| 2019-10-07 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Change signature of HostFunction to (JSGlobalObject*, CallFrame*) |
| https://bugs.webkit.org/show_bug.cgi?id=202569 |
| |
| Reviewed by Saam Barati. |
| |
| This patch changes JSC host-functions's signature from `CallFrame*` to `JSGlobalObject*, CallFrame*`. |
| We would like to replace the current `ExecState*` use with `JSGlobalObject*` to fix many issues, remove |
| globalExec() hack, and remove `ExecState::vm()` hack. This is important since this hack prevents us from |
| implementing scalable IsoSubspace optimization, which leads to putting all JS cells in each IsoSubspace. |
| |
| To get lexical JSGlobalObject in a super fast way, we put it in JSFunction/InternalFunction's field. |
| And trampoline gets JSGlobalObject from callee, and passes it as its argument. Since this trampoline already |
| accesses to the field of callee to get executable address, getting another field is fairly cheap. |
| The memory increase does not matter in this case. The sizeof(JSFunction) is 40. Since our allocation size of |
| JSCells are rounded by 16, increasing one field does not change the actual allocation size. And # of InternalFunction |
| is very limited since it is only used for constructors in JSC. |
| |
| This patch changes the signature. And for the ExecState* -> JSGlobalObject* preparation, we use `CallFrame*` name |
| instead of `ExecState*` in the host-functions. And use `callFrame` variable name instead of `state` or `exec`. |
| And we also get VM& from `JSGlobalObject*` instead of `CallFrame*` since it is faster. |
| |
| * API/APICallbackFunction.h: |
| (JSC::APICallbackFunction::call): |
| (JSC::APICallbackFunction::construct): |
| * API/APICast.h: |
| * API/JSAPIGlobalObject.mm: |
| (JSC::JSAPIGlobalObject::moduleLoaderFetch): |
| * API/JSBaseInternal.h: |
| * API/JSCallbackObject.h: |
| * API/JSCallbackObjectFunctions.h: |
| (JSC::JSCallbackObject<Parent>::construct): |
| (JSC::JSCallbackObject<Parent>::call): |
| * bytecode/InlineCallFrame.h: |
| * debugger/Debugger.h: |
| * dfg/DFGArithMode.h: |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor): |
| (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): |
| * dfg/DFGGraph.h: |
| * dfg/DFGOSREntry.h: |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| * ftl/FTLOSREntry.h: |
| * inspector/ConsoleMessage.h: |
| * inspector/InjectedScriptBase.cpp: |
| (Inspector::InjectedScriptBase::makeAsyncCall): |
| * inspector/InjectedScriptManager.h: |
| * inspector/JSGlobalObjectInspectorController.h: |
| * inspector/JSInjectedScriptHostPrototype.cpp: |
| (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate): |
| (Inspector::jsInjectedScriptHostPrototypeAttributeSavedResultAlias): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionIsPromiseRejectedWithNativeGetterTypeError): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionProxyTargetValue): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionQueryInstances): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionQueryHolders): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties): |
| * inspector/JSJavaScriptCallFramePrototype.cpp: |
| (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension): |
| (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions): |
| (Inspector::jsJavaScriptCallFrameAttributeCaller): |
| (Inspector::jsJavaScriptCallFrameAttributeSourceID): |
| (Inspector::jsJavaScriptCallFrameAttributeLine): |
| (Inspector::jsJavaScriptCallFrameAttributeColumn): |
| (Inspector::jsJavaScriptCallFrameAttributeFunctionName): |
| (Inspector::jsJavaScriptCallFrameAttributeScopeChain): |
| (Inspector::jsJavaScriptCallFrameAttributeThisObject): |
| (Inspector::jsJavaScriptCallFrameAttributeType): |
| (Inspector::jsJavaScriptCallFrameIsTailDeleted): |
| * inspector/ScriptArguments.h: |
| * inspector/ScriptCallStackFactory.h: |
| * inspector/ScriptDebugServer.h: |
| * inspector/agents/InspectorConsoleAgent.h: |
| * interpreter/AbstractPC.h: |
| * interpreter/CallFrame.h: |
| (JSC::ExecState::guaranteedJSValueCallee const): Deleted. |
| (JSC::ExecState::jsCallee const): Deleted. |
| (JSC::ExecState::callee const): Deleted. |
| (JSC::ExecState::unsafeCallee const): Deleted. |
| (JSC::ExecState::codeBlock const): Deleted. |
| (JSC::ExecState::addressOfCodeBlock const): Deleted. |
| (JSC::ExecState::unsafeCodeBlock const): Deleted. |
| (JSC::ExecState::scope const): Deleted. |
| (JSC::ExecState::create): Deleted. |
| (JSC::ExecState::registers): Deleted. |
| (JSC::ExecState::registers const): Deleted. |
| (JSC::ExecState::operator=): Deleted. |
| (JSC::ExecState::callerFrame const): Deleted. |
| (JSC::ExecState::callerFrameOrEntryFrame const): Deleted. |
| (JSC::ExecState::unsafeCallerFrameOrEntryFrame const): Deleted. |
| (JSC::ExecState::callerFrameOffset): Deleted. |
| (JSC::ExecState::returnPC const): Deleted. |
| (JSC::ExecState::hasReturnPC const): Deleted. |
| (JSC::ExecState::clearReturnPC): Deleted. |
| (JSC::ExecState::returnPCOffset): Deleted. |
| (JSC::ExecState::abstractReturnPC): Deleted. |
| (JSC::ExecState::topOfFrame): Deleted. |
| (JSC::ExecState::setCallerFrame): Deleted. |
| (JSC::ExecState::setScope): Deleted. |
| (JSC::ExecState::argumentCount const): Deleted. |
| (JSC::ExecState::argumentCountIncludingThis const): Deleted. |
| (JSC::ExecState::argumentOffset): Deleted. |
| (JSC::ExecState::argumentOffsetIncludingThis): Deleted. |
| (JSC::ExecState::addressOfArgumentsStart const): Deleted. |
| (JSC::ExecState::argument): Deleted. |
| (JSC::ExecState::uncheckedArgument): Deleted. |
| (JSC::ExecState::setArgument): Deleted. |
| (JSC::ExecState::getArgumentUnsafe): Deleted. |
| (JSC::ExecState::thisArgumentOffset): Deleted. |
| (JSC::ExecState::thisValue): Deleted. |
| (JSC::ExecState::setThisValue): Deleted. |
| (JSC::ExecState::newTarget): Deleted. |
| (JSC::ExecState::offsetFor): Deleted. |
| (JSC::ExecState::noCaller): Deleted. |
| (JSC::ExecState::isGlobalExec const): Deleted. |
| (JSC::ExecState::setArgumentCountIncludingThis): Deleted. |
| (JSC::ExecState::setCallee): Deleted. |
| (JSC::ExecState::setCodeBlock): Deleted. |
| (JSC::ExecState::setReturnPC): Deleted. |
| (JSC::ExecState::iterate): Deleted. |
| (JSC::ExecState::argIndexForRegister): Deleted. |
| (JSC::ExecState::callerFrameAndPC): Deleted. |
| (JSC::ExecState::callerFrameAndPC const): Deleted. |
| (JSC::ExecState::unsafeCallerFrameAndPC const): Deleted. |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::executeProgram): |
| (JSC::Interpreter::executeCall): |
| (JSC::Interpreter::executeConstruct): |
| (JSC::Interpreter::prepareForRepeatCall): |
| (JSC::Interpreter::execute): |
| (JSC::Interpreter::executeModuleProgram): |
| * interpreter/ProtoCallFrame.h: |
| (JSC::ProtoCallFrame::init): |
| * interpreter/Register.h: |
| * interpreter/ShadowChicken.h: |
| * interpreter/StackVisitor.h: |
| * interpreter/VMEntryRecord.h: |
| (JSC::VMEntryRecord::prevTopCallFrame): |
| (JSC::VMEntryRecord::unsafePrevTopCallFrame): |
| * jit/CCallHelpers.h: |
| * jit/JITExceptions.h: |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/ThunkGenerators.cpp: |
| (JSC::nativeForGenerator): |
| * jsc.cpp: |
| (GlobalObject::finishCreation): |
| (functionPrintStdOut): |
| (functionPrintStdErr): |
| (functionDebug): |
| (functionDescribe): |
| (functionDescribeArray): |
| (functionSleepSeconds): |
| (functionJSCStack): |
| (functionGCAndSweep): |
| (functionFullGC): |
| (functionEdenGC): |
| (functionHeapSize): |
| (functionResetMemoryPeak): |
| (functionAddressOf): |
| (functionVersion): |
| (functionRun): |
| (functionRunString): |
| (functionLoad): |
| (functionLoadString): |
| (functionReadFile): |
| (functionCheckSyntax): |
| (functionSetSamplingFlags): |
| (functionClearSamplingFlags): |
| (functionGetRandomSeed): |
| (functionSetRandomSeed): |
| (functionIsRope): |
| (functionCallerSourceOrigin): |
| (functionReadline): |
| (functionPreciseTime): |
| (functionNeverInlineFunction): |
| (functionNoDFG): |
| (functionNoFTL): |
| (functionNoOSRExitFuzzing): |
| (functionOptimizeNextInvocation): |
| (functionNumberOfDFGCompiles): |
| (functionCallerIsOMGCompiled): |
| (functionDollarCreateRealm): |
| (functionDollarEvalScript): |
| (functionDollarAgentStart): |
| (functionDollarAgentReceiveBroadcast): |
| (functionDollarAgentReport): |
| (functionDollarAgentSleep): |
| (functionDollarAgentBroadcast): |
| (functionDollarAgentGetReport): |
| (functionDollarAgentLeaving): |
| (functionDollarAgentMonotonicNow): |
| (functionWaitForReport): |
| (functionHeapCapacity): |
| (functionFlashHeapAccess): |
| (functionDisableRichSourceInfo): |
| (functionMallocInALoop): |
| (functionTotalCompileTime): |
| (functionJSCOptions): |
| (functionReoptimizationRetryCount): |
| (functionTransferArrayBuffer): |
| (functionFailNextNewCodeBlock): |
| (functionQuit): |
| (functionFalse): |
| (functionUndefined1): |
| (functionUndefined2): |
| (functionIsInt32): |
| (functionIsPureNaN): |
| (functionIdentity): |
| (functionEffectful42): |
| (functionMakeMasquerader): |
| (functionHasCustomProperties): |
| (functionDumpTypesForAllVariables): |
| (functionDrainMicrotasks): |
| (functionReleaseWeakRefs): |
| (functionIs32BitPlatform): |
| (functionCreateGlobalObject): |
| (functionCheckModuleSyntax): |
| (functionPlatformSupportsSamplingProfiler): |
| (functionGenerateHeapSnapshot): |
| (functionGenerateHeapSnapshotForGCDebugging): |
| (functionResetSuperSamplerState): |
| (functionEnsureArrayStorage): |
| (functionStartSamplingProfiler): |
| (functionSamplingProfilerStackTraces): |
| (functionMaxArguments): |
| (functionAsyncTestStart): |
| (functionAsyncTestPassed): |
| (functionWebAssemblyMemoryMode): |
| (functionSetUnhandledRejectionCallback): |
| (runWithOptions): |
| (functionDollarDetachArrayBuffer): Deleted. |
| * llint/LLIntExceptions.h: |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::handleHostCall): |
| * llint/LLIntSlowPaths.h: |
| * llint/LowLevelInterpreter.cpp: |
| (JSC::CLoopRegister::callFrame const): |
| (JSC::CLoopRegister::execState const): Deleted. |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * offlineasm/cloop.rb: |
| * runtime/ArrayBufferView.h: |
| * runtime/ArrayConstructor.cpp: |
| (JSC::constructArrayWithSizeQuirk): |
| (JSC::constructWithArrayConstructor): |
| (JSC::callArrayConstructor): |
| (JSC::arrayConstructorPrivateFuncIsArraySlow): |
| * runtime/ArrayConstructor.h: |
| * runtime/ArrayPrototype.cpp: |
| (JSC::arrayProtoFuncSpeciesCreate): |
| (JSC::arrayProtoFuncToString): |
| (JSC::arrayProtoFuncToLocaleString): |
| (JSC::arrayProtoFuncJoin): |
| (JSC::arrayProtoFuncPop): |
| (JSC::arrayProtoFuncPush): |
| (JSC::arrayProtoFuncReverse): |
| (JSC::arrayProtoFuncShift): |
| (JSC::arrayProtoFuncSlice): |
| (JSC::arrayProtoFuncSplice): |
| (JSC::arrayProtoFuncUnShift): |
| (JSC::arrayProtoFuncIndexOf): |
| (JSC::arrayProtoFuncLastIndexOf): |
| (JSC::arrayProtoPrivateFuncConcatMemcpy): |
| (JSC::arrayProtoPrivateFuncAppendMemcpy): |
| * runtime/ArrayPrototype.h: |
| * runtime/AsyncFunctionConstructor.cpp: |
| (JSC::callAsyncFunctionConstructor): |
| (JSC::constructAsyncFunctionConstructor): |
| * runtime/AsyncGeneratorFunctionConstructor.cpp: |
| (JSC::callAsyncGeneratorFunctionConstructor): |
| (JSC::constructAsyncGeneratorFunctionConstructor): |
| * runtime/AtomicsObject.cpp: |
| (JSC::atomicsFuncAdd): |
| (JSC::atomicsFuncAnd): |
| (JSC::atomicsFuncCompareExchange): |
| (JSC::atomicsFuncExchange): |
| (JSC::atomicsFuncIsLockFree): |
| (JSC::atomicsFuncLoad): |
| (JSC::atomicsFuncOr): |
| (JSC::atomicsFuncStore): |
| (JSC::atomicsFuncSub): |
| (JSC::atomicsFuncWait): |
| (JSC::atomicsFuncWake): |
| (JSC::atomicsFuncXor): |
| * runtime/BigIntConstructor.cpp: |
| (JSC::callBigIntConstructor): |
| (JSC::bigIntConstructorFuncAsUintN): |
| (JSC::bigIntConstructorFuncAsIntN): |
| * runtime/BigIntPrototype.cpp: |
| (JSC::bigIntProtoFuncToStringImpl): |
| (JSC::bigIntProtoFuncToString): |
| (JSC::bigIntProtoFuncToLocaleString): |
| (JSC::bigIntProtoFuncValueOf): |
| * runtime/BooleanConstructor.cpp: |
| (JSC::callBooleanConstructor): |
| (JSC::constructWithBooleanConstructor): |
| (JSC::constructBooleanFromImmediateBoolean): |
| * runtime/BooleanPrototype.cpp: |
| (JSC::booleanProtoFuncToString): |
| (JSC::booleanProtoFuncValueOf): |
| * runtime/CallData.h: |
| * runtime/CommonSlowPaths.h: |
| * runtime/Completion.h: |
| * runtime/ConsoleClient.h: |
| * runtime/ConsoleObject.cpp: |
| (JSC::consoleLogWithLevel): |
| (JSC::consoleProtoFuncDebug): |
| (JSC::consoleProtoFuncError): |
| (JSC::consoleProtoFuncLog): |
| (JSC::consoleProtoFuncInfo): |
| (JSC::consoleProtoFuncWarn): |
| (JSC::consoleProtoFuncClear): |
| (JSC::consoleProtoFuncDir): |
| (JSC::consoleProtoFuncDirXML): |
| (JSC::consoleProtoFuncTable): |
| (JSC::consoleProtoFuncTrace): |
| (JSC::consoleProtoFuncAssert): |
| (JSC::consoleProtoFuncCount): |
| (JSC::consoleProtoFuncCountReset): |
| (JSC::consoleProtoFuncProfile): |
| (JSC::consoleProtoFuncProfileEnd): |
| (JSC::consoleProtoFuncTakeHeapSnapshot): |
| (JSC::consoleProtoFuncTime): |
| (JSC::consoleProtoFuncTimeLog): |
| (JSC::consoleProtoFuncTimeEnd): |
| (JSC::consoleProtoFuncTimeStamp): |
| (JSC::consoleProtoFuncGroup): |
| (JSC::consoleProtoFuncGroupCollapsed): |
| (JSC::consoleProtoFuncGroupEnd): |
| (JSC::consoleProtoFuncRecord): |
| (JSC::consoleProtoFuncRecordEnd): |
| (JSC::consoleProtoFuncScreenshot): |
| * runtime/ConstructData.h: |
| * runtime/DateConstructor.cpp: |
| (JSC::constructWithDateConstructor): |
| (JSC::callDate): |
| (JSC::dateParse): |
| (JSC::dateNowImpl): |
| (JSC::dateNow): |
| (JSC::dateUTC): |
| * runtime/DateConstructor.h: |
| * runtime/DatePrototype.cpp: |
| (JSC::dateProtoFuncToString): |
| (JSC::dateProtoFuncToUTCString): |
| (JSC::dateProtoFuncToISOString): |
| (JSC::dateProtoFuncToDateString): |
| (JSC::dateProtoFuncToTimeString): |
| (JSC::dateProtoFuncToLocaleString): |
| (JSC::dateProtoFuncToLocaleDateString): |
| (JSC::dateProtoFuncToLocaleTimeString): |
| (JSC::dateProtoFuncToPrimitiveSymbol): |
| (JSC::dateProtoFuncGetTime): |
| (JSC::dateProtoFuncGetFullYear): |
| (JSC::dateProtoFuncGetUTCFullYear): |
| (JSC::dateProtoFuncGetMonth): |
| (JSC::dateProtoFuncGetUTCMonth): |
| (JSC::dateProtoFuncGetDate): |
| (JSC::dateProtoFuncGetUTCDate): |
| (JSC::dateProtoFuncGetDay): |
| (JSC::dateProtoFuncGetUTCDay): |
| (JSC::dateProtoFuncGetHours): |
| (JSC::dateProtoFuncGetUTCHours): |
| (JSC::dateProtoFuncGetMinutes): |
| (JSC::dateProtoFuncGetUTCMinutes): |
| (JSC::dateProtoFuncGetSeconds): |
| (JSC::dateProtoFuncGetUTCSeconds): |
| (JSC::dateProtoFuncGetMilliSeconds): |
| (JSC::dateProtoFuncGetUTCMilliseconds): |
| (JSC::dateProtoFuncGetTimezoneOffset): |
| (JSC::dateProtoFuncSetTime): |
| (JSC::dateProtoFuncSetMilliSeconds): |
| (JSC::dateProtoFuncSetUTCMilliseconds): |
| (JSC::dateProtoFuncSetSeconds): |
| (JSC::dateProtoFuncSetUTCSeconds): |
| (JSC::dateProtoFuncSetMinutes): |
| (JSC::dateProtoFuncSetUTCMinutes): |
| (JSC::dateProtoFuncSetHours): |
| (JSC::dateProtoFuncSetUTCHours): |
| (JSC::dateProtoFuncSetDate): |
| (JSC::dateProtoFuncSetUTCDate): |
| (JSC::dateProtoFuncSetMonth): |
| (JSC::dateProtoFuncSetUTCMonth): |
| (JSC::dateProtoFuncSetFullYear): |
| (JSC::dateProtoFuncSetUTCFullYear): |
| (JSC::dateProtoFuncSetYear): |
| (JSC::dateProtoFuncGetYear): |
| (JSC::dateProtoFuncToJSON): |
| * runtime/DatePrototype.h: |
| * runtime/ECMAScriptSpecInternalFunctions.cpp: |
| (JSC::esSpecIsConstructor): |
| * runtime/ECMAScriptSpecInternalFunctions.h: |
| * runtime/Error.h: |
| * runtime/ErrorConstructor.cpp: |
| (JSC::ErrorConstructor::finishCreation): |
| (JSC::constructErrorConstructor): |
| (JSC::callErrorConstructor): |
| (JSC::ErrorConstructor::put): |
| (JSC::ErrorConstructor::deleteProperty): |
| * runtime/ErrorPrototype.cpp: |
| (JSC::errorProtoFuncToString): |
| * runtime/ExceptionFuzz.h: |
| * runtime/FunctionConstructor.cpp: |
| (JSC::constructWithFunctionConstructor): |
| (JSC::callFunctionConstructor): |
| (JSC::constructFunction): |
| * runtime/FunctionPrototype.cpp: |
| (JSC::callFunctionPrototype): |
| (JSC::functionProtoFuncToString): |
| * runtime/GeneratorFunctionConstructor.cpp: |
| (JSC::callGeneratorFunctionConstructor): |
| (JSC::constructGeneratorFunctionConstructor): |
| * runtime/Identifier.h: |
| * runtime/InspectorInstrumentationObject.cpp: |
| (JSC::inspectorInstrumentationObjectLog): |
| * runtime/InternalFunction.cpp: |
| (JSC::InternalFunction::InternalFunction): |
| * runtime/InternalFunction.h: |
| (JSC::InternalFunction::offsetOfGlobalObject): |
| (JSC::InternalFunction::globalObject const): |
| * runtime/IntlCollatorConstructor.cpp: |
| (JSC::constructIntlCollator): |
| (JSC::callIntlCollator): |
| (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): |
| * runtime/IntlCollatorConstructor.h: |
| * runtime/IntlCollatorPrototype.cpp: |
| (JSC::IntlCollatorFuncCompare): |
| (JSC::IntlCollatorPrototypeGetterCompare): |
| (JSC::IntlCollatorPrototypeFuncResolvedOptions): |
| * runtime/IntlDateTimeFormatConstructor.cpp: |
| (JSC::constructIntlDateTimeFormat): |
| (JSC::callIntlDateTimeFormat): |
| (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): |
| * runtime/IntlDateTimeFormatConstructor.h: |
| * runtime/IntlDateTimeFormatPrototype.cpp: |
| (JSC::IntlDateTimeFormatFuncFormatDateTime): |
| (JSC::IntlDateTimeFormatPrototypeGetterFormat): |
| (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts): |
| (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions): |
| * runtime/IntlNumberFormatConstructor.cpp: |
| (JSC::constructIntlNumberFormat): |
| (JSC::callIntlNumberFormat): |
| (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): |
| * runtime/IntlNumberFormatConstructor.h: |
| * runtime/IntlNumberFormatPrototype.cpp: |
| (JSC::IntlNumberFormatFuncFormatNumber): |
| (JSC::IntlNumberFormatPrototypeGetterFormat): |
| (JSC::IntlNumberFormatPrototypeFuncFormatToParts): |
| (JSC::IntlNumberFormatPrototypeFuncResolvedOptions): |
| * runtime/IntlObject.cpp: |
| (JSC::intlObjectFuncGetCanonicalLocales): |
| * runtime/IntlPluralRulesConstructor.cpp: |
| (JSC::constructIntlPluralRules): |
| (JSC::callIntlPluralRules): |
| (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf): |
| * runtime/IntlPluralRulesConstructor.h: |
| * runtime/IntlPluralRulesPrototype.cpp: |
| (JSC::IntlPluralRulesPrototypeFuncSelect): |
| (JSC::IntlPluralRulesPrototypeFuncResolvedOptions): |
| * runtime/JSArrayBufferConstructor.cpp: |
| (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation): |
| (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer): |
| (JSC::callArrayBuffer): |
| (JSC::arrayBufferFuncIsView): |
| * runtime/JSArrayBufferConstructor.h: |
| * runtime/JSArrayBufferPrototype.cpp: |
| (JSC::arrayBufferProtoFuncSlice): |
| (JSC::arrayBufferProtoGetterFuncByteLength): |
| (JSC::sharedArrayBufferProtoGetterFuncByteLength): |
| * runtime/JSBoundFunction.cpp: |
| (JSC::boundThisNoArgsFunctionCall): |
| (JSC::boundFunctionCall): |
| (JSC::boundThisNoArgsFunctionConstruct): |
| (JSC::boundFunctionConstruct): |
| (JSC::isBoundFunction): |
| (JSC::hasInstanceBoundFunction): |
| (JSC::JSBoundFunction::boundArgsCopy): |
| * runtime/JSBoundFunction.h: |
| * runtime/JSCJSValue.h: |
| * runtime/JSCell.h: |
| * runtime/JSCustomGetterSetterFunction.cpp: |
| (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall): |
| * runtime/JSCustomGetterSetterFunction.h: |
| * runtime/JSDataViewPrototype.cpp: |
| (JSC::getData): |
| (JSC::setData): |
| (JSC::dataViewProtoGetterBuffer): |
| (JSC::dataViewProtoGetterByteLength): |
| (JSC::dataViewProtoGetterByteOffset): |
| (JSC::dataViewProtoFuncGetInt8): |
| (JSC::dataViewProtoFuncGetInt16): |
| (JSC::dataViewProtoFuncGetInt32): |
| (JSC::dataViewProtoFuncGetUint8): |
| (JSC::dataViewProtoFuncGetUint16): |
| (JSC::dataViewProtoFuncGetUint32): |
| (JSC::dataViewProtoFuncGetFloat32): |
| (JSC::dataViewProtoFuncGetFloat64): |
| (JSC::dataViewProtoFuncSetInt8): |
| (JSC::dataViewProtoFuncSetInt16): |
| (JSC::dataViewProtoFuncSetInt32): |
| (JSC::dataViewProtoFuncSetUint8): |
| (JSC::dataViewProtoFuncSetUint16): |
| (JSC::dataViewProtoFuncSetUint32): |
| (JSC::dataViewProtoFuncSetFloat32): |
| (JSC::dataViewProtoFuncSetFloat64): |
| * runtime/JSDateMath.h: |
| * runtime/JSFunction.cpp: |
| (JSC::callHostFunctionAsConstructor): |
| (JSC::JSFunction::JSFunction): |
| (JSC::JSFunction::prototypeForConstruction): |
| (JSC::JSFunction::allocateAndInitializeRareData): |
| (JSC::JSFunction::initializeRareData): |
| (JSC::JSFunction::getOwnPropertySlot): |
| * runtime/JSFunction.h: |
| (JSC::JSFunction::offsetOfGlobalObject): |
| (JSC::JSFunction::globalObject const): |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::JSFunction): |
| * runtime/JSGenericTypedArrayViewConstructorInlines.h: |
| (JSC::constructGenericTypedArrayView): |
| (JSC::callGenericTypedArrayView): |
| * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: |
| (JSC::genericTypedArrayViewProtoFuncSlice): |
| (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::makeBoundFunction): |
| (JSC::hasOwnLengthProperty): |
| (JSC::assertCall): |
| (JSC::enqueueJob): |
| * runtime/JSGlobalObjectFunctions.cpp: |
| (JSC::globalFuncEval): |
| (JSC::globalFuncParseInt): |
| (JSC::globalFuncParseFloat): |
| (JSC::globalFuncDecodeURI): |
| (JSC::globalFuncDecodeURIComponent): |
| (JSC::globalFuncEncodeURI): |
| (JSC::globalFuncEncodeURIComponent): |
| (JSC::globalFuncEscape): |
| (JSC::globalFuncUnescape): |
| (JSC::globalFuncThrowTypeError): |
| (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller): |
| (JSC::globalFuncMakeTypeError): |
| (JSC::globalFuncProtoGetter): |
| (JSC::globalFuncProtoSetter): |
| (JSC::globalFuncHostPromiseRejectionTracker): |
| (JSC::globalFuncBuiltinLog): |
| (JSC::globalFuncBuiltinDescribe): |
| (JSC::globalFuncImportModule): |
| (JSC::globalFuncPropertyIsEnumerable): |
| (JSC::globalFuncOwnKeys): |
| (JSC::globalFuncDateTimeFormat): |
| * runtime/JSGlobalObjectFunctions.h: |
| * runtime/JSLock.h: |
| * runtime/JSModuleLoader.cpp: |
| (JSC::moduleLoaderParseModule): |
| (JSC::moduleLoaderRequestedModules): |
| (JSC::moduleLoaderModuleDeclarationInstantiation): |
| (JSC::moduleLoaderResolve): |
| (JSC::moduleLoaderResolveSync): |
| (JSC::moduleLoaderFetch): |
| (JSC::moduleLoaderGetModuleNamespaceObject): |
| (JSC::moduleLoaderEvaluate): |
| * runtime/JSNativeStdFunction.cpp: |
| (JSC::runStdFunction): |
| * runtime/JSNativeStdFunction.h: |
| * runtime/JSONObject.cpp: |
| (JSC::JSONProtoFuncParse): |
| (JSC::JSONProtoFuncStringify): |
| * runtime/JSObject.cpp: |
| (JSC::objectPrivateFuncInstanceOf): |
| * runtime/JSObject.h: |
| * runtime/JSTypedArrayViewConstructor.cpp: |
| (JSC::constructTypedArrayView): |
| * runtime/JSTypedArrayViewPrototype.cpp: |
| (JSC::typedArrayViewPrivateFuncIsTypedArrayView): |
| (JSC::typedArrayViewPrivateFuncLength): |
| (JSC::typedArrayViewPrivateFuncGetOriginalConstructor): |
| (JSC::typedArrayViewPrivateFuncSort): |
| (JSC::typedArrayViewProtoFuncSet): |
| (JSC::typedArrayViewProtoFuncCopyWithin): |
| (JSC::typedArrayViewProtoFuncIncludes): |
| (JSC::typedArrayViewProtoFuncLastIndexOf): |
| (JSC::typedArrayViewProtoFuncIndexOf): |
| (JSC::typedArrayViewProtoFuncJoin): |
| (JSC::typedArrayViewProtoGetterFuncBuffer): |
| (JSC::typedArrayViewProtoGetterFuncLength): |
| (JSC::typedArrayViewProtoGetterFuncByteLength): |
| (JSC::typedArrayViewProtoGetterFuncByteOffset): |
| (JSC::typedArrayViewProtoFuncReverse): |
| (JSC::typedArrayViewPrivateFuncSubarrayCreate): |
| (JSC::typedArrayViewProtoFuncSlice): |
| (JSC::typedArrayViewProtoGetterFuncToStringTag): |
| * runtime/JSTypedArrayViewPrototype.h: |
| * runtime/MapConstructor.cpp: |
| (JSC::callMap): |
| (JSC::constructMap): |
| (JSC::mapPrivateFuncMapBucketHead): |
| (JSC::mapPrivateFuncMapBucketNext): |
| (JSC::mapPrivateFuncMapBucketKey): |
| (JSC::mapPrivateFuncMapBucketValue): |
| * runtime/MapConstructor.h: |
| * runtime/MapPrototype.cpp: |
| (JSC::getMap): |
| (JSC::mapProtoFuncClear): |
| (JSC::mapProtoFuncDelete): |
| (JSC::mapProtoFuncGet): |
| (JSC::mapProtoFuncHas): |
| (JSC::mapProtoFuncSet): |
| (JSC::mapProtoFuncSize): |
| * runtime/MathObject.cpp: |
| (JSC::mathProtoFuncAbs): |
| (JSC::mathProtoFuncACos): |
| (JSC::mathProtoFuncASin): |
| (JSC::mathProtoFuncATan): |
| (JSC::mathProtoFuncATan2): |
| (JSC::mathProtoFuncCeil): |
| (JSC::mathProtoFuncClz32): |
| (JSC::mathProtoFuncCos): |
| (JSC::mathProtoFuncExp): |
| (JSC::mathProtoFuncFloor): |
| (JSC::mathProtoFuncHypot): |
| (JSC::mathProtoFuncLog): |
| (JSC::mathProtoFuncMax): |
| (JSC::mathProtoFuncMin): |
| (JSC::mathProtoFuncPow): |
| (JSC::mathProtoFuncRandom): |
| (JSC::mathProtoFuncRound): |
| (JSC::mathProtoFuncSign): |
| (JSC::mathProtoFuncSin): |
| (JSC::mathProtoFuncSqrt): |
| (JSC::mathProtoFuncTan): |
| (JSC::mathProtoFuncIMul): |
| (JSC::mathProtoFuncACosh): |
| (JSC::mathProtoFuncASinh): |
| (JSC::mathProtoFuncATanh): |
| (JSC::mathProtoFuncCbrt): |
| (JSC::mathProtoFuncCosh): |
| (JSC::mathProtoFuncExpm1): |
| (JSC::mathProtoFuncFround): |
| (JSC::mathProtoFuncLog1p): |
| (JSC::mathProtoFuncLog10): |
| (JSC::mathProtoFuncLog2): |
| (JSC::mathProtoFuncSinh): |
| (JSC::mathProtoFuncTanh): |
| (JSC::mathProtoFuncTrunc): |
| * runtime/MathObject.h: |
| * runtime/Microtask.h: |
| * runtime/NativeErrorConstructor.cpp: |
| (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor): |
| (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor): |
| * runtime/NativeErrorConstructor.h: |
| * runtime/NativeFunction.h: |
| (JSC::NativeFunction::operator()): |
| (JSC::TaggedNativeFunction::operator()): |
| * runtime/NullGetterFunction.cpp: |
| (JSC::NullGetterFunctionInternal::callReturnUndefined): |
| * runtime/NullSetterFunction.cpp: |
| (JSC::NullSetterFunctionInternal::callReturnUndefined): |
| * runtime/NumberConstructor.cpp: |
| (JSC::constructNumberConstructor): |
| (JSC::callNumberConstructor): |
| (JSC::numberConstructorFuncIsInteger): |
| (JSC::numberConstructorFuncIsSafeInteger): |
| * runtime/NumberPrototype.cpp: |
| (JSC::numberProtoFuncToExponential): |
| (JSC::numberProtoFuncToFixed): |
| (JSC::numberProtoFuncToPrecision): |
| (JSC::numberProtoFuncToString): |
| (JSC::numberProtoFuncToLocaleString): |
| (JSC::numberProtoFuncValueOf): |
| * runtime/NumberPrototype.h: |
| * runtime/ObjectConstructor.cpp: |
| (JSC::constructObjectWithNewTarget): |
| (JSC::constructWithObjectConstructor): |
| (JSC::callObjectConstructor): |
| (JSC::objectConstructorGetPrototypeOf): |
| (JSC::objectConstructorSetPrototypeOf): |
| (JSC::objectConstructorGetOwnPropertyDescriptor): |
| (JSC::objectConstructorGetOwnPropertyDescriptors): |
| (JSC::objectConstructorGetOwnPropertyNames): |
| (JSC::objectConstructorGetOwnPropertySymbols): |
| (JSC::objectConstructorKeys): |
| (JSC::objectConstructorAssign): |
| (JSC::objectConstructorValues): |
| (JSC::objectConstructorDefineProperty): |
| (JSC::objectConstructorDefineProperties): |
| (JSC::objectConstructorCreate): |
| (JSC::objectConstructorSeal): |
| (JSC::objectConstructorFreeze): |
| (JSC::objectConstructorPreventExtensions): |
| (JSC::objectConstructorIsSealed): |
| (JSC::objectConstructorIsFrozen): |
| (JSC::objectConstructorIsExtensible): |
| (JSC::objectConstructorIs): |
| (JSC::constructObject): Deleted. |
| * runtime/ObjectConstructor.h: |
| * runtime/ObjectPrototype.cpp: |
| (JSC::objectProtoFuncValueOf): |
| (JSC::objectProtoFuncHasOwnProperty): |
| (JSC::objectProtoFuncIsPrototypeOf): |
| (JSC::objectProtoFuncDefineGetter): |
| (JSC::objectProtoFuncDefineSetter): |
| (JSC::objectProtoFuncLookupGetter): |
| (JSC::objectProtoFuncLookupSetter): |
| (JSC::objectProtoFuncPropertyIsEnumerable): |
| (JSC::objectProtoFuncToLocaleString): |
| (JSC::objectProtoFuncToString): |
| * runtime/ObjectPrototype.h: |
| * runtime/ProxyConstructor.cpp: |
| (JSC::makeRevocableProxy): |
| (JSC::proxyRevocableConstructorThrowError): |
| (JSC::constructProxyObject): |
| (JSC::callProxy): |
| * runtime/ProxyObject.cpp: |
| (JSC::performProxyCall): |
| (JSC::performProxyConstruct): |
| * runtime/ProxyRevoke.cpp: |
| (JSC::performProxyRevoke): |
| * runtime/ReflectObject.cpp: |
| (JSC::reflectObjectConstruct): |
| (JSC::reflectObjectDefineProperty): |
| (JSC::reflectObjectGet): |
| (JSC::reflectObjectGetOwnPropertyDescriptor): |
| (JSC::reflectObjectGetPrototypeOf): |
| (JSC::reflectObjectIsExtensible): |
| (JSC::reflectObjectOwnKeys): |
| (JSC::reflectObjectPreventExtensions): |
| (JSC::reflectObjectSet): |
| (JSC::reflectObjectSetPrototypeOf): |
| * runtime/RegExpConstructor.cpp: |
| (JSC::regExpConstructorDollar): |
| (JSC::regExpConstructorInput): |
| (JSC::regExpConstructorMultiline): |
| (JSC::regExpConstructorLastMatch): |
| (JSC::regExpConstructorLastParen): |
| (JSC::regExpConstructorLeftContext): |
| (JSC::regExpConstructorRightContext): |
| (JSC::setRegExpConstructorInput): |
| (JSC::setRegExpConstructorMultiline): |
| (JSC::esSpecRegExpCreate): |
| (JSC::constructWithRegExpConstructor): |
| (JSC::callRegExpConstructor): |
| * runtime/RegExpConstructor.h: |
| * runtime/RegExpPrototype.cpp: |
| (JSC::regExpProtoFuncTestFast): |
| (JSC::regExpProtoFuncExec): |
| (JSC::regExpProtoFuncMatchFast): |
| (JSC::regExpProtoFuncCompile): |
| (JSC::regExpProtoFuncToString): |
| (JSC::regExpProtoGetterGlobal): |
| (JSC::regExpProtoGetterIgnoreCase): |
| (JSC::regExpProtoGetterMultiline): |
| (JSC::regExpProtoGetterDotAll): |
| (JSC::regExpProtoGetterSticky): |
| (JSC::regExpProtoGetterUnicode): |
| (JSC::regExpProtoGetterFlags): |
| (JSC::regExpProtoGetterSource): |
| (JSC::regExpProtoFuncSearchFast): |
| (JSC::regExpProtoFuncSplitFast): |
| * runtime/RegExpPrototype.h: |
| * runtime/SetConstructor.cpp: |
| (JSC::callSet): |
| (JSC::constructSet): |
| (JSC::setPrivateFuncSetBucketHead): |
| (JSC::setPrivateFuncSetBucketNext): |
| (JSC::setPrivateFuncSetBucketKey): |
| * runtime/SetConstructor.h: |
| * runtime/SetPrototype.cpp: |
| (JSC::getSet): |
| (JSC::setProtoFuncAdd): |
| (JSC::setProtoFuncClear): |
| (JSC::setProtoFuncDelete): |
| (JSC::setProtoFuncHas): |
| (JSC::setProtoFuncSize): |
| * runtime/StringConstructor.cpp: |
| (JSC::stringFromCharCode): |
| (JSC::stringFromCodePoint): |
| (JSC::constructWithStringConstructor): |
| (JSC::callStringConstructor): |
| * runtime/StringPrototype.cpp: |
| (JSC::stringProtoFuncRepeatCharacter): |
| (JSC::stringProtoFuncReplaceUsingRegExp): |
| (JSC::stringProtoFuncReplaceUsingStringSearch): |
| (JSC::stringProtoFuncToString): |
| (JSC::stringProtoFuncCharAt): |
| (JSC::stringProtoFuncCharCodeAt): |
| (JSC::stringProtoFuncCodePointAt): |
| (JSC::stringProtoFuncIndexOf): |
| (JSC::stringProtoFuncLastIndexOf): |
| (JSC::stringProtoFuncSlice): |
| (JSC::stringProtoFuncSplitFast): |
| (JSC::stringProtoFuncSubstrImpl): |
| (JSC::stringProtoFuncSubstr): |
| (JSC::builtinStringSubstrInternal): |
| (JSC::stringProtoFuncSubstring): |
| (JSC::stringProtoFuncToLowerCase): |
| (JSC::stringProtoFuncToUpperCase): |
| (JSC::stringProtoFuncLocaleCompare): |
| (JSC::toLocaleCase): |
| (JSC::stringProtoFuncToLocaleLowerCase): |
| (JSC::stringProtoFuncToLocaleUpperCase): |
| (JSC::stringProtoFuncTrim): |
| (JSC::stringProtoFuncTrimStart): |
| (JSC::stringProtoFuncTrimEnd): |
| (JSC::stringProtoFuncStartsWith): |
| (JSC::stringProtoFuncEndsWith): |
| (JSC::stringIncludesImpl): |
| (JSC::stringProtoFuncIncludes): |
| (JSC::builtinStringIncludesInternal): |
| (JSC::stringProtoFuncIterator): |
| (JSC::stringProtoFuncNormalize): |
| * runtime/StringPrototype.h: |
| * runtime/SymbolConstructor.cpp: |
| (JSC::callSymbol): |
| (JSC::symbolConstructorFor): |
| (JSC::symbolConstructorKeyFor): |
| * runtime/SymbolPrototype.cpp: |
| (JSC::symbolProtoGetterDescription): |
| (JSC::symbolProtoFuncToString): |
| (JSC::symbolProtoFuncValueOf): |
| * runtime/ThrowScope.h: |
| * runtime/TypedArrayController.h: |
| * runtime/VM.h: |
| * runtime/VMTraps.h: |
| * runtime/Watchdog.h: |
| * runtime/WeakMapConstructor.cpp: |
| (JSC::callWeakMap): |
| (JSC::constructWeakMap): |
| * runtime/WeakMapPrototype.cpp: |
| (JSC::getWeakMap): |
| (JSC::protoFuncWeakMapDelete): |
| (JSC::protoFuncWeakMapGet): |
| (JSC::protoFuncWeakMapHas): |
| (JSC::protoFuncWeakMapSet): |
| * runtime/WeakObjectRefConstructor.cpp: |
| (JSC::callWeakRef): |
| (JSC::constructWeakRef): |
| * runtime/WeakObjectRefPrototype.cpp: |
| (JSC::getWeakRef): |
| (JSC::protoFuncWeakRefDeref): |
| * runtime/WeakSetConstructor.cpp: |
| (JSC::callWeakSet): |
| (JSC::constructWeakSet): |
| * runtime/WeakSetPrototype.cpp: |
| (JSC::getWeakSet): |
| (JSC::protoFuncWeakSetDelete): |
| (JSC::protoFuncWeakSetHas): |
| (JSC::protoFuncWeakSetAdd): |
| * tools/JSDollarVM.cpp: |
| (JSC::DOMJITGetterComplex::functionEnableException): |
| (JSC::DOMJITFunctionObject::functionWithTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck): |
| (JSC::functionWasmStreamingParserAddBytes): |
| (JSC::functionWasmStreamingParserFinalize): |
| (JSC::functionCrash): |
| (JSC::functionBreakpoint): |
| (JSC::functionDFGTrue): |
| (JSC::functionFTLTrue): |
| (JSC::functionCpuMfence): |
| (JSC::functionCpuRdtsc): |
| (JSC::functionCpuCpuid): |
| (JSC::functionCpuPause): |
| (JSC::functionCpuClflush): |
| (JSC::functionLLintTrue): |
| (JSC::functionJITTrue): |
| (JSC::functionNoInline): |
| (JSC::functionGC): |
| (JSC::functionEdenGC): |
| (JSC::functionDumpSubspaceHashes): |
| (JSC::functionCallFrame): |
| (JSC::functionCodeBlockForFrame): |
| (JSC::codeBlockFromArg): |
| (JSC::functionCodeBlockFor): |
| (JSC::functionDumpSourceFor): |
| (JSC::functionDumpBytecodeFor): |
| (JSC::doPrint): |
| (JSC::functionDataLog): |
| (JSC::functionPrint): |
| (JSC::functionDumpCallFrame): |
| (JSC::functionDumpStack): |
| (JSC::functionDumpRegisters): |
| (JSC::functionDumpCell): |
| (JSC::functionIndexingMode): |
| (JSC::functionInlineCapacity): |
| (JSC::functionValue): |
| (JSC::functionGetPID): |
| (JSC::functionHaveABadTime): |
| (JSC::functionIsHavingABadTime): |
| (JSC::functionCreateGlobalObject): |
| (JSC::functionCreateProxy): |
| (JSC::functionCreateRuntimeArray): |
| (JSC::functionCreateNullRopeString): |
| (JSC::functionCreateImpureGetter): |
| (JSC::functionCreateCustomGetterObject): |
| (JSC::functionCreateDOMJITNodeObject): |
| (JSC::functionCreateDOMJITGetterObject): |
| (JSC::functionCreateDOMJITGetterComplexObject): |
| (JSC::functionCreateDOMJITFunctionObject): |
| (JSC::functionCreateDOMJITCheckSubClassObject): |
| (JSC::functionCreateDOMJITGetterBaseJSObject): |
| (JSC::functionCreateWasmStreamingParser): |
| (JSC::functionCreateStaticCustomAccessor): |
| (JSC::functionSetImpureGetterDelegate): |
| (JSC::functionCreateBuiltin): |
| (JSC::functionGetPrivateProperty): |
| (JSC::functionCreateRoot): |
| (JSC::functionCreateElement): |
| (JSC::functionGetElement): |
| (JSC::functionCreateSimpleObject): |
| (JSC::functionGetHiddenValue): |
| (JSC::functionSetHiddenValue): |
| (JSC::functionShadowChickenFunctionsOnStack): |
| (JSC::functionSetGlobalConstRedeclarationShouldNotThrow): |
| (JSC::functionFindTypeForExpression): |
| (JSC::functionReturnTypeFor): |
| (JSC::functionFlattenDictionaryObject): |
| (JSC::functionDumpBasicBlockExecutionRanges): |
| (JSC::functionHasBasicBlockExecuted): |
| (JSC::functionBasicBlockExecutionCount): |
| (JSC::functionEnableExceptionFuzz): |
| (JSC::functionEnableDebuggerModeWhenIdle): |
| (JSC::functionDisableDebuggerModeWhenIdle): |
| (JSC::functionDeleteAllCodeWhenIdle): |
| (JSC::functionGlobalObjectCount): |
| (JSC::functionGlobalObjectForObject): |
| (JSC::functionGetGetterSetter): |
| (JSC::functionLoadGetterFromGetterSetter): |
| (JSC::functionCreateCustomTestGetterSetter): |
| (JSC::functionDeltaBetweenButterflies): |
| (JSC::functionTotalGCTime): |
| (JSC::functionParseCount): |
| (JSC::functionIsWasmSupported): |
| * wasm/WasmEmbedder.h: |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::webAssemblyCompileFunc): |
| (JSC::webAssemblyInstantiateFunc): |
| (JSC::webAssemblyValidateFunc): |
| (JSC::webAssemblyCompileStreamingInternal): |
| (JSC::webAssemblyInstantiateStreamingInternal): |
| * wasm/js/JSWebAssembly.h: |
| * wasm/js/WebAssemblyCompileErrorConstructor.cpp: |
| (JSC::constructJSWebAssemblyCompileError): |
