Google Git
Sign in
webkit / WebKit / 4c96d1df8ae595137c198a306e1fe5e2e773e595 / . / Source / JavaScriptCore / ChangeLog
blob: cf1d33d3e557be82a160ff82ec061e08b9e3690a [file] [log] [blame]
2019-06-12 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
https://bugs.webkit.org/show_bug.cgi?id=198770
Reviewed by Saam Barati.
Polymorphic call stub is a bit specially patched in JS call site. Typical JS call site for tail calls
are the following.
if (callee == patchableCallee) {
restore callee saves for tail call
prepare for tail call
jump to the target function
}
restore callee saves for slow path
call the slow path function
And linking patches patchableCallee, target function, and slow path function. But polymorphic call stub
patches the above `if` statement with the jump to the stub.
jump to the polymorphic call stub
This is because polymorphic call stub wants to use CallFrameShuffler to get scratch registers. As a result,
"restore callee saves for tail call" thing needs to be done in the polymorphic call stubs. While it is
correctly done for the major cases, we have `slowPath` skips, and that path missed restoring callee saves.
This skip happens if the callee is non JSCell or non JS function, so typically, InternalFunction is handled
in that path.
This patch does that skips after restoring callee saves.
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::CallLinkInfo):
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::setUpCall):
(JSC::CallLinkInfo::calleeGPR):
(JSC::CallLinkInfo::setCalleeGPR): Deleted.
* jit/Repatch.cpp:
(JSC::revertCall):
(JSC::linkVirtualFor):
(JSC::linkPolymorphicCall):
* jit/Repatch.h:
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
2019-06-12 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r246322.
https://bugs.webkit.org/show_bug.cgi?id=198796
"It's a huge page load regression on iOS" (Requested by
saamyjoon on #webkit).
Reverted changeset:
"Roll out PAC cage"
https://bugs.webkit.org/show_bug.cgi?id=198726
https://trac.webkit.org/changeset/246322
2019-06-11 Alexey Shvayka <shvaikalesh@gmail.com>
JSC should throw if proxy set returns falsish in strict mode context
https://bugs.webkit.org/show_bug.cgi?id=177398
Reviewed by Yusuke Suzuki.
Throw TypeError exception if Proxy's `set` trap returns falsy value.
(step 6.c of https://tc39.es/ecma262/#sec-putvalue)
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::performPut):
(JSC::ProxyObject::put):
(JSC::ProxyObject::putByIndexCommon):
* runtime/ProxyObject.h:
2019-06-11 Alexey Shvayka <shvaikalesh@gmail.com>
Error message for non-callable Proxy `construct` trap is misleading
https://bugs.webkit.org/show_bug.cgi?id=198637
Reviewed by Saam Barati.
Just like other traps, Proxy `construct` trap is invoked with [[Call]], not [[Construct]].
* runtime/ProxyObject.cpp:
(JSC::performProxyConstruct): Tweak error message.
2019-06-10 Tadeu Zagallo <tzagallo@apple.com>
AI BitURShift's result should not be unsigned
https://bugs.webkit.org/show_bug.cgi?id=198689
<rdar://problem/51550063>
Reviewed by Saam Barati.
Treating BitURShift's result as unsigned in the abstract interpreter incorrectly overflows it.
This breaks the DFG and FTL, since they assume that BitURShift's result is an int32 value, but
get a double constant from AI. Since the result will be converted to unsigned by UInt32ToNumber,
all we have to do is store the result as a signed int32.
* dfg/DFGAbstractInterpreterInlines.h:
2019-06-11 Michael Catanzaro <mcatanzaro@igalia.com>
Unreviewed build warning fixes
Silence -Wreturn-type warning
* wasm/WasmTable.cpp:
(JSC::Wasm::Table::tryCreate):
2019-06-11 Saam Barati <sbarati@apple.com>
Roll out PAC cage
https://bugs.webkit.org/show_bug.cgi?id=198726
Reviewed by Keith Miller.
This patch rolls out: r245064, r245145, r245168, r245313, r245432, r245622.
The resulting state we're in is we have Gigacage enabled on arm64.
There is no more PAC caging.
We're doing this because there are performance issues with PAC caging
that we haven't resolved yet.
