist::setNumberOfThreads):
* dfg/DFGWorklistInlines.h:
(JSC::DFG::Worklist::iterateCodeBlocksForGC):
* disassembler/Disassembler.cpp:
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::addBlock):
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterateCurrentlyExecuting):
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::add):
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::collectAsync):
(JSC::Heap::runBeginPhase):
(JSC::Heap::waitForCollector):
(JSC::Heap::requestCollection):
(JSC::Heap::notifyIsSafeToCollect):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::didReachTermination):
* inspector/agents/InspectorScriptProfilerAgent.cpp:
(Inspector::InspectorScriptProfilerAgent::startTracking):
(Inspector::InspectorScriptProfilerAgent::trackingComplete):
(Inspector::InspectorScriptProfilerAgent::stopSamplingWhenDisconnecting):
* inspector/remote/RemoteConnectionToTarget.cpp:
(Inspector::RemoteConnectionToTarget::setup):
(Inspector::RemoteConnectionToTarget::sendMessageToTarget):
(Inspector::RemoteConnectionToTarget::close):
(Inspector::RemoteConnectionToTarget::targetClosed):
* inspector/remote/RemoteInspector.cpp:
(Inspector::RemoteInspector::registerTarget):
(Inspector::RemoteInspector::unregisterTarget):
(Inspector::RemoteInspector::updateTarget):
(Inspector::RemoteInspector::updateClientCapabilities):
(Inspector::RemoteInspector::setClient):
(Inspector::RemoteInspector::setupFailed):
(Inspector::RemoteInspector::setupCompleted):
(Inspector::RemoteInspector::stop):
* inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
(Inspector::RemoteTargetHandleRunSourceGlobal):
(Inspector::RemoteTargetQueueTaskOnGlobalQueue):
(Inspector::RemoteTargetHandleRunSourceWithInfo):
(Inspector::RemoteConnectionToTarget::setup):
(Inspector::RemoteConnectionToTarget::targetClosed):
(Inspector::RemoteConnectionToTarget::close):
(Inspector::RemoteConnectionToTarget::sendMessageToTarget):
(Inspector::RemoteConnectionToTarget::queueTaskOnPrivateRunLoop):
* inspector/remote/cocoa/RemoteInspectorCocoa.mm:
(Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
(Inspector::RemoteInspector::sendMessageToRemote):
(Inspector::RemoteInspector::start):
(Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
(Inspector::RemoteInspector::setParentProcessInformation):
(Inspector::RemoteInspector::xpcConnectionReceivedMessage):
(Inspector::RemoteInspector::xpcConnectionFailed):
(Inspector::RemoteInspector::pushListingsSoon):
(Inspector::RemoteInspector::receivedIndicateMessage):
(Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
* inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
(Inspector::RemoteInspectorXPCConnection::close):
(Inspector::RemoteInspectorXPCConnection::closeFromMessage):
(Inspector::RemoteInspectorXPCConnection::deserializeMessage):
(Inspector::RemoteInspectorXPCConnection::handleEvent):
* inspector/remote/glib/RemoteInspectorGlib.cpp:
(Inspector::RemoteInspector::start):
(Inspector::RemoteInspector::setupConnection):
(Inspector::RemoteInspector::pushListingsSoon):
(Inspector::RemoteInspector::sendMessageToRemote):
(Inspector::RemoteInspector::receivedGetTargetListMessage):
(Inspector::RemoteInspector::receivedDataMessage):
(Inspector::RemoteInspector::receivedCloseMessage):
(Inspector::RemoteInspector::setup):
* inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
(Inspector::RemoteInspectorConnectionClient::didReceive):
* inspector/remote/socket/RemoteInspectorSocket.cpp:
(Inspector::RemoteInspector::didClose):
(Inspector::RemoteInspector::start):
(Inspector::RemoteInspector::pushListingsSoon):
(Inspector::RemoteInspector::setup):
(Inspector::RemoteInspector::setupInspectorClient):
(Inspector::RemoteInspector::frontendDidClose):
(Inspector::RemoteInspector::sendMessageToBackend):
(Inspector::RemoteInspector::startAutomationSession):
* inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
(Inspector::RemoteInspectorSocketEndpoint::listenInet):
(Inspector::RemoteInspectorSocketEndpoint::isListening):
(Inspector::RemoteInspectorSocketEndpoint::workerThread):
(Inspector::RemoteInspectorSocketEndpoint::createClient):
(Inspector::RemoteInspectorSocketEndpoint::disconnect):
(Inspector::RemoteInspectorSocketEndpoint::invalidateClient):
(Inspector::RemoteInspectorSocketEndpoint::invalidateListener):
(Inspector::RemoteInspectorSocketEndpoint::getPort const):
(Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
(Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
(Inspector::RemoteInspectorSocketEndpoint::send):
(Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
* interpreter/CLoopStack.cpp:
(JSC::CLoopStack::addToCommittedByteCount):
(JSC::CLoopStack::committedByteCount):
* jit/ExecutableAllocator.cpp:
(JSC::dumpJITMemory):
* jit/ICStats.cpp:
(JSC::ICStats::ICStats):
(JSC::ICStats::~ICStats):
* jit/JITThunks.cpp:
(JSC::JITThunks::ctiStub):
(JSC::JITThunks::existingCTIStub):
(JSC::JITThunks::ctiSlowPathFunctionStub):
* jit/JITWorklist.cpp:
(JSC::JITWorklist::Plan::compileInThread):
(JSC::JITWorklist::Plan::isFinishedCompiling):
(JSC::JITWorklist::JITWorklist):
(JSC::JITWorklist::completeAllForVM):
(JSC::JITWorklist::poll):
(JSC::JITWorklist::compileLater):
(JSC::JITWorklist::finalizePlans):
* parser/SourceProvider.cpp:
(JSC::SourceProvider::getID):
* profiler/ProfilerDatabase.cpp:
(JSC::Profiler::Database::ensureBytecodesFor):
(JSC::Profiler::Database::notifyDestruction):
(JSC::Profiler::Database::addCompilation):
(JSC::Profiler::Database::logEvent):
(JSC::Profiler::Database::addDatabaseToAtExit):
(JSC::Profiler::Database::removeDatabaseFromAtExit):
(JSC::Profiler::Database::removeFirstAtExitDatabase):
* profiler/ProfilerUID.cpp:
(JSC::Profiler::UID::create):
* runtime/DeferredWorkTimer.cpp:
(JSC::DeferredWorkTimer::scheduleWorkSoon):
(JSC::DeferredWorkTimer::didResumeScriptExecutionOwner):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::timerLoop):
(JSC::SamplingProfiler::shutdown):
(JSC::SamplingProfiler::start):
(JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
(JSC::SamplingProfiler::noticeJSLockAcquisition):
(JSC::SamplingProfiler::noticeVMEntry):
(JSC::SamplingProfiler::registerForReportAtExit):
* runtime/Watchdog.cpp:
(JSC::Watchdog::startTimer):
(JSC::Watchdog::willDestroyVM):
* tools/VMInspector.cpp:
(JSC::VMInspector::isValidExecutableMemory):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::work):
* wasm/WasmEntryPlan.cpp:
(JSC::Wasm::EntryPlan::ThreadCountHolder::ThreadCountHolder):
(JSC::Wasm::EntryPlan::ThreadCountHolder::~ThreadCountHolder):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::addCompletionTask):
(JSC::Wasm::Plan::waitForCompletion):
(JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
* wasm/WasmSignature.cpp:
(JSC::Wasm::SignatureInformation::signatureFor):
(JSC::Wasm::SignatureInformation::tryCleanup):
* wasm/WasmWorklist.cpp:
(JSC::Wasm::Worklist::enqueue):
(JSC::Wasm::Worklist::completePlanSynchronously):
(JSC::Wasm::Worklist::stopAllPlansForContext):
(JSC::Wasm::Worklist::Worklist):
(JSC::Wasm::Worklist::~Worklist):
2021-05-22 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r277913.
https://bugs.webkit.org/show_bug.cgi?id=226140
Caused multiple layout-test crash on mac debug queues
Reverted changeset:
"Replace LockHolder with Locker in local variables"
https://bugs.webkit.org/show_bug.cgi?id=226133
https://trac.webkit.org/changeset/277913
2021-05-21 Chris Dumez <cdumez@apple.com>
Remove WTF::holdLock() / WTF::holdLockIf()
https://bugs.webkit.org/show_bug.cgi?id=226135
Reviewed by Darin Adler.
Remove WTF::holdLock() / WTF::holdLockIf() because they are not compatible with
Clang Thread Safety Analysis. All call sites have been converted to use the Locker
constructor directly.
* heap/LockDuringMarking.h:
(JSC::lockDuringMarking):
2021-05-21 Chris Dumez <cdumez@apple.com>
Replace LockHolder with Locker in local variables
https://bugs.webkit.org/show_bug.cgi?id=226133
Reviewed by Darin Adler.
Replace LockHolder with Locker in local variables. It is shorter and it allows switching the lock
type more easily since the compiler with deduce the lock type T for Locker<T>.
* API/JSCallbackObject.h:
(JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
(JSC::JSCallbackObjectData::JSPrivatePropertyMap::deletePrivateProperty):
(JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
* API/JSValue.mm:
(handerForStructTag):
* API/tests/testapi.cpp:
(testCAPIViaCpp):
* assembler/testmasm.cpp:
(JSC::run):
* b3/air/testair.cpp:
* b3/testb3_1.cpp:
(run):
* bytecode/DirectEvalCodeCache.cpp:
(JSC::DirectEvalCodeCache::setSlow):
(JSC::DirectEvalCodeCache::clear):
(JSC::DirectEvalCodeCache::visitAggregateImpl):
* bytecode/SuperSampler.cpp:
(JSC::initializeSuperSampler):
(JSC::resetSuperSamplerState):
(JSC::printSuperSamplerState):
(JSC::enableSuperSampler):
(JSC::disableSuperSampler):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::invalidate):
(JSC::DFG::CommonData::~CommonData):
(JSC::DFG::CommonData::installVMTrapBreakpoints):
(JSC::DFG::codeBlockForVMTrapPC):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::~Worklist):
(JSC::DFG::Worklist::finishCreation):
(JSC::DFG::Worklist::isActiveForVM const):
(JSC::DFG::Worklist::enqueue):
(JSC::DFG::Worklist::compilationState):
(JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
(JSC::DFG::Worklist::removeAllReadyPlansForVM):
(JSC::DFG::Worklist::completeAllReadyPlansForVM):
(JSC::DFG::Worklist::visitWeakReferences):
(JSC::DFG::Worklist::removeDeadPlans):
(JSC::DFG::Worklist::removeNonCompilingPlansForVM):
(JSC::DFG::Worklist::queueLength):
(JSC::DFG::Worklist::dump const):
(JSC::DFG::Worklist::setNumberOfThreads):
* dfg/DFGWorklistInlines.h:
(JSC::DFG::Worklist::iterateCodeBlocksForGC):
* disassembler/Disassembler.cpp:
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::addBlock):
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterateCurrentlyExecuting):
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::add):
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::collectAsync):
(JSC::Heap::runBeginPhase):
(JSC::Heap::waitForCollector):
(JSC::Heap::requestCollection):
(JSC::Heap::notifyIsSafeToCollect):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::didReachTermination):
* inspector/agents/InspectorScriptProfilerAgent.cpp:
(Inspector::InspectorScriptProfilerAgent::startTracking):
(Inspector::InspectorScriptProfilerAgent::trackingComplete):
(Inspector::InspectorScriptProfilerAgent::stopSamplingWhenDisconnecting):
* inspector/remote/RemoteConnectionToTarget.cpp:
(Inspector::RemoteConnectionToTarget::setup):
(Inspector::RemoteConnectionToTarget::sendMessageToTarget):
(Inspector::RemoteConnectionToTarget::close):
(Inspector::RemoteConnectionToTarget::targetClosed):
* inspector/remote/RemoteInspector.cpp:
(Inspector::RemoteInspector::registerTarget):
(Inspector::RemoteInspector::unregisterTarget):
(Inspector::RemoteInspector::updateTarget):
(Inspector::RemoteInspector::updateClientCapabilities):
(Inspector::RemoteInspector::setClient):
(Inspector::RemoteInspector::setupFailed):
(Inspector::RemoteInspector::setupCompleted):
(Inspector::RemoteInspector::stop):
* inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
(Inspector::RemoteTargetHandleRunSourceGlobal):
(Inspector::RemoteTargetQueueTaskOnGlobalQueue):
(Inspector::RemoteTargetHandleRunSourceWithInfo):
(Inspector::RemoteConnectionToTarget::setup):
(Inspector::RemoteConnectionToTarget::targetClosed):
(Inspector::RemoteConnectionToTarget::close):
(Inspector::RemoteConnectionToTarget::sendMessageToTarget):
(Inspector::RemoteConnectionToTarget::queueTaskOnPrivateRunLoop):
* inspector/remote/cocoa/RemoteInspectorCocoa.mm:
(Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
(Inspector::RemoteInspector::sendMessageToRemote):
(Inspector::RemoteInspector::start):
(Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
(Inspector::RemoteInspector::setParentProcessInformation):
(Inspector::RemoteInspector::xpcConnectionReceivedMessage):
(Inspector::RemoteInspector::xpcConnectionFailed):
(Inspector::RemoteInspector::pushListingsSoon):
(Inspector::RemoteInspector::receivedIndicateMessage):
(Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
* inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
(Inspector::RemoteInspectorXPCConnection::close):
(Inspector::RemoteInspectorXPCConnection::closeFromMessage):
(Inspector::RemoteInspectorXPCConnection::deserializeMessage):
(Inspector::RemoteInspectorXPCConnection::handleEvent):
* inspector/remote/glib/RemoteInspectorGlib.cpp:
(Inspector::RemoteInspector::start):
(Inspector::RemoteInspector::setupConnection):
(Inspector::RemoteInspector::pushListingsSoon):
(Inspector::RemoteInspector::sendMessageToRemote):
(Inspector::RemoteInspector::receivedGetTargetListMessage):
(Inspector::RemoteInspector::receivedDataMessage):
(Inspector::RemoteInspector::receivedCloseMessage):
(Inspector::RemoteInspector::setup):
* inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
(Inspector::RemoteInspectorConnectionClient::didReceive):
* inspector/remote/socket/RemoteInspectorSocket.cpp:
(Inspector::RemoteInspector::didClose):
(Inspector::RemoteInspector::start):
(Inspector::RemoteInspector::pushListingsSoon):
(Inspector::RemoteInspector::setup):
(Inspector::RemoteInspector::setupInspectorClient):
(Inspector::RemoteInspector::frontendDidClose):
(Inspector::RemoteInspector::sendMessageToBackend):
(Inspector::RemoteInspector::startAutomationSession):
* inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
(Inspector::RemoteInspectorSocketEndpoint::listenInet):
(Inspector::RemoteInspectorSocketEndpoint::isListening):
(Inspector::RemoteInspectorSocketEndpoint::workerThread):
(Inspector::RemoteInspectorSocketEndpoint::createClient):
(Inspector::RemoteInspectorSocketEndpoint::disconnect):
(Inspector::RemoteInspectorSocketEndpoint::invalidateClient):
(Inspector::RemoteInspectorSocketEndpoint::invalidateListener):
(Inspector::RemoteInspectorSocketEndpoint::getPort const):
(Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
(Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
(Inspector::RemoteInspectorSocketEndpoint::send):
(Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
* interpreter/CLoopStack.cpp:
(JSC::CLoopStack::addToCommittedByteCount):
(JSC::CLoopStack::committedByteCount):
* jit/ExecutableAllocator.cpp:
(JSC::dumpJITMemory):
* jit/ICStats.cpp:
(JSC::ICStats::ICStats):
(JSC::ICStats::~ICStats):
* jit/JITThunks.cpp:
(JSC::JITThunks::ctiStub):
(JSC::JITThunks::existingCTIStub):
(JSC::JITThunks::ctiSlowPathFunctionStub):
* jit/JITWorklist.cpp:
(JSC::JITWorklist::Plan::compileInThread):
(JSC::JITWorklist::Plan::isFinishedCompiling):
(JSC::JITWorklist::JITWorklist):
(JSC::JITWorklist::completeAllForVM):
(JSC::JITWorklist::poll):
(JSC::JITWorklist::compileLater):
(JSC::JITWorklist::finalizePlans):
* parser/SourceProvider.cpp:
(JSC::SourceProvider::getID):
* profiler/ProfilerDatabase.cpp:
(JSC::Profiler::Database::ensureBytecodesFor):
(JSC::Profiler::Database::notifyDestruction):
(JSC::Profiler::Database::addCompilation):
(JSC::Profiler::Database::logEvent):
(JSC::Profiler::Database::addDatabaseToAtExit):
(JSC::Profiler::Database::removeDatabaseFromAtExit):
(JSC::Profiler::Database::removeFirstAtExitDatabase):
* profiler/ProfilerUID.cpp:
(JSC::Profiler::UID::create):
* runtime/DeferredWorkTimer.cpp:
(JSC::DeferredWorkTimer::scheduleWorkSoon):
(JSC::DeferredWorkTimer::didResumeScriptExecutionOwner):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::timerLoop):
(JSC::SamplingProfiler::shutdown):
(JSC::SamplingProfiler::start):
(JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
(JSC::SamplingProfiler::noticeJSLockAcquisition):
(JSC::SamplingProfiler::noticeVMEntry):
(JSC::SamplingProfiler::registerForReportAtExit):
* runtime/Watchdog.cpp:
(JSC::Watchdog::startTimer):
(JSC::Watchdog::willDestroyVM):
* tools/VMInspector.cpp:
(JSC::VMInspector::isValidExecutableMemory):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::work):
* wasm/WasmEntryPlan.cpp:
(JSC::Wasm::EntryPlan::ThreadCountHolder::ThreadCountHolder):
(JSC::Wasm::EntryPlan::ThreadCountHolder::~ThreadCountHolder):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::addCompletionTask):
(JSC::Wasm::Plan::waitForCompletion):
(JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
* wasm/WasmSignature.cpp:
(JSC::Wasm::SignatureInformation::signatureFor):
(JSC::Wasm::SignatureInformation::tryCleanup):
* wasm/WasmWorklist.cpp:
(JSC::Wasm::Worklist::enqueue):
(JSC::Wasm::Worklist::completePlanSynchronously):
(JSC::Wasm::Worklist::stopAllPlansForContext):
(JSC::Wasm::Worklist::Worklist):
(JSC::Wasm::Worklist::~Worklist):
2021-05-21 Chris Dumez <cdumez@apple.com>
Stop using holdLock() in JSC as it is not compatible with Clang thread safety analysis
https://bugs.webkit.org/show_bug.cgi?id=226116
Reviewed by Mark Lam.
Stop using holdLock() in JSC as it is not compatible with Clang thread safety analysis
(WTF::CheckedLock). Use the Locker constructor instead.
I'll eventually get rid of the holdLock() definition once I have managed to get rid of
all its usages.
* API/JSVirtualMachine.mm:
(+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
(+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
(-[JSVirtualMachine addExternalRememberedObject:]):
(-[JSVirtualMachine addManagedReference:withOwner:]):
(-[JSVirtualMachine removeManagedReference:withOwner:]):
(scanExternalObjectGraph):
(scanExternalRememberedSet):
* API/glib/JSCVirtualMachine.cpp:
(addWrapper):
(removeWrapper):
* API/tests/ExecutionTimeLimitTest.cpp:
(testExecutionTimeLimit):
* assembler/PerfLog.cpp:
(JSC::PerfLog::PerfLog):
(JSC::PerfLog::log):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::visitAggregateImpl):
(JSC::StructureStubInfo::visitWeakReferences):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::considerCaching):
(JSC::StructureStubInfo::clearBufferedStructures):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
(JSC::UnlinkedCodeBlock::visitChildrenImpl):
* bytecode/UnlinkedCodeBlockGenerator.cpp:
(JSC::UnlinkedCodeBlockGenerator::finalize):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::~BlockDirectory):
(JSC::BlockDirectory::removeBlock):
(JSC::BlockDirectory::stopAllocatingForGood):
(JSC::BlockDirectory::parallelNotEmptyBlockSource):
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::add):
(JSC::CodeBlockSet::remove):
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterate):
* heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::allocatorForSlow):
* heap/Heap.cpp:
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::runNotRunningPhase):
(JSC::Heap::runEndPhase):
(JSC::Heap::finishRelinquishingConn):
(JSC::visitSamplingProfiler):
(JSC::Heap::setBonusVisitorTask):
(JSC::Heap::runTaskInParallel):
* heap/HeapSnapshotBuilder.cpp:
(JSC::HeapSnapshotBuilder::buildSnapshot):
(JSC::HeapSnapshotBuilder::analyzeNode):
(JSC::HeapSnapshotBuilder::analyzeEdge):
(JSC::HeapSnapshotBuilder::analyzePropertyNameEdge):
(JSC::HeapSnapshotBuilder::analyzeVariableNameEdge):
(JSC::HeapSnapshotBuilder::analyzeIndexEdge):
(JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
* heap/IsoAlignedMemoryAllocator.cpp:
(JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
(JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
(JSC::IsoCellSet::addSlow):
(JSC::IsoCellSet::didRemoveBlock):
(JSC::IsoCellSet::sweepToFreeList):
* heap/IsoCellSetInlines.h:
(JSC::IsoCellSet::forEachMarkedCellInParallel):
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::IsoSubspace):
* heap/IsoSubspacePerVM.cpp:
(JSC::IsoSubspacePerVM::forVM):
* heap/LocalAllocator.cpp:
(JSC::LocalAllocator::LocalAllocator):
(JSC::LocalAllocator::~LocalAllocator):
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::tryCopyOtherThreadStacks):
(JSC::MachineThreads::gatherConservativeRoots):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::Handle::didConsumeFreeList):
(JSC::MarkedBlock::noteMarkedSlow):
(JSC::MarkedBlock::Handle::dumpState):
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::isLive):
* heap/MarkingConstraint.cpp:
(JSC::MarkingConstraint::doParallelWork):
* heap/MarkingConstraintSolver.cpp:
(JSC::MarkingConstraintSolver::addParallelTask):
(JSC::MarkingConstraintSolver::runExecutionThread):
* heap/ParallelSourceAdapter.h:
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::updateMutatorIsStopped):
(JSC::SlotVisitor::drain):
(JSC::SlotVisitor::performIncrementOfDraining):
(JSC::SlotVisitor::drainFromShared):
(JSC::SlotVisitor::drainInParallelPassively):
(JSC::SlotVisitor::waitForTermination):
(JSC::SlotVisitor::donateAll):
(JSC::SlotVisitor::didRace):
* heap/Subspace.cpp:
(JSC::Subspace::parallelDirectorySource):
* heap/SubspaceInlines.h:
(JSC::Subspace::forEachMarkedCellInParallel):
* inspector/JSInjectedScriptHost.cpp:
* jit/ExecutableAllocator.cpp:
* jsc.cpp:
(Worker::Worker):
(Worker::~Worker):
(Worker::dequeue):
(Workers::broadcast):
(Workers::report):
(Workers::tryGetReport):
(Workers::getReport):
(JSC_DEFINE_HOST_FUNCTION):
* runtime/DeferredWorkTimer.cpp:
(JSC::DeferredWorkTimer::doWork):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::finishCreation):
* runtime/EvalExecutable.cpp:
(JSC::EvalExecutable::visitChildrenImpl):
* runtime/FileBasedFuzzerAgentBase.cpp:
(JSC::FileBasedFuzzerAgentBase::getPrediction):
* runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::visitChildrenImpl):
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::unshiftCountWithArrayStorage):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::detach):
(JSC::JSArrayBufferView::slowDownAndWasteMemory):
* runtime/JSCell.h:
* runtime/JSFinalizationRegistry.cpp:
(JSC::JSFinalizationRegistry::visitChildrenImpl):
(JSC::JSFinalizationRegistry::finalizeUnconditionally):
(JSC::JSFinalizationRegistry::takeDeadHoldingsValue):
(JSC::JSFinalizationRegistry::registerTarget):
(JSC::JSFinalizationRegistry::unregister):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildrenImpl):
* runtime/JSGlobalObject.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::finishCreation):
(JSC::JSModuleNamespaceObject::visitChildrenImpl):
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterflyImpl):
* runtime/JSRunLoopTimer.cpp:
(JSC::JSRunLoopTimer::Manager::timerDidFire):
(JSC::JSRunLoopTimer::Manager::registerVM):
(JSC::JSRunLoopTimer::Manager::unregisterVM):
(JSC::JSRunLoopTimer::Manager::scheduleTimer):
(JSC::JSRunLoopTimer::Manager::cancelTimer):
(JSC::JSRunLoopTimer::Manager::timeUntilFire):
(JSC::JSRunLoopTimer::timerDidFire):
(JSC::JSRunLoopTimer::setTimeUntilFire):
(JSC::JSRunLoopTimer::cancelTimer):
(JSC::JSRunLoopTimer::addTimerSetNotification):
(JSC::JSRunLoopTimer::removeTimerSetNotification):
* runtime/JSSegmentedVariableObject.cpp:
(JSC::JSSegmentedVariableObject::findVariableIndex):
(JSC::JSSegmentedVariableObject::addVariables):
(JSC::JSSegmentedVariableObject::visitChildrenImpl):
* runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::visitChildrenImpl):
* runtime/NarrowingNumberPredictionFuzzerAgent.cpp:
(JSC::NarrowingNumberPredictionFuzzerAgent::getPrediction):
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::visitChildrenImpl):
* runtime/RandomizingFuzzerAgent.cpp:
(JSC::RandomizingFuzzerAgent::getPrediction):
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::matchConcurrently):
(JSC::RegExp::compileMatchOnly):
(JSC::RegExp::deleteCode):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::takeSample):
(JSC::SamplingProfiler::stackTracesAsJSON):
(JSC::SamplingProfiler::reportTopFunctions):
(JSC::SamplingProfiler::reportTopBytecodes):
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::createTemplateObject):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::add):
(JSC::SparseArrayValueMap::remove):
(JSC::SparseArrayValueMap::getConcurrently):
(JSC::SparseArrayValueMap::visitChildrenImpl):
* runtime/Structure.cpp:
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::nonPropertyTransitionSlow):
(JSC::Structure::setBrandTransition):
* runtime/StructureCache.cpp:
(JSC::StructureCache::createEmptyStructure):
(JSC::StructureCache::emptyObjectStructureConcurrently):
* runtime/VM.cpp:
(JSC::waitForVMDestruction):
(JSC::VM::~VM):
(JSC::VM::gatherScratchBufferRoots):
(JSC::VM::scratchBufferForSize):
(JSC::VM::clearScratchBuffers):
(JSC::VM::addLoopHintExecutionCounter):
(JSC::VM::getLoopHintExecutionCounter):
(JSC::VM::removeLoopHintExecutionCounter):
* runtime/VMTraps.cpp:
(JSC::VMTraps::tryInstallTrapBreakpoints):
(JSC::VMTraps::invalidateCodeBlocksOnStack):
(JSC::VMTraps::willDestroyVM):
(JSC::VMTraps::fireTrap):
(JSC::VMTraps::handleTraps):
(JSC::VMTraps::takeTopPriorityTrap):
* runtime/WeakMapImpl.cpp:
(JSC::WeakMapImpl<BucketType>::visitOutputConstraints):
* runtime/WeakMapImpl.h:
(JSC::WeakMapImpl::finishCreation):
* runtime/WeakMapImplInlines.h:
(JSC::WeakMapImpl<WeakMapBucket>::rehash):
* runtime/WideningNumberPredictionFuzzerAgent.cpp:
(JSC::WideningNumberPredictionFuzzerAgent::getPrediction):
* tools/CompilerTimingScope.cpp:
* tools/FunctionOverrides.cpp:
(JSC::FunctionOverrides::FunctionOverrides):
(JSC::FunctionOverrides::reinstallOverrides):
(JSC::FunctionOverrides::initializeOverrideFor):
* tools/Integrity.cpp:
(JSC::Integrity::Random::reloadAndCheckShouldAuditSlow):
* tools/VMInspector.cpp:
(JSC::VMInspector::add):
(JSC::VMInspector::remove):
(JSC::VMInspector::codeBlockForMachinePC):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::work):
(JSC::Wasm::BBQPlan::compileFunction):
* wasm/WasmCalleeRegistry.h:
(JSC::Wasm::CalleeRegistry::registerCallee):
(JSC::Wasm::CalleeRegistry::unregisterCallee):
* wasm/WasmCodeBlock.cpp:
(JSC::Wasm::CodeBlock::CodeBlock):
(JSC::Wasm::CodeBlock::waitUntilFinished):
(JSC::Wasm::CodeBlock::compileAsync):
* wasm/WasmContext.cpp:
(JSC::Wasm::Context::scratchBufferForSize):
* wasm/WasmEntryPlan.cpp:
(JSC::Wasm::EntryPlan::parseAndValidateModule):
(JSC::Wasm::EntryPlan::prepare):
(JSC::Wasm::EntryPlan::compileFunctions):
* wasm/WasmEntryPlan.h:
(JSC::Wasm::EntryPlan::tryReserveCapacity):
* wasm/WasmFaultSignalHandler.cpp:
(JSC::Wasm::trapHandler):
* wasm/WasmInstance.cpp:
(JSC::Wasm::Instance::setFunctionWrapper):
* wasm/WasmLLIntPlan.cpp:
(JSC::Wasm::LLIntPlan::compileFunction):
(JSC::Wasm::LLIntPlan::completeInStreaming):
(JSC::Wasm::LLIntPlan::didCompileFunctionInStreaming):
(JSC::Wasm::LLIntPlan::didFailInStreaming):
* wasm/WasmMachineThreads.cpp:
(JSC::Wasm::resetInstructionCacheOnAllThreads):
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::growShared):
* wasm/WasmModule.cpp:
(JSC::Wasm::Module::getOrCreateCodeBlock):
* wasm/WasmOMGForOSREntryPlan.cpp:
(JSC::Wasm::OMGForOSREntryPlan::work):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmOperations.cpp:
(JSC::Wasm::triggerOMGReplacementCompile):
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
* wasm/WasmSignatureInlines.h:
(JSC::Wasm::SignatureInformation::get):
* wasm/WasmSlowPaths.cpp:
(JSC::LLInt::jitCompileAndSetHeuristics):
(JSC::LLInt::WASM_SLOW_PATH_DECL):
* wasm/WasmStreamingCompiler.cpp:
(JSC::Wasm::StreamingCompiler::didCompileFunction):
(JSC::Wasm::StreamingCompiler::finalize):
(JSC::Wasm::StreamingCompiler::fail):
(JSC::Wasm::StreamingCompiler::cancel):
* wasm/WasmStreamingPlan.cpp:
(JSC::Wasm::StreamingPlan::work):
* wasm/WasmTable.cpp:
(JSC::Wasm::Table::grow):
(JSC::Wasm::Table::visitAggregateImpl):
* wasm/WasmThunks.cpp:
(JSC::Wasm::Thunks::stub):
(JSC::Wasm::Thunks::existingStub):
* wasm/WasmWorklist.cpp:
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::visitChildrenImpl):
2021-05-21 Mark Lam <mark.lam@apple.com>
Remove the unnecessary use of CompileOpStrictEqType.
https://bugs.webkit.org/show_bug.cgi?id=226121
Reviewed by Saam Barati and Robin Morisset.
We're already emitting template code. Might as well make the relevant condition
checks a build time check on the opcode type the template is specializing on
instead of a runtime check on a passed in CompileOpStrictEqType.