| (JSC::callJSWebAssemblyCompileError): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::callWebAssemblyFunction): |
| * wasm/js/WebAssemblyInstanceConstructor.cpp: |
| (JSC::constructJSWebAssemblyInstance): |
| (JSC::callJSWebAssemblyInstance): |
| * wasm/js/WebAssemblyInstancePrototype.cpp: |
| (JSC::webAssemblyInstanceProtoFuncExports): |
| * wasm/js/WebAssemblyLinkErrorConstructor.cpp: |
| (JSC::constructJSWebAssemblyLinkError): |
| (JSC::callJSWebAssemblyLinkError): |
| * wasm/js/WebAssemblyMemoryConstructor.cpp: |
| (JSC::constructJSWebAssemblyMemory): |
| (JSC::callJSWebAssemblyMemory): |
| * wasm/js/WebAssemblyMemoryPrototype.cpp: |
| (JSC::webAssemblyMemoryProtoFuncGrow): |
| (JSC::webAssemblyMemoryProtoFuncBuffer): |
| * wasm/js/WebAssemblyModuleConstructor.cpp: |
| (JSC::webAssemblyModuleCustomSections): |
| (JSC::webAssemblyModuleImports): |
| (JSC::webAssemblyModuleExports): |
| (JSC::constructJSWebAssemblyModule): |
| (JSC::callJSWebAssemblyModule): |
| * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: |
| (JSC::constructJSWebAssemblyRuntimeError): |
| (JSC::callJSWebAssemblyRuntimeError): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| (JSC::callJSWebAssemblyTable): |
| * wasm/js/WebAssemblyTablePrototype.cpp: |
| (JSC::webAssemblyTableProtoFuncLength): |
| (JSC::webAssemblyTableProtoFuncGrow): |
| (JSC::webAssemblyTableProtoFuncGet): |
| (JSC::webAssemblyTableProtoFuncSet): |
| * wasm/js/WebAssemblyWrapperFunction.cpp: |
| (JSC::callWebAssemblyWrapperFunction): |
| * yarr/YarrErrorCode.h: |
| |
| 2019-10-07 Matt Lewis <jlewis3@apple.com> |
| |
| Unreviewed, rolling out r250750. |
| |
| Reverting change as this broke interal test over the weekend. |
| |
| Reverted changeset: |
| |
| "Allow OSR exit to the LLInt" |
| https://bugs.webkit.org/show_bug.cgi?id=197993 |
| https://trac.webkit.org/changeset/250750 |
| |
| 2019-10-04 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Socket-based RWI should base64-encode backend commands on client, not server |
| https://bugs.webkit.org/show_bug.cgi?id=202605 |
| |
| Reviewed by Don Olmstead. |
| |
| * inspector/remote/socket/RemoteInspectorServer.cpp: |
| (Inspector::RemoteInspectorServer::setupInspectorClient): |
| |
| 2019-10-04 Saam Barati <sbarati@apple.com> |
| |
| Allow OSR exit to the LLInt |
| https://bugs.webkit.org/show_bug.cgi?id=197993 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| This patch makes it so we can OSR exit to the LLInt. |
| Here are the interesting implementation details: |
| |
| 1. We no longer baseline compile everything in the inline stack. |
| |
| 2. When the top frame is a LLInt frame, we exit to the corresponding |
| LLInt bytecode. However, we need to materialize the LLInt registers |
| for PC, PB, and metadata. |
| |
| 3. When dealing with inline call frames where the caller is LLInt, we |
| need to return to the appropriate place. Let's consider we're exiting |
| at a place A->B (A calls B), where A is LLInt. If A is a normal call, |
| we place the return PC in the frame we materialize to B to be right |
| after the LLInt's inline cache for calls. If A is a varargs call, we place |
| it at the return location for vararg calls. The interesting scenario here |
| is where A is a getter/setter. This means that A might be get_by_id, |
| get_by_val, put_by_id, or put_by_val. Since the LLInt does not have any |
| form of IC for getters/setters, we make this work by creating new LLInt |
| "return location" stubs for these opcodes. |
| |
| 4. We need to update what callee saves we store in the callee if the caller frame |
| is a LLInt frame. Let's consider an inline stack A->B->C, where A is a LLInt frame. |
| When we materialize the stack frame for B, we need to ensure that the LLInt callee |
| saves that A uses is stored into B's preserved callee saves. Specifically, this |
| is just the PB/metadata registers. |
| |
| This patch also fixes offlineasm's macro expansion to allow us to |
| use computed label names for global labels. |
| |
| In a future bug, I'm going to investigate some kind of control system for |
| throwing away baseline code when we tier up: |
| https://bugs.webkit.org/show_bug.cgi?id=202503 |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::metadataTable): |
| (JSC::CodeBlock::instructionsRawPointer): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::executeOSRExit): |
| (JSC::DFG::reifyInlinedCallFrames): |
| (JSC::DFG::adjustAndJumpToTarget): |
| (JSC::DFG::OSRExit::compileOSRExit): |
| * dfg/DFGOSRExit.h: |
| (JSC::DFG::OSRExitState::OSRExitState): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::callerReturnPC): |
| (JSC::DFG::calleeSaveSlot): |
| (JSC::DFG::reifyInlinedCallFrames): |
| (JSC::DFG::adjustAndJumpToTarget): |
| * dfg/DFGOSRExitCompilerCommon.h: |
| * dfg/DFGOSRExitPreparation.cpp: |
| (JSC::DFG::prepareCodeOriginForOSRExit): Deleted. |
| * dfg/DFGOSRExitPreparation.h: |
| * ftl/FTLOSRExitCompiler.cpp: |
| (JSC::FTL::compileFTLOSRExit): |
| * llint/LLIntData.h: |
| (JSC::LLInt::getCodePtr): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * offlineasm/asm.rb: |
| * offlineasm/transform.rb: |
| * runtime/OptionsList.h: |
| |
| 2019-10-04 Truitt Savell <tsavell@apple.com> |
| |
| Unreviewed, rolling out r250583. |
| |
| Broke multiple internal API tests |
| |
| Reverted changeset: |
| |
| "[JSC] Place VM* in TLS" |
| https://bugs.webkit.org/show_bug.cgi?id=202391 |
| https://trac.webkit.org/changeset/250583 |
| |
| 2019-10-04 Truitt Savell <tsavell@apple.com> |
| |
| Unreviewed, rolling out r250594. |
| |
| Broke multiple internal API tests |
| |
| Reverted changeset: |
| |
| "Unreviewed, fix incorrect assertion" |
| https://bugs.webkit.org/show_bug.cgi?id=202391 |
| https://trac.webkit.org/changeset/250594 |
| |
| 2019-10-04 Alex Christensen <achristensen@webkit.org> |
| |
| Simplify sandbox enabling macros |
| https://bugs.webkit.org/show_bug.cgi?id=202536 |
| |
| Reviewed by Brent Fulgham. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-10-03 Christopher Reid <chris.reid@sony.com> |
| |
| [WinCairo] Remote Inspector doesn't gracefully shutdown |
| https://bugs.webkit.org/show_bug.cgi?id=202546 |
| |
| Reviewed by Ross Kirsling. |
| |
| Call shutdown before closesocket in windows to close the connection gracefully. |
| |
| This also fixes some potential threading issues where m_clientConnection |
| is set on a worker thread but cleared on the main thread. |
| Remove callOnMainThread in the server too since execution gets paused during JS breakpoints. |
| |
| * inspector/remote/socket/RemoteInspectorServer.cpp: |
| * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp: |
| |
| 2019-10-03 Mark Lam <mark.lam@apple.com> |
| |
| Fix testmasm failure on ASan builds. |
| https://bugs.webkit.org/show_bug.cgi?id=202554 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Gigacage is disabled on ASan builds. So testmasm is sad. Make the relevant test |
| bail gracefully if Gigacage should be disabled. |
| |
| Also converted some ASSERTs into RELEASE_ASSERTs. This is a test. No reason to |
| not assert always. |
| |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| |
| 2019-10-03 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Socket RWI client should acquire backend commands from server |
| https://bugs.webkit.org/show_bug.cgi?id=202421 |
| |
| Reviewed by Devin Rousso. |
| |
| * inspector/remote/socket/RemoteInspectorServer.cpp: |
| (Inspector::RemoteInspectorServer::setupInspectorClient): |
| (Inspector::RemoteInspectorServer::backendCommands const): |
| * inspector/remote/socket/RemoteInspectorServer.h: |
| (Inspector::RemoteInspectorServer::setBackendCommandsPath): |
| Assuming a path to InspectorBackendCommands.js has been provided, |
| read the file and send off its base64-encoded contents in a "BackendCommands" message when setting up a client. |
| |
| 2019-10-03 Yury Semikhatsky <yurys@chromium.org> |
| |
| Web Inspector: tests under LayoutTests/inspector/debugger are flaky |
| https://bugs.webkit.org/show_bug.cgi?id=137131 |
| <rdar://problem/18461335> |
| |
| Reviewed by Devin Rousso. |
| |
| Changed breakpoint resolution logic to make it consistent across platforms and |
| better handle the case when there are several DebuggerPausePositions at the same |
| offset (but with different types). |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::hasOpDebugForLineAndColumn): |
| * bytecode/CodeBlock.h: |
| * debugger/Breakpoint.h: Removed Breakpoint::unspecifiedColumn, Optional<unsigned> |
| is used instead where needed. It allows to avoid code that relies on (int)UINT_MAX => -1 |
| conversion. |
| |
| * debugger/Debugger.cpp: |
| (JSC::Debugger::resolveBreakpoint): clarified that in the map columns are 0-based. |
| * debugger/DebuggerParseData.cpp: |
| (JSC::DebuggerPausePositions::breakpointLocationForLineColumn): replaced custom |
| binary search with std::lower_bound. If there are several pause positions at the |
| same offset they will be sorted by the type and the algorithm is guaranteed to see |
| leftmost one first. |
| |
| (JSC::DebuggerPausePositions::sort): use type as secondary ordering component. |
| * debugger/DebuggerParseData.h: Rearranged type constants so that Enter < Pause < Leave |
| this change along with sorting by type should guarantee that in case of several pause |
| positions at the same line Enter goes before Pause before Leave and the breakpoint |
| resolution will yield result similar to that when each pause locations has different |
| position. |
| |
| * inspector/protocol/Debugger.json: clarified that positions are 0-based. |
| * parser/ParserTokens.h: |
| (JSC::JSTextPosition::column const): added helper method for computing column. |
| |
| 2019-10-03 Keith Miller <keith_miller@apple.com> |
| |
| Fix assembler on ARM64E |
| https://bugs.webkit.org/show_bug.cgi?id=202528 |
| |
| Reviewed by Michael Saboff. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::callOperation): |
| * assembler/MacroAssemblerARM64E.h: |
| (JSC::MacroAssemblerARM64E::callOperation): |
| |
| 2019-10-02 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] AsyncGenerator should have internal fields |
| https://bugs.webkit.org/show_bug.cgi?id=201498 |
| |
| Reviewed by Saam Barati. |
| |
| This patch introduces JSAsyncGenerator. We did this already for JSGenerator. This patch does the same thing for JSAsyncGenerator |
| This patch cleans up JSGenerator's code to share it with JSAsyncGenerator, e.g. JSGenerator::initialValues etc. |
| It improves JetStream2/async-fs by ~10%. |
| |
| We also fixed the pre-existing bug. We are using OpcodeID for the key of hashmap. And using op_add code as a part of key. |
| By adding a new bytecode, it suddenly becomes 0. And 0 is not valid key in WTF::HashMap. This patch adds 1 to opcodeID when using |
| for HashMap's key to fix this issue. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * builtins/AsyncGeneratorPrototype.js: |
| (globalPrivate.asyncGeneratorQueueIsEmpty): |
| (globalPrivate.asyncGeneratorQueueEnqueue): |
| (globalPrivate.asyncGeneratorQueueDequeue): |
| (globalPrivate.isExecutionState): |
| (globalPrivate.isSuspendYieldState): |
| (globalPrivate.asyncGeneratorReject): |
| (globalPrivate.asyncGeneratorResolve): |
| (asyncGeneratorYieldAwaited): |
| (globalPrivate.asyncGeneratorYield): |
| (globalPrivate.doAsyncGeneratorBodyCall): |
| (globalPrivate.asyncGeneratorResumeNext): |
| (globalPrivate.asyncGeneratorEnqueue): |
| * builtins/BuiltinNames.h: |
| * bytecode/BytecodeIntrinsicRegistry.cpp: |
| (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): |
| * bytecode/BytecodeIntrinsicRegistry.h: |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finalizeLLIntInlineCaches): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields): |
| (JSC::BytecodeGenerator::emitCreateAsyncGenerator): |
| (JSC::BytecodeGenerator::emitYieldPoint): |
| (JSC::BytecodeGenerator::emitYield): |
| (JSC::BytecodeGenerator::emitAwait): |
| (JSC::BytecodeGenerator::emitDelegateYield): |
| (JSC::BytecodeGenerator::emitGeneratorStateChange): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::emitIsAsyncGenerator): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::asyncGeneratorInternalFieldIndex): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_getAsyncGeneratorInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_putAsyncGeneratorInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isAsyncGenerator): |
| (JSC::YieldExprNode::emitBytecode): |
| (JSC::AwaitExprNode::emitBytecode): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| (JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGClobbersExitState.cpp: |
| (JSC::DFG::clobbersExitState): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::convertToNewInternalFieldObject): |
| (JSC::DFG::Node::hasStructure): |
| (JSC::DFG::Node::convertToNewGenerator): Deleted. |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCreateInternalFieldObject): |
| (JSC::DFG::SpeculativeJIT::compileCreateGenerator): |
| (JSC::DFG::SpeculativeJIT::compileCreateAsyncGenerator): |
| (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject): |
| (JSC::DFG::SpeculativeJIT::compileNewGenerator): |
| (JSC::DFG::SpeculativeJIT::compileNewAsyncGenerator): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewAsyncGenerator): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateGenerator): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateAsyncGenerator): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| * jit/JITInlines.h: |
| (JSC::JIT::copiedArithProfile): |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * llint/LowLevelInterpreter.asm: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::createInternalFieldObject): |
| (JSC::SLOW_PATH_DECL): |
| * runtime/CommonSlowPaths.h: |
| * runtime/JSAsyncGenerator.cpp: Copied from Source/JavaScriptCore/runtime/JSGenerator.cpp. |
| (JSC::JSAsyncGenerator::create): |
| (JSC::JSAsyncGenerator::createStructure): |
| (JSC::JSAsyncGenerator::JSAsyncGenerator): |
| (JSC::JSAsyncGenerator::finishCreation): |
| (JSC::JSAsyncGenerator::visitChildren): |
| * runtime/JSAsyncGenerator.h: Copied from Source/JavaScriptCore/runtime/JSGenerator.h. |
| * runtime/JSAsyncGeneratorFunction.h: |
| * runtime/JSGenerator.cpp: |
| (JSC::JSGenerator::finishCreation): |
| * runtime/JSGenerator.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::asyncGeneratorStructure const): |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| |
| 2019-10-02 Keith Miller <keith_miller@apple.com> |
| |
| FTL OSR exit shouldn't bother updating get_by_id array profiles that have changed modes |
| https://bugs.webkit.org/show_bug.cgi?id=202493 |
| |
| Reviewed by Saam Barati. |
| |
| I added this optimization for DFG but forgot to do it for the FTL |
| at the same time. This patch rectifies that. |
| |
| * ftl/FTLOSRExitCompiler.cpp: |
| (JSC::FTL::compileStub): |
| |
| 2019-10-02 Paulo Matos <pmatos@igalia.com> |
| |
| Gardening build fix: Hide store64/load64 functions from 32bit |
| https://bugs.webkit.org/show_bug.cgi?id=202453 |
| |
| Unreviewed. |
| |
| Prior patch for bug 202250 breaks 32bit builds because functions |
| store64 and load64 do not exist. ifdef these functions away from 32bits since |
| they are not used in 32bit code path. |
| |
| * jit/AssemblyHelpers.h: |
| |
| 2019-10-01 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix incorrect assertion |
| https://bugs.webkit.org/show_bug.cgi?id=202391 |
| |
| * runtime/JSLock.cpp: |
| (JSC::JSLock::DropAllLocks::~DropAllLocks): |
| |
| 2019-10-01 Saam Barati <sbarati@apple.com> |
| |
| ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid |
| https://bugs.webkit.org/show_bug.cgi?id=199361 |
| <rdar://problem/52454940> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| In a prior fix to the object allocation sinking phase, I added code where we |
| made sure to insert PutHints over Phis for fields of an object at control flow |
| merge points. However, that code didn't consider that the base of the PutHint |
| may no longer be a valid heap location. This could cause us to emit invalid |
| SSA code by referring to a node which does not dominate the PutHint location. |
| This patch fixes the bug to only emit the PutHints when valid. |
| |
| This patch also makes it so that DFGValidate actually validates that the graph |
| is in valid SSA form. E.g, any use of a node N must be dominated by N. |
| |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
| * dfg/DFGValidate.cpp: |
| |
| 2019-10-01 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Place VM* in TLS |
| https://bugs.webkit.org/show_bug.cgi?id=202391 |
| |
| Reviewed by Mark Lam. |
| |
| This patch puts VM* in TLS mainly for debugging purpose. In JSLockHolder, we put VM* and save the old VM* in TLS. |
| And JSLockHolder's destructor restores it. It is possible that we have two VMs A and B. After locking A, we enter |
| B. In this case, when B's lock is released, we should restore TLS to A. We put the old VM* in JSLockHolder::m_previousVMInTLS |
| so that we can restore it in JSLockHolder's destructor. |
| |
| This patch also cleans up Lock<JSLock> / std::lock_guard<JSLock> usage in JSRunLoopTimer and JSManagedValue by introducing |
| JSLockHolder with LockIfVMIsLive tag. Previously, we are intentionally use `std::lock_guard<JSLock>` since VM* can be dead |
| at these places. JSLockHolder with LockIfVMIsLive handles this case carefully: it locks JSLock when VM* is live. |
| |
| * API/JSManagedValue.mm: |
| (-[JSManagedValue value]): |
| * API/glib/JSCWeakValue.cpp: |
| (jsc_weak_value_get_value): |
| * runtime/InitializeThreading.cpp: |
| (JSC::initializeThreading): |
| * runtime/JSLock.cpp: |
| (JSC::JSLockHolder::JSLockHolder): |
| (JSC::JSLockHolder::~JSLockHolder): |
| (JSC::JSLock::DropAllLocks::DropAllLocks): |
| (JSC::JSLock::DropAllLocks::~DropAllLocks): |
| * runtime/JSLock.h: |
| (JSC::JSLockHolder::vm): |
| * runtime/JSRunLoopTimer.cpp: |
| (JSC::JSRunLoopTimer::timerDidFire): |
| * runtime/VM.cpp: |
| (JSC::VM::initializeTLS): |
| * runtime/VM.h: |
| (JSC::VM::exchange): |
| (JSC::VM::current): |
| |
| 2019-10-01 Michael Saboff <msaboff@apple.com> and Paulo Matos <pmatos@igalia.com> |
| |
| [YARR] Properly handle surrogates when matching back references |
| https://bugs.webkit.org/show_bug.cgi?id=202041 |
| |
| Reviewed by Keith Miller. |
| |
| This patch is based on a work in progress patch by Paulo Matos <pmatos@igalia.com>. |
| |
| When handling back references in Unicode patterns, we can't match un-decoded surrogate characters, |
| instead we need to read and process surrogate pairs. Changed matchBackreference() to do this, |
| including properly incrementing the back reference pattern and search indexes. |
| |
| In support of this change, on X86_64 we needed to free up r10 to be used exclusively for |
| "patternIndex". It was also used as a temp in tryReadUnicodeCharImpl(). Made a new named |
| temp register, called unicodeTemp, to take the place of regT2(r10) in tryReadUnicodeCharImpl. |
| This new temp is r14 on X86_64 and X5 on ARM64. To free up r14 on X86_64, changed the |
| old leadingSurrogateTag to be a literal. |
| |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl): |
| (JSC::Yarr::YarrGenerator::matchBackreference): |
| (JSC::Yarr::YarrGenerator::generateEnter): |
| (JSC::Yarr::YarrGenerator::readCharacterDontDecodeSurrogates): Deleted. |
| |
| 2019-10-01 Keith Miller <keith_miller@apple.com> |
| |
| Add support for the Wasm multi-value proposal |
| https://bugs.webkit.org/show_bug.cgi?id=202250 |
| |
| Reviewed by Saam Barati. |
| |
| The wasm multi-value proposal makes two major changes to the |
| spec. The first is that functions may now return more than one |
| value across calls. When calling to/from JS, if there is more than |
| one return type we return/receive a JSArray/Iterable, |
| respectively. In the Wasm calls JS case, if the iteratable object |
| does not vend the exact number of objects expected by the |
| signature an error is thrown. |
| |
| The second major change in the multi-value proposal allows blocks |
| to have any signature type. This works in a backwards compatible |
| way by exploiting the fact that the old value-type thunk signatures |
| (where the block takes no arguments and returns just the value |
| type i.e. [] -> [type]) were always encoded as a negative |
| number. If a block has a function signature, it is encoded as a |
| positive index into the type section. When a block has a function |
| signature type then the values from the enclosing stack are popped |
| off that stack and added to the new block's stack. In the case of |
| a br/br_if to a Loop block the "argument" values should be on the |
| brancher's stack. |
| |
| The biggest change in this patch is stripping down the |
| WasmCallingConventions file into one simpler API that just tells |
| you where the each argument should be located. It also now handles |
| adding or subtracting sizeof(CallerFrameAndPC) depending on |
| whether you are caller or callee. Additionally, when computing |
| locations for the callee it returns a B3::ValueRep that has the |
| offsetFromFP rather than offsetFromSP. Since the code has been |
| cleaned up I tried to also reduce code duplication in the various |
| stubs for wasm code. This patch also removes the Air specific |
| calling convention code and moves that logic into the Air IR |
| generator. |
| |
| Since blocks can now have arbitrary signatures the control entries |
| now use a const signature* rather than just the return |
| type. Additionally, what used to be the result phi is now the phis |
| for all the results for non-loop blocks and the arguments for a |
| loop block. Due to the control flow restrictions of wasm |
| conveniently we don't have to worry about generating non-optimal |
| SSA, thus we can just use phis directly rather than using a |
| variable. |
| |
| Lastly, to help clean up some code in the IR generators new helper |
| methods were added to create call Patchpoints. These helpers do |
| most of the boiler-plate initialization. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * assembler/AbstractMacroAssembler.h: |
| (JSC::AbstractMacroAssembler::ImplicitAddress::ImplicitAddress): |
| * assembler/LinkBuffer.cpp: |
| (JSC::shouldDumpDisassemblyFor): |
| * assembler/LinkBuffer.h: |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::callOperation): |
| * assembler/MacroAssemblerX86_64.h: |
| (JSC::MacroAssemblerX86_64::callOperation): |
| * b3/B3LowerToAir.cpp: |
| * b3/B3PatchpointSpecial.cpp: |
| (JSC::B3::PatchpointSpecial::forEachArg): |
| (JSC::B3::PatchpointSpecial::isValid): |
| (JSC::B3::PatchpointSpecial::admitsStack): |
| (JSC::B3::PatchpointSpecial::generate): |
| * b3/B3Procedure.h: |
| (JSC::B3::Procedure::resultCount const): |
| (JSC::B3::Procedure::typeAtOffset const): |
| (JSC::B3::Procedure::returnCount const): Deleted. |
| * b3/B3StackmapGenerationParams.cpp: |
| (JSC::B3::StackmapGenerationParams::code const): |
| * b3/B3StackmapGenerationParams.h: |
| * b3/B3ValueRep.h: |
| * b3/air/AirHelpers.h: Added. |
| (JSC::B3::Air::moveForType): |
| (JSC::B3::Air::relaxedMoveForType): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::store64FromReg): |
| (JSC::AssemblyHelpers::store32FromReg): |
| (JSC::AssemblyHelpers::load64ToReg): |
| (JSC::AssemblyHelpers::load32ToReg): |
| * runtime/JSCConfig.h: |
| * runtime/OptionsList.h: |
| * tools/JSDollarVM.cpp: |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::dumpValue): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::ConstrainedTmp::operator bool const): |
| (JSC::Wasm::TypedTmp::dump const): |
| (JSC::Wasm::AirIRGenerator::ControlData::ControlData): |
| (JSC::Wasm::AirIRGenerator::ControlData::dump const): |
| (JSC::Wasm::AirIRGenerator::ControlData::blockType const): |
| (JSC::Wasm::AirIRGenerator::ControlData::signature const): |
| (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch): |
| (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock): |
| (JSC::Wasm::AirIRGenerator::addEndToUnreachable): |
| (JSC::Wasm::AirIRGenerator::emitCallPatchpoint): |
| (JSC::Wasm::AirIRGenerator::validateInst): |
| (JSC::Wasm::AirIRGenerator::tmpsForSignature): |
| (JSC::Wasm::AirIRGenerator::emitPatchpoint): |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::toB3ResultType): |
| (JSC::Wasm::AirIRGenerator::addBottom): |
| (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::AirIRGenerator::addTopLevel): |
| (JSC::Wasm::AirIRGenerator::addLoop): |
| (JSC::Wasm::AirIRGenerator::addBlock): |
| (JSC::Wasm::AirIRGenerator::addIf): |
| (JSC::Wasm::AirIRGenerator::addElse): |
| (JSC::Wasm::AirIRGenerator::addElseToUnreachable): |
| (JSC::Wasm::AirIRGenerator::addReturn): |
| (JSC::Wasm::AirIRGenerator::addBranch): |
| (JSC::Wasm::AirIRGenerator::addSwitch): |
| (JSC::Wasm::AirIRGenerator::endBlock): |
| (JSC::Wasm::AirIRGenerator::addCall): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| (JSC::Wasm::dumpExpressionStack): |
| (JSC::Wasm::AirIRGenerator::dump): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>): |
| (JSC::Wasm::AirIRGenerator::ControlData::type const): Deleted. |
| (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const): Deleted. |
| (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const): Deleted. |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::ControlData::ControlData): |
| (JSC::Wasm::B3IRGenerator::ControlData::dump const): |
| (JSC::Wasm::B3IRGenerator::ControlData::blockType const): |
| (JSC::Wasm::B3IRGenerator::ControlData::hasNonVoidresult const): |
| (JSC::Wasm::B3IRGenerator::ControlData::targetBlockForBranch): |
| (JSC::Wasm::B3IRGenerator::ControlData::convertIfToBlock): |
| (JSC::Wasm::B3IRGenerator::addEndToUnreachable): |
| (JSC::Wasm::B3IRGenerator::B3IRGenerator): |
| (JSC::Wasm::B3IRGenerator::framePointer): |
| (JSC::Wasm::B3IRGenerator::toB3ResultType): |
| (JSC::Wasm::B3IRGenerator::addArguments): |
| (JSC::Wasm::B3IRGenerator::addGrowMemory): |
| (JSC::Wasm::B3IRGenerator::addLoop): |
| (JSC::Wasm::B3IRGenerator::addTopLevel): |
| (JSC::Wasm::B3IRGenerator::addBlock): |
| (JSC::Wasm::B3IRGenerator::addIf): |
| (JSC::Wasm::B3IRGenerator::addElse): |
| (JSC::Wasm::B3IRGenerator::addElseToUnreachable): |
| (JSC::Wasm::B3IRGenerator::addReturn): |
| (JSC::Wasm::B3IRGenerator::addBranch): |
| (JSC::Wasm::B3IRGenerator::addSwitch): |
| (JSC::Wasm::B3IRGenerator::endBlock): |
| (JSC::Wasm::B3IRGenerator::createCallPatchpoint): |
| (JSC::Wasm::B3IRGenerator::addCall): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| (JSC::Wasm::B3IRGenerator::ControlData::type const): Deleted. |
| (JSC::Wasm::B3IRGenerator::ControlData::hasNonVoidSignature const): Deleted. |
| (JSC::Wasm::B3IRGenerator::ControlData::resultForBranch const): Deleted. |
| (JSC::Wasm::B3IRGenerator::createStack): Deleted. |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::didReceiveFunctionData): |
| (JSC::Wasm::BBQPlan::parseAndValidateModule): |
| (JSC::Wasm::BBQPlan::complete): |
| * wasm/WasmBBQPlan.h: |
| * wasm/WasmBinding.cpp: |
| (JSC::Wasm::wasmToWasm): |
| * wasm/WasmCallingConvention.cpp: |
| (JSC::Wasm::jsCallingConvention): |
| (JSC::Wasm::wasmCallingConvention): |
| (JSC::Wasm::jscCallingConvention): Deleted. |
| (JSC::Wasm::jscCallingConventionAir): Deleted. |
| (JSC::Wasm::wasmCallingConventionAir): Deleted. |
| * wasm/WasmCallingConvention.h: |
| (JSC::Wasm::CallInformation::CallInformation): |
| (JSC::Wasm::CallInformation::computeResultsOffsetList): |
| (JSC::Wasm::WasmCallingConvention::WasmCallingConvention): |
| (JSC::Wasm::WasmCallingConvention::marshallLocationImpl const): |
| (JSC::Wasm::WasmCallingConvention::marshallLocation const): |
| (JSC::Wasm::WasmCallingConvention::callInformationFor const): |
| (JSC::Wasm::JSCallingConvention::JSCallingConvention): |
| (JSC::Wasm::JSCallingConvention::marshallLocationImpl const): |
| (JSC::Wasm::JSCallingConvention::marshallLocation const): |
| (JSC::Wasm::JSCallingConvention::callInformationFor const): |
| (JSC::Wasm::CallingConvention::CallingConvention): Deleted. |
| (JSC::Wasm::CallingConvention::marshallArgumentImpl const): Deleted. |
| (JSC::Wasm::CallingConvention::marshallArgument const): Deleted. |
| (JSC::Wasm::CallingConvention::headerSizeInBytes): Deleted. |
| (JSC::Wasm::CallingConvention::setupFrameInPrologue const): Deleted. |
| (JSC::Wasm::CallingConvention::loadArguments const): Deleted. |
| (JSC::Wasm::CallingConvention::setupCall const): Deleted. |
| (JSC::Wasm::CallingConventionAir::CallingConventionAir): Deleted. |
| (JSC::Wasm::CallingConventionAir::prologueScratch const): Deleted. |
| (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const): Deleted. |
| (JSC::Wasm::CallingConventionAir::marshallArgument const): Deleted. |
| (JSC::Wasm::CallingConventionAir::headerSizeInBytes): Deleted. |
| (JSC::Wasm::CallingConventionAir::loadArguments const): Deleted. |
| (JSC::Wasm::CallingConventionAir::setupCall const): Deleted. |
| (JSC::Wasm::nextJSCOffset): Deleted. |
| * wasm/WasmFormat.h: |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::splitStack): |
| (JSC::Wasm::FunctionParser::signature const): |
| (JSC::Wasm::FunctionParser<Context>::FunctionParser): |
| (JSC::Wasm::FunctionParser<Context>::parseBody): |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression): |
| * wasm/WasmInstance.h: |
| * wasm/WasmMemoryInformation.cpp: |
| (JSC::Wasm::getPinnedRegisters): |
| * wasm/WasmOMGForOSREntryPlan.cpp: |
| (JSC::Wasm::OMGForOSREntryPlan::work): |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| * wasm/WasmParser.h: |
| (JSC::Wasm::FailureHelper::makeString): |
| (JSC::Wasm::Parser<SuccessType>::Parser): |
| (JSC::Wasm::Parser<SuccessType>::peekInt7): |
| (JSC::Wasm::Parser<SuccessType>::parseBlockSignature): |
| (JSC::Wasm::Parser<SuccessType>::parseValueType): |
| (JSC::Wasm::Parser<SuccessType>::parseResultType): Deleted. |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseType): |
| (JSC::Wasm::SectionParser::parseStart): |
| * wasm/WasmSectionParser.h: |
| * wasm/WasmSignature.cpp: |
| (JSC::Wasm::Signature::toString const): |
| (JSC::Wasm::Signature::dump const): |
| (JSC::Wasm::computeHash): |
| (JSC::Wasm::Signature::hash const): |
| (JSC::Wasm::Signature::tryCreate): |
| (JSC::Wasm::SignatureInformation::SignatureInformation): |
| (JSC::Wasm::ParameterTypes::hash): |
| (JSC::Wasm::ParameterTypes::equal): |
| (JSC::Wasm::ParameterTypes::translate): |
| (JSC::Wasm::SignatureInformation::signatureFor): |
| (JSC::Wasm::SignatureInformation::adopt): Deleted. |
| * wasm/WasmSignature.h: |
| (JSC::Wasm::Signature::Signature): |
| (JSC::Wasm::Signature::allocatedSize): |
| (JSC::Wasm::Signature::returnCount const): |
| (JSC::Wasm::Signature::returnType const): |
| (JSC::Wasm::Signature::returnsVoid const): |
| (JSC::Wasm::Signature::argument const): |
| (JSC::Wasm::Signature::operator== const): |
| (JSC::Wasm::Signature::getReturnType): |
| (JSC::Wasm::Signature::getArgument): |
| (JSC::Wasm::SignatureHash::SignatureHash): |
| (JSC::Wasm::SignatureHash::equal): |
| (JSC::Wasm::SignatureInformation::thunkFor const): |
| (JSC::Wasm::Signature::returnType): Deleted. |
| (JSC::Wasm::Signature::argument): Deleted. |
| * wasm/WasmStreamingParser.cpp: |
| (JSC::Wasm::StreamingParser::parseCodeSectionSize): |
| (JSC::Wasm::StreamingParser::parseFunctionPayload): |
| (JSC::Wasm::StreamingParser::parseSectionPayload): |
| * wasm/WasmStreamingParser.h: |
| (JSC::Wasm::StreamingParserClient::didReceiveSectionData): |
| (JSC::Wasm::StreamingParser::reportError): |
| (JSC::Wasm::StreamingParserClient::didReceiveFunctionData): Deleted. |
| * wasm/WasmThunks.cpp: |
| (JSC::Wasm::throwExceptionFromWasmThunkGenerator): |
| (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator): |
| (JSC::Wasm::triggerOMGEntryTierUpThunkGenerator): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::ControlData::ControlData): |
| (JSC::Wasm::Validate::ControlData::dump const): |
| (JSC::Wasm::Validate::ControlData::blockType const): |
| (JSC::Wasm::Validate::ControlData::signature const): |
| (JSC::Wasm::Validate::ControlData::branchTargetArity const): |
| (JSC::Wasm::Validate::ControlData::branchTargetType const): |
| (JSC::Wasm::Validate::fail const): |
| (JSC::Wasm::Validate::addTableGet): |
| (JSC::Wasm::Validate::addTableGrow): |
| (JSC::Wasm::Validate::addTableFill): |
| (JSC::Wasm::Validate::addRefIsNull): |
| (JSC::Wasm::Validate::addTopLevel): |
| (JSC::Wasm::splitStack): |
| (JSC::Wasm::Validate::addBlock): |
| (JSC::Wasm::Validate::addLoop): |
| (JSC::Wasm::Validate::addIf): |
| (JSC::Wasm::Validate::addElseToUnreachable): |
| (JSC::Wasm::Validate::addReturn): |
| (JSC::Wasm::Validate::checkBranchTarget): |
| (JSC::Wasm::Validate::addSwitch): |
| (JSC::Wasm::Validate::addGrowMemory): |
| (JSC::Wasm::Validate::addEndToUnreachable): |
| (JSC::Wasm::Validate::addCall): |
| (JSC::Wasm::Validate::addCallIndirect): |
| (JSC::Wasm::Validate::unify): |
| (JSC::Wasm::Validate::ControlData::hasNonVoidSignature const): Deleted. |
| (JSC::Wasm::Validate::ControlData::type const): Deleted. |
| (JSC::Wasm::Validate::ControlData::branchTargetSignature const): Deleted. |
| * wasm/generateWasmOpsHeader.py: |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::boxWasmResult): |
| (JSC::Wasm::allocateResultsArray): |
| (JSC::Wasm::marshallJSResult): |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/JSToWasm.h: |
| * wasm/js/JSWebAssemblyCodeBlock.cpp: |
| (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::handleBadI64Use): |
| (JSC::Wasm::wasmToJS): |
| * wasm/js/WasmToJS.h: |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::callWebAssemblyFunction): |
| (JSC::WebAssemblyFunction::useTagRegisters const): |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| |
| 2019-09-30 Alex Christensen <achristensen@webkit.org> |
| |
| Resurrect Mac CMake build |
| https://bugs.webkit.org/show_bug.cgi?id=202384 |
| |
| Rubber-stamped by Tim Horton. |
| |
| * PlatformMac.cmake: |
| |
| 2019-09-30 Alex Christensen <achristensen@webkit.org> |
| |
| Rename JSTokenType::EXPORT to EXPORT_ to avoid naming conflict with internal header |
| https://bugs.webkit.org/show_bug.cgi?id=202385 |
| |
| * parser/Keywords.table: |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseModuleSourceElements): |
| (JSC::Parser<LexerType>::parseExportDeclaration): |
| * parser/ParserTokens.h: |
| |
| 2019-09-30 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Make assertion in JSObject::putOwnDataProperty more precise |
| https://bugs.webkit.org/show_bug.cgi?id=202379 |
| <rdar://problem/49515980> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Currently, we assert that the structure has no accessors/custom accessors, but that assertion is |
| too conservative. All we need to prove is that the property being inserted either does not exist |
| in the target object or is neither an accessor nor read-only. |
| |
| * runtime/JSObject.h: |
| (JSC::JSObject::putOwnDataProperty): Deleted. |
| (JSC::JSObject::putOwnDataPropertyMayBeIndex): Deleted. |
| * runtime/JSObjectInlines.h: |
| (JSC::JSObject::validatePutOwnDataProperty): |
| (JSC::JSObject::putOwnDataProperty): |
| (JSC::JSObject::putOwnDataPropertyMayBeIndex): |
| |
| 2019-09-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too |
| https://bugs.webkit.org/show_bug.cgi?id=202389 |
| <rdar://problem/50717564> |
| |
| Reviewed by Mark Lam. |
| |
| While we are protecting HeapSnapshotBuilder::m_edges with a lock, we are not protecting m_rootData, which is also concurrently modified. |
| This patch protects it. |
| |
| * heap/HeapSnapshotBuilder.cpp: |
| (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell): |
| |
| 2019-09-30 Saam Barati <sbarati@apple.com> |
| |
| Inline caching is wrong for custom accessors and custom values |
| https://bugs.webkit.org/show_bug.cgi?id=201994 |
| <rdar://problem/50850326> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| There was an oversight in our inline caching code for custom accessors and |
| custom values. We used to assume that if an object O had a custom function for |
| property P, then O will forever respond to the same custom function for |
| property P. |
| |