* assembler/CPU.h:
(JSC::isARM64E): Deleted.
* assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::tagArrayPtr): Deleted.
(JSC::MacroAssemblerARM64E::untagArrayPtr): Deleted.
(JSC::MacroAssemblerARM64E::removeArrayPtrTag): Deleted.
* b3/B3LowerToAir.cpp:
* b3/B3PatchpointSpecial.cpp:
(JSC::B3::PatchpointSpecial::admitsStack):
* b3/B3StackmapSpecial.cpp:
(JSC::B3::StackmapSpecial::forEachArgImpl):
(JSC::B3::StackmapSpecial::isArgValidForRep):
* b3/B3Validate.cpp:
* b3/B3ValueRep.cpp:
(JSC::B3::ValueRep::addUsedRegistersTo const):
(JSC::B3::ValueRep::dump const):
(WTF::printInternal):
* b3/B3ValueRep.h:
(JSC::B3::ValueRep::ValueRep):
(JSC::B3::ValueRep::isReg const):
* dfg/DFGOperations.cpp:
(JSC::DFG::newTypedArrayWithSize):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
(JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
(JSC::FTL::DFG::LowerDFGToB3::caged):
(JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
(JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag): Deleted.
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::genericAddPointer):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::cageConditionally):
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDirectArgumentsGetByVal):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallNode::clearCallLinkInfo):
* jit/RegisterSet.h:
* llint/LowLevelInterpreter64.asm:
* runtime/ArrayBuffer.cpp:
(JSC::SharedArrayBufferContents::SharedArrayBufferContents):
(JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
(JSC::ArrayBufferContents::ArrayBufferContents):
(JSC::ArrayBufferContents::destroy):
(JSC::ArrayBufferContents::tryAllocate):
(JSC::ArrayBufferContents::makeShared):
(JSC::ArrayBufferContents::copyTo):
* runtime/ArrayBuffer.h:
(JSC::SharedArrayBufferContents::data const):
(JSC::ArrayBufferContents::data const):
(JSC::ArrayBuffer::data):
(JSC::ArrayBuffer::data const):
(JSC::ArrayBuffer::byteLength const):
* runtime/ArrayBufferView.cpp:
(JSC::ArrayBufferView::ArrayBufferView):
* runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::baseAddress const):
(JSC::ArrayBufferView::setRangeImpl):
(JSC::ArrayBufferView::getRangeImpl):
(JSC::ArrayBufferView::byteLength const): Deleted.
* runtime/CachedTypes.cpp:
(JSC::CachedScopedArgumentsTable::encode):
(JSC::CachedScopedArgumentsTable::decode const):
* runtime/CagedBarrierPtr.h:
(JSC::CagedBarrierPtr::CagedBarrierPtr):
(JSC::CagedBarrierPtr::set):
(JSC::CagedBarrierPtr::get const):
(JSC::CagedBarrierPtr::getMayBeNull const):
(JSC::CagedBarrierPtr::operator== const):
(JSC::CagedBarrierPtr::operator!= const):
(JSC::CagedBarrierPtr::operator bool const):
(JSC::CagedBarrierPtr::setWithoutBarrier):
(JSC::CagedBarrierPtr::operator* const):
(JSC::CagedBarrierPtr::operator-> const):
(JSC::CagedBarrierPtr::operator[] const):
(JSC::CagedBarrierPtr::getUnsafe const): Deleted.
(JSC::CagedBarrierPtr::at const): Deleted.
* runtime/DataView.cpp:
(JSC::DataView::DataView):
* runtime/DataView.h:
(JSC::DataView::get):
(JSC::DataView::set):
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::visitChildren):
(JSC::DirectArguments::overrideThings):
(JSC::DirectArguments::unmapArgument):
* runtime/DirectArguments.h:
* runtime/GenericArguments.h:
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::visitChildren):
(JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
(JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
(JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
* runtime/GenericTypedArrayView.h:
* runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
(JSC::JSArrayBufferView::JSArrayBufferView):
(JSC::JSArrayBufferView::finalize):
(JSC::JSArrayBufferView::slowDownAndWasteMemory):
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::ConstructionContext::vector const):
(JSC::JSArrayBufferView::isNeutered):
(JSC::JSArrayBufferView::vector const):
(JSC::JSArrayBufferView::hasVector const): Deleted.