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::compileOpStrictEq):
(JSC::JIT::emit_op_stricteq):
(JSC::JIT::emit_op_nstricteq):
(JSC::JIT::compileOpStrictEqJump):
(JSC::JIT::emit_op_jstricteq):
(JSC::JIT::emit_op_jnstricteq):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::compileOpStrictEq):
(JSC::JIT::emit_op_stricteq):
(JSC::JIT::emit_op_nstricteq):
(JSC::JIT::compileOpStrictEqJump):
(JSC::JIT::emit_op_jstricteq):
(JSC::JIT::emit_op_jnstricteq):
2021-05-21 Mark Lam <mark.lam@apple.com>
Introducing JITThunks::preinitializeCTIThunks().
https://bugs.webkit.org/show_bug.cgi?id=226105
Reviewed by Geoffrey Garen.
We're basically renaming JITThunks::preinitializeExtraCTIThunks() to
JITThunks::preinitializeCTIThunks() and making it not conditional on
#if ENABLE(EXTRA_CTI_THUNKS). Some thunks need to be initialized independent of
#if ENABLE(EXTRA_CTI_THUNKS).
* jit/JITThunks.cpp:
(JSC::JITThunks::preinitializeCTIThunks):
(JSC::JITThunks::preinitializeExtraCTIThunks): Deleted.
* jit/JITThunks.h:
* runtime/VM.cpp:
(JSC::VM::VM):
2021-05-21 Adrian Perez de Castro <aperez@igalia.com>
Non-unified build fixes, late-ish May 2021 edition
https://bugs.webkit.org/show_bug.cgi?id=225990
Unreviewed non-unified build fixes.
* jit/CCallHelpers.cpp: Add missing LinkBuffer.h header.
2021-05-21 Sam Sneddon <gsnedders@apple.com>
Fix Python 3.6+ DeprecationWarnings about unknown escapes
https://bugs.webkit.org/show_bug.cgi?id=226018
Reviewed by Jonathan Bedard.
Fix Python 3.6+ DeprecationWarnings about unknown escapes
* wasm/generateWasmB3IRGeneratorInlinesHeader.py:
2021-05-20 Saam Barati <sbarati@apple.com>
[ Catalina Release JSC] A large number of JSC test appear to be flaky failing
https://bugs.webkit.org/show_bug.cgi?id=225998
<rdar://problem/78235001>
Reviewed by Yusuke Suzuki.
This patch is fixing some fallout from moving JIT::link() to a background
thread:
1. We can't shrink the CodeBlock's constant pool on a background thread
since we read from it without grabbing a lock on the main thread (when
reading things off the stack in slow path calls).
2. We can't create GCAwareJITStubRoutines on the compilation thread, since
creating a GCAwareJITStubRoutines adds to a global hash table inside Heap. This
means that we have to do that step of emitting virtual calls for eval when
we're finalizing code on the main thread.
This patch also makes it so that a baseline JIT compilation thread is
correctly marked as such.
* heap/JITStubRoutineSet.cpp:
(JSC::JITStubRoutineSet::add):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitUnlinkedVirtualCall):
(JSC::AssemblyHelpers::emitVirtualCall):
* jit/AssemblyHelpers.h:
* jit/JIT.cpp:
(JSC::JIT::link):
(JSC::JIT::finalizeOnMainThread):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileCallEvalSlowCase):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileCallEvalSlowCase):
* jit/JITWorklist.cpp:
2021-05-20 Saam Barati <sbarati@apple.com>
Make polymorphic calls play nice with Data Call ICs
https://bugs.webkit.org/show_bug.cgi?id=225793
Reviewed by Robin Morisset.
This patch makes it so that Polymorphic stubs don't repatch when using
Data Call ICs. We add a branch to the Data IC fast path to see if we're
polymorphic. If we are, then we either call or tail call the polymorphic
stub, depending on the CallLinkInfo's call type. This patch also changes
the polymorphic stub to handle being called instead of jumped to, since that
will now happen for Data ICs of non tail calls.
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::setMonomorphicCallee):
(JSC::CallLinkInfo::callee):
(JSC::CallLinkInfo::visitWeak):
(JSC::CallLinkInfo::emitFastPathImpl):
(JSC::CallLinkInfo::revertCallToStub):
(JSC::CallLinkInfo::setStub):
(JSC::CallLinkInfo::emitFirstInstructionForDataIC): Deleted.
* bytecode/CallLinkInfo.h:
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
2021-05-20 Tuomas Karkkainen <tuomas.webkit@apple.com>
$vm should have a function for checking if ASan is enabled similar to $vm.assertEnabled
https://bugs.webkit.org/show_bug.cgi?id=226019
Reviewed by Mark Lam.
Add method $vm.asanEnabled(), which parallels $vm.assertEnabled(), and allows checking at
runtime whether the current JavaScriptCore build is instrumented with AddressSanitizer.
* tools/JSDollarVM.cpp:
2021-05-19 Mark Lam <mark.lam@apple.com>
AbstractSlotVisitor::containsOpaqueRoot() should only declare didFindOpaqueRoot if the root is actually found.
https://bugs.webkit.org/show_bug.cgi?id=226000
rdar://78208014
Reviewed by Robin Morisset.
It was erroneously calling didFindOpaqueRoot() all the time even when the root is
not found. This only affects the GC verifier tool. It has no effect on production
code.
* heap/AbstractSlotVisitorInlines.h:
(JSC::AbstractSlotVisitor::containsOpaqueRoot const):
2021-05-19 Mark Lam <mark.lam@apple.com>
Speed up debug validation in CacheableIdentifier::createFromIdentifierOwnedByCodeBlock().
https://bugs.webkit.org/show_bug.cgi?id=225948
Not reviewed.
Build fix after r277727.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::hasIdentifier):
2021-05-19 Mark Lam <mark.lam@apple.com>
Ripping out broken Baseline JIT rare case profiling.
https://bugs.webkit.org/show_bug.cgi?id=225983
Reviewed by Saam Barati and Robin Morisset.
The profiling has been broken in recent times. Fixing it to work does not appear
to improve performance. Ripping out the profiling appears to not hurt performance.
However, ripping out the profiling appears to save on code size generated for the
Baseline JIT.
Base New Diff
BaselineJIT: 73299112 (69.903481 MB) 65910128 (62.856796 MB) 0.90x (reduction)
DFG: 36850540 (35.143414 MB) 36374400 (34.689331 MB) 0.99x
Thunk: 23128652 (22.057201 MB) 22892292 (21.831791 MB) 0.99x
InlineCache: 22210972 (21.182034 MB) 22083508 (21.060474 MB) 0.99x
FTL: 6065064 (5.784096 MB) 6128080 (5.844193 MB) 1.01x
Wasm: 2305124 (2.198338 MB) 2309732 (2.202732 MB) 1.00x
YarrJIT: 1522712 (1.452171 MB) 1536104 (1.464943 MB) 1.01x
CSSJIT: 0 0
Uncategorized: 0 0
Cumulative diff since the start of this effort to put more code in JIT thunks:
Base New Diff
BaselineJIT: 89089964 (84.962811 MB) 65910128 (62.856796 MB) 0.74x (reduction)
DFG: 39117360 (37.305222 MB) 36374400 (34.689331 MB) 0.93x (reduction)
Thunk: 23230968 (22.154778 MB) 22892292 (21.831791 MB) 0.99x
InlineCache: 22027416 (21.006981 MB) 22083508 (21.060474 MB) 1.00x
FTL: 6575772 (6.271145 MB) 6128080 (5.844193 MB) 0.93x (reduction)
Wasm: 2302724 (2.196049 MB) 2309732 (2.202732 MB) 1.00x
YarrJIT: 1538956 (1.467663 MB) 1536104 (1.464943 MB) 1.00x
CSSJIT: 0 0
Uncategorized: 0 0
Benchmarking was done with Speedometer2 and JetSteam2 on an M1 Mac.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::JITData::size const):
(JSC::CodeBlock::dumpValueProfiles):
(JSC::CodeBlock::setRareCaseProfiles): Deleted.
(JSC::CodeBlock::rareCaseProfileForBytecodeIndex): Deleted.
(JSC::CodeBlock::rareCaseProfileCountForBytecodeIndex): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::likelyToTakeSlowCase): Deleted.
(JSC::CodeBlock::couldTakeSlowCase): Deleted.
* bytecode/ValueProfile.h:
(JSC::RareCaseProfile::RareCaseProfile): Deleted.
(JSC::getRareCaseProfileBytecodeIndex): Deleted.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
(JSC::DFG::ByteCodeParser::parseBlock):
* jit/JIT.cpp:
(JSC::JIT::privateCompileSlowCases):
2021-05-19 Yusuke Suzuki <ysuzuki@apple.com>
[JSC} Remove exception checks from non-throwing function calls in Baseline JIT
https://bugs.webkit.org/show_bug.cgi?id=224920
Reviewed by Tadeu Zagallo.
These functions are not taking JSGlobalObject and will not throw an error.
Use callOperationNoExceptionCheck instead to avoid emitting unnecessary exception checks.
* jit/JIT.cpp:
(JSC::JIT::emitEnterOptimizationCheck):
* jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_new_object):
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emitSlow_op_loop_hint):
(JSC::JIT::emit_op_profile_type):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emitSlow_op_new_object):
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_profile_type):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitWriteBarrier):
2021-05-19 Robin Morisset <rmorisset@apple.com>
Fix typo in AirUseCounts
https://bugs.webkit.org/show_bug.cgi?id=225977
rdar://78210501
Reviewed by Mark Lam.
I had just messed up a copy-and-paste, using "gp" instead of "fp" in code that deals with floating point values.
This did not show in my tests, probably because few functions have more floating point temporaries than non-floating-point.
* b3/air/AirUseCounts.h:
(JSC::B3::Air::UseCounts::UseCounts):
2021-05-18 Darin Adler <darin@apple.com>
Move CFStringRef and NSString support from StringBuilder into StringConcatenateCF
https://bugs.webkit.org/show_bug.cgi?id=225839
Reviewed by Sam Weinig.
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::ConsoleMessage): Use StringBuilder::clear instead of
StringBuilder::resize; no advantage to the latter after calling StringBuilder::toString.
* runtime/JSONObject.cpp:
(JSC::Stringifier::Holder::appendNextProperty): Update for name change of
StringBuilder::resize to StringBuilder::shrink.
* runtime/TypeSet.cpp:
(JSC::StructureShape::stringRepresentation): Ditto.
2021-05-19 Mark Lam <mark.lam@apple.com>
Speed up debug validation in CacheableIdentifier::createFromIdentifierOwnedByCodeBlock().
https://bugs.webkit.org/show_bug.cgi?id=225948
rdar://78175542
Reviewed by Yusuke Suzuki.
1. Introduce CodeBlock::hasIdentifier() so that we can encapsulate the identifier
search better. Change CacheableIdentifier::createFromIdentifierOwnedByCodeBlock()
to call this method instead of rolling its own identifier search.
2. If the CodeBlock is pathological and has a ridiculous number of identifiers
to search, create a cached hash set of the identifiers, and use that for
doing the search instead.
Apparently, YouTube can have a single JS function with 2177689 bytecodes, where
a large portion of those are put_by_ids. The function also has some 17k+
identifiers. With that may bytecodes doing a validation search on 17k+
identifiers in a Debug build, the site can become un-useable. This optimization
brings it back from un-useable to barely tolerable on the Debug build.
3. Also fetch the UnlinkedCodeBlock from the WriteBarrier field just once in
CodeBlock::identifier() and CodeBlock::hasIdentifier(). This may not matter
on a Release build, but it can add up on a Debug build, which is already slow.
We should try to avoid doing redundant validation via the WriteBarrier access.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::identifier const):
(JSC::CodeBlock::hasIdentifier):
* bytecode/CodeBlock.h:
* runtime/CacheableIdentifierInlines.h:
(JSC::CacheableIdentifier::createFromIdentifierOwnedByCodeBlock):
2021-05-19 Saam Barati <sbarati@apple.com>
Link Baseline JIT code off the main thread
https://bugs.webkit.org/show_bug.cgi?id=225940
Reviewed by Yusuke Suzuki.
This patch makes JIT::link() able to run on compiler threads.
Most of what the function was already doing happily remains the
same. This patch moves a few operations to JIT::finalizeOnMainThread
for things that can't happen on the compiler thread:
- Adding data to some global hash tables which aren't synchronized.
- Setting the JITCode.
- Setting the code pointer for exception handlers.
- Some other metadata the Sampling Profiler looks at.
* jit/JIT.cpp:
(JSC::JIT::compileAndLinkWithoutFinalizing):
(JSC::JIT::link):
(JSC::JIT::finalizeOnMainThread):
(JSC::JIT::privateCompile):
(JSC::JIT::compileWithoutLinking): Deleted.
* jit/JIT.h:
* jit/JITWorklist.cpp:
(JSC::JITWorklist::Plan::compileInThread):
(JSC::JITWorklist::Plan::finalize):
(JSC::JITWorklist::Plan::compileOnMainThreadNow):
(JSC::JITWorklist::compileLater):
(JSC::JITWorklist::compileOnMainThreadNow):
(JSC::JITWorklist::finalizePlans):
(JSC::JITWorklist::Plan::compileNow): Deleted.
(JSC::JITWorklist::compileNow): Deleted.
* jit/JITWorklist.h:
2021-05-18 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Prune CommonSlowPaths of JITPropertyAccess functions
https://bugs.webkit.org/show_bug.cgi?id=225953
Reviewed by Mark Lam.
A few bytecode operations with slow paths in JITPropertyAccess appear to have either redundant or unnecessary
"common" slow paths; namely, get_private_name and del_by_val already have LLInt slow paths, while in_by_id
and get_by_id_with_this can have their "common" slow path moved to be LLInt-specific.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/CommonSlowPaths.cpp:
* runtime/CommonSlowPaths.h:
2021-05-18 Robin Morisset <rmorisset@apple.com>
Make AirAllocateRegistersByGraphColoring use less memory
https://bugs.webkit.org/show_bug.cgi?id=225848
Reviewed by Filip Pizlo.
We've had some jetsam problems caused by the main Air register allocator, which caused us to lower Options::maximumTmpsForGraphColoring.
Hence this patch tries to improve the memory usage of the allocator. It includes several changes:
- Change the datastructure used for representing the interference graph. Before it was effectively a HashSet<std::pair<uint16_t, uint16_t>. Now, it is either a Bitvector (for n < 400 for now, can be tweaked easily), or a Vector<LikelyDenseUnsignedIntegerSet<uint16_t>> otherwise.
LikelyDenseUnsignedIntegerSet is a new datastructure introduced by this patch, it is either a HashSet if very sparse, or a BitVector + an amount to shift it by.
This is by far the largest memory reduction in this patch, it reduces the maximum memory used for an interference graph in tsf-wasm in JetStream2 from 16MB to 700kB, and in mruby-wasm.aotoki.dev from 262MB to 20MB (the later only happen when we increase Options::maximumTmpsForGraphColoring.. this is the exact function which caused us to lower it).
Its effect on smaller functions in JetStream2 is rarely as dramatic but always an improvement, and improvements between 2x and 5x are extremely common (10x to 30x are significantly rarer but do occur).
- In order to easily test this change and any further change to this datastructure, the old approach was preserved as InterferenceHashSet, and a template to run two such datastructures in parallel, checking their equivalence was added: InstrumentedInterferenceGraph. Running with it and reportInterferenceGraphMemoryUse set to true was used to compute the numbers given above.
- There was already some template parameter to change the size of the tmp indices from unsigned to uint16_t but the code failed to compile unless it was unsigned. I fixed this, made more consistent use of it, and switched to uint16_t in the very common case that we have less than 65k Tmps (we can have more despite the option because of spilling). This halved the memory usage of various other datastructures in the register allocator
- unspillableTmps was a HashSet<unsigned>. Since it is often quite dense (often around 20% on JetStream2), I replaced it by a Bitvector instead
- m_biases was a HashMap<IndexType, HashSet<IndexType>>. Since it is extremely rare that the sets have more than 8 elements (from looking at some instrumented run of JetStream2), I replaced it by HashMap<IndexType, SmallSet<IndexType>>. This not only significantly reduces memory, but nearly halves the time spent in assignColors(around 80ms -> 40ms in JetStream 2)
- UseCounts was needlessly general: it is only used by the register allocator (all other references to UseCounts refer to the completely different B3::UseCounts), so there is no point in it computing, and then storing lots of irrelevant data. A float is also more than enough precision (especially since it is pretty much always 1, 10, 100, or 1000 in practice…). Also, since we only need it indexed by Tmps, we can use a Vector with AbsoluteTmpMapper instead of its HashMap. These changes are not just memory savings, they also make selectSpill way faster (570ms -> 250ms on my machine on JetStream2)
- While I was at it, I did a couple of other tweaks to the logic of selectSpill. In particular, instead of having to check for isFastTmp every time, I just put the fast tmps directly in unspillableTmps, which prevents them from getting added to m_spillWorklist in the first place. This + a bit of clean-up (for example putting an early exit instead of setting score to infinity in the case of dead tmps) resulted in a further perf win (to roughly 200ms spent in selectSpill() on JetStream2)
All together, this patch reduces the time spent in the register allocator by roughly 15 to 20% in JetStream2 (tested both with the Briggs and the IRC allocators on my MBP 2019).
I do not yet have precise performance numbers for this exact patch, but benchmarking a previous version of it (with a less optimized interference graph) resulted in significant RAMification improvements (around 1%), and more surprisingly some JetStream2 improvements on weaker machines (e.g. an iPhone 7 gained > 1%). I believe these gains come either from less trashing of the caches, or less contention caused by the memory traffic.
I will try to update the bugzilla with more up-to-date thorough results when I get them.
This patch does not increase Options::maximumTmpsForGraphColoring, I intend to do that in a separate patch to make it easier to revert in case of a problem.
* b3/B3ReduceLoopStrength.cpp:
(JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy):
* b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
* b3/air/AirAllocateRegistersByGraphColoring.cpp:
(JSC::B3::Air::allocateRegistersByGraphColoring):
* b3/air/AirCode.h:
(JSC::B3::Air::Code::forEachFastTmp const):
* b3/air/AirUseCounts.h:
(JSC::B3::Air::UseCounts::UseCounts):
(JSC::B3::Air::UseCounts::isConstDef const):
(JSC::B3::Air::UseCounts::numWarmUsesAndDefs const):
(JSC::B3::Air::UseCounts::dump const):
* parser/Nodes.h:
2021-05-18 Saam Barati <sbarati@apple.com>
Add Data Call ICs that don't repatch and use them in the baseline JIT
https://bugs.webkit.org/show_bug.cgi?id=225321
<rdar://problem/77773796>
Reviewed by Michael Saboff.
This patch adds Data ICs for calls. Data ICs for calls work by loading a code
pointer from CallLinkInfo, and indirect calling that pointer. This means that
to repatch such an IC, all we need to do is replace a code pointer inside
CallLinkInfo. No need to repatch the JIT code.
The current implementation only does this for monomorphic calls. We still
repatch the JIT code for polymorphic calls. In a followup, we will also
opt polymorphic call ICs into data-based calls:
https://bugs.webkit.org/show_bug.cgi?id=225793
This patch only uses Data Call ICs for the Baseline JIT. Even with that, it
reduces the number of calls to cacheFlush by ~45% on JetStream2.
Performance is neutral on AS Macs, but it paves the way towards doing
unlinked JITting in JSC.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::addLateLinkTask):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::linkCode):
(JSC::LinkBuffer::performFinalization):
* assembler/LinkBuffer.h:
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::CallLinkInfo):
(JSC::CallLinkInfo::unlink):
(JSC::CallLinkInfo::fastPathStart):
(JSC::CallLinkInfo::slowPathStart):
(JSC::CallLinkInfo::doneLocation):
(JSC::CallLinkInfo::setMonomorphicCallee):
(JSC::CallLinkInfo::clearCallee):
(JSC::CallLinkInfo::emitFirstInstructionForDataIC):
(JSC::CallLinkInfo::emitFastPathImpl):
(JSC::CallLinkInfo::emitFastPath):
(JSC::CallLinkInfo::emitTailCallFastPath):
(JSC::CallLinkInfo::emitSlowPath):
(JSC::CallLinkInfo::emitDirectFastPath):
(JSC::CallLinkInfo::emitDirectTailCallFastPath):
(JSC::CallLinkInfo::initializeDirectCall):
(JSC::CallLinkInfo::setDirectCallTarget):
(JSC::CallLinkInfo::setSlowPathCallDestination):
(JSC::CallLinkInfo::revertCallToStub):
(JSC::CallLinkInfo::setStub):
(JSC::CallLinkInfo::callReturnLocation): Deleted.
(JSC::CallLinkInfo::patchableJump): Deleted.
(JSC::CallLinkInfo::hotPathBegin): Deleted.
(JSC::CallLinkInfo::setCallee): Deleted.
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::calleeGPR const):
(JSC::CallLinkInfo::isDataIC const):
(JSC::CallLinkInfo::setUsesDataICs):
(JSC::CallLinkInfo::setCodeLocations):
(JSC::CallLinkInfo::offsetOfCallee):
(JSC::CallLinkInfo::offsetOfMonomorphicCallDestination):
(JSC::CallLinkInfo::offsetOfSlowPathCallDestination):
(JSC::CallLinkInfo::setCallLocations): Deleted.
(JSC::CallLinkInfo::hotPathOther): Deleted.
(JSC::CallLinkInfo::setStub): Deleted.
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addJSCall):
(JSC::DFG::JITCompiler::addJSDirectCall):
(JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
(JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
(JSC::DFG::JITCompiler::addJSDirectTailCall): Deleted.
(JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord): Deleted.
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::callerReturnPC):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::emitJITCodeOver):
* jit/CCallHelpers.h:
* jit/JIT.cpp:
(JSC::JIT::link):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileTailCall):
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallNode::unlink):
* jit/Repatch.cpp:
(JSC::linkSlowPathTo):
(JSC::linkSlowFor):
(JSC::linkMonomorphicCall):
(JSC::linkDirectCall):
(JSC::revertCall):
(JSC::unlinkCall):
(JSC::linkPolymorphicCall):
(JSC::linkFor): Deleted.
(JSC::linkDirectFor): Deleted.
(JSC::unlinkFor): Deleted.
* jit/Repatch.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
2021-05-18 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r276655.
https://bugs.webkit.org/show_bug.cgi?id=225930
caused a 2% PLT regression
Reverted changeset:
"StructureStubInfo and PolymorphicAccess should account for
their non-GC memory"
https://bugs.webkit.org/show_bug.cgi?id=225113
https://trac.webkit.org/changeset/276655
2021-05-18 Keith Miller <keith_miller@apple.com>
Temporarily revert r276592 as it breaks some native apps
https://bugs.webkit.org/show_bug.cgi?id=225917
Unreviewed, revert.
* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::put):
* debugger/DebuggerScope.h:
* runtime/ClassInfo.h:
* runtime/ClonedArguments.h:
* runtime/CustomGetterSetter.cpp:
(JSC::callCustomSetter):
* runtime/CustomGetterSetter.h:
* runtime/ErrorConstructor.h:
* runtime/ErrorInstance.h:
* runtime/GenericArguments.h:
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::put):
* runtime/GetterSetter.h:
* runtime/JSArray.cpp:
(JSC::JSArray::put):
* runtime/JSArray.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::put):
* runtime/JSArrayBufferView.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSCell.cpp:
(JSC::JSCell::doPutPropertySecurityCheck):
* runtime/JSCell.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
* runtime/JSFunction.h:
* runtime/JSGenericTypedArrayView.h:
* runtime/JSGlobalLexicalEnvironment.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::put):
* runtime/JSGlobalObject.h:
* runtime/JSLexicalEnvironment.h:
* runtime/JSModuleEnvironment.h:
* runtime/JSModuleNamespaceObject.h:
* runtime/JSObject.cpp:
(JSC::JSObject::doPutPropertySecurityCheck):
(JSC::JSObject::putInlineSlow):
(JSC::JSObject::prototypeChainMayInterceptStoreTo):
(JSC::definePropertyOnReceiverSlow): Deleted.
(JSC::JSObject::definePropertyOnReceiver): Deleted.
(JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::putByIndexInline):
(JSC::JSObject::doPutPropertySecurityCheck):
(JSC::JSObject::hasNonReifiedStaticProperties): Deleted.
* runtime/JSObjectInlines.h:
(JSC::JSObject::canPerformFastPutInlineExcludingProto):
(JSC::JSObject::putInlineForJSObject):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::putInlineFast): Deleted.
* runtime/JSProxy.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::overridesGetOwnPropertySlot const):
(JSC::TypeInfo::overridesAnyFormOfGetOwnPropertyNames const):
(JSC::TypeInfo::hasPutPropertySecurityCheck const):
(JSC::TypeInfo::hasStaticPropertyTable const): Deleted.
(JSC::TypeInfo::overridesPut const): Deleted.
* runtime/Lookup.h:
(JSC::putEntry):
(JSC::lookupPut):
* runtime/PropertySlot.h:
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::put):
* runtime/ProxyObject.h:
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::context const):
(JSC::PutPropertySlot::type const):
(JSC::PutPropertySlot::isInitialization const):
(JSC::PutPropertySlot::isTaintedByOpaqueObject const): Deleted.
(JSC::PutPropertySlot::setIsTaintedByOpaqueObject): Deleted.
* runtime/ReflectObject.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::put):
* runtime/RegExpObject.h:
* runtime/StringObject.cpp:
(JSC::StringObject::put):
* runtime/StringObject.h:
* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):
(JSC::StringPrototype::create):
* runtime/StringPrototype.h:
* runtime/Structure.cpp:
(JSC::Structure::validateFlags):
* runtime/Structure.h:
(JSC::Structure::takesSlowPathInDFGForImpureProperty):
(JSC::Structure::hasNonReifiedStaticProperties const): Deleted.
* tools/JSDollarVM.cpp:
2021-05-18 Yoshiaki Jitsukawa <yoshiaki.jitsukawa@sony.com>
[PlayStation] Fix PlayStation port
https://bugs.webkit.org/show_bug.cgi?id=225913
Reviewed by Don Olmstead.
Fix PlayStation port
* jsc.cpp: Include LinkBuffer.h.
2021-05-18 Adrian Perez de Castro <aperez@igalia.com>
[JSCOnly] Non unified build fixes
https://bugs.webkit.org/show_bug.cgi?id=225872
Unreviewed non-unified build fixes.
* jit/JITPropertyAccess.cpp: Add missing ThunkGenerators.h header.
* jit/SlowPathCall.cpp: Add missing JITInlines.h and ThunkGenerators.h headers.
* wasm/js/WebAssemblyFunctionBase.h: Add missing WasmFormat.h header.
2021-05-17 Saam Barati <sbarati@apple.com>
Enable JS to emit sign posts and trace points under Options::exposeProfilersOnGlobalObject
https://bugs.webkit.org/show_bug.cgi?id=225895
Reviewed by Yusuke Suzuki.
* runtime/JSGlobalObject.cpp:
(JSC::asTracePointInt):
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::asSignpostString):
(JSC::JSGlobalObject::init):
2021-05-17 Geoffrey Garen <ggaren@apple.com>
StructureRareData::m_replacementWatchpointSets should not be a pointer to a pointer
https://bugs.webkit.org/show_bug.cgi?id=225840
Reviewed by Mark Lam.
HashMap is already just one pointer. Making it a pointer to a pointer
causes heap fragmentation. Worth about 1MB on GMail.
* runtime/Structure.cpp:
(JSC::Structure::ensurePropertyReplacementWatchpointSet):
* runtime/StructureInlines.h:
(JSC::Structure::didReplaceProperty):
(JSC::Structure::propertyReplacementWatchpointSet):
* runtime/StructureRareData.h:
2021-05-17 Alexey Shvayka <shvaikalesh@gmail.com>
REGRESSION (r271119): Object methods defined with shorthand notation cannot access "caller" in non-strict mode
https://bugs.webkit.org/show_bug.cgi?id=225277
Reviewed by Darin Adler.
This patch loosens `function.caller` to allow non-strict getters, setters, arrow functions,
and ES6 methods to be returned as callers, fixing web compatibility.
The intent of r230662 is preserved: generator / async functions are never exposed. There is
no good way to acquire wrapper function from the internal body one, nor from its arguments.
Also, this behavior is on standards track [1] (seems to be considered desirable).
[1]: https://github.com/claudepache/es-legacy-function-reflection/blob/master/spec.md#get-functionprototypecaller (step 14)
* runtime/JSFunction.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
2021-05-16 Mark Lam <mark.lam@apple.com>
Implement baseline op_enter, op_ret, op_check_traps, op_throw using JIT thunks.
https://bugs.webkit.org/show_bug.cgi?id=225846
Reviewed by Filip Pizlo.
op_enter, op_ret, op_check_traps are 3 of the most common opcodes. Throwing in
op_throw because it's easy.
In this patch, the following changes were also made:
1. Renamed copyCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer() to
copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer().
It is only used by the baseline JIT. Changed it to always operate on
RegisterAtOffsetList::llintBaselineCalleeSaveRegisters(). This removes the
dependency on a current codeBlock being compiled, and allows us to use it
for a JIT thunk.
2. Added JIT::emitNakedNearJump() to make it easy to emit direct jumps to JIT thunks.
Currently, it is only used by op_ret and op_throw.
3. Changed some thunks to use emitNonPatchableExceptionCheck() instead
emitExceptionCheck() to make it explicit that these are not intended to be
patchable.
With this patch, --dumpLinkBufferStats shows the following changes in emitted
JIT code size (using a single run of the CLI version of JetStream2 on AS Mac)
comparing to current tip of tree:
Base New Diff
BaselineJIT: 77429400 (73.842430 MB) 72407904 (69.053558 MB) 0.94x (reduction)
DFG: 36160880 (34.485703 MB) 36622176 (34.925629 MB) 1.01x
Thunk: 23159024 (22.086166 MB) 23295448 (22.216270 MB) 1.01x
InlineCache: 22068348 (21.046017 MB) 22157236 (21.130787 MB) 1.00x
FTL: 6004736 (5.726562 MB) 6030536 (5.751167 MB) 1.00x
Wasm: 2429204 (2.316669 MB) 2300872 (2.194283 MB) 0.95x (probably noise)
YarrJIT: 1522488 (1.451958 MB) 1522616 (1.452080 MB) 1.00x
CSSJIT: 0 0
Uncategorized: 0 0
Cumulative diff since the start of this effort to put more code in JIT thunks:
Base New Diff
BaselineJIT: 89089964 (84.962811 MB) 72407904 (69.053558 MB) 0.81x (reduction)
DFG: 39117360 (37.305222 MB) 36622176 (34.925629 MB) 0.94x (reduction)
Thunk: 23230968 (22.154778 MB) 23295448 (22.216270 MB) 1.00x
InlineCache: 22027416 (21.006981 MB) 22157236 (21.130787 MB) 1.01x
FTL: 6575772 (6.271145 MB) 6030536 (5.751167 MB) 0.92x (reduction)
Wasm: 2302724 (2.196049 MB) 2300872 (2.194283 MB) 1.00x
YarrJIT: 1538956 (1.467663 MB) 1522616 (1.452080 MB) 0.99x
CSSJIT: 0 0
Uncategorized: 0 0
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::sub64):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
(JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
(JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer): Deleted.