| This assumption was very wrong. These custom accessors/values might be |
| properties in JS which are configurable, so they can be rewritten to be |
| other properties. Our inline caching code would be wrong in the scenarios |
| where these property descriptors got redefined. |
| |
| This patch makes it so that we now properly watchpoint for custom functions |
| being changed. If the custom accessor has been materialized, we place an |
| Equivalence watchpoint on the custom accessor. This patch also teaches |
| StructureStubInfo how to watchpoint on property value equivalence. Before, |
| we just watchpointed on structure transitions. |
| |
| This patch also adds a new property condition kind for when the custom function |
| exists inside the static property table. This case is really easy to test for |
| because we just need to see if the structure still has static properties and |
| the static property table has the entry for a particular property. This |
| property condition kind just needs to watch for structure transitions because |
| an entry in the static property table can't be mutated. |
| |
| This patch is neutral on the microbenchmarks I've added. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::AccessCase): |
| (JSC::AccessCase::couldStillSucceed const): |
| (JSC::AccessCase::generateImpl): |
| * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h: |
| * bytecode/ObjectPropertyCondition.cpp: |
| (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint const): |
| * bytecode/ObjectPropertyCondition.h: |
| (JSC::ObjectPropertyCondition::customFunctionEquivalence): |
| * bytecode/ObjectPropertyConditionSet.cpp: |
| (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition const): |
| (JSC::ObjectPropertyConditionSet::slotBaseCondition const): |
| (JSC::generateConditionsForPrototypePropertyHitCustom): |
| * bytecode/ObjectPropertyConditionSet.h: |
| * bytecode/PolyProtoAccessChain.cpp: |
| (JSC::PolyProtoAccessChain::create): |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::AccessGenerationState::installWatchpoint): |
| (JSC::PolymorphicAccess::commit): |
| (JSC::AccessGenerationState::addWatchpoint): Deleted. |
| * bytecode/PolymorphicAccess.h: |
| * bytecode/PropertyCondition.cpp: |
| (JSC::PropertyCondition::dumpInContext const): |
| (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): |
| (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const): |
| (JSC::PropertyCondition::isStillValid const): |
| (JSC::PropertyCondition::isWatchableWhenValid const): |
| (WTF::printInternal): |
| * bytecode/PropertyCondition.h: |
| (JSC::PropertyCondition::customFunctionEquivalence): |
| (JSC::PropertyCondition::hash const): |
| (JSC::PropertyCondition::operator== const): |
| * bytecode/StructureStubClearingWatchpoint.cpp: |
| (JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal): |
| (JSC::WatchpointsOnStructureStubInfo::addWatchpoint): |
| (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndInstallWatchpoint): |
| (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint): |
| (JSC::AdaptiveValueStructureStubClearingWatchpoint::handleFire): |
| (JSC::StructureStubClearingWatchpoint::fireInternal): Deleted. |
| * bytecode/StructureStubClearingWatchpoint.h: |
| * bytecode/Watchpoint.h: |
| * jit/Repatch.cpp: |
| (JSC::tryCacheGetByID): |
| (JSC::tryCachePutByID): |
| * runtime/ClassInfo.h: |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::findPropertyHashEntry const): |
| * runtime/JSObject.h: |
| * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: |
| * runtime/Structure.cpp: |
| (JSC::Structure::findPropertyHashEntry const): |
| * runtime/Structure.h: |
| * tools/JSDollarVM.cpp: |
| (JSC::testStaticAccessorGetter): |
| (JSC::testStaticAccessorPutter): |
| (JSC::StaticCustomAccessor::StaticCustomAccessor): |
| (JSC::StaticCustomAccessor::createStructure): |
| (JSC::StaticCustomAccessor::create): |
| (JSC::StaticCustomAccessor::getOwnPropertySlot): |
| (JSC::functionCreateStaticCustomAccessor): |
| (JSC::JSDollarVM::finishCreation): |
| |
| 2019-09-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number |
| https://bugs.webkit.org/show_bug.cgi?id=202382 |
| <rdar://problem/52669112> |
| |
| Reviewed by Saam Barati. |
| |
| If CompareEq(Untyped, Untyped) finds that it gets proven Boolean and Number types on its arguments, |
| we fold it to constant False. But this is wrong since `false == 0` is true in JS. |
| This patch adds leastUpperBoundOfEquivalentSpeculations, which merges Number, BigInt, and Boolean types |
| if one of them are seen. |
| |
| * bytecode/SpeculatedType.cpp: |
| (JSC::leastUpperBoundOfEquivalentSpeculations): |
| (JSC::valuesCouldBeEqual): |
| |
| 2019-09-28 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [GTK][WPE] Fix non-unified build issue caused by r250440 |
| https://bugs.webkit.org/show_bug.cgi?id=202349 |
| |
| Reviewed by Mark Lam. |
| |
| * dfg/DFGOSRExit.cpp: Add missing inclusion of the BytecodeUseDef.h header. |
| |
| 2019-09-27 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&` |
| https://bugs.webkit.org/show_bug.cgi?id=202330 |
| |
| Reviewed by Saam Barati. |
| |
| In toLocaleLowerCase and toLocaleUpperCase, we get `const String&` from JSString* and use it. |
| But if this string is newly created one in toLocaleLowerCase and toLocaleUpperCase (like, passing a number, and number.toString() is called |
| in C++), after getting `const String&`, our C++ code potentially does not have any reference to the owner of this `const String&`. So, this |
| JSString* can be collected by GC, while `const String&` is used. This makes `const String&` destroyed, and causes crash. |
| |
| In this patch, we receive it as `String` instead of `const String&` to ref it. This ensures that this string is live even if the owner is collected. |
| I grepped the source code and make this changes conservatively to places which looks dangerous. And I added error checks more after calling `value(exec)`. |
| |
| In this patch, I didn't introduce the change like that: `JSString::value(ExecState*)` returns `String` instead of `const String&`. Some of places are |
| really performance sensitive and we want to use the current behavior when we can ensure the owners are alive. We could figure out these points, and we |
| can change the default behavior of `JSString::value` function to returning `String`. But for now, I plan it as a future work. |
| |
| * dfg/DFGOperations.cpp: |
| * jsc.cpp: |
| (GlobalObject::moduleLoaderImportModule): |
| * runtime/DateConstructor.cpp: |
| (JSC::constructDate): |
| * runtime/JSCJSValueInlines.h: |
| (JSC::JSValue::equalSlowCaseInline): |
| * runtime/RegExpMatchesArray.h: |
| (JSC::createRegExpMatchesArray): |
| * runtime/StringPrototype.cpp: |
| (JSC::toLocaleCase): |
| (JSC::stringProtoFuncToLocaleLowerCase): |
| (JSC::stringProtoFuncToLocaleUpperCase): |
| * tools/JSDollarVM.cpp: |
| (JSC::functionCreateBuiltin): |
| |
| 2019-09-27 Keith Miller <keith_miller@apple.com> |
| |
| OSR exit shouldn't bother updating get_by_id array profiles that have changed modes |
| https://bugs.webkit.org/show_bug.cgi?id=202324 |
| <rdar://problem/52669110> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This is an optimization that avoids polluting the array profile. |
| |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::executeOSRExit): |
| (JSC::DFG::OSRExit::compileExit): |
| |
| 2019-09-27 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Non-standard Error properties should not be enumerable |
| https://bugs.webkit.org/show_bug.cgi?id=198975 |
| |
| Reviewed by Ross Kirsling. |
| |
| Define non-standard Error properties "line", "column", and "sourceURL" as non-enumerable to match other engines. |
| |
| * runtime/ErrorInstance.cpp: |
| (JSC::ErrorInstance::materializeErrorInfoIfNeeded): |
| |
| 2019-09-26 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs |
| https://bugs.webkit.org/show_bug.cgi?id=202299 |
| <rdar://problem/52669116> |
| |
| Reviewed by Saam Barati. |
| |
| When converting recursive-tail-call to jump to the upper call frame, we picked call-frame which is spread by LoadVarargs. |
| This is wrong since this call-frame does not know the exact number of arguments. We are using InlineCallFrame::argumentCountIncludingThis, |
| but this is maximal argumentCountIncludingThis when InlineCallFrame is Varargs call-frame. Let's see the simple example. |
| |
| 'use strict'; |
| var count = 0; |
| function foo() { |
| count--; |
| if (count === 0) |
| return 30; |
| return foo(42, 42); // HERE |
| } |
| |
| function test() { |
| count = 100; |
| return foo(...[42, 42]); // THERE |
| } |
| noInline(test); |
| |
| In the above case, currently, we convert HERE's foo call to the jump to the prologue of the foo function inlined by "test". But since foo is called |
| in a varargs form, "test" emits LoadVarargs, and it also emits `SetArgumentMaybe` for 1st and 2nd arguments. Since HERE's foo call is actually passing |
| two arguments, we emit a Phi node which Upsilon is from SetArgumentMaybe and 42 Constant. This is wrong since SetArgumentMaybe should not be used. Later, |
| SSA conversion phase emits Upsilon with SetArgumentMaybe, and since SetArgumentMaybe is simply removed in SSA conversion phase, it ends up emitting |
| Upsilon without a child. |
| |
| We are currently only performing recursive-tail-call optimization when argument count matches. Given this condition, we should not pick varargs CallFrame |
| as a jump target. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): |
| * dfg/DFGSSAConversionPhase.cpp: |
| (JSC::DFG::SSAConversionPhase::run): |
| |
| 2019-09-26 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| toExponential, toFixed, and toPrecision should allow arguments up to 100 |
| https://bugs.webkit.org/show_bug.cgi?id=199163 |
| |
| Reviewed by Ross Kirsling. |
| |
| Previously, the spec gave fixed range of [0,20] for Number.prototype.{toExponential,toFixed} argument and |
| range of [1,21] for Number.prototype.toPrecision argument, but allowed implementations to permit a larger range. |
| Historically, only SpiderMonkey accepted a larger range, and other implementations threw a RangeError outside the range. |
| Later the spec was changed (see https://github.com/tc39/ecma262/pull/857) to specify the SpiderMonkey behavior. |
| |
| * runtime/NumberPrototype.cpp: |
| (JSC::numberProtoFuncToExponential): Accept arguments between 0 and 100. |
| (JSC::numberProtoFuncToFixed): Accept arguments between 0 and 100. |
| (JSC::numberProtoFuncToPrecision): Accept arguments between 1 and 100. |
| (JSC::getIntegerArgumentInRange): Inline to improve readability. |
| |
| 2019-09-26 Mark Lam <mark.lam@apple.com> |
| |
| We need to initialize the Gigacage first in setJITEnabled() when disabling the JIT. |
| https://bugs.webkit.org/show_bug.cgi?id=202257 |
| |
| Reviewed by Saam Barati. |
| |
| Because of an OS quirk, even after the JIT region has been unmapped, the OS thinks |
| that region is reserved, and as such, can cause Gigacage allocation to fail. We |
| work around this by initializing the Gigacage first. |
| |
| Note: when called, setJITEnabled() is always called extra early in the process |
| bootstrap. Under normal operation (when setJITEnabled() isn't called at all), we |
| will naturally initialize the Gigacage before we allocate the JIT region. |
| Hence, this workaround is merely ensuring the same behavior of allocation ordering. |
| |
| This patch only applies to iOS. |
| |
| * jit/ExecutableAllocator.cpp: |
| (JSC::ExecutableAllocator::setJITEnabled): |
| |
| 2019-09-25 Guillaume Emont <guijemont@igalia.com> |
| |
| testapi: slow devices need more time before watchdog fires |
| https://bugs.webkit.org/show_bug.cgi?id=202149 |
| |
| Reviewed by Mark Lam. |
| |
| In testExecutionTimeLimit(), the time that we leave for the watchdog |
| to fire is often not enough on (slower) arm and mips devices, creating |
| a testapi failure. |
| This change also skips FTL-specific testing when FTL is disabled. |
| |
| * API/tests/ExecutionTimeLimitTest.cpp: |
| (testExecutionTimeLimit): |
| |
| 2019-09-24 Christopher Reid <chris.reid@sony.com> |
| |
| [WinCairo] Start RemoteInspectorServer |
| https://bugs.webkit.org/show_bug.cgi?id=199938 |
| <rdar://problem/53323048> |
| |
| Reviewed by Fujii Hironori. |
| |
| * inspector/remote/socket/RemoteInspectorSocket.cpp: |
| * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp: |
| - Fixed some network byte order issues |
| - Need to check for POLLHUP in isReadable as closed windows sockets don't have POLLIN set |
| |
| 2019-09-24 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the result of the trap is undefined |
| https://bugs.webkit.org/show_bug.cgi?id=154376 |
| |
| Reviewed by Ross Kirsling. |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::performInternalMethodGetOwnProperty): Remove resolved FIXME comments. |
| |
| 2019-09-24 Alexey Proskuryakov <ap@apple.com> |
| |
| JavaScriptCore (still) doesn't unlock the engineering keychain |
| https://bugs.webkit.org/show_bug.cgi?id=202123 |
| |
| Reviewed by Dan Bernstein. |
| |
| Unlike WebKit, JavaScriptCore only defines CODE_SIGN_IDENTITY in ToolExecutable |
| configuration, not in DebugRelease. As a result, it's not defined when running |
| the script for Unlock Keychain phase. |
| |
| Fix this by moving CODE_SIGN_IDENTITY to DebugRelease configuration, matching |
| WebKit. As a result, we are now using consistent signing options in all targets. |
| |
| * Configurations/DebugRelease.xcconfig: |
| * Configurations/ToolExecutable.xcconfig: |
| When moving, removed a special case for Production, as that's never used with |
| DebugRelease (also, the Profile case was incorrect). |
| |
| 2019-09-24 Caio Lima <ticaiolima@gmail.com> |
| |
| [BigInt] Add ValueBitRShift into DFG |
| https://bugs.webkit.org/show_bug.cgi?id=192663 |
| |
| Reviewed by Robin Morisset. |
| |
| We are introducing a new node called ValueBitRShift that is |
| responsible to handle speculation of `UntypedUse` and `BigIntUse` during |
| DFG. Following the approach of other bitwise operations, we |
| now have 2 nodes to handle ">>" operator during JIT, mainly because |
| of the introduction of BigInt, that makes this operator result into |
| Int32 or BigInt. We renamed `BitRShift` to `ArithBitRShift` and such |
| node handles Integers and Numbers speculation and can only return |
| Int32 values. |
| |
| * bytecode/BytecodeList.rb: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| * bytecode/Opcode.h: |
| |
| Adding support to ValueProfile to `op_rshift` to be used during |
| prediction propagation. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantBinaryBitwiseOp): |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| |
| Adding support to still do constant propagation of ValueBitRShift when |
| it is `UntypedUse`. |
| |
| * dfg/DFGBackwardsPropagationPhase.cpp: |
| (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo): |
| (JSC::DFG::BackwardsPropagationPhase::propagate): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| |
| `ValueBitRshift` can trigger GC when it is `BigIntUse` because the |
| operation `JSBigInt::signedRightShift` potentially allocates new |
| JSBigInts. It also can trigger GC when it is `UntypedUse` because it |
| can execute arbitrary code. |
| |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| |
| The fixup rule of `ValueBitRShift` checks if it should fixup for |
| `BigIntUse` or `UntypedUse`. If those checks fail, we fallback to |
| `ArithBitRShift`. |
| |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::hasNumericResult): |
| (JSC::DFG::Node::hasHeapPrediction): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| |
| We are using the same rule used by `ValueBitLShift` to propagate |
| types. We try to propagate the type based on operation's input, but |
| fallback to `getHeapPrediction()` if this is not possible. |
| |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp): |
| (JSC::DFG::SpeculativeJIT::compileValueBitRShift): |
| (JSC::DFG::SpeculativeJIT::compileShiftOp): |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::shiftOp): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStrengthReductionPhase.cpp: |
| (JSC::DFG::StrengthReductionPhase::handleNode): |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithBitRShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileBitRShift): Deleted. |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| |
| 2019-09-24 Mark Lam <mark.lam@apple.com> |
| |
| Refactor cellSize() out of VMInspector::verifyCellSize(). |
| https://bugs.webkit.org/show_bug.cgi?id=202132 |
| |
| Reviewed by Saam Barati. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * runtime/CellSize.h: Added. |
| (JSC::isDynamicallySizedType): |
| (JSC::cellSize): |
| * runtime/DirectArguments.h: |
| * runtime/JSBigInt.h: |
| * runtime/JSModuleNamespaceObject.h: |
| * runtime/JSType.h: |
| (JSC::isDynamicallySizedType): Deleted. |
| * tools/VMInspectorInlines.h: |
| (JSC::VMInspector::verifyCellSize): |
| |
| 2019-09-23 Mark Lam <mark.lam@apple.com> |
| |
| Introducing Integrity audit functions. |
| https://bugs.webkit.org/show_bug.cgi?id=202085 |
| |
| Reviewed by Saam Barati. |
| |
| This patch's main goal is to introduce the Integrity audit functions. They can |
| be used wherever we want to audit a cell to probabilistically ensure it is not |
| corrupted. However, to keep this patch small, we will only introduce the audit |
| tool here with one example use in SlotVisitor. We'll follow up later with more |
| patches to deploy this tool throughout the VM. |
| |
| 1. Introduced Integrity audit functions that can be configured at several |
| AuditLevels: |
| None - don't do any audits. |
| Minimal - do a minimal quick audit (minimize perf impact). |
| Full - do a full audit of the many aspects of a cell. |
| Random - randomly do a full audit with a probability dictated by |
| Options::randomIntegrityAuditRate() between 0.0 (never audit) and |
| 1.0 (audit at every chance). |
| |
| The default AuditLevel for Debug builds is Random. |
| The default AuditLevel for Release builds is None. |
| The default Options::randomIntegrityAuditRate() is 0.05. |
| |
| How full audits work? |
| ==================== |
| The full audit uses the VMInspector::verifyCell() template function to do its |
| job. The reason for keeping this separate is to allow the template function |
| to be used later for debug checks that want to take some custom action on |
| verification failure instead of crashing with a RELEASE_ASSERT. |
| |
| Full audit of a cell pointer includes: |
| a. Verify that a cell designated as a LargeAllocation is in the heap's |
| set of LargeAllocations. |
| |
| b. Verify that a cell not designated as a LargeAllocation is actually in its |
| MarkedBlock's bounds. |
| |
| c. Verify that the cell's container (LargeAllocation / MarkedBlock) actually |
| belongs to the current VM. |
| |
| d. Verify that a cell in a MarkedBlock is properly aligned on the block's |
| allocation unit size. |
| |
| e. If the cell is not an ImmutableButterfly, verify that it is not located in |
| the Gigacage. |
| |
| f. Verify that the cell's JSType matches its StructureBlob's JSType. |
| |
| g. Verify that the cell size as dictated by the cell ClassInfo does not exceed |
| the size of the allocation unit size (as expected by the container |
| MarkedBlock or LargeAllocation). |
| |
| Some cells are dynamically size (see isDynamicallySizedType()). For these |
| cells, we compute their sizes and verify that the size does not exceed the |
| allocation unit size. Their sizes should also be greater or equal to the |
| static cell size as dictated by their ClassInfo. |
| |
| h. If a cell has a butterfly, verify that the butterfly is in its the JSValue |
| Gigacage. |
| |
| We can add more verifications later, or make some these more robust, but this |
| is a start for now. |
| |
| How random audits work? |
| ====================== |
| Random audits are triggered by the m_triggerBits bits in VM::m_integrityRandom. |
| m_triggerBits is a 64-bit bitfield. |
| |
| If Options::randomIntegrityAuditRate() is 0, m_triggerBits will always be 0, |
| and no audits will be done. |
| |
| If Options::randomIntegrityAuditRate() is non-zero, m_triggerBits will be |
| initialized as follows: |
| |
| | 1 reload bit | ... 63 trigger bits ... | |
| |
| The reload bit is always set (more details below). |
| Each of the 63 trigger bits are randomly set depending if the following is true |
| for the bit: |
| |
| VM::random() <= Options::randomIntegrityAuditRate() * UINT_MAX |
| |
| When Integrity::auditCell() is called, we take the bottom bit as the trigger |
| bit for the current cell, and shifts the rest down by 1. |
| |
| If m_triggerBits is non-null after the shift, the taken trigger bit will dictate |
| whether we do a full audit on the current cell or not. |
| |
| Once the reload bit reaches the bottom, we call a reload function to |
| re-initialize m_triggerBits. The reload function also returns a bool |
| indicating whether to trigger a full audit of the current cell. |
| |
| With this scheme, we only need to call the reload function once every 64 calls |
| to Integrity::auditCell(), and can efficiently determine whether to trigger |
| the audit the other 63 times with the probability specified in |
| Options::randomIntegrityAuditRate(). |
| |
| 2. Embedded the C++ class size of JSCells into their ClassInfo. This is used in |
| the full audits to verify cell sizes. |
| |
| 3. Added isDynamicallySizedType() to check if a JSType has a dynamic size allocation |
| i.e. the size of instances of this type is not determined by the static C++ |
| size of its class, but rather, depends on some runtime variable. |
| |
| 4. Made the VMInspector a friend of several classes so that it can access their |
| private methods and fields. |
| |
| 5. Moved the inline function JSBigInt::allocationSize() from BigInt.cpp to its |
| header file so that we can use it in VMInspector::verifyCellSize(). |
| |
| 6. Gave the JSModuleNamespaceObject() its own JSType so that we can identify it |
| as a dynamically sized object. |
| |
| 7. Increased the randomness of VM::random() (which is implemented with WeakRandom) |
| by re-seeding it with a cryptographically random number each GC. |
| |
| 8. Called Integrity::auditCell() on SlotVisitor::appendJSCellOrAuxiliary()'s cell |
| as an example use of auditCell(). More uses will be added in later patches to |
| follow. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * heap/Heap.cpp: |
| (JSC::Heap::runBeginPhase): |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::appendJSCellOrAuxiliary): |
| * runtime/ClassInfo.h: |
| * runtime/DirectArguments.h: |
| * runtime/JSBigInt.cpp: |
| (JSC::JSBigInt::allocationSize): Deleted. |
| * runtime/JSBigInt.h: |
| (JSC::JSBigInt::allocationSize): |
| * runtime/JSModuleNamespaceObject.h: |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| (JSC::isDynamicallySizedType): |
| * runtime/Options.cpp: |
| (JSC::recomputeDependentOptions): |
| * runtime/OptionsList.h: |
| * runtime/Structure.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| (JSC::VM::random): |
| (JSC::VM::integrityRandom): |
| * tools/Integrity.cpp: Added. |
| (JSC::Integrity::Random::Random): |
| (JSC::Integrity::Random::reloadAndCheckShouldAuditSlow): |
| (JSC::Integrity::auditCellFully): |
| (JSC::Integrity::auditCellMinimallySlow): |
| * tools/Integrity.h: Added. |
| (JSC::Integrity::auditCell): |
| * tools/IntegrityInlines.h: Added. |
| (JSC::Integrity::Random::shouldAudit): |
| (JSC::Integrity::auditCellMinimally): |
| (JSC::Integrity::auditCellRandomly): |
| * tools/VMInspector.h: |
| (JSC::VMInspector::unusedVerifier): |
| (JSC::VMInspector::verifyCellSize): |
| * tools/VMInspectorInlines.h: Added. |
| (JSC::VMInspector::verifyCellSize): |
| (JSC::VMInspector::verifyCell): |
| |
| 2019-09-23 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r250262. |
| https://bugs.webkit.org/show_bug.cgi?id=202126 |
| |
| "Breaks Win64 builds because of MSVC bug" (Requested by mlam|a |
| on #webkit). |
| |
| Reverted changeset: |
| |
| "Reduce the amount of memory needed to store Options." |
| https://bugs.webkit.org/show_bug.cgi?id=202105 |
| https://trac.webkit.org/changeset/250262 |
| |
| 2019-09-23 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Array methods should throw TypeError upon attempting to modify a string |
| https://bugs.webkit.org/show_bug.cgi?id=201910 |
| |
| Reviewed by Keith Miller. |
| |
| We currently allow Array prototype methods to modify strings that they are called upon in certain cases. |
| (In particular, we're inconsistent about permitting writes to the length property.) |
| |
| According to section 22.1.3 of the ES spec, this should result in a TypeError. |
| https://tc39.es/ecma262/#sec-properties-of-the-array-prototype-object |
| (Test262 cases are needed, but the key is that all such methods use Set(..., true) which throws on failure.) |
| |
| * runtime/ArrayPrototype.cpp: |
| (JSC::putLength): |
| (JSC::setLength): |
| Never update the length property of a non-JSArray without checking whether we're actually allowed to. |
| |
| 2019-09-23 Mark Lam <mark.lam@apple.com> |
| |
| Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition. |
| https://bugs.webkit.org/show_bug.cgi?id=202122 |
| <rdar://problem/55535249> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| |
| 2019-09-23 Mark Lam <mark.lam@apple.com> |
| |
| Reduce the amount of memory needed to store Options. |
| https://bugs.webkit.org/show_bug.cgi?id=202105 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The size of the JSC::Config needed to store the Options is now reduced to 4K |
| instead of 16K, enabled by constexpr template magic. |
| |
| 1. Instead of all options in a large array of OptionEntry (which is a union of |
| all the option types), we now have separate arrays for each of the types of |
| options. For example, |
| |
| Removed g_jscConfig.options[]. |
| Added g_jscConfig.typeBoolOptions[]. |
| Added g_jscConfig.typeInt32Options[]. |
| Added g_jscConfig.typeDoubleOptions[]. |
| ... |
| |
| We used to find the storage for the option using g_jscConfig.options[Options::ID]. |
| We now find the storage for each type of option using |
| g_jscConfig.options[optionTypeSpecificIndex<OptionTypeID, OptionID>()]. For |
| example, Options::useJIT() used to be implemented as: |
| |
| inline bool& Options::useJIT() |
| { |
| return g_jscConfig.options[Options::useJITID]; |
| } |
| |
| ... which is now replaced with: |
| |
| inline bool& Options::useJIT() |
| { |
| return g_jscConfig.typeBoolOptions[optionTypeSpecificIndex<OptionTypeID::Bool, OptionID::useJIT>()]; |
| } |
| |
| 2. Introduce the optionTypeSpecificIndex() constexpr template function for |
| computing the index of each option in their respective type specific options |
| array. |
| |
| 3. Introduce OptionTypes, OptionTypeID, and OptionID. |
| |
| The OptionTypes namespace replaces OptionEntry as the container of option types. |
| The OptionID enum class replaces Options::ID. |
| The OptionTypeID enum class is new and is used together with OptionID in |
| constexpr templates to compute the typeSpecificIndex of options. |
| |
| 4. Removed the OptionEntry struct and OptionEntry.h. After (1), this struct is |
| only used in the Option class. We just moved the union of option types (that |
| OptionEntry embeds) into the Option class. |
| |
| Moved class OptionRange into OptionsList.h. |
| |
| 5. Removed the large OptionEntry arrays from JSC::Config. |
| Added type specific options arrays. |
| Also ordered these arrays to maximize compactness and minimize internal fragmentation. |
| |
| 6. Changed scaleJITPolicy() to go directly to g_jscConfig.typeInt32Options[] |
| instead of going through the Option wrapper object. This allows us to simplify |
| things and make the Option class a read only interface of options. |
| |
| 7. Changed Options::initialize() to only compute the option default value once. |
| The default value specified in the OptionsList may not always be a constant. |
| Sometimes, it is a function call. |
| |
| 8. The Option class now only gives read only access to the options. |
| |
| The Option class' role is to provide an interface for reading an option at any |
| given OptionID without first knowing about the type of the specific option. |
| It is useful for iterating options, and is currently only used by |
| Options::dumpOption(). |
| |
| Technically, we could merge all the Option class code into its single client. |
| We opted not to do this because the amount of code is non-trivial, and the |
| Option class does a good job of encapsulating this functionality. |
| |
| * API/glib/JSCOptions.cpp: |
| (jscOptionsSetValue): |
| (jscOptionsGetValue): |
| (jsc_options_foreach): |
| (jsc_options_get_option_group): |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * runtime/JSCConfig.h: |
| * runtime/OptionEntry.h: Removed. |
| * runtime/Options.cpp: |
| (JSC::Options::isAvailable): |
| (JSC::overrideOptionWithHeuristic): |
| (JSC::scaleJITPolicy): |
| (JSC::recomputeDependentOptions): |
| (JSC::Options::initialize): |
| (JSC::Options::setOptionWithoutAlias): |
| (JSC::Options::dumpAllOptions): |
| (JSC::Options::dumpOption): |
| (JSC::Option::Option): |
| (JSC::Option::defaultOption const): |
| (JSC::Option::dump const): |
| (JSC::Option::operator== const): |
| * runtime/Options.h: |
| (JSC::Option::id const): |
| (JSC::Option::name const): |
| (JSC::Option::description const): |
| (JSC::Option::type const): |
| (JSC::Option::availability const): |
| (JSC::Option::isOverridden const): |
| (JSC::Option::Option): |
| (JSC::Option::idIndex const): |
| (JSC::Option::defaultOption const): Deleted. |
| (JSC::Option::boolVal): Deleted. |
| (JSC::Option::unsignedVal): Deleted. |
| (JSC::Option::doubleVal): Deleted. |
| (JSC::Option::int32Val): Deleted. |
| (JSC::Option::optionRangeVal): Deleted. |
| (JSC::Option::optionStringVal): Deleted. |
| (JSC::Option::gcLogLevelVal): Deleted. |
| * runtime/OptionsList.h: |
| (JSC::OptionRange::operator= ): |
| (JSC::OptionRange::rangeString const): |
| (JSC::optionTypeSpecificIndex): |
| (JSC::countNumberOfJSCOptionsOfType): |
| |
| 2019-09-23 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Canvas: show WebGPU shader pipelines |
| https://bugs.webkit.org/show_bug.cgi?id=201675 |
| <rdar://problem/55543450> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/Canvas.json: |
| Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the |
| frontend of a new program |
| |
| 2019-09-23 Zan Dobersek <zdobersek@igalia.com> |
| |
| testmasm: integer operands loaded as unsigned values |
| https://bugs.webkit.org/show_bug.cgi?id=202099 |
| |
| Reviewed by Mark Lam. |
| |
| Suppress GCC warnings about comparing signed and unsigned values in |
| test cases introduced in r247913 by using signed integer types for |
| loading 32-bit and 64-bit integer operand values. |
| |
| * assembler/testmasm.cpp: |
| (JSC::testBranchTestBit32RegReg): |
| (JSC::testBranchTestBit32RegImm): |
| (JSC::testBranchTestBit32AddrImm): |
| (JSC::testBranchTestBit64RegReg): |
| (JSC::testBranchTestBit64RegImm): |
| (JSC::testBranchTestBit64AddrImm): |
| |
| 2019-09-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function |
| https://bugs.webkit.org/show_bug.cgi?id=202072 |
| |
| Reviewed by Mark Lam. |
| |
| Inline doubleToStrictInt52 in FTL since it is very simple function. |
| This change improves JetStream2/stanford-crypto-sha256 by ~5%. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::doubleToStrictInt52): |
| * ftl/FTLOutput.cpp: |
| (JSC::FTL::Output::doubleToInt64): |
| * ftl/FTLOutput.h: |
| |
| 2019-09-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, follow-up change after r250198 |
| https://bugs.webkit.org/show_bug.cgi?id=201633 |
| |
| * b3/testb3_5.cpp: |
| (testCheckAddRemoveCheckWithSExt16): |
| |
| 2019-09-21 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove CheckAdd in JetStream2/async-fs's Math.random function |
| https://bugs.webkit.org/show_bug.cgi?id=201633 |
| |
| Reviewed by Mark Lam. |
| |
| Int52Rep is used in DFG and FTL to calculate Int52 things faster. This is typically used when user code see uint32_t type. |
| In JS, we handles Int32 well, but if the value exceeds Int32 range (like, using 0xffffffff), we use Int52 instead not to fallback to Double. |
| |
| The problem is that we do not have optimizations for Int52's overflow checks. This emits many ArithAdd(Int52Rep x 2, CheckOverflow). Each |
| of them emits OSR exit, which prevents dead-store-elimination in B3, and makes ValueToInt32(Int52) alive if it is referenced from some variable which |
| can be seen if OSR exit occurs. |
| |
| In this patch, we perform strength-reduction for CheckAdd, converting to Add. We already have such a thing. But the existing one does not handle instructions |
| well emitted when Int52 is used. |
| |
| When Int52 is used, we typically have the sequence like, |
| |
| Int64 @78 = SExt32(@73, DFG:@67<Int52>) // Widen Int32 to Int64 |
| Int64 @81 = Shl(@78, $12(@80), DFG:@162<Int52>) // Convert Int32 to Int52 |
| |
| While we have Shl handling for integer-range optimization in B3ReduceStrength, we lack handling of SExt32 while it is very easy. |
| This patch adds SExt8, SExt16, SExt32, and ZExt32 handling to B3ReduceStrength's integer range analysis. |
| This converts many CheckAdd in JetStream2/async-fs's hot function to simple Add, and removes a bunch of unnecessary instructions which exist because of this OSR exit. |
| We can see ~5% improvement in JetStream2/async-fs. |
| |
| * b3/B3ReduceStrength.cpp: |
| * b3/testb3.h: |
| (int16Operands): |
| (int8Operands): |
| * b3/testb3_1.cpp: |
| (run): |
| * b3/testb3_5.cpp: |
| (testCheckAddRemoveCheckWithSExt8): |
| (testCheckAddRemoveCheckWithSExt16): |
| (testCheckAddRemoveCheckWithSExt32): |
| (testCheckAddRemoveCheckWithZExt32): |
| |
| 2019-09-21 Mark Lam <mark.lam@apple.com> |
| |
| Move JSLexicalEnvironment, DirectArguments, and ScopedArguments cells out of the Gigacage. |
| https://bugs.webkit.org/show_bug.cgi?id=202082 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| They are not being caged anyway. |
| |
| * runtime/DirectArguments.h: |
| * runtime/JSLexicalEnvironment.h: |
| (JSC::JSLexicalEnvironment::subspaceFor): |
| * runtime/ScopedArguments.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-09-21 Tadeu Zagallo <tzagallo@apple.com> |
| |
| AccessCase should strongly visit its dependencies while on stack |
| https://bugs.webkit.org/show_bug.cgi?id=201986 |
| <rdar://problem/55521953> |
| |
| Reviewed by Saam Barati and Yusuke Suzuki. |
| |
| AccessCase::doesCalls is responsible for specifying the cells it depends on, so that |
| MarkingGCAwareJITStubRoutine can strongly visit them while the stub is on stack. However, |
| it was missing most of its dependencies, which led to it being collected while on stack. |
| This manifested in the flaky test stress/ftl-put-by-id-setter-exception-interesting-live-state.js |
| as the PolymorphicAccess being collected and removing its exception handler from the code |
| block, which led to exception propagating past the try/catch. |
| |
| In order to fix this, we abstract the dependency gathering logic from AccessCase into |
| forEachDependentCell and use it to implement visitWeak as well as doesCalls in order to |
| guarantee that their implementation is consistent. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::forEachDependentCell const): |
| (JSC::AccessCase::doesCalls const): |
| (JSC::AccessCase::visitWeak const): |
| * bytecode/AccessCase.h: |
| * bytecode/CallLinkInfo.cpp: |
| (JSC::CallLinkInfo::lastSeenCallee const): |
| (JSC::CallLinkInfo::haveLastSeenCallee const): |
| (JSC::CallLinkInfo::lastSeenCallee): Deleted. |
| (JSC::CallLinkInfo::haveLastSeenCallee): Deleted. |
| * bytecode/CallLinkInfo.h: |
| (JSC::CallLinkInfo::isDirect const): |
| (JSC::CallLinkInfo::isLinked const): |
| (JSC::CallLinkInfo::stub const): |
| (JSC::CallLinkInfo::forEachDependentCell const): |
| (JSC::CallLinkInfo::isLinked): Deleted. |
| (JSC::CallLinkInfo::stub): Deleted. |
| * bytecode/ObjectPropertyCondition.cpp: |