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
(JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
* runtime/Options.h:
* runtime/ScopedArgumentsTable.cpp:
(JSC::ScopedArgumentsTable::clone):
(JSC::ScopedArgumentsTable::setLength):
* runtime/ScopedArgumentsTable.h:
* runtime/SymbolTable.h:
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::AirIRGenerator::addCallIndirect):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::complete):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmInstance.h:
(JSC::Wasm::Instance::cachedMemory const):
(JSC::Wasm::Instance::updateCachedMemory):
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::Memory):
(JSC::Wasm::Memory::~Memory):
(JSC::Wasm::Memory::grow):
(JSC::Wasm::Memory::dump const):
* wasm/WasmMemory.h:
(JSC::Wasm::Memory::memory const):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2019-06-10 Basuke Suzuki <Basuke.Suzuki@sony.com>
[WinCairo] Remove build warning from RemoteInspector.
https://bugs.webkit.org/show_bug.cgi?id=198724
Reviewed by Joseph Pecoraro.
In `RemoteInspectorConnectionClient.h`, an interface was defined with empty implementation.
This method is to be overwritten by sub classes so that parameter name is important
so they are commented out rather than just removing from the definition.
* inspector/remote/RemoteInspector.h:
2019-06-10 Sam Weinig <weinig@apple.com>
Remove Dashboard support
https://bugs.webkit.org/show_bug.cgi?id=198615
Reviewed by Ryosuke Niwa.
* Configurations/FeatureDefines.xcconfig:
2019-06-10 Devin Rousso <drousso@apple.com>
Web Automation: add notifications for when remote automation is enabled/disabled
https://bugs.webkit.org/show_bug.cgi?id=198703
<rdar://problem/50588975>
Reviewed by Timothy Hatcher.
* inspector/remote/RemoteInspectorConstants.h:
2019-06-10 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, build fix for non-DFG configurations, part 2
https://bugs.webkit.org/show_bug.cgi?id=198023
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finalizeUnconditionally):
2019-06-10 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, build fix for non-DFG configurations
https://bugs.webkit.org/show_bug.cgi?id=198023
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finalizeUnconditionally):
2019-06-10 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
https://bugs.webkit.org/show_bug.cgi?id=198023
Reviewed by Saam Barati.
While CodeBlock is periodically jettisoned, UnlinkedCodeBlock and UnlinkedFunctionExecutable can be retained almost forever in certain type of applications.
When we execute a program, which has UnlinkedProgramCodeBlock retained in CodeCache. And UnlinkedProgramCodeBlock holds array of UnlinkedFunctionExecutable.
And UnlinkedFunctionExecutables hold UnlinkedFunctionCodeBlocks once it is generated. So eventually, this tree gets larger and larger until we purge
UnlinkedProgramCodeBlock from CodeCache. This is OK in the browser case. We navigate to various other pages, and UnlinkedProgramCodeBlocks should eventually
be pruned from CodeCache with the new ones. So this tree won't be retained forever. But the behavior is different in the other applications that do not have
navigations. If they only have one program which holds all, we basically retain this tree during executing this application. The same thing can happen in
web applications which does not have navigation and keeps alive for a long time. Once we hit CodeCache limit by periodically executing a new script, we will
hit the uppermost of memory footprint. But until that, we increase our memory footprint.
However, destroying these UnlinkedCodeBlocks and UnlinkedFunctionExecutables causes a tricky problem. In the browser environment, navigation can happen at any
time. So even if the given UnlinkedCodeBlock seems unused in the current page, it can be used when navigating to a new page which is under the same domain.
One example is initializing function in a script. It is only executed once per page. So once it is executed, it seems that this UnlinkedCodeBlock is unused.
But this will be used when we navigate to a new page. Pruning code blocks based on usage could cause performance regression.
But if our VM is mini VM mode, the story is different. In mini VM mode, we focus on memory footprint rather than performance e.g. daemons. The daemon never
reuse these CodeCache since we do not have the navigation.