* jit/JIT.cpp:
(JSC::JIT::emitEnterOptimizationCheck):
(JSC::JIT::link):
* jit/JIT.h:
(JSC::NearJumpRecord::NearJumpRecord):
* jit/JITInlines.h:
(JSC::JIT::emitNakedNearJump):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_ret):
(JSC::JIT::op_ret_handlerGenerator):
(JSC::JIT::emit_op_throw):
(JSC::JIT::op_throw_handlerGenerator):
(JSC::JIT::emit_op_enter):
(JSC::JIT::op_enter_handlerGenerator):
(JSC::JIT::emitSlow_op_loop_hint):
(JSC::JIT::emitSlow_op_check_traps):
(JSC::JIT::op_check_traps_handlerGenerator):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::slow_op_get_from_scopeGenerator):
(JSC::JIT::slow_op_put_to_scopeGenerator):
* jit/JITThunks.cpp:
(JSC::JITThunks::preinitializeExtraCTIThunks):
* jit/SlowPathCall.cpp:
(JSC::JITSlowPathCall::generateThunk):
2021-05-16 Keith Miller <keith_miller@apple.com>
IsoAlignedMemoryAllocator should use BitVector
https://bugs.webkit.org/show_bug.cgi?id=225852
Reviewed by Mark Lam.
Right now IsoAlignedMemoryAllocator uses FastBitVector, which does
not have inline storage for small sizes. However, it's not
uncommon for IsoAlignedMemoryAllocator to be holding onto only a
few blocks. Those blocks may exist for a long time, which some
data indicates causes IsoAlignedMemoryAllocator's FastBitVector to
pin a full physical page for one 8 byte allocation. Since
accessing the commited blocks list is not a particularly hot
operation, we should just use a BitVector instead.
This seems to be perf neutral on benchmarks.
* heap/IsoAlignedMemoryAllocator.cpp:
(JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
(JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
(JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
* heap/IsoAlignedMemoryAllocator.h:
2021-05-16 Saam Barati <sbarati@apple.com>
DFGVarargsForwardingPhase shouldn't consult Flush
https://bugs.webkit.org/show_bug.cgi?id=225824
Reviewed by Filip Pizlo and Yusuke Suzuki.
In the Varargs Forwarding Phase, we were treating Flush as if it
were any other form of node that interferes with an argument
via clobbering a stack location.
This isn't how Flush works though. It doesn't have execution
semantics at the node's graph location. Instead, Flush means that
any variable it's linked to in CPS should be flushed to the stack
between it and the Flush.
The semantics of arguments is that they're already flushed to the
stack, and they've always been. Seeing a Flush node doesn't prevent
arguments elimination, we already know the arguments are on the stack,
and all we're searching for is if there is an interference operation
that says it'll clobber that stack slot. Flush isn't an interference operation.
This is a 0.5% Speedometer progression.
* dfg/DFGVarargsForwardingPhase.cpp:
2021-05-15 Alexey Shvayka <shvaikalesh@gmail.com>
Turn callGetter() / callSetter() into instance methods
https://bugs.webkit.org/show_bug.cgi?id=225831
Reviewed by Ross Kirsling.
1. Turn callGetter() / callSetter() into instance methods to simplify their signatures.
2. Rename `base` parameter to `thisValue`, avoiding similarity with slotBase().
3. Accept `bool shouldThrow` in callSetter() since ECMAMode is cumbersome to construct.
4. Replace isSetterNull(), which does LIKELY(inherits), with direct JSType check.
5. Introduce getCallData(VM&, JSCell*) overload to avoid extra checks / casts.
6. Move isValidCallee() to JSCell and handle primitives gracefully.
No behavior change. Advances provided callSetter() microbenchmark by 2%.
* runtime/GetterSetter.cpp:
(JSC::GetterSetter::callGetter):
(JSC::GetterSetter::callSetter):
(JSC::callGetter): Deleted.
(JSC::callSetter): Deleted.
* runtime/GetterSetter.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::isValidCallee): Deleted.
* runtime/JSCJSValue.h:
* runtime/JSCell.cpp:
(JSC::JSCell::isValidCallee const):
* runtime/JSCell.h:
* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):
* runtime/JSObjectInlines.h:
(JSC::getCallData):
(JSC::getConstructData):
* runtime/PropertySlot.cpp:
(JSC::PropertySlot::functionGetter const):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayEntry::put):
2021-05-14 Chris Dumez <cdumez@apple.com>
Drop FileSystem::fileMetadata() / fileMetadataFollowingSymlinks()
https://bugs.webkit.org/show_bug.cgi?id=225820
Reviewed by Darin Adler.
Update our code base because of the FileSystem API changes.
* API/JSScript.mm:
(validateBytecodeCachePath):
2021-05-14 Ross Kirsling <ross.kirsling@sony.com>
REGRESSION (r277221): 2 test262 tests failing
https://bugs.webkit.org/show_bug.cgi?id=225819
Reviewed by Alexey Shvayka.
Undo the other part of r277221's code consolidation --
I'd forgotten that this exists to enforce a evaluation order on AggregateError's arguments.
* runtime/AggregateError.cpp:
(JSC::createAggregateError):
2021-05-14 Mark Lam <mark.lam@apple.com>
Implement Baseline JIT property access slow paths using JIT thunks.
https://bugs.webkit.org/show_bug.cgi?id=225771
Reviewed by Yusuke Suzuki and Saam Barati.
This patch applies the following strategy to Baseline JIT property access slow paths:
1. If the slow path operation call is not patchable, emit a near call to a JIT
thunk to do the entire operation call.
2. If the slow path operation call is patachable, emit a near call to a prepare
call JIT thunk before the patchable operation call, and a near call to an exception
check JIT thunk after.
This strategy reduces the amount of instructions emitted for all the slow paths.
Performance is expected to be neutral or slightly improved due to the reduced
compile times and better cache locality.
With this patch, --dumpLinkBufferStats shows the following changes in emitted
JIT code size (using a single run of the CLI version of JetStream2 on AS Mac)
comparing to current tip of tree:
Base New Diff
BaselineJIT: 84624776 (80.704475 MB) 77429400 (73.842430 MB) 0.91x (reduction)
DFG: 36415264 (34.728302 MB) 36160880 (34.485703 MB) 0.99x
Thunk: 23130336 (22.058807 MB) 23159024 (22.086166 MB) 1.00x
InlineCache: 21969728 (20.951965 MB) 22068348 (21.046017 MB) 1.00x
FTL: 6097336 (5.814873 MB) 6004736 (5.726562 MB) 0.98x
Wasm: 2301956 (2.195316 MB) 2429204 (2.316669 MB) 1.06x (probably noise)
YarrJIT: 1522488 (1.451958 MB) 1522488 (1.451958 MB) 1.00x
CSSJIT: 0
Uncategorized: 0
Comparing to tip of tree at the start of this effort to move put slow paths in
JIT thunks:
Base New Diff
BaselineJIT: 89089964 (84.962811 MB) 77429400 (73.842430 MB) 0.87x (reduction)
DFG: 39117360 (37.305222 MB) 36160880 (34.485703 MB) 0.92x (reduction)
Thunk: 23230968 (22.154778 MB) 23159024 (22.086166 MB) 1.00x
InlineCache: 22027416 (21.006981 MB) 22068348 (21.046017 MB) 1.00x
FTL: 6575772 (6.271145 MB) 6004736 (5.726562 MB) 0.91x (reduction)
Wasm: 2302724 (2.196049 MB) 2429204 (2.316669 MB) 1.05x (probably noise)
YarrJIT: 1538956 (1.467663 MB) 1522488 (1.451958 MB) 0.99x
CSSJIT: 0 0
Uncategorized: 0 0
This patch has passed the JSC tests on AS Mac, and also a subset of the JSC tests
(as a smoke test) on x86_64.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::offsetOfGlobalObject):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::callExceptionFuzz):
(JSC::AssemblyHelpers::emitExceptionCheck):
(JSC::AssemblyHelpers::emitNonPatchableExceptionCheck):
* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::slow_op_get_by_val_prepareCallGenerator):
(JSC::JIT::emitSlow_op_get_private_name):
(JSC::JIT::slow_op_get_private_name_prepareCallGenerator):
(JSC::JIT::emitSlow_op_set_private_brand):
(JSC::JIT::emitSlow_op_check_private_brand):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::slow_op_put_by_val_prepareCallGenerator):
(JSC::JIT::emitSlow_op_put_private_name):
(JSC::JIT::slow_op_put_private_name_prepareCallGenerator):
(JSC::JIT::emitSlow_op_del_by_id):
(JSC::JIT::slow_op_del_by_id_prepareCallGenerator):
(JSC::JIT::emitSlow_op_del_by_val):
(JSC::JIT::slow_op_del_by_val_prepareCallGenerator):
(JSC::JIT::emitSlow_op_try_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_direct):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::slow_op_get_by_id_prepareCallGenerator):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::slow_op_get_by_id_with_this_prepareCallGenerator):
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::slow_op_put_by_id_prepareCallGenerator):
(JSC::JIT::emitSlow_op_in_by_id):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::slow_op_get_from_scopeGenerator):
(JSC::JIT::emitSlow_op_put_to_scope):
(JSC::JIT::slow_op_put_to_scopeGenerator):
* jit/JITThunks.cpp:
(JSC::JITThunks::preinitializeExtraCTIThunks):
* jit/SlowPathCall.cpp:
(JSC::JITSlowPathCall::call):
* jit/ThunkGenerators.cpp:
(JSC::checkExceptionGenerator):
* jit/ThunkGenerators.h:
2021-05-14 Chris Dumez <cdumez@apple.com>
Rename FileSystem::getFileSize() to FileSystem::fileSize()
https://bugs.webkit.org/show_bug.cgi?id=225798
Reviewed by Alex Christensen.
Update code path to due to the API change.
* inspector/remote/socket/RemoteInspectorSocket.cpp:
(Inspector::RemoteInspector::backendCommands const):
* jsc.cpp:
2021-05-13 Darin Adler <darin@apple.com>
Follow-up fix for: Remove StringBuilder::appendNumber
https://bugs.webkit.org/show_bug.cgi?id=225732
rdar://78000283
* heap/HeapSnapshotBuilder.cpp:
(JSC::HeapSnapshotBuilder::json): Removed a stray single quote mark that
meant we produced a JSON file that could not be parsed.
2021-05-13 Patrick Angle <pangle@apple.com>
[REGRESSION: r271876] Web Inspector: [Cocoa] Remote inspection crashes when using WEB_THREAD
https://bugs.webkit.org/show_bug.cgi?id=225794
Reviewed by Devin Rousso.
For WEB_THREAD, move `callback` in `dispatchAsyncOnTarget` to `block` scope to ensure it is available for the
lifetime of the block.
* inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
(Inspector::RemoteConnectionToTarget::dispatchAsyncOnTarget):
2021-05-13 Geoffrey Garen <ggaren@apple.com>
m_calleeSaveRegisters should not be a pointer to a pointer
https://bugs.webkit.org/show_bug.cgi?id=225787
Reviewed by Keith Miller.
Ben found this through memory stress testing.
RegisterAtOffsetList is effectively just a pointer. unique_ptr<RegisterAtOffsetList>
is a pointer to a pointer. RegisterAtOffsetList is long-lived, so it
creates heap page fragmentation.
Worth 3MB on Ben's test.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setCalleeSaveRegisters):
(JSC::CodeBlock::calleeSaveRegisters const): Use a fence before setting
m_hasCalleeSaveRegisters to ensure that all writes have completed before
the struct becomes visible.
* bytecode/CodeBlock.h: Use RegisterAtOffsetList directly instead of
unique_ptr<RegisterAtOffsetList> to avoid a long-lived lonely 8 byte
allocation.
* ftl/FTLCompile.cpp:
(JSC::FTL::compile): Updated for type change.
2021-05-13 Chris Dumez <cdumez@apple.com>
Rename FileSystem::directoryName() to FileSystem::parentPath()
https://bugs.webkit.org/show_bug.cgi?id=225768
Reviewed by Darin Adler.
Rename FileSystem::directoryName() to FileSystem::parentPath() for clarity and
consistency with std::filesystem::parent_path() which is used internally.
* API/JSScript.mm:
(validateBytecodeCachePath):
2021-05-13 Chris Dumez <cdumez@apple.com>
Rename FileSystem::fileIsDirectory(path, followSymlinks) to isDirectory(path) / isDirectoryFollowingSymlinks(path)
https://bugs.webkit.org/show_bug.cgi?id=225772
Reviewed by Darin Adler.
Update code base due to API naming change.
* API/JSScript.mm:
(validateBytecodeCachePath):
2021-05-13 Darin Adler <darin@apple.com>
Remove StringBuilder::appendNumber
https://bugs.webkit.org/show_bug.cgi?id=225732
Reviewed by Sam Weinig.
* API/JSContextRef.cpp:
(BacktraceFunctor::operator() const): Use append instead of appendNumber.
* API/tests/PingPongStackOverflowTest.cpp:
(PingPongStackOverflowObject_hasInstance): Ditto.
* heap/HeapSnapshotBuilder.cpp:
(JSC::HeapSnapshotBuilder::json): Ditto.
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::toString const): Use makeString instead of StringBuilder.
* runtime/ConsoleClient.cpp:
(JSC::appendURLAndPosition): Ditto.
(JSC::ConsoleClient::printConsoleMessageWithArguments): Use append instead of appendNumber.
* runtime/JSONObject.cpp:
(JSC::Stringifier::appendStringifiedValue): Ditto.
* runtime/Options.cpp:
(JSC::OptionReader::Option::dump const): Ditto.
* runtime/StackFrame.cpp:
(JSC::StackFrame::toString const): Use makeString instead of StringBuilder.
2021-05-12 Geoffrey Garen <ggaren@apple.com>
ConservativeRoots triggers page demand on Speedometer
https://bugs.webkit.org/show_bug.cgi?id=225676
Reviewed by Filip Pizlo.
Use a 2048 item / 16kB inline buffer. That's about 10% bigger than the
max capacity observed on Speedometer, and small enough to reasonably fit
on the stack.
Removed the separate out of line capacity because it was smaller than
the new inline capacity.
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::grow):
* heap/ConservativeRoots.h:
2021-05-12 Mark Lam <mark.lam@apple.com>
Implement some common Baseline JIT slow paths using JIT thunks.
https://bugs.webkit.org/show_bug.cgi?id=225682
Reviewed by Filip Pizlo.
This patch implements the following changes:
1. Implement exception handling thunks:
a. handleExceptionGenerator, which calls operationLookupExceptionHandler().
b. handleExceptionWithCallFrameRollbackGenerator, which calls
operationLookupExceptionHandlerFromCallerFrame().
All the JIT tiers were emitting their own copy of these routines to call these
operation, one per CodeBlock. We now emit 2 thunks for these and have all the
tiers just jump to them.
PolymorphicAccess also now uses the handleExceptionGenerator thunk.
DFG::JITCompiler::compileExceptionHandlers() has one small behavior difference
before it calls operationLookupExceptionHandlerFromCallerFrame(): it first
re-sets the top of stack for the function where we are about to throw a
StackOverflowError from. This re-setting of top of stack is useless because
we're imminently unwinding out of at least this frame for the StackOverflowError.
Hence, it is ok to use the handleExceptionWithCallFrameRollbackGenerator thunk
here as well. Note that no other tiers does this re-setting of top of stack.
FTLLowerDFGToB3 has one case using operationLookupExceptionHandlerFromCallerFrame()
which cannot be refactored to use these thunks because it does additional
work to throw a StackOverflowError. A different thunk will be needed. I left
it alone for now.
2. Introduce JITThunks::existingCTIStub(ThunkGenerator, NoLockingNecessaryTag) so
that a thunk can get a pointer to another thunk without locking the JITThunks
lock. Otherwise, deadlock ensues.
3. Change SlowPathCall to emit and use thunks instead of emitting a blob of code
to call a slow path function for every bytecode in a CodeBlock.
4. Introduce JITThunks::ctiSlowPathFunctionStub() to manage these SlowPathFunction
thunks.
5. Introduce JITThunks::preinitializeAggressiveCTIThunks() to initialize these
thunks at VM initialization time. Pre-initializing them has multiple benefits:
a. the thunks are not scattered through out JIT memory, thereby reducing
fragmentation.
b. we don't spend time at runtime compiling them when the user is interacting
with the VM. Conceptually, these thunks can be VM independent and can be
shared by VMs process-wide. However, it will require some additional work.
For now, the thunks remain bound to a specific VM instance.
These changes are only enabled when ENABLE(EXTRA_CTI_THUNKS), which is currently
only available for ARM64 and non-Windows x86_64.
This patch has passed JSC tests on AS Mac.
With this patch, --dumpLinkBufferStats shows the following changes in emitted
JIT code size (using a single run of the CLI version of JetStream2 on AS Mac):
Base New Diff
BaselineJIT: 89089964 (84.962811 MB) 84624776 (80.704475 MB) 0.95x (reduction)
DFG: 39117360 (37.305222 MB) 36415264 (34.728302 MB) 0.93x (reduction)
Thunk: 23230968 (22.154778 MB) 23130336 (22.058807 MB) 1.00x
InlineCache: 22027416 (21.006981 MB) 21969728 (20.951965 MB) 1.00x
FTL: 6575772 (6.271145 MB) 6097336 (5.814873 MB) 0.93x (reduction)
Wasm: 2302724 (2.196049 MB) 2301956 (2.195316 MB) 1.00x
YarrJIT: 1538956 (1.467663 MB) 1522488 (1.451958 MB) 0.99x
CSSJIT: 0 0
Uncategorized: 0 0
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.h:
(JSC::CodeBlock::offsetOfInstructionsRawPointer):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::emitExplicitExceptionHandler):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileExceptionHandlers):
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* jit/JIT.cpp:
(JSC::JIT::link):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
* jit/JITThunks.cpp:
(JSC::JITThunks::existingCTIStub):
(JSC::JITThunks::ctiSlowPathFunctionStub):
(JSC::JITThunks::preinitializeExtraCTIThunks):
* jit/JITThunks.h:
* jit/SlowPathCall.cpp: Added.
(JSC::JITSlowPathCall::call):
(JSC::JITSlowPathCall::generateThunk):
* jit/SlowPathCall.h:
* jit/ThunkGenerators.cpp:
(JSC::handleExceptionGenerator):
(JSC::handleExceptionWithCallFrameRollbackGenerator):
(JSC::popThunkStackPreservesAndHandleExceptionGenerator):
* jit/ThunkGenerators.h:
* runtime/CommonSlowPaths.h:
* runtime/SlowPathFunction.h: Added.
* runtime/VM.cpp:
(JSC::VM::VM):
2021-05-12 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r277346.
https://bugs.webkit.org/show_bug.cgi?id=225705
Introduced a (rare) deadlock
Reverted changeset:
"ConservativeRoots triggers page demand on Speedometer"
https://bugs.webkit.org/show_bug.cgi?id=225676
https://trac.webkit.org/changeset/277346
2021-05-12 Mark Lam <mark.lam@apple.com>
Remove dead code around ENABLE(OPCODE_SAMPLING) and ENABLE(CODEBLOCK_SAMPLING).
https://bugs.webkit.org/show_bug.cgi?id=225699
Reviewed by Tadeu Zagallo.
This code revolves around an Interpreter::sampler() method which returns a
SamplingTool*. Neither the Interpreter method nor the SamplingTool class exists
anymore.
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::compileWithoutLinking):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileCallEval):
(JSC::JIT::compileCallEvalSlowCase):
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileCallEval):
(JSC::JIT::compileCallEvalSlowCase):
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
* jit/JITInlines.h:
(JSC::JIT::sampleInstruction): Deleted.
(JSC::JIT::sampleCodeBlock): Deleted.
* jit/JITOperations.cpp:
* jit/SlowPathCall.h:
(JSC::JITSlowPathCall::call):
* runtime/ScriptExecutable.h:
(JSC::ScriptExecutable::finishCreation): Deleted.
2021-05-11 Geoffrey Garen <ggaren@apple.com>
ConservativeRoots triggers page demand on Speedometer
https://bugs.webkit.org/show_bug.cgi?id=225676
Reviewed by Saam Barati.
Use a Vector instead of OSAllocator to avoid mmap() and page fault --
and, like, come on.
Bump default inlineCapacity up to 1024 because we seem to overflow
frequently.
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::ConservativeRoots):
(JSC::ConservativeRoots::~ConservativeRoots):
(JSC::ConservativeRoots::genericAddPointer):
(JSC::ConservativeRoots::grow): Deleted.
* heap/ConservativeRoots.h:
(JSC::ConservativeRoots::roots const):
(JSC::ConservativeRoots::size const): Deleted.
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::append):
* heap/VerifierSlotVisitor.cpp:
(JSC::VerifierSlotVisitor::append):
2021-05-10 Filip Pizlo <fpizlo@apple.com>
Tune number of threads for AS
https://bugs.webkit.org/show_bug.cgi?id=225635
Reviewed by Mark Lam.
Using 4 GC markers (which really means 3 parallel GC worker threads -- the mutator thread is
the 4th), 2 DFG threads, and 2 FTL threads seems to be more optimal than going off ncpu.
~1% JetStream2 speed-up, ~1% Speedometer2 speed-up.
* runtime/Options.cpp:
(JSC::overrideDefaults):
2021-05-10 Mark Lam <mark.lam@apple.com>
Removed unused CallRecord::bytecodeIndex field.
https://bugs.webkit.org/show_bug.cgi?id=225627
Reviewed by Yusuke Suzuki.
* jit/JIT.cpp:
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
(JSC::CallRecord::CallRecord):
* jit/JITInlines.h:
(JSC::JIT::emitNakedNearCall):
(JSC::JIT::emitNakedNearTailCall):
2021-05-10 Mark Lam <mark.lam@apple.com>
Add support to collect stats on cumulative LinkBuffer linked sizes based on profiles.
https://bugs.webkit.org/show_bug.cgi?id=225617
Reviewed by Saam Barati.
There are 2 ways to dump the stats:
1. Specify --dumpLinkBufferStats as an argument to the jsc shell.
2. Call $vm.dumpLinkBufferStats() from your JS script to get the stats as a string.
e.g.
$vm.print($vm.dumpLinkBufferStats());
Here's an example of what the dump looks like:
Cummulative LinkBuffer profile sizes:
BaselineJIT: 79480320 (75.798340 MB)
DFG: 36108672 (34.435913 MB)
Thunk: 22495360 (21.453247 MB)
InlineCache: 19538521 (18.633386 MB)
FTL: 5186240 (4.945984 MB)
Wasm: 1998272 (1.905701 MB)
YarrJIT: 1331072 (1.269409 MB)
CSSJIT: 0
Uncategorized: 0
The stats are currently grouped into some coarse profiles. If needed, we can
break these down into more fine grain profiles later.
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::performFinalization):
(JSC::LinkBuffer::dumpProfileStatistics):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::LinkBuffer):
* bytecode/InlineAccess.cpp:
(JSC::linkCodeInline):
(JSC::InlineAccess::rewireStubAsJump):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compile):
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::generate):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/ExecutableAllocator.cpp:
(JSC::jitWriteThunkGenerator):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
* jit/JITMathIC.h:
(JSC::JITMathIC::generateOutOfLine):
* jit/JITOpcodes.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutPrivateNameWithCachedId):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::linkCallThunkGenerator):
(JSC::linkPolymorphicCallThunkGenerator):
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::arityFixupGenerator):
(JSC::unreachableGenerator):
(JSC::stringGetByValGenerator):
(JSC::boundFunctionCallGenerator):
* jsc.cpp:
(CommandLine::parseArguments):
(jscmain):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
(JSC::LLInt::generateThunkWithJumpToPrologue):
(JSC::LLInt::generateThunkWithJumpToLLIntReturnPoint):
(JSC::LLInt::getHostCallReturnValueThunk):
(JSC::LLInt::createJSGateThunk):
(JSC::LLInt::createWasmGateThunk):
(JSC::LLInt::createTailCallGate):
(JSC::LLInt::loopOSREntryGateThunk):
(JSC::LLInt::entryOSREntryGateThunk):
(JSC::LLInt::wasmOSREntryGateThunk):
(JSC::LLInt::exceptionHandlerGateThunk):
(JSC::LLInt::returnFromLLIntGateThunk):
(JSC::LLInt::tagGateThunk):
(JSC::LLInt::untagGateThunk):
(JSC::LLInt::jitCagePtrThunk):
* tools/JSDollarVM.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSDollarVM::finishCreation):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::work):
(JSC::Wasm::BBQPlan::didCompleteCompilation):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmLLIntPlan.cpp:
(JSC::Wasm::LLIntPlan::didCompleteCompilation):
* wasm/WasmOMGForOSREntryPlan.cpp:
(JSC::Wasm::OMGForOSREntryPlan::work):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGEntryTierUpThunkGenerator):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):
* yarr/YarrJIT.cpp:
2021-05-08 Darin Adler <darin@apple.com>
Remove calls to the String::toInt family of functions from JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=225571
Reviewed by Sam Weinig.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::parseLocation): Use parseIntegerAllowingTrailingJunk<JSC::SourceID>
instead of String::toIntPtr. There was no reason to parse the source ID as a
signed integer, and it's more elegant to parse the type we intend to store and
process, not a different but similar type.
(Inspector::InspectorDebuggerAgent::searchInContent): Ditto.
(Inspector::InspectorDebuggerAgent::getScriptSource): Ditto.
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): Use
parseInteger<uintptr_t> instead of String::toIntPtrStrict.
(Inspector::InspectorRuntimeAgent::getBasicBlocks): Use
parseIntegerAllowingTrailingJunk<uintptr_t> instead of String::toIntPtr.
* runtime/FuzzerPredictions.cpp:
(JSC::FuzzerPredictions::FuzzerPredictions): Use parseInteger<uint64_t>
instead of String::toUInt64Strict.
2021-05-08 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Fix invalid exception checks after recent ErrorInstance changes
https://bugs.webkit.org/show_bug.cgi?id=225565
Reviewed by Alexey Shvayka.
r277221 and r277224 each introduced issues under validateExceptionChecks=1; this patch fixes them.
Of particular note:
The earlier patch sought to consolidate Error#cause logic under ErrorInstance::finishCreation.
This part must be undone as it is crucial that non-user-thrown errors be able to bypass that logic
(otherwise throwException itself would need to be exception-checked).
* runtime/AggregateError.cpp:
(JSC::createAggregateError):
* runtime/ArrayPrototype.cpp:
(JSC::getProperty):
* runtime/Error.cpp:
(JSC::createError):
(JSC::createEvalError):
(JSC::createRangeError):
(JSC::createReferenceError):
(JSC::createSyntaxError):
(JSC::createTypeError):
(JSC::createURIError):
(JSC::createGetterTypeError):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::create):
(JSC::ErrorInstance::finishCreation):
* runtime/ErrorInstance.h:
(JSC::ErrorInstance::create):
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::getIfPropertyExists):
* runtime/NullSetterFunction.cpp:
(JSC::NullSetterFunctionInternal::JSC_DEFINE_HOST_FUNCTION):
* wasm/js/JSWebAssemblyCompileError.cpp:
(JSC::createJSWebAssemblyCompileError):
* wasm/js/JSWebAssemblyLinkError.cpp:
(JSC::createJSWebAssemblyLinkError):
* wasm/js/JSWebAssemblyRuntimeError.cpp:
(JSC::createJSWebAssemblyRuntimeError):
2021-05-08 Chris Dumez <cdumez@apple.com>
Port Filesystem::pathByAppendingComponent() & Filesystem:: pathByAppendingComponents() to std::filesystem
https://bugs.webkit.org/show_bug.cgi?id=225550
Reviewed by Darin Adler.
Build fix.
* Configurations/JavaScriptCore.xcconfig:
2021-05-08 Ross Kirsling <ross.kirsling@sony.com>
Introduce JSObject::getIfPropertyExists helper
https://bugs.webkit.org/show_bug.cgi?id=225553
Reviewed by Alexey Shvayka.
Suggested by Alexey during review of r277221.
ArrayPrototype also has a "Has-guarded Get", so it's helpful for JSObject to house this functionality.
* runtime/ArrayPrototype.cpp:
(JSC::getProperty):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::finishCreation):
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::getIfPropertyExists):
2021-05-07 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Error#cause must recognize explicit undefined
https://bugs.webkit.org/show_bug.cgi?id=225535
Reviewed by Alexey Shvayka.
Error#cause is specified such that `new Error(message, {})` and `new Error(message, { cause: undefined })`
are not the same -- namely, the latter should create a property descriptor with an undefined `value`.
This would seem absurd, but the reason is because the `cause` field is meant to store a thrown object,
and `throw undefined;` is valid code.
In aligning our implementation with the spec, this patch also consolidates the relevant logic in one place
(ErrorInstance::finishCreation) to minimize confusion.
* runtime/AggregateError.cpp:
(JSC::createAggregateError):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::create):
(JSC::ErrorInstance::finishCreation):
* runtime/ErrorInstance.h:
(JSC::ErrorInstance::create):
2021-05-06 Chris Dumez <cdumez@apple.com>
Port Filesystem::fileMetadata() & Filesystem::getFileModificationTime() to std::filesystem
https://bugs.webkit.org/show_bug.cgi?id=225362
Reviewed by Darin Adler.
Build fix.
* Configurations/JavaScriptCore.xcconfig:
2021-05-06 Eleni Maria Stea <estea@igalia.com>
Removed the assertion m_numParameters >= 0, it is always true as
m_numParameters is unsigned.
https://bugs.webkit.org/show_bug.cgi?id=225457
Reviewed by Yusuke Suzuki.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::numberOfArgumentValueProfiles):
2021-05-06 Filip Pizlo <fpizlo@apple.com>
Make some things easier to dataLog in wasm
https://bugs.webkit.org/show_bug.cgi?id=225472
Reviewed by Yusuke Suzuki.
* wasm/WasmMemoryMode.cpp:
(WTF::printInternal):
* wasm/WasmMemoryMode.h:
* wasm/WasmWorklist.cpp:
(JSC::Wasm::Worklist::dump const):
* wasm/WasmWorklist.h:
2021-05-06 Filip Pizlo <fpizlo@apple.com>
Reduce use of dmb ish on ARM64
https://bugs.webkit.org/show_bug.cgi?id=225465
Reviewed by Keith Miller.
We use loadLoadFence a lot, often in situations like:
Foo* ptr = loadStuff;
loadLoadFence();
use ptr
On ARM64, we don't need a dmb ish here. This introduces a dependentLoadLoadFence() for these
cases; it's just a compiler fence on ARM64 and Intel.
We also used loadLoadFence in some places where I couldn't think of any good reason for the
fence other than paranoia. I got rid of those.
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromCallLinkInfo):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::jitType const):
* bytecode/ObjectAllocationProfile.h:
(JSC::ObjectAllocationProfileBase::structure):
(JSC::ObjectAllocationProfileWithPrototype::prototype):
* bytecode/Watchpoint.h:
(JSC::WatchpointSet::state const):
(JSC::InlineWatchpointSet::state const):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::handlePutByVal):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
* runtime/GetterSetter.h:
* runtime/InferredValue.h:
(JSC::InferredValue::state const):
* runtime/Structure.h:
(JSC::Structure::tryRareData):
* runtime/StructureInlines.h:
(JSC::Structure::propertyReplacementWatchpointSet):
2021-05-06 Filip Pizlo <fpizlo@apple.com>
It should be possible to --logJIT=true
https://bugs.webkit.org/show_bug.cgi?id=225464
Reviewed by Mark Lam.
This makes it easy to just log when JITing happens. It's like --dumpDisassembly=true but
without the disassembly.