| (JSC::ObjectPropertyCondition::isStillLive const): |
| * bytecode/ObjectPropertyCondition.h: |
| (JSC::ObjectPropertyCondition::forEachDependentCell const): |
| * bytecode/ObjectPropertyConditionSet.cpp: |
| (JSC::ObjectPropertyConditionSet::areStillLive const): |
| * bytecode/ObjectPropertyConditionSet.h: |
| (JSC::ObjectPropertyConditionSet::forEachDependentCell const): |
| * bytecode/PropertyCondition.cpp: |
| (JSC::PropertyCondition::isStillLive const): |
| * bytecode/PropertyCondition.h: |
| (JSC::PropertyCondition::forEachDependentCell const): |
| * jit/PolymorphicCallStubRoutine.cpp: |
| (JSC::PolymorphicCallStubRoutine::visitWeak): |
| * jit/PolymorphicCallStubRoutine.h: |
| (JSC::PolymorphicCallStubRoutine::forEachDependentCell): |
| |
| 2019-09-21 David Kilzer <ddkilzer@apple.com> |
| |
| clang-tidy: Fix unnecessary copy/ref churn of for loop variables in WTF/JavaScriptCore |
| <https://webkit.org/b/202069> |
| |
| Reviewed by Mark Lam. |
| |
| Fix unwanted copying/ref churn of loop variables by making them |
| const references. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::setConstantIdentifierSetRegisters): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| * inspector/agents/InspectorAgent.cpp: |
| (Inspector::InspectorAgent::activateExtraDomains): |
| * inspector/remote/cocoa/RemoteInspectorCocoa.mm: |
| (Inspector::RemoteInspector::stopInternal): |
| (Inspector::RemoteInspector::xpcConnectionFailed): |
| (Inspector::RemoteInspector::pushListingsNow): |
| * parser/Parser.h: |
| (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates): |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::performGetOwnPropertyNames): |
| * runtime/SamplingProfiler.cpp: |
| (JSC::SamplingProfiler::registerForReportAtExit): |
| (JSC::SamplingProfiler::reportTopFunctions): |
| (JSC::SamplingProfiler::reportTopBytecodes): |
| * runtime/TypeSet.cpp: |
| (JSC::StructureShape::inspectorRepresentation): |
| (JSC::StructureShape::merge): |
| |
| 2019-09-20 Keith Miller <keith_miller@apple.com> |
| |
| eliding a move in Air O0 needs to mark the dest's old reg as available |
| https://bugs.webkit.org/show_bug.cgi?id=202066 |
| |
| Reviewed by Saam Barati. |
| |
| Also adds a new release method that handles all the invariants of |
| returning a register to the available register pool. |
| |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: |
| (JSC::B3::Air::GenerateAndAllocateRegisters::release): |
| (JSC::B3::Air::GenerateAndAllocateRegisters::spill): |
| (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded): |
| (JSC::B3::Air::GenerateAndAllocateRegisters::generate): |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: |
| |
| 2019-09-20 Mark Lam <mark.lam@apple.com> |
| |
| Harden assertion in StructureIDTable::get(). |
| https://bugs.webkit.org/show_bug.cgi?id=202067 |
| <rdar://problem/55577923> |
| |
| Reviewed by Keith Miller. |
| |
| * runtime/StructureIDTable.h: |
| (JSC::StructureIDTable::get): |
| |
| 2019-09-20 Truitt Savell <tsavell@apple.com> |
| |
| Unreviewed, rolling out r250114. |
| |
| Broke ~16 webgpu/ tests on Mojave wk2 |
| |
| Reverted changeset: |
| |
| "Web Inspector: Canvas: show WebGPU shader pipelines" |
| https://bugs.webkit.org/show_bug.cgi?id=201675 |
| https://trac.webkit.org/changeset/250114 |
| |
| 2019-09-20 Paulo Matos <pmatos@igalia.com> |
| |
| Implement memory monitoring functions for Linux OS |
| https://bugs.webkit.org/show_bug.cgi?id=200391 |
| |
| Reviewed by Žan Doberšek. |
| |
| * jsc.cpp: |
| |
| 2019-09-20 Devin Rousso <drousso@apple.com> |
| |
| ASSERT NOT REACHED in Inspector::InjectedScriptModule::ensureInjected() seen with inspector/heap/getRemoteObject.html |
| https://bugs.webkit.org/show_bug.cgi?id=201713 |
| <rdar://problem/55290349> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Expose the `Exception` object by leveraging an `Expected` of `JSValue` as the return value |
| instead of using a referenced `bool` (which wouldn't include any of the exception's info). |
| |
| * bindings/ScriptFunctionCall.h: |
| * bindings/ScriptFunctionCall.cpp: |
| (Deprecated::ScriptFunctionCall::call): |
| |
| * inspector/InjectedScript.cpp: |
| (Inspector::InjectedScript::wrapCallFrames const): |
| (Inspector::InjectedScript::wrapObject const): |
| (Inspector::InjectedScript::wrapJSONString const): |
| (Inspector::InjectedScript::wrapTable const): |
| (Inspector::InjectedScript::previewValue const): |
| (Inspector::InjectedScript::findObjectById const): |
| (Inspector::InjectedScript::releaseObjectGroup): |
| |
| * inspector/InjectedScriptBase.h: |
| * inspector/InjectedScriptBase.cpp: |
| (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled const): |
| (Inspector::InjectedScriptBase::makeCall): |
| (Inspector::InjectedScriptBase::makeAsyncCall): |
| |
| * inspector/InjectedScriptManager.h: |
| * inspector/InjectedScriptManager.cpp: |
| (Inspector::InjectedScriptManager::createInjectedScript): |
| (Inspector::InjectedScriptManager::injectedScriptFor): |
| |
| * inspector/InjectedScriptModule.cpp: |
| (Inspector::InjectedScriptModule::ensureInjected): |
| |
| 2019-09-19 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable |
| https://bugs.webkit.org/show_bug.cgi?id=202014 |
| |
| Reviewed by Saam Barati. |
| |
| Let's look into the bytecode generated by the test. |
| |
| [ 0] enter |
| [ 1] get_scope loc4 |
| [ 3] mov loc5, loc4 |
| [ 6] check_traps |
| [ 7] mov loc6, callee |
| [ 10] create_direct_arguments loc7 |
| [ 12] to_this this |
| [ 15] mov loc8, loc7 |
| [ 18] mov loc9, loc6 |
| [ 21] mov loc12, Undefined(const0) |
| [ 24] get_by_id loc11, loc6, 0 |
| [ 29] jneq_ptr loc11, ApplyFunction, 18(->47) |
| [ 34] mov loc11, loc6 |
| [ 37] call_varargs loc11, loc11, this, loc8, loc13, 0 |
| [ 45] jmp 17(->62) |
| [ 47] mov loc16, loc6 |
| [ 50] mov loc15, this |
| [ 53] mov loc14, loc8 |
| [ 56] call loc11, loc11, 3, 22 |
| ... |
| |
| call_varargs uses loc13 as firstFreeReg (first usable bottom register in the current stack-frame to spread variadic arguments after this). |
| This is correct. And call_varargs uses |this| as this argument for the call_varargs. This |this| argument is not in a region starting from loc13. |
| And it is not in the previous place to loc13 (|this| is not loc12). |
| |
| On the other hand, DFG::ByteCodeParser's inlining path is always assuming that the previous to firstFreeReg is usable and part of arguments. |
| But this is wrong. loc12 in the above bytecode is used for `[ 56] call loc11, loc11, 3, 22`'s argument later, and this call assumes |
| that loc12 is not clobbered by call_varargs. But DFG and FTL clobbers it. |
| |
| The test is recursively calling the same function, and we inline the same function one-level. And stack-overflow error happens when inlined |
| CallForwardVarargs (from op_call_varargs) is called. FTL recovers the frames, and at this point, outer function's loc12 is recovered to garbage since |
| LoadVarargs clobbers it. And we eventually use it and crash. |
| |
| 60:<!0:-> LoadVarargs(Check:Untyped:Kill:@30, MustGen, start = loc13, count = loc15, machineStart = loc7, machineCount = loc9, offset = 0, mandatoryMinimum = 0, limit = 2, R:World, W:Stack(-16),Stack(-14),Stack(-13),Heap, Exits, ClobbersExit, bc#37, ExitValid) |
| |
| This LoadVarargs clobbers loc12, loc13, and loc15 while loc12 is used. |
| |
| In all the tiers, op_call_varargs first allocates enough region to hold varargs including |this|. And we store |this| value to a correct place. |
| DFG should not assume that the previous register to firstFreeReg is used for |this|. |
| |
| This patch fixes DFG::ByteCodeParser's stack region calculation for op_call_varargs inlining. And we rename maxNumArguments to maxArgumentCountIncludingThis to |
| represent that `maxArgumentCountIncludingThis` includes |this| count. |
| |
| * bytecode/CallLinkInfo.cpp: |
| (JSC::CallLinkInfo::setMaxArgumentCountIncludingThis): |
| (JSC::CallLinkInfo::setMaxNumArguments): Deleted. |
| * bytecode/CallLinkInfo.h: |
| (JSC::CallLinkInfo::addressOfMaxArgumentCountIncludingThis): |
| (JSC::CallLinkInfo::maxArgumentCountIncludingThis): |
| (JSC::CallLinkInfo::addressOfMaxNumArguments): Deleted. |
| (JSC::CallLinkInfo::maxNumArguments): Deleted. |
| * bytecode/CallLinkStatus.cpp: |
| (JSC::CallLinkStatus::computeFor): |
| (JSC::CallLinkStatus::dump const): |
| * bytecode/CallLinkStatus.h: |
| (JSC::CallLinkStatus::maxArgumentCountIncludingThis const): |
| (JSC::CallLinkStatus::maxNumArguments const): Deleted. |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleVarargsInlining): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): |
| * jit/JITCall.cpp: |
| (JSC::JIT::compileSetupFrame): |
| * jit/JITCall32_64.cpp: |
| (JSC::JIT::compileSetupFrame): |
| * jit/JITOperations.cpp: |
| |
| 2019-09-19 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Canvas: show WebGPU shader pipelines |
| https://bugs.webkit.org/show_bug.cgi?id=201675 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/Canvas.json: |
| Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the |
| frontend of a new program |
| |
| 2019-09-19 Mark Lam <mark.lam@apple.com> |
| |
| Rename VMInspector::m_list to m_vmList. |
| https://bugs.webkit.org/show_bug.cgi?id=202015 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| m_vmList is more descriptive, and this rename helps grep-ability by disambiguating |
| it from other m_lists in the code base. |
| |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::add): |
| (JSC::VMInspector::remove): |
| * tools/VMInspector.h: |
| (JSC::VMInspector::iterate): |
| |
| 2019-09-19 Mark Lam <mark.lam@apple.com> |
| |
| Reduce the number of required tag bits for the JSValue. |
| https://bugs.webkit.org/show_bug.cgi?id=201990 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We're reducing the number of tag bits to 15. It should just work. |
| |
| How did we arrive at 15 bits? |
| ============================ |
| Currently, the minimum number of top bits used by doubles is 13-bits. The |
| highest double bit encoding are: |
| |
| "negative" pureNaN: starts with 0xfff8 |
| negative infinity: starts with 0xfff0 |
| highest number: starts with 0xffe* |
| lowest number: starts with 0x0000 |
| |
| Requirements: |
| 1. We need tags for 2 range of numbers: pointers (all 0s at the top), and ints |
| (all 1s at the top). |
| |
| 2. We want to be able to add an offset to double bits and ensure that they never |
| end up in the ranges for pointers and ints. |
| |
| 3. The int tag must be higher than whatever value is produced in the top bits |
| when boxing a double. We have code that relies on this relationship being |
| true and checks if a JSValue is an int by checking if the tag bits are above |
| or equal to the int tag. |
| |
| 4. We don't want to burn more than 2 CPU registers for tag / mask registers. |
| |
| Based on the bit encoding of doubles, the full number range of the top 13 bits |
| are used in valid double numbers. This means the minimum tag bits must be greater |
| than 13. |
| |
| Consider a 14-bit tag. The DoubleEncodeOffset will be 1 << 50 i.e. starts with |
| 0x0004. With this encoding, |
| "negative" pureNaN: maps to 0xfff8 + 0x0004 => 0xfffc |
| |
| i.e. the top 14 bits are all set. This conflicts with the int number range. |
| |
| Next, consider a 15-bit tag. The DoubleEncodeOffset will be 1 << 49 i.e. starts |
| with 0x0002. With this encoding: |
| "negative" pureNaN: maps to 0xfff8 + 0x0002 => 0xfffa |
| negative infinity: maps to 0xfff0 + 0x0002 => 0xfff2 |
| |
| i.e. 0xfffe (top 5 bits set) is available to represent ints. This is the encoding |
| that we'll adopt in this patch. |
| |
| Alternate encodings schemes to consider in the future: |
| ===================================================== |
| 1. If we're willing and able to purifyNaN at all the places that can produce a |
| "negative" pureNaN, e.g. after a division, then we can remove the "negative" |
| pureNaN as a valid double bit encoding. With this, we can now box doubles |
| with just a 14-bit tag, and DoubleEncodeOffset will be 1 << 50 i.e. starts with |
| 0x0004. |
| |
| With this encoding, the top double, negative infinity, is encoded as follows: |
| |
| negative infinity: maps to 0xfff0 + 0x0004 => 0xfff4 |
| |
| i.e. leaving 0xfffc as the tag for ints. |
| |
| We didn't adopt this scheme at this time because it adds complexity, and may |
| have performance impact from the extra purifyNaN checks. |
| |
| Ref: https://bugs.webkit.org/show_bug.cgi?id=202002 |
| |
| 2. If we're willing to use 3 tag registers or always materialize one of them, we |
| can also adopt a 14-bit tag as follows: |
| |
| Pointer { 0000:PPPP:PPPP:PPPP |
| / 0002:****:****:**** |
| Double { ... |
| \ FFFC:****:****:**** |
| Integer { FFFF:0000:IIII:IIII |
| |
| where ... |
| NumberMask is 0xfffc: any bits set in the top 14 bits is a number. |
| IntMask is 0xffff: value is int if value & IntMask == IntMask. |
| NotCellMask is NumberMask | OtherTag. |
| |
| Since the highest double is "negative" pureNaN i.e. starts with 0xfff8, adding |
| a DoubleEncodeOffset of 1<<50 (starts with 0x0004) produces 0xfffc which is |
| still less than 0xffff. |
| |
| We didn't adopt this scheme at this time because it adds complexity and may |
| have a performance impact from either burning another register, or materializing |
| the 3rd mask. |
| |
| Ref: https://bugs.webkit.org/show_bug.cgi?id=202005 |
| |
| * runtime/JSCJSValue.h: |
| |
| 2019-09-19 Mark Lam <mark.lam@apple.com> |
| |
| Refactoring: fix broken indentation in JSNonDestructibleProxy.h. |
| https://bugs.webkit.org/show_bug.cgi?id=201989 |
| |
| Reviewed by Saam Barati. |
| |
| This patch only unindent the code to get it back to compliant formatting. |
| There is no actual code change. |
| |
| * runtime/JSNonDestructibleProxy.h: |
| (JSC::JSNonDestructibleProxy::subspaceFor): |
| (JSC::JSNonDestructibleProxy::create): |
| (JSC::JSNonDestructibleProxy::createStructure): |
| (JSC::JSNonDestructibleProxy::JSNonDestructibleProxy): |
| |
| 2019-09-19 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Syntax checker should report duplicate __proto__ properties |
| https://bugs.webkit.org/show_bug.cgi?id=201897 |
| <rdar://problem/53201788> |
| |
| Reviewed by Mark Lam. |
| |
| Currently we have two ways of parsing object literals: |
| - parseObjectLiteral: this is called in sloppy mode, and as an optimization for syntax checking, |
| it doesn't allocate string literals while parsing properties. It does still allocate identifiers, |
| but it won't store them in the Property object that it creates for each parsed property. This |
| method backtracks and calls parseObjectStrictLiteral if it finds any getters or setters. |
| - parseObjectStrictLiteral: this is called in strict mode, or when the object contains getters/setters |
| as stated above. This will always allocate string literals as well as identifiers and store them in |
| the Property object, even during syntax checking. |
| |
| From looking at the history, it seems that there was a distinction between these two methods: |
| parseStrictObjectLiteral was introduced in r62848 and contained an extra check for duplicate |
| getters/setters or properties defined as both getters/setters and constants. That distinction |
| was removed and the only distinction that remained was whether we build strings and store the |
| strings and properties as part of the Property object created by SyntaxChecker::createProperty. |
| However, this optimization is no longer valid, since we need to throw a SyntaxError for duplicate |
| __proto__ properties in object literals even in sloppy mode, which means that we do need to build |
| the strings and identifiers and store them as part of the Property objects. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseObjectLiteral): |
| (JSC::Parser<LexerType>::parsePrimaryExpression): |
| (JSC::Parser<LexerType>::parseStrictObjectLiteral): Deleted. |
| * parser/Parser.h: |
| |
| 2019-09-19 Mark Lam <mark.lam@apple.com> |
| |
| Remove a now unnecessary hack to work around static const needing external linkage. |
| https://bugs.webkit.org/show_bug.cgi?id=201988 |
| |
| Reviewed by Saam Barati. |
| |
| MacroAssembler::dataTempRegister is now a constexpr, thereby ensuring that it's |
| inlinable. |
| |
| * b3/B3Common.cpp: |
| (JSC::B3::pinnedExtendedOffsetAddrRegister): |
| |
| 2019-09-19 Mark Lam <mark.lam@apple.com> |
| |
| Replace JSValue #defines with static constexpr values. |
| https://bugs.webkit.org/show_bug.cgi?id=201966 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| static constexpr is the modern C++ way to define these constants. |
| |
| Some of the values are typed int64_t and some are int32_t. The original #define |
| values are int64_t. Hence, we adopt int64_t as the default type to use here. |
| |
| However, some of these constants are being used as 32-bit values, and the code |
| was static_cast'ing them into int32_t. This set of constants are all the small |
| values that fit in an int32_t anyway. So, we're putting these in int32_t instead |
| so that we don't have to keep casting them. In the few places where they are |
| used as int64_t, they will automatically get up-casted anyway. |
| |
| In this patch, we also did the following: |
| |
| 1. Renamed TagMask to NotCellMask, because everywhere in the code, we're |
| basically using it to filter out cells like this: |
| |
| if (value & NotCellMask) then goto handleNotCellCase; |
| |
| 2. Renamed TagTypeNumber to NumberTag for a shorter name. |
| |
| Ditto for TagBitTypeOther, TagBitBool, TagBitUndefined, TagBitsWasm, and TagWasmMask. |
| They are now OtherTag, BoolTag, UndefinedTag, WasmTag, and WasmMask. |
| |
| 3. Introduced DoubleEncodeOffsetBit so that client code do not embed this value |
| as a literal constant. We now define DoubleEncodeOffset based on |
| DoubleEncodeOffsetBit ensuring consistency. |
| |
| 4. Introduced MiscTag so that clients don't have to put this set of tags together |
| themselves. |
| |
| 5. Removed static asserts for tags in LLIntData.cpp because the offlineasm now |
| captures these values correctly with constexpr statements. These static |
| asserts were holdovers from the old days back when we had to define LLInt |
| constant values manually, and we needed a mechanism to detect when the values |
| have changed in the source. |
| |
| 6. Replaced some runtime asserts in RegisterSet.cpp with static_asserts. |
| |
| 7. In Wasm::wasmToJS(), we were constructing the value of JSValue::DoubleEncodeOffset |
| constant by left shifting 1 by JSValue::DoubleEncodeOffsetBit. There's no need |
| to do this for ARM64 because the constant can be loaded efficiently with a single |
| MOVZ instruction. So, we add a CPU(ARM64) case to just move the constant into |
| the target register. |
| |
| * assembler/AbortReason.h: |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateWithGuard): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::executeOSRExit): |
| (JSC::DFG::OSRExit::compileExit): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::silentFill): |
| (JSC::DFG::SpeculativeJIT::checkArgumentTypes): |
| (JSC::DFG::SpeculativeJIT::compileValueToInt32): |
| (JSC::DFG::SpeculativeJIT::compileDoubleRep): |
| (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand): |
| (JSC::DFG::SpeculativeJIT::speculateMisc): |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::spill): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::fillJSValue): |
| (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined): |
| (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined): |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): |
| (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality): |
| (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): |
| (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): |
| (JSC::DFG::SpeculativeJIT::compileInt52Compare): |
| (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): |
| (JSC::DFG::SpeculativeJIT::compileLogicalNot): |
| (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): |
| (JSC::DFG::SpeculativeJIT::emitBranch): |
| (JSC::DFG::SpeculativeJIT::compile): |
| (JSC::DFG::SpeculativeJIT::moveTrueTo): |
| (JSC::DFG::SpeculativeJIT::moveFalseTo): |
| (JSC::DFG::SpeculativeJIT::blessBoolean): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::lower): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep): |
| (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber): |
| (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): |
| (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname): |
| (JSC::FTL::DFG::LowerDFGToB3::getById): |
| (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): |
| (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined): |
| (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): |
| (JSC::FTL::DFG::LowerDFGToB3::isInt32): |
| (JSC::FTL::DFG::LowerDFGToB3::isNotInt32): |
| (JSC::FTL::DFG::LowerDFGToB3::boxInt32): |
| (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc): |
| (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc): |
| (JSC::FTL::DFG::LowerDFGToB3::unboxDouble): |
| (JSC::FTL::DFG::LowerDFGToB3::boxDouble): |
| (JSC::FTL::DFG::LowerDFGToB3::isNotCell): |
| (JSC::FTL::DFG::LowerDFGToB3::isCell): |
| (JSC::FTL::DFG::LowerDFGToB3::isNotMisc): |
| (JSC::FTL::DFG::LowerDFGToB3::isNotBoolean): |
| (JSC::FTL::DFG::LowerDFGToB3::boxBoolean): |
| (JSC::FTL::DFG::LowerDFGToB3::isNotOther): |
| (JSC::FTL::DFG::LowerDFGToB3::isOther): |
| * ftl/FTLOSRExitCompiler.cpp: |
| (JSC::FTL::reboxAccordingToFormat): |
| (JSC::FTL::compileStub): |
| * interpreter/CalleeBits.h: |
| (JSC::CalleeBits::boxWasm): |
| (JSC::CalleeBits::isWasm const): |
| (JSC::CalleeBits::asWasmCallee const): |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::jitAssertIsJSInt32): |
| (JSC::AssemblyHelpers::jitAssertIsJSNumber): |
| (JSC::AssemblyHelpers::jitAssertIsJSDouble): |
| (JSC::AssemblyHelpers::jitAssertIsCell): |
| (JSC::AssemblyHelpers::jitAssertTagsInPlace): |
| (JSC::AssemblyHelpers::emitConvertValueToBoolean): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::emitSaveThenMaterializeTagRegisters): |
| (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters): |
| (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters): |
| (JSC::AssemblyHelpers::branchIfNotCell): |
| (JSC::AssemblyHelpers::branchIfCell): |
| (JSC::AssemblyHelpers::branchIfOther): |
| (JSC::AssemblyHelpers::branchIfNotOther): |
| (JSC::AssemblyHelpers::branchIfInt32): |
| (JSC::AssemblyHelpers::branchIfNotInt32): |
| (JSC::AssemblyHelpers::branchIfNumber): |
| (JSC::AssemblyHelpers::branchIfNotNumber): |
| (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32): |
| (JSC::AssemblyHelpers::branchIfBoolean): |
| (JSC::AssemblyHelpers::branchIfNotBoolean): |
| (JSC::AssemblyHelpers::boxDouble): |
| (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions): |
| (JSC::AssemblyHelpers::boxInt52): |
| (JSC::AssemblyHelpers::boxBooleanPayload): |
| (JSC::AssemblyHelpers::boxInt32): |
| * jit/CallFrameShuffleData.h: |
| * jit/CallFrameShuffler.cpp: |
| (JSC::CallFrameShuffler::CallFrameShuffler): |
| (JSC::CallFrameShuffler::dump const): |
| (JSC::CallFrameShuffler::prepareAny): |
| * jit/CallFrameShuffler.h: |
| (JSC::CallFrameShuffler::getFreeRegister const): |
| * jit/CallFrameShuffler64.cpp: |
| (JSC::CallFrameShuffler::emitBox): |
| (JSC::CallFrameShuffler::tryAcquireNumberTagRegister): |
| (JSC::CallFrameShuffler::tryAcquireTagTypeNumber): Deleted. |
| * jit/GPRInfo.h: |
| (JSC::GPRInfo::reservedRegisters): |
| * jit/JITArithmetic.cpp: |
| (JSC::JIT::emit_compareAndJumpSlow): |
| * jit/JITBitAndGenerator.cpp: |
| (JSC::JITBitAndGenerator::generateFastPath): |
| * jit/JITBitOrGenerator.cpp: |
| (JSC::JITBitOrGenerator::generateFastPath): |
| * jit/JITBitXorGenerator.cpp: |
| (JSC::JITBitXorGenerator::generateFastPath): |
| * jit/JITCall.cpp: |
| (JSC::JIT::compileTailCall): |
| * jit/JITDivGenerator.cpp: |
| (JSC::JITDivGenerator::generateFastPath): |
| * jit/JITInlines.h: |
| (JSC::JIT::emitPatchableJumpIfNotInt): |
| * jit/JITLeftShiftGenerator.cpp: |
| (JSC::JITLeftShiftGenerator::generateFastPath): |
| * jit/JITMulGenerator.cpp: |
| (JSC::JITMulGenerator::generateFastPath): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_overrides_has_instance): |
| (JSC::JIT::emit_op_is_undefined): |
| (JSC::JIT::emit_op_is_undefined_or_null): |
| (JSC::JIT::emit_op_is_boolean): |
| (JSC::JIT::emit_op_is_number): |
| (JSC::JIT::emit_op_is_cell_with_type): |
| (JSC::JIT::emit_op_is_object): |
| (JSC::JIT::emit_op_not): |
| (JSC::JIT::emit_op_jeq_null): |
| (JSC::JIT::emit_op_jneq_null): |
| (JSC::JIT::emit_op_jundefined_or_null): |
| (JSC::JIT::emit_op_jnundefined_or_null): |
| (JSC::JIT::emit_op_eq_null): |
| (JSC::JIT::emit_op_neq_null): |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitGenericContiguousPutByVal): |
| (JSC::JIT::emitFloatTypedArrayPutByVal): |
| * jit/JITRightShiftGenerator.cpp: |
| (JSC::JITRightShiftGenerator::generateFastPath): |
| * jit/RegisterSet.cpp: |
| (JSC::RegisterSet::runtimeTagRegisters): |
| (JSC::RegisterSet::llintBaselineCalleeSaveRegisters): |
| (JSC::RegisterSet::dfgCalleeSaveRegisters): |
| (JSC::RegisterSet::ftlCalleeSaveRegisters): |
| * jit/SpecializedThunkJIT.h: |
| (JSC::SpecializedThunkJIT::returnDouble): |
| (JSC::SpecializedThunkJIT::tagReturnAsInt32): |
| * jit/ThunkGenerators.cpp: |
| (JSC::virtualThunkFor): |
| (JSC::nativeForGenerator): |
| (JSC::arityFixupGenerator): |
| (JSC::absThunkGenerator): |
| * llint/LLIntData.cpp: |
| (JSC::LLInt::Data::performAssertions): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter.cpp: |
| (JSC::CLoop::execute): |
| * llint/LowLevelInterpreter64.asm: |
| * offlineasm/arm64.rb: |
| * offlineasm/cloop.rb: |
| * offlineasm/x86.rb: |
| * runtime/JSCJSValue.h: |
| * runtime/JSCJSValueInlines.h: |
| (JSC::JSValue::isUndefinedOrNull const): |
| (JSC::JSValue::isCell const): |
| (JSC::JSValue::isInt32 const): |
| (JSC::JSValue::JSValue): |
| (JSC::JSValue::asDouble const): |
| (JSC::JSValue::isNumber const): |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::wasmToJS): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| |
| 2019-09-18 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Better handling for large arrays and collections in Object Trees |
| https://bugs.webkit.org/show_bug.cgi?id=143589 |
| <rdar://problem/16135388> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Adds two buttons before the "Prototype" item in expanded object/collection previews: |
| - Show %d More |
| - Show All (%d More) |
| |
| The default `fetchCount` increment is `100`. The first button will only be shown if there |
| are more than `100` items remaining (haven't been shown). |
| |
| * inspector/InjectedScriptSource.js: |
| (InjectedScript.prototype.getProperties): |
| (InjectedScript.prototype.getDisplayableProperties): |
| (InjectedScript.prototype.getCollectionEntries): |
| (InjectedScript.prototype._getProperties): |
| (InjectedScript.prototype._internalPropertyDescriptors): |
| (InjectedScript.prototype._propertyDescriptors): |
| (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor): |
| (InjectedScript.prototype._propertyDescriptors.processProperties): |
| (InjectedScript.prototype._getSetEntries): |
| (InjectedScript.prototype._getMapEntries): |
| (InjectedScript.prototype._getWeakMapEntries): |
| (InjectedScript.prototype._getWeakSetEntries): |
| (InjectedScript.prototype._getIteratorEntries): |
| (InjectedScript.prototype._entries): |
| (RemoteObject.prototype._generatePreview): |
| (InjectedScript.prototype._propertyDescriptors.arrayIndexPropertyNames): Deleted. |
| Don't include boolean property descriptor values if they are `false. |
| |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::weakMapEntries): |
| (Inspector::JSInjectedScriptHost::weakSetEntries): |
| |
| * inspector/InjectedScript.h: |
| * inspector/InjectedScript.cpp: |
| (Inspector::InjectedScript::getProperties): |
| (Inspector::InjectedScript::getDisplayableProperties): |
| (Inspector::InjectedScript::getCollectionEntries): |
| |
| * inspector/agents/InspectorRuntimeAgent.h: |
| * inspector/agents/InspectorRuntimeAgent.cpp: |
| (Inspector::asInt): Added. |
| (Inspector::InspectorRuntimeAgent::getProperties): |
| (Inspector::InspectorRuntimeAgent::getDisplayableProperties): |
| (Inspector::InspectorRuntimeAgent::getCollectionEntries): |
| |
| * inspector/protocol/Runtime.json: |
| Add `fetchStart`/`fetchCount` to `getProperties`/`getDisplayableProperties`/`getCollectionEntries`. |
| Mark boolean properties as optional so they can be omitted if `false`. |
| |
| 2019-09-18 Joonghun Park <pjh0718@gmail.com> |
| |
| Unreviewed. Remove build warning since r249976. |
| |
| No new tests, no behavioral changes. |
| |
| This patch removes the build warning below. |
| warning: control reaches end of non-void function [-Wreturn-type] |
| |
| * dfg/DFGArrayMode.cpp: |
| (JSC::DFG::ArrayMode::alreadyChecked const): |
| |
| 2019-09-18 Saam Barati <sbarati@apple.com> |
| |
| TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT |
| https://bugs.webkit.org/show_bug.cgi?id=201953 |
| <rdar://problem/53803524> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We had code in DFGSpeculativeJIT like: |
| |
| if (!globalObject->isHavingABadTime()) { |
| <-- here --> |
| Structure* s = globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType())); |
| assert 's' has expected indexing type |
| } |
| |
| The problem is, we may have a bad time before we actually load the structure |
| inside the if. We may have a bad time while we're at the "<-- here -->" in the |
| above program. The fix is to first load the structure, then check if we're |
| having a bad time. If we're still not having a bad time, it's valid to assert |
| things about the structure. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewArray): |
| |
| 2019-09-18 Chris Dumez <cdumez@apple.com> |
| |
| Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*() |
| https://bugs.webkit.org/show_bug.cgi?id=201947 |
| <rdar://problem/55453612> |
| |
| Reviewed by Mark Lam. |
| |
| Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*(). I started doing so in <https://trac.webkit.org/changeset/248533> |
| but it is causing crashes for apps using this JS API on background threads. It is also no longer necessary as of |
| <https://trac.webkit.org/changeset/249064>. |
| |
| * API/JSContextRef.cpp: |
| (JSContextGroupCreate): |
| (JSGlobalContextCreate): |
| (JSGlobalContextCreateInGroup): |
| |
| 2019-09-18 Saam Barati <sbarati@apple.com> |
| |
| Phantom insertion phase may disagree with arguments forwarding about live ranges |
| https://bugs.webkit.org/show_bug.cgi?id=200715 |
| <rdar://problem/54301717> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The issue is that Phantom insertion phase was disagreeing about live ranges |
| from the arguments forwarding phase. The effect is that Phantom insertion |
| would insert a Phantom creating a longer live range than what arguments |
| forwarding was analyzing. Arguments forwarding will look for the last DFG |
| use or the last bytecode use of a variable it wants to eliminate. It then |
| does an interference analysis to ensure that nothing clobbers other variables |
| it needs to recover the sunken allocation during OSR exit. |
| |
| Phantom insertion works by ordering the program into OSR exit epochs. If a value was used |
| in the current epoch, there is no need to insert a phantom for it. We |
| determine where we might need a Phantom by looking at bytecode kills. In this |
| analysis, we have a mapping from bytecode local to DFG node. However, we |
| sometimes forgot to remove the entry when a local is killed. So, if the first |
| kill of a variable is in the same OSR exit epoch, we won't insert a Phantom by design. |
| However, if the variable gets killed again, we might errantly insert a Phantom |
| for the prior variable which should've already been killed. The solution is to |
| clear the entry in our mapping when a variable is killed. |
| |
| The program in question was like this: |
| |
| 1: DirectArguments |
| ... |
| 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 |
| ... |
| clobber things needed for recovery |
| ... |
| |
| Arguments elimination would transform the program since between @1 and |
| @2, nothing clobbers values needed for exit and nothing escapes @1. The |
| program becomes: |
| |
| 1: PhantomDirectArguments |
| ... |
| 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 |
| ... |
| clobber things needed for recovery of @1 |
| ... |
| |
| |
| Phantom insertion would then transform the program into: |
| |
| 1: PhantomDirectArguments |
| ... |
| 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 |
| ... |
| clobber things needed for recovery of @1 |
| ... |
| 3: Phantom(@1) |
| ... |
| |
| This is wrong because Phantom insertion and arguments forwarding must agree on live |
| ranges, otherwise the interference analysis performed by arguments forwarding will |
| not correctly analyze up until where the value might be recovered. |
| |
| * dfg/DFGPhantomInsertionPhase.cpp: |
| |
| 2019-09-18 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r250002. |
| https://bugs.webkit.org/show_bug.cgi?id=201943 |
| |
| Patching of the callee and call is not atomic (Requested by |
| tadeuzagallo on #webkit). |
| |
| Reverted changeset: |
| |
| "Change WebAssembly calling conventions" |
| https://bugs.webkit.org/show_bug.cgi?id=201799 |
| https://trac.webkit.org/changeset/250002 |
| |
| 2019-09-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Generator should have internal fields |
| https://bugs.webkit.org/show_bug.cgi?id=201159 |
| |
| Reviewed by Keith Miller. |
| |
| This patch makes generator's internal states InternalField instead of private properties. |
| Each generator function produces a generator with different [[Prototype]], which makes generators have different Structures. |
| As a result, Generator.prototype.next etc.'s implementation becomes megamorphic even if it is not necessary. |
| |
| If we make these structures adaptively poly-proto, some generators get poly-proto structures while others are not, resulting |
| in megamorphic lookup in Generator.prototype.next. If we make all the generator's structure poly-proto, it makes Generator.prototype.next |
| lookup suboptimal for now. |
| |
| In this patch, we start with a relatively simple solution. This patch introduces JSGenerator class, and it has internal fields for generator's internal |
| states. We extend promise-internal-field access bytecodes to access to these fields from bytecode so that Generator.prototype.next can access |
| these fields without using megamorphic get_by_id_direct. |
| |
| And we attach JSGeneratorType to JSGenerator so that we can efficiently implement `@isGenerator()` check in bytecode. |
| |
| We reserve the offset = 0 slot for the future poly-proto extension for JSGenerator. By reserving this slot, non-poly-proto JSGenerator and poly-proto |
| JSGenerator still can offer the way to access to the same Generator internal fields with the same offset while poly-proto JSGenerator can get offset = 0 |
| inline-storage slot for PolyProto implementation. |
| |
| This patch adds op_create_generator since it is distinct from op_create_promise once we add PolyProto support. |
| In the future when we introduce some kind of op_create_async_generator we will probably share only one bytecode for both generator and async generator. |
| |
| This patch offers around 10% improvement in JetStream2/Basic. And this patch is the basis of optimization of JetStream2/async-fs which leverages async generators significantly. |
| |
| This patch includes several design decisions. |
| |
| 1. We add a new JSGenerator instead of leveraging JSFinalObject. The main reason is that we would like to have JSGeneratorType to quickly query `@isGenerator`. |
| 2. This patch currently does not include object-allocation-sinking support for JSGenerator, but it is trivial, and will be added. And this patch also does not include poly-proto |