This patch logically makes UnlinkedFunctionExecutable -> UnlinkedCodeBlock reference weak when VM is mini mode. If UnlinkedCodeBlock is used in previous GC
cycle, we retain it. But if it is not used, and if UnlinkedFunctionExecutable is only the cell keeping UnlinkedCodeBlock alive, we destroy it. It is a
heuristic. In a super pathological case, it could increase memory footprint. Consider the following example.
UnlinkedFunctionExecutable(A1) -> UnlinkedCodeBlock(B1) -> UnlinkedFunctionExecutable(C1) -> UnlinkedCodeBlock(D1)
^
CodeBlock(E1)
We could delete A1, B1, and C1 while keeping D1. But if we eventually re-execute the same code corresponding to A1, B1, C1, they will be newly created, and
we will create duplicate UnlinkedCodeBlock and instructions stream for D1.
UnlinkedCodeBlock(D1)
^
CodeBlock(E1)
UnlinkedFunctionExecutable(A2) -> UnlinkedCodeBlock(B2) -> UnlinkedFunctionExecutable(C2) -> UnlinkedCodeBlock(D2)
But this does not happen in practice and even it happens, we eventually discard D1 and D2 since CodeBlock E1 will be jettisoned anyway. So in practice, we do
not see memory footprint increase. We tested it in Gmail and the target application, but both said memory footprint reduction (30 MB / 400 MB and 1 MB /6 MB).
While this affects on performance much on tests which has navigation (1-3 % regression in Speedometer2, note that JetStream2 does not show regression in x64,
while it is not enabling mini mode), we do not apply this to non mini mode VM until we come up with a good strategy to fasten performance of re-generation.
Personally I think flushing destroyed UnlinkedCodeBlock to the disk sounds promising.
If UnlinkedCodeBlock is generated from bytecode cache, we do not make UnlinkedFunctionExecutable -> UnlinkedCodeBlock link weak because the decoder of the bytecode
cache assumes that generated JSCells won't be destroyed while the parent cells of that cell are live. This is true in the current implementation, and this assumption
will be broken with this patch. So, for now, we do not make this link weak. Currently, our target application does not use bytecode cache so it is OK.
This patch also introduce simple heuristic. We are counting UnlinkedCodeBlock's age. And once the age becomes maximum size, we make UnlinkedFunctionExecutable ->
UnlinkedCodeBlock link weak. We also use execution counter information to reset this age: CodeBlock will reset undelying UnlinkedCodeBlock's age if it has executed
While this heuristic is quite simple, it has some effect in practice. Basically what happens with this heuristic is that UnlinkedFunctionExecutable ->
UnlinkedCodeBlock link strong. When GC happens, we are executing some CodeBlocks, which become live. And ScriptExecutables -> UnlinkedFunctionExecutables held
by this CodeBlock become also live. Then UnlinkedFunctionExecutables can mark the child UnlinkedCodeBlocks if it is not so old.
If some of parent UnlinkedFunctionExecutable becomes dead, child UnlinkedCodeBlocks tends to be dead unless some live CodeBlock holds it. But it is OK for a first
heuristics since this means that parent code block is now considered old, reachable UnlinkedCodeBlock will be used when the parent is executed again. So destroying
the tree is OK even if the tree may include some new UnlinkedCodeBlock. While we could make more sophisticated mechanism to manage these lifetime, I think this is a
good starting point.
Based on measurement, we pick 7 as a maximum age. If we pick 0, we can get more memory reduction (1 - 1.5 MB!), while we ends up reparsing codes so many times.
It seems that 7 can reduce fair amount of memory while doing small # of reparsing on average (usually, 1, 2. Sometimes, 100. But not 300, which is the case in 0).
If we want to get more memory reduction for the sake of performance, we could decrease this age limit.
Since we do not have an automated script right now so it is a bit difficult to measure memory footprint precisely. But manual testing shows that this patch improves
memory footprint of our target application from about 6.5 MB to about 5.9 MB.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finalizeUnconditionally):
* bytecode/CodeBlock.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
(JSC::UnlinkedCodeBlock::visitChildren):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::age const):
(JSC::UnlinkedCodeBlock::resetAge):
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
(JSC::UnlinkedFunctionExecutable::visitChildren):
(JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
(JSC::UnlinkedFunctionExecutable::decodeCachedCodeBlocks):
(JSC::UnlinkedFunctionExecutable::finalizeUnconditionally):
* bytecode/UnlinkedFunctionExecutable.h:
* heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
* runtime/CachedTypes.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
* runtime/CodeSpecializationKind.h:
* runtime/Options.h:
* runtime/VM.cpp:
(JSC::VM::isInMiniMode): Deleted.