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
* assembler/LinkBuffer.h:
* runtime/Options.cpp:
(JSC::Options::recomputeDependentOptions):
* runtime/OptionsList.h:
2021-05-06 Mark Lam <mark.lam@apple.com>
Forbid further execution in jsc shell if execution is terminated.
https://bugs.webkit.org/show_bug.cgi?id=225410
rdar://77548608
Reviewed by Michael Saboff.
1. Introduce a VM::m_executionForbidden flag.
2. In the jsc shell, forbid further execution if termination was encountered.
* jsc.cpp:
(runWithOptions):
* runtime/VM.cpp:
(JSC::VM::drainMicrotasks):
* runtime/VM.h:
(JSC::VM::executionForbidden const):
(JSC::VM::setExecutionForbidden):
2021-05-06 Mark Lam <mark.lam@apple.com>
Fix missing exception check in objectConstructorGetOwnPropertyDescriptors().
https://bugs.webkit.org/show_bug.cgi?id=225413
rdar://77551530
Reviewed by Michael Saboff.
Need to handle TerminationException.
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorGetOwnPropertyDescriptors):
2021-05-05 Mark Lam <mark.lam@apple.com>
Introduce VM::hasPendingTerminationException() to make code a little more terse.
https://bugs.webkit.org/show_bug.cgi?id=225412
Reviewed by Michael Saboff.
This is purely a refactoring patch. There is no behavior change.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
* jit/JITOperations.cpp:
* runtime/ExceptionScope.h:
(JSC::ExceptionScope::assertNoExceptionExceptTermination):
(JSC::ExceptionScope::releaseAssertNoExceptionExceptTermination):
* runtime/JSObject.h:
(JSC::JSObject::get const):
* runtime/LazyPropertyInlines.h:
(JSC::ElementType>::callFunc):
* runtime/VM.cpp:
(JSC::VM::throwException):
* runtime/VM.h:
(JSC::VM::hasPendingTerminationException const):
* runtime/VMTraps.cpp:
(JSC::VMTraps::deferTerminationSlow):
2021-05-05 Mark Lam <mark.lam@apple.com>
Enable incremental sweeping of GCAwareJITStubRoutines.
https://bugs.webkit.org/show_bug.cgi?id=225376
Reviewed by Filip Pizlo.
This patch makes the following changes:
1. Enhance JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines() to be able to
run in an incremental time slice.
2. Added JITStubRoutineSet::notifyHaveRoutinesToDelete() so that
GCAwareJITStubRoutine::observeZeroRefCount() can flag that the GC may have
some dead GCAwareJITStubRoutines to delete.
3. Added JITStubRoutineSet::mayHaveRoutinesToDelete() so that clients can do
a cheap check ahead of time to determine if there's work to do, and avoid
calling JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines() altogether
if not needed.
4. Added Heap::mayHaveJITStubRoutinesToDelete() and Heap::deleteDeadJITStubRoutines()
as wrappers around JITStubRoutineSet::mayHaveRoutinesToDelete() and
JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines() because the use of
the JITStubRoutineSet is a heap internal implementation detail.
5. Enhanced the IncrementalSweeper to also call Heap::deleteDeadJITStubRoutines()
if needed.
6. Enhanced Heap::sweepSynchronously() to also call Heap::deleteDeadJITStubRoutines()
if needed.
7. Time slices for Heap::deleteDeadJITStubRoutines() is currently set at the
current values:
a. max of 1 ms (1/10 of the IncreamentalSweeper's time slice) when invoked from
the IncreamentalSweeper.
b. max of 5 ms when invoked from Heap::deleteUnmarkedCompiledCode().
c. unlimited time (with a sanity check) when called from Heap::sweepSynchronously().
The choices of 1ms and 5ms were picked to not be too long, but would still delete
the bulk of the dead GCAwareJITStubRoutines quickly enough based on data from my
instrumented runs the CLI version of JetStream2.
I think these hardcoded values will do for now. If need be, we can try something
more sophisticated later.
* CMakeLists.txt:
* heap/Heap.cpp:
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::sweepSynchronously):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::mayHaveJITStubRoutinesToDelete):
(JSC::Heap::deleteDeadJITStubRoutines):
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::doSweep):
* heap/JITStubRoutineSet.cpp:
(JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
* heap/JITStubRoutineSet.h:
(JSC::JITStubRoutineSet::mayHaveRoutinesToDelete):
(JSC::JITStubRoutineSet::notifyHaveRoutinesToDelete):
(JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
* jit/GCAwareJITStubRoutine.cpp:
(JSC::GCAwareJITStubRoutine::observeZeroRefCount):
* jit/JITStubRoutine.h:
(JSC::JITStubRoutine::createSelfManagedRoutine): Deleted.
2021-05-03 Mark Lam <mark.lam@apple.com>
Fix syntax error message for AUTOPLUSPLUS token.
https://bugs.webkit.org/show_bug.cgi?id=225308
rdar://76830934
Reviewed by Saam Barati.
For the record, it's not easy to tell from the code why AUTOPLUSPLUS is needed.
It's needed to distinguish this:
```
statement ++ stuff // ++ is a postfix operator applied to `statement`.
```
from this:
```
statement
++stuff // The `\n` before the ++ makes it a prefix operator applied to `stuff``.
```
If we merely tokenize the ++ as a PLUSPLUS token, then it's unclear whether it acts
as a postfix or prefix token in the 2nd case above.
This is why the correct fix is not to get rid of the AUTOPLUSPLUS token, but to
teach the syntax error message to be aware of the AUTOPLUSPLUS token.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseUnaryExpression):
2021-05-03 Chris Dumez <cdumez@apple.com>
Restore pre-r276879 behavior for FileSystem::deleteFile() and FileSystem::deleteEmptyDirectory()
https://bugs.webkit.org/show_bug.cgi?id=225289
Reviewed by Darin Adler.
Fix build.
* Configurations/JavaScriptCore.xcconfig:
2021-05-03 Mark Lam <mark.lam@apple.com>
Add some missing exception checks before some jsCasts.
https://bugs.webkit.org/show_bug.cgi?id=225264
rdar://77381608
Reviewed by Saam Barati.
Introducing JSObject::getAs() and JSValue::getAs() convenience methods that will
check for an exception before doing a jsCast on the get result. We only need this
to placate the assertion in jsCast in the event a pending exception exists at the
time of the jsCast. If ASSERTs are not enabled, this will be a no-op. All clients
that use jsCast this way (and now use getAs instead) will already be doing an
exception check immediately after. Hence, they are already doing the right thing
in terms of handling exceptions. We're only placating the jsCast assertion here.
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::hostResolveImportedModule):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::getAs const):
* runtime/JSInternalPromise.cpp:
(JSC::JSInternalPromise::then):
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::dependencyKeysIfEvaluated):
(JSC::JSModuleLoader::provideFetch):
(JSC::JSModuleLoader::loadAndEvaluateModule):
(JSC::JSModuleLoader::loadModule):
(JSC::JSModuleLoader::linkAndEvaluateModule):
(JSC::JSModuleLoader::requestImportModule):
* runtime/JSObject.h:
(JSC::JSObject::getAs const):
* runtime/JSPromise.cpp:
(JSC::JSPromise::createDeferredData):
* runtime/VM.h:
2021-05-03 Dmitry Bezhetskov <dbezhetskov@igalia.com>
[WASM-Function-References] Add call_ref instruction
https://bugs.webkit.org/show_bug.cgi?id=222903
Reviewed by Yusuke Suzuki.
Add support for call_ref instruction from the typed function
references proposal: https://github.com/WebAssembly/function-references/blob/master/proposals/function-references/Overview.md.
call_ref calls the given function references from the stack
and it does almost the same stuff as call_indirect but
it doesn't check signatures because wasm types system guaranties
correctness.
* bytecode/BytecodeList.rb:
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* llint/LowLevelInterpreter.asm:
* llint/WebAssembly.asm:
* runtime/Gate.h:
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::addCallIndirect):
(JSC::Wasm::AirIRGenerator::addCallRef):
(JSC::Wasm::AirIRGenerator::emitIndirectCall):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitIndirectCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
(JSC::Wasm::B3IRGenerator::addCallRef):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
* wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::addCallRef):
* wasm/WasmSlowPaths.cpp:
(JSC::LLInt::doWasmCallRef):
(JSC::LLInt::WASM_SLOW_PATH_DECL):
* wasm/WasmSlowPaths.h:
* wasm/js/JSWebAssemblyTable.cpp:
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::WebAssemblyFunction):
* wasm/js/WebAssemblyFunction.h:
* wasm/js/WebAssemblyFunctionBase.cpp:
(JSC::WebAssemblyFunctionBase::WebAssemblyFunctionBase):
* wasm/js/WebAssemblyFunctionBase.h:
(JSC::WebAssemblyFunctionBase::offsetOfEntrypointLoadLocation):
* wasm/js/WebAssemblyWrapperFunction.cpp:
(JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
* wasm/js/WebAssemblyWrapperFunction.h:
* wasm/wasm.json:
2021-05-01 Chris Dumez <cdumez@apple.com>
Start leveraging std::filesystem in WTF::FileSystem
https://bugs.webkit.org/show_bug.cgi?id=225255
Reviewed by Sam Weinig.
Unexport some symbols to fix build.
* Configurations/JavaScriptCore.xcconfig:
2021-04-30 Filip Pizlo <fpizlo@apple.com>
Make small JIT pool tests pass on AS
https://bugs.webkit.org/show_bug.cgi?id=225256
Reviewed by Mark Lam.
If we ask for a JIT pool that is smaller than the smallest possible "region" (thing with jump
island) that we can create -- i.e. smaller than a jump region, then assume that the user is
asking us to create a pool that has that much usable space plus a jump region.
I think that this makes the option easier to use when you're testing ridiculously small JIT
pools, which we happen to do in our test suite.
Also remove some dead options I didn't mean to commit.
* jit/ExecutableAllocator.cpp:
(JSC::initializeJITPageReservation):
* runtime/OptionsList.h:
2021-04-30 Filip Pizlo <fpizlo@apple.com>
Make the JIT pool smaller on AS
https://bugs.webkit.org/show_bug.cgi?id=225249
Reviewed by Saam Barati.
This adds three related features:
- Makes it easy to dump where the JIT pool was allocated.
- Makes it possible to override the JIT pool size with Options even with jump islands.
- Changes the default JIT pool size on AS to 512MB.
Estimated 2% speed-up on JetStream2, 1.5% speed-up on Speedometer2.
* jit/ExecutableAllocator.cpp:
(JSC::initializeJITPageReservation):
* runtime/OptionsList.h:
2021-04-29 Saam Barati <sbarati@apple.com>
Inlining property accesses inside constant folding should check Options::useAccessInlining
https://bugs.webkit.org/show_bug.cgi?id=225194
Reviewed by Mark Lam.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
2021-04-29 Saam Barati <sbarati@apple.com>
Sampling profiler should dump a tier breakdown, and add ability to see time spent in C code with sampleCCode=0, and fix bugs with frames having the wrong jitType if they're inlined
https://bugs.webkit.org/show_bug.cgi?id=225116
Reviewed by Yusuke Suzuki.
This patch makes it so we also dump time spent in each tier when dumping top
bytecodes. This can be helpful info when analyzing benchmarks.
This patch also makes it so we know when we're in C/C++ code when we're not
using the sampleCCode=true option. I found some weird performance pathologies
with that option that cause us to not sample code at all. I was seeing ~50
samples taken for ~7 seconds of code running time. It's worth figuring out
what's going on there eventually. But for now, I've made it so that we
recognize that the top frame is C/C++ when using the collectExtraSamplingProfilerData=1
option.
This patch also fixes a bug where we mis-attribute JITTypes for inline
frames. We'd attribute it to whatever the CodeBlock was compiled as, instead
of using the machine frame's JITType.
* jsc.cpp:
(CommandLine::parseArguments):
* runtime/OptionsList.h:
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::takeSample):
(JSC::SamplingProfiler::processUnverifiedStackTraces):
(JSC::SamplingProfiler::StackFrame::displayName):
(JSC::SamplingProfiler::reportTopBytecodes):
2021-04-28 Mark Lam <mark.lam@apple.com>
Fix exception assertions in light of the TerminationException.
https://bugs.webkit.org/show_bug.cgi?id=225128
rdar://76694909
Reviewed by Robin Morisset.
Some pre-existing functions assertNoException() or releaseAssertNoException().
These assertion may not be valid anymore in light of the TerminationException, and
require some fix up:
1. If it makes sense to convert the assertion into an exception check, then do so.
For example, see objectPrototypeToString(), slow_path_create_this().
2. If the assertion is at the end of a function just before it returns, or if the
remaining code in the function will not be affected by the pending exception,
then we can replace the assertion as follows:
assertNoException() => assertNoExceptionExceptTermination()
releaseAssertNoException() => releaseAssertNoExceptionExceptTermination()
For example, see objectPrototypeHasOwnProperty(), JSObject::getOwnNonIndexPropertyNames().
3. If the assertion is in a function where perf is not absolutely critical, and the
function isn't calling any other functions that will re-enter the VM or potentially
get stuck in an infinite loop, then we can use a DeferTermination scope to defer
termination.
For example, see Debugger::pauseIfNeeded(), SamplingProfiler::StackFrame::nameFromCallee().
4. If the assertion is in an initializer function is only run once and adding
exception checks would complicate the code more than it's worth (an engineering
judgement), then use a DeferTermination scope.
For example, see ProgramExecutable::initializeGlobalProperties(), setupAdaptiveWatchpoint().
Some leaf (or near-leaf) functions that currently DECLARE_CATCH_SCOPE() may also
fall under this category.
For example, see JSFunction::prototypeForConstruction().
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addBigIntConstant):
* debugger/Debugger.cpp:
(JSC::Debugger::pauseIfNeeded):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* interpreter/Interpreter.cpp:
(JSC::notifyDebuggerOfUnwinding):
(JSC::Interpreter::executeProgram):
(JSC::Interpreter::debug):
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::functionsOnStack):
* jsc.cpp:
(runWithOptions):
* parser/ParserArena.cpp:
(JSC::IdentifierArena::makeBigIntDecimalIdentifier):
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::finishCreation):
* runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::sanitizedMessageString):
(JSC::ErrorInstance::sanitizedNameString):
* runtime/ExceptionScope.h:
(JSC::ExceptionScope::assertNoExceptionExceptTermination):
(JSC::ExceptionScope::releaseAssertNoExceptionExceptTermination):
* runtime/JSFunction.cpp:
(JSC::JSFunction::prototypeForConstruction):
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncIncludes):
(JSC::genericTypedArrayViewProtoFuncIndexOf):
(JSC::genericTypedArrayViewProtoFuncLastIndexOf):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
* runtime/JSGlobalObject.cpp:
(JSC::setupAdaptiveWatchpoint):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::defineOwnProperty):
(JSC::JSGlobalObject::tryInstallSpeciesWatchpoint):
* runtime/JSModuleLoader.cpp:
(JSC::printableModuleKey):
* runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::finishCreation):
* runtime/JSObject.cpp:
(JSC::JSObject::ordinaryToPrimitive const):
(JSC::JSObject::getOwnNonIndexPropertyNames):
* runtime/JSTemplateObjectDescriptor.cpp:
(JSC::JSTemplateObjectDescriptor::createTemplateObject):
* runtime/JSTypedArrayViewPrototype.cpp:
* runtime/ObjectPrototype.cpp:
(JSC::objectPrototypeHasOwnProperty):
(JSC::objectPrototypeToString):
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::initializeGlobalProperties):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::StackFrame::nameFromCallee):
* tools/JSDollarVM.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
2021-04-28 Daniel Kolesa <dkolesa@igalia.com>
[WPE][GTK] More correct fixes for stack size issues on musl libc
https://bugs.webkit.org/show_bug.cgi?id=225099
Reviewed by Adrian Perez de Castro.
Partial revert https://bugs.webkit.org/show_bug.cgi?id=210068
After fixing the thread stack issues in WTF properly, we can revert
the JSC options changes, which are actually harmful since they result
in JSC being unstable. Previously, softReservedZoneSize was causing a
crash when set to 128K because of the main thread stack bounds, and
this is now fixed. We can keep the maxPerThreadStackUsage at 5M as
well; there is no fundamental difference from how things are done on
glibc anymore.
* runtime/OptionsList.h:
2021-04-27 Filip Pizlo <fpizlo@apple.com>
Get the bytecode profiler working again
https://bugs.webkit.org/show_bug.cgi?id=225129
Reviewed by Saam Barati.
The bytecode profiler was broken because it was trying to look at unset labels. This patch
improves our label discipline a bit so we don't try to look at unset labels.
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
2021-04-27 Mark Lam <mark.lam@apple.com>
Move ExceptionExpectation into its own .h file.
https://bugs.webkit.org/show_bug.cgi?id=225124
Reviewed by Robin Morisset.
Also fixed some compiler warnings.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/ExceptionExpectation.h: Added.
* runtime/ExceptionHelpers.h:
* runtime/HashMapImplInlines.h:
(JSC::jsMapHashImpl):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
2021-04-27 Alexey Shvayka <shvaikalesh@gmail.com>
[JSC] Remove defaultValue() from the method table
https://bugs.webkit.org/show_bug.cgi?id=225032
Reviewed by Darin Adler.
This patch not only removes the unnecessary method table entry, but also makes
the presence of custom ToPrimitive behavior observable to userland code.
To maintain object identity and (possibly) enable caching, Symbol.toPrimitive
method is stored on a structure. To avoid any potential breakage, it's made
replaceable and configurable, covering the case when its holder is a [[ProxyTarget]].
For JSCallbackObject, Symbol.toPrimitive method is created only if ConvertToType
callback is present, before initialization is performed.
Also, this change adds additional ordinaryToPrimitive() cast to fix the invariant
that toPrimitive() returns a primitive value, which was broken if ConvertToType
callback returned an object. The invariant is enforced by the spec [1][2] and is
validated via assertion in JSValue::toStringSlowCase().
[1]: https://tc39.es/ecma262/#sec-toprimitive (step 2.b.vi)
[2]: https://tc39.es/ecma262/#sec-ordinarytoprimitive (step 6)
* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::init):
(JSC::JSCallbackObject<Parent>::customToPrimitive):
(JSC::JSCallbackObject<Parent>::defaultValue): Deleted.
* API/tests/testapiScripts/testapi.js:
* runtime/ClassInfo.h:
* runtime/JSCell.cpp:
(JSC::JSCell::defaultValue): Deleted.
* runtime/JSCell.h:
* runtime/JSObject.cpp:
(JSC::JSObject::toPrimitive const):
(JSC::JSObject::defaultValue): Deleted.
* runtime/JSObject.h:
* runtime/Operations.cpp:
(JSC::jsAddSlowCase):
2021-04-27 Keith Miller <keith_miller@apple.com>
StructureStubInfo and PolymorphicAccess should account for their non-GC memory
https://bugs.webkit.org/show_bug.cgi?id=225113
Reviewed by Mark Lam.
We don't pass the ConcurrentJSLocker to the helper methods here since the
DECLARE_VISIT_AGGREGATE macro does not allow for extra parameters to be passed.
I filed https://bugs.webkit.org/show_bug.cgi?id=225114 to track that.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::JITData::size const):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::extraMemoryInBytes const):
* bytecode/PolymorphicAccess.h:
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::extraMemoryInBytes):
* bytecode/StructureStubInfo.h:
2021-04-26 Keith Miller <keith_miller@apple.com>
UnlinkedCodeBlock should have better accounting for extra memory
https://bugs.webkit.org/show_bug.cgi?id=225080
Reviewed by Mark Lam.
Right now we aren't telling the JS GC about the extra memory
attached to UnlinkedCodeBlocks. It looks like on at least some sites this
can be a fairly large percentage of the total memory retained by
the JS object graph. This is very similar to the change we made for
CodeBlocks in r276610.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::visitChildrenImpl):
(JSC::UnlinkedCodeBlock::RareData::sizeInBytes const):
* bytecode/UnlinkedCodeBlock.h:
2021-04-26 Alex Christensen <achristensen@webkit.org>
Update Mac-specific CMake files
https://bugs.webkit.org/show_bug.cgi?id=225064
Rubber-stamped by Tim Horton.
* PlatformMac.cmake:
2021-04-26 Mark Lam <mark.lam@apple.com>
%TypedArray%.prototype.sort() should not use a regular array as a temp buffer.
https://bugs.webkit.org/show_bug.cgi?id=225062
rdar://77021547
Reviewed by Yusuke Suzuki.
%TypedArray%.prototype.sort() should not be affected by property changes in
Array.prototype.
References:
[1] https://tc39.es/ecma262/#sec-%typedarray%.prototype.sort
[2] https://tc39.es/ecma262/#sec-array.prototype.sort
[3] https://tc39.es/ecma262/#sec-sortcompare
* builtins/TypedArrayPrototype.js:
(globalPrivate.typedArrayMergeSort):
2021-04-26 Keith Miller <keith_miller@apple.com>
CodeBlock should do a better job accounting for extra memory it allocates.
https://bugs.webkit.org/show_bug.cgi?id=225068
Reviewed by Mark Lam.
Right now we aren't telling the JS GC about the extra memory
attached to CodeBlocks. It looks like on at least some sites this
can be a fairly large percentage of the total memory retained by
the JS object graph.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::JITData::size const):
* bytecode/CodeBlock.h:
* jit/JITCodeMap.h:
(JSC::JITCodeMap::memorySize const):
2021-04-26 Keith Miller <keith_miller@apple.com>
numCalleeLocals, numParameters, and numVars should be unsigned
https://bugs.webkit.org/show_bug.cgi?id=224995
Reviewed by Mark Lam.
All of the various CodeBlock classes currently have the
numCalleeLocals and numVars marked as ints. I believe this is just
a historical artifact or because VirtualRegister's offset is an
int to make handling constants easier. Regardless, it's a bit
strange to not handle the sign conversion at the point of
comparison between a VirtualRegister offset and the local/var
count. This doesn't completely fix every place we use ints for
these values but starts on the right track. Lastly, I also added
some Check<unsigned>s to the wasm parser for sanity checking.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setNumParameters):
(JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::numParameters const):
(JSC::CodeBlock::numberOfArgumentsToSkip const):
(JSC::CodeBlock::numCalleeLocals const):
(JSC::CodeBlock::numVars const):
(JSC::CodeBlock::numTmps const):
(JSC::CodeBlock::addressOfNumParameters):
(JSC::CodeBlock::isTemporaryRegister):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::numCalleeLocals const):
(JSC::UnlinkedCodeBlock::numVars const):
* bytecode/UnlinkedCodeBlockGenerator.h:
(JSC::UnlinkedCodeBlockGenerator::numCalleeLocals const):
(JSC::UnlinkedCodeBlockGenerator::numVars const):
(JSC::UnlinkedCodeBlockGenerator::setNumCalleeLocals):
(JSC::UnlinkedCodeBlockGenerator::setNumVars):
(JSC::UnlinkedCodeBlockGenerator::setNumParameters):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::emitPushFunctionNameScope):
* bytecompiler/BytecodeGeneratorBaseInlines.h:
(JSC::BytecodeGeneratorBase<Traits>::newRegister):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
(JSC::DFG::ByteCodeParser::inliningCost):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArgumentTypes):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
* ftl/FTLOSREntry.cpp:
(JSC::FTL::prepareOSREntry):
* interpreter/CallFrameClosure.h:
* interpreter/ProtoCallFrameInlines.h:
(JSC::ProtoCallFrame::init):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::numberOfStackPaddingSlots):
(JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots):
* wasm/WasmFunctionCodeBlock.h:
(JSC::Wasm::FunctionCodeBlock::numVars const):
(JSC::Wasm::FunctionCodeBlock::numCalleeLocals const):
(JSC::Wasm::FunctionCodeBlock::setNumVars):
(JSC::Wasm::FunctionCodeBlock::setNumCalleeLocals):
* wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::push):
(JSC::Wasm::LLIntGenerator::getDropKeepCount):
(JSC::Wasm::LLIntGenerator::walkExpressionStack):
(JSC::Wasm::LLIntGenerator::checkConsistency):
(JSC::Wasm::LLIntGenerator::materializeConstantsAndLocals):
(JSC::Wasm::LLIntGenerator::splitStack):
(JSC::Wasm::LLIntGenerator::finalize):
(JSC::Wasm::LLIntGenerator::callInformationForCaller):
(JSC::Wasm::LLIntGenerator::addLoop):
(JSC::Wasm::LLIntGenerator::addTopLevel):
(JSC::Wasm::LLIntGenerator::addBlock):
(JSC::Wasm::LLIntGenerator::addIf):
(JSC::Wasm::LLIntGenerator::addElseToUnreachable):
2021-04-26 Alexey Shvayka <shvaikalesh@gmail.com>
[JSC] OrdinarySet should invoke custom [[Set]] methods
https://bugs.webkit.org/show_bug.cgi?id=217916
Reviewed by Yusuke Suzuki.
This patch fixes putInlineSlow() to handle special properties (like JSFunction's "name"
and JSArray's "length") in prototype chain. When such property is encountered, prototype
chain traversal is stopped; if it's read-only, a TypeError is thrown in strict mode.
This change adds OverridesPut out of line type info flag, and utilizes it in putInlineSlow()
to invoke overriden methods. While this approach requires put() methods to be aware of
altered receivers, it renders several benefits:
1. put() method can be used for both "real" [[Set]] overrides and special properties,
with its return value remaining `bool`;
2. it is simpler, faster, and more predictable than calling [[GetOwnProperty]] in
putInlineSlow() or adding defineOwnPropertyViaPut() to the method table.
Removes ordinarySetSlow() for non-index properties, which didn't invoke some [[Set]]
methods as well. Instead, definePropertyOnReceiver() is introduced for altered receivers,
which performs correctly when reached because:
1. all special properties were already handled (unless it's Reflect.set);
2. performing putDirectInternal() is unobservable (unless ProxyObject was seen);
3. putDirectInternal() now fully implements property definition of OrdinarySet [1];
4. put() override is required if a spec defines custom [[DefineOwnProperty]].
Since indexed puts handle overrides / altered receivers quite differently, they will
be fixed in a follow-up, completely removing ordinarySetSlow().
Also, by merging putEntry() / putToPrimitive() into putInlineSlow() and introducing
putInlineFastReplacingStaticPropertyIfNeeded() helper, this patch fixes a few bugs:
1. Direct [[Set]] to non-reified static property now preserves its attributes when replacing [[Value]].
2. Prototype chain [[Set]] to non-reified static property now throws if receiver is non-extensible.
3. Non-reified static writable property now shadows read-only one that is further in prototype chain.
4. Non-reified static properties in prototype chain of a primitive are now considered.
Fixes a few issues that were previously unobservable:
1. PropertyAttribute::CustomValue is now unset when a setter-less property is reassigned.
2. uint64_t putByIndexInline() now calls put() via method table like uint32_t counterpart.
Other notable refactors:
1. Inlines callCustomSetter(), dropping weird TriState return value.
2. Simplifies initialization of StringPrototype.
3. Simplifies isThisValueAltered() to pointer comparisons at non-JSProxy call sites.
4. Removes doPutPropertySecurityCheck() methods as the same checks are performed by put() methods.
5. Removes prototypeChainMayInterceptStoreTo(), which pretty much duplicated canPerformFastPutInline().
6. Removes dummy JSArrayBufferView::put() method.
7. Removes now unused lookupPut().
Aligns JSC with V8 and SpiderMonkey.
This patch carefully preserves the current behavior of Reflect.set with CustomValue
and prototype chain [[Set]] to a JSCallbackObject / legacy platform object.
This change is performance-neutral on /put/ microbenchmarks as it doesn't affect
caching, only the slow path. Reflect.set with JSFinalObject receiver is 130% faster.
putInlineSlow() microbenchmarks progress by 4-18%.
[1]: https://tc39.es/ecma262/#sec-ordinarysetwithowndescriptor (step 3)
* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::put):
* API/tests/testapiScripts/testapi.js:
* debugger/DebuggerScope.h:
* runtime/ClassInfo.h:
* runtime/ClonedArguments.h:
* runtime/CustomGetterSetter.cpp:
(JSC::callCustomSetter): Deleted.
* runtime/CustomGetterSetter.h:
* runtime/ErrorConstructor.h:
* runtime/ErrorInstance.h:
* runtime/GenericArguments.h:
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::put):
* runtime/GetterSetter.h:
* runtime/JSArray.cpp:
(JSC::JSArray::put):
* runtime/JSArray.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::put): Deleted.
* runtime/JSArrayBufferView.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSCell.cpp:
(JSC::JSCell::doPutPropertySecurityCheck): Deleted.
* runtime/JSCell.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
* runtime/JSFunction.h:
* runtime/JSGenericTypedArrayView.h:
* runtime/JSGlobalLexicalEnvironment.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::put):
* runtime/JSGlobalObject.h:
* runtime/JSLexicalEnvironment.h:
* runtime/JSModuleEnvironment.h:
* runtime/JSModuleNamespaceObject.h:
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::putInlineSlow):
(JSC::definePropertyOnReceiverSlow):
(JSC::JSObject::definePropertyOnReceiver):
(JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded):
(JSC::JSObject::doPutPropertySecurityCheck): Deleted.
(JSC::JSObject::prototypeChainMayInterceptStoreTo): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::putByIndexInline):
(JSC::JSObject::hasNonReifiedStaticProperties):
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::putDirect):
(JSC::JSObject::doPutPropertySecurityCheck): Deleted.
* runtime/JSObjectInlines.h:
(JSC::JSObject::canPerformFastPutInlineExcludingProto):
(JSC::JSObject::putInlineForJSObject):
(JSC::JSObject::putInlineFast):
(JSC::JSObject::putDirectInternal):
* runtime/JSProxy.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::hasStaticPropertyTable const):
(JSC::TypeInfo::overridesPut const):
(JSC::TypeInfo::getOwnPropertySlotMayBeWrongAboutDontEnum const):
(JSC::TypeInfo::hasPutPropertySecurityCheck const): Deleted.
* runtime/Lookup.h:
(JSC::putEntry): Deleted.
(JSC::lookupPut): Deleted.
* runtime/PropertySlot.h:
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::put):
* runtime/ProxyObject.h:
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::context const):
(JSC::PutPropertySlot::isTaintedByOpaqueObject const):
(JSC::PutPropertySlot::setIsTaintedByOpaqueObject):
* runtime/ReflectObject.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::put):
* runtime/RegExpObject.h:
* runtime/StringObject.cpp:
(JSC::StringObject::put):
* runtime/StringObject.h:
* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):
(JSC::StringPrototype::create):
* runtime/StringPrototype.h:
* runtime/Structure.cpp:
(JSC::Structure::validateFlags):
* runtime/Structure.h:
(JSC::Structure::hasNonReifiedStaticProperties const):
* tools/JSDollarVM.cpp:
2021-04-23 Michael Saboff <msaboff@apple.com>
[YARR Interpreter] Improper backtrack of parentheses with non-zero based greedy quantifiers
https://bugs.webkit.org/show_bug.cgi?id=224983
Reviewed by Mark Lam.
When we backtrack a parentheses with a greedy non zero based quantifier,
we don't properly restore for the case where we hadn't reached the minimum count.
We now save the input position on entry and restore it when we backtrack for
this case. We also properly release the allocated ParenthesesDisjunctionContext's.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::matchParentheses):
(JSC::Yarr::Interpreter::backtrackParentheses):
2021-04-23 Mark Lam <mark.lam@apple.com>
Fix B3 strength reduction for shl.
https://bugs.webkit.org/show_bug.cgi?id=224913
rdar://76978874
Reviewed by Michael Saboff.