| support for JSGenerator. The main reason is simply because this patch is already large enough, and I do not want to make this patch larger and larger. |
| 3. We can support arbitrary sized inline-storage: Reserving 0-5 offsets for internal fields, and start putting all the other things to the subsequent internal fields. But for now, |
| we are not taking this approach just because I'm not sure this is necessary. If we found such a pattern, we can easily extend the current one but for now, I would like to keep |
| this patch simple. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * builtins/AsyncFunctionPrototype.js: |
| (globalPrivate.asyncFunctionResume): |
| * builtins/GeneratorPrototype.js: |
| (globalPrivate.generatorResume): |
| (next): |
| (return): |
| (throw): |
| * bytecode/BytecodeGeneratorification.cpp: |
| (JSC::BytecodeGeneratorification::run): |
| * bytecode/BytecodeIntrinsicRegistry.cpp: |
| (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): |
| * bytecode/BytecodeIntrinsicRegistry.h: |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| (JSC::CodeBlock::finalizeLLIntInlineCaches): |
| * bytecode/SpeculatedType.cpp: |
| (JSC::speculationFromJSType): |
| * bytecode/SpeculatedType.h: |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::emitPutGeneratorFields): |
| (JSC::BytecodeGenerator::emitCreateGenerator): |
| (JSC::BytecodeGenerator::emitNewGenerator): |
| (JSC::BytecodeGenerator::emitYield): |
| (JSC::BytecodeGenerator::emitDelegateYield): |
| (JSC::BytecodeGenerator::emitGeneratorStateChange): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::emitIsGenerator): |
| (JSC::BytecodeGenerator::generatorStateRegister): |
| (JSC::BytecodeGenerator::generatorValueRegister): |
| (JSC::BytecodeGenerator::generatorResumeModeRegister): |
| (JSC::BytecodeGenerator::generatorFrameRegister): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::generatorInternalFieldIndex): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_getGeneratorInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_putGeneratorInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isGenerator): |
| (JSC::FunctionNode::emitBytecode): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGClobbersExitState.cpp: |
| (JSC::DFG::clobbersExitState): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| (JSC::DFG::FixupPhase::fixupIsCellWithType): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::convertToNewGenerator): |
| (JSC::DFG::Node::speculatedTypeForQuery): |
| (JSC::DFG::Node::hasStructure): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCreatePromise): |
| (JSC::DFG::SpeculativeJIT::compileCreateGenerator): |
| (JSC::DFG::SpeculativeJIT::compileNewGenerator): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateGenerator): |
| (JSC::FTL::DFG::LowerDFGToB3::isCellWithType): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_get_internal_field): |
| (JSC::JIT::emit_op_put_internal_field): |
| * llint/LowLevelInterpreter.asm: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/CommonSlowPaths.h: |
| * runtime/InternalFunction.cpp: |
| (JSC::InternalFunction::createSubclassStructureSlow): |
| * runtime/InternalFunction.h: |
| (JSC::InternalFunction::createSubclassStructure): |
| * runtime/JSGenerator.cpp: Added. |
| (JSC::JSGenerator::create): |
| (JSC::JSGenerator::createStructure): |
| (JSC::JSGenerator::JSGenerator): |
| (JSC::JSGenerator::finishCreation): |
| (JSC::JSGenerator::visitChildren): |
| * runtime/JSGenerator.h: Copied from Source/JavaScriptCore/runtime/JSGeneratorFunction.h. |
| * runtime/JSGeneratorFunction.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::generatorStructure const): |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| |
| 2019-09-17 Keith Miller <keith_miller@apple.com> |
| |
| Move comment explaining our Options to OptionsList.h |
| https://bugs.webkit.org/show_bug.cgi?id=201891 |
| |
| Rubber-stamped by Mark Lam. |
| |
| We moved the list so we should move the comment. |
| |
| * runtime/Options.h: |
| * runtime/OptionsList.h: |
| |
| 2019-09-17 Keith Miller <keith_miller@apple.com> |
| |
| Elide unnecessary moves in Air O0 |
| https://bugs.webkit.org/show_bug.cgi?id=201703 |
| |
| Reviewed by Saam Barati. |
| |
| This patch also removes the code that would try to reuse temps in |
| WasmAirIRGenerator. That code makes it hard to accurately |
| determine where a temp dies as it could be reused again |
| later. Thus every temp, may appear to live for a long time in the |
| global ordering. |
| |
| This appears to be a minor progression on the overall score of |
| wasm subtests in JS2 and a 10% wasm-JIT memory usage reduction. |
| |
| This patch also fixes an issue where we didn't ask Patchpoints |
| for early clobber registers when determining what callee saves |
| were used by the program. |
| |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: |
| (JSC::B3::Air::GenerateAndAllocateRegisters::generate): |
| * b3/air/AirBasicBlock.h: |
| * b3/air/AirCode.h: |
| * b3/air/AirHandleCalleeSaves.cpp: |
| (JSC::B3::Air::handleCalleeSaves): |
| * b3/air/testair.cpp: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::didKill): Deleted. |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::didKill): Deleted. |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseBody): |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::didKill): Deleted. |
| |
| 2019-09-17 Mark Lam <mark.lam@apple.com> |
| |
| Use constexpr instead of const in symbol definitions that are obviously constexpr. |
| https://bugs.webkit.org/show_bug.cgi?id=201879 |
| |
| Rubber-stamped by Joseph Pecoraro. |
| |
| const may require external storage (at the compiler's whim) though these |
| currently do not. constexpr makes it clear that the value is a literal constant |
| that can be inlined. In most cases in the code, when we say static const, we |
| actually mean static constexpr. I'm changing the code to reflect this. |
| |
| * API/JSAPIValueWrapper.h: |
| * API/JSCallbackConstructor.h: |
| * API/JSCallbackObject.h: |
| * API/JSContextRef.cpp: |
| * API/JSWrapperMap.mm: |
| * API/tests/CompareAndSwapTest.cpp: |
| * API/tests/TypedArrayCTest.cpp: |
| * API/tests/testapi.mm: |
| (testObjectiveCAPIMain): |
| * KeywordLookupGenerator.py: |
| (Trie.printAsC): |
| * assembler/ARMv7Assembler.h: |
| * assembler/AssemblerBuffer.h: |
| * assembler/AssemblerCommon.h: |
| * assembler/MacroAssembler.h: |
| * assembler/MacroAssemblerARM64.h: |
| * assembler/MacroAssemblerARM64E.h: |
| * assembler/MacroAssemblerARMv7.h: |
| * assembler/MacroAssemblerCodeRef.h: |
| * assembler/MacroAssemblerMIPS.h: |
| * assembler/MacroAssemblerX86.h: |
| * assembler/MacroAssemblerX86Common.h: |
| (JSC::MacroAssemblerX86Common::absDouble): |
| (JSC::MacroAssemblerX86Common::negateDouble): |
| * assembler/MacroAssemblerX86_64.h: |
| * assembler/X86Assembler.h: |
| * b3/B3Bank.h: |
| * b3/B3CheckSpecial.h: |
| * b3/B3DuplicateTails.cpp: |
| * b3/B3EliminateCommonSubexpressions.cpp: |
| * b3/B3FixSSA.cpp: |
| * b3/B3FoldPathConstants.cpp: |
| * b3/B3InferSwitches.cpp: |
| * b3/B3Kind.h: |
| * b3/B3LowerToAir.cpp: |
| * b3/B3NativeTraits.h: |
| * b3/B3ReduceDoubleToFloat.cpp: |
| * b3/B3ReduceLoopStrength.cpp: |
| * b3/B3ReduceStrength.cpp: |
| * b3/B3ValueKey.h: |
| * b3/air/AirAllocateRegistersByGraphColoring.cpp: |
| * b3/air/AirAllocateStackByGraphColoring.cpp: |
| * b3/air/AirArg.h: |
| * b3/air/AirCCallSpecial.h: |
| * b3/air/AirEmitShuffle.cpp: |
| * b3/air/AirFixObviousSpills.cpp: |
| * b3/air/AirFormTable.h: |
| * b3/air/AirLowerAfterRegAlloc.cpp: |
| * b3/air/AirPrintSpecial.h: |
| * b3/air/AirStackAllocation.cpp: |
| * b3/air/AirTmp.h: |
| * b3/testb3_6.cpp: |
| (testInterpreter): |
| * bytecode/AccessCase.cpp: |
| * bytecode/CallLinkStatus.cpp: |
| * bytecode/CallVariant.h: |
| * bytecode/CodeBlock.h: |
| * bytecode/CodeOrigin.h: |
| * bytecode/DFGExitProfile.h: |
| * bytecode/DirectEvalCodeCache.h: |
| * bytecode/ExecutableToCodeBlockEdge.h: |
| * bytecode/GetterSetterAccessCase.cpp: |
| * bytecode/LazyOperandValueProfile.h: |
| * bytecode/ObjectPropertyCondition.h: |
| * bytecode/ObjectPropertyConditionSet.cpp: |
| * bytecode/PolymorphicAccess.cpp: |
| * bytecode/PropertyCondition.h: |
| * bytecode/SpeculatedType.h: |
| * bytecode/StructureStubInfo.cpp: |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): |
| * bytecode/UnlinkedCodeBlock.h: |
| * bytecode/UnlinkedEvalCodeBlock.h: |
| * bytecode/UnlinkedFunctionCodeBlock.h: |
| * bytecode/UnlinkedFunctionExecutable.h: |
| * bytecode/UnlinkedModuleProgramCodeBlock.h: |
| * bytecode/UnlinkedProgramCodeBlock.h: |
| * bytecode/ValueProfile.h: |
| * bytecode/VirtualRegister.h: |
| * bytecode/Watchpoint.h: |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/Label.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::ThisNode::emitBytecode): |
| * bytecompiler/RegisterID.h: |
| * debugger/Breakpoint.h: |
| * debugger/DebuggerParseData.cpp: |
| * debugger/DebuggerPrimitives.h: |
| * debugger/DebuggerScope.h: |
| * dfg/DFGAbstractHeap.h: |
| * dfg/DFGAbstractValue.h: |
| * dfg/DFGArgumentsEliminationPhase.cpp: |
| * dfg/DFGByteCodeParser.cpp: |
| * dfg/DFGCSEPhase.cpp: |
| * dfg/DFGCommon.h: |
| * dfg/DFGCompilationKey.h: |
| * dfg/DFGDesiredGlobalProperty.h: |
| * dfg/DFGEdgeDominates.h: |
| * dfg/DFGEpoch.h: |
| * dfg/DFGForAllKills.h: |
| (JSC::DFG::forAllKilledNodesAtNodeIndex): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::isLiveInBytecode): |
| * dfg/DFGHeapLocation.h: |
| * dfg/DFGInPlaceAbstractState.cpp: |
| * dfg/DFGIntegerCheckCombiningPhase.cpp: |
| * dfg/DFGIntegerRangeOptimizationPhase.cpp: |
| * dfg/DFGInvalidationPointInjectionPhase.cpp: |
| * dfg/DFGLICMPhase.cpp: |
| * dfg/DFGLazyNode.h: |
| * dfg/DFGMinifiedID.h: |
| * dfg/DFGMovHintRemovalPhase.cpp: |
| * dfg/DFGNodeFlowProjection.h: |
| * dfg/DFGNodeType.h: |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
| * dfg/DFGPhantomInsertionPhase.cpp: |
| * dfg/DFGPromotedHeapLocation.h: |
| * dfg/DFGPropertyTypeKey.h: |
| * dfg/DFGPureValue.h: |
| * dfg/DFGPutStackSinkingPhase.cpp: |
| * dfg/DFGRegisterBank.h: |
| * dfg/DFGSSAConversionPhase.cpp: |
| * dfg/DFGSSALoweringPhase.cpp: |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileDoubleRep): |
| (JSC::DFG::compileClampDoubleToByte): |
| (JSC::DFG::SpeculativeJIT::compileArithRounding): |
| (JSC::DFG::compileArithPowIntegerFastPath): |
| (JSC::DFG::SpeculativeJIT::compileArithPow): |
| (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse): |
| * dfg/DFGStackLayoutPhase.cpp: |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * dfg/DFGStrengthReductionPhase.cpp: |
| * dfg/DFGStructureAbstractValue.h: |
| * dfg/DFGVarargsForwardingPhase.cpp: |
| * dfg/DFGVariableEventStream.cpp: |
| (JSC::DFG::VariableEventStream::reconstruct const): |
| * dfg/DFGWatchpointCollectionPhase.cpp: |
| * disassembler/ARM64/A64DOpcode.h: |
| * ftl/FTLLocation.h: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom): |
| * ftl/FTLSlowPathCall.cpp: |
| * ftl/FTLSlowPathCallKey.h: |
| * heap/CellContainer.h: |
| * heap/CellState.h: |
| * heap/ConservativeRoots.h: |
| * heap/GCSegmentedArray.h: |
| * heap/HandleBlock.h: |
| * heap/Heap.cpp: |
| (JSC::Heap::updateAllocationLimits): |
| * heap/Heap.h: |
| * heap/HeapSnapshot.h: |
| * heap/HeapUtil.h: |
| (JSC::HeapUtil::findGCObjectPointersForMarking): |
| * heap/IncrementalSweeper.cpp: |
| * heap/LargeAllocation.h: |
| * heap/MarkedBlock.cpp: |
| * heap/Strong.h: |
| * heap/VisitRaceKey.h: |
| * heap/Weak.h: |
| * heap/WeakBlock.h: |
| * inspector/JSInjectedScriptHost.h: |
| * inspector/JSInjectedScriptHostPrototype.h: |
| * inspector/JSJavaScriptCallFrame.h: |
| * inspector/JSJavaScriptCallFramePrototype.h: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| * inspector/agents/InspectorRuntimeAgent.cpp: |
| (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): |
| * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: |
| (CppProtocolTypesHeaderGenerator._generate_versions): |
| * inspector/scripts/tests/generic/expected/version.json-result: |
| * interpreter/Interpreter.h: |
| * interpreter/ShadowChicken.cpp: |
| * jit/BinarySwitch.cpp: |
| * jit/CallFrameShuffler.h: |
| * jit/ExecutableAllocator.h: |
| * jit/FPRInfo.h: |
| * jit/GPRInfo.h: |
| * jit/ICStats.h: |
| * jit/JITThunks.h: |
| * jit/Reg.h: |
| * jit/RegisterSet.h: |
| * jit/TempRegisterSet.h: |
| * jsc.cpp: |
| * parser/ASTBuilder.h: |
| * parser/Nodes.h: |
| * parser/SourceCodeKey.h: |
| * parser/SyntaxChecker.h: |
| * parser/VariableEnvironment.h: |
| * profiler/ProfilerOrigin.h: |
| * profiler/ProfilerOriginStack.h: |
| * profiler/ProfilerUID.h: |
| * runtime/AbstractModuleRecord.cpp: |
| * runtime/ArrayBufferNeuteringWatchpointSet.h: |
| * runtime/ArrayConstructor.h: |
| * runtime/ArrayConventions.h: |
| * runtime/ArrayIteratorPrototype.h: |
| * runtime/ArrayPrototype.cpp: |
| (JSC::setLength): |
| * runtime/AsyncFromSyncIteratorPrototype.h: |
| * runtime/AsyncGeneratorFunctionPrototype.h: |
| * runtime/AsyncGeneratorPrototype.h: |
| * runtime/AsyncIteratorPrototype.h: |
| * runtime/AtomicsObject.cpp: |
| * runtime/BigIntConstructor.h: |
| * runtime/BigIntPrototype.h: |
| * runtime/BooleanPrototype.h: |
| * runtime/ClonedArguments.h: |
| * runtime/CodeCache.h: |
| * runtime/ControlFlowProfiler.h: |
| * runtime/CustomGetterSetter.h: |
| * runtime/DateConstructor.h: |
| * runtime/DatePrototype.h: |
| * runtime/DefinePropertyAttributes.h: |
| * runtime/ErrorPrototype.h: |
| * runtime/EvalExecutable.h: |
| * runtime/Exception.h: |
| * runtime/ExceptionHelpers.cpp: |
| (JSC::invalidParameterInSourceAppender): |
| (JSC::invalidParameterInstanceofSourceAppender): |
| * runtime/ExceptionHelpers.h: |
| * runtime/ExecutableBase.h: |
| * runtime/FunctionExecutable.h: |
| * runtime/FunctionRareData.h: |
| * runtime/GeneratorPrototype.h: |
| * runtime/GenericArguments.h: |
| * runtime/GenericOffset.h: |
| * runtime/GetPutInfo.h: |
| * runtime/GetterSetter.h: |
| * runtime/GlobalExecutable.h: |
| * runtime/Identifier.h: |
| * runtime/InspectorInstrumentationObject.h: |
| * runtime/InternalFunction.h: |
| * runtime/IntlCollatorConstructor.h: |
| * runtime/IntlCollatorPrototype.h: |
| * runtime/IntlDateTimeFormatConstructor.h: |
| * runtime/IntlDateTimeFormatPrototype.h: |
| * runtime/IntlNumberFormatConstructor.h: |
| * runtime/IntlNumberFormatPrototype.h: |
| * runtime/IntlObject.h: |
| * runtime/IntlPluralRulesConstructor.h: |
| * runtime/IntlPluralRulesPrototype.h: |
| * runtime/IteratorPrototype.h: |
| * runtime/JSArray.cpp: |
| (JSC::JSArray::tryCreateUninitializedRestricted): |
| * runtime/JSArray.h: |
| * runtime/JSArrayBuffer.h: |
| * runtime/JSArrayBufferView.h: |
| * runtime/JSBigInt.h: |
| * runtime/JSCJSValue.h: |
| * runtime/JSCell.h: |
| * runtime/JSCustomGetterSetterFunction.h: |
| * runtime/JSDataView.h: |
| * runtime/JSDataViewPrototype.h: |
| * runtime/JSDestructibleObject.h: |
| * runtime/JSFixedArray.h: |
| * runtime/JSGenericTypedArrayView.h: |
| * runtime/JSGlobalLexicalEnvironment.h: |
| * runtime/JSGlobalObject.h: |
| * runtime/JSImmutableButterfly.h: |
| * runtime/JSInternalPromiseConstructor.h: |
| * runtime/JSInternalPromiseDeferred.h: |
| * runtime/JSInternalPromisePrototype.h: |
| * runtime/JSLexicalEnvironment.h: |
| * runtime/JSModuleEnvironment.h: |
| * runtime/JSModuleLoader.h: |
| * runtime/JSModuleNamespaceObject.h: |
| * runtime/JSNonDestructibleProxy.h: |
| * runtime/JSONObject.cpp: |
| * runtime/JSONObject.h: |
| * runtime/JSObject.h: |
| * runtime/JSPromiseConstructor.h: |
| * runtime/JSPromiseDeferred.h: |
| * runtime/JSPromisePrototype.h: |
| * runtime/JSPropertyNameEnumerator.h: |
| * runtime/JSProxy.h: |
| * runtime/JSScope.h: |
| * runtime/JSScriptFetchParameters.h: |
| * runtime/JSScriptFetcher.h: |
| * runtime/JSSegmentedVariableObject.h: |
| * runtime/JSSourceCode.h: |
| * runtime/JSString.cpp: |
| * runtime/JSString.h: |
| * runtime/JSSymbolTableObject.h: |
| * runtime/JSTemplateObjectDescriptor.h: |
| * runtime/JSTypeInfo.h: |
| * runtime/MapPrototype.h: |
| * runtime/MinimumReservedZoneSize.h: |
| * runtime/ModuleProgramExecutable.h: |
| * runtime/NativeExecutable.h: |
| * runtime/NativeFunction.h: |
| * runtime/NativeStdFunctionCell.h: |
| * runtime/NumberConstructor.h: |
| * runtime/NumberPrototype.h: |
| * runtime/ObjectConstructor.h: |
| * runtime/ObjectPrototype.h: |
| * runtime/ProgramExecutable.h: |
| * runtime/PromiseDeferredTimer.cpp: |
| * runtime/PropertyMapHashTable.h: |
| * runtime/PropertyNameArray.h: |
| (JSC::PropertyNameArray::add): |
| * runtime/PrototypeKey.h: |
| * runtime/ProxyConstructor.h: |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::performGetOwnPropertyNames): |
| * runtime/ProxyRevoke.h: |
| * runtime/ReflectObject.h: |
| * runtime/RegExp.h: |
| * runtime/RegExpCache.h: |
| * runtime/RegExpConstructor.h: |
| * runtime/RegExpKey.h: |
| * runtime/RegExpObject.h: |
| * runtime/RegExpPrototype.h: |
| * runtime/RegExpStringIteratorPrototype.h: |
| * runtime/SamplingProfiler.cpp: |
| * runtime/ScopedArgumentsTable.h: |
| * runtime/ScriptExecutable.h: |
| * runtime/SetPrototype.h: |
| * runtime/SmallStrings.h: |
| * runtime/SparseArrayValueMap.h: |
| * runtime/StringConstructor.h: |
| * runtime/StringIteratorPrototype.h: |
| * runtime/StringObject.h: |
| * runtime/StringPrototype.h: |
| * runtime/Structure.h: |
| * runtime/StructureChain.h: |
| * runtime/StructureRareData.h: |
| * runtime/StructureTransitionTable.h: |
| * runtime/Symbol.h: |
| * runtime/SymbolConstructor.h: |
| * runtime/SymbolPrototype.h: |
| * runtime/SymbolTable.h: |
| * runtime/TemplateObjectDescriptor.h: |
| * runtime/TypeProfiler.cpp: |
| * runtime/TypeProfiler.h: |
| * runtime/TypeProfilerLog.cpp: |
| * runtime/VarOffset.h: |
| * testRegExp.cpp: |
| * tools/HeapVerifier.cpp: |
| (JSC::HeapVerifier::checkIfRecorded): |
| * tools/JSDollarVM.cpp: |
| * wasm/WasmB3IRGenerator.cpp: |
| * wasm/WasmBBQPlan.cpp: |
| * wasm/WasmFaultSignalHandler.cpp: |
| * wasm/WasmFunctionParser.h: |
| * wasm/WasmOMGForOSREntryPlan.cpp: |
| * wasm/WasmOMGPlan.cpp: |
| * wasm/WasmPlan.cpp: |
| * wasm/WasmSignature.cpp: |
| * wasm/WasmSignature.h: |
| * wasm/WasmWorklist.cpp: |
| * wasm/js/JSWebAssembly.h: |
| * wasm/js/JSWebAssemblyCodeBlock.h: |
| * wasm/js/WebAssemblyCompileErrorConstructor.h: |
| * wasm/js/WebAssemblyCompileErrorPrototype.h: |
| * wasm/js/WebAssemblyFunction.h: |
| * wasm/js/WebAssemblyInstanceConstructor.h: |
| * wasm/js/WebAssemblyInstancePrototype.h: |
| * wasm/js/WebAssemblyLinkErrorConstructor.h: |
| * wasm/js/WebAssemblyLinkErrorPrototype.h: |
| * wasm/js/WebAssemblyMemoryConstructor.h: |
| * wasm/js/WebAssemblyMemoryPrototype.h: |
| * wasm/js/WebAssemblyModuleConstructor.h: |
| * wasm/js/WebAssemblyModulePrototype.h: |
| * wasm/js/WebAssemblyRuntimeErrorConstructor.h: |
| * wasm/js/WebAssemblyRuntimeErrorPrototype.h: |
| * wasm/js/WebAssemblyTableConstructor.h: |
| * wasm/js/WebAssemblyTablePrototype.h: |
| * wasm/js/WebAssemblyToJSCallee.h: |
| * yarr/Yarr.h: |
| * yarr/YarrParser.h: |
| * yarr/generateYarrCanonicalizeUnicode: |
| |
| 2019-09-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Follow-up after String.codePointAt optimization |
| https://bugs.webkit.org/show_bug.cgi?id=201889 |
| |
| Reviewed by Saam Barati. |
| |
| Follow-up after string.codePointAt DFG / FTL optimizations, |
| |
| 1. Gracefully accept arguments more than expected for intrinsics |
| 2. Check BadType in String.codePointAt, String.charAt, and String.charCodeAt. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicCall): |
| |
| 2019-09-17 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Change WebAssembly calling conventions |
| https://bugs.webkit.org/show_bug.cgi?id=201799 |
| |
| Reviewed by Saam Barati. |
| |
| Currently, the Wasm::Callee writes itself to CallFrameSlot::callee. However, this won't work when |
| we have the Wasm interpreter, since we need the callee in order to know which function are we executing. |
| This patch changes the calling conventions in preparation for the interpreter, so that the caller |
| becomes responsible for writing the callee into the call frame. |
| However, there are exceptions to this rule: stubs can still write to the callee slot, since they are individually |
| generated and will still be present in the interpreter. We keep this design to avoid emitting unnecessary |
| code when we know statically who is the callee: |
| - Caller writes to call frame: intra-module direct wasm calls, indirect wasm calls, JS-to-wasm stub (new frame), JS-to-wasm IC. |
| - Callee writes to call frame: inter-module wasm-to-wasm stub, JS-to-wasm stub (callee frame), wasm-to-JS stub, OMG osr entry |
| |
| Additionally, this patch also changes it so that the callee keeps track of its callers, instead of having a global mapping |
| of calls in the Wasm::CodeBlock. This makes it easier to repatch all callers of a given Callee when it tiers up. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::addCall): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| (JSC::Wasm::parseAndCompileAir): |
| * wasm/WasmAirIRGenerator.h: |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::B3IRGenerator): |
| (JSC::Wasm::B3IRGenerator::addCall): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| (JSC::Wasm::parseAndCompile): |
| * wasm/WasmB3IRGenerator.h: |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::BBQPlan): |
| (JSC::Wasm::BBQPlan::prepare): |
| (JSC::Wasm::BBQPlan::compileFunctions): |
| (JSC::Wasm::BBQPlan::complete): |
| * wasm/WasmBBQPlan.h: |
| * wasm/WasmBBQPlanInlines.h: |
| (JSC::Wasm::BBQPlan::initializeCallees): |
| * wasm/WasmBinding.cpp: |
| (JSC::Wasm::wasmToWasm): |
| * wasm/WasmCallee.cpp: |
| (JSC::Wasm::Callee::Callee): |
| (JSC::Wasm::repatchMove): |
| (JSC::Wasm::repatchCall): |
| (JSC::Wasm::BBQCallee::addCaller): |
| (JSC::Wasm::BBQCallee::addAndLinkCaller): |
| (JSC::Wasm::BBQCallee::repatchCallers): |
| * wasm/WasmCallee.h: |
| (JSC::Wasm::Callee::entrypoint): |
| (JSC::Wasm::Callee::code const): |
| (JSC::Wasm::Callee::calleeSaveRegisters): |
| * wasm/WasmCallingConvention.h: |
| (JSC::Wasm::CallingConvention::setupFrameInPrologue const): |
| * wasm/WasmCodeBlock.cpp: |
| (JSC::Wasm::CodeBlock::CodeBlock): |
| * wasm/WasmCodeBlock.h: |
| (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace): |
| (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace): |
| (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace): |
| (JSC::Wasm::CodeBlock::boxedCalleeLoadLocationFromFunctionIndexSpace): |
| * wasm/WasmEmbedder.h: |
| * wasm/WasmFormat.h: |
| (JSC::Wasm::WasmToWasmImportableFunction::offsetOfBoxedCalleeLoadLocation): |
| * wasm/WasmInstance.h: |
| (JSC::Wasm::Instance::offsetOfBoxedCalleeLoadLocation): |
| * wasm/WasmOMGForOSREntryPlan.cpp: |
| (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan): |
| (JSC::Wasm::OMGForOSREntryPlan::work): |
| * wasm/WasmOMGForOSREntryPlan.h: |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::OMGPlan): |
| (JSC::Wasm::OMGPlan::work): |
| * wasm/WasmOMGPlan.h: |
| * wasm/WasmOperations.cpp: |
| (JSC::Wasm::triggerOMGReplacementCompile): |
| (JSC::Wasm::doOSREntry): |
| (JSC::Wasm::triggerOSREntryNow): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/JSToWasm.h: |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| (JSC::WebAssemblyFunction::create): |
| (JSC::WebAssemblyFunction::WebAssemblyFunction): |
| * wasm/js/WebAssemblyFunction.h: |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| (JSC::WebAssemblyModuleRecord::evaluate): |
| * wasm/js/WebAssemblyWrapperFunction.cpp: |
| (JSC::WebAssemblyWrapperFunction::create): |
| |
| 2019-09-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] CheckArray+NonArray is not filtering out Array in AI |
| https://bugs.webkit.org/show_bug.cgi?id=201857 |
| <rdar://problem/54194820> |
| |
| Reviewed by Keith Miller. |
| |
| The code of DFG::ArrayMode::alreadyChecked is different from SpeculativeJIT's CheckArray / CheckStructure. |
| While we assume CheckArray+NonArray ensures it only passes non-array inputs, DFG::ArrayMode::alreadyChecked |
| accepts arrays too. So CheckArray+NonArray is removed in AI if the input is proven that it is an array. |
| This patch aligns DFG::ArrayMode::alreadyChecked to the checks done at runtime. |
| |
| * dfg/DFGArrayMode.cpp: |
| (JSC::DFG::ArrayMode::alreadyChecked const): |
| |
| 2019-09-17 Saam Barati <sbarati@apple.com> |
| |
| CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage |
| https://bugs.webkit.org/show_bug.cgi?id=201853 |
| <rdar://problem/53805461> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We were claiming CheckArray for ScopedArguments/DirectArguments was filtering |
| out SlowPutArrayStorage. It does no such thing. We just check that the object |
| is either ScopedArguments/DirectArguments. |
| |
| * dfg/DFGArrayMode.h: |
| (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const): |
| (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const): |
| (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted. |
| |
| 2019-09-16 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Wasm StreamingParser should validate that number of functions matches number of declarations |
| https://bugs.webkit.org/show_bug.cgi?id=201850 |
| <rdar://problem/55290186> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Currently, when parsing the code section, we check that the number of functions matches the number |
| of declarations in the function section. However, that check is never performed if the module does |
| not have a code section. To fix that, we perform the check again in StreamingParser::finalize. |
| |
| * wasm/WasmStreamingParser.cpp: |
| (JSC::Wasm::StreamingParser::finalize): |
| |
| 2019-09-16 Michael Saboff <msaboff@apple.com> |
| |
| [JSC] Perform check again when we found non-BMP characters |
| https://bugs.webkit.org/show_bug.cgi?id=201647 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We need to check for end of input for non-BMP characters when matching a character class that contains |
| both BMP and non-BMP characters. In advanceIndexAfterCharacterClassTermMatch() we were checking for |
| end of input for both BMP and non-BMP characters. For BMP characters, this check is redundant. |
| After moving the check to after the "is BMP check", we need to decrement index after reaching the failure |
| label to back out the index++ for the first surrogate of the non-BMP character. |
| |
| Added the same kind of check in generateCharacterClassOnce(). In that case, we have pre-checked the |
| first character (surrogate) for a non-BMP codepoint, so we just need to check for end of input before |
| we increment for the second surrogate. |
| |
| While writing tests, I found an off by one error in backtrackCharacterClassGreedy() and changed the |
| loop to check the count at loop top instead of loop bottom. |
| |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch): |
| (JSC::Yarr::YarrGenerator::generateCharacterClassOnce): |
| (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy): |
| (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy): |
| (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy): |
| |
| 2019-09-16 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Add missing syntax errors for await in function parameter default expressions |
| https://bugs.webkit.org/show_bug.cgi?id=201615 |
| |
| Reviewed by Darin Adler. |
| |
| This patch rectifies two oversights: |
| 1. We were prohibiting `async function f(x = (await) => {}) {}` but not `async function f(x = await => {}) {}` |
| (and likewise for async arrow functions). |
| 2. We were not prohibiting `(x = await => {}) => {}` in an async context |
| (regardless of parentheses, but note that this one *only* applies to arrow functions). |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::isArrowFunctionParameters): Fix case (1). |
| (JSC::Parser<LexerType>::parseFunctionInfo): Fix case (2). |
| (JSC::Parser<LexerType>::parseAwaitExpression): Convert unfailing check into an ASSERT. |
| (JSC::Parser<LexerType>::parsePrimaryExpression): Adjust error message for case (2). |
| |
| 2019-09-16 Tadeu Zagallo <tzagallo@apple.com> |
| |
| SamplingProfiler should hold API lock before reporting results |
| https://bugs.webkit.org/show_bug.cgi?id=201829 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Right now, the SamplingProfiler crashes in debug builds when trying |
| report results if it finds a JSFunction on the stack that doesn't have |
| RareData. It tries to allocate the function's rare data when we call |
| getOwnPropertySlot in order to get the function's name, but that fails |
| because we are not holding the VM's API lock. We fix it by just holding |
| the lock before reporting the results. |
| |
| * runtime/SamplingProfiler.cpp: |
| (JSC::SamplingProfiler::reportDataToOptionFile): |
| |
| 2019-09-16 David Kilzer <ddkilzer@apple.com> |
| |
| [JSC] REGRESSION (r248938): Leak of uint32_t arrays in testFastForwardCopy32() |
| <https://webkit.org/b/201804> |
| |
| Reviewed by Saam Barati. |
| |
| * b3/testb3_8.cpp: |
| (testFastForwardCopy32): Allocate arrays using |
| WTF::makeUniqueArray<uint32_t> to fix leaks caused by continue |
| statements. |
| |
| 2019-09-16 Saam Barati <sbarati@apple.com> |
| |
| JSObject::putInlineSlow should not ignore "__proto__" for Proxy |
| https://bugs.webkit.org/show_bug.cgi?id=200386 |
| <rdar://problem/53854946> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We used to ignore '__proto__' in putInlineSlow when the object in question |
| was Proxy. There is no reason for this, and it goes against the spec. So |
| I've removed that condition. This also has the effect that it fixes an |
| assertion firing inside our inline caching code which dictates that for a |
| property replace that the base value's structure must be equal to the |
| structure when we grabbed the structure prior to the put operation. |
| The old code caused a weird edge case where we broke this invariant. |
| |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::putInlineSlow): |
| |
| 2019-09-15 David Kilzer <ddkilzer@apple.com> |
| |
| Leak of NSMapTable in -[JSVirtualMachine addManagedReference:withOwner:] |
| <https://webkit.org/b/201803> |
| |
| Reviewed by Dan Bernstein. |
| |
| * API/JSVirtualMachine.mm: |
| (-[JSVirtualMachine addManagedReference:withOwner:]): Use |
| RetainPtr<> to fix the leak. |
| |
| 2019-09-14 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Retire x86 32bit JIT support |
| https://bugs.webkit.org/show_bug.cgi?id=201790 |
| |
| Reviewed by Mark Lam. |
| |
| Now, Xcode no longer has ability to build 32bit binary, so we cannot even test it on macOS. |
| Fedora stops shipping x86 32bit kernel. Our x86/x86_64 JIT requires SSE2, and so such relatively modern CPUs |
| can use JIT by switching x86 to x86_64. And these CPUs are modern enough to run CLoop at high speed. |
| WebKit already disabled x86 JIT by default while the implementation exists. So literary, it is not tested. |
| |
| While x86 32bit becomes less useful, x86 32bit JIT backend is very complicated and is being a major maintenance burden. |
| This is due to very few # of registers. Which scatters a lot of isX86 / CPU(X86) in Baseline, DFG, and Yarr. |
| |
| This patch retires x86 JIT support from JavaScriptCore and CSS JIT. We still keep MacroAssembler and GPRInfo / FPRInfo, |
| MachineContext information since they are useful even though JIT is not supported. |
| |
| * dfg/DFGArrayMode.cpp: |
| (JSC::DFG::ArrayMode::refine const): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicCall): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::compileExceptionHandlers): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::osrWriteBarrier): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileArithDiv): |
| (JSC::DFG::SpeculativeJIT::compileArithMod): |
| (JSC::DFG::SpeculativeJIT::compileCreateRest): |
| (JSC::DFG::SpeculativeJIT::compileGetDirectPname): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGThunks.cpp: |
| (JSC::DFG::osrExitGenerationThunkGenerator): |
| * ftl/FTLThunks.cpp: |
| (JSC::FTL::slowPathCallThunkGenerator): |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::callExceptionFuzz): |
| (JSC::AssemblyHelpers::debugCall): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask): |
| * jit/CCallHelpers.h: |
| (JSC::CCallHelpers::setupArgumentsImpl): |
| (JSC::CCallHelpers::prepareForTailCallSlow): |
| * jit/CallFrameShuffler.cpp: |
| (JSC::CallFrameShuffler::prepareForTailCall): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileExceptionHandlers): |
| * jit/JITArithmetic32_64.cpp: |
| (JSC::JIT::emit_op_mod): |
| (JSC::JIT::emitSlow_op_mod): |
| * jit/SlowPathCall.h: |
| (JSC::JITSlowPathCall::call): |
| * jit/ThunkGenerators.cpp: |
| (JSC::nativeForGenerator): |
| (JSC::arityFixupGenerator): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::emitModOrDiv): |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::generateDotStarEnclosure): |
| (JSC::Yarr::YarrGenerator::generateEnter): |
| (JSC::Yarr::YarrGenerator::generateReturn): |
| (JSC::Yarr::YarrGenerator::compile): |
| * yarr/YarrJIT.h: |
| |
| 2019-09-13 Mark Lam <mark.lam@apple.com> |
| |
| jsc -d stopped working. |
| https://bugs.webkit.org/show_bug.cgi?id=201787 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| The reason is because, in this case, the jsc shell is trying to set an option |
| after the VM has been instantiated. The fix is simply to move all options |
| initialization before the VM is instantiated. |
| |
| * jsc.cpp: |
| (runWithOptions): |
| (jscmain): |
| |
| 2019-09-13 Mark Lam <mark.lam@apple.com> |
| |
| watchOS requires PageSize alignment of 16K for JSC::Config. |
| https://bugs.webkit.org/show_bug.cgi?id=201786 |
| <rdar://problem/55357890> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/JSCConfig.h: |
| |
| 2019-09-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, follow-up fix after r249842 |
| https://bugs.webkit.org/show_bug.cgi?id=201750 |
| |
| Michael reviewed this offline. When performing nearCall, we need to invalidate cache registers. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::nearCall): |
| (JSC::MacroAssemblerARM64::threadSafePatchableNearCall): |
| |
| 2019-09-13 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Date.prototype.toJSON does not execute steps 1-2 |
| https://bugs.webkit.org/show_bug.cgi?id=105282 |
| |
| Reviewed by Ross Kirsling. |
| |
| According to https://tc39.es/ecma262/#sec-built-in-function-objects, built-in methods must be |
| strict mode functions. Before this change, `this` value in Date.prototype.toJSON was resolved |
| using sloppy mode semantics, resulting in `toISOString` being called on global object if `this` |
| value equals `null` or `undefined`. |
| |
| * runtime/DatePrototype.cpp: |
| (JSC::dateProtoFuncToJSON): Resolve thisValue using strict semantics and simplify std::isfinite check. |
| |
| 2019-09-13 Mark Lam <mark.lam@apple.com> |
| |
| performJITMemcpy() should do its !Gigacage assertion on exit. |
| https://bugs.webkit.org/show_bug.cgi?id=201780 |
| <rdar://problem/55354867> |
| |
| Reviewed by Robin Morisset. |
| |
| Re-doing previous fix. |
| |
| * jit/ExecutableAllocator.h: |
| (JSC::performJITMemcpy): |
| (JSC::GigacageAssertScope::GigacageAssertScope): Deleted. |
| (JSC::GigacageAssertScope::~GigacageAssertScope): Deleted. |
| |
| 2019-09-13 Mark Lam <mark.lam@apple.com> |
| |
| performJITMemcpy() should do its !Gigacage assertion on exit. |
| https://bugs.webkit.org/show_bug.cgi?id=201780 |
| <rdar://problem/55354867> |
| |
| Reviewed by Robin Morisset. |
| |
| * jit/ExecutableAllocator.h: |
| (JSC::GigacageAssertScope::GigacageAssertScope): |
| (JSC::GigacageAssertScope::~GigacageAssertScope): |
| (JSC::performJITMemcpy): |
| |
| 2019-09-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Micro-optimize YarrJIT's surrogate pair handling |
| https://bugs.webkit.org/show_bug.cgi?id=201750 |
| |
| Reviewed by Michael Saboff. |
| |
| Optimize sequence of machine code used to get code-point with unicode flag. |
| |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl): |
| |
| 2019-09-13 Mark Lam <mark.lam@apple.com> |
| |
| We should assert $vm is enabled on entry and exit in its functions. |