* runtime/VM.h:
(JSC::VM::isInMiniMode):
(JSC::VM::useUnlinkedCodeBlockJettisoning):
2019-06-10 Timothy Hatcher <timothy@apple.com>
Integrate dark mode support for iOS.
https://bugs.webkit.org/show_bug.cgi?id=198687
rdar://problem/51545643
Reviewed by Tim Horton.
* Configurations/FeatureDefines.xcconfig:
2019-06-10 Adrian Perez de Castro <aperez@igalia.com>
[JSC] Linker fails when unified sources are not in use
https://bugs.webkit.org/show_bug.cgi?id=198722
Reviewed by Keith Miller.
Added missing inclusions of headers in several files which make use of inline functions.
* b3/B3AtomicValue.cpp:
* b3/B3BlockInsertionSet.cpp:
* b3/B3FenceValue.cpp:
* b3/B3LowerMacrosAfterOptimizations.cpp:
* b3/B3PureCSE.cpp:
* b3/B3StackmapValue.cpp:
* b3/B3SwitchValue.cpp:
* b3/B3UseCounts.cpp:
* b3/B3VariableValue.cpp:
* b3/B3WasmAddressValue.cpp:
* b3/B3WasmBoundsCheckValue.cpp:
* ftl/FTLCompile.cpp:
* wasm/WasmSectionParser.cpp:
* wasm/WasmTable.cpp:
* wasm/WasmValidate.cpp:
2019-06-10 Keith Miller <keith_miller@apple.com>
Make new Symbol/Promise API public
https://bugs.webkit.org/show_bug.cgi?id=198709
Reviewed by Saam Barati.
We also need to #ifdef some tests when building for older
platforms because the signatures for some methods are outdated on
those platforms.
* API/JSObjectRef.h:
* API/JSObjectRefPrivate.h:
* API/JSValue.h:
* API/JSValuePrivate.h:
* API/JSValueRef.h:
* API/tests/testapi.mm:
(testObjectiveCAPIMain):
2019-06-09 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r246150, r246160, and r246166.
https://bugs.webkit.org/show_bug.cgi?id=198698
Regresses page loading time on iOS 13 (Requested by keith_m__
on #webkit).
Reverted changesets:
"Reenable Gigacage on ARM64."
https://bugs.webkit.org/show_bug.cgi?id=198453
https://trac.webkit.org/changeset/246150
"Unrevied build fix for FTL without Gigacage."
https://trac.webkit.org/changeset/246160
"Fix typo in cageWithoutUntagging"
https://bugs.webkit.org/show_bug.cgi?id=198617
https://trac.webkit.org/changeset/246166
2019-06-09 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use mergePrediction in ValuePow prediction propagation
https://bugs.webkit.org/show_bug.cgi?id=198648
Reviewed by Saam Barati.
We are accidentally using setPrediction. This is wrong since prediction propagation (not processInvariant)
must extend the speculation types to ensure we eventually reach to the fixed point. setPrediction can discard
previously configured predictions, can lead to oscillation potentially. Use mergePrediction instead.
* dfg/DFGPredictionPropagationPhase.cpp:
2019-06-07 Tadeu Zagallo <tzagallo@apple.com>
AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
https://bugs.webkit.org/show_bug.cgi?id=198581
<rdar://problem/51099753>
Reviewed by Saam Barati.
For GetGetterSetterByOffset, when the abstract interpreter fails to read the property
from the object, it gets the GetterSetter structure from the CodeBlock's global object.
However, that's not correct, since the global object for the base object might differ
from the CodeBlock's. Instead, we try to get the global object from the base, when it's
a constant object. Otherwise, we can't infer the value and only set the type.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2019-06-06 Devin Rousso <drousso@apple.com>
Web Inspector: create CommandLineAPIHost lazily like the other agents
https://bugs.webkit.org/show_bug.cgi?id=196047
<rdar://problem/49087835>
Reviewed by Timothy Hatcher.