If the operation can potentially either underflow or overflow, then the result
can be any value.
* b3/B3ReduceStrength.cpp:
2021-04-23 Fujii Hironori <Hironori.Fujii@sony.com>
[JSC][Win] callOperationNoExceptionCheck() also needs to support operations that return SlowPathReturnType
https://bugs.webkit.org/show_bug.cgi?id=224964
Reviewed by Yusuke Suzuki.
r229989 (Bug 183655) added the x64 Windows support only for
callOperation(), but for callOperationNoExceptionCheck().
callOperationNoExceptionCheck() also needs the x64 Windows
support.
This change is a preparation for Bug 224920 that is going to use
callOperationNoExceptionCheck instead of callOperation.
* jit/JIT.h:
(callOperation): Rewrote by using 'if constexpr' instead of SFINAE.
(callOperationNoExceptionCheck): Added a new implementation for
x64 Windows based on callOperation.
2021-04-23 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r276486.
https://bugs.webkit.org/show_bug.cgi?id=224973
broke windows build
Reverted changeset:
"[JSC][Win] callOperationNoExceptionCheck() also needs to
support operations that return SlowPathReturnType"
https://bugs.webkit.org/show_bug.cgi?id=224964
https://trac.webkit.org/changeset/276486
2021-04-22 Fujii Hironori <Hironori.Fujii@sony.com>
[JSC][Win] callOperationNoExceptionCheck() also needs to support operations that return SlowPathReturnType
https://bugs.webkit.org/show_bug.cgi?id=224964
Reviewed by Yusuke Suzuki.
r229989 (Bug 183655) added the x64 Windows support only for
callOperation(), but for callOperationNoExceptionCheck().
callOperationNoExceptionCheck() also needs the x64 Windows
support.
This change is a preparation for Bug 224920 that is going to use
callOperationNoExceptionCheck instead of callOperation.
* jit/JIT.h:
(callOperation): Rewrote by using 'if constexpr' instead of SFINAE.
(callOperationNoExceptionCheck): Added a new implementation for
x64 Windows based on callOperation.
2021-04-22 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r276456.
https://bugs.webkit.org/show_bug.cgi?id=224952
Windows specific crash
Reverted changeset:
"[JSC} Remove exception checks from non-throwing function
calls in Baseline JIT"
https://bugs.webkit.org/show_bug.cgi?id=224920
https://trac.webkit.org/changeset/276456
2021-04-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC} Remove exception checks from non-throwing function calls in Baseline JIT
https://bugs.webkit.org/show_bug.cgi?id=224920
Reviewed by Tadeu Zagallo.
These functions are not taking JSGlobalObject and will not throw an error.
Use callOperationNoExceptionCheck instead to avoid emitting unnecessary exception checks.
* jit/JIT.cpp:
(JSC::JIT::emitEnterOptimizationCheck):
* jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_new_object):
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emitSlow_op_loop_hint):
(JSC::JIT::emit_op_profile_type):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emitSlow_op_new_object):
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_profile_type):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitWriteBarrier):
2021-04-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Baseline should have fast path for switch_imm
https://bugs.webkit.org/show_bug.cgi?id=224521
Reviewed by Tadeu Zagallo.
This patch implements op_switch_imm fast path in Baseline.
We have this fast path in LLInt, DFG, and FTL. So only Baseline lacks this.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_switch_imm):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_switch_imm):
2021-04-21 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] DFG / FTL should inline switch_string
https://bugs.webkit.org/show_bug.cgi?id=224578
Reviewed by Mark Lam.
Because of r275840 change, we no longer copy StringJumpTable when compiling DFG / FTL code.
Instead we are using a pointer to UnlinkedStringTable stored in UnlinkedCodeBlock.
This allows DFG / FTL to inline CodeBlock which includes op_switch_string. We were previously not able
to do that because we cannot copy StringImpl in DFG / FTL concurrent compiler thread.
1. We handle StringJumpTable / UnlinkedStringJumpTable in the same way as SimpleJumpTable / UnlinkedSimpleJumpTable.
2. We put m_ctiDefault of StringJumpTable in the last element of m_ctiOffsets vector of StringJumpTable to make
sizeof(StringJumpTable) small.
3. We use m_indexInTable instead of m_branchOffset in FTL switch generation to make switch table dense.
The microbenchmark shows 30% improvement because of unlocking inlining feature.
ToT Patched
switch-inlining 27.1238+-0.2708 ^ 20.2630+-0.1477 ^ definitely 1.3386x faster
<geometric> 27.1238+-0.2708 ^ 20.2630+-0.1477 ^ definitely 1.3386x faster
* bytecode/JumpTable.h:
(JSC::StringJumpTable::ensureCTITable):
(JSC::StringJumpTable::ctiForValue const):
(JSC::StringJumpTable::ctiDefault const):
(JSC::StringJumpTable::isEmpty const):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedStringJumpTable::indexForValue const):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
* ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_JIT_OPERATION):
* ftl/FTLOperations.h:
* jit/JIT.cpp:
(JSC::JIT::link):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_switch_string):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_switch_string):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
2021-04-21 Adrian Perez de Castro <aperez@igalia.com>
Non-unified build fixes, mid April 2021 edition
https://bugs.webkit.org/show_bug.cgi?id=222652
<rdar://problem/75262285>
Unreviewed non-unified build fixes.
* bytecode/JumpTable.cpp: Remove inclusion of wtf/text/StringHash.h
* bytecode/JumpTable.h: Add missing inclusions of wtf/FixedVector.h and
wtf/text/StringHash.h
* bytecode/SpeculatedType.cpp: Add missing includes JSCJSValueInlines.h and
JSCellInlines.h
* bytecompiler/BytecodeGenerator.cpp: Move template method to header, remove now uneeded
LinkTimeConstant.h include.
* bytecompiler/BytecodeGenerator.h: Add include for LinkTimeConstant.h
(JSC::BytecodeGenerator::emitDirectSetPrototypeOf): Template method moved here from
BytecodeGenerator.cpp to avoid compile errors due to usage of missing template body
definition.
* dfg/DFGDesiredGlobalProperties.cpp: Add missing DFGDesiredWatchpoints.h include.
* ftl/FTLAbstractHeap.cpp: Add missing JSCJSValueInlines.h include.
* runtime/JSCustomGetterFunction.cpp: Add missing IdentifierInlines.h include.
* runtime/JSCustomSetterFunction.cpp: Ditto.
* runtime/SetPrototype.cpp: Add missing HashMapImplInlines.h include.
* runtime/VMTraps.cpp: Add missing VMEntryScope.h include.
* runtime/WeakSetConstructor.cpp: Add missing WeakMapImplInlines.h include.
* runtime/WeakSetPrototype.cpp: Add missing includes for HashMapImplInlines.h and
WeakMapImplInlines.h
* wasm/js/JSWebAssemblyTable.cpp: Add missing ObjectConstructor.h include.
2021-04-20 Michael Catanzaro <mcatanzaro@gnome.org>
Static asserts in WasmAirIRGenerator.cpp and WasmB3IRGenerator.cpp trigger -Wnonnull warnings with GCC 11
https://bugs.webkit.org/show_bug.cgi?id=224826
Reviewed by Yusuke Suzuki.
Rewrite these static asserts to avoid warnings when built with GCC 11. Credit to Jonathan
Wakely for providing this mind-bending solution.
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::AirIRGenerator::addCurrentMemory):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addCurrentMemory):
2021-04-20 Michael Catanzaro <mcatanzaro@gnome.org>
-Warray-bounds warning in AirAllocateRegistersByGraphColoring.cpp with GCC 11
https://bugs.webkit.org/show_bug.cgi?id=224782
Reviewed by Darin Adler.
These warnings don't make any sense to me. Suppress them.
* b3/air/AirAllocateRegistersByGraphColoring.cpp:
2021-04-20 Keith Miller <keith_miller@apple.com>
FullGCActivityCallback should use the percentage of pages uncompressed in RAM to determine deferral.
https://bugs.webkit.org/show_bug.cgi?id=224817
Reviewed by Filip Pizlo.
Right now we try to determine if too many pages are paged out by
dereferencing them and bailing out of the GC if we go over a
deadline. While this works if the only goal is to avoid causing
extensive thrashing on spinny disks (HDD), it doesn't prevent
thrashing when access to disk is fast (e.g. SSD). This is because
on fast disks the proportional time to load the memory from disk
is much lower. Additionally, on SSDs in particular we don't want
to load the pages into RAM then bail as that will force a
different page onto disk, increasing wear.
This patch switches to asking the OS if each MarkedBlock is paged
out. Then if we are over a threshold we wait until we would have
GC'd anyway. This patch uses the (maxVMGrowthFactor - 1) as the
percentage of "slow" pages (paged out or compressed) needed to
defer the GC. The idea behind that threshold is that if we add
that many pages then the same number of pages would be forced
out of RAM for us to do a GC anyway (in the limit).
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::updatePercentageOfPagedOutPages):
(JSC::BlockDirectory::isPagedOut): Deleted.
* heap/BlockDirectory.h:
* heap/FullGCActivityCallback.cpp:
(JSC::FullGCActivityCallback::doCollection):
* heap/Heap.cpp:
(JSC::Heap::isPagedOut):
* heap/Heap.h:
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::isPagedOut):
* heap/MarkedSpace.h:
* runtime/OptionsList.h:
2021-04-20 Don Olmstead <don.olmstead@sony.com>
[CMake] Don't use FORWARDING_HEADERS_DIR for JSC GLib headers
https://bugs.webkit.org/show_bug.cgi?id=224821
Reviewed by Michael Catanzaro.
Use JavaScriptCoreGLib_FRAMEWORK_HEADERS_DIR and JavaScriptCoreGLib_DERIVED_SOURCES_DIR
for GLib JSC headers instead of FORWARDING_HEADERS_DIR and DERIVED_SOURCES_DIR.
* GLib.cmake:
* PlatformGTK.cmake:
2021-04-20 Ben Nham <nham@apple.com>
LinkBuffer fails to build when MALLOC_HEAP_BREAKDOWN is enabled
https://bugs.webkit.org/show_bug.cgi?id=224722
Reviewed by Yusuke Suzuki.
When ENABLE_MALLOC_HEAP_BREAKDOWN is set, LinkBuffer causes a build failure at link time
since it never defines its debugHeap. Fix that.
* assembler/LinkBuffer.cpp:
2021-04-20 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use FixedVector for LLIntPrototypeLoadAdaptiveStructureWatchpoint vector
https://bugs.webkit.org/show_bug.cgi?id=224729
Reviewed by Darin Adler.
Replace Vector<LLIntPrototypeLoadAdaptiveStructureWatchpoint> with FixedVector.
* bytecode/CodeBlock.h:
* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::initialize):
* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setupGetByIdPrototypeCache):
2021-04-19 Mark Lam <mark.lam@apple.com>
Build fix for Debug -O3 after r276162.
https://bugs.webkit.org/show_bug.cgi?id=224681
rdar://76698113
Not reviewed.
* runtime/JSObject.cpp:
2021-04-19 Kimmo Kinnunen <kkinnunen@apple.com>
Enable -Wthread-safety, add attributes to custom lock classes, and provide macros to declare guards
https://bugs.webkit.org/show_bug.cgi?id=221614
<rdar://problem/74396781>
Reviewed by David Kilzer.
Add -Wthread-safety to compile flags.
* Configurations/Base.xcconfig:
2021-04-18 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, build fix
https://bugs.webkit.org/show_bug.cgi?id=224715
* dfg/DFGDesiredWatchpoints.h:
2021-04-18 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Do not use Bag<> for DFG / FTL watchpoints
https://bugs.webkit.org/show_bug.cgi?id=224715
Reviewed by Darin Adler.
While Bag<> is useful since its allocated memory will not be moved,
this is really memory-inefficient data structure. Each entry gets a
tail pointer (so adding 8 bytes) and we allocate each entry separately.
In DFG and FTL, we are using Bag<> for watchpoints. But this is not necessary actually: thanks to
concurrent compilers, our watchpoint registration is batched at the end of compilation. This means
that we have a way to know how many watchpoints we should register at that point.
In this patch, we introduce WatchpointCollector. In DesiredGlobalProperties, we run reallyAdd twice
with WatchpointCollector. First time, we just count # of watchpoints. Then we allocate FixedVector<XXXWatchpoint>
and install them. Since we do not (cannot) grow this fixed vector, watchpoint's address will not be changed as required.
We also move DesiredGlobalProperties under DesiredWatchpoints since this basically registers watchpoints.
* bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
(JSC::AdaptiveInferredPropertyValueWatchpointBase::AdaptiveInferredPropertyValueWatchpointBase):
(JSC::AdaptiveInferredPropertyValueWatchpointBase::initialize):
* bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
* bytecode/CodeBlockJettisoningWatchpoint.h:
* dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::AdaptiveInferredPropertyValueWatchpoint):
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::initialize):
* dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
* dfg/DFGAdaptiveStructureWatchpoint.cpp:
(JSC::DFG::AdaptiveStructureWatchpoint::AdaptiveStructureWatchpoint):
(JSC::DFG::AdaptiveStructureWatchpoint::initialize):
* dfg/DFGAdaptiveStructureWatchpoint.h:
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::validateReferences):
(JSC::DFG::CommonData::clearWatchpoints):
* dfg/DFGCommonData.h:
* dfg/DFGDesiredGlobalProperties.cpp:
(JSC::DFG::DesiredGlobalProperties::reallyAdd):
* dfg/DFGDesiredGlobalProperties.h:
* dfg/DFGDesiredWatchpoints.cpp:
(JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
(JSC::DFG::SymbolTableAdaptor::add):
(JSC::DFG::FunctionExecutableAdaptor::add):
(JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
(JSC::DFG::DesiredWatchpoints::addLazily):
(JSC::DFG::DesiredWatchpoints::reallyAdd):
(JSC::DFG::DesiredWatchpoints::areStillValidOnMainThread):
(JSC::DFG::WatchpointCollector::finalize):
* dfg/DFGDesiredWatchpoints.h:
(JSC::DFG::SetPointerAdaptor::add):
(JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::watchGlobalProperty):
* dfg/DFGGraph.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::reallyAdd):
(JSC::DFG::Plan::isStillValidOnMainThread):
(JSC::DFG::Plan::cancel):
* dfg/DFGPlan.h:
(JSC::DFG::Plan::transitions):
(JSC::DFG::Plan::globalProperties): Deleted.
2021-04-18 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Make more DFG/FTL data FixedVector/Vector
https://bugs.webkit.org/show_bug.cgi?id=224713
Reviewed by Darin Adler.
1. DFG::JITCode::m_osrEntry / DFG::JITCode::m_osrExit / DFG::JITCode::m_speculationRecovery are changed to FixedVector.
They are added at compiling time, and after that, these vectors are not modified. So when finalizing, we can easily make it FixedVector.
We also change OSREntry::{m_reshufflings,m_expectedValues} to FixedVector and FixedOperands.
2. FTL::JITCode::m_osrExit is changed from SegmentedVector to Vector. We are still using Vector since it also involves osrExitDescriptor.
But later, we should merge m_osrExit to osrExitDescriptor. Vector is still better than SegmentedVector since it wastes several entries
per segment. SegmentedVector was used to use a direct pointer of OSRExit (this is not possible in Vector since this pointer can be invalidated
after growing), but usage of that is fairly limited so that we can just replace them with m_index + osrExit vector.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::tallyFrequentExitSites):
* bytecode/Operands.h:
(JSC::Operands::Operands):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::shrinkToFit):
(JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
(JSC::DFG::JITCode::validateReferences):
(JSC::DFG::JITCode::findPC):
(JSC::DFG::JITCode::finalizeOSREntrypoints):
* dfg/DFGJITCode.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::noticeOSREntry):
(JSC::DFG::JITCompiler::appendExceptionHandlingOSRExit):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::appendOSRExit):
(JSC::DFG::JITCompiler::appendSpeculationRecovery):
* dfg/DFGOSREntry.h:
* dfg/DFGOSRExit.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculationCheck):
(JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
(JSC::DFG::SpeculativeJIT::linkOSREntries):
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::shrinkToFit):
(JSC::FTL::JITCode::validateReferences):
(JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
(JSC::FTL::JITCode::findPC):
* ftl/FTLJITCode.h:
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
(JSC::FTL::OSRExit::OSRExit):
* ftl/FTLOSRExit.h:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::JSC_DEFINE_JIT_OPERATION):
* ftl/FTLOSRExitHandle.cpp:
(JSC::FTL::OSRExitHandle::emitExitThunk):
* ftl/FTLOSRExitHandle.h:
(JSC::FTL::OSRExitHandle::OSRExitHandle):
* ftl/FTLPatchpointExceptionHandle.cpp:
(JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
2021-04-17 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, suppress warnings
https://bugs.webkit.org/show_bug.cgi?id=224616
* runtime/HashMapImpl.h:
* runtime/HashMapImplInlines.h:
(JSC::areKeysEqual):
(JSC::wangsInt64Hash):
2021-04-16 Mark Lam <mark.lam@apple.com>
More changes to support the TerminationException.
https://bugs.webkit.org/show_bug.cgi?id=224681
rdar://76698113
Reviewed by Keith Miller.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
- ProgramExecutable::initializeGlobalProperties() can throw the TerminationException.
Add handling for that.
* runtime/JSObject.cpp:
(JSC::JSObject::defineOwnIndexedProperty):
- JSObject::defineOwnIndexedProperty() has a blob of assertion code that it verifying
that getOwnPropertyDescriptor() should succeed without throwing any exceptions if
the fast path is allowed. However, this is assertion is only true if there isn't
a termination being requested. So, use the DeferTermination scope to allow this
assertion to be tested without the complication of a TerminationException.
2021-04-16 Keith Miller <keith_miller@apple.com>
Before deleting a MarkedBlock we do not need to clear its m_directory pointer.
https://bugs.webkit.org/show_bug.cgi?id=224677
Reviewed by Yusuke Suzuki.
Right now when we are about to free a MarkedBlock we clear the
m_directory pointer in the MarkedBlock's Handle. This has the
downside, however, of potentially paging in the footer from disk /
the compressor, which some data we have seen shows is happening.
This patch prevents this uncessary store to hopefully reduce the
number of pageins/decompressions caused by Safari web content.
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::removeBlock):
(JSC::BlockDirectory::removeBlockForDeletion):
* heap/BlockDirectory.h:
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::~Handle):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::freeBlock):
2021-04-16 Mark Lam <mark.lam@apple.com>
Build fix for Debug -O3 after r276069.
https://bugs.webkit.org/show_bug.cgi?id=224619
Not reviewed.
* runtime/HashMapImplInlines.h:
2021-04-15 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r276112.
https://bugs.webkit.org/show_bug.cgi?id=224646
.h files should not #include *Inlines.h files.
Reverted changeset:
"REGRESSION(r276039) [GTK] Build failures on Ubuntu 18.04"
https://bugs.webkit.org/show_bug.cgi?id=224644
https://trac.webkit.org/changeset/276112
2021-04-15 Lauro Moura <lmoura@igalia.com>
REGRESSION(r276039) [GTK] Build failures on Ubuntu 18.04
https://bugs.webkit.org/show_bug.cgi?id=224644
Unreviewed build fix.
* runtime/JSSet.h: Use HashMapImplInlines to include the base
finishCreation implementation. Somehow GCC 7.5 wasn't picking it up.
2021-04-15 Mark Lam <mark.lam@apple.com>
HashMapImpl::rehash() should use a version of jsMapHash that cannot throw.
https://bugs.webkit.org/show_bug.cgi?id=224610
rdar://76698910
Reviewed by Yusuke Suzuki.
For context, HashMapImpl::rehash()'s rehash operation relies on jsMapHash().
jsMapHash() can be interrupted by a TerminationException, and as a result, may
not return the string hash we are expecting. This in turn can lead to the
rehash operation hashing with wrong keys.
However, all the keys should have already been hashed. Hence, rehash() should
never see an exception thrown there. We can avoid this complication with the
TerminationException by simply calling an alternate version of jsMapHash() that
is guaranteed to never throw e.g. a jsMapHashForAlreadyHashedValue() function.
* runtime/ExceptionHelpers.h:
* runtime/HashMapImplInlines.h:
(JSC::jsMapHashImpl):
(JSC::jsMapHash):
(JSC::jsMapHashForAlreadyHashedValue):
(JSC::HashMapImpl<HashMapBucketType>::rehash):
2021-04-14 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Remove CodeBlock::RareData::m_catchProfiles
https://bugs.webkit.org/show_bug.cgi?id=224593
Reviewed by Mark Lam.
We are having this Vector just because we would like to destroy them when destroying the owner Baseline / LLInt CodeBlock.
But we are setting a pointer in OpCatch's metadata in Baseline / LLInt.
So we should just iterate metadata for that and destroy them in the destructor. No need to keep them separately.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndex):
(JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow):
(JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::createRareDataIfNecessary):
* bytecode/ValueProfile.h:
(JSC::ValueProfileAndVirtualRegisterBuffer::ValueProfileAndVirtualRegisterBuffer): Deleted.
(JSC::ValueProfileAndVirtualRegisterBuffer::~ValueProfileAndVirtualRegisterBuffer): Deleted.
(JSC::ValueProfileAndVirtualRegisterBuffer::forEach): Deleted.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
2021-04-15 Mark Lam <mark.lam@apple.com>
Optimize the DeferTermination scope to be more efficient.
https://bugs.webkit.org/show_bug.cgi?id=224619
Reviewed by Saam Barati.
This can be beneficial since we may be using DeferTermination in more places in
the code.
1. Added a VMTrapsInlines.h to hold the inline functions.
2. Split deferTermination() and undoDeferTermination() into fast and slow functions.
The fast functions are inlineable.
3. Remove the locking of VMTraps::m_lock in these functions. These functions only
modify the following:
a. VMTraps::m_deferTerminationCount
b. VMTraps::m_suspendedTerminationException
c. VMTraps::m_trapBits for setting the NeedTermination bit if needed.
d. VM::m_exception
Except for VMTraps::m_trapBits, all of these are only written to from the mutator
thread. VMTraps::m_trapBits is always written to using Atomics. There isn't
anything that needs to be guarded by VMTraps::m_lock.
4. Fix VMTraps::deferTermination() to only set m_suspendedTerminationException
and clear an existing TerminationException if it's being called from the
outermost DeferTermination (i.e. m_deferTerminationCount is 1 after incrementing).
These conditional operations are not done in VMTraps::deferTerminationSlow().
In practice, it wouldn't have mattered anyway because we would never throw a
TerminationException while a DeferTermination scope is in effect. The
the vm.isTerminationException() in the original deferTermination() would
always have prevented the slow path operations from being executed anyway.
However, for the purpose of this patch, we want to avoid as much unnecessary
work as possible in the fast path. Hence, it is good to skip the slow path
if deferTermination() isn't called from the outermost scope.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* jit/JITOperations.cpp:
* jsc.cpp:
* runtime/JSGlobalObject.cpp:
* runtime/VMTraps.cpp:
(JSC::VMTraps::deferTerminationSlow):
(JSC::VMTraps::undoDeferTerminationSlow):
(JSC::VMTraps::vm const): Deleted.
(JSC::VMTraps::deferTermination): Deleted.
(JSC::VMTraps::undoDeferTermination): Deleted.
* runtime/VMTraps.h:
* runtime/VMTrapsInlines.h: Added.
(JSC::VMTraps::vm const):
(JSC::VMTraps::deferTermination):
(JSC::VMTraps::undoDeferTermination):
2021-04-15 Mark Lam <mark.lam@apple.com>
Refactor inline functions out of HashMapImpl.h into HashMapImplInlines.h.
https://bugs.webkit.org/show_bug.cgi?id=224616
rdar://76713709
Reviewed by Yusuke Suzuki.
Also do the same for clients of HashMapImpl that require similar refactoring.
This fixes the #include of JSCJSValueInlines.h in HashMapImpl.h, as well as makes
it easier to use other inline functions from other classes in the implementation
of HashMapImpl's inline functions in the future.
This patch only moves inline functions out to their respective *Inlines.h.
There are no behavior changes.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreterInlines.h:
* dfg/DFGOperations.cpp:
* runtime/AbstractModuleRecord.cpp:
* runtime/HashMapImpl.cpp:
* runtime/HashMapImpl.h:
(JSC::areKeysEqual): Deleted.
(JSC::normalizeMapKey): Deleted.
(JSC::wangsInt64Hash): Deleted.
(JSC::jsMapHash): Deleted.
(JSC::concurrentJSMapHash): Deleted.
(JSC::shouldShrink): Deleted.
(JSC::shouldRehashAfterAdd): Deleted.
(JSC::nextCapacity): Deleted.
(JSC::HashMapImpl::finishCreation): Deleted.
(JSC::HashMapImpl::findBucket): Deleted.
(JSC::HashMapImpl::get): Deleted.
(JSC::HashMapImpl::has): Deleted.
(JSC::HashMapImpl::add): Deleted.
(JSC::HashMapImpl::addNormalized): Deleted.
(JSC::HashMapImpl::remove): Deleted.
(JSC::HashMapImpl::clear): Deleted.
(JSC::HashMapImpl::setUpHeadAndTail): Deleted.
(JSC::HashMapImpl::addNormalizedNonExistingForCloning): Deleted.
(JSC::HashMapImpl::addNormalizedInternal): Deleted.
(JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized): Deleted.
(JSC::HashMapImpl::rehash): Deleted.
(JSC::HashMapImpl::checkConsistency const): Deleted.
(JSC::HashMapImpl::makeAndSetNewBuffer): Deleted.
(JSC::HashMapImpl::assertBufferIsEmpty const): Deleted.
* runtime/HashMapImplInlines.h: Added.
(JSC::areKeysEqual):
(JSC::normalizeMapKey):
(JSC::wangsInt64Hash):
(JSC::jsMapHash):
(JSC::concurrentJSMapHash):
(JSC::shouldShrink):
(JSC::shouldRehashAfterAdd):
(JSC::nextCapacity):
(JSC::HashMapImpl<HashMapBucketType>::finishCreation):
(JSC::HashMapImpl<HashMapBucketType>::findBucket):
(JSC::HashMapImpl<HashMapBucketType>::get):
(JSC::HashMapImpl<HashMapBucketType>::has):
(JSC::HashMapImpl<HashMapBucketType>::add):
(JSC::HashMapImpl<HashMapBucketType>::addNormalized):
(JSC::HashMapImpl<HashMapBucketType>::remove):
(JSC::HashMapImpl<HashMapBucketType>::clear):
(JSC::HashMapImpl<HashMapBucketType>::setUpHeadAndTail):
(JSC::HashMapImpl<HashMapBucketType>::addNormalizedNonExistingForCloning):
(JSC::HashMapImpl<HashMapBucketType>::addNormalizedInternal):
(JSC::HashMapImpl<HashMapBucketType>::findBucketAlreadyHashedAndNormalized):
(JSC::HashMapImpl<HashMapBucketType>::rehash):
(JSC::HashMapImpl<HashMapBucketType>::checkConsistency const):
(JSC::HashMapImpl<HashMapBucketType>::makeAndSetNewBuffer):
(JSC::HashMapImpl<HashMapBucketType>::assertBufferIsEmpty const):
* runtime/JSMap.h:
* runtime/JSMapInlines.h: Added.
(JSC::JSMap::set):
* runtime/JSSetInlines.h: Added.
* runtime/JSWeakMap.h:
* runtime/JSWeakMapInlines.h: Added.
(JSC::JSWeakMap::set):
* runtime/MapConstructor.cpp:
* runtime/MapPrototype.cpp:
* runtime/SetConstructor.cpp:
* runtime/WeakMapConstructor.cpp:
* runtime/WeakMapImpl.h:
(JSC::jsWeakMapHash): Deleted.
(JSC::nextCapacityAfterBatchRemoval): Deleted.
(JSC::WeakMapImpl::add): Deleted.
(JSC::WeakMapImpl::shouldRehashAfterAdd const): Deleted.
(JSC::WeakMapImpl::rehash): Deleted.
* runtime/WeakMapImplInlines.h:
(JSC::jsWeakMapHash):
(JSC::nextCapacityAfterBatchRemoval):
(JSC::WeakMapImpl<WeakMapBucket>::add):
(JSC::WeakMapImpl<WeakMapBucket>::rehash):
(JSC::WeakMapImpl<WeakMapBucket>::shouldRehashAfterAdd const):
* runtime/WeakMapPrototype.cpp:
2021-04-15 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Change Vector<> to FixedVector<> in DFG::CommonData if possible
https://bugs.webkit.org/show_bug.cgi?id=224588
Reviewed by Mark Lam.
DFG::CommonData is kept alive so long as DFG code exists. It includes a lot of Vectors while they are not mutable after the DFG code compilation.
This patch changes Vector<> to FixedVector<> if possible to shrink sizeof(DFG::CommonData). And this also removes the need of calling shrinkToFit
explicitly for them.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::determineLiveness):
(JSC::CodeBlock::stronglyVisitWeakReferences):
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::numberOfDFGIdentifiers const):
(JSC::CodeBlock::identifier const):
* bytecode/CodeBlock.h:
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::shrinkToFit):
(JSC::DFG::CommonData::invalidate):
(JSC::DFG::CommonData::~CommonData):
(JSC::DFG::CommonData::installVMTrapBreakpoints):
(JSC::DFG::CommonData::isVMTrapBreakpoint):
(JSC::DFG::CommonData::finalizeCatchEntrypoints):
(JSC::DFG::CommonData::notifyCompilingStructureTransition): Deleted.
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
(JSC::DFG::CommonData::appendCatchEntrypoint): Deleted.
* dfg/DFGDesiredIdentifiers.cpp:
(JSC::DFG::DesiredIdentifiers::reallyAdd):
* dfg/DFGDesiredTransitions.cpp:
(JSC::DFG::DesiredTransition::DesiredTransition):
(JSC::DFG::DesiredTransitions::DesiredTransitions):
(JSC::DFG::DesiredTransitions::addLazily):
(JSC::DFG::DesiredTransitions::reallyAdd):
(JSC::DFG::DesiredTransition::reallyAdd): Deleted.
* dfg/DFGDesiredTransitions.h:
* dfg/DFGDesiredWeakReferences.cpp:
(JSC::DFG::DesiredWeakReferences::reallyAdd):
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::noticeCatchEntrypoint):
* dfg/DFGOSREntry.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::Plan):
(JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::linkOSREntries):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
(JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
2021-04-14 Mark Lam <mark.lam@apple.com>
Add missing exception check in operationGetPrivateNameOptimize().
https://bugs.webkit.org/show_bug.cgi?id=224592
rdar://76645873
Reviewed by Yusuke Suzuki.
Though the fieldNameValue.toPropertyKey() call in operationGetPrivateNameOptimize()
would not normally throw an exception, it still can throw a TerminationException
because it contains RETURN_IF_EXCEPTION checks.
* jit/JITOperations.cpp:
2021-04-14 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Do not copy SimpleJumpTable
https://bugs.webkit.org/show_bug.cgi?id=224472
Reviewed by Mark Lam.
This patch avoids copying UnlinkedSimpleJumpTable to SimpleJumpTable by decoupling CTI addresses from jump offset in SimpleJumpTable.
SimpleJumpTable and UnlinkedSimpleJumpTable are almost identical. SimpleJumpTable adds JIT jump target for each branch.
We should use data from UnlinkedSimpleJumpTable and jump via SimpleJumpTable. Do not need to have copy of branches from UnlinkedSimpleJumpTable.