| https://bugs.webkit.org/show_bug.cgi?id=201762 |
| <rdar://problem/55338742> |
| |
| Rubber-stamped by Michael Saboff. |
| |
| 1. Also do the same for FunctionOverrides. |
| 2. Added the DollarVMAssertScope and FunctionOverridesAssertScope to achieve this. |
| 3. Also added assertions to lambda functions in $vm. |
| |
| * tools/FunctionOverrides.cpp: |
| (JSC::FunctionOverridesAssertScope::FunctionOverridesAssertScope): |
| (JSC::FunctionOverridesAssertScope::~FunctionOverridesAssertScope): |
| (JSC::FunctionOverrides::overrides): |
| (JSC::FunctionOverrides::FunctionOverrides): |
| (JSC::FunctionOverrides::reinstallOverrides): |
| (JSC::initializeOverrideInfo): |
| (JSC::FunctionOverrides::initializeOverrideFor): |
| (JSC::parseClause): |
| (JSC::FunctionOverrides::parseOverridesInFile): |
| * tools/JSDollarVM.cpp: |
| (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame): |
| (JSC::JSDollarVMCallFrame::createStructure): |
| (JSC::JSDollarVMCallFrame::create): |
| (JSC::JSDollarVMCallFrame::finishCreation): |
| (JSC::JSDollarVMCallFrame::addProperty): |
| (JSC::Element::Element): |
| (JSC::Element::create): |
| (JSC::Element::visitChildren): |
| (JSC::Element::createStructure): |
| (JSC::Root::Root): |
| (JSC::Root::setElement): |
| (JSC::Root::create): |
| (JSC::Root::createStructure): |
| (JSC::Root::visitChildren): |
| (JSC::SimpleObject::SimpleObject): |
| (JSC::SimpleObject::create): |
| (JSC::SimpleObject::visitChildren): |
| (JSC::SimpleObject::createStructure): |
| (JSC::ImpureGetter::ImpureGetter): |
| (JSC::ImpureGetter::createStructure): |
| (JSC::ImpureGetter::create): |
| (JSC::ImpureGetter::finishCreation): |
| (JSC::ImpureGetter::getOwnPropertySlot): |
| (JSC::ImpureGetter::visitChildren): |
| (JSC::CustomGetter::CustomGetter): |
| (JSC::CustomGetter::createStructure): |
| (JSC::CustomGetter::create): |
| (JSC::CustomGetter::getOwnPropertySlot): |
| (JSC::CustomGetter::customGetter): |
| (JSC::CustomGetter::customGetterAcessor): |
| (JSC::RuntimeArray::create): |
| (JSC::RuntimeArray::destroy): |
| (JSC::RuntimeArray::getOwnPropertySlot): |
| (JSC::RuntimeArray::getOwnPropertySlotByIndex): |
| (JSC::RuntimeArray::createPrototype): |
| (JSC::RuntimeArray::createStructure): |
| (JSC::RuntimeArray::finishCreation): |
| (JSC::RuntimeArray::RuntimeArray): |
| (JSC::RuntimeArray::lengthGetter): |
| (JSC::DOMJITNode::DOMJITNode): |
| (JSC::DOMJITNode::createStructure): |
| (JSC::DOMJITNode::checkSubClassSnippet): |
| (JSC::DOMJITNode::create): |
| (JSC::DOMJITGetter::DOMJITGetter): |
| (JSC::DOMJITGetter::createStructure): |
| (JSC::DOMJITGetter::create): |
| (JSC::DOMJITGetter::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetter::customGetter): |
| (JSC::DOMJITGetter::finishCreation): |
| (JSC::DOMJITGetterComplex::DOMJITGetterComplex): |
| (JSC::DOMJITGetterComplex::createStructure): |
| (JSC::DOMJITGetterComplex::create): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetterComplex::functionEnableException): |
| (JSC::DOMJITGetterComplex::customGetter): |
| (JSC::DOMJITGetterComplex::finishCreation): |
| (JSC::DOMJITFunctionObject::DOMJITFunctionObject): |
| (JSC::DOMJITFunctionObject::createStructure): |
| (JSC::DOMJITFunctionObject::create): |
| (JSC::DOMJITFunctionObject::functionWithTypeCheck): |
| (JSC::DOMJITFunctionObject::functionWithoutTypeCheck): |
| (JSC::DOMJITFunctionObject::checkSubClassSnippet): |
| (JSC::DOMJITFunctionObject::finishCreation): |
| (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): |
| (JSC::DOMJITCheckSubClassObject::createStructure): |
| (JSC::DOMJITCheckSubClassObject::create): |
| (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::finishCreation): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): |
| (JSC::DOMJITGetterBaseJSObject::createStructure): |
| (JSC::DOMJITGetterBaseJSObject::create): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetterBaseJSObject::customGetter): |
| (JSC::DOMJITGetterBaseJSObject::finishCreation): |
| (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter): |
| (JSC::JSTestCustomGetterSetter::create): |
| (JSC::JSTestCustomGetterSetter::createStructure): |
| (JSC::customSetAccessor): |
| (JSC::customSetValue): |
| (JSC::JSTestCustomGetterSetter::finishCreation): |
| (JSC::Element::handleOwner): |
| (JSC::Element::finishCreation): |
| (JSC::WasmStreamingParser::WasmStreamingParser): |
| (JSC::WasmStreamingParser::create): |
| (JSC::WasmStreamingParser::createStructure): |
| (JSC::WasmStreamingParser::finishCreation): |
| (JSC::functionWasmStreamingParserAddBytes): |
| (JSC::functionWasmStreamingParserFinalize): |
| (JSC::functionCrash): |
| (JSC::functionBreakpoint): |
| (JSC::functionDFGTrue): |
| (JSC::functionFTLTrue): |
| (JSC::functionCpuMfence): |
| (JSC::functionCpuRdtsc): |
| (JSC::functionCpuCpuid): |
| (JSC::functionCpuPause): |
| (JSC::functionCpuClflush): |
| (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor): |
| (JSC::getExecutableForFunction): |
| (JSC::functionLLintTrue): |
| (JSC::functionJITTrue): |
| (JSC::functionNoInline): |
| (JSC::functionGC): |
| (JSC::functionEdenGC): |
| (JSC::functionDumpSubspaceHashes): |
| (JSC::functionCallFrame): |
| (JSC::functionCodeBlockForFrame): |
| (JSC::codeBlockFromArg): |
| (JSC::functionCodeBlockFor): |
| (JSC::functionDumpSourceFor): |
| (JSC::functionDumpBytecodeFor): |
| (JSC::doPrint): |
| (JSC::functionDataLog): |
| (JSC::functionPrint): |
| (JSC::functionDumpCallFrame): |
| (JSC::functionDumpStack): |
| (JSC::functionDumpRegisters): |
| (JSC::functionDumpCell): |
| (JSC::functionIndexingMode): |
| (JSC::functionInlineCapacity): |
| (JSC::functionValue): |
| (JSC::functionGetPID): |
| (JSC::functionHaveABadTime): |
| (JSC::functionIsHavingABadTime): |
| (JSC::functionCreateGlobalObject): |
| (JSC::functionCreateProxy): |
| (JSC::functionCreateRuntimeArray): |
| (JSC::functionCreateNullRopeString): |
| (JSC::functionCreateImpureGetter): |
| (JSC::functionCreateCustomGetterObject): |
| (JSC::functionCreateDOMJITNodeObject): |
| (JSC::functionCreateDOMJITGetterObject): |
| (JSC::functionCreateDOMJITGetterComplexObject): |
| (JSC::functionCreateDOMJITFunctionObject): |
| (JSC::functionCreateDOMJITCheckSubClassObject): |
| (JSC::functionCreateDOMJITGetterBaseJSObject): |
| (JSC::functionCreateWasmStreamingParser): |
| (JSC::functionSetImpureGetterDelegate): |
| (JSC::functionCreateBuiltin): |
| (JSC::functionGetPrivateProperty): |
| (JSC::functionCreateRoot): |
| (JSC::functionCreateElement): |
| (JSC::functionGetElement): |
| (JSC::functionCreateSimpleObject): |
| (JSC::functionGetHiddenValue): |
| (JSC::functionSetHiddenValue): |
| (JSC::functionShadowChickenFunctionsOnStack): |
| (JSC::functionSetGlobalConstRedeclarationShouldNotThrow): |
| (JSC::functionFindTypeForExpression): |
| (JSC::functionReturnTypeFor): |
| (JSC::functionFlattenDictionaryObject): |
| (JSC::functionDumpBasicBlockExecutionRanges): |
| (JSC::functionHasBasicBlockExecuted): |
| (JSC::functionBasicBlockExecutionCount): |
| (JSC::functionEnableExceptionFuzz): |
| (JSC::changeDebuggerModeWhenIdle): |
| (JSC::functionEnableDebuggerModeWhenIdle): |
| (JSC::functionDisableDebuggerModeWhenIdle): |
| (JSC::functionDeleteAllCodeWhenIdle): |
| (JSC::functionGlobalObjectCount): |
| (JSC::functionGlobalObjectForObject): |
| (JSC::functionGetGetterSetter): |
| (JSC::functionLoadGetterFromGetterSetter): |
| (JSC::functionCreateCustomTestGetterSetter): |
| (JSC::functionDeltaBetweenButterflies): |
| (JSC::functionTotalGCTime): |
| (JSC::functionParseCount): |
| (JSC::functionIsWasmSupported): |
| (JSC::JSDollarVM::finishCreation): |
| (JSC::JSDollarVM::addFunction): |
| (JSC::JSDollarVM::addConstructibleFunction): |
| * tools/JSDollarVM.h: |
| (JSC::DollarVMAssertScope::DollarVMAssertScope): |
| (JSC::DollarVMAssertScope::~DollarVMAssertScope): |
| |
| 2019-09-13 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Web Inspector: Formatter: Pretty Print HTML resources (including inline <script>/<style>) |
| https://bugs.webkit.org/show_bug.cgi?id=201535 |
| <rdar://problem/29119232> |
| |
| Reviewed by Devin Rousso. |
| |
| * debugger/Debugger.cpp: |
| (JSC::Debugger::resolveBreakpoint): |
| When resolving a breakpoint inside of an inline <script> we need to adjust |
| based on the starting position of the <script> in the HTML resource. |
| |
| 2019-09-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] X86Registers.h callee-save register definition is wrong |
| https://bugs.webkit.org/show_bug.cgi?id=201756 |
| |
| Reviewed by Mark Lam. |
| |
| I think nobody is using X86 JIT backend, but it is simply wrong. |
| edi and esi should be callee-save. |
| |
| * assembler/X86Registers.h: |
| |
| 2019-09-12 Mark Lam <mark.lam@apple.com> |
| |
| Harden JSC against the abuse of runtime options. |
| https://bugs.webkit.org/show_bug.cgi?id=201597 |
| <rdar://problem/55167068> |
| |
| Reviewed by Filip Pizlo. |
| |
| Linux parts contributed by Carlos Garcia Campos <cgarcia@igalia.com>. |
| |
| 1. Introduce a JSC::Config struct that will be protected as ReadOnly once the |
| first VM instance is constructed. The end of the VM constructor calls |
| Config::permanentlyFreeze() which will make the Config ReadOnly. |
| |
| Note: this is currently only supported for OS(DARWIN) and OS(LINUX). |
| OS(WINDOWS) will need to implement some missing pieces before it can enable |
| this hardening (see FIXME in JSCConfig.cpp). |
| |
| The hardening strategy here is to put immutable global values into the Config. |
| Any modifications that need to be made to these values must be done before the |
| first VM instance is done instantiating. This ensures that no script will |
| ever run while the Config is still writable. |
| |
| Also, the policy for this hardening is that a process is opted in by default. |
| If there's a valid need to disable this hardening (e.g. for some test |
| environments), the relevant process will need to opt itself out by calling |
| Config::configureForTesting(). |
| |
| The jsc shell, WK2 UI and WebContent processes are opted in by default. |
| Only test processes may be opt out. |
| |
| 2. Put all JSC::Options in the Config. This enforces the invariant that options |
| can only be changed before we instantiate a VM. Once a VM is instantiated, |
| the options are immutable. |
| |
| 3. Remove functionForceGCSlowPaths() from the jsc shell. Setting |
| Options::forceGCSlowPaths this way is no longer allowed. |
| |
| 4. Re-factored the Options code (Options.h) into: |
| - OptionEntry.h: the data structure that stores the option values. |
| - OptionsList.h: the list of options. |
| - Options.h: the Options singleton object which is the interface for accessing options. |
| |
| Renamed the JSC_OPTIONS macro to FOR_EACH_JSC_OPTION, because |
| "FOR_EACH_JSC_OPTION(SET_OPTION_VALUE)" reads a lot better than |
| "JSC_OPTIONS(FOR_EACH_OPTION)". |
| |
| 5. Change testapi to call Config::configureForTesting(). Parts of testapi makes |
| use of setting options in its tests. Hence, this hardening is disabled for |
| testapi. |
| |
| Note: the jsc shell does enable this hardening. |
| |
| 6. Put ExecutableAllocator's immutable globals in the Config. |
| |
| 7. RELEASE_ASSERT that restrictedOptionsEnabled in order to use the |
| FunctionOverrides test utility. |
| |
| 8. RELEASE_ASSERT that Options::useDollarVM() is enabled in order to use the $vm. |
| |
| We must RELEASE_ASSERT(Options::useDollarVM()) in all JSDollarVM functions |
| that are non-trivial at an eye's glance. This includes (but is not limited to): |
| constructors |
| create() factory |
| createStructure() factory |
| finishCreation() |
| HOST_CALL or operation functions |
| Constructors and methods of utility and test classes |
| |
| The only exception are some constexpr constructors used for instantiating |
| globals (since these must have trivial constructors) e.g. DOMJITAttribute. |
| Instead, these constructors should always be ALWAYS_INLINE. |
| |
| * API/glib/JSCOptions.cpp: |
| (jscOptionsSetValue): |
| (jscOptionsGetValue): |
| (jsc_options_foreach): |
| (jsc_options_get_option_group): |
| * API/tests/testapi.c: |
| (main): |
| * API/tests/testapi.cpp: |
| (configureJSCForTesting): |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * jit/ExecutableAllocator.cpp: |
| (JSC::isJITEnabled): |
| (JSC::ExecutableAllocator::setJITEnabled): |
| (JSC::ExecutableAllocator::initializeUnderlyingAllocator): |
| (JSC::ExecutableAllocator::isValid const): |
| (JSC::ExecutableAllocator::underMemoryPressure): |
| (JSC::ExecutableAllocator::memoryPressureMultiplier): |
| (JSC::ExecutableAllocator::allocate): |
| (JSC::ExecutableAllocator::isValidExecutableMemory): |
| (JSC::ExecutableAllocator::getLock const): |
| (JSC::ExecutableAllocator::committedByteCount): |
| (JSC::ExecutableAllocator::dumpProfile): |
| (JSC::startOfFixedExecutableMemoryPoolImpl): |
| (JSC::endOfFixedExecutableMemoryPoolImpl): |
| (JSC::isJITPC): |
| (JSC::dumpJITMemory): |
| (JSC::ExecutableAllocator::initialize): |
| (JSC::ExecutableAllocator::singleton): |
| * jit/ExecutableAllocator.h: |
| (JSC::performJITMemcpy): |
| * jsc.cpp: |
| (GlobalObject::finishCreation): |
| (functionJSCOptions): |
| (jscmain): |
| (functionForceGCSlowPaths): Deleted. |
| * runtime/ConfigFile.cpp: |
| (JSC::ConfigFile::parse): |
| * runtime/InitializeThreading.cpp: |
| (JSC::initializeThreading): |
| * runtime/JSCConfig.cpp: Added. |
| (JSC::Config::disableFreezingForTesting): |
| (JSC::Config::enableRestrictedOptions): |
| (JSC::Config::permanentlyFreeze): |
| * runtime/JSCConfig.h: Added. |
| (JSC::Config::configureForTesting): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::exposeDollarVM): |
| * runtime/OptionEntry.h: Added. |
| (JSC::OptionRange::operator= ): |
| (JSC::OptionRange::rangeString const): |
| * runtime/Options.cpp: |
| (JSC::Options::isAvailable): |
| (JSC::scaleJITPolicy): |
| (JSC::Options::initialize): |
| (JSC::Options::setOptions): |
| (JSC::Options::setOptionWithoutAlias): |
| (JSC::Options::setAliasedOption): |
| (JSC::Option::dump const): |
| (JSC::Option::operator== const): |
| (): Deleted. |
| (JSC::Options::enableRestrictedOptions): Deleted. |
| * runtime/Options.h: |
| (JSC::Option::Option): |
| (JSC::Option::defaultOption const): |
| (JSC::Option::boolVal): |
| (JSC::Option::unsignedVal): |
| (JSC::Option::doubleVal): |
| (JSC::Option::int32Val): |
| (JSC::Option::optionRangeVal): |
| (JSC::Option::optionStringVal): |
| (JSC::Option::gcLogLevelVal): |
| (JSC::OptionRange::operator= ): Deleted. |
| (JSC::OptionRange::rangeString const): Deleted. |
| * runtime/OptionsList.h: Added. |
| (JSC::countNumberOfJSCOptions): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * tools/FunctionOverrides.cpp: |
| (JSC::FunctionOverrides::FunctionOverrides): |
| (JSC::FunctionOverrides::reinstallOverrides): |
| (JSC::FunctionOverrides::initializeOverrideFor): |
| (JSC::FunctionOverrides::parseOverridesInFile): |
| * tools/JSDollarVM.cpp: |
| (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame): |
| (JSC::JSDollarVMCallFrame::createStructure): |
| (JSC::JSDollarVMCallFrame::create): |
| (JSC::JSDollarVMCallFrame::finishCreation): |
| (JSC::JSDollarVMCallFrame::addProperty): |
| (JSC::Element::Element): |
| (JSC::Element::create): |
| (JSC::Element::createStructure): |
| (JSC::Root::Root): |
| (JSC::Root::create): |
| (JSC::Root::createStructure): |
| (JSC::SimpleObject::SimpleObject): |
| (JSC::SimpleObject::create): |
| (JSC::SimpleObject::createStructure): |
| (JSC::ImpureGetter::ImpureGetter): |
| (JSC::ImpureGetter::createStructure): |
| (JSC::ImpureGetter::create): |
| (JSC::ImpureGetter::finishCreation): |
| (JSC::ImpureGetter::getOwnPropertySlot): |
| (JSC::CustomGetter::CustomGetter): |
| (JSC::CustomGetter::createStructure): |
| (JSC::CustomGetter::create): |
| (JSC::CustomGetter::getOwnPropertySlot): |
| (JSC::CustomGetter::customGetter): |
| (JSC::CustomGetter::customGetterAcessor): |
| (JSC::RuntimeArray::create): |
| (JSC::RuntimeArray::destroy): |
| (JSC::RuntimeArray::getOwnPropertySlot): |
| (JSC::RuntimeArray::getOwnPropertySlotByIndex): |
| (JSC::RuntimeArray::createPrototype): |
| (JSC::RuntimeArray::createStructure): |
| (JSC::RuntimeArray::finishCreation): |
| (JSC::RuntimeArray::RuntimeArray): |
| (JSC::RuntimeArray::lengthGetter): |
| (JSC::DOMJITNode::DOMJITNode): |
| (JSC::DOMJITNode::createStructure): |
| (JSC::DOMJITNode::checkSubClassSnippet): |
| (JSC::DOMJITNode::create): |
| (JSC::DOMJITGetter::DOMJITGetter): |
| (JSC::DOMJITGetter::createStructure): |
| (JSC::DOMJITGetter::create): |
| (JSC::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): |
| (JSC::DOMJITGetter::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetter::customGetter): |
| (JSC::DOMJITGetter::finishCreation): |
| (JSC::DOMJITGetterComplex::DOMJITGetterComplex): |
| (JSC::DOMJITGetterComplex::createStructure): |
| (JSC::DOMJITGetterComplex::create): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetterComplex::functionEnableException): |
| (JSC::DOMJITGetterComplex::customGetter): |
| (JSC::DOMJITGetterComplex::finishCreation): |
| (JSC::DOMJITFunctionObject::DOMJITFunctionObject): |
| (JSC::DOMJITFunctionObject::createStructure): |
| (JSC::DOMJITFunctionObject::create): |
| (JSC::DOMJITFunctionObject::functionWithTypeCheck): |
| (JSC::DOMJITFunctionObject::functionWithoutTypeCheck): |
| (JSC::DOMJITFunctionObject::checkSubClassSnippet): |
| (JSC::DOMJITFunctionObject::finishCreation): |
| (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): |
| (JSC::DOMJITCheckSubClassObject::createStructure): |
| (JSC::DOMJITCheckSubClassObject::create): |
| (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::finishCreation): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): |
| (JSC::DOMJITGetterBaseJSObject::createStructure): |
| (JSC::DOMJITGetterBaseJSObject::create): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetterBaseJSObject::customGetter): |
| (JSC::DOMJITGetterBaseJSObject::finishCreation): |
| (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter): |
| (JSC::JSTestCustomGetterSetter::create): |
| (JSC::JSTestCustomGetterSetter::createStructure): |
| (JSC::customSetAccessor): |
| (JSC::customSetValue): |
| (JSC::JSTestCustomGetterSetter::finishCreation): |
| (JSC::Element::handleOwner): |
| (JSC::Element::finishCreation): |
| (JSC::WasmStreamingParser::WasmStreamingParser): |
| (JSC::WasmStreamingParser::create): |
| (JSC::WasmStreamingParser::createStructure): |
| (JSC::WasmStreamingParser::finishCreation): |
| (JSC::functionWasmStreamingParserAddBytes): |
| (JSC::functionWasmStreamingParserFinalize): |
| (JSC::functionCrash): |
| (JSC::functionBreakpoint): |
| (JSC::functionDFGTrue): |
| (JSC::functionFTLTrue): |
| (JSC::functionCpuMfence): |
| (JSC::functionCpuRdtsc): |
| (JSC::functionCpuCpuid): |
| (JSC::functionCpuPause): |
| (JSC::functionCpuClflush): |
| (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor): |
| (JSC::getExecutableForFunction): |
| (JSC::functionLLintTrue): |
| (JSC::functionJITTrue): |
| (JSC::functionNoInline): |
| (JSC::functionGC): |
| (JSC::functionEdenGC): |
| (JSC::functionDumpSubspaceHashes): |
| (JSC::functionCallFrame): |
| (JSC::functionCodeBlockForFrame): |
| (JSC::codeBlockFromArg): |
| (JSC::functionCodeBlockFor): |
| (JSC::functionDumpSourceFor): |
| (JSC::functionDumpBytecodeFor): |
| (JSC::doPrint): |
| (JSC::functionDataLog): |
| (JSC::functionPrint): |
| (JSC::functionDumpCallFrame): |
| (JSC::functionDumpStack): |
| (JSC::functionDumpRegisters): |
| (JSC::functionDumpCell): |
| (JSC::functionIndexingMode): |
| (JSC::functionInlineCapacity): |
| (JSC::functionValue): |
| (JSC::functionGetPID): |
| (JSC::functionHaveABadTime): |
| (JSC::functionIsHavingABadTime): |
| (JSC::functionCreateGlobalObject): |
| (JSC::functionCreateProxy): |
| (JSC::functionCreateRuntimeArray): |
| (JSC::functionCreateNullRopeString): |
| (JSC::functionCreateImpureGetter): |
| (JSC::functionCreateCustomGetterObject): |
| (JSC::functionCreateDOMJITNodeObject): |
| (JSC::functionCreateDOMJITGetterObject): |
| (JSC::functionCreateDOMJITGetterComplexObject): |
| (JSC::functionCreateDOMJITFunctionObject): |
| (JSC::functionCreateDOMJITCheckSubClassObject): |
| (JSC::functionCreateDOMJITGetterBaseJSObject): |
| (JSC::functionCreateWasmStreamingParser): |
| (JSC::functionSetImpureGetterDelegate): |
| (JSC::functionCreateBuiltin): |
| (JSC::functionGetPrivateProperty): |
| (JSC::functionCreateRoot): |
| (JSC::functionCreateElement): |
| (JSC::functionGetElement): |
| (JSC::functionCreateSimpleObject): |
| (JSC::functionGetHiddenValue): |
| (JSC::functionSetHiddenValue): |
| (JSC::functionShadowChickenFunctionsOnStack): |
| (JSC::functionSetGlobalConstRedeclarationShouldNotThrow): |
| (JSC::functionFindTypeForExpression): |
| (JSC::functionReturnTypeFor): |
| (JSC::functionFlattenDictionaryObject): |
| (JSC::functionDumpBasicBlockExecutionRanges): |
| (JSC::functionHasBasicBlockExecuted): |
| (JSC::functionBasicBlockExecutionCount): |
| (JSC::functionEnableExceptionFuzz): |
| (JSC::changeDebuggerModeWhenIdle): |
| (JSC::functionEnableDebuggerModeWhenIdle): |
| (JSC::functionDisableDebuggerModeWhenIdle): |
| (JSC::functionDeleteAllCodeWhenIdle): |
| (JSC::functionGlobalObjectCount): |
| (JSC::functionGlobalObjectForObject): |
| (JSC::functionGetGetterSetter): |
| (JSC::functionLoadGetterFromGetterSetter): |
| (JSC::functionCreateCustomTestGetterSetter): |
| (JSC::functionDeltaBetweenButterflies): |
| (JSC::functionTotalGCTime): |
| (JSC::functionParseCount): |
| (JSC::functionIsWasmSupported): |
| (JSC::JSDollarVM::finishCreation): |
| (JSC::JSDollarVM::addFunction): |
| (JSC::JSDollarVM::addConstructibleFunction): |
| * tools/JSDollarVM.h: |
| |
| 2019-09-11 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext |
| https://bugs.webkit.org/show_bug.cgi?id=201650 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`. |
| |
| A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even |
| required (e.g. compute pipeline). We should treat the `GPUCanvasContext` almost like a |
| `-webkit-canvas` client of a `WebGPUDevice`. |
| |
| * inspector/protocol/Canvas.json: |
| - Add `powerPreference` key to `ContextAttributes` type. |
| - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason. |
| - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason. |
| - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't |
| really a "canvas". |
| |
| 2019-09-11 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Add StringCodePointAt intrinsic |
| https://bugs.webkit.org/show_bug.cgi?id=201673 |
| |
| Reviewed by Michael Saboff. |
| |
| JetStream2/UniPoker executes String#codePointAt frequently. We should handle it in ThunkGenerator, DFG, and FTL like we are doing so for String#charCodeAt. |
| This patch adds these supports for String#codePointAt to get ~10% score improvement in JetStream2/UniPoker. |
| |
| In ThunkGenerator, we add a thunk for String#codePointAt, which accelerates LLInt and Baseline. In DFG, we handle this as StringCodePointAt node, and emit |
| inlined code in DFG and FTL. The characteristics of StringCodePointAt node is basically the same to StringCharAt. It has String array-mode, so it emits |
| preceding CheckArray. This ensures that (1) StringCodePointAt node itself does not do GC since the string is always resolved, and (2) we can skip the rope |
| check. This thing is just the same to the existing StringCharCodeAt mechanism. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGBackwardsPropagationPhase.cpp: |
| (JSC::DFG::BackwardsPropagationPhase::propagate): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicCall): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::hasArrayMode): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| (JSC::DFG::SpeculativeJIT::compileStringCodePointAt): |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt): |
| * jit/JITInlines.h: |
| (JSC::JIT::emitLoadCharacterString): |
| * jit/ThunkGenerators.cpp: |
| (JSC::stringGetByValGenerator): |
| (JSC::stringCharLoad): |
| (JSC::stringPrototypeCodePointAtThunkGenerator): |
| * jit/ThunkGenerators.h: |
| * runtime/Intrinsic.cpp: |
| (JSC::intrinsicName): |
| * runtime/Intrinsic.h: |
| * runtime/StringPrototype.cpp: |
| (JSC::StringPrototype::finishCreation): |
| * runtime/VM.cpp: |
| (JSC::thunkGeneratorForIntrinsic): |
| |
| 2019-09-11 Michael Saboff <msaboff@apple.com> |
| |
| JSC crashes due to stack overflow while building RegExp |
| https://bugs.webkit.org/show_bug.cgi?id=201649 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Check for running out of stack when we are optimizing RegExp containing BOL terms or |
| other deep copying of disjunctions. |
| |
| * yarr/YarrPattern.cpp: |
| (JSC::Yarr::YarrPatternConstructor::copyDisjunction): |
| (JSC::Yarr::YarrPatternConstructor::copyTerm): |
| (JSC::Yarr::YarrPatternConstructor::error): |
| (JSC::Yarr::YarrPattern::compile): |
| |
| 2019-09-11 Truitt Savell <tsavell@apple.com> |
| |
| Unreviewed, rolling out r249753. |
| |
| caused inspector/canvas/shaderProgram-add-remove-webgl.html to |
| crash on all Mac platforms. |
| |
| Reverted changeset: |
| |
| "Web Inspector: Canvas: instrument WebGPUDevice instead of |
| GPUCanvasContext" |
| https://bugs.webkit.org/show_bug.cgi?id=201650 |
| https://trac.webkit.org/changeset/249753 |
| |
| 2019-09-10 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext |
| https://bugs.webkit.org/show_bug.cgi?id=201650 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`. |
| |
| A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even |
| required (e.g. compute pipeline). We should treat the `GPUCanvasContext` almost like a |
| `-webkit-canvas` client of a `WebGPUDevice`. |
| |
| * inspector/protocol/Canvas.json: |
| - Add `powerPreference` key to `ContextAttributes` type. |
| - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason. |
| - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason. |
| - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't |
| really a "canvas". |
| |
| 2019-09-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3 |
| https://bugs.webkit.org/show_bug.cgi?id=201634 |
| |
| Reviewed by Mark Lam and Robin Morisset. |
| |
| This patch includes two things. One is fixing 32bit bitwise operation with allOne constants. Another is fixing the existing bug in BitAnd strength reduction. |
| |
| 1. 32bit bitwise operation with allOne constants |
| |
| Accidentally, the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`! |
| For example, in BitAnd strength reduction, |
| |
| 1034 // Turn this: BitAnd(value, all-ones) |
| 1035 // Into this: value. |
| 1036 if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max())) |
| 1037 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) { |
| 1038 replaceWithIdentity(m_value->child(0)); |
| 1039 break; |
| 1040 } |
| |
| We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is, |
| |
| 262 inline bool Value::isInt(int64_t value) const |
| 263 { |
| 264 return hasInt() && asInt() == value; |
| 265 } |
| |
| So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX can be representable in int64_t. And Value::asInt implementation is, |
| |
| 257 inline int64_t Value::asInt() const |
| 258 { |
| 259 return hasInt32() ? asInt32() : asInt64(); |
| 260 } |
| |
| So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want! |
| We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes). |
| |
| 2. BitAnd and BitOr strength reduction bug |
| |
| We also fix the following optimization. |
| |
| // Turn this: BitAnd(Op(value, constant1), constant2) |
| // where !(constant1 & constant2) |
| // and Op is BitOr or BitXor |
| // into this: BitAnd(value, constant2) |
| |
| Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken. |
| |
| // Turn this: BitAnd(BitXor(x, allOnes), c) |
| // Into this: BitXor(BitOr(x, ~c), allOnes) |
| |
| And we also found that this not-used optimization has a bug not inserting a newly produced constant B3::Value. This patch also fixes it. |
| |
| For both, this patch adds tests. And (2) fix can be ensured that the testb3 does not crash with validate-graph option. |
| |
| * b3/B3LowerToAir.cpp: |
| * b3/B3ReduceStrength.cpp: |
| * b3/testb3.h: |
| * b3/testb3_2.cpp: |
| (testBitAndNotNot32): |
| (testBitAndNotImm): |
| (testBitAndNotImm32): |
| (testBitOrAndAndArgs32): |
| (testBitOrAndSameArgs32): |
| (testBitOrNotNot32): |
| (testBitOrNotImm32): |
| (addBitTests): |
| * b3/testb3_3.cpp: |
| (testBitXorAndAndArgs32): |
| (testBitXorAndSameArgs32): |
| |
| 2019-09-10 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r249721. |
| https://bugs.webkit.org/show_bug.cgi?id=201667 |
| |
| Discovering existing bug (Requested by yusukesuzuki on |
| #webkit). |
| |
| Reverted changeset: |
| |
| "[JSC] 32bit bitwide operation with all-one (-1) is wrong in |
| B3" |
| https://bugs.webkit.org/show_bug.cgi?id=201634 |
| https://trac.webkit.org/changeset/249721 |
| |
| 2019-09-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData |
| https://bugs.webkit.org/show_bug.cgi?id=201664 |
| <rdar://problem/52126927> |
| |
| Reviewed by Tadeu Zagallo. |
| |
| We are hitting the crash accessing invalid-pointer as CodeBlock::calleeSaveRegisters result. |
| This is because concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters. |
| Since m_jitData can be initialized in the main thread while calling CodeBlock::calleeSaveRegisters from concurrent Baseline JIT compiler thread, |
| we can see half-baked JITData structure which holds garbage pointers. |
| |
| But we do not want to make CodeBlock::calleeSaveRegisters() call with CodeBlock::m_lock due to several reasons. |
| |
| 1. This function is very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are |
| called while taking this exact same lock, so dead-lock can happen. |
| 2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlock. And DFG and FTL code accesses these field after initializing properly. For Baseline JIT |
| compiler case, only thing we should do is that JITData should say m_calleeSaveRegisters is nullptr and it won't be filled for this CodeBlock. |
| |
| Instead of guarding CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts WTF::storeStoreFence when filling m_jitData. This ensures that |
| JITData::m_calleeSaveRegisters is initialized with nullptr when this JITData pointer is exposed to concurrent Baseline JIT compiler thread. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::ensureJITDataSlow): |
| |
| 2019-09-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result |
| https://bugs.webkit.org/show_bug.cgi?id=198253 |
| |
| Reviewed by Mark Lam. |
| |
| ResultType of bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like a int32. |
| When it is specified, TypeMaybeNumber must exist too. This issue compiles op_div in JetStream2/async-fs slow-path. And eventually DFG first mis-compiles |
| it with Int32 ArithDiv while that div always produces double. And unnecessary OSR exit happens. |
| |
| In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly. |
| |
| * parser/ResultType.h: |
| (JSC::ResultType::bigIntOrInt32Type): |
| |
| 2019-09-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3 |
| https://bugs.webkit.org/show_bug.cgi?id=201634 |
| |
| Reviewed by Mark Lam. |
| |
| Accidentally, the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`! |
| For example, in BitAnd strength reduction, |
| |
| 1034 // Turn this: BitAnd(value, all-ones) |
| 1035 // Into this: value. |
| 1036 if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max())) |
| 1037 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) { |
| 1038 replaceWithIdentity(m_value->child(0)); |
| 1039 break; |
| 1040 } |
| |
| We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is, |
| |
| 262 inline bool Value::isInt(int64_t value) const |
| 263 { |
| 264 return hasInt() && asInt() == value; |
| 265 } |
| |
| So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX can be representable in int64_t. And Value::asInt implementation is, |
| |
| 257 inline int64_t Value::asInt() const |
| 258 { |
| 259 return hasInt32() ? asInt32() : asInt64(); |
| 260 } |
| |
| So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want! |
| We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes). |
| |
| We also fix the following optimization. |
| |
| // Turn this: BitAnd(Op(value, constant1), constant2) |
| // where !(constant1 & constant2) |
| // and Op is BitOr or BitXor |
| // into this: BitAnd(value, constant2) |
| |
| Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken. |
| |
| // Turn this: BitAnd(BitXor(x, allOnes), c) |
| // Into this: BitXor(BitOr(x, ~c), allOnes) |
| |
| We add 32bit version of B3 tests for these optimizations. |
| |
| * b3/B3LowerToAir.cpp: |
| * b3/B3ReduceStrength.cpp: |
| * b3/testb3.h: |
| * b3/testb3_2.cpp: |
| (testBitAndNotNot32): |
| (testBitAndNotImm): |
| (testBitAndNotImm32): |
| (testBitOrAndAndArgs32): |
| (testBitOrAndSameArgs32): |
| (testBitOrNotNot32): |
| (testBitOrNotImm32): |
| (addBitTests): |
| * b3/testb3_3.cpp: |
| (testBitXorAndAndArgs32): |
| (testBitXorAndSameArgs32): |
| |
| 2019-09-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan |
| https://bugs.webkit.org/show_bug.cgi?id=189043 |
| |
| Reviewed by Keith Miller. |
| |
| This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan. |
| And remove Wasm::ModuleParser. This patch paves the way to implementing Wasm streaming features by |
| using Wasm::StreamingParser. |
| |
| Currently, we are not using streaming feature of StreamingParser. In a subsequent patch, we will |
| create a mechanism to pipe a chunk of data to streaming parser to enable WebAssembly.compileStreaming |
| and instantiateStreaming. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * tools/JSDollarVM.cpp: |
| (JSC::WasmStreamingParser::WasmStreamingParser): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::parseAndCompileAir): |
| * wasm/WasmAirIRGenerator.h: |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::parseAndCompile): Use FunctionData, it is good since it is more strongly typed. |
| * wasm/WasmB3IRGenerator.h: |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::BBQPlan): |
| (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation. |
| (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser. |
| (JSC::Wasm::BBQPlan::compileFunctions): |
| (JSC::Wasm::BBQPlan::complete): |
| * wasm/WasmBBQPlan.h: |
| * wasm/WasmModuleParser.cpp: Removed. |
| * wasm/WasmModuleParser.h: Removed. |
| * wasm/WasmOMGForOSREntryPlan.cpp: |
| (JSC::Wasm::OMGForOSREntryPlan::work): |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| * wasm/WasmPlan.cpp: |
| (JSC::Wasm::Plan::fail): Make fail function callable multiple times. The first error will be used. |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used. |
| * wasm/WasmStreamingParser.cpp: |
| (JSC::Wasm::StreamingParser::StreamingParser): |
| (JSC::Wasm::StreamingParser::parseCodeSectionSize): |
| (JSC::Wasm::StreamingParser::parseFunctionPayload): |
| (JSC::Wasm::StreamingParser::parseSectionPayload): |
| (JSC::Wasm::StreamingParser::finalize): Call client's callbacks at appropriate timings. |
| * wasm/WasmStreamingParser.h: |
| (JSC::Wasm::StreamingParserClient::didReceiveSectionData): |
| (JSC::Wasm::StreamingParserClient::didReceiveFunctionData): |
| (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient, |
| which has 3 callbacks right now. StreamingParser gets this client and call these callbacks |
| at appropriate timings. |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::validateFunction): |
| * wasm/WasmValidate.h: Use FunctionData, it is good since it is more strongly typed. |
| |
| 2019-09-09 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory |
| https://bugs.webkit.org/show_bug.cgi?id=201622 |
| |
| Reviewed by Mark Lam. |
| |
| CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, some of the places reallocate |
| this Vector without taking a lock. If a Vector memory is reallocated while iterating it in concurrent collector, |
| the concurrent collector can see a garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| (JSC::CodeBlock::setConstantRegisters): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::addConstant): |
| (JSC::CodeBlock::addConstantLazily): |