* inspector/InjectedScriptManager.h:
* inspector/InjectedScriptManager.cpp:
(Inspector::InjectedScriptManager::connect): Added.
2019-06-06 Keith Miller <keith_miller@apple.com>
Fix typo in cageWithoutUntagging
https://bugs.webkit.org/show_bug.cgi?id=198617
Reviewed by Saam Barati.
* assembler/testmasm.cpp:
(JSC::testCagePreservesPACFailureBit):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::cageWithoutUntagging):
(JSC::AssemblyHelpers::cageConditionally):
(JSC::AssemblyHelpers::cageWithoutUntaging): Deleted.
2019-06-06 Alexey Shvayka <shvaikalesh@gmail.com>
JSON.parse throws incorrect exception when called w/o arguments
https://bugs.webkit.org/show_bug.cgi?id=198574
Reviewed by Yusuke Suzuki.
Always coerce first argument to string and attempt to parse it.
(steps 1-2 of https://tc39.github.io/ecma262/#sec-json.parse)
* runtime/JSONObject.cpp:
(JSC::JSONProtoFuncParse): Remove argumentCount check.
2019-06-06 Keith Miller <keith_miller@apple.com>
Unrevied build fix for FTL without Gigacage.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::caged):
2019-06-06 Michael Catanzaro <mcatanzaro@igalia.com>
aarch64: ‘JSC::ARM64Assembler::LinkRecord::<unnamed union>::RealTypes::m_compareRegister’ is too small to hold all values of ‘JSC::ARM64Assembler::RegisterID’ {aka ‘enum JSC::ARM64Registers::RegisterID’}
https://bugs.webkit.org/show_bug.cgi?id=198014
Reviewed by Yusuke Suzuki.
When building for aarch64, there is a huge warning spam here. It's impossible to see any
other warnings. This has been ongoing for so long I've begun to suspect that nobody works
on this architecture.
Anyway, the problem is because we need eight bits to store all possible RegisterID values,
but the bitfield is only six bits wide. Fix it. The COMPILE_ASSERT checking the size of this
struct is still happy, so I presume the change is OK.
* assembler/ARM64Assembler.h:
2019-06-06 Keith Miller <keith_miller@apple.com>
Reenable Gigacage on ARM64.
https://bugs.webkit.org/show_bug.cgi?id=198453
Reviewed by Michael Saboff.
This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the
old Gigacage however, arm64e uses both Gigacaging and PAC. In
order to ensure the PAC bits are not stripped in the caging
process we use the bit field insert instruction to take the low
bits from caging and the high bits from the PAC authentication.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::bitFieldInsert64):
* assembler/MacroAssemblerARM64E.h:
* assembler/testmasm.cpp:
(JSC::testCagePreservesPACFailureBit):
(JSC::run):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::caged):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::cageWithoutUntaging):
(JSC::AssemblyHelpers::cageConditionally):
(JSC::AssemblyHelpers::cage): Deleted.
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/instructions.rb:
* offlineasm/registers.rb:
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::AirIRGenerator::addCallIndirect):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2019-06-06 Michael Saboff <msaboff@apple.com>
[ARM64E]: Add disassembler support for authenticated instructions
https://bugs.webkit.org/show_bug.cgi?id=198562
Reviewed by Keith Miller.
Added support for all the instructions supported in ARM64EAssembler.h.
* disassembler/ARM64/A64DOpcode.cpp:
(JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::format):
(JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::format):
(JSC::ARM64Disassembler::A64DOpcodeHint::format):
(JSC::ARM64Disassembler::A64DOpcodeHint::opName):
(JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::format):
(JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::authOpName):
(JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::format):
* disassembler/ARM64/A64DOpcode.h:
(JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::opNameIndex):
(JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::opName):
(JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::opNum):
(JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::mBit):
(JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::sBit):
(JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::wBit):
(JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::immediate10):
(JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::authOpCode):
(JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op2):
(JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op3):
(JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op4):
(JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::mBit):
(JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::rm):
(JSC::ARM64Disassembler::A64DOpcodeHint::opName): Deleted.