This way removes Vector<SimpleJumpTable> from CodeBlock::RareData. And this is moved to CodeBlock::JITData. And it only includes jump target addresses,
and branch offset information is kept in UnlinkedSimpleJumpTable side. We no longer need to carefully copy these vectors in CodeBlock including DFG / FTL ones.
In LLInt, we instead use UnlinkedSimpleJumpTable for jumping.
In Baseline, we first allocate enough FixedVector<SimpleJumpTable> and fill content via SimpleJumpTable::ensureCTITable() call when compiling corresponding
switch opcode. Finally we fill these data structures with actual code locations in JIT::link function.
In DFG, we first collect UnlinkedSimpleJumpTable without copying. This is OK since it is kept by UnlinkedCodeBlock, and UnlinkedCodeBlock is kept by baseline CodeBlocks that
are handled by this DFG compilation. We hold Vector<const UnlinkedSimpleJumpTable*> in DFG::Graph and we materialize Vector<SimpleJumpTable> in DFG::Graph.
During DFG compilation, we touch this DFG::Graph's jump tables, and JIT compiler generates code via these tables. And when linking, we move the content to CodeBlock.
In FTL, while we use UnlinkedSimpleJumpTable in FTL code generation, FTL do not use SimpleJumpTable and instead FTL uses Switch in B3.
* bytecode/BytecodeDumper.cpp:
(JSC::CodeBlockBytecodeDumper<Block>::dumpSwitchJumpTables):
* bytecode/BytecodeDumper.h:
* bytecode/BytecodeGeneratorification.cpp:
(JSC::BytecodeGeneratorification::run):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::shrinkToFit):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::switchJumpTable):
(JSC::CodeBlock::numberOfUnlinkedSwitchJumpTables const):
(JSC::CodeBlock::unlinkedSwitchJumpTable):
(JSC::CodeBlock::numberOfSwitchJumpTables const): Deleted.
(JSC::CodeBlock::clearSwitchJumpTables): Deleted.
(JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock): Deleted.
* bytecode/JumpTable.cpp:
(JSC::SimpleJumpTable::offsetForValue): Deleted.
* bytecode/JumpTable.h:
(JSC::SimpleJumpTable::ensureCTITable):
(JSC::SimpleJumpTable::ctiForValue const):
(JSC::SimpleJumpTable::isEmpty const):
(): Deleted.
(JSC::SimpleJumpTable::cloneNonJITPart const): Deleted.
(JSC::SimpleJumpTable::ctiForValue): Deleted.
(JSC::SimpleJumpTable::clear): Deleted.
* bytecode/PreciseJumpTargetsInlines.h:
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedSimpleJumpTable::offsetForValue const):
(JSC::UnlinkedSimpleJumpTable::add):
(JSC::UnlinkedCodeBlock::numberOfUnlinkedSwitchJumpTables const):
(JSC::UnlinkedCodeBlock::unlinkedSwitchJumpTable const):
(JSC::UnlinkedCodeBlock::unlinkedStringSwitchJumpTable const):
(JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables const): Deleted.
(JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
(JSC::UnlinkedCodeBlock::unlinkedStringSwitchJumpTable): Deleted.
* bytecode/UnlinkedCodeBlockGenerator.cpp:
(JSC::UnlinkedCodeBlockGenerator::finalize):
* bytecode/UnlinkedCodeBlockGenerator.h:
(JSC::UnlinkedCodeBlockGenerator::numberOfUnlinkedSwitchJumpTables const):
(JSC::UnlinkedCodeBlockGenerator::addUnlinkedSwitchJumpTable):
(JSC::UnlinkedCodeBlockGenerator::unlinkedSwitchJumpTable):
(JSC::UnlinkedCodeBlockGenerator::numberOfSwitchJumpTables const): Deleted.
(JSC::UnlinkedCodeBlockGenerator::addSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlockGenerator::switchJumpTable): Deleted.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::beginSwitch):
(JSC::prepareJumpTableForSwitch):
(JSC::BytecodeGenerator::endSwitch):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitchChar):
(JSC::DFG::SpeculativeJIT::emitSwitchString):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::link):
* jit/JIT.h:
(JSC::SwitchRecord::SwitchRecord):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CachedTypes.cpp:
(JSC::CachedSimpleJumpTable::encode):
(JSC::CachedSimpleJumpTable::decode const):
(JSC::CachedCodeBlockRareData::encode):
(JSC::CachedCodeBlockRareData::decode const):
2021-04-14 Alex Christensen <achristensen@webkit.org>
Keep UniqueRef<MathICGenerationState> instead of MathICGenerationState in HashTables
https://bugs.webkit.org/show_bug.cgi?id=224569
Reviewed by Geoffrey Garen.
sizeof(KeyValuePair<const Instruction*, MathICGenerationState>) is 136 on some platforms.
That's on the big side for sparse HashTable entries. I think using UniqueRef will help performance.
* jit/JIT.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):
* jit/JITMathIC.h:
2021-04-14 Mark Lam <mark.lam@apple.com>
Apply DeferTermination in some utility functions in the jsc shell.
https://bugs.webkit.org/show_bug.cgi?id=224572
rdar://76646089
Reviewed by Yusuke Suzuki.
This is to make sure that these functions don't get in the way of testing with
the watchdog. Since these are only test utility functions, just doing the simple
thing of using a DeferTermination scope is the right thing to do here.
* jsc.cpp:
2021-04-14 Mark Lam <mark.lam@apple.com>
Defer TerminationExceptions when evaluating ASSERT in HashMapIml::addNormalized().
https://bugs.webkit.org/show_bug.cgi?id=224565
rdar://76645980
Reviewed by Yusuke Suzuki.
HashMapImpl::addNormalized() has an ASSERT that calls jsMapHash(), which can
potentially throw exceptions. As a result, it has a RETURN_IF_EXCEPTION which
provides an opportunity to handle traps and throw a TerminationException. This
in turn causes the ASSERT to fail.
To fix this, we do:
1. Introduce VMTraps::DeferAction, which gives us DeferForAWhile and DeferUntilEndOfScope.
2. Templatize the DeferTermination RAII object on VMTraps::DeferAction.
Introduce DeferTerrminationForAWhile, which is DeferTermination<VMTraps::DeferAction::DeferForAWhile>.
DeferForAWhile means that the deferScope will not throw the TerminationException
on exit. Instead, it will re-set the NeedTermination bit in the traps, and let
the next trap check handle it.
3. Introduce DEFER_TERMINATION_AND_ASSERT_WITH_MESSAGE (and friends) which creates
a DeferTerrminationForAWhile scope before doing an ASSERT_WITH_MESSAGE.
4. Use DEFER_TERMINATION_AND_ASSERT_WITH_MESSAGE instead in HashMapImpl::addNormalized().
* runtime/DeferTermination.h:
(JSC::DeferTermination::DeferTermination):
(JSC::DeferTermination::~DeferTermination):
* runtime/ExceptionHelpers.h:
* runtime/HashMapImpl.h:
(JSC::HashMapImpl::addNormalized):
* runtime/VMTraps.cpp:
(JSC::VMTraps::deferTermination):
(JSC::VMTraps::undoDeferTermination):
* runtime/VMTraps.h:
2021-04-13 Mark Lam <mark.lam@apple.com>
The watchdog should not fire when it's not active.
https://bugs.webkit.org/show_bug.cgi?id=224494
rdar://76581259
Reviewed by Saam Barati and Yusuke Suzuki.
The watchdog is only active when we have entered the VM. If we haven't entered
the VM, we postpone starting the watchdog. For example, see Watchdog::enteredVM()
and Watchdog::exitedVM().
The underlying timer may still fire the NeedWatchdogCheck event after
Watchdog::stopTimer() is called. So, we need to just ignore the event if the
watchdog isn't active.
* runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
* runtime/Watchdog.h:
(JSC::Watchdog::isActive const):
2021-04-13 Ross Kirsling <ross.kirsling@sony.com>
Move cloneUBreakIterator declaration to IntlWorkaround.h
https://bugs.webkit.org/show_bug.cgi?id=224511
Reviewed by Yusuke Suzuki.
Follow up to r275856. There's ultimately no reason IntlWorkaround.cpp needs to be headerless;
this was tied to some confusion about how to successfully include ubrk.h in two different ways.
* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/IntlSegmenter.cpp:
* runtime/IntlSegmenter.h:
* runtime/IntlSegments.cpp:
* runtime/IntlWorkaround.cpp:
* runtime/IntlWorkaround.h: Added.
2021-04-13 Mark Lam <mark.lam@apple.com>
Use a JSString for the TerminationException value instead of a Symbol.
https://bugs.webkit.org/show_bug.cgi?id=224490
Reviewed by Yusuke Suzuki.
This makes it convertible to a String for clients that wish to report the exception.
Clients, in this case, does not apply to JS code, only C++ code that catches the
exception at the outermost point to handle the termination. The TerminationException
value is not visible to JS code because the TerminationException cannot be caught.
So, this change is transparent to JS code.
* runtime/VM.cpp:
(JSC::VM::ensureTerminationException):
2021-04-13 Commit Queue <commit-queue@webkit.org>
Unreviewed, reverting r275867.
https://bugs.webkit.org/show_bug.cgi?id=224495
Need alternate fix.
Reverted changeset:
"Reduce functionWithHellaArguments3()'s number of arguments
from 5000 to 500."
https://bugs.webkit.org/show_bug.cgi?id=224474
https://trac.webkit.org/changeset/275867
2021-04-13 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, casting to unsigned long long to suppress warning
https://bugs.webkit.org/show_bug.cgi?id=224473
* b3/B3ConstDoubleValue.cpp:
(JSC::B3::ConstDoubleValue::dumpMeta const):
2021-04-13 Mark Lam <mark.lam@apple.com>
Reduce functionWithHellaArguments3()'s number of arguments from 5000 to 500.
https://bugs.webkit.org/show_bug.cgi?id=224474
rdar://73614896
Reviewed by Yusuke Suzuki.
Using 5000 arguments seems excessive, and may blow out the stack on more resource
constrained devices. 500 should be high enough.
* b3/testb3_5.cpp:
(JSC_DEFINE_JIT_OPERATION):
(testCallFunctionWithHellaArguments3):
2021-04-12 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Remove CodeBlock::m_constantsSourceCodeRepresentation
https://bugs.webkit.org/show_bug.cgi?id=224473
Reviewed by Mark Lam.
CodeBlock::m_constantsSourceCodeRepresentation is identical to UnlinkedCodeBlock::m_constantsSourceCodeRepresentation.
1. For all constants existing at bytecode compile time, elements of the above vectors are identical.
2. For lazily added constants from DFG, it is always SourceCodeRepresentation::Other.
And the array is effectively accessed only when compiling DFG code. So we should remove copy of that in CodeBlock, and
get SourceCodeRepresentation from UnlinkedCodeBlock.
* bytecode/BytecodeDumper.cpp:
(JSC::CodeBlockBytecodeDumper<Block>::dumpConstants):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::shrinkToFit):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::constants):
(JSC::CodeBlock::addConstant):
(JSC::CodeBlock::addConstantLazily):
(JSC::CodeBlock::constantSourceCodeRepresentation const):
(JSC::CodeBlock::constantsSourceCodeRepresentation): Deleted.
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::constantSourceCodeRepresentation const):
* bytecode/UnlinkedCodeBlockGenerator.h:
(JSC::UnlinkedCodeBlockGenerator::constantSourceCodeRepresentation const):
(JSC::UnlinkedCodeBlockGenerator::constantsSourceCodeRepresentation): Deleted.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::registerFrozenValues):
2021-04-12 Mark Lam <mark.lam@apple.com>
Interpreter::executeProgram() should install its VMEntryScope at the top.
https://bugs.webkit.org/show_bug.cgi?id=224450
rdar://76530841
Reviewed by Yusuke Suzuki.
"top" includes before any VM code that can throw exceptions is run.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
2021-04-12 Ross Kirsling <ross.kirsling@sony.com>
ICU 69 deprecates ubrk_safeClone in favor of ubrk_clone
https://bugs.webkit.org/show_bug.cgi?id=224093
Reviewed by Yusuke Suzuki.
In a shining example of "disappointing library practices", ICU 69 deprecates ubrk_safeClone in favor of
a new *draft* API ubrk_clone, meaning that no function with this functionality is exposed by default.
This patch introduces a function cloneUBreakIterator to abstract over this change; however, since we need to:
1. confine the effects of disabling U_HIDE_DRAFT_API to a non-unified implementation file
2. still be able to include ubrk.h from IntlSegmenter.h to instantiate ICUDeleter<ubrk_close> (*not* `clone`!)
...the new helper function is introduced in a *headerless* implementation file, IntlWorkaround.cpp.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* runtime/IntlSegmenter.cpp:
(JSC::IntlSegmenter::segment const):
* runtime/IntlSegmenter.h:
* runtime/IntlSegments.cpp:
(JSC::IntlSegments::createSegmentIterator):
* runtime/IntlWorkaround.cpp: Added.
(JSC::cloneUBreakIterator):
2021-04-12 Don Olmstead <don.olmstead@sony.com>
Inspector code is wrongly including some private headers
https://bugs.webkit.org/show_bug.cgi?id=224456
Reviewed by Alex Christensen.
These files were including some headers using #include <JavaScriptCore/Foo.h> style instead
of "Foo.h" style. This caused a build error when attempting to revive the Mac CMake build
since those headers were private and private headers are generated after the JavaScriptCore
build. No other ports were have ENABLE_INSPECTOR_ALTERNATE_DISPATCHERS turned on so the
issue hadn't manifested until now.
* API/JSContextRefInspectorSupport.h:
* inspector/augmentable/AlternateDispatchableAgent.h:
* inspector/augmentable/AugmentableInspectorController.h:
2021-04-12 BJ Burg <bburg@apple.com>
Modernize uses of ConsoleClient
https://bugs.webkit.org/show_bug.cgi?id=224398
Reviewed by David Kilzer.
ConsoleClient acts like a delegate, so its callers
should be using weak references to it.
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::consoleClient const):
* inspector/JSGlobalObjectInspectorController.h:
* runtime/ConsoleClient.h:
* runtime/ConsoleObject.cpp:
(JSC::consoleLogWithLevel):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::setConsoleClient):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::consoleClient const):
(JSC::JSGlobalObject::setConsoleClient): Deleted.
2021-04-11 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Do not copy StringSwitchJumpTable
https://bugs.webkit.org/show_bug.cgi?id=224414
Reviewed by Keith Miller.
Previously, we were copying UnlinkedStringJumpTable to CodeBlock's StringJumpTable because we embed CodeLocation pointer
inside CodeBlock's StringJumpTable. This is copying a mostly identical hashtable to each CodeBlock even in DFG and FTL. This
even prevents us from inlining op_switch_string in DFG and FTL because (1) we don't want to copy this string tables collected from
each inlined CodeBlock into a new DFG / FTL CodeBlock and (2) we cannot ref/deref StringImpl inside DFG / FTL compilers so copying
these tables in the compiler threads need additional "DesiredStringSwitchJumpTable" etc.
In this patch, we stop copying StringSwitchJumpTable. We decouple CodeLocation pointers from the hashtable so that we can use
UnlinkedStringJumpTable in UnlinkedCodeBlock. UnlinkedStringJumpTable's hashtable inclues m_indexInTable in each entry so that
we can have array of CodeLocation pointers in CodeBlock's JITData to have JIT jump targets separately. This design prevents us
from copying unnecessary hashtables, and even this paves the way to inlining switch_string in DFG and FTL.
* bytecode/BytecodeDumper.cpp:
(JSC::CodeBlockBytecodeDumper<Block>::dumpStringSwitchJumpTables):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::shrinkToFit):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::stringSwitchJumpTable):
(JSC::CodeBlock::numberOfUnlinkedStringSwitchJumpTables const):
(JSC::CodeBlock::unlinkedStringSwitchJumpTable):
(JSC::CodeBlock::numberOfStringSwitchJumpTables const): Deleted.
* bytecode/JumpTable.h:
(JSC::StringJumpTable::ctiForValue const):
(JSC::StringJumpTable::offsetForValue): Deleted.
(JSC::StringJumpTable::ctiForValue): Deleted.
(JSC::StringJumpTable::clear): Deleted.
* bytecode/PreciseJumpTargetsInlines.h:
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedStringJumpTable::offsetForValue const):
(JSC::UnlinkedCodeBlock::numberOfUnlinkedStringSwitchJumpTables const):
(JSC::UnlinkedCodeBlock::unlinkedStringSwitchJumpTable):
(JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
(JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables const): Deleted.
(JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
* bytecode/UnlinkedCodeBlockGenerator.cpp:
(JSC::UnlinkedCodeBlockGenerator::finalize):
* bytecode/UnlinkedCodeBlockGenerator.h:
(JSC::UnlinkedCodeBlockGenerator::numberOfUnlinkedStringSwitchJumpTables const):
(JSC::UnlinkedCodeBlockGenerator::addUnlinkedStringSwitchJumpTable):
(JSC::UnlinkedCodeBlockGenerator::unlinkedStringSwitchJumpTable):
(JSC::UnlinkedCodeBlockGenerator::numberOfStringSwitchJumpTables const): Deleted.
(JSC::UnlinkedCodeBlockGenerator::addStringSwitchJumpTable): Deleted.
(JSC::UnlinkedCodeBlockGenerator::stringSwitchJumpTable): Deleted.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::beginSwitch):
(JSC::prepareJumpTableForStringSwitch):
(JSC::BytecodeGenerator::endSwitch):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
* ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_JIT_OPERATION):
* jit/JIT.cpp:
(JSC::JIT::link):
* jit/JIT.h:
(JSC::SwitchRecord::SwitchRecord):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_switch_string):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_switch_string):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/CachedTypes.cpp:
(JSC::CachedStringJumpTable::encode):
(JSC::CachedStringJumpTable::decode const):
(JSC::CachedCodeBlockRareData::encode):
(JSC::CachedCodeBlockRareData::decode const):
2021-04-10 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] B3 reduce-double-to-float should reduce only when constant double is canonical one to reduced float value
https://bugs.webkit.org/show_bug.cgi?id=224403
<rdar://problem/76259599>
Reviewed by Mark Lam.
When reducing double-constant value to float in B3, we should check whether the double value is a canonical one
which can be converted back from the reduced float value. For example, double 1.1 is not the one since it is truncated
into float 1.1 by removing some bits.
static_cast<double>(static_cast<float>(1.1)) != 1.1
Reducing such a double to float changes the semantics.
* b3/B3ConstDoubleValue.cpp:
(JSC::B3::ConstDoubleValue::dumpMeta const):
* b3/B3ConstFloatValue.cpp:
(JSC::B3::ConstFloatValue::dumpMeta const):
* b3/B3ReduceDoubleToFloat.cpp:
* b3/B3ReduceStrength.cpp:
* b3/testb3.h:
(populateWithInterestingValues):
* b3/testb3_1.cpp:
(run):
* b3/testb3_3.cpp:
(testConvertDoubleToFloatToDouble):
(testConvertDoubleToFloatEqual):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::JSC_DEFINE_JIT_OPERATION_WITH_ATTRIBUTES):
(JSC::FTL::DFG::LowerDFGToB3::crash):
(JSC::FTL::DFG::ftlUnreachable): Deleted.
2021-04-10 Mark Lam <mark.lam@apple.com>
Enable VMTraps checks in RETURN_IF_EXCEPTION.
https://bugs.webkit.org/show_bug.cgi?id=224078
rdar://75037057
Reviewed by Keith Miller.
In pre-existing code, termination of a VM's execution can already be requested
asynchronously (with respect to the mutator thread). For example, sources of such
a request can be a watchdog timer firing, or a request to stop execution issued
from a main web thread to a worker thread.
This request is made by firing the VMTraps::NeedTermination event on VMTraps.
Firing the event here only means setting a flag to indicate the presence of the
request. We still have to wait till the mutator thread reaches one of the
pre-designated polling check points to call VMTraps::handleTraps() in order to
service the request. As a result of this need to wait for a polling check point,
if the mutator is executing in a long running C++ loop, then a termination request
may not be serviced for a long time.
However, we observed that a lot of our C++ loops already have RETURN_IF_EXCEPTION
checks. Hence, if we can check VMTraps::needHandling() there, we can service the
VMTraps events more frequently even in a lot of C++ loops, and get a better response.
Full details of what this patch changes:
1. Shorten some type and methods names in the VMTraps class to make code easier to
read e.g. EventType => Event, needTrapHandling => needHandling.
2. Remove the VMTraps::Mask class. Mask was introduced so that we can express a
concatenation of multiple VMTraps events to form a bit mask in a simple way.
In the end, it isn't flexible enough but makes the code more complicated than
necessary. It is now replaced by the simpler solution of using macros to define
the Events as bit fields. Having Events as bit fields intrinsically make them
easy to concatenate (bitwise or) or filter (bitwise and).
Also removed the unused VMTraps::Error class.
3. Make VMTraps::BitField a uint32_t. There was always unused padding in VMTraps
to allow for this. So, we'll just extend it to a full 32-bit to make it easier
to add more events in the future for other uses.
4. Add NeedExceptionHandling as a VMTrap::Event.
5. Make VMTraps::m_trapBits Atomic. This makes it easier to set and clear the
NeedExceptionHandling bit from the mutator without a lock.
6. RETURN_IF_EXCEPTION now checks VMTraps::m_trapBits (via VMTraps::needHandling())
instead of checking VM::m_exception. If the VMTraps::m_trapBits is non-null,
the macro will call VM:hasExceptionsAfterHandlingTraps() to service VMTraps
events as appropriate before returning whether an exception is being thrown.
The result of VM:hasExceptionsAfterHandlingTraps() will determine if
RETURN_IF_EXCEPTION returns or not.
VM:hasExceptionsAfterHandlingTraps() is intentionally designed to take a minimum
of arguments (just the VM as this pointer). This is because RETURN_IF_EXCEPTION
is called from many places, and we would like to minimize code size bloating
from this change.
7. Simplify paramaters of VMTraps::handleTraps().
NeedDebuggerBreak's callFrame argument was always vm.topCallFrame anyway.
So, the patch makes it explicit, and removes the callFrame parameter.
NeedWatchdogCheck's globalObject argument should have always been
vm.entryScope->globalObject(), and we can remove the globalObject parameter.
Before this, we pass in whichever globalObject was convenient to grab hold of.
However, the idea of the watchdog is to time out the current script executing
on the stack. Hence, it makes sense to identify thay script by the globalObject
in use at VM entry.
So far, the only clients that uses the watchdog mechanism only operates in
scenarios with only one globalObject anyway. So this formalization to use
VMEntryScope's globalObject does not change the expected behavior.
8. Make the execution of termination more robust. Before reading this, please
read the description of the Events in VMTraps.h first, especially the section
on NeedTermination.
Here's the life cycle of a termination:
a. a client requests termination of the current execution stack by calling
VM::notifyNeedTermination(). notifyNeedTermination() does 2 things:
i. fire the NeedTermination event on VMTraps.
ii. set the VM::m_terminationInProgress flag.
b. Firing the NeedTermination event on VMTraps means setting the NeedTermination
bit on VMTraps::m_trapBits. This bit will be polled by the mutator thread
later at various designated points (including RETURN_IF_EXCEPTION, which we
added in this patch).
Once the mutator sees the NeedTermination bit is set, it will clear the bit
and throw the TerminationException (see VMTraps::handleTraps()). This is
unless the mutator thread is currently in a DeferTermination scope (see (8)
below). If in a DeferTermination scope, then it will not throw the
TerminationException.
Since the NeedTermination bit is cleared, the VM will no longer call
VMTraps::handleTraps() to service the event. If the mutator thread is in
a DeferTermination scope, then on exiting the scope (at scope destruction),
the scope will see that VM::m_terminationInProgress is set, and throw the
deferred TerminationException then.
c. The TerminationException will trigger unwinding out of the current stack
until we get to the outermost VMEntryScope.
d. At the the outermost VMEntryScope, we will clear VM::m_terminationInProgress
if the NeedTermination bit in VMtraps::m_trapBits is cleared.
If the NeedTermination bit is set, then that means we haven't thrown the
TerminationException yet. Currently, clients expect that we must throw the
TerminationException if NeedTermination was requested (again, read comments
at the top of VMTraps.h).
If the NeedTermination bit is set, we'll leave VM::m_terminationInProgress
set until the next time we re-enter the VM and exit to the outermost
VMEntryScope.
e. The purpose of VM::m_terminationInProgress is to provide a summary of the
fact that the VM is in a state of trying to terminate the current stack.
Note that this state is first indicated by the NeedTermination bit being set
in VMTraps::m_trapBits. Then, in VMTraps::handleTraps(), the state is
handed of with the NeedTermination bit being cleared, and the
TerminationException being thrown.
While the VM is in this termination state, we need to prevent new DFG/FTL
JIT code from being compiled and run. The reason is the firing of the
NeedTermination event has invalidated DFG/FTL code on the stack, thereby
allowing their baseline / LLInt versions which have VMTraps polling checks
to run. We don't want to compile new DFG / FTL code and possibly get stuck
in loops in there before the termination is complete.
In operationOptimize(), we check if VM::m_terminationInProgress is set, and
prevent new DFG (and therefore FTL) code from being compiled if needed.
Note: it is easier to check a single flag, VM::m_terminationInProgress,
then to check both if the NeedTermination bit is set or if the
TerminationException is being being thrown.
9. One complication of being able to service VMTraps in RETURN_IF_EXCEPTION checks
is that some of our code (usually for lengthier initializations and bootstrapping)
currently does not handle exceptions well, e.g. JSGlobalObject::init(). They
rely on the code crashing if an exception is thrown while still initializing.
However, for a worker thread, a TerminationException (requested by the main
thread) may arrive before the initialization is complete. This can lead to
crashes because part of the initialization may be aborted in the presence of
an exception, while other parts still expect everything prior to have been
initialized correctly. For resource exhaustion cases (which is abnormal), it
is OK to crash. For the TerminationException (which can be part of normal
operation), we should not be crashing.
To work around this, we introduce a DeferTermination RAII scope object that we
deploy in this type of initialization code. With the scope in effect,
a. if a TerminationException arrives but hasn't been thrown yet, it will be
deferred till the scope ends before being thrown.
b. if a TerminationException has already been thrown, the scope will stash
the exception, clear it from the VM so that the initialization code can
run to completion, and then re-throw the exception when the scope ends.
Currently, we only need to use the DeferTermination scope in a few places
where we know that initialization code will only run for a short period of time.
DeferTermination should not be used for code that can block waiting on an
external event for a long time. Obviously, doing so will prevent the VM
termination mechanism from working.
10. Replaced llint_slow_path_check_if_exception_is_uncatchable_and_notify_profiler
and operationCheckIfExceptionIsUncatchableAndNotifyProfiler with
llint_slow_path_retrieve_and_clear_exception_if_catchable and
operationRetrieveAndClearExceptionIfCatchable.
The 2 runtime functions doesn't actually do anything to notify a profiler.
So, we drop that part of the name.
After returning from these runtime functions respectively, the previous LLInt
and JIT code, which calls these runtimes functions, would go on to load
VM::m_exception, and then store a nullptr there to clear it. This is wasteful.
This patch changes the runtime function to clear and return the Exception
instead. As a result, the calling LLInt and JIT code is simplified a bit.
Note also that clearing an exception now also entails clearing the
NeedExceptionHandling bit in VMTraps::m_trapBits in an atomic way. The above
change makes it easy to do this clearing with C++ code.
11. Fix ScriptFunctionCall::call() to handle exceptions correctly. Previously,
it had one case where it propagates an exception, while another eats it.
Change this function to eat the exception in both cases. This is approproiate
because ScriptFunctionCall is only used to execute some Inspector instrumentation
calls. It doesn't make sense to propagate the exception back to user code.
12. Fix the lazy initialization of JSGlobalObject::m_defaultCollator to be able to
handle the TerminationException.
13. Not related to TerminationException, but this patch also fixes
MarkedArgumentBuffer::expandCapacity() to use Gigacage::tryMalloc() instead of
Gigacage::malloc(). This is needed as one of the fixes to make the
accompanying test case work.
This patch increases code size by 320K (144K for JSC, 176K for WebCore) measured
on x86_64.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::branchTest32):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::branchTest32):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branchTest32):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::branchTest32):
* bindings/ScriptFunctionCall.cpp:
(Deprecated::ScriptFunctionCall::call):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckTraps):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeModuleProgram):
* interpreter/InterpreterInlines.h:
(JSC::Interpreter::execute):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_check_traps):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_catch):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ArgList.cpp:
(JSC::MarkedArgumentBuffer::expandCapacity):
* runtime/DeferTermination.h: Added.
(JSC::DeferTermination::DeferTermination):
(JSC::DeferTermination::~DeferTermination):
* runtime/ExceptionScope.h:
(JSC::ExceptionScope::exception const):
(JSC::ExceptionScope::exception): Deleted.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::finishCreation):
* runtime/LazyPropertyInlines.h:
(JSC::ElementType>::callFunc):
* runtime/StringPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/VM.cpp:
(JSC::VM::hasExceptionsAfterHandlingTraps):
(JSC::VM::clearException):
(JSC::VM::setException):
(JSC::VM::throwTerminationException):
(JSC::VM::throwException):
* runtime/VM.h:
(JSC::VM::terminationInProgress const):
(JSC::VM::setTerminationInProgress):
(JSC::VM::notifyNeedTermination):
(JSC::VM::DeferExceptionScope::DeferExceptionScope):
(JSC::VM::DeferExceptionScope::~DeferExceptionScope):
(JSC::VM::handleTraps): Deleted.
(JSC::VM::needTrapHandling): Deleted.
(JSC::VM::needTrapHandlingAddress): Deleted.
(JSC::VM::setException): Deleted.
(JSC::VM::clearException): Deleted.
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::~VMEntryScope):
* runtime/VMTraps.cpp:
(JSC::VMTraps::tryInstallTrapBreakpoints):
(JSC::VMTraps::fireTrap):
(JSC::VMTraps::handleTraps):
(JSC::VMTraps::takeTopPriorityTrap):
(JSC::VMTraps::deferTermination):
(JSC::VMTraps::undoDeferTermination):
* runtime/VMTraps.h:
(JSC::VMTraps::onlyContainsAsyncEvents):
(JSC::VMTraps::needHandling const):
(JSC::VMTraps::trapBitsAddress):
(JSC::VMTraps::isDeferringTermination const):
(JSC::VMTraps::notifyGrabAllLocks):
(JSC::VMTraps::hasTrapBit):
(JSC::VMTraps::clearTrapBit):
(JSC::VMTraps::setTrapBit):
(JSC::VMTraps::Mask::Mask): Deleted.
(JSC::VMTraps::Mask::allEventTypes): Deleted.
(JSC::VMTraps::Mask::bits const): Deleted.
(JSC::VMTraps::Mask::init): Deleted.
(JSC::VMTraps::interruptingTraps): Deleted.
(JSC::VMTraps::needTrapHandling): Deleted.
(JSC::VMTraps::needTrapHandlingAddress): Deleted.
(JSC::VMTraps::hasTrapForEvent): Deleted.
(JSC::VMTraps::setTrapForEvent): Deleted.
(JSC::VMTraps::clearTrapForEvent): Deleted.
2021-04-09 Alexey Shvayka <shvaikalesh@gmail.com>
Remove className() and toStringName() from the method table
https://bugs.webkit.org/show_bug.cgi?id=224247
Reviewed by Darin Adler.
ES6 introduced Symbol.toStringTag to customize Object.prototype.toString return value.