| * dfg/DFGDesiredWatchpoints.cpp: |
| (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add): |
| (JSC::DFG::SymbolTableAdaptor::add): |
| (JSC::DFG::FunctionExecutableAdaptor::add): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::registerFrozenValues): |
| * dfg/DFGJITFinalizer.cpp: |
| (JSC::DFG::JITFinalizer::finalizeCommon): |
| * dfg/DFGLazyJSValue.cpp: |
| (JSC::DFG::LazyJSValue::emit const): |
| |
| 2019-09-09 Robin Morisset <rmorisset@apple.com> |
| |
| [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array |
| https://bugs.webkit.org/show_bug.cgi?id=197305 |
| |
| Reviewed by Keith Miller. |
| |
| Currently it is a HashSet, but it only ever holds at most registerCount() items. And linear search tends to be faster on such a small collection than hashing + searching in a HashSet. |
| Further benefits include avoiding the allocation of the HashSet, not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists). |
| |
| This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly. |
| Apart from that, the patch got some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (that for example was only logging the number of iterations for FP registers, and not the more interesting number for GP registers). |
| |
| The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms. |
| So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall. |
| |
| No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2. |
| |
| * b3/air/AirAllocateRegistersByGraphColoring.cpp: |
| |
| 2019-09-09 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector |
| https://bugs.webkit.org/show_bug.cgi?id=201613 |
| |
| Reviewed by Mark Lam. |
| |
| We do not need to maintain propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode |
| since we have MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the |
| issue that `op_create_promise` missed propertyAccessInstructions registration (a name "propertyAccessInstructions" is |
| misleading, it is like "instructions-requires-llint-finalize"). |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::propagateTransitions): |
| (JSC::CodeBlock::finalizeLLIntInlineCaches): |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::applyModification): |
| (JSC::UnlinkedCodeBlock::shrinkToFit): |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted. |
| (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted. |
| (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted. |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::emitResolveScope): |
| (JSC::BytecodeGenerator::emitGetFromScope): |
| (JSC::BytecodeGenerator::emitPutToScope): |
| (JSC::BytecodeGenerator::emitGetById): |
| (JSC::BytecodeGenerator::emitDirectGetById): |
| (JSC::BytecodeGenerator::emitPutById): |
| (JSC::BytecodeGenerator::emitDirectPutById): |
| (JSC::BytecodeGenerator::emitCreateThis): |
| (JSC::BytecodeGenerator::emitToThis): |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedCodeBlock<CodeBlockType>::decode const): |
| (JSC::CachedCodeBlock<CodeBlockType>::encode): |
| |
| 2019-09-07 Keith Miller <keith_miller@apple.com> |
| |
| OSR entry into wasm misses some contexts |
| https://bugs.webkit.org/show_bug.cgi?id=201569 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch fixes an issue where we could fail to capture some of |
| our contexts when OSR entering into wasm code. Before we would |
| only capture the state of the block immediately surrounding the |
| entrance loop block header. We actually need to capture all |
| enclosed stacks. |
| |
| Additionally, we don't need to use variables for all the captured |
| values. We can use a Phi and insert an upsilon just below the |
| captured value. |
| |
| * interpreter/CallFrame.h: |
| * jsc.cpp: |
| (GlobalObject::finishCreation): |
| (functionCallerIsOMGCompiled): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck): |
| (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::AirIRGenerator::addLoop): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::createStack): |
| (JSC::Wasm::B3IRGenerator::B3IRGenerator): |
| (JSC::Wasm::B3IRGenerator::addConstant): |
| (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck): |
| (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::B3IRGenerator::addLoop): |
| (JSC::Wasm::B3IRGenerator::addEndToUnreachable): |
| (JSC::Wasm::dumpExpressionStack): |
| (JSC::Wasm::B3IRGenerator::dump): |
| (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::append): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::last): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted. |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser::controlStack): |
| |
| 2019-09-09 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Promise resolve/reject functions should be created more efficiently |
| https://bugs.webkit.org/show_bug.cgi?id=201488 |
| |
| Reviewed by Mark Lam. |
| |
| While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it enforces FunctionRareData allocations. |
| Unfortunately, anonymous-builtin-function function can be created frequently since this type of function is used |
| for `resolve` and `reject` arguments of Promise's executor (e.g. `new Promise((resolve, reject) => ...)`'s resolve and reject). |
| Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower. |
| |
| In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information |
| to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes |
| anonymous-builtin-function creation faster. |
| |
| We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test. |
| The simple microbenchmark shows 1.7x improvement. |
| |
| ToT Patched |
| |
| promise-creation-many 45.6701+-0.1488 ^ 26.8663+-1.8336 ^ definitely 1.6999x faster |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| * runtime/FunctionRareData.cpp: |
| (JSC::FunctionRareData::create): |
| (JSC::FunctionRareData::FunctionRareData): |
| * runtime/FunctionRareData.h: |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::finishCreation): |
| (JSC::JSFunction::allocateRareData): |
| (JSC::JSFunction::allocateAndInitializeRareData): |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::hasReifiedName const): |
| |
| 2019-09-07 Mark Lam <mark.lam@apple.com> |
| |
| performJITMemcpy() source buffer should not be in the Gigacage. |
| https://bugs.webkit.org/show_bug.cgi?id=201577 |
| <rdar://problem/55142606> |
| |
| Reviewed by Michael Saboff. |
| |
| Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source |
| buffer is not in the Gigacage. |
| |
| * jit/ExecutableAllocator.h: |
| (JSC::performJITMemcpy): |
| |
| 2019-09-07 Mark Lam <mark.lam@apple.com> |
| |
| The jsc shell should allow disabling of the Gigacage for testing purposes. |
| https://bugs.webkit.org/show_bug.cgi?id=201579 |
| |
| Reviewed by Michael Saboff. |
| |
| Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code. If |
| this env var is present and it has a falsy value, then do not |
| forbidDisablingPrimitiveGigacage() in the jsc shell. |
| |
| * jsc.cpp: |
| (jscmain): |
| |
| 2019-09-06 Mark Lam <mark.lam@apple.com> |
| |
| Harden protection of the Gigacage Config parameters. |
| https://bugs.webkit.org/show_bug.cgi?id=201570 |
| <rdar://problem/55134229> |
| |
| Reviewed by Saam Barati. |
| |
| Just renaming some function names here. |
| |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageConditionally): |
| * jsc.cpp: |
| (jscmain): |
| |
| 2019-09-06 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Math.round() produces wrong result for value prior to 0.5 |
| https://bugs.webkit.org/show_bug.cgi?id=185115 |
| |
| Reviewed by Saam Barati. |
| |
| Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994. |
| This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite. |
| |
| Specifically: |
| - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5), |
| so taking the difference between ceil(value)` and `value` is problematic. |
| - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones |
| (by falling back to jsRound). This patch gives baseline a legitimate implementation too. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileArithRounding): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithRound): |
| * jit/ThunkGenerators.cpp: |
| (JSC::roundThunkGenerator): |
| * runtime/MathCommon.cpp: |
| |
| 2019-09-05 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken) |
| https://bugs.webkit.org/show_bug.cgi?id=201366 |
| |
| Reviewed by Saam Barati. |
| |
| It is possible for the log buffer to be full right as someone is trying to |
| log a function prologue. In such a case the machine stack has already been |
| updated to include the new JavaScript call frame, but the prologue packet |
| cannot be included in the update because the log is full. This would mean |
| that the update fails to rationalize the machine stack with the shadow |
| log / stack. Namely, the current JavaScript call frame is unable to |
| find a matching prologue (the one we are holding to include after the update) |
| and inserts a questionable value into the stack; and in the process |
| missing and removing real potential tail calls. |
| |
| For example: |
| |
| "use strict"; |
| function third() { return 1; } |
| function second() { return third(); } |
| function first() { return second(); } |
| function start() { return first(); } |
| |
| If the the log fills up just as we are entering `b` then we may have a list |
| full log of packets looking like: |
| |
| Shadow Log: |
| ... |
| { prologue-packet: entering `start` ... } |
| { prologue-packet: entering `first` ... } |
| { tail-packet: leaving `first` with a tail call } |
| |
| Incoming Packet: |
| { prologue-packet: entering `second` ... } |
| |
| Current JS Stack: |
| second |
| start |
| |
| Since the Current JavaScript stack already has `second`, if we process the |
| log without the prologue for `second` then we push a confused entry on the |
| shadow stack and clear the log such that we eventually lose the tail-call |
| information for `first` to `second`. |
| |
| This patch solves this issue by providing enough extra space in the log |
| to always process the incoming packet when that forces an update. This way |
| clients can continue to behave exactly as they are. |
| |
| -- |
| |
| We also document a corner case in some circumstances where the shadow |
| log may currently be insufficient to know how to reconcile: |
| |
| For example: |
| |
| "use strict"; |
| function third() { return 1; } |
| function second() { return third(); } |
| function first() { return second(); } |
| function doNothingTail() { return Math.random() } |
| function start() { |
| for (i=0;i<1000;++i) doNothingTail(); |
| return first(); |
| } |
| |
| In this case the ShadowChicken log may be processed multiple times due |
| to the many calls to `doNothingTail` / `Math.random()`. When calling the |
| Native function no prologue packet is emitted, so it is unclear that we |
| temporarly go deeper and come back out on the stack, so the log appears |
| to have lots of doNothingTail calls reusing the same frame: |
| |
| Shadow Log: |
| ... |
| , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start} |
| , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [125] tail-packet:{frame = 0x7ffeef8971f0} |
| , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [127] tail-packet:{frame = 0x7ffeef8971f0} |
| ... |
| , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [141] tail-packet:{frame = 0x7ffeef8971f0} |
| , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [143] tail-packet:{frame = 0x7ffeef8971f0} |
| , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first} |
| , [145] tail-packet:{frame = 0x7ffeef8971f0} |
| , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second} |
| ... |
| |
| This log would seem to be indistinguishable from real tail recursion, such as: |
| |
| "use strict"; |
| function third() { return 1; } |
| function second() { return third(); } |
| function first() { return second(); } |
| function doNothingTail(n) { |
| return n ? doNothingTail(n-1) : first(); |
| } |
| function start() { |
| return doNothingTail(1000); |
| } |
| |
| Likewise there are more cases where the shadow log appears to be ambiguous with determining |
| the appropriate parent call frame with intermediate function calls. In practice this may |
| not be too problematic, as this is a best effort reconstruction of tail deleted frames. |
| It seems likely we would only show additional frames that did in fact happen serially |
| between JavaScript call frames, but may not actually be the proper parent frames |
| heirachy in the stack. |
| |
| * interpreter/ShadowChicken.cpp: |
| (JSC::ShadowChicken::Packet::dump const): |
| (JSC::ShadowChicken::Frame::dump const): |
| (JSC::ShadowChicken::dump const): |
| Improved debugging output. Especially for functions. |
| |
| (JSC::ShadowChicken::ShadowChicken): |
| Make space in the log for 1 additional packet to process when we slow log. |
| |
| (JSC::ShadowChicken::log): |
| Include this packet in our update. |
| |
| (JSC::ShadowChicken::update): |
| Address an edge case where we can eliminate tail-deleted frames that don't make sense. |
| |
| 2019-09-06 Ryan Haddad <ryanhaddad@apple.com> |
| |
| Unreviewed, rolling out r249566. |
| |
| Causes inspector layout test crashes under GuardMalloc |
| |
| Reverted changeset: |
| |
| "Tail Deleted Frames shown in Web Inspector are sometimes |
| incorrect (Shadow Chicken)" |
| https://bugs.webkit.org/show_bug.cgi?id=201366 |
| https://trac.webkit.org/changeset/249566 |
| |
| 2019-09-06 Guillaume Emont <guijemont@igalia.com> |
| |
| testmasm: save r6 in JIT'ed code on ARM_THUMB2 |
| https://bugs.webkit.org/show_bug.cgi?id=201138 |
| |
| Reviewed by Mark Lam. |
| |
| MacroAssemblerArmv7 uses r6 as a temporary register, and it is a |
| callee-saved register. The JITs use |
| AssemblyHelpers::emitSaveCalleeSaves() and friends to save |
| callee-saved registers, but there is no such mechanism in testmasm, |
| which seems to make the assumption that the macroassembler does not |
| use callee-saved registers (which I guess is true for all other |
| architectures, but not for Armv7). |
| |
| This issue means that testmasm crashes on Armv7 since code generated |
| by gcc uses r6, and it gets modified by JIT'ed code. |
| |
| This change makes sure that we save and restore r6 for all code |
| compiled by testmasm on Armv7. |
| |
| * assembler/testmasm.cpp: |
| (JSC::emitFunctionPrologue): |
| (JSC::emitFunctionEpilogue): |
| (JSC::testSimple): |
| (JSC::testGetEffectiveAddress): |
| (JSC::testBranchTruncateDoubleToInt32): |
| (JSC::testBranchTestBit32RegReg): |
| (JSC::testBranchTestBit32RegImm): |
| (JSC::testBranchTestBit32AddrImm): |
| (JSC::testBranchTestBit64RegReg): |
| (JSC::testBranchTestBit64RegImm): |
| (JSC::testBranchTestBit64AddrImm): |
| (JSC::testCompareDouble): |
| (JSC::testMul32WithImmediates): |
| (JSC::testMul32SignExtend): |
| (JSC::testCompareFloat): |
| (JSC::testProbeReadsArgumentRegisters): |
| (JSC::testProbeWritesArgumentRegisters): |
| (JSC::testProbePreservesGPRS): |
| (JSC::testProbeModifiesStackPointer): |
| (JSC::testProbeModifiesProgramCounter): |
| (JSC::testProbeModifiesStackValues): |
| (JSC::testByteSwap): |
| (JSC::testMoveDoubleConditionally32): |
| (JSC::testMoveDoubleConditionally64): |
| (JSC::testCagePreservesPACFailureBit): |
| |
| 2019-09-05 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken) |
| https://bugs.webkit.org/show_bug.cgi?id=201366 |
| |
| Reviewed by Saam Barati. |
| |
| It is possible for the log buffer to be full right as someone is trying to |
| log a function prologue. In such a case the machine stack has already been |
| updated to include the new JavaScript call frame, but the prologue packet |
| cannot be included in the update because the log is full. This would mean |
| that the update fails to rationalize the machine stack with the shadow |
| log / stack. Namely, the current JavaScript call frame is unable to |
| find a matching prologue (the one we are holding to include after the update) |
| and inserts a questionable value into the stack; and in the process |
| missing and removing real potential tail calls. |
| |
| For example: |
| |
| "use strict"; |
| function third() { return 1; } |
| function second() { return third(); } |
| function first() { return second(); } |
| function start() { return first(); } |
| |
| If the the log fills up just as we are entering `b` then we may have a list |
| full log of packets looking like: |
| |
| Shadow Log: |
| ... |
| { prologue-packet: entering `start` ... } |
| { prologue-packet: entering `first` ... } |
| { tail-packet: leaving `first` with a tail call } |
| |
| Incoming Packet: |
| { prologue-packet: entering `second` ... } |
| |
| Current JS Stack: |
| second |
| start |
| |
| Since the Current JavaScript stack already has `second`, if we process the |
| log without the prologue for `second` then we push a confused entry on the |
| shadow stack and clear the log such that we eventually lose the tail-call |
| information for `first` to `second`. |
| |
| This patch solves this issue by providing enough extra space in the log |
| to always process the incoming packet when that forces an update. This way |
| clients can continue to behave exactly as they are. |
| |
| -- |
| |
| We also document a corner case in some circumstances where the shadow |
| log may currently be insufficient to know how to reconcile: |
| |
| For example: |
| |
| "use strict"; |
| function third() { return 1; } |
| function second() { return third(); } |
| function first() { return second(); } |
| function doNothingTail() { return Math.random() } |
| function start() { |
| for (i=0;i<1000;++i) doNothingTail(); |
| return first(); |
| } |
| |
| In this case the ShadowChicken log may be processed multiple times due |
| to the many calls to `doNothingTail` / `Math.random()`. When calling the |
| Native function no prologue packet is emitted, so it is unclear that we |
| temporarly go deeper and come back out on the stack, so the log appears |
| to have lots of doNothingTail calls reusing the same frame: |
| |
| Shadow Log: |
| ... |
| , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start} |
| , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [125] tail-packet:{frame = 0x7ffeef8971f0} |
| , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [127] tail-packet:{frame = 0x7ffeef8971f0} |
| ... |
| , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [141] tail-packet:{frame = 0x7ffeef8971f0} |
| , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [143] tail-packet:{frame = 0x7ffeef8971f0} |
| , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first} |
| , [145] tail-packet:{frame = 0x7ffeef8971f0} |
| , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second} |
| ... |
| |
| This log would seem to be indistinguishable from real tail recursion, such as: |
| |
| "use strict"; |
| function third() { return 1; } |
| function second() { return third(); } |
| function first() { return second(); } |
| function doNothingTail(n) { |
| return n ? doNothingTail(n-1) : first(); |
| } |
| function start() { |
| return doNothingTail(1000); |
| } |
| |
| Likewise there are more cases where the shadow log appears to be ambiguous with determining |
| the appropriate parent call frame with intermediate function calls. In practice this may |
| not be too problematic, as this is a best effort reconstruction of tail deleted frames. |
| It seems likely we would only show additional frames that did in fact happen serially |
| between JavaScript call frames, but may not actually be the proper parent frames |
| heirachy in the stack. |
| |
| * interpreter/ShadowChicken.cpp: |
| (JSC::ShadowChicken::Packet::dump const): |
| (JSC::ShadowChicken::Frame::dump const): |
| (JSC::ShadowChicken::dump const): |
| Improved debugging output. Especially for functions. |
| |
| (JSC::ShadowChicken::ShadowChicken): |
| Make space in the log for 1 additional packet to process when we slow log. |
| |
| (JSC::ShadowChicken::log): |
| Include this packet in our update. |
| |
| (JSC::ShadowChicken::update): |
| Address an edge case where we can eliminate tail-deleted frames that don't make sense. |
| |
| 2019-09-05 Mark Lam <mark.lam@apple.com> |
| |
| Refactor the Gigacage code to require less pointer casting. |
| https://bugs.webkit.org/show_bug.cgi?id=201521 |
| |
| Reviewed by Saam Barati. |
| |
| Change LLInt's loadCagedJSValue() to skip the caging if Gigacage is not enabled |
| in the build. This allows us to remove the unneeded stubs in WTF Gigacage.h. |
| |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageConditionally): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/VM.h: |
| (JSC::VM::gigacageAuxiliarySpace): |
| |
| 2019-09-05 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, follow-up after r249530 and r249509 |
| https://bugs.webkit.org/show_bug.cgi?id=201495 |
| |
| Rename FTLOutput::weakPointer to alreadyRegisteredWeakPointer and alreadyRegisteredFrozenPointer. |
| |
| * builtins/PromiseConstructor.js: |
| (nakedConstructor.Promise.resolve): |
| (nakedConstructor.Promise.reject): |
| (nakedConstructor.Promise): |
| (nakedConstructor.InternalPromise.resolve): |
| (nakedConstructor.InternalPromise.reject): |
| (nakedConstructor.InternalPromise): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::weakPointer): |
| (JSC::FTL::DFG::LowerDFGToB3::frozenPointer): |
| (JSC::FTL::DFG::LowerDFGToB3::weakStructure): |
| * ftl/FTLOutput.h: |
| (JSC::FTL::Output::alreadyRegisteredWeakPointer): |
| (JSC::FTL::Output::alreadyRegisteredFrozenPointer): |
| (JSC::FTL::Output::weakPointer): Deleted. |
| |
| 2019-09-05 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Generalize Get/PutPromiseInternalField for InternalFieldObjectImpl |
| https://bugs.webkit.org/show_bug.cgi?id=201513 |
| |
| Reviewed by Ross Kirsling. |
| |
| This patch extracts JSPromise's internal fields mechanism as JSInternalFieldsObjectImpl, and make it reusable for the other objects. |
| It is preparation for using this internal fields mechanism for generators, async functions, async generators, array iterators and so on. |
| |
| The profiler is telling many recompilation of Generator's resume function (including async generator's one). We are using properties |
| with private-symbols as a storage for internal state of generators. However, the spec defines that each generator from different generator-functions |
| has different [[Prototype]]. While we need to share one Generator.prototype.next function, generators tend to have different Structures due to |
| different [[Prototype]] and accessing internal fields with `get_by_id_direct` sadly becomes super megamorphic while it is not necessary. |
| And every time new Structure for new generator pops up, DFG/FTL code for generator resume function gets OSR exit or eventually this function gets |
| emits super generic code unfortunately. By using internal fields for storing these state, we can avoid this performance problem. |
| |
| Bytecodes and corresponding DFG nodes are just renamed. JSPromise is now inheriting JSInternalFieldsObjectImpl, which can holds specified |
| number of internal fields. And op_get_internal_field / op_put_internal_field can access these internal fields. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| * bytecode/Opcode.h: |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::emitGetInternalField): |
| (JSC::BytecodeGenerator::emitPutInternalField): |
| (JSC::BytecodeGenerator::emitGetPromiseInternalField): Deleted. |
| (JSC::BytecodeGenerator::emitPutPromiseInternalField): Deleted. |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGMayExit.cpp: |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::hasInternalFieldIndex): |
| (JSC::DFG::Node::hasHeapPrediction): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileGetInternalField): |
| (JSC::DFG::SpeculativeJIT::compilePutInternalField): |
| (JSC::DFG::SpeculativeJIT::compileCreatePromise): |
| (JSC::DFG::SpeculativeJIT::compileNewPromise): |
| (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField): Deleted. |
| (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField): Deleted. |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetInternalField): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutInternalField): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField): Deleted. |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField): Deleted. |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| * jit/JIT.h: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_get_internal_field): |
| (JSC::JIT::emit_op_put_internal_field): |
| (JSC::JIT::emit_op_get_promise_internal_field): Deleted. |
| (JSC::JIT::emit_op_put_promise_internal_field): Deleted. |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_get_internal_field): |
| (JSC::JIT::emit_op_put_internal_field): |
| (JSC::JIT::emit_op_get_promise_internal_field): Deleted. |
| (JSC::JIT::emit_op_put_promise_internal_field): Deleted. |
| * llint/LLIntOffsetsExtractor.cpp: |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/JSInternalFieldObjectImpl.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h. |
| (JSC::JSInternalFieldObjectImpl::allocationSize): |
| (JSC::JSInternalFieldObjectImpl::internalField const): |
| (JSC::JSInternalFieldObjectImpl::internalField): |
| (JSC::JSInternalFieldObjectImpl::offsetOfInternalFields): |
| (JSC::JSInternalFieldObjectImpl::offsetOfInternalField): |
| (JSC::JSInternalFieldObjectImpl::JSInternalFieldObjectImpl): |
| * runtime/JSInternalFieldObjectImplInlines.h: Added. |
| (JSC::JSInternalFieldObjectImpl<passedNumberOfInternalFields>::visitChildren): |
| * runtime/JSPromise.cpp: |
| (JSC::JSPromise::finishCreation): |
| (JSC::JSPromise::visitChildren): |
| (JSC::JSPromise::status const): |
| (JSC::JSPromise::result const): |
| (JSC::JSPromise::isHandled const): |
| * runtime/JSPromise.h: |
| (JSC::JSPromise::allocationSize): Deleted. |
| (JSC::JSPromise::offsetOfInternalFields): Deleted. |
| (JSC::JSPromise::offsetOfInternalField): Deleted. |
| (): Deleted. |
| |
| 2019-09-05 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r247463. |
| https://bugs.webkit.org/show_bug.cgi?id=201515 |
| |
| JetStream2 code-load related regression (Requested by |
| yusukesuzuki on #webkit). |
| |
| Reverted changeset: |
| |
| "Keyword lookup can use memcmp to get around unaligned load |
| undefined behavior" |
| https://bugs.webkit.org/show_bug.cgi?id=199650 |
| https://trac.webkit.org/changeset/247463 |
| |
| 2019-09-05 Tadeu Zagallo <tzagallo@apple.com> |
| |
| LazyClassStructure::setConstructor should not store the constructor to the global object |
| https://bugs.webkit.org/show_bug.cgi?id=201484 |
| <rdar://problem/50400451> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| LazyClassStructure::setConstructor sets the constructor as a property of the global object. |
| This became a problem when it started being used for WebAssembly constructors, such as Module |
| and Instance, since they are properties of the WebAssembly object, not the global object. That |
| resulted in properties of the global object replaced whenever a lazy WebAssembly constructor |
| was first accessed. e.g. |
| |
| globalThis.Module = x; |
| WebAssembly.Module; |
| globalThis.Module === WebAssembly.Module; |
| |
| * runtime/LazyClassStructure.cpp: |
| (JSC::LazyClassStructure::Initializer::setConstructor): |
| * runtime/LazyClassStructure.h: |
| * runtime/Lookup.h: |
| (JSC::reifyStaticProperty): |
| |
| 2019-09-05 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Do not use FTLOutput::weakPointer directly |
| https://bugs.webkit.org/show_bug.cgi?id=201495 |
| |
| Reviewed by Filip Pizlo. |
| |
| FTLOutput::weakPointer does not register the cell as a weak pointer. |
| CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion. |
| While the current implementation is not posing correctness issue since these cells are live so long as JSGlobalObject is live, |
| and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function. |
| For FrozenValue, we should use frozenPointer helper function. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer): |
| |
| 2019-09-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression |
| https://bugs.webkit.org/show_bug.cgi?id=201373 |
| |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::emitLoopHint): |
| (JSC::BytecodeGenerator::emitCheckTraps): |
| * bytecompiler/BytecodeGenerator.h: |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * jit/JIT.cpp: |
| (JSC::JIT::emitEnterOptimizationCheck): |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| * jit/JIT.h: |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_enter): |
| (JSC::JIT::emit_op_loop_hint): |
| (JSC::JIT::emitSlow_op_loop_hint): |
| (JSC::JIT::emit_op_check_traps): |
| (JSC::JIT::emitSlow_op_check_traps): |
| (JSC::JIT::emitSlow_op_enter): Deleted. |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_enter): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/CommonSlowPaths.h: |
| |
| 2019-09-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, rebaseline builtin generator test results |
| https://bugs.webkit.org/show_bug.cgi?id=200898 |
| |
| Rebaseline the result files. |
| |
| * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result: |
| * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result: |
| * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result: |
| * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result: |
| * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result: |
| * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result: |
| * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result: |
| * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: |
| |
| 2019-09-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen |
| https://bugs.webkit.org/show_bug.cgi?id=201485 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| FunctionOverrides is a per-process singleton for registering overrides information. But we are accessing |
| it without taking a lock. If multiple threads with multiple VMs are accessing this concurrently, we have |
| a race issue like, |
| |
| 1. While one thread is adding overrides information, |
| 2. Another thread is accessing this hash table. |
| |
| This patch adds a lock to make sure that only one thread can access this registry. |
| |
| * tools/FunctionOverrides.cpp: |
| (JSC::FunctionOverrides::FunctionOverrides): |
| (JSC::FunctionOverrides::reinstallOverrides): |
| (JSC::FunctionOverrides::initializeOverrideFor): |
| (JSC::FunctionOverrides::parseOverridesInFile): |
| * tools/FunctionOverrides.h: |
| (JSC::FunctionOverrides::clear): |
| |
| 2019-09-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make Promise implementation faster |
| https://bugs.webkit.org/show_bug.cgi?id=200898 |
| |
| Reviewed by Saam Barati. |
| |
| This is the major change of the Promise implementation and it improves JetStream2/async-fs by 62%. |
| |
| 1. Make JSPromise C++ friendly |
| |
| Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise. |
| This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these |
| fields from C++ easy. Moreover, this patch reduces # of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal |
| fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL |
| supports. They are similar to GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand |
| this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1]. |
| |
| We also add JSPromiseType as JSType. And structures for JSPromise should have that. So that now `@isPromise` is efficiently implemented. |
| This also requires adding SpecPromiseObject and PromiseObjectUse to DFG. |
| |
| Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension |
| is filed in [2]. |
| |
| 2. Make JSPromise constructor JS friendly |
| |
| The old JSPromise constructor was very inefficient: JSPromise constructor is InternalFunction in C++, and in it, it |
| calls `initializePromise` JS function. And this `initializePromise` function invokes `executor` function passed by user program. |
| If we can implement JSPromise constructor fully in JS, we can recognize `executor` and we have a chance to fully inline them. |
| Unfortunately, we cannot inline JSPromise constructor for now since it takes 120 bytecode cost while our inlining threshold for |
| construct is 100. We might want to investigate getting it inlined in the future[3]. |
| |
| We can avoid C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces @nakedConstructor |
| annotation to builtin JS. And this is propagated as `ConstructorKind::Naked`. If this kind is attached, the bytecode generator |
| do not emit `op_create_this` implicitly and the constructor does not return `this` object implicitly. The naked constructor allows |
| us to emit bare-metal bytecode, specifically necessary to allocate non-final JSObject from JS constructor. We introduce op_create_promise, |
| which is similar to op_create_this, but it allocates JSPromise. And by using @createPromise bytecode intrinsic, we implement |
| JSPromise constructor fully in JS. |
| With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4]. |
| |
| 3. DFG supports for JSPromise operations |
| |
| This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis, |
| and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate |
| promises. CreatePromise and NewPromise have `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG. |
| When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism |
| used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile |
| can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable |
| in DFG, we connect watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's |
| structure is invalidated: `callee.prototype` is replaced. |
| |
| 4. Avoid creating unnecessary promises |
| |
| Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. And some of promise creation can be avoided. |
| For example, when resolving a value with `Promise.resolve`, if a value is promise and if it's `then` method is the builtin `then`, we can avoid creating |
| intermediate promise. To handle these things well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They |
| take `onFulfilled` and `onRejected` handlers and they do not need an intermediate promise for resolving. This removes internal promise allocations |
| in major cases and makes promise / async-functions efficient. And we also expose builtin `then` function as `@then`, and insert `@isPromise(xxx) && then === @then` |
| check to take a fast path. We introduced four types of promise reactions to avoid some of object allocations. And microtask reaction is handling these four types. |
| |
| 5. Avoid creating resolving-functions and promise capabilities |
| |
| Resolving functions have `alreadyResolved` flag to prevent calling `resolve` and `reject` multiple times. For the first resolving function creation, this |
| patch embeds one bit flag to JSPromise itself which indicates `alreadyResolved` in the first created resolving functions (resolving functions can be later |
| created again for the same promise. In that case, we just create a usual resolving functions). By doing so, we avoid unnecessary resolving functions |
| and promise capability allocations. We introduce a wrapper function `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`. |
| The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with the calls to these functions, e.g. replacing |
| `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`. |
| This mechanism will be used to drop JSPromiseDeferred in a separate patch. |
| |
| JetStream2/async-fs results. |
| ToT: |
| Running async-fs: |
| Startup: 116.279 |
| Worst Case: 151.515 |
| Average: 176.630 |
| Score: 145.996 |
| Wall time: 0:01.149 |
| |
| Patched: |
| Running async-fs: |
| Startup: 166.667 |
| Worst Case: 267.857 |
| Average: 299.080 |
| Score: 237.235 |
| Wall time: 0:00.683 |
| |
| [1]: https://bugs.webkit.org/show_bug.cgi?id=201159 |
| [2]: https://bugs.webkit.org/show_bug.cgi?id=201160 |
| [3]: https://bugs.webkit.org/show_bug.cgi?id=201452 |