2019-06-05 Justin Michaud <justin_michaud@apple.com>
[WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
https://bugs.webkit.org/show_bug.cgi?id=198398
Reviewed by Saam Barati.
Create a new table subtype called FuncRefTable (note: Anyfunc was renamed to Funcref in the references spec).
Table now write-barriers and visits its children's wrapper objects. FuncRefTable caches some extra data to
support calling from wasm. A JSWebAssemblyTable is required to set an anyref element, but this is only because
we need to write barrier it (so it should not restrict how we implement threads). This patch does, however,
restrict the implementation of function references to require every Ref.func to have an associated wrapper. This
can be done statically, so this too should not restrict our threads implementation.
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::addTableGet):
(JSC::Wasm::AirIRGenerator::addTableSet):
(JSC::Wasm::AirIRGenerator::addCallIndirect):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addLocal):
(JSC::Wasm::B3IRGenerator::addTableGet):
(JSC::Wasm::B3IRGenerator::addTableSet):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmFormat.h:
(JSC::Wasm::TableInformation::TableInformation):
(JSC::Wasm::TableInformation::type const):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
* wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseTableHelper):
* wasm/WasmTable.cpp:
(JSC::Wasm::Table::Table):
(JSC::Wasm::Table::tryCreate):
(JSC::Wasm::Table::grow):
(JSC::Wasm::Table::clear):
(JSC::Wasm::Table::set):
(JSC::Wasm::Table::get):
(JSC::Wasm::Table::visitChildren):
(JSC::Wasm::FuncRefTable::FuncRefTable):
(JSC::Wasm::FuncRefTable::setFunction):
(JSC::Wasm::Table::~Table): Deleted.
(JSC::Wasm::Table::clearFunction): Deleted.
(JSC::Wasm::Table::setFunction): Deleted.
* wasm/WasmTable.h:
(JSC::Wasm::Table::length const):
(JSC::Wasm::Table::type const):
(JSC::Wasm::Table::setOwner):
(JSC::Wasm::FuncRefTable::offsetOfFunctions):
(JSC::Wasm::FuncRefTable::offsetOfInstances):
(JSC::Wasm::Table::offsetOfFunctions): Deleted.
(JSC::Wasm::Table::offsetOfInstances): Deleted.
* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::addTableGet):
(JSC::Wasm::Validate::addTableSet):
(JSC::Wasm::Validate::addCallIndirect):
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::JSWebAssemblyTable):
(JSC::JSWebAssemblyTable::finishCreation):
(JSC::JSWebAssemblyTable::visitChildren):
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::get):
(JSC::JSWebAssemblyTable::set):
(JSC::JSWebAssemblyTable::clear):
(JSC::JSWebAssemblyTable::getFunction): Deleted.
(JSC::JSWebAssemblyTable::clearFunction): Deleted.
(JSC::JSWebAssemblyTable::setFunction): Deleted.
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
(JSC::WebAssemblyModuleRecord::evaluate):
* wasm/js/WebAssemblyTableConstructor.cpp:
(JSC::constructJSWebAssemblyTable):
* wasm/js/WebAssemblyTablePrototype.cpp:
(JSC::webAssemblyTableProtoFuncGet):
(JSC::webAssemblyTableProtoFuncSet):
* wasm/wasm.json:
2019-06-05 Justin Michaud <justin_michaud@apple.com>
WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
https://bugs.webkit.org/show_bug.cgi?id=198106
Reviewed by Saam Barati.
Fix bug caused by using fcsel sX instead of fcsel dX on an f64 value in moveDoubleConditionally32.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::moveDoubleConditionally32):
2019-06-05 Alex Christensen <achristensen@webkit.org>
Progress towards resurrecting Mac CMake build
https://bugs.webkit.org/show_bug.cgi?id=197132
Reviewed by Don Olmstead.
* API/JSScript.mm:
(-[JSScript readCache]):
(-[JSScript sourceCode]):
(-[JSScript jsSourceCode]):
(-[JSScript writeCache:]):
* CMakeLists.txt:
== Rolled over to ChangeLog-2019-06-05 ==