It was adopted by WebIDL spec, Chrome's DevTools, Node.js etc. There is no reason to
keep 2 method table methods, each with only 1 call site, instead of using the symbol.
Also, it's a bit confusing that for some objects, method table's className() returns
different result than JSCell::className(VM&).
This change:
1. Removes JSProxy's className() / toStringName() methods because its target() is a
global object that never has these overrides and uses Symbol.toStringTag instead.
2. Removes DebuggerScope's className() / toStringName() overrides because its objectAtScope()
has these methods extremely rarely (e.g. `with (new Date) {}`), and its not displayed
by Web Inspector.
3. Merges JSCallbackObject's className() / toStringName() methods into Symbol.toStringTag
branch of getOwnPropertySlot(), with permissive property attributes. To avoid any possible
breakage, we make sure that it will be shadowed by a structure property.
4. Reworks JSObject::calculatedClassName() to rely on Symbol.toStringTag, matching Chrome's
DevTools behavior. On its own, it's a nice change for Web Inspector. We make sure to
lookup Symbol.toStringTag if `constructor.name` inference fails to avoid confusion when
extending builtins.
5. Removes now unused className() from the method table.
6. Removes toStringName() override from JSFinalizationRegistry because its builtin tag [1]
is already "Object".
7. Introduces BooleanObjectType for Boolean wrapper object, and Boolean.prototype as it's
also required to have a [[BooleanData]] internal slot [2].
8. Reworks Object.prototype.toString to determine builtin tag [1] based on JSType rather than
performing method table call. It's guaranteed that a) the set of types we are checking
against won't be expanded, and b) objects with these types have correct `className`.
9. Removes now unused toStringTag() from the method table.
This patch is performance-neutral and carefully preserves current behavior for API objects,
including isPokerBros() hack.
[1]: https://tc39.es/ecma262/#sec-object.prototype.tostring (steps 5-14)
[2]: https://tc39.es/ecma262/#sec-properties-of-the-boolean-prototype-object
* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
(JSC::JSCallbackObject<Parent>::className): Deleted.
(JSC::JSCallbackObject<Parent>::toStringName): Deleted.
* API/tests/testapiScripts/testapi.js:
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::className): Deleted.
(JSC::DebuggerScope::toStringName): Deleted.
* debugger/DebuggerScope.h:
* runtime/BooleanObject.cpp:
(JSC::BooleanObject::toStringName): Deleted.
* runtime/BooleanObject.h:
(JSC::BooleanObject::createStructure):
* runtime/BooleanPrototype.h:
* runtime/ClassInfo.h:
* runtime/DateInstance.cpp:
(JSC::DateInstance::toStringName): Deleted.
* runtime/DateInstance.h:
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::toStringName): Deleted.
* runtime/ErrorInstance.h:
* runtime/JSCell.cpp:
(JSC::JSCell::className): Deleted.
(JSC::JSCell::toStringName): Deleted.
* runtime/JSCell.h:
* runtime/JSFinalizationRegistry.cpp:
(JSC::JSFinalizationRegistry::toStringName): Deleted.
* runtime/JSFinalizationRegistry.h:
* runtime/JSObject.cpp:
(JSC::JSObject::calculatedClassName):
(JSC::JSObject::className): Deleted.
(JSC::isPokerBros): Deleted.
(JSC::JSObject::toStringName): Deleted.
* runtime/JSObject.h:
* runtime/JSProxy.cpp:
(JSC::JSProxy::className): Deleted.
(JSC::JSProxy::toStringName): Deleted.
* runtime/JSProxy.h:
* runtime/JSType.cpp:
(WTF::printInternal):
* runtime/JSType.h:
* runtime/NumberObject.cpp:
(JSC::NumberObject::toStringName): Deleted.
* runtime/NumberObject.h:
(JSC::NumberObject::createStructure):
* runtime/ObjectPrototype.cpp:
(JSC::isPokerBros):
(JSC::inferBuiltinTag):
(JSC::objectPrototypeToString):
1. Removes jsNontrivialString() because it's assertion may fail in case of iOS hack.
2. Utilizes AtomStringImpl to avoid allocating StringImpl for a small fixed set of strings.
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::toStringName): Deleted.
* runtime/RegExpObject.h:
* runtime/StringObject.cpp:
(JSC::StringObject::toStringName): Deleted.
* runtime/StringObject.h:
2021-04-08 Khem Raj <raj.khem@gmail.com>
[WPE] Build fixes for musl C library on Linux
https://bugs.webkit.org/show_bug.cgi?id=210068
Reviewed by Carlos Alberto Lopez Perez.
Use OS(LINUX) to include musl in platform test
for linux and consolidate all linux platfrom
under same test. Use smaller limits for JSC
stack size per thread and reserved zone size.
* runtime/MachineContext.h:
(JSC::MachineContext::stackPointerImpl):
(JSC::MachineContext::framePointerImpl):
(JSC::MachineContext::instructionPointerImpl):
(JSC::MachineContext::argumentPointer<1>):
(JSC::MachineContext::llintInstructionPointer):
* runtime/OptionsList.h:
2021-04-07 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] DUCET level-1 weighs are equal if characters are alphabets
https://bugs.webkit.org/show_bug.cgi?id=224047
Reviewed by Saam Barati and Mark Lam.
ASCII comparison optimization was based on that DUCET level-1 weights are all different (except for 0000 case), but this was wrong.
If we have the same latin letters with different capitalization, then they have the same level-1 weight ('A' v.s. 'a').
In this patch,
1. If we found that the result of level-1 weight comparison is equal, and characters are not equal, then we do level-3 weight comparison.
We do not perform level-2 since they are all the same weight in ASCII (excluding control characters) region.
2. We do not perform level-4 weight comparison since level-1 and level-3 comparison must distinguish the strings. Level-1 weights are equal
only when characters are the same latin letters. And level-3 weight puts different weights for capital latin letters. Since we already know
that these strings are different while they are equal in level-1 weight comparison, the only case is that they have same latin letters in
the same position. In that case, level-3 weight must say different results for these characters so that we never meet "equal" status in
level-3 weight comparison if characters are different.
* runtime/IntlObject.cpp:
* runtime/IntlObject.h:
* runtime/IntlObjectInlines.h:
(JSC::canUseASCIIUCADUCETComparison):
(JSC::compareASCIIWithUCADUCETLevel3):
(JSC::compareASCIIWithUCADUCET):
2021-04-02 Darin Adler <darin@apple.com>
Use Hasher more, remove IntegerHasher, fix hashing-related mistakes
https://bugs.webkit.org/show_bug.cgi?id=224138
Reviewed by Chris Dumez.
* bytecode/BytecodeIndex.h:
(JSC::BytecodeIndex::hash const): Remove unneeded WTF prefix on call
to intHash.
* ftl/FTLAbstractHeap.h: Use HashTraits instead of WTF::GenericHashTraits.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::validateAIState): Remove unneeded WTF
prefix on call to intHash.
* wasm/WasmLLIntGenerator.cpp: Use HashTraits instead of WTF::GenericHashTraits.
2021-04-07 Mark Lam <mark.lam@apple.com>
Rename and make the TerminationException a singleton.
https://bugs.webkit.org/show_bug.cgi?id=224295
Reviewed by Keith Miller.
We previously call it the TerminatedExecutionException, which is a mouthful but
adds no meaningful information. It's now renamed to TerminationException.
We can make it a singleton because the TerminationException is just a VM internal
mechanism for implementing the termination of the current execution stack. It
should never be exposed to user JS code, and therefore, there is no value in
making it a JS object. Making it a singleton simplifies the code.
A TerminationException is now implemented as an Exception cell which holds a
Symbol with the name "TerminationError". The TerminationException is only created
if needed e.g. if the JSC watchdog is created, or if the VM is for a Worker thread
which needs to be able to handle termination requests.
We'll also stop notifying the debugger when we throw the TerminationException.
This is because the TerminationException is not like ordinary exceptions that
should be reported to the debugger. The fact that the TerminationException uses
the exception handling mechanism is just a VM internal implementation detail.
It is not meaningful to report it to the debugger as an exception.
* API/JSContext.mm:
(-[JSContext evaluateJSScript:]):
* API/tests/ExecutionTimeLimitTest.cpp:
(testExecutionTimeLimit):
* bindings/ScriptFunctionCall.cpp:
(Deprecated::ScriptFunctionCall::call):
* heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* inspector/InjectedScriptManager.cpp:
(Inspector::InjectedScriptManager::injectedScriptFor):
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::unwind):
(JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jsc.cpp:
(checkException):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ExceptionHelpers.cpp:
(JSC::TerminatedExecutionError::defaultValue): Deleted.
(JSC::createTerminatedExecutionException): Deleted.
(JSC::isTerminatedExecutionException): Deleted.
(JSC::throwTerminatedExecutionException): Deleted.
* runtime/ExceptionHelpers.h:
(): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::get const):
* runtime/JSPromise.cpp:
(JSC::JSPromise::rejectWithCaughtException):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::ensureWatchdog):
(JSC::VM::ensureTerminationException):
(JSC::VM::throwTerminationException):
(JSC::VM::throwException):
* runtime/VM.h:
(JSC::VM::terminationException const):
(JSC::VM::isTerminationException const):
* runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
2021-04-07 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use FixedVector more in bytecode dir and JumpTable
https://bugs.webkit.org/show_bug.cgi?id=224275
Reviewed by Michael Saboff and Mark Lam.
1. Use FixedVector more in bytecode/ directory's long-living data structures.
2. Use FixedVector in SimpleJumpTable. This involves LLInt changes because we need to access FixedVector data from LLInt.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/InlineCallFrame.cpp:
(JSC::InlineCallFrame::dumpInContext const):
* bytecode/InlineCallFrame.h:
* bytecode/JumpTable.h:
(JSC::SimpleJumpTable::clear):
* bytecode/ObjectPropertyConditionSet.cpp:
(JSC::ObjectPropertyConditionSet::mergedWith const):
(JSC::ObjectPropertyConditionSet::dumpInContext const):
(JSC::ObjectPropertyConditionSet::isValidAndWatchable const):
* bytecode/ObjectPropertyConditionSet.h:
(JSC::ObjectPropertyConditionSet::create):
(JSC::ObjectPropertyConditionSet::isValid const):
(JSC::ObjectPropertyConditionSet::size const):
(JSC::ObjectPropertyConditionSet::begin const):
(JSC::ObjectPropertyConditionSet::end const):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
(JSC::DFG::ByteCodeParser::flushImpl):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::validateReferences):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::isLiveInBytecode):
* dfg/DFGGraph.h:
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::argumentsStart):
* jit/SetupVarargsFrame.cpp:
(JSC::emitSetupVarargsFrameFastCase):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createWithInlineFrame):
2021-04-07 Mark Lam <mark.lam@apple.com>
Fix a typo in JITUncoughtExceptionAfterCall.
https://bugs.webkit.org/show_bug.cgi?id=224290
Reviewed by Keith Miller.
* assembler/AbortReason.h:
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::jitReleaseAssertNoException):
2021-04-06 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] WasmMemory caging should care about nullptr
https://bugs.webkit.org/show_bug.cgi?id=224268
<rdar://problem/74654838>
Reviewed by Mark Lam.
1. Fix Wasm::MemoryHandle::boundsCheckingSize. We should just return m_mappedCapacity here since UINT32_MAX is not 4GB.
This checking size can include redzone for fast-memory, but this is OK: bounds-check pass in LLInt (in upper tiers, we
do not use bounds-check for fast-memory), and access to redzone, then fault occurs and signal handler can make it error
since signal handler is checking whether the access is within Memory::fastMappedBytes which includes redzone.
2. Fix caging of wasm memory-base pointer in LLInt. We should use pointer sized length since it can be larger than 4GB.
And we should handle nullptr case correctly: Wasm::MemoryHandle's memory can be nullptr when mapped size is zero.
caging needs to handle this case as we do in CagedPtr::getMayBeNull.
* assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::untagArrayPtrLength32):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
* llint/LowLevelInterpreter64.asm:
* llint/WebAssembly.asm:
* offlineasm/arm64e.rb:
* offlineasm/ast.rb:
* offlineasm/instructions.rb:
* runtime/CagedBarrierPtr.h:
(JSC::CagedBarrierPtr::CagedBarrierPtr):
(JSC::CagedBarrierPtr::set):
(JSC::CagedBarrierPtr::get const):
(JSC::CagedBarrierPtr::getMayBeNull const):
(JSC::CagedBarrierPtr::at const):
(JSC::CagedBarrierPtr::setWithoutBarrier):
* wasm/WasmInstance.h:
(JSC::Wasm::Instance::updateCachedMemory):
* wasm/WasmMemory.cpp:
(JSC::Wasm::MemoryHandle::MemoryHandle):
* wasm/WasmMemory.h:
2021-04-06 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use FixedVector more in JSC
https://bugs.webkit.org/show_bug.cgi?id=224255
Reviewed by Mark Lam.
Use FixedVector more aggressively. This reduces sizeof(Holder) since sizeof(FixedVector) is 8
while sizeof(Vector) is 16. And since this allocates just-fit size, this does not waste memory.
* bytecode/BytecodeLivenessAnalysis.cpp:
(JSC::BytecodeLivenessAnalysis::computeFullLiveness):
* bytecode/BytecodeLivenessAnalysis.h:
* bytecode/FullBytecodeLiveness.h:
(JSC::FullBytecodeLiveness::FullBytecodeLiveness):
* bytecode/UnlinkedEvalCodeBlock.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::livenessFor):
* ftl/FTLForOSREntryJITCode.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
* ftl/FTLOSRExit.h:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileRecovery):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::sweepPreciseAllocations):
* jit/RegisterAtOffsetList.cpp:
(JSC::RegisterAtOffsetList::RegisterAtOffsetList):
* jit/RegisterAtOffsetList.h:
(JSC::RegisterAtOffsetList::begin const):
(JSC::RegisterAtOffsetList::end const):
(JSC::RegisterAtOffsetList::clear): Deleted.
* runtime/JSGlobalObject.h:
* runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::finishCreation):
* runtime/JSModuleNamespaceObject.h:
* yarr/YarrPattern.h:
(JSC::Yarr::YarrPattern::resetForReparsing):
2021-04-06 Alexey Shvayka <shvaikalesh@gmail.com>
Symbol and BigInt wrapper objects should perform OrdinaryToPrimitive
https://bugs.webkit.org/show_bug.cgi?id=224208
Reviewed by Yusuke Suzuki.
ES6 introduced Symbol.toPrimitive as the only way to override ToPrimitive;
if it's nullish, OrdinaryToPrimitive [1] is performed unconditionally.
This patch removes two redundant defaultValue() overrides, fixing JSC to call
(possibly userland) toString() / valueOf() methods of a) Symbol objects whose
Symbol.toPrimitive was removed, and b) BigInt wrapper objects.
Aligns JSC with V8 and SpiderMonkey. Coercion of primitives is unaffected.
Also, removes dummy BigIntObject::internalValue() override.
[1]: https://tc39.es/ecma262/#sec-toprimitive (step 2.d)
* runtime/BigIntObject.cpp:
(JSC::BigIntObject::defaultValue): Deleted.
* runtime/BigIntObject.h:
* runtime/SymbolObject.cpp:
(JSC::SymbolObject::defaultValue): Deleted.
* runtime/SymbolObject.h:
2021-04-06 Alexey Shvayka <shvaikalesh@gmail.com>
Array's toString() is incorrect if join() is non-callable
https://bugs.webkit.org/show_bug.cgi?id=224215
Reviewed by Yusuke Suzuki.
This patch exposes objectPrototypeToString() to be used by Array.prototype.toString
if "join" lookup doesn't return a callable value [1].
Fixes Array's toString() to return the correct tag instead of internal `className`,
perform Symbol.toStringTag lookup, and throw for revoked Proxy objects.
Aligns JSC with V8 and SpiderMonkey.
Also, a few objectPrototypeToString() tweaks: a bit nicer `undefined` / `null`
checks and simpler toObject() exception handling.
[1]: https://tc39.es/ecma262/#sec-array.prototype.tostring (step 3)
* runtime/ArrayPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/ObjectPrototype.cpp:
(JSC::objectPrototypeToString):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/ObjectPrototype.h:
2021-04-06 Yusuke Suzuki <ysuzuki@apple.com>
[WTF] Introduce FixedVector and use it for FixedOperands
https://bugs.webkit.org/show_bug.cgi?id=224171
Reviewed by Mark Lam.
Define FixedOperands<T> which uses FixedVector for its storage. We use FixedOperands in FTL::OSRExitDescriptor.
We also replace RefCountedArray<T> with FixedVector<T> if they are not requiring RefCountedArray<T>'s ref-counting
semantics.
* bytecode/BytecodeGeneratorification.cpp:
(JSC::BytecodeGeneratorification::run):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::setNumParameters):
(JSC::CodeBlock::setRareCaseProfiles):
(JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
* bytecode/CodeBlock.h:
* bytecode/Operands.h:
(JSC::Operands::Operands):
* bytecode/OperandsInlines.h:
(JSC::U>::dumpInContext const):
(JSC::U>::dump const):
(JSC::Operands<T>::dumpInContext const): Deleted.
(JSC::Operands<T>::dump const): Deleted.
* bytecode/PolyProtoAccessChain.h:
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* bytecode/PolymorphicAccess.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo):
(JSC::UnlinkedCodeBlock::expressionRangeForBytecodeIndex const):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::expressionInfo):
(JSC::UnlinkedCodeBlock::identifiers const):
(JSC::UnlinkedCodeBlock::constantRegisters):
(JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation):
(JSC::UnlinkedCodeBlock::constantIdentifierSets):
(JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets const):
* bytecode/UnlinkedFunctionExecutable.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::prepareJumpTableForSwitch):
* dfg/DFGJITCode.h:
* dfg/DFGPlan.h:
(JSC::DFG::Plan::tierUpInLoopHierarchy):
* ftl/FTLOSRExit.h:
* jit/GCAwareJITStubRoutine.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileSlowCases):
* jit/PolymorphicCallStubRoutine.h:
* llint/LLIntOffsetsExtractor.cpp:
* llint/LowLevelInterpreter.asm:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseClassFieldInitializerSourceElements):
* parser/Parser.h:
(JSC::Parser<LexerType>::parse):
(JSC::parse):
* runtime/CachedTypes.cpp:
(JSC::CachedVector::encode):
(JSC::CachedVector::decode const):
* wasm/js/JSWebAssemblyInstance.h:
2021-04-05 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Shrink some of Vectors in JSC
https://bugs.webkit.org/show_bug.cgi?id=224162
Reviewed by Simon Fraser.
1. Add XXXStatus::shrinkToFit to shrink underlying dynamic Vectors.
2. Replace tierUpInLoopHierarchy's Vector with RefCountedArray since it is constructed-once-lookup-only data.
3. Use MemoryCompactLookupOnlyRobinHoodHashSet for StringTables since this is constructed-once-lookup-only data. We also add
MemoryCompactLookupOnlyRobinHoodHashSet support for CachedTypes.
4. Use resizeToFit for StringSwitchJumpTables and SwitchJumpTables.
5. JITStubRoutineSet's Vector should be shrunk.
6. BlockDirectoryBits's Vector's initial size should be small.
7. Make PolyProtoAccessChain RefCounted, and use RefCountedArray for its Vector<StructureID>. And remove PolyProtoAccessChain::clone.
Just having Ref is enough since this is immutable data.
8. Use RefCountedArray for UnlinkedFunctionExecutable's m_classFieldLocations.
9. Use RefCountedArray for JSWebAssemblyInstance.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::AccessCase):
(JSC::AccessCase::create):
(JSC::AccessCase::createTransition):
* bytecode/AccessCase.h:
(JSC::AccessCase::AccessCase): Deleted.
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::setFrameShuffleData):
* bytecode/CheckPrivateBrandStatus.cpp:
(JSC::CheckPrivateBrandStatus::shrinkToFit):
(JSC::CheckPrivateBrandStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::CheckPrivateBrandStatus::merge):
* bytecode/CheckPrivateBrandStatus.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/DeleteByStatus.cpp:
(JSC::DeleteByStatus::shrinkToFit):
(JSC::DeleteByStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::DeleteByStatus::merge):
* bytecode/DeleteByStatus.h:
* bytecode/GetByStatus.cpp:
(JSC::GetByStatus::shrinkToFit):
(JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::GetByStatus::computeFor):
(JSC::GetByStatus::merge):
* bytecode/GetByStatus.h:
* bytecode/GetterSetterAccessCase.cpp:
(JSC::GetterSetterAccessCase::GetterSetterAccessCase):
(JSC::GetterSetterAccessCase::create):
* bytecode/GetterSetterAccessCase.h:
* bytecode/InByIdStatus.cpp:
(JSC::InByIdStatus::shrinkToFit):
(JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::InByIdStatus::merge):
* bytecode/InByIdStatus.h:
* bytecode/InstanceOfStatus.cpp:
(JSC::InstanceOfStatus::shrinkToFit):
(JSC::InstanceOfStatus::computeForStubInfo):
* bytecode/InstanceOfStatus.h:
* bytecode/IntrinsicGetterAccessCase.cpp:
(JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
(JSC::IntrinsicGetterAccessCase::create):
* bytecode/IntrinsicGetterAccessCase.h:
* bytecode/JumpTable.h:
* bytecode/PolyProtoAccessChain.cpp:
(JSC::PolyProtoAccessChain::tryCreate):
(JSC::PolyProtoAccessChain::create): Deleted.
* bytecode/PolyProtoAccessChain.h:
(JSC::PolyProtoAccessChain::clone): Deleted.
(JSC::PolyProtoAccessChain::chain const): Deleted.
(JSC::PolyProtoAccessChain::operator!= const): Deleted.
(JSC::PolyProtoAccessChain::forEach const): Deleted.
(JSC::PolyProtoAccessChain::slotBaseStructure const): Deleted.
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::visitWeak const):
(JSC::PolymorphicAccess::regenerate):
* bytecode/PolymorphicAccess.h:
* bytecode/ProxyableAccessCase.cpp:
(JSC::ProxyableAccessCase::ProxyableAccessCase):
(JSC::ProxyableAccessCase::create):
* bytecode/ProxyableAccessCase.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::shrinkToFit):
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::merge):
* bytecode/PutByIdStatus.h:
* bytecode/SetPrivateBrandStatus.cpp:
(JSC::SetPrivateBrandStatus::shrinkToFit):
(JSC::SetPrivateBrandStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::SetPrivateBrandStatus::merge):
* bytecode/SetPrivateBrandStatus.h:
* bytecode/UnlinkedCodeBlock.h:
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::generateUnlinkedFunctionCodeBlock):
* bytecode/UnlinkedFunctionExecutable.h:
* dfg/DFGJITCode.h:
* dfg/DFGPlan.h:
(JSC::DFG::Plan::tierUpInLoopHierarchy):
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):
* heap/BlockDirectoryBits.h:
* heap/JITStubRoutineSet.cpp:
(JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
* jit/CallFrameShuffleData.h:
(JSC::CallFrameShuffleData::shrinkToFit):
* jit/GCAwareJITStubRoutine.h:
* jit/PolymorphicCallStubRoutine.h:
* jit/Repatch.cpp:
(JSC::tryCacheGetBy):
(JSC::tryCachePutByID):
(JSC::tryCacheInByID):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseClassFieldInitializerSourceElements):
* parser/Parser.h:
(JSC::Parser<LexerType>::parse):
(JSC::parse):
* runtime/CachedTypes.cpp:
(JSC::CachedFunctionExecutableRareData::encode):
(JSC::CachedFunctionExecutableRareData::decode const):
* runtime/VM.cpp:
(JSC::VM::popAllCheckpointOSRSideStateUntil):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::visitChildrenImpl):
* wasm/js/JSWebAssemblyInstance.h:
2021-04-05 Alex Christensen <achristensen@webkit.org>
Resurrect Mac CMake build
https://bugs.webkit.org/show_bug.cgi?id=224084
Reviewed by Tim Horton.
* PlatformMac.cmake:
2021-04-05 Keith Miller <keith_miller@apple.com>
DFG arity fixup nodes should exit to the caller's call opcode
https://bugs.webkit.org/show_bug.cgi?id=223278
Reviewed by Saam Barati.
Right now when we do arity fixup in the DFG we model it in the
same way that it executes, which means all the nodes are part of
the callee. Unfortunately, this causes PhantomInsertionPhase to
think those nodes could be replacing previously defined
VirtualRegisters as they are part of the callee's header (always
alive). When PhantomInsertionPhase then inserts a Phantom it will
put that node in the caller's frame as that's the first ExitOK
node. The caller however may have no knowledge of that
VirtualRegister though. For example:
--> foo: loc10 is a local in foo.
...
1: MovHint(loc10)
2: SetLocal(loc10)
<-- foo // loc10 ten is now out of scope for the InlineCallFrame of the caller.
...
// Phantom will be inserted here refering to loc10, which doesn't make sense.
--> bar // loc10 is an argument to bar and needs arity fixup.
... // All of these nodes are ExitInvalid
3: MovHint(loc10, ExitInvalid)
4: SetLocal(loc10, ExitInvalid)
...
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::currentNodeOrigin):
(JSC::DFG::ByteCodeParser::inlineCall):
2021-04-02 Alexey Shvayka <shvaikalesh@gmail.com>
Reduce bytecode instruction count emitted for `class extends`
https://bugs.webkit.org/show_bug.cgi?id=223884
Reviewed by Yusuke Suzuki.
This patch adds a variant of globalFuncSetPrototypeDirect() that throws on
invalid [[Prototype]] values (instead of ignoring them) and utilizes it in
ClassExprNode::emitBytecode(), removing equivalent checks.
Throwing for invalid `superclass.prototype` value after setting the [[Prototype]]
of `constructor` is unobservable because it's a newly created extensible object
and `superclass` is a proven object.
The fact that [[Prototype]] set can throw only in case of `superclass.prototype`
allows keeping descriptive error message via custom appender. To find "extends"
in a source code, ClassExprNode is made an instance of ThrowableExpressionData.
This change reduces the number of emitted bytecodes by 4, and fixes IsConstructor's
error [1] to point to correct source code location.
[1]: https://tc39.es/ecma262/#sec-runtime-semantics-classdefinitionevaluation (step 5.f)
* builtins/BuiltinNames.h:
* bytecode/LinkTimeConstant.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitDirectSetPrototypeOf):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::PropertyListNode::emitPutConstantProperty):
(JSC::ClassExprNode::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createClassExpr):
* parser/Nodes.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseClass):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createClassExpr):
* runtime/ExceptionHelpers.cpp:
(JSC::invalidPrototypeSourceAppender):
(JSC::createInvalidPrototypeError):
* runtime/ExceptionHelpers.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/JSGlobalObjectFunctions.h:
2021-04-02 Jessica Tallon <jtallon@igalia.com>
Add type method to WebAssembly.Memory, WebAssembly.Table & WebAssembly.Global objects
https://bugs.webkit.org/show_bug.cgi?id=222412
Reviewed by Yusuke Suzuki.
This adds a type method to several WASM objects as part of the work to add WASM
type reflections to the JS-API. The methods return a JSON object which describes
the type of the object and can be passed to the constructor to create a new wasm
object of that type.
* wasm/js/JSWebAssemblyGlobal.cpp:
(JSC::JSWebAssemblyGlobal::type):
* wasm/js/JSWebAssemblyGlobal.h:
* wasm/js/JSWebAssemblyMemory.cpp:
(JSC::JSWebAssemblyMemory::type):
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::type):
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WebAssemblyGlobalPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* wasm/js/WebAssemblyGlobalPrototype.h:
* wasm/js/WebAssemblyMemoryPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* wasm/js/WebAssemblyTablePrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
2021-04-01 Yusuke Suzuki <ysuzuki@apple.com>
[WTF] Introduce RobinHoodHashTable
https://bugs.webkit.org/show_bug.cgi?id=223895
Reviewed by Fil Pizlo.
* builtins/BuiltinNames.cpp:
(JSC::lookUpPrivateNameImpl):
(JSC::lookUpWellKnownSymbolImpl):
* builtins/BuiltinNames.h:
* bytecode/BytecodeIntrinsicRegistry.h:
* runtime/Identifier.h:
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::initializeCollator):
(JSC::IntlCollator::checkICULocaleInvariants):
* runtime/IntlCollator.h:
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
* runtime/IntlDateTimeFormatConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/IntlDisplayNames.cpp:
(JSC::IntlDisplayNames::initializeDisplayNames):
* runtime/IntlDisplayNamesConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/IntlListFormat.cpp:
(JSC::IntlListFormat::initializeListFormat):
* runtime/IntlListFormatConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat):
* runtime/IntlNumberFormatConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/IntlObject.cpp:
(JSC::addScriptlessLocaleIfNeeded):
(JSC::intlAvailableLocales):
(JSC::intlCollatorAvailableLocales):
(JSC::intlSegmenterAvailableLocales):
(JSC::bestAvailableLocale):
(JSC::lookupMatcher):
(JSC::bestFitMatcher):
(JSC::resolveLocale):
(JSC::lookupSupportedLocales):
(JSC::bestFitSupportedLocales):
(JSC::supportedLocales):
* runtime/IntlObject.h:
(JSC::intlDateTimeFormatAvailableLocales):
(JSC::intlDisplayNamesAvailableLocales):
(JSC::intlNumberFormatAvailableLocales):
(JSC::intlPluralRulesAvailableLocales):
(JSC::intlRelativeTimeFormatAvailableLocales):
(JSC::intlListFormatAvailableLocales):
* runtime/IntlPluralRules.cpp:
(JSC::IntlPluralRules::initializePluralRules):
* runtime/IntlPluralRulesConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/IntlRelativeTimeFormat.cpp:
(JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
* runtime/IntlRelativeTimeFormatConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/IntlSegmenter.cpp:
(JSC::IntlSegmenter::initializeSegmenter):
* runtime/IntlSegmenterConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/RegExpCache.h:
* runtime/RegExpKey.h:
2021-04-01 Yusuke Suzuki <ysuzuki@apple.com>
REGRESSION(r274724): JITCage trampoline needs to be adjusted
https://bugs.webkit.org/show_bug.cgi?id=224065
Reviewed by Saam Barati.
r274724 introduced a new parameter to custom setters, but it didn't change the parameter recognization of JITCage trampolines for custom accessors.
As a result, we are jumping with the wrong pointer, and crash when custom setter is called with JITCage.
This patch fixes the above bug.
1. Now, custom getter and custom setter have different number of parameters. We should have two different trampolines to invoke it. We remove vmEntryCustomAccessor, and
add vmEntryCustomGetter/vmEntryCustomSetter.
2. vmEntryCustomSetter should use a4 parameter as a executable address for trampoline.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
* llint/LLIntThunks.cpp:
* llint/LLIntThunks.h:
* llint/LowLevelInterpreter.asm:
* offlineasm/arm64.rb:
* offlineasm/registers.rb:
* runtime/PropertySlot.h:
2021-04-01 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Use ucal_getTimeZoneOffsetFromLocal if ICU 69 is present
https://bugs.webkit.org/show_bug.cgi?id=224075
Reviewed by Yusuke Suzuki.
Apple ICU 68 cherry picked ucal_getTimeZoneOffsetFromLocal (see r223783),
but now that ICU 69 is in RC, we can go ahead and update the #if for non-Apple platforms.
