2019-11-08 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Make IsoSubspace scalable
https://bugs.webkit.org/show_bug.cgi?id=201908
Reviewed by Keith Miller.
This patch introduces a lower tier into IsoSubspace so that we can avoid allocating a MarkedBlock
if objects of a certain type are not allocated in large numbers. This optimization allows us to apply IsoSubspace
more aggressively to various types of objects without introducing memory regression even if such a
type of object is allocated so frequently.
We use LargeAllocation for these lower-tier objects. Each IsoSubspace holds up to 8 lower-tier objects
allocated via LargeAllocation. We use this special LargeAllocation when we tend to allocate a small # of cells
for this type. Specifically, what we are doing right now is: (1) first, try to allocate in an existing
MarkedBlock (there won't be one to start); (2) then, try to allocate in a LargeAllocation; and if we cannot
allocate lower-tier objects, (3) finally we allocate a new MarkedBlock. Once this LargeAllocation is allocated
to a certain type, we do not deallocate it until the VM is destroyed, so that we can keep IsoSubspace's
characteristic: once an address is assigned to a certain type, we continue using this address only for this type.
To introduce this optimization, we need to remove a restriction that no callee cells can be a LargeAllocation.
It also turns out that SamplingProfiler's isValueGCObject relies heavily on all callees being small-sized.
isValueGCObject relies on the fact that MarkedSpace::m_largeAllocations is sorted. But this is not true, since
this vector is sorted only when a conservative scan happens. And further, this vector is only partially sorted: we
sort only the eden part of this vector. So we cannot use this vector to implement isValueGCObject in the sampling
profiler. Instead we register the HeapCell address into a hash-set in MarkedSpace. Since we do not need to find a pointer
that is pointing at the middle of the JSCell in the sampling profiler, just registering the cell address is enough. And we
maintain this hash-set only when the sampling profiler is enabled, to save memory in most cases.
We also fix the code that is relying on JSString always being allocated in a MarkedBlock. And we also fix PackedCellPtr's
assumption that CodeBlock is always allocated in a MarkedBlock.
We also make sizeof(LargeAllocation) small since it is now used for non-large allocations.
JetStream2 and Speedometer2 are neutral. RAMification shows 0.6% progression on iOS devices.
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::BlockDirectory):
* heap/BlockDirectory.h:
* heap/BlockDirectoryInlines.h:
(JSC::BlockDirectory::tryAllocateFromLowerTier):
* heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::allocatorForSlow):
(JSC::CompleteSubspace::tryAllocateSlow):
(JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
* heap/Heap.cpp:
(JSC::Heap::dumpHeapStatisticsAtVMDestruction):
(JSC::Heap::addCoreConstraints):
* heap/HeapUtil.h:
(JSC::HeapUtil::isPointerGCObjectJSCell):
(JSC::HeapUtil::isValueGCObject):
* heap/IsoAlignedMemoryAllocator.cpp:
(JSC::IsoAlignedMemoryAllocator::tryAllocateMemory):
(JSC::IsoAlignedMemoryAllocator::freeMemory):
(JSC::IsoAlignedMemoryAllocator::tryReallocateMemory):
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::~IsoCellSet):
* heap/IsoCellSet.h:
* heap/IsoCellSetInlines.h:
(JSC::IsoCellSet::add):
(JSC::IsoCellSet::remove):
(JSC::IsoCellSet::contains const):
(JSC::IsoCellSet::forEachMarkedCell):
(JSC::IsoCellSet::forEachMarkedCellInParallel):
(JSC::IsoCellSet::forEachLiveCell):
(JSC::IsoCellSet::sweepLowerTierCell):
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::IsoSubspace):
(JSC::IsoSubspace::tryAllocateFromLowerTier):
(JSC::IsoSubspace::sweepLowerTierCell):
* heap/IsoSubspace.h:
* heap/LargeAllocation.cpp:
(JSC::LargeAllocation::tryReallocate):
(JSC::LargeAllocation::createForLowerTier):
(JSC::LargeAllocation::reuseForLowerTier):
(JSC::LargeAllocation::LargeAllocation):
* heap/LargeAllocation.h:
(JSC::LargeAllocation::lowerTierIndex const):
(JSC::LargeAllocation::isLowerTier const):
* heap/LocalAllocator.cpp:
(JSC::LocalAllocator::allocateSlowCase):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::Handle):
(JSC::MarkedBlock::Handle::stopAllocating):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::forEachCell):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::freeMemory):
(JSC::MarkedSpace::lastChanceToFinalize):
(JSC::MarkedSpace::sweepLargeAllocations):
(JSC::MarkedSpace::enableLargeAllocationTracking):
* heap/MarkedSpace.h:
(JSC::MarkedSpace:: const):
* heap/PackedCellPtr.h:
(JSC::PackedCellPtr::PackedCellPtr):
* heap/Subspace.h:
* heap/WeakSet.cpp:
(JSC::WeakSet::~WeakSet):
(JSC::WeakSet::findAllocator):
(JSC::WeakSet::addAllocator):
* heap/WeakSet.h:
(JSC::WeakSet::WeakSet):
(JSC::WeakSet::resetAllocator):
(JSC::WeakSet::container const): Deleted.
(JSC::WeakSet::setContainer): Deleted.
* heap/WeakSetInlines.h:
(JSC::WeakSet::allocate):
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::InternalFunction):
* runtime/JSCallee.cpp:
(JSC::JSCallee::JSCallee):
* runtime/JSString.h:
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::SamplingProfiler):
(JSC::SamplingProfiler::processUnverifiedStackTraces):
(JSC::SamplingProfiler::releaseStackTraces):
(JSC::SamplingProfiler::stackTracesAsJSON):
(JSC::SamplingProfiler::reportTopFunctions):
(JSC::SamplingProfiler::reportTopBytecodes):
* runtime/SamplingProfiler.h:
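The three-step allocation order and the "lower-tier slots are never given back" property described in the entry above, as an added toy model (not JSC code; the block/cell sizes, the `toy` namespace and the `runScenario` helper are assumptions made for the illustration):

```cpp
// Added illustration, not JavaScriptCore code: a toy model of IsoSubspace allocation
// after this change: (1) an existing MarkedBlock, (2) a lower-tier LargeAllocation slot
// (up to 8 per subspace), (3) a fresh MarkedBlock. A lower-tier slot, once created, stays
// owned by this subspace, so its address is never recycled for a different type.
#include <array>
#include <cstddef>
#include <optional>
#include <vector>

namespace toy {

constexpr size_t kCellsPerBlock = 4;  // assumption: tiny blocks so the model is easy to follow
constexpr size_t kLowerTierCount = 8; // from the ChangeLog: up to 8 lower-tier objects per IsoSubspace

enum class Tier { MarkedBlock, LowerTier };

struct Cell {
    Tier tier;
    size_t index; // cell index within the subspace (block cells) or slot index (lower tier)
};

class IsoSubspace {
public:
    // Mirrors the three-step order described in the ChangeLog.
    std::optional<Cell> tryAllocate() {
        if (auto c = tryAllocateFromExistingBlock()) return c;
        if (auto c = tryAllocateFromLowerTier()) return c;
        m_blocks.push_back({}); // step (3): a brand-new MarkedBlock
        return tryAllocateFromExistingBlock();
    }
    // Sweeping marks the cell free; a lower-tier slot is kept by this subspace.
    void free(Cell c) {
        if (c.tier == Tier::LowerTier)
            m_lowerTierLive[c.index] = false;
        else
            m_blocks[c.index / kCellsPerBlock][c.index % kCellsPerBlock] = false;
    }
    size_t blockCount() const { return m_blocks.size(); }
    size_t lowerTierCreated() const {
        size_t n = 0;
        for (bool created : m_lowerTierCreated) n += created ? 1 : 0;
        return n;
    }
private:
    std::optional<Cell> tryAllocateFromExistingBlock() {
        for (size_t b = 0; b < m_blocks.size(); ++b)
            for (size_t i = 0; i < kCellsPerBlock; ++i)
                if (!m_blocks[b][i]) {
                    m_blocks[b][i] = true;
                    return Cell { Tier::MarkedBlock, b * kCellsPerBlock + i };
                }
        return std::nullopt;
    }
    std::optional<Cell> tryAllocateFromLowerTier() {
        for (size_t i = 0; i < kLowerTierCount; ++i)
            if (!m_lowerTierLive[i]) {
                m_lowerTierCreated[i] = true; // created once, retained until VM destruction
                m_lowerTierLive[i] = true;
                return Cell { Tier::LowerTier, i };
            }
        return std::nullopt;
    }
    std::vector<std::array<bool, kCellsPerBlock>> m_blocks;
    std::array<bool, kLowerTierCount> m_lowerTierLive {};
    std::array<bool, kLowerTierCount> m_lowerTierCreated {};
};

struct ScenarioResult {
    size_t blocksAfterThree;      // no MarkedBlock yet for a type with only 3 objects
    size_t lowerTierAfterThree;   // those 3 objects live in lower-tier slots
    size_t blocksAfterNine;       // the 9th object forces the first MarkedBlock
    bool freedSlotStaysOwned;     // freeing a lower-tier cell does not release its slot
    Tier tierAfterFree;           // step (1) wins while the block still has room
    Tier tierWhenBlockFull;       // the freed lower-tier slot is reused only once the block is full
};

// Constructed walkthrough of the allocation order; returns observations for checking.
ScenarioResult runScenario() {
    IsoSubspace space;
    std::vector<Cell> cells;
    ScenarioResult r {};
    for (int i = 0; i < 3; ++i) cells.push_back(*space.tryAllocate());
    r.blocksAfterThree = space.blockCount();
    r.lowerTierAfterThree = space.lowerTierCreated();
    for (int i = 3; i < 9; ++i) cells.push_back(*space.tryAllocate());
    r.blocksAfterNine = space.blockCount();
    space.free(cells[0]); // cells[0] is lower-tier slot 0
    r.freedSlotStaysOwned = space.lowerTierCreated() == kLowerTierCount;
    r.tierAfterFree = space.tryAllocate()->tier;      // block cell 1
    space.tryAllocate();                               // block cell 2
    space.tryAllocate();                               // block cell 3: block now full
    r.tierWhenBlockFull = space.tryAllocate()->tier;   // reuses lower-tier slot 0
    return r;
}

} // namespace toy
```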
2019-11-08 Matt Lewis <jlewis3@apple.com>
Unreviewed, rolling out r252229.
This caused internal failures.
Reverted changeset:
"Split ArithProfile into a Unary and a Binary version"
https://bugs.webkit.org/show_bug.cgi?id=202832
https://trac.webkit.org/changeset/252229
2019-11-08 Chris Dumez <cdumez@apple.com>
Make DeferredPromise behave nicely with regards to the back/forward cache
https://bugs.webkit.org/show_bug.cgi?id=203976
Reviewed by Ryosuke Niwa.
Add template parameter to JSC::Strong to indicate that the destructor should grab the JS lock.
Normally, the callers are in charge of grabbing the lock but this is not always feasible.
In particular, in this patch, I capture a JSC::Strong in a lambda. If the document gets destroyed
before the lambda has run, the lambda will get destroyed and it will destroy the captured JSC::Strong
as a result.
* heap/Handle.h:
* heap/Strong.h:
(JSC::Strong::clear):
* heap/StrongInlines.h:
(JSC::shouldStrongDestructorGrabLock>::Strong):
(JSC::shouldStrongDestructorGrabLock>::set):
2019-11-08 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use LinkTimeConstants and make some properties lazy
https://bugs.webkit.org/show_bug.cgi?id=203795
Reviewed by Keith Miller.
This patch makes Map and Set lazily initialized in JSGlobalObject by leveraging link-time-constant. @Set was accessed from
builtin-JS. So we cannot make it lazily-allocated. But now we have link-time-constant mechanism that makes such accesses
lazily-initialized. We use this to make Set lazily-allocated.
And, instead of JSGlobalObject's last sequence of initialization, we initialize watchpoint in MapPrototype::finishCreation
and SetPrototype::finishCreation. This allows us to make Map and Set lazily-allocated. We also refactor NumberPrototype to
align to this model.
* runtime/ArrayPrototype.cpp:
(JSC::speciesWatchpointIsValid):
* runtime/JSGlobalObject.cpp:
(JSC::setupAdaptiveWatchpoint):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
(JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
(JSC::JSGlobalObject::installNumberPrototypeWatchpoint):
(JSC::JSGlobalObject::installMapPrototypeWatchpoint):
(JSC::JSGlobalObject::installSetPrototypeWatchpoint):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::numberProtoToStringFunction const):
(JSC::JSGlobalObject::mapPrototype const):
(JSC::JSGlobalObject::jsSetPrototype const):
(JSC::JSGlobalObject::numberObjectStructure const):
(JSC::JSGlobalObject::mapStructure const): Deleted.
* runtime/MapPrototype.cpp:
(JSC::MapPrototype::finishCreation):
* runtime/NumberPrototype.cpp:
(JSC::NumberPrototype::finishCreation):
* runtime/NumberPrototype.h:
* runtime/SetPrototype.cpp:
(JSC::SetPrototype::finishCreation):
2019-11-08 Mark Lam <mark.lam@apple.com>
Remove invalid assertion in DFG's compileNewArray().
https://bugs.webkit.org/show_bug.cgi?id=204002
<rdar://problem/56973531>
Reviewed by Robin Morisset.
The assertion is in an if clause conditional on !globalObject->isHavingABadTime().
The assertion tests the IndexingType of a structure returned by
arrayStructureForIndexingTypeDuringAllocation().
However, the structures returned by arrayStructureForIndexingTypeDuringAllocation()
may have started transitioning to their SlowPut variant because the mutator will
be imminently firing the HavingABadTime watchpoint, but hasn't done so yet.
In a race, the DFG may see the SlowPut variants of the structures before
isHavingABadTime() returns true. Hence, the assertion is invalid.
Note that the FTL does not have this assertion.
This issue is already tested by stress/racy-slow-put-cloned-arguments-when-having-a-bad-time.js.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewArray):
2019-11-08 Ross Kirsling <ross.kirsling@sony.com>
[PlayStation][JSC] Unreviewed build fix.
* shell/playstation/TestShell.cpp:
2019-11-07 Mark Lam <mark.lam@apple.com>
Add a stack overflow check in Yarr::ByteCompiler::emitDisjunction().
https://bugs.webkit.org/show_bug.cgi?id=203936
<rdar://problem/56624724>
Reviewed by Saam Barati.
Basically, any function below Yarr::ByteCompiler::compile() that recurses needs
to check if it's safe to recurse before doing so. This patch adds the stack
checks in Yarr::ByteCompiler::compile() because it is the entry point to this
sub-system, and Yarr::ByteCompiler::emitDisjunction() because it is the only
function that recurses. All other functions called below compile() are either
leaf functions or have shallow stack usage. Hence, their stack needs are covered
by the DefaultReservedZone, and they do not need stack checks.
This patch also does the following:
1. Added $vm.callWithStackSize() which can be used to call a test function near
the end of the physical stack. This enables us to simulate the smaller stack
size of more resource constrained devices.
$vm.callWithStackSize() uses inline asm to adjust the stack pointer and
does the callback via the JIT probe trampoline.
2. Added the --disableOptionsFreezingForTesting option to the jsc shell to make it
possible to disable freezing of JSC options. $vm.callWithStackSize() relies
on this to modify the VM's stack limits.
3. Removed the inline modifier on VM::updateStackLimits() so that we can call it
from $vm.callWithStackSize() as well. It is not a performance critical
function and is rarely called.
4. Added a JSDollarVMHelper class that other parts of the system can declare as
a friend. This gives $vm a backdoor into the private functions and fields of
classes for its debugging work. In this patch, we're only using it to access
VM::updateVMStackLimits().
* jsc.cpp:
(CommandLine::parseArguments):
* runtime/VM.cpp:
(JSC::VM::updateStackLimits):
* runtime/VM.h:
* tools/JSDollarVM.cpp:
(JSC::JSDollarVMHelper::JSDollarVMHelper):
(JSC::JSDollarVMHelper::vmStackStart):
(JSC::JSDollarVMHelper::vmStackLimit):
(JSC::JSDollarVMHelper::vmSoftStackLimit):
(JSC::JSDollarVMHelper::updateVMStackLimits):
(JSC::callWithStackSizeProbeFunction):
(JSC::functionCallWithStackSize):
(JSC::JSDollarVM::finishCreation):
(IGNORE_WARNINGS_BEGIN): Deleted.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::ByteCompiler::compile):
(JSC::Yarr::ByteCompiler::emitDisjunction):
(JSC::Yarr::ByteCompiler::isSafeToRecurse):
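The guard pattern the entry above describes (check the stack before the only recursive call, with the limit derived from a budget and a reserved zone), as an added stand-alone illustration that is not Yarr's code; the nested-parenthesis walker, the `toy` namespace and the byte budgets are assumptions, and a downward-growing stack is assumed:

```cpp
// Added illustration, not JavaScriptCore code: a recursive pattern walker that refuses to
// recurse once the frame address drops below a soft limit, instead of overflowing the stack.
#include <cstddef>
#include <cstdint>
#include <string>

namespace toy {

// Stack bookkeeping the way a VM keeps it: an origin captured at entry and a limit derived
// from a configurable budget. Assumption: the native stack grows downward.
struct StackLimits {
    uintptr_t origin;
    uintptr_t limit; // lowest address we allow ourselves to touch
};

inline uintptr_t currentStackPosition() {
    volatile char marker = 0; // the address of a local approximates the stack pointer
    return reinterpret_cast<uintptr_t>(&marker);
}

inline StackLimits makeLimits(size_t budgetBytes) {
    uintptr_t origin = currentStackPosition();
    return { origin, origin - budgetBytes };
}

// The isSafeToRecurse() analogue: true while the current frame is above the limit.
inline bool isSafeToRecurse(const StackLimits& limits) {
    return currentStackPosition() >= limits.limit;
}

enum class Status { Ok, TooDeep, Malformed };

struct Result {
    Status status;
    size_t maxDepth; // deepest nesting reached before returning
};

// emitDisjunction() analogue: walks a pattern such as "((a)(b))", recursing on every '('.
// The check happens before the recursive call, never after the fact.
static Status walkGroup(const std::string& pattern, size_t& pos, size_t depth,
                        size_t& maxDepth, const StackLimits& limits) {
    volatile char frame[64]; // give every frame real stack usage so the guard is exercised
    frame[0] = 0;
    if (depth > maxDepth) maxDepth = depth;
    while (pos < pattern.size()) {
        char c = pattern[pos++];
        if (c == '(') {
            if (!isSafeToRecurse(limits)) return Status::TooDeep;
            Status s = walkGroup(pattern, pos, depth + 1, maxDepth, limits);
            if (s != Status::Ok) return s;
        } else if (c == ')') {
            return depth > 0 ? Status::Ok : Status::Malformed;
        }
    }
    return depth == 0 ? Status::Ok : Status::Malformed;
}

// compile() analogue: the sub-system entry point captures the limits once and checks
// them itself before starting the walk.
Result compile(const std::string& pattern, size_t stackBudgetBytes) {
    StackLimits limits = makeLimits(stackBudgetBytes);
    if (!isSafeToRecurse(limits)) return { Status::TooDeep, 0 };
    size_t pos = 0, maxDepth = 0;
    Status s = walkGroup(pattern, pos, 0, maxDepth, limits);
    return { s, maxDepth };
}

// Constructed input: n nested groups around a single character.
std::string deeplyNested(size_t n) {
    return std::string(n, '(') + "a" + std::string(n, ')');
}

} // namespace toy
```

With a 16 KiB budget the 100000-deep pattern is rejected after a few hundred frames, long before the real 8 MiB stack is exhausted, which is the behaviour the reserved-zone check is meant to give.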
2019-11-07 Tadeu Zagallo <tzagallo@apple.com>
Use fewer virtual registers in Wasm LLInt
https://bugs.webkit.org/show_bug.cgi?id=203861
Reviewed by Saam Barati.
Reduce the number of virtual registers in two ways:
- Re-use arguments for result values (e.g. the result of add lhs, rhs should go in lhs, not a new virtual register)
- Re-use the argument register space for return values that should be placed in registers
* bytecode/BytecodeList.rb:
* generator/Wasm.rb:
* llint/WebAssembly.asm:
* wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::callInformationFor):
(JSC::Wasm::LLIntGenerator::addReturn):
(JSC::Wasm::LLIntGenerator::addRefIsNull):
(JSC::Wasm::LLIntGenerator::addTableGet):
(JSC::Wasm::LLIntGenerator::addTableGrow):
(JSC::Wasm::LLIntGenerator::addGrowMemory):
(JSC::Wasm::LLIntGenerator::addSelect):
(JSC::Wasm::LLIntGenerator::load):
2019-11-07 Robin Morisset <rmorisset@apple.com>
Split ArithProfile into a Unary and a Binary version
https://bugs.webkit.org/show_bug.cgi?id=202832
<rdar://problem/56266847>
Reviewed by Keith Miller.
ArithProfile was for a long time only used for add/sub/mul/div, but recently it started being used for negate. And it will soon also have to be used for inc and dec due to BigInt.
So in this patch I make a separate version that only has the data for a single argument, and thus takes half as much memory.
After discussing this change with Phil I realized that the ResultType(s) that were taking space in ArithProfile are not needed: they never change and a copy is already in the bytecode instruction itself.
Removing them allowed shrinking both kinds of ArithProfile to fit in 16 bits (9 and 13 respectively).
I kept the two kinds separate because they may shrink or grow independently in the future.
This also required adding the "orh" instruction to the offline assembler, to set bits in the ArithProfile.
This in turn motivated the addition of "storeh", as on RISC platforms "orh" on a memory location is actually loadh -> orh -> storeh.
* bytecode/ArithProfile.cpp:
(JSC::ArithProfile<BitfieldType>::emitObserveResult):
(JSC::ArithProfile<BitfieldType>::shouldEmitSetDouble const):
(JSC::ArithProfile<BitfieldType>::emitSetDouble const):
(JSC::ArithProfile<BitfieldType>::shouldEmitSetNonNumeric const):
(JSC::ArithProfile<BitfieldType>::shouldEmitSetBigInt const):
(JSC::ArithProfile<BitfieldType>::emitSetNonNumeric const):
(JSC::ArithProfile<BitfieldType>::emitSetBigInt const):
(WTF::printInternal):
* bytecode/ArithProfile.h:
(JSC::ArithProfile::didObserveNonInt32 const):
(JSC::ArithProfile::didObserveDouble const):
(JSC::ArithProfile::didObserveNonNegZeroDouble const):
(JSC::ArithProfile::didObserveNegZeroDouble const):
(JSC::ArithProfile::didObserveNonNumeric const):
(JSC::ArithProfile::didObserveBigInt const):
(JSC::ArithProfile::didObserveInt32Overflow const):
(JSC::ArithProfile::didObserveInt52Overflow const):
(JSC::ArithProfile::setObservedNonNegZeroDouble):
(JSC::ArithProfile::setObservedNegZeroDouble):
(JSC::ArithProfile::setObservedNonNumeric):
(JSC::ArithProfile::setObservedBigInt):
(JSC::ArithProfile::setObservedInt32Overflow):
(JSC::ArithProfile::setObservedInt52Overflow):
(JSC::ArithProfile::observeResult):
(JSC::ArithProfile::addressOfBits const):
(JSC::ArithProfile::bits const):
(JSC::ArithProfile::ArithProfile):
(JSC::ArithProfile::hasBits const):
(JSC::ArithProfile::setBit):
(JSC::UnaryArithProfile::UnaryArithProfile):
(JSC::UnaryArithProfile::observedIntBits):
(JSC::UnaryArithProfile::observedNumberBits):
(JSC::UnaryArithProfile::argObservedType const):
(JSC::UnaryArithProfile::setArgObservedType):
(JSC::UnaryArithProfile::argSawInt32):
(JSC::UnaryArithProfile::argSawNumber):
(JSC::UnaryArithProfile::argSawNonNumber):
(JSC::UnaryArithProfile::observeArg):
(JSC::UnaryArithProfile::isObservedTypeEmpty):
(JSC::BinaryArithProfile::BinaryArithProfile):
(JSC::BinaryArithProfile::observedIntIntBits):
(JSC::BinaryArithProfile::observedNumberIntBits):
(JSC::BinaryArithProfile::observedIntNumberBits):
(JSC::BinaryArithProfile::observedNumberNumberBits):
(JSC::BinaryArithProfile::setLhsObservedType):
(JSC::BinaryArithProfile::setRhsObservedType):
(JSC::BinaryArithProfile::observeLHS):
(JSC::BinaryArithProfile::observeLHSAndRHS):
(JSC::BinaryArithProfile::isObservedTypeEmpty):
* bytecode/BytecodeList.rb:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::addJITAddIC):
(JSC::CodeBlock::addJITMulIC):
(JSC::CodeBlock::addJITSubIC):
(JSC::CodeBlock::addJITNegIC):
(JSC::CodeBlock::binaryArithProfileForBytecodeOffset):
(JSC::CodeBlock::unaryArithProfileForBytecodeOffset):
(JSC::CodeBlock::binaryArithProfileForPC):
(JSC::CodeBlock::unaryArithProfileForPC):
(JSC::CodeBlock::couldTakeSpecialFastCase):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::addMathIC):
* bytecode/Fits.h:
* bytecode/MethodOfGettingAValueProfile.cpp:
(JSC::MethodOfGettingAValueProfile::emitReportValue const):
(JSC::MethodOfGettingAValueProfile::reportValue):
* bytecode/MethodOfGettingAValueProfile.h:
(JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitUnaryOp):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::UnaryOpNode::emitBytecode):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
(JSC::DFG::ByteCodeParser::makeDivSafe):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueAdd):
(JSC::DFG::SpeculativeJIT::compileValueSub):
(JSC::DFG::SpeculativeJIT::compileValueNegate):
(JSC::DFG::SpeculativeJIT::compileValueMul):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
(JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
(JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
(JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
* jit/JIT.h:
* jit/JITAddGenerator.cpp:
(JSC::JITAddGenerator::generateInline):
(JSC::JITAddGenerator::generateFastPath):
* jit/JITAddGenerator.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_negate):
(JSC::JIT::emit_op_add):
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):
(JSC::JIT::emit_op_div):
(JSC::JIT::emit_op_mul):
(JSC::JIT::emit_op_sub):
* jit/JITDivGenerator.cpp:
(JSC::JITDivGenerator::generateFastPath):
* jit/JITDivGenerator.h:
(JSC::JITDivGenerator::JITDivGenerator):
* jit/JITInlines.h:
(JSC::JIT::copiedArithProfile):
* jit/JITMathIC.h:
(JSC::JITMathIC::JITMathIC):
(JSC::JITMathIC::generateInline):
(JSC::JITMathIC::arithProfile const):
(JSC::isBinaryProfileEmpty):
(JSC::JITBinaryMathIC::JITBinaryMathIC):
(JSC::isUnaryProfileEmpty):
(JSC::JITUnaryMathIC::JITUnaryMathIC):
* jit/JITMulGenerator.cpp:
(JSC::JITMulGenerator::generateInline):
(JSC::JITMulGenerator::generateFastPath):
* jit/JITMulGenerator.h:
* jit/JITNegGenerator.cpp:
(JSC::JITNegGenerator::generateInline):
(JSC::JITNegGenerator::generateFastPath):
* jit/JITNegGenerator.h:
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITSubGenerator.cpp:
(JSC::JITSubGenerator::generateInline):
(JSC::JITSubGenerator::generateFastPath):
* jit/JITSubGenerator.h:
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntOffsetsExtractor.cpp:
(JSC::LLIntOffsetsExtractor::dummy):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* parser/ResultType.h:
(JSC::ResultType::ResultType):
* runtime/CommonSlowPaths.cpp:
(JSC::updateArithProfileForUnaryArithOp):
(JSC::updateArithProfileForBinaryArithOp):
(JSC::SLOW_PATH_DECL):
2019-11-07 Tadeu Zagallo <tzagallo@apple.com>
[WebAssembly] Inspector's DebuggerCallFrame should be aware of Wasm frames
https://bugs.webkit.org/show_bug.cgi?id=203925
Reviewed by Mark Lam.
The DebuggerCallFrame checks for CallFrame::codeBlock to determine if the current frame is a
valid JS frame, but since the Wasm interpreter stores the Wasm::FunctionCodeBlock to this slot,
that check is not sufficient. Add an extra check for CalleeBits::isWasm.
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::sourceIDForCallFrame):
2019-11-07 Devin Rousso <drousso@apple.com>
Web Inspector: REGRESSION(r250087): inspector/model/remote-object.html is timing out
https://bugs.webkit.org/show_bug.cgi?id=202934
<rdar://problem/56270900>
Reviewed by Timothy Hatcher.
In r250087, the inspector injected script was changed so that remote objects actually
iterate the keys of an array and generate a property descriptor for each. While this worked
fine (and was performant) for fetching remote objects, this was not efficient when creating
object previews, as that path wouldn't be limited by any sort of `fetchCount`, meaning that
a descriptor for every index would be created even though only the first 10 would be used.
Refactor the inspector injected script code so that both the fetch and preview paths only
examine exactly the number of properties desired instead of considering all of them and then
slicing to fit.
* inspector/InjectedScriptSource.js:
(InjectedScript.prototype._getProperties):
(InjectedScript.prototype._forEachPropertyDescriptor): Added.
(InjectedScript.prototype._forEachPropertyDescriptor.createFakeValueDescriptor): Added.
(InjectedScript.prototype._forEachPropertyDescriptor.processDescriptor): Added.
(InjectedScript.prototype._forEachPropertyDescriptor.processProperty): Added.
(RemoteObject.prototype._generatePreview):
(RemoteObject.prototype._appendPropertyPreview): Added.
(RemoteObject.prototype._appendPropertyPreview.appendPreview): Added.
(InjectedScript.prototype._propertyDescriptors): Deleted.
(InjectedScript.prototype._propertyDescriptors.processProperties): Deleted.
(InjectedScript.prototype._propertyDescriptors.arrayIndexPropertyNames): Deleted.
(RemoteObject.prototype._appendPropertyPreviews): Deleted.
2019-11-07 Alexey Shvayka <shvaikalesh@gmail.com>
[[HasProperty]] result of Proxy in prototype chain is ignored
https://bugs.webkit.org/show_bug.cgi?id=203560
Reviewed by Ross Kirsling.
Before this change, when [[HasProperty]] was called on an ordinary object with a Proxy in its prototype chain,
a falsy result of the Proxy's "has" trap was ignored and the prototype chain was inspected further.
According to the spec, OrdinaryHasProperty unconditionally returns the result of the parent's [[HasProperty]] call.
(step 5.a of https://tc39.es/ecma262/#sec-ordinaryhasproperty)
* runtime/JSObjectInlines.h:
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::getNonIndexPropertySlot):
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::performHasProperty): Walk the prototype chain in performDefaultHasProperty.
2019-11-06 Mark Lam <mark.lam@apple.com>
Remove remnants of support code for an upwards growing stack.
https://bugs.webkit.org/show_bug.cgi?id=203942
Reviewed by Yusuke Suzuki.
* runtime/VM.cpp:
(JSC::VM::updateStackLimits):
(JSC::VM::committedStackByteCount):
* runtime/VM.h:
(JSC::VM::isSafeToRecurse const):
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
* runtime/VMInlines.h:
(JSC::VM::ensureStackCapacityFor):
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2019-11-06 Tadeu Zagallo <tzagallo@apple.com>
[WebAssembly] BBQPlan should retain Wasm::CodeBlock when compiling a single function
https://bugs.webkit.org/show_bug.cgi?id=203924
Reviewed by Filip Pizlo.
* wasm/WasmBBQPlan.h:
2019-11-06 Mark Lam <mark.lam@apple.com>
JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut() should fire its watchpoint as the last step.
https://bugs.webkit.org/show_bug.cgi?id=203867
<rdar://problem/56813514>
Reviewed by Saam Barati.
JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut() should make all
the array structures SlowPut before firing the watchpoint. Otherwise, the
concurrent JIT may think it's grabbing the slow put version of the structure, but
is actually grabbing the non-SlowPut version because it happened to beat the
mutator in a race to read the structure before the mutator makes it SlowPut.
Also removed some assertions in DFGSpeculativeJIT.cpp that are vulnerable to races
between when the mutator makes all array structures SlowPut and when it fires the
HavingABadTime watchpoint. The FTL equivalent did not have these assertions.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCreateRest):
(JSC::DFG::SpeculativeJIT::compileNewArray):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut):
2019-11-06 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r251940.
https://bugs.webkit.org/show_bug.cgi?id=203920
"it introduced test262 failures" (Requested by rkirsling on #webkit).
Reverted changeset:
"[[HasProperty]] result of Proxy in prototype chain is ignored"
https://bugs.webkit.org/show_bug.cgi?id=203560
https://trac.webkit.org/changeset/251940
2019-11-05 Mark Lam <mark.lam@apple.com>
WTF::RunLoop should not depend on isMainThread() idiom.
https://bugs.webkit.org/show_bug.cgi?id=203873
<rdar://problem/56524251>
Reviewed by Saam Barati, Ryosuke Niwa, and Devin Rousso.
* inspector/JSGlobalObjectScriptDebugServer.cpp:
(Inspector::JSGlobalObjectScriptDebugServer::runLoopMode):
* inspector/JSGlobalObjectScriptDebugServer.h:
* inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
(Inspector::RemoteTargetInitializeGlobalQueue):
(Inspector::RemoteConnectionToTarget::setupRunLoop):
(Inspector::RemoteConnectionToTarget::teardownRunLoop):
2019-11-05 Tadeu Zagallo <tzagallo@apple.com>
[WebAssembly] Allow tiering up from LLInt to BBQ
https://bugs.webkit.org/show_bug.cgi?id=203793
Reviewed by Yusuke Suzuki.
Even though the interpreter was overall neutral on throughput, it's still a regression in pathological
cases where massive functions spend too long in the LLInt while compiling the function with OMG. This
patch makes it so that the LLInt can tier up to BBQ from the prologue, while still tiering up to OMG
from loops. This is a huge speed up on the tsf-wasm subtest of JS2:
# BBQ -> OMG
Startup: 100.680
Runtime: 1.852
Score: 13.654
# LLInt -> OMG
Startup: 378.205
Runtime: 1.291
Score: 22.082
# LLInt -> BBQ -> OMG
Startup: 405.983
Runtime: 2.311
Score: 30.623
* runtime/Options.cpp:
(JSC::overrideDefaults):
* runtime/OptionsList.h:
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::BBQPlan):
(JSC::Wasm::BBQPlan::work):
(JSC::Wasm::BBQPlan::compileFunction):
* wasm/WasmEntryPlan.cpp:
(JSC::Wasm::EntryPlan::EntryPlan):
* wasm/WasmEntryPlan.h:
* wasm/WasmLLIntTierUpCounter.h:
(JSC::Wasm::LLIntTierUpCounter::optimizeAfterWarmUp):
(JSC::Wasm::LLIntTierUpCounter::optimizeSoon):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmSlowPaths.cpp:
(JSC::LLInt::jitCompileAndSetHeuristics):
2019-11-04 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Introduce LinkTimeConstant mechanism
https://bugs.webkit.org/show_bug.cgi?id=153792
Reviewed by Saam Barati.
We are using private-name-variables of JSGlobalObject as a way to access constants that are materialized per JSGlobalObject.
And we also have special-pointers and old link-time-constants to access per-JSGlobalObject constants.
We have bytecode intrinsic constants, but they are only available for per-VM values.
However, these ones have multiple problems.
1. private-name-variables are too costly. We need to have an entry in JSGlobalObject's variables, which makes the SymbolTable of JSGlobalObject large.
It also requires a WatchpointSet to make it constant-fold in DFG. And accessing these variables from builtin JS takes op_resolve_scope and op_get_from_scope,
enlarging bytecode and being slow in the interpreter and baseline compared to just getting them as a constant register.
2. special-pointers are tailored to the op_jne_ptr opcode, and not usable in other bytecode since this is completely separate from VirtualRegister.
3. The old link-time-constants implementation puts an array of all link-time-constants on each UnlinkedCodeBlock, even if it is not used. If you increase the # of
link-time-constants, it increases sizeof(UnlinkedCodeBlock).
In this patch, we introduce a new link-time-constant mechanism and mostly remove the above old ones. (private-name-variables still exist for WebCore and @assert).
We manage link-time-constants in BytecodeIntrinsicRegistry, and emit an Int32:LinkTimeConstantID constant when generating an UnlinkedCodeBlock. Later, this constant
is replaced with an actual value when we link the UnlinkedCodeBlock to a CodeBlock with a specific JSGlobalObject. private-name-variables accesses are now converted to
a constant register so that it is very efficiently accessed, and it reduces the memory used for SymbolTable and WatchpointSet. op_jne_ptr takes link-time-constant
VirtualRegisters instead of special-pointers, so that we can remove the special-pointers mechanism. We also replace the old link-time-constants with the new one, which reduces
sizeof(UnlinkedCodeBlock).
Furthermore, the new link-time-constant supports lazy initialization by using LazyProperty in JSGlobalObject. This allows us to lazily generate many internal functions
that were previously initialized eagerly. This reduces the # of allocated JSFunctions significantly when initializing JSGlobalObject.
This patch also manually adds 256 to MarkedSpace's size-classes. We empirically know that adding 256 here makes the sequence of size-classes better for memory consumption.
But this was achieved by adding `sizeof(UnlinkedFunctionCodeBlock)`. Now sizeof(UnlinkedFunctionCodeBlock) is changed by this patch, and this patch unintentionally
breaks that sequence. We should explicitly add 256 instead of adding sizeof(UnlinkedFunctionCodeBlock) ad hoc.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Scripts/wkbuiltins/builtins_generate_combined_header.py:
(generate_section_for_global_private_code_name_macro):
* Sources.txt:
* builtins/BuiltinNames.h:
* builtins/PromiseConstructor.js:
(nakedConstructor.Promise):
(nakedConstructor.InternalPromise):
(nakedConstructor.Promise.reject): Deleted.
(nakedConstructor.InternalPromise.reject): Deleted.
* bytecode/BytecodeDumper.cpp:
(JSC::CodeBlockBytecodeDumper<Block>::dumpConstants):
* bytecode/BytecodeIntrinsicRegistry.cpp:
(JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
(JSC::BytecodeIntrinsicRegistry::lookup const):
* bytecode/BytecodeIntrinsicRegistry.h:
(JSC::BytecodeIntrinsicRegistry::Entry::Entry):
(JSC::BytecodeIntrinsicRegistry::Entry::type const):
(JSC::BytecodeIntrinsicRegistry::Entry::linkTimeConstant const):
(JSC::BytecodeIntrinsicRegistry::Entry::emitter const):
* bytecode/BytecodeList.rb:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::setConstantRegisters):
* bytecode/Fits.h:
* bytecode/LinkTimeConstant.cpp: Renamed from Source/JavaScriptCore/bytecode/SpecialPointer.h.
(WTF::printInternal):
* bytecode/LinkTimeConstant.h: Added.
* bytecode/SpecialPointer.cpp: Removed.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::addConstant):
(JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
(JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
(JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
(JSC::BytecodeGenerator::emitCallDefineProperty):
(JSC::BytecodeGenerator::emitGetAsyncIterator):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ImportNode::emitBytecode):
(JSC::BytecodeIntrinsicNode::emitBytecode):
(JSC::promiseInternalFieldIndex):
(JSC::generatorInternalFieldIndex):
(JSC::asyncGeneratorInternalFieldIndex):
(JSC::FunctionNode::emitBytecode):
(JSC::ObjectPatternNode::bindValue const):
(JSC::ObjectSpreadExpressionNode::emitBytecode):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* heap/MarkedSpace.cpp:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_jneq_ptr):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_jneq_ptr):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createResolve):
(JSC::ASTBuilder::makeFunctionCallNode):
* parser/NodeConstructors.h:
(JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
* parser/Nodes.h:
* runtime/CachedTypes.cpp:
(JSC::CachedCodeBlock<CodeBlockType>::decode const):
(JSC::CachedCodeBlock<CodeBlockType>::encode):
* runtime/JSCJSValue.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::linkTimeConstant const):
(JSC::JSGlobalObject::callFunction const): Deleted.
(JSC::JSGlobalObject::applyFunction const): Deleted.
(JSC::JSGlobalObject::throwTypeErrorFunction const): Deleted.
(JSC::JSGlobalObject::newPromiseCapabilityFunction const): Deleted.
(JSC::JSGlobalObject::resolvePromiseFunction const): Deleted.
(JSC::JSGlobalObject::rejectPromiseFunction const): Deleted.
(JSC::JSGlobalObject::promiseProtoThenFunction const): Deleted.
(JSC::JSGlobalObject::regExpProtoExecFunction const): Deleted.
(JSC::JSGlobalObject::regExpProtoGlobalGetter const): Deleted.
(JSC::JSGlobalObject::regExpProtoUnicodeGetter const): Deleted.
(JSC::JSGlobalObject::actualPointerFor): Deleted.
(JSC::JSGlobalObject::jsCellForLinkTimeConstant): Deleted.
* runtime/JSGlobalObjectInlines.h:
(JSC::JSGlobalObject::throwTypeErrorFunction const):
(JSC::JSGlobalObject::newPromiseCapabilityFunction const):
(JSC::JSGlobalObject::resolvePromiseFunction const):
(JSC::JSGlobalObject::rejectPromiseFunction const):
(JSC::JSGlobalObject::promiseProtoThenFunction const):
(JSC::JSGlobalObject::regExpProtoExecFunction const):
(JSC::JSGlobalObject::regExpProtoGlobalGetter const):
(JSC::JSGlobalObject::regExpProtoUnicodeGetter const):
2019-11-04 Ross Kirsling <ross.kirsling@sony.com>
Unreviewed fix for non-unified build.
* jit/JITOperations.cpp:
* runtime/CommonSlowPaths.cpp:
Add missing includes.
2019-11-04 Saam Barati <sbarati@apple.com>
Don't use memmove/memcpy/memset for memory that can be scanned concurrently
https://bugs.webkit.org/show_bug.cgi?id=203228
<rdar://problem/56401852>
Reviewed by Robin Morisset.
We had code inside various places of the runtime which would call into system
memcpy/memmove/memset when updating a live butterfly. This means that the
concurrent collector could be scanning such butterflies while a memcpy/memmove/memset
was running. Those functions don't guarantee anything about the minimum
alignment of the stores they do. And implementations for them frequently have
byte copy loops for low byte copy counts. This led to us seeing torn JSValues
inside the concurrent collector during Array.prototype.splice. This patch
introduces new functions for doing memcpy/memmove/memset for data structures
which may be concurrently scanned. The loops are written using inline assembly
for gcc compatible compilers on 64 bit platforms. The inline assembly
ensures we never write to memory using instructions that store fewer
than 8 bytes. On other platforms, we just use a volatile pointer to
ensure the compiler doesn't turn the loop into a function call or a
series of stores which may be smaller than 8 bytes.
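The whole-slot store discipline described above, shown as an added example in the portable volatile-pointer style (this is not JavaScriptCore's GCMemoryOperations.h; the `gcsafe::` names and the self-check are assumed here):

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Added example (not JSC's gcSafeMemcpy/gcSafeMemmove/gcSafeZeroMemory):
// every store into memory that a concurrent marker may read is a full
// 8-byte write through a volatile pointer. The compiler may not split or
// merge these stores or replace the loop with a memcpy/memset call, so a
// scanner on another thread never sees a half-written 64-bit slot (a torn
// value). This relies on aligned 8-byte stores being single-copy atomic on
// the platform, which is the assumption the real inline-assembly version
// makes explicit.

namespace gcsafe {

// Shared precondition: region is 8-byte aligned and a whole number of
// 8-byte slots long, so no tail would ever need a narrower store.
inline void checkSlotAligned(const void* p, size_t bytes)
{
    assert(reinterpret_cast<uintptr_t>(p) % sizeof(uint64_t) == 0);
    assert(bytes % sizeof(uint64_t) == 0);
}

// Forward copy of non-overlapping regions, one 64-bit slot per store.
inline void memcpy64(void* dst, const void* src, size_t bytes)
{
    checkSlotAligned(dst, bytes);
    checkSlotAligned(src, bytes);
    volatile uint64_t* d = static_cast<volatile uint64_t*>(dst);
    const volatile uint64_t* s = static_cast<const volatile uint64_t*>(src);
    for (size_t i = 0; i < bytes / sizeof(uint64_t); ++i)
        d[i] = s[i];
}

// Overlap-safe move (the shift/unshift/splice case). When dst lies above
// src inside the same region a forward loop would clobber slots before
// reading them, so copy backwards; otherwise copy forwards. Both
// directions still perform only whole-slot stores.
inline void memmove64(void* dst, const void* src, size_t bytes)
{
    checkSlotAligned(dst, bytes);
    checkSlotAligned(src, bytes);
    volatile uint64_t* d = static_cast<volatile uint64_t*>(dst);
    const volatile uint64_t* s = static_cast<const volatile uint64_t*>(src);
    size_t n = bytes / sizeof(uint64_t);
    if (reinterpret_cast<uintptr_t>(dst) > reinterpret_cast<uintptr_t>(src)) {
        for (size_t i = n; i > 0; --i)
            d[i - 1] = s[i - 1];
    } else {
        for (size_t i = 0; i < n; ++i)
            d[i] = s[i];
    }
}

// Zero a region slot by slot instead of calling memset.
inline void zero64(void* dst, size_t bytes)
{
    checkSlotAligned(dst, bytes);
    volatile uint64_t* d = static_cast<volatile uint64_t*>(dst);
    for (size_t i = 0; i < bytes / sizeof(uint64_t); ++i)
        d[i] = 0;
}

} // namespace gcsafe

// Constructed self-check: shift a buffer of 64-bit slots in both
// directions, then copy and clear, and confirm the result is byte-for-byte
// what the C library routines would have produced.
bool gcSafeOperationsMatchStdlib()
{
    std::vector<uint64_t> a(16), b(16);
    for (size_t i = 0; i < a.size(); ++i)
        a[i] = b[i] = 0x1122334455667700ull + i;

    // Slots 2..9 down by one (dst < src), then slots 4..11 up by two (dst > src).
    gcsafe::memmove64(&a[1], &a[2], 8 * sizeof(uint64_t));
    std::memmove(&b[1], &b[2], 8 * sizeof(uint64_t));
    gcsafe::memmove64(&a[6], &a[4], 8 * sizeof(uint64_t));
    std::memmove(&b[6], &b[4], 8 * sizeof(uint64_t));

    // Copy into fresh buffers, then clear the first four slots.
    std::vector<uint64_t> c(16), d(16);
    gcsafe::memcpy64(c.data(), a.data(), 16 * sizeof(uint64_t));
    std::memcpy(d.data(), b.data(), 16 * sizeof(uint64_t));
    gcsafe::zero64(c.data(), 4 * sizeof(uint64_t));
    std::memset(d.data(), 0, 4 * sizeof(uint64_t));

    return a == b && c == d;
}
```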
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/GCMemoryOperations.h: Added.
(JSC::gcSafeMemcpy):
(JSC::gcSafeMemmove):
(JSC::gcSafeZeroMemory):
* heap/Heap.h:
* runtime/ArrayConventions.cpp:
(JSC::clearArrayMemset):
* runtime/ArrayPrototype.cpp:
(JSC::copyElements):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::createOrGrowPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::reallocArrayRightIfPossible):
(JSC::Butterfly::resizeArray):
(JSC::Butterfly::unshift):
(JSC::Butterfly::shift):
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::fastSlice):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::convertFromCopyOnWrite):
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/JSObject.h:
* runtime/RegExpMatchesArray.h:
(JSC::createRegExpMatchesArray):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
2019-11-04 Truitt Savell <tsavell@apple.com>
Unreviewed, rolling out r252015.
Broke the Windows build
Reverted changeset:
"Split ArithProfile into a Unary and a Binary version"
https://bugs.webkit.org/show_bug.cgi?id=202832
https://trac.webkit.org/changeset/252015
2019-11-04 Alexey Shvayka <shvaikalesh@gmail.com>
[[Set]] isn't correct with respect to the spec and Proxy
https://bugs.webkit.org/show_bug.cgi?id=155012
Reviewed by Saam Barati.
This patch merely removes a FIXME comment, as JavaScriptCore already has a correct
implementation of ordinary [[Set]]. In step 2.b of https://tc39.es/ecma262/#sec-ordinarysetwithowndescriptor,
if `parent` is a Proxy, the algorithm returns the result of the Proxy's [[Set]] method call.
It is up to the author of "set" trap (if any) to consult the prototype chain.
All browsers pass https://test262.report/browse/built-ins/Proxy/set/call-parameters-prototype.js,
which asserts that no traps besides "set" are invoked on Proxies in prototype chain during [[Set]].
* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):
2019-11-04 Robin Morisset <rmorisset@apple.com>
Split ArithProfile into a Unary and a Binary version
https://bugs.webkit.org/show_bug.cgi?id=202832
<rdar://problem/56266847>
Reviewed by Keith Miller.
ArithProfile was for a long time only used for add/sub/mul/div, but recently it started being used for negate. And it will soon also have to be used for inc and dec due to BigInt.
So in this patch I make a separate version that only has the data for a single argument, and thus takes half as much memory.
After discussing this change with Phil I realized that the ResultType(s) that were taking space in ArithProfile are not needed: they never change and a copy is already in the bytecode instruction itself.
Removing them allowed shrinking both kinds of ArithProfile to fit in 16 bits (9 and 13 respectively).
I kept the two kinds separate because they may shrink or grow independently in the future.
This also required adding the "orh" instruction to the offline assembler, to set bits in the ArithProfile.
This in turn motivated the addition of "storeh", as on RISC platforms "orh" on a memory location is actually loadh -> orh -> storeh.
* bytecode/ArithProfile.cpp:
(JSC::ArithProfile<BitfieldType>::emitObserveResult):
(JSC::ArithProfile<BitfieldType>::shouldEmitSetDouble const):
(JSC::ArithProfile<BitfieldType>::emitSetDouble const):
(JSC::ArithProfile<BitfieldType>::shouldEmitSetNonNumeric const):
(JSC::ArithProfile<BitfieldType>::shouldEmitSetBigInt const):
(JSC::ArithProfile<BitfieldType>::emitSetNonNumeric const):
(JSC::ArithProfile<BitfieldType>::emitSetBigInt const):
(WTF::printInternal):
* bytecode/ArithProfile.h:
(JSC::ArithProfile::didObserveNonInt32 const):
(JSC::ArithProfile::didObserveDouble const):
(JSC::ArithProfile::didObserveNonNegZeroDouble const):
(JSC::ArithProfile::didObserveNegZeroDouble const):
(JSC::ArithProfile::didObserveNonNumeric const):
(JSC::ArithProfile::didObserveBigInt const):
(JSC::ArithProfile::didObserveInt32Overflow const):
(JSC::ArithProfile::didObserveInt52Overflow const):
(JSC::ArithProfile::setObservedNonNegZeroDouble):
(JSC::ArithProfile::setObservedNegZeroDouble):
(JSC::ArithProfile::setObservedNonNumeric):
(JSC::ArithProfile::setObservedBigInt):
(JSC::ArithProfile::setObservedInt32Overflow):
(JSC::ArithProfile::setObservedInt52Overflow):
(JSC::ArithProfile::observeResult):
(JSC::ArithProfile::addressOfBits const):
(JSC::ArithProfile::bits const):
(JSC::ArithProfile::ArithProfile):
(JSC::ArithProfile::hasBits const):
(JSC::ArithProfile::setBit):
(JSC::UnaryArithProfile::UnaryArithProfile):
(JSC::UnaryArithProfile::observedIntBits):
(JSC::UnaryArithProfile::observedNumberBits):
(JSC::UnaryArithProfile::argObservedType const):
(JSC::UnaryArithProfile::setArgObservedType):
(JSC::UnaryArithProfile::argSawInt32):
(JSC::UnaryArithProfile::argSawNumber):
(JSC::UnaryArithProfile::argSawNonNumber):
(JSC::UnaryArithProfile::observeArg):
(JSC::UnaryArithProfile::isObservedTypeEmpty):
(JSC::BinaryArithProfile::BinaryArithProfile):
(JSC::BinaryArithProfile::observedIntIntBits):
(JSC::BinaryArithProfile::observedNumberIntBits):
(JSC::BinaryArithProfile::observedIntNumberBits):
(JSC::BinaryArithProfile::observedNumberNumberBits):
(JSC::BinaryArithProfile::setLhsObservedType):
(JSC::BinaryArithProfile::setRhsObservedType):
(JSC::BinaryArithProfile::observeLHS):
(JSC::BinaryArithProfile::observeLHSAndRHS):
(JSC::BinaryArithProfile::isObservedTypeEmpty):
* bytecode/BytecodeList.rb:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::addJITAddIC):
(JSC::CodeBlock::addJITMulIC):
(JSC::CodeBlock::addJITSubIC):
(JSC::CodeBlock::addJITNegIC):
(JSC::CodeBlock::binaryArithProfileForBytecodeOffset):
(JSC::CodeBlock::unaryArithProfileForBytecodeOffset):
(JSC::CodeBlock::binaryArithProfileForPC):
(JSC::CodeBlock::unaryArithProfileForPC):
(JSC::CodeBlock::couldTakeSpecialFastCase):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::addMathIC):
* bytecode/Fits.h:
* bytecode/MethodOfGettingAValueProfile.cpp:
(JSC::MethodOfGettingAValueProfile::emitReportValue const):
(JSC::MethodOfGettingAValueProfile::reportValue):
* bytecode/MethodOfGettingAValueProfile.h:
(JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitUnaryOp):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::UnaryOpNode::emitBytecode):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
(JSC::DFG::ByteCodeParser::makeDivSafe):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueAdd):
(JSC::DFG::SpeculativeJIT::compileValueSub):
(JSC::DFG::SpeculativeJIT::compileValueNegate):
(JSC::DFG::SpeculativeJIT::compileValueMul):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
(JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
(JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
(JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
* jit/JIT.h:
* jit/JITAddGenerator.cpp:
(JSC::JITAddGenerator::generateInline):
(JSC::JITAddGenerator::generateFastPath):
* jit/JITAddGenerator.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_negate):
(JSC::JIT::emit_op_add):
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):
(JSC::JIT::emit_op_div):
(JSC::JIT::emit_op_mul):
(JSC::JIT::emit_op_sub):
* jit/JITDivGenerator.cpp:
(JSC::JITDivGenerator::generateFastPath):
* jit/JITDivGenerator.h:
(JSC::JITDivGenerator::JITDivGenerator):
* jit/JITInlines.h:
(JSC::JIT::copiedArithProfile):
* jit/JITMathIC.h:
(JSC::JITMathIC::JITMathIC):
(JSC::JITMathIC::generateInline):
(JSC::JITMathIC::arithProfile const):
(JSC::isBinaryProfileEmpty):
(JSC::JITBinaryMathIC::JITBinaryMathIC):
(JSC::isUnaryProfileEmpty):
(JSC::JITUnaryMathIC::JITUnaryMathIC):
* jit/JITMulGenerator.cpp:
(JSC::JITMulGenerator::generateInline):
(JSC::JITMulGenerator::generateFastPath):
* jit/JITMulGenerator.h:
* jit/JITNegGenerator.cpp:
(JSC::JITNegGenerator::generateInline):
(JSC::JITNegGenerator::generateFastPath):
* jit/JITNegGenerator.h:
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITSubGenerator.cpp:
(JSC::JITSubGenerator::generateInline):
(JSC::JITSubGenerator::generateFastPath):
* jit/JITSubGenerator.h:
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntOffsetsExtractor.cpp:
(JSC::LLIntOffsetsExtractor::dummy):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* parser/ResultType.h:
(JSC::ResultType::ResultType):
* runtime/CommonSlowPaths.cpp:
(JSC::updateArithProfileForUnaryArithOp):
(JSC::updateArithProfileForBinaryArithOp):
(JSC::SLOW_PATH_DECL):
2019-11-04 Mark Lam <mark.lam@apple.com>
Suppress ASAN in SamplingProfiler's FrameWalker::resetAtMachineFrame().
https://bugs.webkit.org/show_bug.cgi?id=203819
<rdar://problem/56840002>
Reviewed by Saam Barati.
* runtime/SamplingProfiler.cpp:
(JSC::FrameWalker::resetAtMachineFrame):
2019-11-03 Tadeu Zagallo <tzagallo@apple.com>
LLIntGenerator should not allocate temporaries in between variables
https://bugs.webkit.org/show_bug.cgi?id=203787
Reviewed by Yusuke Suzuki.
The BytecodeGenerator requires that all variables must be allocated contiguously, before any
temporaries are allocated. Currently, we might end up allocating a temporary to materialize
the null constant to initialize locals of type Anyref/Funcref. Fix it by keeping track of the
locals that need to be initialized and adding a new callback to notify when we have finished
parsing locals. Only then do we perform the delayed initialization of local refs.
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::didFinishParsingLocals):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::didFinishParsingLocals):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parse):
* wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::addLocal):
(JSC::Wasm::LLIntGenerator::didFinishParsingLocals):
* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::didFinishParsingLocals):
2019-11-02 Alexey Proskuryakov <ap@apple.com>
Revert http://trac.webkit.org/r251875
Don't use memmove/memcpy/memset for memory that can be scanned concurrently
This is suspected to have broken performance tests on iOS.
Also reverted http://trac.webkit.org/r251909, because that was necessary for a clean revert.
gcSafeMemmove references undefined slowPathBackwardsMemmove on non-gcc compatible compilers
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/GCMemoryOperations.h: Removed.
* heap/Heap.h:
* runtime/ArrayConventions.cpp:
(JSC::clearArrayMemset):
* runtime/ArrayPrototype.cpp:
(JSC::copyElements):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::createOrGrowPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::reallocArrayRightIfPossible):
(JSC::Butterfly::resizeArray):
(JSC::Butterfly::unshift):
(JSC::Butterfly::shift):
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::fastSlice):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::convertFromCopyOnWrite):
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/JSObject.h:
* runtime/RegExpMatchesArray.h:
(JSC::createRegExpMatchesArray):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
2019-11-02 Robin Morisset <rmorisset@apple.com>
The offline assembler is wrong about which immediates are supported by and/or/xor on ARM64
https://bugs.webkit.org/show_bug.cgi?id=203752
Reviewed by Tadeu Zagallo.
See https://dinfuehr.github.io/blog/encoding-of-immediate-values-on-aarch64/ for the details of which immediates are supported.
This patch is a minimal fix; ideally we should refactor all of the code dealing with immediates in risc.rb, but considering that I don't know Ruby and this code is poorly/not tested, I went for the simplest possible fix.
* offlineasm/arm64.rb:
* offlineasm/mips.rb:
* offlineasm/risc.rb:
2019-11-02 Devin Rousso <drousso@apple.com>
Web Inspector: Add diagnostic logging for frontend feature usage
https://bugs.webkit.org/show_bug.cgi?id=203579
<rdar://problem/56717410>
Reviewed by Brian Burg.
Original patch by Matt Baker <mattbaker@apple.com>.
* Configurations/FeatureDefines.xcconfig:
Add `ENABLE_INSPECTOR_TELEMETRY`, which is only enabled for macOS.
2019-11-01 Devin Rousso <drousso@apple.com>
Web Inspector: Timelines: add a timeline that shows information about any recorded CSS animation/transition
https://bugs.webkit.org/show_bug.cgi?id=203651
<rdar://problem/56128726>
Reviewed by Brian Burg.
Unlike all other forms of Web Animations, CSS animations/transitions are _not_ created by
JavaScript, and therefore can seemingly appear out of nowhere. This patch expands the Media
timeline to be the Media & Animations timeline, which tracks when CSS animations/transitions
are created, started, delayed, iterated, canceled, or finished.
* CMakeLists.txt:
* DerivedSources-input.xcfilelist:
* DerivedSources.make:
* inspector/protocol/Animation.json: Added.
* inspector/protocol/Timeline.json:
Add an Animation domain for handling the tracking of CSS Web Animations.
2019-11-01 Saam Barati <sbarati@apple.com>
Refactor uses of StructureStubInfo 'thisGPR' to a union for thisGPR and prototypeGPR
https://bugs.webkit.org/show_bug.cgi?id=203693
Reviewed by Mark Lam and Yusuke Suzuki.
I'm going to be adding a third overload for this field when making
GetByVal inline caching part of StructureStubInfo. It's nicer for
each use case of this field to use it by the proper name.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* bytecode/PolymorphicAccess.h:
(JSC::AccessGenerationState::AccessGenerationState):
* bytecode/StructureStubInfo.h:
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
(JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
2019-11-01 Alexey Shvayka <shvaikalesh@gmail.com>
[[HasProperty]] result of Proxy in prototype chain is ignored
https://bugs.webkit.org/show_bug.cgi?id=203560
Reviewed by Ross Kirsling.
Before this change, when [[HasProperty]] was called on an ordinary object with a Proxy in its prototype chain,
a falsy result of the Proxy's "has" trap was ignored and the prototype chain was inspected further.
According to the spec, OrdinaryHasProperty unconditionally returns the result of the parent's [[HasProperty]] call.
(step 5.a of https://tc39.es/ecma262/#sec-ordinaryhasproperty)
* runtime/JSObjectInlines.h:
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::getNonIndexPropertySlot):
2019-10-31 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, speculative GTK build fix r251886
https://bugs.webkit.org/show_bug.cgi?id=203703
* wasm/WasmSlowPaths.h:
2019-10-31 Tadeu Zagallo <tzagallo@apple.com>
Fix GTK build after r251886
https://bugs.webkit.org/show_bug.cgi?id=203703
Reviewed by Yusuke Suzuki.
slow_path_wasm_throw_exception was missing `extern "C"` in the implementation file.
* wasm/WasmSlowPaths.cpp:
(JSC::LLInt::slow_path_wasm_throw_exception):
2019-10-31 Tadeu Zagallo <tzagallo@apple.com>
gcSafeMemmove references undefined slowPathBackwardsMemmove on non-gcc compatible compilers
https://bugs.webkit.org/show_bug.cgi?id=203721
Reviewed by Fujii Hironori.
* heap/GCMemoryOperations.h:
(JSC::gcSafeMemmove):
2019-10-31 Tadeu Zagallo <tzagallo@apple.com>
Fix build when WTF_CPU_NEEDS_ALIGNED_ACCESS=1 after r251886
https://bugs.webkit.org/show_bug.cgi?id=203718
Reviewed by Yusuke Suzuki.
* bytecompiler/BytecodeGeneratorBaseInlines.h:
(JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode16):
(JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode32):
2019-10-31 Tadeu Zagallo <tzagallo@apple.com>
offlineasm should emit the suffixes for floating point instructions on Windows x86
https://bugs.webkit.org/show_bug.cgi?id=203720
Reviewed by Yusuke Suzuki.
* offlineasm/x86.rb:
2019-10-31 Tadeu Zagallo <tzagallo@apple.com>
Disable Wasm interpreter on WinCairo
https://bugs.webkit.org/show_bug.cgi?id=203705
Reviewed by Yusuke Suzuki.
The interpreter does not build on WinCairo.
* llint/LowLevelInterpreter.asm:
2019-10-31 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Remove metadata(CallFrame*) accessor
https://bugs.webkit.org/show_bug.cgi?id=203712
Reviewed by Tadeu Zagallo.
We should pass CodeBlock* explicitly to remove unnecessary use of CallFrame*, which is very error-prone.
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareCatchOSREntry):
* dfg/DFGOSREntry.h:
* generator/Metadata.rb:
* jit/JITOperations.cpp:
2019-10-31 Tadeu Zagallo <tzagallo@apple.com>
Unreviewed, fix LowLevelInterpreter32_64.asm after r251886
https://bugs.webkit.org/show_bug.cgi?id=194257
ci2d was renamed to ci2ds and I also missed LowLevelInterpreter32_64.asm
* llint/LowLevelInterpreter32_64.asm:
2019-10-31 Tadeu Zagallo <tzagallo@apple.com>
Unreviewed, fix cloop builds after r251886
https://bugs.webkit.org/show_bug.cgi?id=194257
ci2d was renamed to ci2ds, but I missed cloop.rb, arm.rb and mips.rb
* offlineasm/arm.rb:
* offlineasm/cloop.rb:
* offlineasm/mips.rb:
2019-10-31 Tadeu Zagallo <tzagallo@apple.com>
[WebAssembly] Create a Wasm interpreter
https://bugs.webkit.org/show_bug.cgi?id=194257
<rdar://problem/44186794>
Reviewed by Saam Barati.
Add an interpreter tier to WebAssembly which reuses the LLInt infrastructure. The interpreter
currently tiers up straight to OMG and can OSR enter at the prologue and from loops. The initial
implementation of the interpreter is very naive, but despite the lack of optimizations it still
shows a 2x improvement on the WebAssembly subtests in JetStream2 and 2x improvement on the
PSPDFKit benchmark. It reduces "compilation" times by ~3x and it's neutral on throughput.
The interpreter follows the same calling conventions as BBQ/OMG, which means that:
- We have to allocate locals for all argument registers and write all argument registers to the
stack in the prologue.
- Calls have to allocate space for at least as many arguments as the number of argument registers.
Before each call, all argument registers must be loaded from the stack, and after we return from
the call, all registers must be stored back to the stack, in case they contain return values. We
carefully lay out the stack so that the arguments that would already have to be passed on the stack
end up in the right place. The stack layout for calls is:
[ gprs ][ fprs ][ optional stack arguments ][ callee frame ]
^ sp
- The return opcode has to load all registers from the stack, since they might need to contain
results of the function.
- The calling convention requires that the callee should store itself in the callee slot of the call
frame, which is impossible in the interpreter, since the code we execute is the same for all callees.
In order to work around that, we generate an entry thunk to the wasm interpreter for each function.
All this thunk does is store the callee in the call frame and tail call the interpreter.
* CMakeLists.txt:
* DerivedSources-input.xcfilelist:
* DerivedSources-output.xcfilelist:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::constantName const):
(JSC::BytecodeDumper<Block>::dumpValue):
(JSC::BytecodeDumper<Block>::dumpBytecode):
(JSC::CodeBlockBytecodeDumper<Block>::vm const):
(JSC::CodeBlockBytecodeDumper<Block>::identifier const):
(JSC::CodeBlockBytecodeDumper<Block>::dumpIdentifiers):
(JSC::CodeBlockBytecodeDumper<Block>::dumpConstants):
(JSC::CodeBlockBytecodeDumper<Block>::dumpExceptionHandlers):
(JSC::CodeBlockBytecodeDumper<Block>::dumpSwitchJumpTables):
(JSC::CodeBlockBytecodeDumper<Block>::dumpStringSwitchJumpTables):
(JSC::CodeBlockBytecodeDumper<Block>::dumpBlock):
* bytecode/BytecodeDumper.h:
(JSC::BytecodeDumper::dumpValue):
(JSC::BytecodeDumper::BytecodeDumper):
* bytecode/BytecodeGeneratorification.cpp:
(JSC::performGeneratorification):
* bytecode/BytecodeList.rb:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/Fits.h:
* bytecode/Instruction.h:
(JSC::BaseInstruction::BaseInstruction):
(JSC::BaseInstruction::Impl::opcodeID const):
(JSC::BaseInstruction::opcodeID const):
(JSC::BaseInstruction::name const):
(JSC::BaseInstruction::isWide16 const):
(JSC::BaseInstruction::isWide32 const):
(JSC::BaseInstruction::hasMetadata const):
(JSC::BaseInstruction::sizeShiftAmount const):
(JSC::BaseInstruction::size const):
(JSC::BaseInstruction::is const):
(JSC::BaseInstruction::as const):
(JSC::BaseInstruction::cast):
(JSC::BaseInstruction::cast const):
(JSC::BaseInstruction::wide16 const):
(JSC::BaseInstruction::wide32 const):
* bytecode/InstructionStream.h:
(JSC::InstructionStream::iterator::operator+=):
(JSC::InstructionStream::iterator::operator++):
(JSC::InstructionStreamWriter::iterator::operator+=):
(JSC::InstructionStreamWriter::iterator::operator++):
* bytecode/Opcode.cpp:
* bytecode/Opcode.h:
* bytecode/PreciseJumpTargetsInlines.h:
* bytecode/UnlinkedCodeBlock.h:
* bytecode/VirtualRegister.cpp:
(JSC::VirtualRegister::VirtualRegister):
* bytecode/VirtualRegister.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::GenericLabel<JSGeneratorTraits>::setLocation):
(JSC::BytecodeGenerator::BytecodeGenerator):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/BytecodeGeneratorBase.h: Added.
* bytecompiler/BytecodeGeneratorBaseInlines.h: Added.
(JSC::shrinkToFit):
(JSC::BytecodeGeneratorBase<Traits>::BytecodeGeneratorBase):
(JSC::BytecodeGeneratorBase<Traits>::newLabel):
(JSC::BytecodeGeneratorBase<Traits>::newEmittedLabel):
(JSC::BytecodeGeneratorBase<Traits>::reclaimFreeRegisters):
(JSC::BytecodeGeneratorBase<Traits>::emitLabel):
(JSC::BytecodeGeneratorBase<Traits>::recordOpcode):
(JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode16):
(JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode32):
(JSC::BytecodeGeneratorBase<Traits>::write):
(JSC::BytecodeGeneratorBase<Traits>::newRegister):
(JSC::BytecodeGeneratorBase<Traits>::newTemporary):
(JSC::BytecodeGeneratorBase<Traits>::addVar):
(JSC::BytecodeGeneratorBase<Traits>::allocateCalleeSaveSpace):
* bytecompiler/Label.h:
(JSC::GenericBoundLabel::GenericBoundLabel):
(JSC::GenericBoundLabel::target):
(JSC::GenericBoundLabel::saveTarget):
(JSC::GenericBoundLabel::commitTarget):
* dfg/DFGByteCodeParser.cpp:
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGOperations.cpp:
* generator/Argument.rb:
* generator/DSL.rb:
* generator/GeneratedFile.rb:
* generator/Opcode.rb:
* generator/Options.rb:
* generator/Section.rb:
* generator/Wasm.rb: Added.
* interpreter/Register.h:
* interpreter/RegisterInlines.h:
(JSC::Register::operator=):
* jit/JITArithmetic.cpp:
* jit/JITOpcodes.cpp:
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
(JSC::LLInt::wasmExceptionInstructions):
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntOffsetsExtractor.cpp:
* llint/LLIntSlowPaths.cpp:
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
(JSC::LLInt::wasmFunctionEntryThunk):
* llint/LLIntThunks.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* llint/WebAssembly.asm: Added.
* offlineasm/arm64.rb:
* offlineasm/instructions.rb:
* offlineasm/parser.rb:
* offlineasm/registers.rb:
* offlineasm/transform.rb:
* offlineasm/x86.rb:
* parser/Nodes.h:
* runtime/Error.cpp:
(JSC::FindFirstCallerFrameWithCodeblockFunctor::operator() const):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::finishCreation):
* runtime/Options.cpp:
(JSC::overrideDefaults):
* runtime/OptionsList.h:
* runtime/SamplingProfiler.cpp:
(JSC::FrameWalker::recordJITFrame):
(JSC::FrameWalker::resetAtMachineFrame):
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::isControlTypeIf):
(JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::isControlTypeIf):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::prepareImpl):
(JSC::Wasm::BBQPlan::work):
(JSC::Wasm::BBQPlan::compileFunction):
(JSC::Wasm::BBQPlan::didCompleteCompilation):
(JSC::Wasm::BBQPlan::initializeCallees):
* wasm/WasmBBQPlan.h:
* wasm/WasmBBQPlanInlines.h: Removed.
* wasm/WasmCallee.cpp:
(JSC::Wasm::Callee::Callee):
(JSC::Wasm::Callee::dump const):
(JSC::Wasm::JITCallee::JITCallee):
(JSC::Wasm::LLIntCallee::setEntrypoint):
(JSC::Wasm::LLIntCallee::entrypoint const):
(JSC::Wasm::LLIntCallee::calleeSaveRegisters):
(JSC::Wasm:: const):
* wasm/WasmCallee.h:
(JSC::Wasm::Callee::setOSREntryCallee):
(JSC::Wasm::JITCallee::wasmToWasmCallsites):
(JSC::Wasm::JITCallee:: const):
* wasm/WasmCallingConvention.h:
* wasm/WasmCodeBlock.cpp:
(JSC::Wasm::CodeBlock::CodeBlock):
* wasm/WasmCodeBlock.h:
(JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
(JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace):
(JSC::Wasm::CodeBlock::wasmToWasmExitStub):
* wasm/WasmCompilationMode.cpp:
(JSC::Wasm::makeString):
* wasm/WasmCompilationMode.h:
* wasm/WasmEmbedder.h:
* wasm/WasmEntryPlan.cpp: Added.
(JSC::Wasm::EntryPlan::EntryPlan):
(JSC::Wasm::EntryPlan::stateString):
(JSC::Wasm::EntryPlan::moveToState):
(JSC::Wasm::EntryPlan::didReceiveFunctionData):
(JSC::Wasm::EntryPlan::parseAndValidateModule):
(JSC::Wasm::EntryPlan::prepare):
(JSC::Wasm::EntryPlan::ThreadCountHolder::ThreadCountHolder):
(JSC::Wasm::EntryPlan::ThreadCountHolder::~ThreadCountHolder):
(JSC::Wasm::EntryPlan::complete):
(JSC::Wasm::EntryPlan::compileFunctions):
(JSC::Wasm::EntryPlan::work):
* wasm/WasmEntryPlan.h: Copied from Source/JavaScriptCore/wasm/WasmBBQPlan.h.
(JSC::Wasm::EntryPlan::parseAndValidateModule):
(JSC::Wasm::EntryPlan::exports const):
(JSC::Wasm::EntryPlan::internalFunctionCount const):
(JSC::Wasm::EntryPlan::takeModuleInformation):
(JSC::Wasm::EntryPlan::takeWasmToWasmExitStubs):
(JSC::Wasm::EntryPlan::takeWasmToWasmCallsites):
(JSC::Wasm::EntryPlan::hasBeenPrepared const):
(JSC::Wasm::EntryPlan::tryReserveCapacity):
* wasm/WasmFunctionCodeBlock.cpp: Added.
(JSC::Wasm::FunctionCodeBlock::setInstructions):
(JSC::Wasm::FunctionCodeBlock::dumpBytecode):
(JSC::Wasm::FunctionCodeBlock::addOutOfLineJumpTarget):
(JSC::Wasm::FunctionCodeBlock::outOfLineJumpOffset):
(JSC::Wasm::FunctionCodeBlock::outOfLineJumpTarget):
(JSC::Wasm::FunctionCodeBlock::addSignature):
(JSC::Wasm::FunctionCodeBlock::signature const):
(JSC::Wasm::FunctionCodeBlock::addJumpTable):
(JSC::Wasm::FunctionCodeBlock::jumpTable const const):
(JSC::Wasm::FunctionCodeBlock::numberOfJumpTables const):
* wasm/WasmFunctionCodeBlock.h: Added.
(JSC::Wasm::FunctionCodeBlock::FunctionCodeBlock):
(JSC::Wasm::FunctionCodeBlock::getConstant const):
(JSC::Wasm::FunctionCodeBlock::functionIndex const):
(JSC::Wasm::FunctionCodeBlock::addJumpTarget):
(JSC::Wasm::FunctionCodeBlock::numberOfJumpTargets):
(JSC::Wasm::FunctionCodeBlock::lastJumpTarget):
(JSC::Wasm::FunctionCodeBlock::outOfLineJumpOffset):
(JSC::Wasm::FunctionCodeBlock::bytecodeOffset):
(JSC::Wasm::FunctionCodeBlock::tierUpCounter):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
* wasm/WasmInstance.h:
* wasm/WasmLLIntGenerator.cpp: Added.
(JSC::Wasm::LLIntGenerator::ControlType::ControlType):
(JSC::Wasm::LLIntGenerator::ControlType::loop):
(JSC::Wasm::LLIntGenerator::ControlType::topLevel):
(JSC::Wasm::LLIntGenerator::ControlType::block):
(JSC::Wasm::LLIntGenerator::ControlType::if_):
(JSC::Wasm::LLIntGenerator::ControlType::targetLabelForBranch const):
(JSC::Wasm::LLIntGenerator::fail const):
(JSC::Wasm::LLIntGenerator::unifyValuesWithBlock):
(JSC::Wasm::LLIntGenerator::emptyExpression):
(JSC::Wasm::LLIntGenerator::createStack):
(JSC::Wasm::LLIntGenerator::isControlTypeIf):
(JSC::Wasm::LLIntGenerator::addEndToUnreachable):
(JSC::Wasm::LLIntGenerator::setParser):
(JSC::Wasm::LLIntGenerator::dump):
(JSC::Wasm::LLIntGenerator::virtualRegisterForLocal):
(JSC::Wasm::LLIntGenerator::tmpsForSignature):
(JSC::Wasm::LLIntGenerator::jsNullConstant):
(JSC::Wasm::LLIntGenerator::isConstant):
(JSC::Wasm::parseAndCompileBytecode):
(JSC::Wasm::LLIntGenerator::LLIntGenerator):
(JSC::Wasm::LLIntGenerator::finalize):
(JSC::Wasm::LLIntGenerator::callInformationFor):
(JSC::Wasm::LLIntGenerator::addArguments):
(JSC::Wasm::LLIntGenerator::addLocal):
(JSC::Wasm::LLIntGenerator::addConstant):
(JSC::Wasm::LLIntGenerator::getLocal):
(JSC::Wasm::LLIntGenerator::setLocal):
(JSC::Wasm::LLIntGenerator::getGlobal):
(JSC::Wasm::LLIntGenerator::setGlobal):
(JSC::Wasm::LLIntGenerator::addLoop):
(JSC::Wasm::LLIntGenerator::addTopLevel):
(JSC::Wasm::LLIntGenerator::addBlock):
(JSC::Wasm::LLIntGenerator::addIf):
(JSC::Wasm::LLIntGenerator::addElse):
(JSC::Wasm::LLIntGenerator::addElseToUnreachable):
(JSC::Wasm::LLIntGenerator::addReturn):
(JSC::Wasm::LLIntGenerator::addBranch):
(JSC::Wasm::LLIntGenerator::addSwitch):
(JSC::Wasm::LLIntGenerator::endBlock):
(JSC::Wasm::LLIntGenerator::addCall):
(JSC::Wasm::LLIntGenerator::addCallIndirect):
(JSC::Wasm::LLIntGenerator::addRefIsNull):
(JSC::Wasm::LLIntGenerator::addRefFunc):
(JSC::Wasm::LLIntGenerator::addTableGet):
(JSC::Wasm::LLIntGenerator::addTableSet):
(JSC::Wasm::LLIntGenerator::addTableSize):
(JSC::Wasm::LLIntGenerator::addTableGrow):
(JSC::Wasm::LLIntGenerator::addTableFill):
(JSC::Wasm::LLIntGenerator::addUnreachable):
(JSC::Wasm::LLIntGenerator::addCurrentMemory):
(JSC::Wasm::LLIntGenerator::addGrowMemory):
(JSC::Wasm::LLIntGenerator::addSelect):
(JSC::Wasm::LLIntGenerator::load):
(JSC::Wasm::LLIntGenerator::store):
(JSC::GenericLabel<Wasm::GeneratorTraits>::setLocation):
* wasm/WasmLLIntGenerator.h: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.h.
* wasm/WasmLLIntPlan.cpp: Added.
(JSC::Wasm::LLIntPlan::prepareImpl):
(JSC::Wasm::LLIntPlan::compileFunction):
(JSC::Wasm::LLIntPlan::didCompleteCompilation):
(JSC::Wasm::LLIntPlan::initializeCallees):
* wasm/WasmLLIntPlan.h: Copied from Source/JavaScriptCore/wasm/WasmOMGForOSREntryPlan.h.
* wasm/WasmLLIntTierUpCounter.cpp: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.cpp.
(JSC::Wasm::LLIntTierUpCounter::addOSREntryDataForLoop):
(JSC::Wasm::LLIntTierUpCounter::osrEntryDataForLoop const const):
* wasm/WasmLLIntTierUpCounter.h: Copied from Source/JavaScriptCore/wasm/WasmOMGForOSREntryPlan.h.
(JSC::Wasm::LLIntTierUpCounter::LLIntTierUpCounter):
(JSC::Wasm::LLIntTierUpCounter::optimizeAfterWarmUp):
(JSC::Wasm::LLIntTierUpCounter::checkIfOptimizationThresholdReached):
(JSC::Wasm::LLIntTierUpCounter::optimizeSoon):
* wasm/WasmMemoryInformation.cpp:
(JSC::Wasm::PinnedRegisterInfo::get):
* wasm/WasmModule.cpp:
(JSC::Wasm::makeValidationResult):
(JSC::Wasm::makeValidationCallback):
(JSC::Wasm::Module::validateSync):
(JSC::Wasm::Module::validateAsync):
* wasm/WasmOMGForOSREntryPlan.cpp:
(JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):
(JSC::Wasm::OMGForOSREntryPlan::work):
* wasm/WasmOMGForOSREntryPlan.h:
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmSlowPaths.cpp: Added.
(JSC::LLInt::jitCompileAndSetHeuristics):
(JSC::LLInt::WASM_SLOW_PATH_DECL):
(JSC::LLInt::doWasmCall):
(JSC::LLInt::doWasmCallIndirect):
(JSC::LLInt::slow_path_wasm_throw_exception):
(JSC::LLInt::slow_path_wasm_popcount):
(JSC::LLInt::slow_path_wasm_popcountll):
* wasm/WasmSlowPaths.h: Added.
* wasm/WasmTable.cpp:
(JSC::Wasm::FuncRefTable::function const):
(JSC::Wasm::FuncRefTable::instance const):
* wasm/WasmTable.h:
* wasm/WasmTierUpCount.h:
* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::isControlTypeIf):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/JSToWasm.h:
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::calleeSaves const):
2019-10-31 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Make String#localeCompare faster by inlining JSGlobalObject::defaultCollator
https://bugs.webkit.org/show_bug.cgi?id=203696
Reviewed by Mark Lam.
We found that JSGlobalObject::defaultCollator is not inlined and it takes some time in JetStream2/cdjs.
We use the LazyProperty mechanism here and make the JSGlobalObject::defaultCollator function a simple inlinable one.
This patch improves JetStream2/cdjs by 2%.
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::initializeCollator):
* runtime/IntlObject.cpp:
(JSC::intlBooleanOption):
(JSC::intlStringOption):
(JSC::intlNumberOption):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
(JSC::JSGlobalObject::defaultCollator): Deleted.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::defaultCollator const):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncLocaleCompare):
2019-10-31 Saam Barati <sbarati@apple.com>
Don't use memmove/memcpy/memset for memory that can be scanned concurrently
https://bugs.webkit.org/show_bug.cgi?id=203228
<rdar://problem/56401852>
Reviewed by Robin Morisset.
We had code inside various places of the runtime which would call into system
memcpy/memmove/memset when updating a live butterfly. This means that the
concurrent collector could be scanning such butterflies while a memcpy/memmove/memset
was running. Those functions don't guarantee anything about the minimum
alignment of the stores they do. And implementations for them frequently have
byte copy loops for low byte copy counts. This led to us seeing torn JSValues
inside the concurrent collector during Array.prototype.splice. This patch
introduces new functions for doing memcpy/memmove/memset for data structures
which may be concurrently scanned. The loops are written using inline assembly
for gcc-compatible compilers on 64-bit platforms. The inline assembly
ensures we never write to memory using instructions that store fewer
than 8 bytes. On other platforms, we just use a volatile pointer to
ensure the compiler doesn't turn the loop into a function call or a
series of stores which may be smaller than 8 bytes.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/GCMemoryOperations.h: Added.
(JSC::gcSafeMemcpy):
(JSC::gcSafeMemmove):
(JSC::gcSafeZeroMemory):
* heap/Heap.h:
* runtime/ArrayConventions.cpp:
(JSC::clearArrayMemset):
* runtime/ArrayPrototype.cpp:
(JSC::copyElements):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::createOrGrowPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::reallocArrayRightIfPossible):
(JSC::Butterfly::resizeArray):
(JSC::Butterfly::unshift):
(JSC::Butterfly::shift):
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::fastSlice):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::convertFromCopyOnWrite):
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/JSObject.h:
* runtime/RegExpMatchesArray.h:
(JSC::createRegExpMatchesArray):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
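The idea behind the gcSafeMemcpy/gcSafeMemmove/gcSafeZeroMemory entry above, as an added illustration that is not WebKit's code: copy, move and zero loops that only ever issue full 8-byte stores, so a concurrent marker that loads aligned 8-byte words can never observe a half-written JSValue. This shows only the portable `volatile` fallback the entry describes, not the inline-assembly variant; the function names, the word-granular interface and the sample buffer in `demo_shift_left` are this example's own assumptions, and it assumes (as a butterfly of JSValues does) that the region is 8-byte aligned and a whole number of words long.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not WebKit code. Every store below goes through a
 * volatile uint64_t*, which stops the compiler from (a) replacing the
 * loop with a call to memcpy/memmove/memset, whose implementations may
 * use byte-wise stores for short lengths, and (b) splitting a word into
 * narrower stores. On 64-bit targets an aligned 8-byte store is
 * single-copy atomic, so a concurrent reader sees either the old word or
 * the new word, never a torn mix. Lengths are in 8-byte words. */

void gc_safe_memcpy_words(uint64_t* dst, const uint64_t* src, size_t words)
{
    volatile uint64_t* d = dst;
    for (size_t i = 0; i < words; ++i)
        d[i] = src[i];
}

void gc_safe_memmove_words(uint64_t* dst, const uint64_t* src, size_t words)
{
    volatile uint64_t* d = dst;
    if (dst == src || words == 0)
        return;
    if ((uintptr_t)dst < (uintptr_t)src) {
        /* Destination starts before the source: copy forwards so no
         * source word is overwritten before it has been read. */
        for (size_t i = 0; i < words; ++i)
            d[i] = src[i];
    } else {
        /* Destination starts after the source: copy backwards. */
        for (size_t i = words; i > 0; --i)
            d[i - 1] = src[i - 1];
    }
}

void gc_safe_zero_words(uint64_t* dst, size_t words)
{
    volatile uint64_t* d = dst;
    for (size_t i = 0; i < words; ++i)
        d[i] = 0;
}

/* Constructed demonstration: shift the tail of an 8-word buffer left by
 * two words (the shape of work a splice/shift does on a live butterfly)
 * and clear the two vacated slots. Returns the word checksum so the
 * result can be checked without printing. Expected value: 24603. */
uint64_t demo_shift_left(void)
{
    uint64_t buf[8];
    for (size_t i = 0; i < 8; ++i)
        buf[i] = 0x1000 + i; /* constructed sample values 0x1000..0x1007 */
    gc_safe_memmove_words(buf, buf + 2, 6); /* buf[0..5] = old buf[2..7] */
    gc_safe_zero_words(buf + 6, 2);          /* clear the vacated tail */
    uint64_t sum = 0;
    for (size_t i = 0; i < 8; ++i)
        sum += buf[i];
    return sum;
}
```

The overlap handling in `gc_safe_memmove_words` is what distinguishes it from the plain copy: the direction is chosen from the relative addresses, exactly as libc memmove does, but without ever delegating to libc and its byte loops.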
2019-10-31 Devin Rousso <drousso@apple.com>
Web Inspector: Debugger: make sure the blackbox config is removed before iterating all existing scripts
https://bugs.webkit.org/show_bug.cgi?id=203666
Reviewed by Matt Baker.
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::setShouldBlackboxURL):
2019-10-31 Alex Christensen <achristensen@webkit.org>
CMake build should make WebKit framework able to be used by Safari
https://bugs.webkit.org/show_bug.cgi?id=203685
Rubber-stamped by Tim Horton.
* PlatformMac.cmake:
2019-10-31 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] DateMath should have TimeClipped version
https://bugs.webkit.org/show_bug.cgi?id=203550
Reviewed by Saam Barati.
Removing `using namespace WTF;` in Date related files in JSC.
* runtime/DateConstructor.cpp:
* runtime/DateConversion.cpp:
(JSC::formatDateTime):
* runtime/DateInstance.cpp:
* runtime/DatePrototype.cpp:
* runtime/JSDateMath.cpp:
(JSC::localTimeOffset):
(JSC::timeToMS):
(JSC::gregorianDateTimeToMS):
(JSC::msToGregorianDateTime):
(JSC::parseDate):
(JSC::msToSeconds): Deleted.
(JSC::msToWeekDay): Deleted.
2019-10-30 Peng Liu <peng.liu6@apple.com>
[Picture-in-Picture Web API] Enable the support for iOS
https://bugs.webkit.org/show_bug.cgi?id=202618
Reviewed by Jer Noble.
Enable the Picture-in-Picture API support for iOS (iPad only).
* Configurations/FeatureDefines.xcconfig:
2019-10-30 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Date functions should have intrinsic
https://bugs.webkit.org/show_bug.cgi?id=202187
Reviewed by Keith Miller.
This patch adds intrinsic to Date object getter functions to make it inlined in DFG and FTL.
We add two DFG nodes, DateGetInt32OrNaN and DateGetTime. DateGetTime is used when we know
that the result is always machine double. On the other hand, DateGetInt32OrNaN is used when the result is Int32 or NaN.
Run SunSpider 100 times and get the solid improvement in Date related benchmarks.
ToT Patched
date-format-tofte 5.3511+-0.0260 ^ 5.2747+-0.0273 ^ definitely 1.0145x faster
date-format-xparb 4.9196+-0.0265 ^ 4.7067+-0.0200 ^ definitely 1.0452x faster
* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationFromClassInfo):
(JSC::speculationFromJSType):
(JSC::speculationFromString):
* bytecode/SpeculatedType.h:
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasIntrinsic):
(JSC::DFG::Node::intrinsic):
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateDateObject):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileDateGet):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isCell):
* ftl/FTLAbstractHeapRepository.cpp:
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileDateGet):
(JSC::FTL::DFG::LowerDFGToB3::lowDateObject):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateDateObject):
* runtime/DateConversion.cpp:
(JSC::formatDateTime):
* runtime/DateInstance.cpp:
(JSC::DateInstance::calculateGregorianDateTime const):
(JSC::DateInstance::calculateGregorianDateTimeUTC const):
* runtime/DateInstance.h:
* runtime/DateInstanceCache.h:
(JSC::DateInstanceData::offsetOfGregorianDateTimeCachedForMS):
(JSC::DateInstanceData::offsetOfCachedGregorianDateTime):
(JSC::DateInstanceData::offsetOfGregorianDateTimeUTCCachedForMS):
(JSC::DateInstanceData::offsetOfCachedGregorianDateTimeUTC):
(JSC::DateInstanceData::DateInstanceData): Deleted.
* runtime/DatePrototype.cpp:
(JSC::formatLocaleDate):
(JSC::formateDateInstance):
(JSC::dateProtoFuncToISOString):
(JSC::dateProtoFuncGetFullYear):
(JSC::dateProtoFuncGetUTCFullYear):
(JSC::dateProtoFuncGetMonth):
(JSC::dateProtoFuncGetUTCMonth):
(JSC::dateProtoFuncGetDate):
(JSC::dateProtoFuncGetUTCDate):
(JSC::dateProtoFuncGetDay):
(JSC::dateProtoFuncGetUTCDay):
(JSC::dateProtoFuncGetHours):
(JSC::dateProtoFuncGetUTCHours):
(JSC::dateProtoFuncGetMinutes):
(JSC::dateProtoFuncGetUTCMinutes):
(JSC::dateProtoFuncGetSeconds):
(JSC::dateProtoFuncGetUTCSeconds):
(JSC::dateProtoFuncGetMilliSeconds):
(JSC::dateProtoFuncGetUTCMilliseconds):
(JSC::dateProtoFuncGetTimezoneOffset):
(JSC::setNewValueFromTimeArgs):
(JSC::setNewValueFromDateArgs):
(JSC::dateProtoFuncSetYear):
(JSC::dateProtoFuncGetYear):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSDateMath.cpp:
(JSC::msToGregorianDateTime):
* runtime/JSType.cpp:
(WTF::printInternal):
* runtime/JSType.h:
2019-10-30 Ross Kirsling <ross.kirsling@sony.com>
Intl.DateTimeFormat returns resolvedOptions in the wrong order
https://bugs.webkit.org/show_bug.cgi?id=203297
Reviewed by Yusuke Suzuki.
See table here:
https://tc39.es/ecma402/#table-datetimeformat-resolvedoptions-properties
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::resolvedOptions):
2019-10-30 Tadeu Zagallo <tzagallo@apple.com>
tryCachePutToScopeGlobal should hold the lock to update metadata.m_getPutInfo
https://bugs.webkit.org/show_bug.cgi?id=203628
<rdar://problem/56705353>
Reviewed by Yusuke Suzuki.
We hold the lock to update m_watchpointSet and m_operand, but at that point we have already
updated m_getPutInfo. This can lead to inconsistent state observable from the compiler thread
where the getPutInfo does not match the watchpointSet.
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2019-10-07 Jer Noble <jer.noble@apple.com>
Implement the Remote Playback API.
https://bugs.webkit.org/show_bug.cgi?id=162971
Reviewed by Youenn Fablet.
Add RemotePlayback as a common identifier, needed for bindings due to "EnabledAtRuntime=RemotePlayback".
* runtime/CommonIdentifiers.h:
2019-10-29 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Add fast path for String#localeCompare
https://bugs.webkit.org/show_bug.cgi?id=202676
Reviewed by Mark Lam.
When String#localeCompare is invoked, we are setting up UCharIterator to iterate code points.
But this is too slow since its implementation invokes a function pointer for each code point
to get the next code point. Strings typically have many code points. Invoking a function pointer so many times
takes too much time just for locale-aware comparison.
This patch revises the implementation by adding 2 fast paths and 1 slow path. The slow path requires extra memory,
but it is soon released (not GC-managed).
1. If both strings are ASCII (not Latin1), we use ucol_strcollUTF8.
2. If both strings are 16-bit, we use ucol_strcoll.
3. Otherwise, we convert strings to 16-bit strings, and then we use ucol_strcoll.
JetStream2/cdjs is improved from 56 to 85 on iMac Pro (50%).
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::compareStrings):
* tools/JSDollarVM.cpp:
(JSC::functionMake16BitStringIfPossible):
(JSC::JSDollarVM::finishCreation):
2019-10-28 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Remove JSPromiseDeferred
https://bugs.webkit.org/show_bug.cgi?id=203400
Reviewed by Keith Miller.
This patch optimizes the existing Promise usage in C++. We remove JSPromiseDeferred and JSInternalPromiseDeferred, use JSPromise and JSInternalPromise directly.
JSC now offers first `resolve` and `reject` operations to `JSPromise` without separating `resolve` and `reject` function from `JSPromise`. Then, we do not need
to have a tuple of these functions and promise, and we can just use `JSPromise::resolve` and `JSPromise::reject`. This removes unnecessary function allocations
and cell allocation for JSPromiseDeferred and makes the API simple.
* API/JSAPIGlobalObject.mm:
(JSC::JSAPIGlobalObject::moduleLoaderImportModule):
(JSC::JSAPIGlobalObject::moduleLoaderFetch):
(JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule):
* API/JSObjectRef.cpp:
(JSObjectMakeDeferredPromise):
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* jsc.cpp:
(GlobalObject::moduleLoaderImportModule):
(GlobalObject::moduleLoaderFetch):
(runJSC):
* runtime/Completion.cpp:
(JSC::rejectPromise):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::newPromiseCapabilityFunction const):
(JSC::JSGlobalObject::resolvePromiseFunction const):
(JSC::JSGlobalObject::rejectPromiseFunction const):
(JSC::JSGlobalObject::numberProtoToStringFunction const):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncImportModule):
* runtime/JSInternalPromise.h:
* runtime/JSInternalPromiseDeferred.cpp: Removed.
* runtime/JSInternalPromiseDeferred.h: Removed.
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::importModule):
(JSC::JSModuleLoader::resolve):
(JSC::JSModuleLoader::fetch):
(JSC::moduleLoaderParseModule):
* runtime/JSPromise.cpp:
(JSC::JSPromise::flags const):
(JSC::JSPromise::isHandled const):
(JSC::JSPromise::createDeferredData):
(JSC::JSPromise::resolvedPromise):
(JSC::callFunction):
(JSC::JSPromise::resolve):
(JSC::JSPromise::reject):
* runtime/JSPromise.h:
* runtime/JSPromiseDeferred.cpp: Removed.
* runtime/JSPromiseDeferred.h: Removed.
* runtime/PromiseTimer.cpp: Renamed from Source/JavaScriptCore/runtime/PromiseDeferredTimer.cpp.
(JSC::PromiseTimer::PromiseTimer):
(JSC::PromiseTimer::doWork):
(JSC::PromiseTimer::runRunLoop):
(JSC::PromiseTimer::addPendingPromise):
(JSC::PromiseTimer::hasPendingPromise):
(JSC::PromiseTimer::hasDependancyInPendingPromise):
(JSC::PromiseTimer::cancelPendingPromise):
(JSC::PromiseTimer::scheduleWorkSoon):
* runtime/PromiseTimer.h: Renamed from Source/JavaScriptCore/runtime/PromiseDeferredTimer.h.
(JSC::PromiseTimer::create):
* runtime/StringRecursionChecker.h:
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::~VM):
* runtime/VM.h:
* wasm/js/JSWebAssembly.cpp:
(JSC::reject):
(JSC::webAssemblyModuleValidateAsyncInternal):
(JSC::webAssemblyCompileFunc):
(JSC::resolve):
(JSC::JSWebAssembly::webAssemblyModuleValidateAsync):
(JSC::instantiate):
(JSC::compileAndInstantiate):
(JSC::JSWebAssembly::instantiate):
(JSC::webAssemblyModuleInstantinateAsyncInternal):
(JSC::JSWebAssembly::webAssemblyModuleInstantinateAsync):
(JSC::webAssemblyInstantiateFunc):
(JSC::webAssemblyCompileStreamingInternal):
(JSC::webAssemblyInstantiateStreamingInternal):
* wasm/js/JSWebAssembly.h:
* wasm/js/JSWebAssemblyCodeBlock.h:
2019-10-28 Adrian Perez de Castro <aperez@igalia.com>
[GTK][WPE] Fix various non-unified build issues introduced since r251436
https://bugs.webkit.org/show_bug.cgi?id=203492
Reviewed by Alex Christensen and Mark Lam.
* bytecode/BytecodeIndex.cpp: Add missing inclusion of wtf/PrintStream.h
* bytecode/ICStatusUtils.h: Add missing inclusion of BytecodeIndex.h
* bytecode/InstructionStream.h: Ditto.
* debugger/DebuggerLocation.cpp: Add missing inclusion of JSCellInlines.h
* dfg/DFGLazyJSValue.h: Add missing inclusion of GPRInfo.h
* ftl/FTLOSREntry.h: Add missing inclusion of BytecodeIndex.h
* heap/CompleteSubspaceInlines.h: Add missing inclusions of CompleteSubspace.h and VM.h
* inspector/JavaScriptCallFrame.h:
(Inspector::JavaScriptCallFrame::thisValue const): Prepend namespace to the JSC::VM type.
* jit/JITDisassembler.h: Add missing inclusion of BytecodeIndex.h
* jit/JITWorklist.h: Ditto.
* runtime/JSImmutableButterfly.cpp: Add missing inclusion of ButterflyInlines.h
* runtime/ObjectInitializationScope.h: Add missing inclusion of VM.h
* runtime/StringRecursionChecker.h: Add missing inclusion of GetVM.h
* runtime/VMTraps.cpp: Add missing inclusion of CallFrameInlines.h
* tools/Integrity.cpp: Add missing inclusion of Integrity.h, HeapCellInlines.h, and
JSCellInlines.h
* wasm/WasmOperations.cpp: Add missing inclusion of JSCJSValueInlines.h and
JSGlobalObjectInlines.h
* wasm/WasmOperations.h: Add missing inclusion of IndexingType.h, JSCJSValue.h, and
WasmExceptionType.h; add forward declarations for JSArray and Wasm::Signature.
* wasm/js/JSWebAssembly.cpp: Add missing inclusion of WasmOperations.h
* wasm/js/JSWebAssemblyHelpers.h: Add missing inclusion of Error.h and JSArrayBufferView.h
2019-10-28 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Lexer flags should be an OptionSet
https://bugs.webkit.org/show_bug.cgi?id=203032
Reviewed by Yusuke Suzuki.
LexerFlags has an annoyingly misspelled value LexexFlagsDontBuildKeywords;
let's use this as an opportunity to modernize this enum.
* parser/ASTBuilder.h:
* parser/Lexer.cpp:
(JSC::Lexer<LChar>::parseIdentifier):
(JSC::Lexer<UChar>::parseIdentifier):
(JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
(JSC::Lexer<T>::lexWithoutClearingLineTerminator):
* parser/Lexer.h:
(JSC::Lexer<T>::lexExpectIdentifier):
(JSC::Lexer<T>::lex):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseProperty):
(JSC::Parser<LexerType>::parseMemberExpression):
* parser/Parser.h:
(JSC::Parser::next):
(JSC::Parser::nextWithoutClearingLineTerminator):
(JSC::Parser::nextExpectIdentifier):
(JSC::Parser::consume):
* parser/SyntaxChecker.h:
2019-10-28 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Optimize Promise runtime functions
https://bugs.webkit.org/show_bug.cgi?id=203454
Reviewed by Keith Miller.
This patch optimizes Promise runtime functions a bit.
1. Add fast paths to Promise.resolve / Promise.reject.
2. Remove state check in async-functions. Unlike generators, async-function's next function is not exposed to users.
It is called by runtime so we can control state perfectly.
3. Add "enqueueJob" name to make sampling profiler work for this function.
4. Make Promise/InternalPromise constructor inlinable size
ToT Patched
promise-creation-many 25.5794+-0.3681 ^ 22.5410+-0.3229 ^ definitely 1.1348x faster
promise-resolve 32.3793+-0.4252 ^ 9.4219+-0.1114 ^ definitely 3.4366x faster
promise-reject 108.5968+-0.7741 ^ 36.9383+-0.3770 ^ definitely 2.9400x faster
* builtins/AsyncFunctionPrototype.js:
(globalPrivate.asyncFunctionResume):
* builtins/PromiseConstructor.js:
(reject):
(resolve):
(nakedConstructor.Promise.reject):
(nakedConstructor.Promise):
(nakedConstructor.InternalPromise.reject):
(nakedConstructor.InternalPromise):
(nakedConstructor.Promise.resolve): Deleted.
(nakedConstructor.InternalPromise.resolve): Deleted.
* builtins/PromiseOperations.js:
(globalPrivate.newPromiseCapability.resolve):
(globalPrivate.newPromiseCapability.reject):
(globalPrivate.newPromiseCapability):
(globalPrivate.promiseResolveSlow):
(globalPrivate.promiseRejectSlow):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
2019-10-28 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use FTLOutput::callWithoutSideEffects if operation does not have side effects
https://bugs.webkit.org/show_bug.cgi?id=203485
Reviewed by Mark Lam.
This makes Call's Effect none, and encourages optimizations around it.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
(JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
(JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52):
2019-10-28 Tuomas Karkkainen <tuomas.webkit@apple.com>
dumpSpeculation in SpeculatedType.cpp prints to the wrong stream and has wrong capitalization for NaN
https://bugs.webkit.org/show_bug.cgi?id=203486
Reviewed by Antti Koivisto.
* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
2019-10-28 Fujii Hironori <Hironori.Fujii@sony.com>
[Windows][Clang] error LNK2001: unresolved external symbol "void * __cdecl JSC::allocateCell<class JSC::JSGenericTypedArrayView<struct JSC::Float32Adaptor> >(class JSC::Heap &,unsigned __int64)"
https://bugs.webkit.org/show_bug.cgi?id=203483
Unreviewed build fix for clang-cl builds.
* runtime/JSGenericTypedArrayViewInlines.h: Added #include "JSCellInlines.h".
2019-10-26 Chris Lord <clord@igalia.com>
Put OffscreenCanvas behind a build flag
https://bugs.webkit.org/show_bug.cgi?id=203146
Reviewed by Ryosuke Niwa.
* Configurations/FeatureDefines.xcconfig:
2019-10-25 Yury Semikhatsky <yurys@chromium.org>
Web Inspector: support emulateUserGesture parameter in Runtime.callFunctionOn
https://bugs.webkit.org/show_bug.cgi?id=200262
Reviewed by Devin Rousso.
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::callFunctionOn):
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/protocol/Runtime.json:
2019-10-24 Mark Lam <mark.lam@apple.com>
Move JSC::Register inline methods into RegisterInlines.h.
https://bugs.webkit.org/show_bug.cgi?id=203391
Reviewed by Yusuke Suzuki and Keith Miller.
We're doing this because:
1. RegisterInlines.h is the canonical place to put inline Register methods.
2. It helps reduce build time.
e.g. build-jsc went from 208.02 to 196.81 seconds (about a 5% reduction).
3. This enables experimental work to box JSCells in JSValue.
This patch also handles the fallout of this change, which necessitates more
inline methods being moved from <file>.h to their respective <file>Inlines.h.
JSArray.h used to include ButterflyInlines.h and JSCellInlines.h. This is a
violation of inclusion ordering (.h should not #include Inlines.h). This
violation has been removed.
* API/JSAPIGlobalObject.mm:
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.h:
(JSC::CallFrame::r): Deleted.
(JSC::CallFrame::uncheckedR): Deleted.
* bytecode/MetadataTable.cpp:
* ftl/FTLLowerDFGToB3.cpp:
* interpreter/CallFrame.h:
(JSC::CallFrame::guaranteedJSValueCallee const): Deleted.
(JSC::CallFrame::jsCallee const): Deleted.
(JSC::CallFrame::codeBlock const): Deleted.
(JSC::CallFrame::unsafeCodeBlock const): Deleted.
(JSC::CallFrame::scope const): Deleted.
(JSC::CallFrame::topOfFrame): Deleted.
(JSC::CallFrame::setScope): Deleted.
(JSC::CallFrame::setCallee): Deleted.
(JSC::CallFrame::setCodeBlock): Deleted.
* interpreter/CallFrameInlines.h:
(JSC::CallFrame::r):
(JSC::CallFrame::uncheckedR):
(JSC::CallFrame::guaranteedJSValueCallee const):
(JSC::CallFrame::jsCallee const):
(JSC::CallFrame::codeBlock const):
(JSC::CallFrame::unsafeCodeBlock const):
(JSC::CallFrame::lexicalGlobalObject const):
(JSC::CallFrame::setCallee):
(JSC::CallFrame::setCodeBlock):
(JSC::CallFrame::setScope):
(JSC::CallFrame::scope const):
(JSC::CallFrame::topOfFrame):
* interpreter/Interpreter.cpp:
* interpreter/ProtoCallFrame.h:
(JSC::ProtoCallFrame::init): Deleted.
* interpreter/ProtoCallFrameInlines.h: Added.
(JSC::ProtoCallFrame::init):
(JSC::ProtoCallFrame::callee const):
(JSC::ProtoCallFrame::setCallee):
(JSC::ProtoCallFrame::codeBlock const):
(JSC::ProtoCallFrame::setCodeBlock):
* interpreter/Register.h:
(JSC::Register::callFrame const): Deleted.
(JSC::Register::codeBlock const): Deleted.
(JSC::Register::asanUnsafeCodeBlock const): Deleted.
* interpreter/RegisterInlines.h: Added.
(JSC::Register::callFrame const):
(JSC::Register::codeBlock const):
(JSC::Register::asanUnsafeCodeBlock const):
(JSC::Register::object const):
(JSC::Register::operator=):
(JSC::Register::scope const):
* interpreter/StackVisitor.cpp:
* jit/AssemblyHelpers.h:
* llint/LLIntSlowPaths.cpp:
* runtime/ArrayStorage.h:
(JSC::ArrayStorage::optimalVectorLength): Deleted.
* runtime/ArrayStorageInlines.h: Added.
(JSC::ArrayStorage::availableVectorLength):
(JSC::ArrayStorage::optimalVectorLength):
(JSC::ArrayStorage::totalSize const):
* runtime/ButterflyInlines.h:
* runtime/ClassInfo.h:
* runtime/GetVM.h: Added.
* runtime/JSArray.h:
* runtime/JSArrayInlines.h:
* runtime/JSCellInlines.h:
* runtime/JSGlobalObject.h:
* runtime/JSObject.h:
(JSC::Register::object const): Deleted.
(JSC::Register::operator=): Deleted.
* runtime/JSObjectInlines.h:
* runtime/JSScope.h:
(JSC::Register::operator=): Deleted.
(JSC::Register::scope const): Deleted.
(JSC::CallFrame::lexicalGlobalObject const): Deleted.
* runtime/JSString.h:
* runtime/PropertyNameArray.h:
* runtime/PropertySlot.h:
* runtime/VMInlines.h:
* tools/HeapVerifier.cpp:
* wasm/js/WebAssemblyFunction.cpp:
2019-10-24 Zan Dobersek <zdobersek@igalia.com>
REGRESSION(r251468): Build, test failures in 32-bit JSC after BytecodeIndex refactoring
https://bugs.webkit.org/show_bug.cgi?id=203290
Reviewed by Keith Miller.
* bytecode/BytecodeIndex.h:
(JSC::BytecodeIndex::BytecodeIndex):
Add a BytecodeIndex(WTF::HashTableDeletedValueType) constructor.
* bytecode/CodeOrigin.h:
(JSC::CodeOrigin::CodeOrigin):
Have the CodeOrigin(WTF::HashTableDeletedValueType) constructor
initialize the BytecodeIndex object accordingly, as a deleted value.
(JSC::CodeOrigin::isHashTableDeletedValue const):
Test BytecodeIndex object's deleted-value condition through the
corresponding BytecodeIndex::isHashTableDeletedValue() method.
* profiler/ProfilerOrigin.h:
(JSC::Profiler::Origin::Origin):
Simplify the m_bytecodeIndex member initialization for a deleted value.
(JSC::Profiler::Origin::operator! const):
Fix the negation operator, returning true if the m_bytecodeIndex is
either empty or deleted.
2019-10-24 Sihui Liu <sihui_liu@apple.com>
[ Mac WK1 ] REGRESSION (r251261): Layout Test inspector/console/webcore-logging.html is consistently Failing
https://bugs.webkit.org/show_bug.cgi?id=203173
<rdar://problem/56424721>
Hold a strong reference to JSGlobalObject in ConsoleMessage so that object is not garbage collected before
WebConsoleAgent::frameWindowDiscarded.
Covered by existing test: inspector/console/webcore-logging.html.
Reviewed by Geoffrey Garen.
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::ConsoleMessage):
(Inspector::ConsoleMessage::clear):
* inspector/ConsoleMessage.h:
2019-10-24 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Properly organize wasm operations
https://bugs.webkit.org/show_bug.cgi?id=203360
Reviewed by Keith Miller.
This patch cleans up operation functions called from Wasm.
1. Properly name these operations with prefix "operation".
2. Do not use lambda. Define function with JIT_OPERATION.
3. Consolidate them in WasmOperations.cpp.
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::addRefFunc):
(JSC::Wasm::AirIRGenerator::addTableGet):
(JSC::Wasm::AirIRGenerator::addTableSet):
(JSC::Wasm::AirIRGenerator::addTableSize):
(JSC::Wasm::AirIRGenerator::addTableGrow):
(JSC::Wasm::AirIRGenerator::addTableFill):
(JSC::Wasm::AirIRGenerator::addGrowMemory):
(JSC::Wasm::AirIRGenerator::emitWriteBarrierForJSWrapper):
(JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
(JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addTableGet):
(JSC::Wasm::B3IRGenerator::addTableSet):
(JSC::Wasm::B3IRGenerator::addRefFunc):
(JSC::Wasm::B3IRGenerator::addTableSize):
(JSC::Wasm::B3IRGenerator::addTableGrow):
(JSC::Wasm::B3IRGenerator::addTableFill):
(JSC::Wasm::B3IRGenerator::addGrowMemory):
(JSC::Wasm::B3IRGenerator::emitWriteBarrierForJSWrapper):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
* wasm/WasmInstance.cpp:
(JSC::Wasm::getWasmTableElement): Deleted.
(JSC::Wasm::setWasmTableElement): Deleted.
(JSC::Wasm::doWasmTableGrow): Deleted.
(JSC::Wasm::doWasmTableFill): Deleted.
(JSC::Wasm::doWasmRefFunc): Deleted.
* wasm/WasmInstance.h:
* wasm/WasmOperations.cpp:
(JSC::Wasm::operationWasmUnwind):
(JSC::Wasm::operationConvertToF64):
(JSC::Wasm::operationConvertToI32):
(JSC::Wasm::operationConvertToF32):
(JSC::Wasm::operationIterateResults):
(JSC::Wasm::operationAllocateResultsArray):
(JSC::Wasm::operationWasmWriteBarrierSlowPath):
(JSC::Wasm::operationPopcount32):
(JSC::Wasm::operationPopcount64):
(JSC::Wasm::operationGrowMemory):
(JSC::Wasm::operationGetWasmTableElement):
(JSC::Wasm::setWasmTableElement):
(JSC::Wasm::operationSetWasmTableElement):
(JSC::Wasm::operationWasmTableGrow):
(JSC::Wasm::operationWasmTableFill):
(JSC::Wasm::operationWasmRefFunc):
(JSC::Wasm::operationGetWasmTableSize):
(JSC::Wasm::operationWasmToJSException):
* wasm/WasmOperations.h:
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::marshallJSResult):
(JSC::Wasm::allocateResultsArray): Deleted.
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
(JSC::Wasm::operationWasmToJSException): Deleted.
* wasm/js/WasmToJS.h:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
2019-10-24 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Remove LLInt's Callee size assumption
https://bugs.webkit.org/show_bug.cgi?id=203282
Reviewed by Mark Lam.
LLInt code still assumes that Callee is always allocated in non-LargeAllocation.
This patch removes this assumption by following three changes.
1. If we can get CodeBlock, we get VM& from CodeBlock.
2. In nativeCallTrampoline and internalFunctionCallTrampoline, we get VM& from JSGlobalObject. It involves one more pointer chase but it is OK
since this JSGlobalObject's VM* field will be touched in the called native functions anyway. And this code is only used when we are not using the JIT.
3. In exception handling code in LLInt, we get VM& from the callee by checking the LargeAllocation possibility. This is OK since it is only executed when
exception unwinding happens, which is an expensive operation anyway.
* heap/LargeAllocation.h:
(JSC::LargeAllocation::headerSize):
* heap/WeakSet.h:
(JSC::WeakSet::WeakSet):
(JSC::WeakSet::vm const):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::vm const):
(JSC::JSGlobalObject::defaultCodeGenerationMode const):
* runtime/VM.h:
(JSC::WeakSet::heap const):
2019-10-24 Zan Dobersek <zdobersek@igalia.com>
[JSC] Get 32-bit ports back into building order
https://bugs.webkit.org/show_bug.cgi?id=203358
Reviewed by Carlos Garcia Campos.
Get JSC building again on 32-bit architectures after changes in r251468.
Some 32-bit code in LLint and JIT is brought back, and additional casts
around BytecodeIndex construction are added as necessary.
* dfg/DFGOSRExit.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::setCurrentVPC):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileCallEvalSlowCase):
(JSC::JIT::compileOpCall):
* jit/JITInlines.h:
(JSC::JIT::updateTopCallFrame):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_log_shadow_chicken_tail):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitGetByValWithCachedId):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitPutByValWithCachedId):
(JSC::JIT::emit_op_try_get_by_id):
(JSC::JIT::emit_op_get_by_id_direct):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_get_by_id_with_this):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emit_op_in_by_id):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
2019-10-24 Paulo Matos <pmatos@igalia.com>
Disable pichdr generation on MIPS for return location labels
https://bugs.webkit.org/show_bug.cgi?id=203040
Reviewed by Yusuke Suzuki.
Disable generation of pichdr for return location labels generated in
defineOSRExitReturnLabel. Since r250806 (Allow OSR exit to the LLInt),
MIPS was segfaulting since the pichdr after an OSR exit was corrupting
the gp register.
* offlineasm/mips.rb:
2019-10-23 Devin Rousso <drousso@apple.com>
Web Inspector: provide a way to inject "bootstrap" JavaScript into the page as the first script executed
https://bugs.webkit.org/show_bug.cgi?id=195847
<rdar://problem/48950551>
Reviewed by Joseph Pecoraro.
When debugging webpages, it's often useful to be able to swizzle various functions in order
to add extra logs for when they're called (e.g. `Event.prototype.preventDefault`). Sometimes
this can be difficult, such as if the page saves a copy of the function and references that
instead, in which case it would be helpful to have a way to guarantee that the swizzled code
is the first thing evaluated after the context is created.
This change adds support for that concept, which has been named Inspector Bootstrap Script.
Once created, it will be injected as the first user script to every new global object that
is created afterwards. Modifications to the Inspector Bootstrap Script take effect for all
new global objects created _after_ the modification happened.
* inspector/protocol/Page.json:
Add `setBootstrapScript` command.
2019-10-23 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Remove wasmAwareLexicalGlobalObject
https://bugs.webkit.org/show_bug.cgi?id=203351
Reviewed by Mark Lam.
CallFrame::lexicalGlobalObject() is no longer called frequently. We can just make the current wasmAwareLexicalGlobalObject into CallFrame::lexicalGlobalObject,
and remove the wasmAwareLexicalGlobalObject function.
* debugger/Debugger.cpp:
(JSC::Debugger::hasBreakpoint):
(JSC::Debugger::breakProgram):
(JSC::lexicalGlobalObjectForCallFrame):
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::deprecatedVMEntryGlobalObject const):
(JSC::DebuggerCallFrame::scope):
(JSC::DebuggerCallFrame::thisValue const):
(JSC::DebuggerCallFrame::evaluateWithScopeExtension):
* debugger/DebuggerCallFrame.h:
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::thisObject const):
* inspector/JavaScriptCallFrame.h:
(Inspector::JavaScriptCallFrame::thisValue const):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::lexicalGlobalObjectFromWasmCallee const):
(JSC::CallFrame::wasmAwareLexicalGlobalObject): Deleted.
* interpreter/CallFrame.h:
* interpreter/Interpreter.cpp:
(JSC::notifyDebuggerOfUnwinding):
(JSC::Interpreter::debug):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::createArguments):
* interpreter/StackVisitor.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::llint_throw_stack_overflow_error):
* runtime/JSFunction.cpp:
(JSC::RetrieveArgumentsFunctor::RetrieveArgumentsFunctor):
(JSC::RetrieveArgumentsFunctor::operator() const):
(JSC::retrieveArguments):
* runtime/JSScope.h:
(JSC::CallFrame::lexicalGlobalObject const):
* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
2019-10-23 Keith Miller <keith_miller@apple.com>
Undo incidental change from BytecodeIndex class patch
https://bugs.webkit.org/show_bug.cgi?id=203339
Reviewed by Mark Lam.
It's not totally clear why we need to claim our bytecode index is
0 when we can't figure out what the true index is. I'd rather unbreak
our build for now, however, and fix the underlying issue in
https://bugs.webkit.org/show_bug.cgi?id=203340
* runtime/Error.cpp:
(JSC::getBytecodeIndex):
2019-10-23 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Figure out missing prepareCallOperation
https://bugs.webkit.org/show_bug.cgi?id=203285
Reviewed by Mark Lam.
We start using __builtin_frame_address to get CallFrame* in JIT operations. For platforms which do not support this API (MSVC),
we put the frame pointer into vm.topCallFrame on the caller side. The problem is that all Apple platforms now use __builtin_frame_address,
and we are not testing the vm.topCallFrame version at all.
To find missing prepareCallOperation calls, we introduce JITOperationPrologueCallFrameTracer. When USE(BUILTIN_FRAME_ADDRESS) is enabled and
it is a debug build, we put the frame pointer into vm.topCallFrame anyway. After that, we ensure that vm.topCallFrame is the same as the
CallFrame* obtained by __builtin_frame_address. By doing this, we can find places missing this call in debug builds of Apple ports.
We also found that FTL's custom getter calling was putting a wrong value into vm.topCallFrame. This patch fixes it too.
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::emitRestoreArguments):
(JSC::DFG::operationCompileOSRExit):
(JSC::DFG::OSRExit::compileExit):
(JSC::DFG::operationDebugPrintSpeculationFailure):
(JSC::DFG::OSRExit::compileOSRExit): Deleted.
(JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
* dfg/DFGOSRExit.h:
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
(JSC::DFG::osrWriteBarrier):
* dfg/DFGOSRExitCompilerCommon.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitThunkGenerator):
(JSC::DFG::osrExitGenerationThunkGenerator):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
(JSC::FTL::DFG::LowerDFGToB3::callPreflight):
(JSC::FTL::DFG::LowerDFGToB3::callCheck):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
(JSC::FTL::operationCompileFTLOSRExit):
(JSC::FTL::compileFTLOSRExit): Deleted.
* ftl/FTLOSRExitCompiler.h:
* ftl/FTLOperations.cpp:
(JSC::FTL::operationPopulateObjectInOSR):
(JSC::FTL::operationMaterializeObjectInOSR):
(JSC::FTL::operationCompileFTLLazySlowPath):
(JSC::FTL::compileFTLLazySlowPath): Deleted.
* ftl/FTLOperations.h:
* ftl/FTLSlowPathCall.cpp:
(JSC::FTL::SlowPathCallContext::makeCall):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::osrExitGenerationThunkGenerator):
(JSC::FTL::lazySlowPathGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* ftl/FTLThunks.h:
(JSC::FTL::generateIfNecessary):
(JSC::FTL::Thunks::getSlowPathCallThunk):
* interpreter/FrameTracers.h:
(JSC::SlowPathFrameTracer::SlowPathFrameTracer):
(JSC::JITOperationPrologueCallFrameTracer::JITOperationPrologueCallFrameTracer):
(JSC::JITOperationPrologueCallFrameTracer::~JITOperationPrologueCallFrameTracer):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::callExceptionFuzz):
(JSC::AssemblyHelpers::debugCall):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::prepareCallOperation):
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::ensureShadowChickenPacket):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::prepareCallOperation): Deleted.
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/Repatch.cpp:
(JSC::ftlThunkAwareRepatchCall):
* jit/ThunkGenerators.cpp:
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::handleHostCall):
* runtime/AtomicsObject.cpp:
(JSC::operationAtomicsAdd):
(JSC::operationAtomicsAnd):
(JSC::operationAtomicsCompareExchange):
(JSC::operationAtomicsExchange):
(JSC::operationAtomicsIsLockFree):
(JSC::operationAtomicsLoad):
(JSC::operationAtomicsOr):
(JSC::operationAtomicsStore):
(JSC::operationAtomicsSub):
(JSC::operationAtomicsXor):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/StringPrototype.cpp:
(JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
(JSC::operationStringProtoFuncReplaceRegExpString):
(JSC::operationStringProtoFuncReplaceGeneric):
* tools/JSDollarVM.cpp:
(IGNORE_WARNINGS_BEGIN):
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
* wasm/WasmOperations.cpp:
(JSC::Wasm::operationWasmThrowBadI64):
(JSC::Wasm::operationWasmTriggerOSREntryNow):
(JSC::Wasm::operationWasmTriggerTierUpNow):
(JSC::Wasm::operationThrowBadI64): Deleted.
(JSC::Wasm::triggerOSREntryNow): Deleted.
(JSC::Wasm::triggerTierUpNow): Deleted.
* wasm/WasmOperations.h:
* wasm/WasmThunks.cpp:
(JSC::Wasm::triggerOMGEntryTierUpThunkGenerator):
* wasm/js/JSWebAssembly.cpp:
(JSC::instantiate):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::operationWasmToJSException):
(JSC::Wasm::emitThrowWasmToJSException):
(JSC::Wasm::wasmToJSException): Deleted.
* wasm/js/WasmToJS.h:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
2019-10-23 Truitt Savell <tsavell@apple.com>
Unreviewed, rolling out r251482.
r251261 broke multiple tests, reverting this as part of that
rollout.
Reverted changeset:
"[ Mac WK1 ] REGRESSION (r251261): Layout Test
inspector/console/webcore-logging.html is consistently
Failing"
https://bugs.webkit.org/show_bug.cgi?id=203173
https://trac.webkit.org/changeset/251482
2019-10-23 Yury Semikhatsky <yurys@chromium.org>
Web Inspector: notify inspector when provisional page is created, committed and destroyed
https://bugs.webkit.org/show_bug.cgi?id=202704
Reviewed by Devin Rousso.
* inspector/InspectorTarget.h: changed InspectorTarget to not require FrontendChannel as
all messages are routed by means of the owning InspectorTargetAgent.
* inspector/agents/InspectorTargetAgent.cpp:
(Inspector::InspectorTargetAgent::InspectorTargetAgent):
(Inspector::buildTargetInfoObject):
(Inspector::InspectorTargetAgent::targetCreated):
(Inspector::InspectorTargetAgent::targetDestroyed):
(Inspector::InspectorTargetAgent::didCommitProvisionalTarget): this method is used to
notify the frontend that the corresponding provisional target has committed and replaced the previous
target.
(Inspector::InspectorTargetAgent::connectionType const):
(Inspector::InspectorTargetAgent::connectToTargets):
(Inspector::InspectorTargetAgent::disconnectFromTargets):
* inspector/agents/InspectorTargetAgent.h:
* inspector/protocol/Target.json: extended TargetInfo with provisional page details and
added an event which is fired when the provisional page gets committed. If the provisional
load fails there will be a targetDestroyed event without a corresponding commit.
2019-10-23 Ross Kirsling <ross.kirsling@sony.com>
String.prototype.matchAll should throw on non-global regex
https://bugs.webkit.org/show_bug.cgi?id=202838
Reviewed by Keith Miller.
* builtins/StringPrototype.js:
(matchAll):
Implement normative change from https://github.com/tc39/ecma262/pull/1716.
* builtins/BuiltinNames.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/RegExpConstructor.cpp:
(JSC::esSpecIsRegExp): Added.
* runtime/RegExpConstructor.h:
Expose isRegExp to builtins. (This differs from @isRegExpObject by first checking for Symbol.match.)
2019-10-23 Sihui Liu <sihui_liu@apple.com>
[ Mac WK1 ] REGRESSION (r251261): Layout Test inspector/console/webcore-logging.html is consistently Failing
https://bugs.webkit.org/show_bug.cgi?id=203173
<rdar://problem/56424721>
Hold a strong reference to JSGlobalObject in ConsoleMessage so that the object is not garbage collected before
WebConsoleAgent::frameWindowDiscarded.
Covered by existing test: inspector/console/webcore-logging.html.
Reviewed by Geoffrey Garen.
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::ConsoleMessage):
(Inspector::ConsoleMessage::clear):
* inspector/ConsoleMessage.h:
2019-10-22 Yusuke Suzuki <ysuzuki@apple.com>
Make `JSGlobalObject*` threading change more stabilized by adding tests and assertions
https://bugs.webkit.org/show_bug.cgi?id=203274
Reviewed by Saam Barati.
This patch does some follow-up changes after r251425.
1. Add tests that test vm.topCallFrame from the C++ world to ensure that `vm.topCallFrame` is kept nullptr if it is accessed from the C++ world even after executing some scripts.
2. Add assertion to ensure that `DECLARE_CALL_FRAME` is only called in JIT operation's prologue.
3. Remove some ExecState::deprecatedVM calls.
4. Define `USE(BUILTIN_FRAME_ADDRESS)` when using __builtin_frame_address to get CallFrame.
* API/tests/testapi.cpp:
(TestAPI::topCallFrameAccess):
(testCAPIViaCpp):
* interpreter/CallFrame.cpp:
(JSC::isFromJSCode):
* interpreter/CallFrame.h:
* jit/CCallHelpers.h:
(JSC::CCallHelpers::prepareCallOperation):
* tools/VMInspector.cpp:
(JSC::VMInspector::dumpRegisters):
2019-10-22 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, WinCairo build fix after r251468
https://bugs.webkit.org/show_bug.cgi?id=203276
* jit/JIT.h:
2019-10-22 Keith Miller <keith_miller@apple.com>
BytecodeIndex should be a proper C++ class
https://bugs.webkit.org/show_bug.cgi?id=203276
Reviewed by Mark Lam.
This patch makes a change to how we refer to the bytecode index in
a bytecode stream. Previously we just used an unsigned number to
represent the index; this patch changes most of the code to use a
BytecodeIndex class instead. The only places where this patch does
not change this are jump and switch targets / deltas.
Additionally, this patch attempts to canonicalize the terminology
around how we refer to bytecode indices. Now we use the word index
to refer to the bytecode index class and offset to refer to the
unsigned byte offset into the instruction stream.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/ByValInfo.h:
(JSC::ByValInfo::ByValInfo):
(JSC::getByValInfoBytecodeIndex):
* bytecode/BytecodeBasicBlock.cpp:
(JSC::BytecodeBasicBlock::computeImpl):
* bytecode/BytecodeGeneratorification.cpp:
(JSC::GeneratorLivenessAnalysis::run):
* bytecode/BytecodeIndex.cpp: Added.
(JSC::BytecodeIndex::dump const):
* bytecode/BytecodeIndex.h: Added.
(JSC::BytecodeIndex::BytecodeIndex):
(JSC::BytecodeIndex::offset const):
(JSC::BytecodeIndex::asBits const):
(JSC::BytecodeIndex::hash const):
(JSC::BytecodeIndex::deletedValue):
(JSC::BytecodeIndex::isHashTableDeletedValue const):
(JSC::BytecodeIndex::operator bool const):
(JSC::BytecodeIndex::operator == const):
(JSC::BytecodeIndex::operator != const):
(JSC::BytecodeIndex::operator < const):
(JSC::BytecodeIndex::operator > const):
(JSC::BytecodeIndex::operator <= const):
(JSC::BytecodeIndex::operator >= const):
(JSC::BytecodeIndex::fromBits):
(JSC::BytecodeIndexHash::hash):
(JSC::BytecodeIndexHash::equal):
* bytecode/BytecodeLivenessAnalysis.cpp:
(JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeIndex):
(JSC::BytecodeLivenessAnalysis::computeFullLiveness):
(JSC::BytecodeLivenessAnalysis::computeKills):
(JSC::BytecodeLivenessAnalysis::dumpResults):
(JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset): Deleted.
* bytecode/BytecodeLivenessAnalysis.h:
* bytecode/BytecodeLivenessAnalysisInlines.h:
(JSC::BytecodeLivenessPropagation::stepOverInstruction):
(JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeIndex):
(JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
(JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeIndex):
(JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset): Deleted.
(JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset): Deleted.
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeIndex):
(JSC::computeDefsForBytecodeIndex):
(JSC::computeUsesForBytecodeOffset): Deleted.
(JSC::computeDefsForBytecodeOffset): Deleted.
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromLLInt):
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeExitSiteData):
* bytecode/CallLinkStatus.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
(JSC::CodeBlock::addRareCaseProfile):
(JSC::CodeBlock::rareCaseProfileForBytecodeIndex):
(JSC::CodeBlock::rareCaseProfileCountForBytecodeIndex):
(JSC::CodeBlock::handlerForBytecodeIndex):
(JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndex):
(JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow):
(JSC::CodeBlock::lineNumberForBytecodeIndex):
(JSC::CodeBlock::columnNumberForBytecodeIndex):
(JSC::CodeBlock::expressionRangeForBytecodeIndex const):
(JSC::CodeBlock::hasOpDebugForLineAndColumn):
(JSC::CodeBlock::getArrayProfile):
(JSC::CodeBlock::tryGetValueProfileForBytecodeIndex):
(JSC::CodeBlock::valueProfilePredictionForBytecodeIndex):
(JSC::CodeBlock::valueProfileForBytecodeIndex):
(JSC::CodeBlock::validate):
(JSC::CodeBlock::arithProfileForBytecodeIndex):
(JSC::CodeBlock::couldTakeSpecialArithFastCase):
(JSC::CodeBlock::bytecodeIndexFromCallSiteIndex):
(JSC::CodeBlock::rareCaseProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset): Deleted.
(JSC::CodeBlock::handlerForBytecodeOffset): Deleted.
(JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset): Deleted.
(JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow): Deleted.
(JSC::CodeBlock::lineNumberForBytecodeOffset): Deleted.
(JSC::CodeBlock::columnNumberForBytecodeOffset): Deleted.
(JSC::CodeBlock::expressionRangeForBytecodeOffset const): Deleted.
(JSC::CodeBlock::tryGetValueProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): Deleted.
(JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::arithProfileForBytecodeOffset): Deleted.
(JSC::CodeBlock::couldTakeSpecialFastCase): Deleted.
(JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::likelyToTakeSlowCase):
(JSC::CodeBlock::couldTakeSlowCase):
(JSC::CodeBlock::bytecodeIndex):
* bytecode/CodeOrigin.cpp:
(JSC::CodeOrigin::approximateHash const):
(JSC::CodeOrigin::dump const):
* bytecode/CodeOrigin.h:
(JSC::CodeOrigin::CodeOrigin):
(JSC::CodeOrigin::isSet const):
(JSC::CodeOrigin::isHashTableDeletedValue const):
(JSC::CodeOrigin::bytecodeIndex const):
(JSC::CodeOrigin::OutOfLineCodeOrigin::OutOfLineCodeOrigin):
(JSC::CodeOrigin::buildCompositeValue):
(JSC::CodeOrigin::hash const):
* bytecode/DFGExitProfile.cpp:
(JSC::DFG::FrequentExitSite::dump const):
(JSC::DFG::ExitProfile::exitSitesFor):
* bytecode/DFGExitProfile.h:
(JSC::DFG::FrequentExitSite::FrequentExitSite):
(JSC::DFG::FrequentExitSite::operator== const):
(JSC::DFG::FrequentExitSite::subsumes const):
(JSC::DFG::FrequentExitSite::hash const):
(JSC::DFG::FrequentExitSite::bytecodeIndex const):
(JSC::DFG::FrequentExitSite::isHashTableDeletedValue const):
(JSC::DFG::QueryableExitProfile::hasExitSite const):
(JSC::DFG::FrequentExitSite::bytecodeOffset const): Deleted.
* bytecode/DeferredSourceDump.cpp:
(JSC::DeferredSourceDump::DeferredSourceDump):
(JSC::DeferredSourceDump::dump):
* bytecode/DeferredSourceDump.h:
(): Deleted.
* bytecode/FullBytecodeLiveness.h:
(JSC::FullBytecodeLiveness::getLiveness const):
(JSC::FullBytecodeLiveness::operandIsLive const):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
(JSC::GetByIdStatus::computeFor):
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdStatus.h:
* bytecode/ICStatusUtils.cpp:
(JSC::hasBadCacheExitSite):
* bytecode/ICStatusUtils.h:
* bytecode/InByIdStatus.cpp:
(JSC::InByIdStatus::computeFor):
* bytecode/InByIdStatus.h:
* bytecode/InlineCallFrame.cpp:
(JSC::InlineCallFrame::dumpInContext const):
* bytecode/InstanceOfStatus.cpp:
(JSC::InstanceOfStatus::computeFor):
* bytecode/InstanceOfStatus.h:
* bytecode/InstructionStream.h:
(JSC::InstructionStream::BaseRef::offset const):
(JSC::InstructionStream::BaseRef::index const):
(JSC::InstructionStream::at const):
* bytecode/LazyOperandValueProfile.h:
(JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
(JSC::LazyOperandValueProfileKey::operator== const):
(JSC::LazyOperandValueProfileKey::hash const):
(JSC::LazyOperandValueProfileKey::bytecodeIndex const):
(JSC::LazyOperandValueProfileKey::isHashTableDeletedValue const):
(JSC::LazyOperandValueProfileKey::bytecodeOffset const): Deleted.
* bytecode/MethodOfGettingAValueProfile.cpp:
(JSC::MethodOfGettingAValueProfile::fromLazyOperand):
* bytecode/MethodOfGettingAValueProfile.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
(JSC::PutByIdStatus::computeFor):
* bytecode/PutByIdStatus.h:
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::StructureStubInfo):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::lineNumberForBytecodeIndex):
(JSC::UnlinkedCodeBlock::expressionRangeForBytecodeIndex const):
(JSC::UnlinkedCodeBlock::handlerForBytecodeIndex):
(JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset const): Deleted.
(JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
* bytecode/UnlinkedCodeBlock.h:
* bytecode/ValueProfile.h:
(JSC::RareCaseProfile::RareCaseProfile):
(JSC::getRareCaseProfileBytecodeIndex):
(JSC::getRareCaseProfileBytecodeOffset): Deleted.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::ForInContext::finalize):
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::currentPosition):
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::BasicBlock):
* dfg/DFGBasicBlock.h:
(JSC::DFG::getBytecodeBeginForBlock):
(JSC::DFG::blockForBytecodeIndex):
(JSC::DFG::blockForBytecodeOffset): Deleted.
* dfg/DFGBlockInsertionSet.cpp:
(JSC::DFG::BlockInsertionSet::insert):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushForTerminalImpl):
(JSC::DFG::ByteCodeParser::flushIfTerminal):
(JSC::DFG::ByteCodeParser::branchData):
(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
(JSC::DFG::ByteCodeParser::getPrediction):
(JSC::DFG::ByteCodeParser::getArrayMode):
(JSC::DFG::ByteCodeParser::makeSafe):
(JSC::DFG::ByteCodeParser::makeDivSafe):
(JSC::DFG::ByteCodeParser::allocateTargetableBlock):
(JSC::DFG::ByteCodeParser::allocateUntargetableBlock):
(JSC::DFG::ByteCodeParser::makeBlockTargetable):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
(JSC::DFG::ByteCodeParser::inlineCall):
(JSC::DFG::ByteCodeParser::handleCallVariant):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::linkBlock):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
(JSC::DFG::ByteCodeParser::parse):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::addCodeOrigin):
(JSC::DFG::CommonData::addUniqueCallSiteIndex):
(JSC::DFG::CommonData::lastCallSite const):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
(JSC::DFG::CommonData::appendCatchEntrypoint):
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
(JSC::DFG::compile):
* dfg/DFGDriver.h:
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
(JSC::DFG::Graph::willCatchExceptionInMachineFrame):
* dfg/DFGGraph.h:
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::clearOSREntryBlockAndResetThresholds):
* dfg/DFGJITCode.h:
(JSC::DFG::JITCode::appendOSREntryData):
(JSC::DFG::JITCode::osrEntryDataForBytecodeIndex):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::JITCompiler):
(JSC::DFG::JITCompiler::compile):
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::setStartOfCode):
* dfg/DFGLiveCatchVariablePreservationPhase.cpp:
(JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::OSREntryData::dumpInContext const):
(JSC::DFG::prepareOSREntry):
(JSC::DFG::prepareCatchOSREntry):
* dfg/DFGOSREntry.h:
(JSC::DFG::getOSREntryDataBytecodeIndex):
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::adjustAndJumpToTarget):
(JSC::DFG::printOSRExit):
(JSC::DFG::OSRExit::compileExit):
(JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
* dfg/DFGOSRExit.h:
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::callerReturnPC):
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::adjustAndJumpToTarget):
* dfg/DFGOSRExitCompilerCommon.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::Plan):
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
* dfg/DFGPlan.h:
(JSC::DFG::Plan::osrEntryBytecodeIndex const):
(JSC::DFG::Plan::tierUpInLoopHierarchy):
(JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::checkArgumentTypes):
(JSC::DFG::SpeculativeJIT::compileValueAdd):
(JSC::DFG::SpeculativeJIT::compileValueSub):
(JSC::DFG::SpeculativeJIT::compileValueNegate):
(JSC::DFG::SpeculativeJIT::compileValueMul):
(JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):
(JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
* dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
(JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
* dfg/DFGValidate.cpp:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLForOSREntryJITCode.h:
(JSC::FTL::ForOSREntryJITCode::setBytecodeIndex):
(JSC::FTL::ForOSREntryJITCode::bytecodeIndex const):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
(JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
(JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
(JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
(JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
* ftl/FTLOSREntry.cpp:
(JSC::FTL::prepareOSREntry):
* ftl/FTLOSREntry.h:
* interpreter/CallFrame.cpp:
(JSC::CallFrame::callSiteIndex const):
(JSC::CallFrame::unsafeCallSiteIndex const):
(JSC::CallFrame::setCurrentVPC):
(JSC::CallFrame::bytecodeIndex):
(JSC::CallFrame::codeOrigin):
(JSC::CallFrame::dump):
(JSC::CallFrame::bytecodeOffset): Deleted.
* interpreter/CallFrame.h:
(JSC::CallSiteIndex::CallSiteIndex):
(JSC::CallSiteIndex::operator bool const):
(JSC::CallSiteIndex::operator== const):
(JSC::CallSiteIndex::bits const):
(JSC::CallSiteIndex::bytecodeIndex const):
(JSC::DisposableCallSiteIndex::DisposableCallSiteIndex):
(): Deleted.
* interpreter/Interpreter.cpp:
(JSC::GetStackTraceFunctor::operator() const):
(JSC::findExceptionHandler):
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::update):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::readNonInlinedFrame):
(JSC::StackVisitor::readInlinedFrame):
(JSC::StackVisitor::Frame::retrieveExpressionInfo const):
(JSC::StackVisitor::Frame::dump const):
* interpreter/StackVisitor.h:
(JSC::StackVisitor::Frame::bytecodeIndex const):
(JSC::StackVisitor::Frame::bytecodeOffset const): Deleted.
* jit/JIT.cpp:
(JSC::JIT::JIT):
(JSC::JIT::emitEnterOptimizationCheck):
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::link):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
(JSC::CallRecord::CallRecord):
(JSC::SlowCaseEntry::SlowCaseEntry):
(JSC::SwitchRecord::SwitchRecord):
(JSC::ByValCompilationInfo::ByValCompilationInfo):
* jit/JITCall.cpp:
(JSC::JIT::compileCallEvalSlowCase):
(JSC::JIT::compileOpCall):
* jit/JITCodeMap.h:
(JSC::JITCodeMap::Entry::Entry):
(JSC::JITCodeMap::Entry::bytecodeIndex const):
(JSC::JITCodeMap::append):
(JSC::JITCodeMap::find const):
* jit/JITDisassembler.cpp:
(JSC::JITDisassembler::dumpVectorForInstructions):
(JSC::JITDisassembler::reportInstructions):
* jit/JITDisassembler.h:
* jit/JITInlines.h:
(JSC::JIT::emitNakedCall):
(JSC::JIT::emitNakedTailCall):
(JSC::JIT::updateTopCallFrame):
(JSC::JIT::linkAllSlowCasesForBytecodeIndex):
(JSC::JIT::addSlowCase):
(JSC::JIT::addJump):
(JSC::JIT::emitJumpSlowToHot):
(JSC::JIT::emitGetVirtualRegister):
(JSC::JIT::linkAllSlowCasesForBytecodeOffset): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::emitSlow_op_loop_hint):
(JSC::JIT::emit_op_has_indexed_property):
(JSC::JIT::emit_op_log_shadow_chicken_tail):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::emit_op_has_indexed_property):
* jit/JITOperations.cpp:
(JSC::getByVal):
(JSC::tryGetByValOptimize):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitGetByValWithCachedId):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitPutByValWithCachedId):
(JSC::JIT::emit_op_try_get_by_id):
(JSC::JIT::emit_op_get_by_id_direct):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_get_by_id_with_this):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emit_op_in_by_id):
* jit/JITWorklist.cpp:
(JSC::JITWorklist::Plan::Plan):
(JSC::JITWorklist::Plan::compileNow):
(JSC::JITWorklist::compileLater):
(JSC::JITWorklist::compileNow):
* jit/JITWorklist.h:
* jit/PCToCodeOriginMap.cpp:
(JSC::PCToCodeOriginMap::PCToCodeOriginMap):
(JSC::PCToCodeOriginMap::findPC const):
* jit/PCToCodeOriginMap.h:
(JSC::PCToCodeOriginMapBuilder::defaultCodeOrigin):
* jit/SlowPathCall.h:
(JSC::JITSlowPathCall::call):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::jitCompileAndSetHeuristics):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* profiler/ProfilerOrigin.cpp:
(JSC::Profiler::Origin::Origin):
(JSC::Profiler::Origin::dump const):
(JSC::Profiler::Origin::toJS const):
* profiler/ProfilerOrigin.h:
(JSC::Profiler::Origin::Origin):
(JSC::Profiler::Origin::operator! const):
(JSC::Profiler::Origin::bytecodeIndex const):
(JSC::Profiler::Origin::hash const):
(JSC::Profiler::Origin::isHashTableDeletedValue const):
* runtime/Error.cpp:
(JSC::getBytecodeIndex):
(JSC::getBytecodeOffset): Deleted.
* runtime/Error.h:
* runtime/ErrorInstance.cpp:
(JSC::appendSourceToError):
(JSC::ErrorInstance::finishCreation):
* runtime/SamplingProfiler.cpp:
(JSC::tryGetBytecodeIndex):
(JSC::SamplingProfiler::processUnverifiedStackTraces):
(JSC::SamplingProfiler::reportTopBytecodes):
* runtime/SamplingProfiler.h:
(JSC::SamplingProfiler::StackFrame::CodeLocation::hasBytecodeIndex const):
* runtime/StackFrame.cpp:
(JSC::StackFrame::StackFrame):
(JSC::StackFrame::computeLineAndColumn const):
* runtime/StackFrame.h:
(JSC::StackFrame::hasBytecodeIndex const):
(JSC::StackFrame::bytecodeIndex):
(JSC::StackFrame::hasBytecodeOffset const): Deleted.
(JSC::StackFrame::bytecodeOffset): Deleted.
* tools/VMInspector.cpp:
(JSC::VMInspector::dumpRegisters):

2019-10-22 Yusuke Suzuki <ysuzuki@apple.com>

Unreviewed, make 32-bit JIT build
https://bugs.webkit.org/show_bug.cgi?id=202392

This patch makes the 32-bit JIT build, at least.

* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_throw):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitGetByValWithCachedId):
(JSC::JIT::emitSlow_op_get_by_id_direct):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::emitSlow_op_get_from_scope):

2019-10-22 Yusuke Suzuki <ysuzuki@apple.com>

[JSC] Remove non-LargeAllocation restriction for JSCallee
https://bugs.webkit.org/show_bug.cgi?id=203260

Reviewed by Saam Barati.

We now pass JSGlobalObject* instead of ExecState*, and we get VM& from JSGlobalObject*.
Because accessing ExecState::vm() now becomes less frequent, we can remove the restriction that
the callee is only allocated in non-LargeAllocation, a restriction that made ExecState::vm fast.

This patch renames `CallFrame::vm` to `CallFrame::deprecatedVM`, and we avoid using it as much as possible.
We also remove the restriction that the callee needs to be in non-LargeAllocation.

* API/JSContextRef.cpp:
(JSContextCreateBacktrace):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::noticeIncomingCall):
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::deprecatedVMEntryGlobalObject const):
(JSC::DebuggerCallFrame::functionName const):
(JSC::DebuggerCallFrame::scope):
(JSC::DebuggerCallFrame::type const):
(JSC::DebuggerCallFrame::evaluateWithScopeExtension):
(JSC::DebuggerCallFrame::positionForCallFrame):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
(JSC::DFG::OSRExit::compileOSRExit):
(JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
* dfg/DFGOperations.cpp:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLOperations.cpp:
(JSC::FTL::compileFTLLazySlowPath):
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack):
(Inspector::createScriptCallStackForConsole):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::callerSourceOrigin):
(JSC::CallFrame::friendlyFunctionName):
* interpreter/CallFrame.h:
(JSC::CallFrame::iterate):
* interpreter/Interpreter.cpp:
(JSC::sizeOfVarargs):
(JSC::sizeFrameForVarargs):
(JSC::Interpreter::getStackTrace):
(JSC::Interpreter::unwind):
(JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
(JSC::Interpreter::debug):
* interpreter/Interpreter.h:
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::update):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::StackVisitor):
(JSC::StackVisitor::Frame::functionName const):
* interpreter/StackVisitor.h:
(JSC::StackVisitor::visit):
* jit/HostCallReturnValue.cpp:
(JSC::getHostCallReturnValueWithExecState):
* jit/JITOperations.cpp:
* jit/Repatch.cpp:
(JSC::linkFor):
(JSC::linkPolymorphicCall):
* jit/Repatch.h:
* jsc.cpp:
(functionJSCStack):
(functionRunString):
(functionLoadString):
(functionCallerSourceOrigin):
(functionCallerIsOMGCompiled):
(functionDollarEvalScript):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Error.cpp:
(JSC::getBytecodeOffset):
* runtime/FunctionConstructor.cpp:
(JSC::constructFunction):
* runtime/JSCellInlines.h:
(JSC::CallFrame::deprecatedVM const):
(JSC::CallFrame::vm const): Deleted.
* runtime/JSFunction.cpp:
(JSC::retrieveArguments):
(JSC::JSFunction::argumentsGetter):
(JSC::retrieveCallerFunction):
(JSC::JSFunction::callerGetter):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGlobalObject.cpp:
(JSC::assertCall):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncEval):
(JSC::globalFuncImportModule):
* runtime/NullSetterFunction.cpp:
(JSC::callerIsStrict):
(JSC::NullSetterFunctionInternal::callReturnUndefined):
* tools/JSDollarVM.cpp:
(IGNORE_WARNINGS_BEGIN):
(JSC::functionLLintTrue):
(JSC::functionJITTrue):
(JSC::functionDumpRegisters):
(JSC::functionShadowChickenFunctionsOnStack):
* tools/VMInspector.cpp:
(JSC::VMInspector::codeBlockForFrame):
(JSC::VMInspector::dumpCallFrame):
(JSC::VMInspector::dumpRegisters):
(JSC::VMInspector::dumpStack):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):

2019-10-22 Mark Lam <mark.lam@apple.com>

Clients of JSArray::tryCreateUninitializedRestricted() should invoke the mutatorFence().
https://bugs.webkit.org/show_bug.cgi?id=203231
<rdar://problem/56486552>

Reviewed by Saam Barati.

Clients of JSArray::tryCreateUninitializedRestricted() create a partially
initialized JSArray butterfly, with the contract that it (the client) will take
care of filling in all the missing indexed properties before setting the newly
created array loose in the world. We intentionally do not unconditionally write
barrier the newly created array but, instead, rely on an owner object (or GC root)
that it gets put into to scan it.

That said, we do need to ensure that all the stores are completed before this
array is put in an owner object (or GC root) which makes it scannable by the GC.
This ensures that the GC will not be scanning a partially initialized array
butterfly. To achieve this, we should invoke the mutatorFence after the clients
of JSArray::tryCreateUninitializedRestricted() finish initializing the array.

By design, all clients of tryCreateUninitializedRestricted() must instantiate an
ObjectInitializationScope RAII object. This patch makes use of the
ObjectInitializationScope destructor to invoke the mutatorFence.

Note: we technically only need to invoke the fence if we succeeded in allocating
the array. However, we just invoke the fence unconditionally because we expect
that in the common path, we will succeed in allocating the array. The release
build version of ObjectInitializationScope does not keep a record of whether we
succeeded in allocating the array anyway. To keep the behavior consistent, the
debug build version of ObjectInitializationScope will also unconditionally
invoke the fence even if we failed to allocate the array.

This patch also does the following:

1. Replaced the setting of the public length in arrayProtoPrivateFuncConcatMemcpy()
with an assertion. The public length was already set by
tryCreateUninitializedRestricted() earlier.
Ditto for JSArray::fastSlice().

2. Removed a redundant instance of ObjectInitializationScope in
createEmptyRegExpMatchesArray().

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoPrivateFuncConcatMemcpy):
* runtime/JSArray.cpp:
(JSC::JSArray::fastSlice):
* runtime/ObjectInitializationScope.cpp:
(JSC::ObjectInitializationScope::~ObjectInitializationScope):
* runtime/ObjectInitializationScope.h:
(JSC::ObjectInitializationScope::~ObjectInitializationScope):
* runtime/RegExpMatchesArray.cpp:
(JSC::createEmptyRegExpMatchesArray):
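A standalone C++ model of the contract described in this entry, added here as an example rather than JSC's own code: ObjectInitializationScope, tryCreateUninitializedRestricted, fastSliceModel and the owner slot are simplified stand-ins, and the event log is a constructed check that the fence issued by the scope destructor lands after the last element store and before the array is published.

```cpp
#include <atomic>
#include <memory>
#include <string>
#include <vector>
// Constructed event log: every element store must precede the mutatorFence, and the fence must precede publication.
using EventLog = std::vector<std::string>;
// Simplified stand-in for JSC's ObjectInitializationScope: its destructor issues
// the mutator fence (modelled as a release fence) when initialization ends.
struct ObjectInitializationScope {
    EventLog& log;
    explicit ObjectInitializationScope(EventLog& l) : log(l) {}
    ~ObjectInitializationScope() {
        std::atomic_thread_fence(std::memory_order_release);  // the "mutatorFence"
        log.push_back("mutatorFence");
    }
};
// Simplified butterfly: public length is set at creation, slots start as holes (-1).
struct Butterfly { std::size_t publicLength = 0; std::vector<int> slots; };
std::unique_ptr<Butterfly> tryCreateUninitializedRestricted(ObjectInitializationScope&, std::size_t length) {
    auto b = std::make_unique<Butterfly>();
    b->publicLength = length;  // already set here, so clients need only assert it
    b->slots.assign(length, -1);
    return b;
}
std::atomic<Butterfly*> g_ownerSlot{nullptr};  // owner object / GC root that makes the array scannable
// Model of JSArray::fastSlice: fill every slot inside the scope, publish only after it ends.
std::unique_ptr<Butterfly> fastSliceModel(EventLog& log, const std::vector<int>& src, std::size_t begin, std::size_t count) {
    std::unique_ptr<Butterfly> result;
    {
        ObjectInitializationScope scope(log);
        result = tryCreateUninitializedRestricted(scope, count);
        for (std::size_t i = 0; i < count; ++i) {
            result->slots[i] = src[begin + i];
            log.push_back("store");
        }
    }  // scope destructor runs here: the fence lands before the publish below
    g_ownerSlot.store(result.get(), std::memory_order_release);
    log.push_back("publish");
    return result;
}
// True iff the last store precedes the first fence and that fence precedes the publish.
bool fencedBeforePublish(const EventLog& log) {
    long lastStore = -1, fence = -1, publish = -1;
    for (std::size_t i = 0; i < log.size(); ++i) {
        if (log[i] == "store") lastStore = long(i);
        else if (log[i] == "mutatorFence" && fence < 0) fence = long(i);
        else if (log[i] == "publish" && publish < 0) publish = long(i);
    }
    return fence >= 0 && publish >= 0 && lastStore < fence && fence < publish;
}
```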

2019-10-22 Mark Lam <mark.lam@apple.com>

Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky().
https://bugs.webkit.org/show_bug.cgi?id=203230
<rdar://problem/56460749>

Reviewed by Robin Morisset.

operationRegExpExecNonGlobalOrSticky() was asserting no exception when
createRegExpMatchesArray() returns null. createRegExpMatchesArray() only returns
null when RegExp::matchInline() returns -1. RegExp::matchInline() can return -1
either when there's an error, or if the match fails. When there's an error,
RegExp::matchInline() also throws an exception via a throwError() helper.

This patch fixes operationRegExpExecNonGlobalOrSticky() to check for an exception
being thrown, or createRegExpMatchesArray() returning a null array due to a failed
match.

* dfg/DFGOperations.cpp:

2019-10-22 Adrian Perez de Castro <aperez@igalia.com>

[GTK][WPE] Fix non-unified builds after r251326
https://bugs.webkit.org/show_bug.cgi?id=203244

Reviewed by Youenn Fablet.

* ftl/FTLOSREntry.h: Add missing forward declaration of JSC::VM.
* inspector/ScriptCallStackFactory.h: Add missing forward declaration of JSC::JSGlobalObject.
* llint/LLIntExceptions.h: Add missing forward declaration of JSC::VM.
* runtime/ExceptionFuzz.h: Add missing forward declaration of JSC::JSGlobalObject.
* runtime/JSDateMath.h: Ditto.
* runtime/JSStringJoiner.h: Add missing inclusion of the JSGlobalObject.h header.
* runtime/Watchdog.h: Add missing forward declaration of JSC::JSGlobalObject.
* wasm/WasmOperations.h: Add missing forward declaration of JSC::JSWebAssemblyInstance.

2019-10-21 Yusuke Suzuki <ysuzuki@apple.com>

[JSC] Thread JSGlobalObject* instead of ExecState*
https://bugs.webkit.org/show_bug.cgi?id=202392

Reviewed by Geoffrey Garen.

This patch replaces JSC's convention entirely: instead of passing ExecState*, we pass the lexical JSGlobalObject*.
We have had many issues historically.

1. We have a hack like global-exec, since many runtime functions take ExecState* while a valid ExecState* is populated only after executing some JS function.
2. We pass ExecState* without considering whether it is the correct one when inlining a function. If the inlined function has a different realm, `exec->lexicalGlobalObject()` just returns the wrong JSGlobalObject*.

This patch attempts to remove these issues entirely by passing JSGlobalObject* instead of ExecState*.

1. We change ExecState* to JSGlobalObject*.
2. JIT operations should take JSGlobalObject* instead of ExecState* to reflect the inlinee's JSGlobalObject* correctly.
3. We get CallFrame* by using `__builtin_frame_address(1)` in JIT operations. When it is not available, we put CallFrame* into `vm.topCallFrame` on the caller side and load it from VM.
4. We remove ExecState*. The actual call frame is always called `CallFrame*`. CallFrame* is passed only when CallFrame* is actually needed: accessing arguments, OSR, etc.
5. LLInt and Baseline slow paths just get CallFrame*. They get CodeBlock from CallFrame* and get VM& and JSGlobalObject* from it, since they do not have inlining.
6. We basically removed `VM::vmEntryGlobalObject`. It returns JSGlobalObject* from VMEntryScope. APIs and Completion.cpp use this, but they are wrong. And by using the lexical JSGlobalObject*, we fixed WPT issues.