* runtime/JSDateMath.cpp:
2021-04-01 Tadeu Zagallo <tzagallo@apple.com>
Remove use of ENABLE from API header
https://bugs.webkit.org/show_bug.cgi?id=224060
<rdar://76111678>
Reviewed by Mark Lam.
The use of the ENABLE macro in these API headers has caused build failures. Instead of
conditionally exposing these API methods we make them into no-ops if DFG is disabled.
* API/JSVirtualMachine.mm:
(+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
(+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
* API/JSVirtualMachinePrivate.h:
2021-04-01 Alexey Shvayka <shvaikalesh@gmail.com>
Optimize createListFromArrayLike() and Proxy's [[OwnPropertyKeys]] method
https://bugs.webkit.org/show_bug.cgi?id=223928
Reviewed by Yusuke Suzuki.
createListFromArrayLike() changes:
1. Use toLength() / getIndex() methods that have fast paths.
2. Remove RuntimeTypeMask and error messages from its signature: type checks are better
performed in advance / inside a functor to keep the helper more versatile.
3. Invert functor's return value to align with Structure::forEachProperty() and friends.
4. Rename it to forEachInArrayLike() as no list is actually returned.
ProxyObject::performGetOwnPropertyNames() changes:
1. Remove RuntimeTypeMask filtering as it's already performed by PropertyNameArray::add().
2. Store target's keys in a HashSet for faster insertion / search.
3. Don't populate `targetConfigurableKeys` for extensible target as it won't be used [1].
4. Leverage return value of HashSet::remove() instead of using a helper.
This patch advances Proxy's [[OwnPropertyKeys]] microbenchmarks by 20-30%,
mainly due to createListFromArrayLike() changes. No behavior changes.
Also, utilizes forEachInArrayLike() for allow list of JSON.stringify().
[1]: https://tc39.es/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-ownpropertykeys (step 20)
* runtime/JSONObject.cpp:
(JSC::Stringifier::Stringifier):
* runtime/JSObject.h:
(JSC::JSObject::getIndex const):
* runtime/JSObjectInlines.h:
(JSC::forEachInArrayLike):
(JSC::createListFromArrayLike): Deleted.
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::performGetOwnPropertyNames):
* runtime/ReflectObject.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
2021-03-31 David Kilzer <ddkilzer@apple.com>
UBSan: JSC::Parser<LexerType>::parseProperty(): runtime error: load of value nnn, which is not a valid value for type 'bool'
<https://webkit.org/b/223896>
<rdar://problem/75970132>
Reviewed by Darin Adler.
Based on a suggestion by Darin Adler.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseProperty):
- Change 'escaped' to 'wasUnescapedIdent' to avoid the undefined
behavior since m_token.m_data.escaped is only set in the case
when an identifer is parsed (in Lexer<>::parseIdentifer()),
not a string (in Lexer<>::parseString()). This simplifies the
logic later in the method.
2021-03-31 Mark Lam <mark.lam@apple.com>
Missing exception check in HashMapImpl::add().
https://bugs.webkit.org/show_bug.cgi?id=224007
rdar://76053163
Reviewed by Saam Barati.
* runtime/HashMapImpl.h:
(JSC::HashMapImpl::add):
2021-03-31 Xan Lopez <xan@igalia.com>
[JSC] Remove warnings about unnecessary operator= for ARMv7Assembler LinkRecord
https://bugs.webkit.org/show_bug.cgi?id=223916
Reviewed by Darin Adler.
Many years ago we defined an assignment operator for LinkRecord in
order to speed up build times (see #90930). Recent GCC versions
tell us that if we do that we almost certainly want to define a
copy constructor too. The ARM64Assembler file already does it, so
do it too for ARMv7 to remove the warnings.
* assembler/ARM64Assembler.h:
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::LinkRecord::LinkRecord):
(JSC::ARMv7Assembler::LinkRecord::operator=):
2021-03-31 Alexey Shvayka <shvaikalesh@gmail.com>
Optimize constructors of ES6 collections
https://bugs.webkit.org/show_bug.cgi?id=223953
Reviewed by Yusuke Suzuki.
This patch speeds up the constructors by avoiding call() for non-observable
"set" / "add" methods and using getIndex() for Map / WeakMap collections.
For Map / Set, this change leverages existing cloning helpers, which rely on
watchpoints, to avoid even a method lookup. However, slower path is used for
subclasses. Results in 1.9x speed-up for common case.
For WeakMap / WeakSet, adder function is checked by C++ pointer, which enables
fast path even for cross-realm subclasses. Results in 2.3x progression.
Both approaches require special handling of a cross-realm NewTarget to ensure
that raised exceptions (OOM / TypeError) belong to realm of the adder function,
and not to constructor's or NewTarget's.
Also, adds descriptve error messages for non-callable "set" / "add" properties.
* runtime/JSMap.cpp:
(JSC::JSMap::isSetFastAndNonObservable):
(JSC::JSMap::canCloneFastAndNonObservable): Deleted.
* runtime/JSMap.h:
* runtime/JSSet.cpp:
(JSC::JSSet::isAddFastAndNonObservable):
(JSC::JSSet::canCloneFastAndNonObservable): Deleted.
* runtime/JSSet.h:
* runtime/MapConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/SetConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/WeakMapConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/WeakMapPrototype.cpp:
(JSC::WeakMapPrototype::finishCreation):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/WeakMapPrototype.h:
* runtime/WeakSetConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/WeakSetPrototype.cpp:
(JSC::WeakSetPrototype::finishCreation):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/WeakSetPrototype.h:
2021-03-30 Devin Rousso <drousso@apple.com>
REGRESSION(r274607): media controls script is visible in Web Inspector even without the engineering "Show WebKit-internal scripts" enabled
https://bugs.webkit.org/show_bug.cgi?id=223961
Reviewed by Yusuke Suzuki.
It turns out that Web Inspector will only ignore scripts that have a source URL directive
that matches `__InjectedScript_*.js`, not those that have a (source) URL matching that.
In addition to Web Inspector ignoring these scripts in the UI, it will also cause the
`Debugger` to not pause in scripts with a matching source URL directive (unless the
local build engineering only "Pause in WebKit-internal scripts" is enabled).
* Scripts/make-js-file-arrays.py:
(main):
Add a `//# sourceURL=__InjectedScript_*.js` to the contents before it's encoded.
2021-03-30 Sam Weinig <weinig@apple.com>
JSGlobalObject's m_customGetterFunctionMap and m_customSetterFunctionMap should be sets, not maps, and should use both the identifier and function pointer as the key
https://bugs.webkit.org/show_bug.cgi?id=223613
Reviewed by Saam Barati.
- Adds a generic WeakGCSet class to go with the existing WeakGCMap.
- Renames WeakGCMapBase to WeakGCHashTable, moves it to its own file
and now uses it as the base class of both WeakGCSet and WeakGCMap.
- Replaces JSGlobalObject's customGetterFunctionMap/customSetterFunctionMap
with customGetterFunctionSet/customSetterFunctionSet, using the new
WeakGCSet, and updates them to use both the function pointer and
property name for the key, rather than just the function pointer which
is what the previous code did. This allows multiple custom functions
to use the same underlying function pointer as long as they have distinct
property names, which is going to be used to optimize the bindings for
CSSStyleDeclaration.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
Add new files.
* heap/Heap.cpp:
(JSC::Heap::runEndPhase):
(JSC::Heap::pruneStaleEntriesFromWeakGCHashTables):
(JSC::Heap::registerWeakGCHashTable):
(JSC::Heap::unregisterWeakGCHashTable):
(JSC::Heap::pruneStaleEntriesFromWeakGCMaps): Deleted.
(JSC::Heap::registerWeakGCMap): Deleted.
(JSC::Heap::unregisterWeakGCMap): Deleted.
* heap/Heap.h:
Update for new name. WeakGCMapBase -> WeakGCHashTable.
* runtime/JSCInlines.h:
Add WeakGCSetInlines.h
* runtime/JSCustomGetterFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSCustomGetterFunction::JSCustomGetterFunction):
(JSC::JSCustomGetterFunction::create):
* runtime/JSCustomGetterFunction.h:
* runtime/JSCustomSetterFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSCustomSetterFunction::JSCustomSetterFunction):
(JSC::JSCustomSetterFunction::create):
* runtime/JSCustomSetterFunction.h:
Add helper type CustomFunctionPointer and helper function customFunctionPointer()
to allow some generic hashing code to run on either JSCustomGetterFunction
or JSCustomSetterFunction.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::WeakCustomGetterOrSetterHash::hash):
(JSC::JSGlobalObject::WeakCustomGetterOrSetterHash::equal):
(JSC::JSGlobalObject::customGetterFunctionSet):
(JSC::JSGlobalObject::customSetterFunctionSet):
(JSC::JSGlobalObject::customGetterFunctionMap): Deleted.
(JSC::JSGlobalObject::customSetterFunctionMap): Deleted.
Replace m_customGetterFunctionMap/m_customSetterFunctionMap with
m_customGetterFunctionSet/m_customSetterFunctionSet. As the key is included
in the value, it saves space to use a set rather than a map. We now also
hash and compare both the function pointer and the property name to allow
sharing implementations.
* runtime/JSObject.cpp:
(JSC::WeakCustomGetterOrSetterHashTranslator::hash):
(JSC::WeakCustomGetterOrSetterHashTranslator::equal):
(JSC::createCustomGetterFunction):
(JSC::createCustomSetterFunction):
Update creation functions to use the new sets, making use of the
ensureValue function and a HashTranslator allowing the use of a
std::pair<PropertyName, FunctionPointer> as an alternative lookup
key. This allows us to avoid creating the JSCustomGetterFunction/JSCustomSetterFunction
pointer if one with the same property name and function pointer are
already in the set.
* runtime/WeakGCHashTable.h: Added.
(JSC::WeakGCHashTable::~WeakGCHashTable):
Moved from WeakGCMap and renamed as it is now the base of both
WeakGCMap and WeakGCSet.
* runtime/WeakGCMap.h:
Update to use new WeakGCHashTable base class.
* runtime/WeakGCMapInlines.h:
(JSC::KeyTraitsArg>::WeakGCMap):
(JSC::KeyTraitsArg>::~WeakGCMap):
Update for new Heap function names for WeakGCHashTable.
* runtime/WeakGCSet.h: Added.
* runtime/WeakGCSetInlines.h: Added.
(JSC::TraitsArg>::WeakGCSet):
(JSC::TraitsArg>::~WeakGCSet):
(JSC::TraitsArg>::find):
(JSC::TraitsArg>::find const):
(JSC::TraitsArg>::contains const):
(JSC::TraitsArg>::pruneStaleEntries):
Added a minimal WeakGCSet based on WeakGCMap.
2021-03-30 Mark Lam <mark.lam@apple.com>
Add disableForwardingVPrintfStdErrToOSLog() and use it in the jsc shell.
https://bugs.webkit.org/show_bug.cgi?id=223963
Reviewed by Saam Barati.
This prevents automatic forwarding of vprintf_stderr_common() to os_log_with_args(),
which results in duplicate output when using the jsc shell. As a result, ASSERT
fail messages and crash stack traces will be more readable.
* jsc.cpp:
(main):
2021-03-30 Mark Lam <mark.lam@apple.com>
Add Options::exitOnResourceExhaustion() to enable exiting instead of crashing on resource exhaustion.
https://bugs.webkit.org/show_bug.cgi?id=223959
rdar://63934158
Reviewed by Tadeu Zagallo.
This is useful to unblock fuzzers from false positive crashes due to resource
exhaustion. Currently, this is only applied to StructureID exhaustion.
Since we're adding this facility, we might as well implement it in such a way that
it can be easily deployed for other types of resource exhaustion as well.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* runtime/OptionsList.h:
* runtime/ResourceExhaustion.cpp: Added.
(JSC::handleResourceExhaustion):
* runtime/ResourceExhaustion.h: Added.
* runtime/StructureIDTable.cpp:
(JSC::StructureIDTable::resize):
2021-03-30 Ryan Haddad <ryanhaddad@apple.com>
Ensure that GlobalPropertyInfo is allocated on the stack.
https://bugs.webkit.org/show_bug.cgi?id=223911
Unreviewed test gardening.
Rebaseline builtins generator tests after r275212.
* Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2021-03-30 Mark Lam <mark.lam@apple.com>
Add more information to GC verifier verbose dumps.
https://bugs.webkit.org/show_bug.cgi?id=223951
Reviewed by Yusuke Suzuki.
* heap/VerifierSlotVisitor.cpp:
(JSC::VerifierSlotVisitor::dumpMarkerData):
2021-03-30 Mark Lam <mark.lam@apple.com>
Ensure that GlobalPropertyInfo is allocated on the stack.
https://bugs.webkit.org/show_bug.cgi?id=223911
rdar://75865742
Reviewed by Yusuke Suzuki.
We rely on GlobalPropertyInfo being allocated on the stack to allow its JSValue
value to be scanned by the GC. Unfortunately, an ASAN compilation would choose
to allocate the GlobalPropertyInfo on a side buffer instead of directly on the
stack. This prevents the GC from doing the needed scan.
We'll fix this by suppressing ASAN on the functions that allocated GlobalPropertyInfo
arrays. Also added an ASSERT in the GlobalPropertyInfo constructor to assert that
it is allocated on the stack.
* Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:
(BuiltinsInternalsWrapperImplementationGenerator.generate_initialize_method):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::initStaticGlobals):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::exposeDollarVM):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::GlobalPropertyInfo::GlobalPropertyInfo):
2021-03-29 Xan López <xan@igalia.com>
[JSC] Use helper method when possible to store data in the callframe header
https://bugs.webkit.org/show_bug.cgi?id=223432
Reviewed by Yusuke Suzuki.
A bunch of the direct stores to the callframe header are zeroing
out the codeblock slot. Create a helper method to do that and use
it accordingly. For the rest, use emitPutToCallFrameHeader, which
already does the right thing. Also, remove a lot of unused helper
methods in AssemblyHelpers (which have been updated for no reason
throughout the years).
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitPutToCallFrameHeaderBeforePrologue): Deleted.
(JSC::AssemblyHelpers::emitPutPayloadToCallFrameHeaderBeforePrologue): Deleted.
(JSC::AssemblyHelpers::emitPutTagToCallFrameHeaderBeforePrologue): Deleted.
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2021-03-28 Sam Weinig <weinig@apple.com>
Remove ENABLE_INDEXED_DATABASE & ENABLE_INDEXED_DATABASE_IN_WORKERS, it seems like it is on for all ports
https://bugs.webkit.org/show_bug.cgi?id=223810
Reviewed by Simon Fraser.
* inspector/protocol/IndexedDB.json:
Update for remove ENABLE_INDEXED_DATABASE conditional.
2021-03-26 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use AppleICU SPI for canonicalization
https://bugs.webkit.org/show_bug.cgi?id=223552
Reviewed by Ryosuke Niwa.
uloc_canonicalize does not perform alias mapping. This is different from ECMA402's canonicalization requirement.
ICU C++ icu::Locale can canonicalize locale ID with alias mapping, but this is not exposed to C API.
In this patch, we adopt AppleICU SPI "ualoc_canonicalForm" added in rdar://74314220. This canonicalization can perform
alias mapping too. We do not extend uloc_canonicalize since this API explicitly says "It does NOT map aliased names in any way."[1].
In [2], we are tracking upstreaming of this new SPI. Once it is upstreamed to the mainline ICU, we will switch to that.
[1]: https://unicode-org.github.io/icu-docs/apidoc/dev/icu4c/uloc_8h.html#a69b148194cf57ac40d4bb15c5b905260
[2]: https://unicode-org.atlassian.net/browse/ICU-21506
* runtime/IntlLocale.cpp:
(JSC::LocaleIDBuilder::initialize):
(JSC::LocaleIDBuilder::toCanonical):
* runtime/IntlObject.cpp:
(JSC::localeIDBufferForLanguageTagWithNullTerminator):
(JSC::canonicalizeLanguageTag):
(JSC::canonicalizeLocaleIDWithoutNullTerminator):
(JSC::localeIDBufferForLanguageTag): Deleted.
* runtime/IntlObject.h:
2021-03-26 Don Olmstead <don.olmstead@sony.com>
[CMake] Deprecate using DERIVED_SOURCES_DIR/FOWARDING_HEADERS_DIR directly
https://bugs.webkit.org/show_bug.cgi?id=223763
Reviewed by Michael Catanzaro.
Remove any usages of DERIVED_SOURCES_DIR and FOWARDING_HEADERS_DIR.
* CMakeLists.txt:
* PlatformMac.cmake:
2021-03-26 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use new Apple ICU APIs to avoid C++ ICU API usage
https://bugs.webkit.org/show_bug.cgi?id=223783
<rdar://problem/75060240>
Reviewed by Mark Lam.
This patch adopts ICU 69's draft APIs to avoid using ICU C++ APIs in newer macOS build.
AppleICU adopts these draft APIs so that we can use it even in ICU 68 if ICU is AppleICU.
The API is ucal_getTimeZoneOffsetFromLocal, which is back-ported from ICU 69[1].
The purpose of this API is that calculating timezone offset and dst offset from *local* time.
[1]: https://github.com/unicode-org/icu/commit/53aa0505c5f95a8cebbd7b4421d474fd2a790b80
* runtime/IntlDateTimeFormat.cpp:
* runtime/JSDateMath.cpp:
(JSC::OpaqueICUTimeZoneDeleter::operator()):
(JSC::DateCache::calculateLocalTimeOffset):
(JSC::DateCache::defaultTimeZone):
(JSC::DateCache::timeZoneCacheSlow):
* runtime/JSDateMath.h:
2021-03-26 Jessie Berlin <jberlin@webkit.org>
Update the BEFORE/SINCE, SYSTEM_VERSION_PREFIX, and MACOSX_DEPLOYMENT_TARGET flags
https://bugs.webkit.org/show_bug.cgi?id=223779
Reviewed by Tim Horton.
* Configurations/DebugRelease.xcconfig:
* Configurations/Version.xcconfig:
* Configurations/WebKitTargetConditionals.xcconfig:
2021-03-25 Saam Barati <sbarati@apple.com>
validate untagArrayPtr
https://bugs.webkit.org/show_bug.cgi?id=214953
<rdar://problem/66391434>
Reviewed by Mark Lam.
This patch adds validation to untagArrayPtr along paths where we don't
immediately store/load from the result.
This patch also changes the removeArrayPtrTag macro assembler function to
use a bitwise and instead of xpacd to strip the tag, because it's faster.
* assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::untagArrayPtr):
(JSC::MacroAssemblerARM64E::removeArrayPtrTag):
* assembler/testmasm.cpp:
(JSC::testCagePreservesPACFailureBit):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr):
(JSC::FTL::DFG::LowerDFGToB3::caged):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::cageWithoutUntagging):
(JSC::AssemblyHelpers::cageConditionallyAndUntag):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::cageWithoutUntagging): Deleted.
(JSC::AssemblyHelpers::cageConditionally): Deleted.
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::AirIRGenerator::addCallIndirect):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2021-03-25 Jessie Berlin <jberlin@webkit.org>
Remove 10.13 DEPLOYMENT_TARGETs and SYSTEM_VERSION_PREFIXs
https://bugs.webkit.org/show_bug.cgi?id=223765
Reviewed by Tim Horton.
* Configurations/Base.xcconfig:
* Configurations/DebugRelease.xcconfig:
* Configurations/Version.xcconfig:
2021-03-25 Carlos Garcia Campos <cgarcia@igalia.com>
[GTK][WPE] JSC crashes if a function expects a parameter but doesn't receive any
https://bugs.webkit.org/show_bug.cgi?id=223646
Reviewed by Adrian Perez de Castro.
Handle the case of receiving fewer argumens than expected in function calls and constructors. We pass undefined
for the expected arguments that are missing. We were not correctly handling the case of converting undefined and
null values to JSCValue, so this patch fixes that case too.
* API/glib/JSCCallbackFunction.cpp:
(JSC::JSCCallbackFunction::call):
(JSC::JSCCallbackFunction::construct):
* API/glib/JSCContext.cpp:
(jscContextJSValueToWrappedObject):
(jscContextJSValueToGValue):
2021-03-24 Michael Saboff <msaboff@apple.com>
[YARR] Interpreter incorrectly matches non-BMP characters with multiple . w/dotAll flag
https://bugs.webkit.org/show_bug.cgi?id=223666
Reviewed by Mark Lam.
In checkCharacterClassDontAdvanceInputForNonBMP(), we need to check for input.readChecked() returning -1
and return that the character class didn't match.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::checkCharacterClassDontAdvanceInputForNonBMP):
2021-03-24 Saam Barati <sbarati@apple.com>
r271034 added code in constant folding phase that's unreachable given current invariants of our ICs and PutByIdStatus
https://bugs.webkit.org/show_bug.cgi?id=223625
Reviewed by Yusuke Suzuki.
The code was doing a lot of wrong things by making bad assumptions about the
invariants of PutByIdVariants. Replace PutByIdVariants never have object
property condition sets, since we always replace on the self object (and don't
look at the prototype chain). This patch clears up the code to make it
clearer what the invariants are.
With respect to the original fix about not emitting a PutByOffset for a
Replace on a Structure that has an unfired replacement watchpoint set,
that was already handled by the PutByIdStatus::computeFor variant we're
calling inside of constant folding. It will return TakesSlowPathif it
encounters a Replace where the Structure still has an unfired watchpoint.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
2021-03-24 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Rope string equal operation should first check length
https://bugs.webkit.org/show_bug.cgi?id=223678
Reviewed by Mark Lam.
This can avoid eagerly resolving rope strings if it is not necessary.
* runtime/JSString.cpp:
(JSC::JSString::equalSlowCase const):
2021-03-23 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Functor for WeakGCMap::ensureValue must not invoke GC
https://bugs.webkit.org/show_bug.cgi?id=223629
<rdar://problem/75619217>
Reviewed by Mark Lam.
The functor for WeakGCMap::ensureValue must not invoke GC. GC can prune entries in WeakGCMap.
So we can modify underlying HashMap while we are just touching it for HashMap::ensure. This
can corrupt HashMap. To ensure this invariant, we put DisallowGC for WeakGCMap::ensureValue.
So we cannot invoke GC in the functor of that function (otherwise, assertion hits).
And we use DeferGC in createCustomGetterFunction / createCustomSetterFunction to avoid invoking
GC in WeakGCMap::ensureValue. This defers GC invocation until this DeferGC scope is destroyed,
and ensures that functor invoked by WeakGCMap::ensureValue will not cause GC.
* runtime/JSObject.cpp:
(JSC::createCustomGetterFunction):
(JSC::createCustomSetterFunction):
(JSC::JSObject::getOwnPropertyDescriptor):
* runtime/WeakGCMap.h:
2021-03-23 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use ErrorInstance for AggregateError
https://bugs.webkit.org/show_bug.cgi?id=223626
Reviewed by Darin Adler.
From r274609, WebAssembly errors start using normal ErrorInstance. We apply the same thing to AggregateError too.
This patch removes AggregateError class, and just generating ErrorInstance.
* runtime/AggregateError.cpp:
(JSC::createAggregateError):
(JSC::AggregateError::AggregateError): Deleted.
(JSC::AggregateError::finishCreation): Deleted.
(JSC::AggregateError::create): Deleted.
* runtime/AggregateError.h:
(): Deleted.
* runtime/AggregateErrorConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::initializeAggregateErrorConstructor):
2021-03-23 Robin Morisset <rmorisset@apple.com>
Object.freeze(this) at the global scope can lose a reference to a WatchpointSet
https://bugs.webkit.org/show_bug.cgi?id=223608
Reviewed by Yusuke Suzuki.
When freezing the global object, we should make a proper copy of symbol table entries, to keep any outstanding reference to the WatchpointSet.
We cannot use pack(), because it does not support FatEntries.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::defineOwnProperty):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTableGet):
* runtime/SymbolTable.h:
(JSC::SymbolTableEntry::setReadOnly):
2021-03-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] JSCustomGetterFunction/JSCustomSetterFunction should use Identifier for their field
https://bugs.webkit.org/show_bug.cgi?id=223588
Reviewed by Mark Lam and Saam Barati.
PropertyName is the holder for passing it as an argument, and it does not ref/deref underlying UniqueStringImpl.
We should use Identifier to keep it strongly ref-ed in JSCustomGetterFunction/JSCustomSetterFunction.
And we should make JSCustomGetterFunction/JSCustomSetterFunction destructible objects since Identifier needs to
deref underlying UniqueStringImpl when destroying these functions.
* runtime/JSCustomGetterFunction.cpp:
(JSC::JSCustomGetterFunction::JSCustomGetterFunction):
(JSC::JSCustomGetterFunction::destroy):
* runtime/JSCustomGetterFunction.h:
* runtime/JSCustomSetterFunction.cpp:
(JSC::JSCustomSetterFunction::JSCustomSetterFunction):
(JSC::JSCustomSetterFunction::destroy):
* runtime/JSCustomSetterFunction.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2021-03-22 Saam Barati <sbarati@apple.com>
LiteralParser shouldn't make error messages of length ~2^31
https://bugs.webkit.org/show_bug.cgi?id=223483
<rdar://75572255>
Reviewed by Robin Morisset.
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::parse):
2021-03-22 Michael Saboff <msaboff@apple.com>
[YARR] Interpreter incorrectly matches non-BMP characters with multiple .
https://bugs.webkit.org/show_bug.cgi?id=223498
Reviewed by Yusuke Suzuki.
We need to check that we read an actual character before seeing if it is part of a character class.
In the case where we are checking that a character is not in a character class, like .,
the failed to read result from input.readChecked(), -1, is not part of the newline character class.
This will allow regular expressions that require more than the number of characters in a string
to match.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::checkCharacterClass):
2021-03-22 Ross Kirsling <ross.kirsling@sony.com>
Unreviewed, fix Mac and non-unified JSCOnly builds
https://bugs.webkit.org/show_bug.cgi?id=223546
* wasm/WasmGlobal.h:
* wasm/WasmTable.h:
* wasm/js/JSWebAssemblyCompileError.cpp:
* wasm/js/JSWebAssemblyLinkError.cpp:
* wasm/js/JSWebAssemblyRuntimeError.cpp:
Add missing includes for non-unified JSC build.
2021-03-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Intl.Locale should not assume is8Bit
https://bugs.webkit.org/show_bug.cgi?id=223553
Reviewed by Ross Kirsling.
is8Bit or not is not guaranteed if it is an user-input. For example, "test日本語".substring(0, 3) should be non 8Bit string.
Intl.Locale has several places that assumed that input should be 8Bit if they are ASCII. This patch fixes it.
* runtime/IntlLocale.cpp:
(JSC::LocaleIDBuilder::overrideLanguageScriptRegion):
(JSC::LocaleIDBuilder::setKeywordValue):
2021-03-22 Sam Weinig <weinig@apple.com>
Use the PropertyName parameter passed to custom getters/setters rather than a redundant const char* in DOM attribute prologues
https://bugs.webkit.org/show_bug.cgi?id=223542
Reviewed by Alexey Shvayka.
Add throwVMDOMAttributeSetterTypeError to match existing throwVMDOMAttributeGetterTypeError and move
additional helpers used by WebCore here to avoid redundant work.
Removes some now unused functions.
* runtime/Error.cpp:
(JSC::createGetterTypeError):
(JSC::makeDOMAttributeGetterTypeErrorMessage):
(JSC::makeDOMAttributeSetterTypeErrorMessage):
(JSC::throwDOMAttributeGetterTypeError):
(JSC::throwDOMAttributeSetterTypeError):
(JSC::throwGetterTypeError): Deleted.
* runtime/Error.h:
(JSC::throwVMRangeError):
(JSC::throwVMDOMAttributeSetterTypeError):
(JSC::throwVMGetterTypeError): Deleted.
2021-03-22 Tyler Wilcock <twilco.o@protonmail.com>
AppleWin can't start due to "Failed to determine path to AAS directory." because iTunes changed the registry key
https://bugs.webkit.org/show_bug.cgi?id=219015
Reviewed by Alex Christensen.
It appears that iTunes no longer sets the Apple Application Support
registry entry. Fall back to trying to find the iTunes installation
directory if the AAS directory is not present.
* shell/DLLLauncherMain.cpp:
(iTunesDirectory): Added.
(modifyPath):
2021-03-19 Darin Adler <darin@apple.com>
[Cocoa] Make it possible to release a WKWebView on a non-main thread without a crash due to WKScriptMessage race
https://bugs.webkit.org/show_bug.cgi?id=222336
Reviewed by Chris Dumez.
* API/ObjcRuntimeExtras.h: Removed declarations of objc_initWeak and objc_destroyWeak, since
these are already in <wtf/spi/cocoa/objcSPI.h>.
2021-03-19 Mark Lam <mark.lam@apple.com>
BrandedStructure should keep its members alive.
https://bugs.webkit.org/show_bug.cgi?id=223495
rdar://75565765
Reviewed by Saam Barati.
Normally, each type of JSCell would have its own structure (and therefore, its own
ClassInfo, MethodTable, etc), which would have handled visiting m_parentBrand.
Similarly, it would have its own destructor, which would deref m_brand.
However, the design of BrandedStructure is not like other JSCells. As present,
we have chosen to go with having BrandedStructure look exactly like a regular
Structure, except that its isBrandedStructure flag is set to true.
This design has advantages because we do checks all over the system for whether
a cell is a Structure by simply comparing its structureID to structureStructure's
structureID. By virtue of BrandedStructure having the same structure as Structure,
none of this code need to change.
The downside is that we need to enhance Structure's methods to check if it is
actually working on an instance of BrandedStructure, and do some additional work.
This patch fixes 2 bugs:
1. m_parentBrand was not visited by visitChildren().
Structure::visitChildrenImpl() now calls BrandedStructure::visitAdditionalChildren()
to handle this.
2. m_brand needs to be ref'ed.
In Structure::setBrandTransition(), if the BrandedStructure is a dictionary,
then its m_transitionPropertyName will be cleared. m_transitionPropertyName
was the only means by which the UniqueStringImpl pointed to by m_brand was
ref'ed. The fix is to make m_brand a RefPtr.
Hence, it follows that we also need to deref m_brand on destruction.
Structure's destructor now calls BrandedStructure::destruct() to handle this.
* runtime/BrandedStructure.h:
* runtime/Structure.cpp:
(JSC::Structure::~Structure):
(JSC::Structure::visitChildrenImpl):
2021-03-19 Sam Weinig <weinig@apple.com>
Add PropertyName parameter to custom setters to allow shared implementations to do late name lookup
https://bugs.webkit.org/show_bug.cgi?id=223413
Reviewed by Alexey Shvayka.
Make custom setters match custom getters by adding a PropertyName parameter.
This will be used by the CSSStyleDeclaration bindings to avoid > 1000 copies
of the same getter/setter code, which will instead be able to differentiate
using the name.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* jsc.cpp:
(JSC_DEFINE_CUSTOM_SETTER):
* runtime/CustomGetterSetter.cpp:
(JSC::callCustomSetter):
* runtime/CustomGetterSetter.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSCustomSetterFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSCustomSetterFunction::JSCustomSetterFunction):
(JSC::JSCustomSetterFunction::create):
* runtime/JSCustomSetterFunction.h:
* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):
* runtime/Lookup.h:
(JSC::putEntry):
* runtime/PropertySlot.h:
* runtime/RegExpConstructor.cpp:
(JSC::JSC_DEFINE_CUSTOM_SETTER):
* runtime/RegExpObject.cpp:
(JSC::JSC_DEFINE_CUSTOM_SETTER):
* tools/JSDollarVM.cpp:
== Rolled over to ChangeLog-2021-03-18 ==