| [4]: https://bugs.webkit.org/show_bug.cgi?id=201158 |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Scripts/wkbuiltins/builtins_generate_combined_header.py: |
| (ConstructAbility): |
| (ConstructorKind): |
| * Scripts/wkbuiltins/builtins_generate_separate_header.py: |
| * Scripts/wkbuiltins/builtins_generator.py: |
| (BuiltinsGenerator.generate_embedded_code_data_for_function): |
| (BuiltinsGenerator.generate_embedded_code_string_section_for_data): |
| * Scripts/wkbuiltins/builtins_model.py: |
| (BuiltinFunction.__init__): |
| (BuiltinFunction.fromString): |
| * Scripts/wkbuiltins/builtins_templates.py: |
| * builtins/AsyncFromSyncIteratorPrototype.js: |
| (next.try): |
| (next): |
| (return.try): |
| (return): |
| (throw.try): |
| (throw): |
| * builtins/AsyncFunctionPrototype.js: |
| (globalPrivate.asyncFunctionResume): |
| * builtins/AsyncGeneratorPrototype.js: |
| (globalPrivate.asyncGeneratorQueueIsEmpty): |
| (globalPrivate.asyncGeneratorQueueEnqueue): |
| (globalPrivate.asyncGeneratorQueueDequeue): |
| (globalPrivate.asyncGeneratorReject): |
| (globalPrivate.asyncGeneratorResolve): |
| (globalPrivate.asyncGeneratorYield): |
| (onRejected): |
| (globalPrivate.awaitValue): |
| (onFulfilled): |
| (globalPrivate.doAsyncGeneratorBodyCall): |
| (globalPrivate.asyncGeneratorResumeNext): |
| (globalPrivate.asyncGeneratorEnqueue): |
| (globalPrivate.asyncGeneratorDequeue): Deleted. |
| (const.onRejected): Deleted. |
| (const.onFulfilled): Deleted. |
| (globalPrivate.asyncGeneratorResumeNext.): Deleted. |
| * builtins/BuiltinExecutableCreator.h: |
| * builtins/BuiltinExecutables.cpp: |
| (JSC::BuiltinExecutables::defaultConstructorSourceCode): |
| (JSC::BuiltinExecutables::createDefaultConstructor): |
| (JSC::BuiltinExecutables::createBuiltinExecutable): |
| (JSC::BuiltinExecutables::createExecutable): |
| (JSC::createBuiltinExecutable): Deleted. |
| * builtins/BuiltinExecutables.h: |
| * builtins/BuiltinNames.h: |
| * builtins/BuiltinUtils.h: |
| * builtins/ModuleLoader.js: |
| (forceFulfillPromise): |
| * builtins/PromiseConstructor.js: |
| (nakedConstructor.Promise.resolve): |
| (nakedConstructor.Promise.reject): |
| (nakedConstructor.Promise): |
| (nakedConstructor.InternalPromise.resolve): |
| (nakedConstructor.InternalPromise.reject): |
| (nakedConstructor.InternalPromise): |
| * builtins/PromiseOperations.js: |
| (globalPrivate.newPromiseReaction): |
| (globalPrivate.newPromiseCapability): |
| (globalPrivate.newHandledRejectedPromise): |
| (globalPrivate.triggerPromiseReactions): |
| (globalPrivate.resolvePromise): |
| (globalPrivate.rejectPromise): |
| (globalPrivate.fulfillPromise): |
| (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck): |
| (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck): |
| (globalPrivate.createResolvingFunctions.resolve): |
| (globalPrivate.createResolvingFunctions.reject): |
| (globalPrivate.createResolvingFunctions): |
| (globalPrivate.promiseReactionJobWithoutPromise): |
| (globalPrivate.resolveWithoutPromise): |
| (globalPrivate.rejectWithoutPromise): |
| (globalPrivate.fulfillWithoutPromise): |
| (resolve): |
| (reject): |
| (globalPrivate.createResolvingFunctionsWithoutPromise): |
| (globalPrivate.promiseReactionJob): |
| (globalPrivate.promiseResolveThenableJobFast): |
| (globalPrivate.promiseResolveThenableJobWithoutPromiseFast): |
| (globalPrivate.promiseResolveThenableJob): |
| (globalPrivate.isPromise): Deleted. |
| (globalPrivate.newPromiseCapability.executor): Deleted. |
| (globalPrivate.initializePromise): Deleted. |
| * builtins/PromisePrototype.js: |
| (then): |
| * bytecode/BytecodeIntrinsicRegistry.cpp: |
| (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): |
| * bytecode/BytecodeIntrinsicRegistry.h: |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| (JSC::CodeBlock::finalizeLLIntInlineCaches): |
| * bytecode/Opcode.h: |
| * bytecode/SpeculatedType.cpp: |
| (JSC::dumpSpeculation): |
| (JSC::speculationFromClassInfo): |
| (JSC::speculationFromJSType): |
| (JSC::speculationFromString): |
| * bytecode/SpeculatedType.h: |
| * bytecode/UnlinkedFunctionExecutable.h: |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::generate): |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::emitGetPromiseInternalField): |
| (JSC::BytecodeGenerator::emitPutPromiseInternalField): |
| (JSC::BytecodeGenerator::emitCreatePromise): |
| (JSC::BytecodeGenerator::emitNewPromise): |
| (JSC::BytecodeGenerator::emitReturn): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::promiseRegister): |
| (JSC::BytecodeGenerator::emitIsPromise): |
| (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted. |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::promiseInternalFieldIndex): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise): |
| (JSC::FunctionNode::emitBytecode): |
| * dfg/DFGAbstractHeap.h: |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGClobbersExitState.cpp: |
| (JSC::DFG::clobbersExitState): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| * dfg/DFGHeapLocation.cpp: |
| (WTF::printInternal): |
| * dfg/DFGHeapLocation.h: |
| * dfg/DFGMayExit.cpp: |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::convertToNewPromise): |
| (JSC::DFG::Node::hasIsInternalPromise): |
| (JSC::DFG::Node::isInternalPromise): |
| (JSC::DFG::Node::hasInternalFieldIndex): |
| (JSC::DFG::Node::internalFieldIndex): |
| (JSC::DFG::Node::hasHeapPrediction): |
| (JSC::DFG::Node::hasStructure): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGPromotedHeapLocation.cpp: |
| (WTF::printInternal): |
| * dfg/DFGPromotedHeapLocation.h: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::SafeToExecuteEdge::operator()): |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| (JSC::DFG::SpeculativeJIT::speculatePromiseObject): |
| (JSC::DFG::SpeculativeJIT::speculate): |
| (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField): |
| (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField): |
| (JSC::DFG::SpeculativeJIT::compileCreatePromise): |
| (JSC::DFG::SpeculativeJIT::compileNewPromise): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * dfg/DFGUseKind.cpp: |
| (WTF::printInternal): |
| * dfg/DFGUseKind.h: |
| (JSC::DFG::typeFilterFor): |
| (JSC::DFG::isCell): |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField): |
| (JSC::FTL::DFG::LowerDFGToB3::speculate): |
| (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| * jit/JIT.h: |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_get_promise_internal_field): |
| (JSC::JIT::emit_op_put_promise_internal_field): |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_get_promise_internal_field): |
| (JSC::JIT::emit_op_put_promise_internal_field): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::Parser): |
| (JSC::Parser<LexerType>::parseFunctionInfo): |
| * parser/Parser.h: |
| (JSC::parse): |
| * parser/ParserModes.h: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/CommonSlowPaths.h: |
| * runtime/ConstructAbility.h: |
| * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h. |
| * runtime/FunctionRareData.cpp: |
| (JSC::FunctionRareData::FunctionRareData): |
| (JSC::FunctionRareData::initializeObjectAllocationProfile): |
| (JSC::FunctionRareData::clear): |
| * runtime/FunctionRareData.h: |
| * runtime/InternalFunction.cpp: |
| (JSC::InternalFunction::createSubclassStructureSlow): |
| * runtime/InternalFunction.h: |
| (JSC::InternalFunction::createSubclassStructure): |
| * runtime/JSCast.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::enqueueJob): |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::arrayProtoValuesFunction const): |
| (JSC::JSGlobalObject::promiseProtoThenFunction const): |
| (JSC::JSGlobalObject::initializePromiseFunction const): Deleted. |
| * runtime/JSInternalPromise.cpp: |
| (JSC::JSInternalPromise::createStructure): |
| * runtime/JSInternalPromiseConstructor.cpp: |
| (JSC::JSInternalPromiseConstructor::create): |
| (JSC::JSInternalPromiseConstructor::createStructure): |
| (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor): |
| (JSC::constructPromise): Deleted. |
| * runtime/JSInternalPromiseConstructor.h: |
| * runtime/JSInternalPromisePrototype.cpp: |
| (JSC::JSInternalPromisePrototype::create): |
| * runtime/JSMicrotask.cpp: |
| (JSC::createJSMicrotask): |
| (JSC::JSMicrotask::run): |
| * runtime/JSMicrotask.h: |
| * runtime/JSPromise.cpp: |
| (JSC::JSPromise::createStructure): |
| (JSC::JSPromise::finishCreation): |
| (JSC::JSPromise::visitChildren): |
| (JSC::JSPromise::status const): |
| (JSC::JSPromise::result const): |
| (JSC::JSPromise::isHandled const): |
| (JSC::JSPromise::initialize): Deleted. |
| * runtime/JSPromise.h: |
| (JSC::JSPromise::allocationSize): |
| (JSC::JSPromise::offsetOfInternalFields): |
| (JSC::JSPromise::offsetOfInternalField): |
| * runtime/JSPromiseConstructor.cpp: |
| (JSC::JSPromiseConstructor::create): |
| (JSC::JSPromiseConstructor::createStructure): |
| (JSC::JSPromiseConstructor::JSPromiseConstructor): |
| (JSC::JSPromiseConstructor::finishCreation): |
| (JSC::constructPromise): Deleted. |
| (JSC::callPromise): Deleted. |
| * runtime/JSPromiseConstructor.h: |
| * runtime/JSPromisePrototype.cpp: |
| (JSC::JSPromisePrototype::create): |
| (JSC::JSPromisePrototype::finishCreation): |
| (JSC::JSPromisePrototype::addOwnInternalSlots): |
| * runtime/JSPromisePrototype.h: |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| |
| 2019-09-04 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based) |
| https://bugs.webkit.org/show_bug.cgi?id=201262 |
| <rdar://problem/13108764> |
| |
| Reviewed by Devin Rousso. |
| |
| When interception is enabled, Network requests that match any of the configured |
| interception patterns will be paused on the backend and allowed to be modified |
| by the frontend. |
| |
| Currently the only time a network request can be intercepted is during the |
| HTTP response. However, this intercepting interface is mean to extend to |
| HTTP requests as well. |
| |
| When a response is to be intercepted a new event is sent to the frontend: |
| |
| `Network.responseIntercepted` event |
| |
| With a `requestId` to identify that network request. The frontend |
| must respond with one of the following commands to continue: |
| |
| `Network.interceptContinue` - proceed with the response unmodified |
| `Network.interceptWithResponse` - provide a response |
| |
| The response is paused in the meantime. |
| |
| * inspector/protocol/Network.json: |
| New interfaces for intercepting network responses and suppling override content. |
| |
| * Scripts/generate-combined-inspector-json.py: |
| * inspector/scripts/generate-inspector-protocol-bindings.py: |
| (generate_from_specification.load_specification): |
| Complete allowing comments in JSON protocol files. |
| |
| * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py: |
| (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command): |
| * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: |
| Allow optional enums in ObjC interfaces. |
| |
| 2019-09-03 Mark Lam <mark.lam@apple.com> |
| |
| Structure::storedPrototype() and storedPrototypeObject() should assert with isCompilationThread(), not !isMainThread(). |
| https://bugs.webkit.org/show_bug.cgi?id=201449 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Using !isMainThread() in the assertion also disables the assertion for the mutator |
| of worker threads. This is not what we intended. |
| |
| * runtime/StructureInlines.h: |
| (JSC::Structure::storedPrototype const): |
| (JSC::Structure::storedPrototypeObject const): |
| |
| 2019-09-04 Mark Lam <mark.lam@apple.com> |
| |
| Disambiguate a symbol used in JSDollarVM. |
| https://bugs.webkit.org/show_bug.cgi?id=201466 |
| <rdar://problem/51826672> |
| |
| Reviewed by Tadeu Zagallo. |
| |
| This was causing a build issue on some internal build. |
| |
| * tools/JSDollarVM.cpp: |
| |
| 2019-09-03 Mark Lam <mark.lam@apple.com> |
| |
| Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread. |
| https://bugs.webkit.org/show_bug.cgi?id=201309 |
| <rdar://problem/54832121> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * runtime/JSArrayBufferView.h: |
| * runtime/JSArrayBufferViewInlines.h: |
| (JSC::JSArrayBufferView::possiblySharedBufferImpl): |
| (JSC::JSArrayBufferView::possiblySharedBuffer): |
| (JSC::JSArrayBufferView::byteOffsetImpl): |
| (JSC::JSArrayBufferView::byteOffset): |
| (JSC::JSArrayBufferView::byteOffsetConcurrently): |
| |
| 2019-09-03 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: implement blackboxing of script resources |
| https://bugs.webkit.org/show_bug.cgi?id=17240 |
| <rdar://problem/5732847> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| When a script is blackboxed and the debugger attempts to pause in that script, the pause |
| reason/data will be saved and execution will continue until it has left the blackboxed |
| script. Once outside, execution is paused with the saved reason/data. |
| |
| This is especially useful when debugging issues using libraries/frameworks, as it allows the |
| developer to "skip" the internal logic of the library/framework and instead focus only on |
| how they're using it. |
| |
| * inspector/protocol/Debugger.json: |
| Add `setShouldBlackboxURL` command. |
| |
| * inspector/agents/InspectorDebuggerAgent.h: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent): |
| (Inspector::InspectorDebuggerAgent::enable): |
| (Inspector::InspectorDebuggerAgent::updatePauseReasonAndData): Added. |
| (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement): |
| (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement): |
| (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): Added. |
| (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts): |
| (Inspector::InspectorDebuggerAgent::didParseSource): |
| (Inspector::InspectorDebuggerAgent::didPause): |
| (Inspector::InspectorDebuggerAgent::didContinue): |
| (Inspector::InspectorDebuggerAgent::breakProgram): |
| (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): |
| (Inspector::InspectorDebuggerAgent::clearPauseDetails): Added. |
| (Inspector::InspectorDebuggerAgent::clearBreakDetails): Deleted. |
| Renamed "break" to "pause" to match `Debugger` naming. |
| |
| * debugger/Debugger.h: |
| * debugger/Debugger.cpp: |
| (JSC::Debugger::pauseIfNeeded): |
| (JSC::Debugger::setBlackboxType): Added. |
| (JSC::Debugger::clearBlackbox): Added. |
| (JSC::Debugger::isBlacklisted const): Deleted. |
| (JSC::Debugger::addToBlacklist): Deleted. |
| (JSC::Debugger::clearBlacklist): Deleted. |
| |
| 2019-09-03 Mark Lam <mark.lam@apple.com> |
| |
| Remove the need to pass performJITMemcpy as a pointer. |
| https://bugs.webkit.org/show_bug.cgi?id=201413 |
| |
| Reviewed by Michael Saboff. |
| |
| We want performJITMemcpy to always be inlined. In this patch, we also clean up |
| some template parameters to use enums instead of booleans to better document the |
| intent of the code. |
| |
| * assembler/ARM64Assembler.h: |
| (JSC::ARM64Assembler::fillNops): |
| (JSC::ARM64Assembler::linkJump): |
| (JSC::ARM64Assembler::linkCall): |
| (JSC::ARM64Assembler::relinkJump): |
| (JSC::ARM64Assembler::relinkCall): |
| (JSC::ARM64Assembler::link): |
| (JSC::ARM64Assembler::linkJumpOrCall): |
| (JSC::ARM64Assembler::linkCompareAndBranch): |
| (JSC::ARM64Assembler::linkConditionalBranch): |
| (JSC::ARM64Assembler::linkTestAndBranch): |
| (JSC::ARM64Assembler::relinkJumpOrCall): |
| (JSC::ARM64Assembler::CopyFunction::CopyFunction): Deleted. |
| (JSC::ARM64Assembler::CopyFunction::operator()): Deleted. |
| * assembler/ARMv7Assembler.h: |
| (JSC::ARMv7Assembler::fillNops): |
| (JSC::ARMv7Assembler::link): |
| (JSC::ARMv7Assembler::linkJumpT1): |
| (JSC::ARMv7Assembler::linkJumpT2): |
| (JSC::ARMv7Assembler::linkJumpT3): |
| (JSC::ARMv7Assembler::linkJumpT4): |
| (JSC::ARMv7Assembler::linkConditionalJumpT4): |
| (JSC::ARMv7Assembler::linkBX): |
| (JSC::ARMv7Assembler::linkConditionalBX): |
| * assembler/AbstractMacroAssembler.h: |
| (JSC::AbstractMacroAssembler::emitNops): |
| * assembler/LinkBuffer.cpp: |
| (JSC::LinkBuffer::copyCompactAndLinkCode): |
| * assembler/MIPSAssembler.h: |
| (JSC::MIPSAssembler::fillNops): |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::link): |
| * assembler/MacroAssemblerARMv7.h: |
| (JSC::MacroAssemblerARMv7::link): |
| * assembler/X86Assembler.h: |
| (JSC::X86Assembler::fillNops): |
| * jit/ExecutableAllocator.h: |
| (JSC::performJITMemcpy): |
| * runtime/JSCPtrTag.h: |
| |
| 2019-09-03 Devin Rousso <drousso@apple.com> |
| |
| REGRESSION (r249078): Flaky crash in com.apple.JavaScriptCore: Inspector::InjectedScriptModule::ensureInjected |
| https://bugs.webkit.org/show_bug.cgi?id=201201 |
| <rdar://problem/54771560> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/InjectedScriptSource.js: |
| (let.InjectedScript.prototype.injectModule): |
| (let.InjectedScript.prototype._evaluateOn): |
| (CommandLineAPI): |
| (let.InjectedScript.prototype.setInspectObject): Deleted. |
| (let.InjectedScript.prototype.addCommandLineAPIGetter): Deleted. |
| (let.InjectedScript.prototype.addCommandLineAPIMethod.func.toString): Deleted. |
| (let.InjectedScript.prototype.addCommandLineAPIMethod): Deleted. |
| (InjectedScript.CommandLineAPI): Deleted. |
| Allow injected script "extensions" (e.g. CommandLineAPIModuleSource.js) to modify objects |
| directly, instead of having them call functions. |
| |
| * inspector/InjectedScriptModule.cpp: |
| (Inspector::InjectedScriptModule::ensureInjected): |
| Make sure to reset `hadException` to `false` before making another call. |
| |
| 2019-09-03 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove BytecodeGenerator::emitPopScope |
| https://bugs.webkit.org/show_bug.cgi?id=201395 |
| |
| Reviewed by Saam Barati. |
| |
| Use emitGetParentScope. And this patch also removes several unnecessary mov bytecode emissions. |
| |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::popLexicalScopeInternal): |
| (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration): |
| (JSC::BytecodeGenerator::emitPopWithScope): |
| (JSC::BytecodeGenerator::emitPopScope): Deleted. |
| * bytecompiler/BytecodeGenerator.h: |
| |
| 2019-09-01 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Merge op_check_traps into op_enter and op_loop_hint |
| https://bugs.webkit.org/show_bug.cgi?id=201373 |
| |
| Reviewed by Mark Lam. |
| |
| This patch removes op_check_traps. Previously we were conditionally emitting op_check_traps based on Options and Platform configurations. |
| But now we are always emitting op_check_traps. So it is not necessary to have separate bytecode as op_check_traps. We can do checking in |
| op_enter and op_loop_hint. |
| |
| While this patch moves check_traps implementation to op_enter and op_loop_hint, we keep separate DFG nodes (CheckTraps or InvalidationPoint), |
| since inserted nodes are different based on configurations and options. And emitting multiple DFG nodes from one bytecode is easy. |
| |
| We also inline op_enter's slow path's write-barrier emission in LLInt. |
| |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::emitLoopHint): |
| (JSC::BytecodeGenerator::emitCheckTraps): Deleted. |
| * bytecompiler/BytecodeGenerator.h: |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| (JSC::JIT::emitEnterOptimizationCheck): Deleted. |
| * jit/JIT.h: |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_loop_hint): |
| (JSC::JIT::emitSlow_op_loop_hint): |
| (JSC::JIT::emit_op_enter): |
| (JSC::JIT::emitSlow_op_enter): |
| (JSC::JIT::emit_op_check_traps): Deleted. |
| (JSC::JIT::emitSlow_op_check_traps): Deleted. |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_enter): Deleted. |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/CommonSlowPaths.cpp: |
| * runtime/CommonSlowPaths.h: |
| |
| 2019-09-01 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Fix testb3 debug failures |
| https://bugs.webkit.org/show_bug.cgi?id=201382 |
| |
| Reviewed by Mark Lam. |
| |
| Fix testb3 debug failures due to incorrect types of operations like pointer + int32. |
| |
| * b3/testb3_8.cpp: |
| (testByteCopyLoop): |
| (testByteCopyLoopStartIsLoopDependent): |
| (testByteCopyLoopBoundIsLoopDependent): |
| |
| 2019-09-01 Mark Lam <mark.lam@apple.com> |
| |
| Speculative build fix for ARMv7 and MIPS. |
| https://bugs.webkit.org/show_bug.cgi?id=201389 |
| |
| Not reviewed. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::jettison): |
| |
| 2019-08-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] LLInt op should not emit the same code three times |
| https://bugs.webkit.org/show_bug.cgi?id=201370 |
| |
| Reviewed by Mark Lam. |
| |
| LLInt op macro (not llintOp macro) is used to generate some stub code like llint_program_prologue. |
| But now it generates the same code three times for narrow, wide16, and wide32. We should emit code only once. |
| |
| * llint/LowLevelInterpreter.asm: |
| |
| 2019-08-30 Mark Lam <mark.lam@apple.com> |
| |
| Remove some obsolete statements that have no effect. |
| https://bugs.webkit.org/show_bug.cgi?id=201357 |
| |
| Reviewed by Saam Barati. |
| |
| This patch removes 3 statements that look like this: |
| |
| result->butterfly(); // Ensure that the butterfly is in to-space. |
| |
| The statement just reads a field and does nothing with it. This is a no-op |
| logic-wise, and the comment that accompanies it is obsolete. |
| |
| * dfg/DFGOperations.cpp: |
| |
| 2019-08-30 Mark Lam <mark.lam@apple.com> |
| |
| Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information. |
| https://bugs.webkit.org/show_bug.cgi?id=201345 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using |
| the wrong pointer for capture the cell headerWord and zapReason. As a result, |
| we get junk for those 2 values. |
| |
| Previously, we were only capturing the upper 32-bits of the cell header slot, |
| and the lower 32-bit of the next slot in the zapped cell. We now capture the |
| full 64-bits of both slots. If the second slot did not contain a zapReason as we |
| expect, the upper 32-bits might give us a clue as to what type of value the slot |
| contains. |
| |
| This patch also adds capturing of the found MarkedBlock address for the zapped |
| cell, as well as some state bit values. |
| |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::reportZappedCellAndCrash): |
| |
| 2019-08-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Generate new.target register only when it is used |
| https://bugs.webkit.org/show_bug.cgi?id=201335 |
| |
| Reviewed by Mark Lam. |
| |
| Since bytecode generator knows whether new.target register can be used, we should emit and use new.target register |
| only when it is actually required. |
| |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::newTarget): |
| * parser/Nodes.h: |
| (JSC::ScopeNode::needsNewTargetRegisterForThisScope const): |
| |
| 2019-08-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable |
| https://bugs.webkit.org/show_bug.cgi?id=201331 |
| |
| Reviewed by Mark Lam. |
| |
| SimpleJumpTable's non-JIT part is not changed after CodeBlock is finalized well. On the other hand, JIT related part is allocated on-demand. |
| For example, ctiOffsets can be grown by Baseline JIT compiler. There is race condition as follows. |
| |
| 1. DFG ByteCodeParser is inlining and copying SimpleJumpTable |
| 2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable |
| |
| Then, (1) reads the broken Vector, and crashes. Since JIT-related part is unnecessary in (1), we should not clone that. |
| This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which only copies non JIT-related part of the given SimpleJumpTable offered |
| by profiled CodeBlock. |
| |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock): |
| * bytecode/JumpTable.h: |
| (JSC::SimpleJumpTable::cloneNonJITPart const): |
| (JSC::SimpleJumpTable::clear): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): |
| |
| 2019-08-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid |
| https://bugs.webkit.org/show_bug.cgi?id=201332 |
| |
| Reviewed by Mark Lam. |
| |
| When inlining setter calls in DFG, result VirtualRegister becomes invalid one. While other call-related DFG code correctly assumes |
| that `result` may be invalid, only CheckBadCell slow path missed this case. Since this is OSR exit path and VirtualRegister result |
| does not exist, set BottomValue only when "result" is valid as the other DFG code is doing. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleInlining): |
| |
| 2019-08-29 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Debugger: async event listener stack traces should be available in Workers |
| https://bugs.webkit.org/show_bug.cgi?id=200903 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/agents/InspectorDebuggerAgent.h: |
| (Inspector::InspectorDebuggerAgent::enabled): Added. |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend): |
| (Inspector::InspectorDebuggerAgent::enable): |
| (Inspector::InspectorDebuggerAgent::disable): |
| Allow subclasses to extend what it means for the `InspectorDebuggerAgent` to be `enabled`. |
| |
| 2019-08-29 Keith Rollin <krollin@apple.com> |
| |
| Update .xcconfig symbols to reflect the current set of past and future product versions. |
| https://bugs.webkit.org/show_bug.cgi?id=200720 |
| <rdar://problem/54305032> |
| |
| Reviewed by Alex Christensen. |
| |
| Remove version symbols related to old OS's we no longer support, |
| ensure that version symbols are defined for OS's we do support. |
| |
| * Configurations/Base.xcconfig: |
| * Configurations/DebugRelease.xcconfig: |
| * Configurations/Version.xcconfig: |
| |
| 2019-08-29 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Repatch should construct CallCases and CasesValue at the same time |
| https://bugs.webkit.org/show_bug.cgi?id=201325 |
| |
| Reviewed by Saam Barati. |
| |
| In linkPolymorphicCall, we should create callCases and casesValue at the same time to assert `callCases.size() == casesValue.size()`. |
| If the call variant is isClosureCall and InternalFunction, we skip adding it to casesValue. So we should not add this variant to callCases too. |
| |
| * jit/Repatch.cpp: |
| (JSC::linkPolymorphicCall): |
| |
| 2019-08-29 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation |
| https://bugs.webkit.org/show_bug.cgi?id=198650 |
| |
| Reviewed by Saam Barati. |
| |
| Object Allocation Sinking phase has a lightweight abstract interpreter which interprets DFG nodes related to allocations and properties. |
| This interpreter is lightweight since it does not track abstract values and conditions as deeply as AI does. It can happen that this |
| interpreter interpret the control-flow edge that AI proved that is never taken. |
| AI already knows some control-flow edges are never taken, and based on this information, AI can remove CheckStructure nodes. But |
| ObjectAllocationSinking phase can trace this never-taken edges and propagate structure information that contradicts to the analysis |
| done in ObjectAllocationSinking. |
| |
| Let's see the example. |
| |
| BB#0 |
| 35: NewObject([%AM:Object]) |
| ... |
| 47: Branch(ConstantTrue, T:#1, F:#2) |
| |
| BB#1 // This basic block is never taken due to @47's jump. |
| ... |
| 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2)) |
| 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066) |
| ... |
| XX: Jump(#2) |
| |
| BB#2 |
| ... |
| 92: CheckStructure(@35, [%Dx:Object]) |
| 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2)) |
| ... |
| |
| AI removes @92 because AI knows BB#0 only takes BB#1 branch. @35's Structure is always %Dx so @92 is redundant. |
| AI proved that @71 and @72 are always executed while BB#0 -> BB#2 edge is never taken so that @35 object's structure is proven at @92. |
| After AI removes @92, ObjectAllocationSinking starts looking into this graph. |
| |
| BB#0 |
| 35: NewObject([%AM:Object]) |
| ... |
| 47: Branch(ConstantTrue, T:#1, F:#2) |
| |
| BB#1 // This basic block is never taken due to @47's jump. |
| ... |
| 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2)) |
| 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066) |
| ... |
| XX: Jump(#2) |
| |
| BB#2 |
| ... |
| 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2)) |
| ... |
| YY: Jump(#3) |
| |
| BB#3 |
| ... |
| ZZ: <HERE> want to materialize @35's sunk object. |
| |
| Since AI does not change the @47 Branch to Jump (it is OK anyway), BB#0 -> BB#2 edge remains and ObjectAllocationSinking phase propagates information in |
| BB#0's %AM structure information to BB#2. ObjectAllocationSinking phase converts @35 to PhantomNewObject, removes PutByOffset and PutStructure, and |
| insert MaterializeNewObject in @ZZ. At this point, ObjectAllocationSinking lightweight interpreter gets two structures while AI gets one: @35's original |
| one (%AM) and @72's replaced one (%Dx). Since AI already proved @ZZ only gets %Dx, AI removed @92 CheckStructure. But this is not known to ObjectAllocationSinking |
| phase's interpretation. So when creating recovery data, MultiPutByOffset includes two structures, %AM and %Dx. This is OK since MultiPutByOffset takes |
| conservative set of structures and performs switching. But the problem here is that %AM's id2{a} offset is -1 since %AM does not have such a property. |
| So when creating MultiPutByOffset in ObjectAllocationSinking, we accidentally create MultiPutByOffset with -1 offset data, and lowering phase hits the debug |
| assertion. |
| |
| 187: MultiPutByOffset(@138, @138, id2{a}, <Replace: [%AM:Object], offset = -1, >, <Replace: [%Dx:Object], offset = 0, >) |
| |
| This bug is harmless since %AM structure comparison never meets at runtime. But we are not considering the case including `-1` offset property in MultiPutByOffset data. |
| In this patch, we just filter out apparently wrong structures when creating MultiPutByOffset in ObjectAllocationSinking. This is OK since it never comes at runtime. |
| |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
| |
| 2019-08-29 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: DOMDebugger: support event breakpoints in Worker contexts |
| https://bugs.webkit.org/show_bug.cgi?id=200651 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/DOMDebugger.json: |
| Make the domain available in "worker" contexts as well. |
| |
| 2019-08-29 Keith Rollin <krollin@apple.com> |
| |
| Remove 32-bit macOS support |
| https://bugs.webkit.org/show_bug.cgi?id=201282 |
| <rdar://problem/54821667> |
| |
| Reviewed by Anders Carlsson. |
| |
| WebKit doesn’t support 32-bit Mac any more, so remove checks and code |
| for that platform. |
| |
| * API/JSBase.h: |
| * runtime/VM.h: |
| |
| 2019-08-29 Keith Rollin <krollin@apple.com> |
| |
| Remove support for macOS < 10.13 (part 3) |
| https://bugs.webkit.org/show_bug.cgi?id=201224 |
| <rdar://problem/54795934> |
| |
| Reviewed by Darin Adler. |
| |
| Remove symbols in WebKitTargetConditionals.xcconfig related to macOS |
| 10.13, including WK_MACOS_1013 and WK_MACOS_BEFORE_1013, and suffixes |
| like _MACOS_SINCE_1013. |
| |
| * Configurations/WebKitTargetConditionals.xcconfig: |
| |
| 2019-08-29 Mark Lam <mark.lam@apple.com> |
| |
| Remove a bad assertion in ByteCodeParser::inlineCall(). |
| https://bugs.webkit.org/show_bug.cgi?id=201292 |
| <rdar://problem/54121659> |
| |
| Reviewed by Michael Saboff. |
| |
| In the DFG bytecode parser, we've already computed the inlining cost of a candidate |
| inlining target, and determine that it is worth inlining before invoking |
| ByteCodeParser::inlineCall(). However, in ByteCodeParser::inlineCall(), it |
| recomputes the inlining cost again only for the purpose of asserting that it isn't |
| too high. |
| |
| Not consider a badly written test that does the following: |
| |
| function bar() { |
| ... |
| foo(); // Call in a hot loop here. |
| ... |
| } |
| |
| bar(); // <===== foo is inlineable into bar here. |
| noInline(foo); // <===== Change mind, and make foo not inlineable. |
| bar(); |
| |
| With this bad test, the following racy scenario can occur: |
| |
| 1. the first invocation of bar() gets hot, and a concurrent compile is kicked off. |
| 2. the compiler thread computes foo()'s inliningCost() and determines that it is |
| worthy to be inlined, and will imminently call inlineCall(). |
| 3. the mutator calls the noInline() test utility on foo(), thereby making it NOT |
| inlineable. |
| 4. the compiler thread calls inlineCall(). In inlineCall(), it re-computes the |
| inliningCost for foo() and now finds that it is not inlineable. An assertion |
| failure follows. |
| |
| Technically, the test is in error because noInline() shouldn't be used that way. |
| However, fuzzers that are not clued into noInline()'s proper usage may generate |
| code like this. |
| |
| On the other hand, ByteCodeParser::inlineCall() should not be recomputing that the |
| inlining cost and asserting on it. The only reason inlineCall() is invoked is |
| because it was already previously determined that a target function is inlineable |
| based on its inlining cost. Today, in practice, I don't think we have any real |
| world condition where the mutator can affect the inlining cost of a target |
| function midway through execution. So, this assertion isn't a problem if no one |
| writes a test that abuses noInline(). However, should things change such that the |
| mutator is able to affect the inlining cost of a target function, then it is |
| incorrect for the compiler to assume that the inlining cost is immutable. Once |
| the compiler decides to inline a function, it should just follow through. |
| |
| This patch removes this assertion in ByteCodeParser::inlineCall(). It is an |
| annoyance at best (for fuzzers), and at worst, incorrect if the mutator gains the |
| ability to affect the inlining cost of a target function. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::inlineCall): |
| |
| 2019-08-28 Mark Lam <mark.lam@apple.com> |
| |
| DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks. |
| https://bugs.webkit.org/show_bug.cgi?id=201281 |
| <rdar://problem/54028228> |
| |
| Reviewed by Yusuke Suzuki and Saam Barati. |
| |
| This (see title above) is already the preferred idiom used in most places in our |
| compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's |
| compileStringCharAt(). Consider the following: |
| |
| bool prototypeChainIsSane = false; |
| if (globalObject->stringPrototypeChainIsSane()) { |
| ... |
| m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm())); |
| m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm())); |
| |
| prototypeChainIsSane = globalObject->stringPrototypeChainIsSane(); |
| } |
| |
| What's essential for correctness here is that the stringPrototype and objectPrototype |
| structures be loaded before the loads in the second stringPrototypeChainIsSane() |
| check. Without a loadLoadFence before the second stringPrototypeChainIsSane() |
| check, we can't guarantee that. Elsewhere in the compiler, the preferred idiom |
| for doing this right is to pre-load the structures first, do a loadLoadFence, and |
| then do the IsSane check just once after e.g. |
| |
| Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm); |
| Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm); |
| |
| if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences. |
| && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences. |
| && globalObject->arrayPrototypeChainIsSane()) { |
| |
| m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure); |
| m_graph.registerAndWatchStructureTransition(objectPrototypeStructure); |
| ... |
| } |
| |
| This patch changes DFG's SpeculativeJIT::compileGetByValOnString() and FTL's |
| compileStringCharAt() to follow the same idiom. |
| |
| We also fix a bad assertion in Structure::storedPrototype() and |
| Structure::storedPrototypeObject(). The assertion is only correct when those |
| methods are called from the mutator thread. The assertion has been updated to |
| only check its test condition if the current thread is the mutator thread. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileGetByValOnString): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): |
| * runtime/StructureInlines.h: |
| (JSC::Structure::storedPrototype const): |
| (JSC::Structure::storedPrototypeObject const): |
| |
| 2019-08-28 Mark Lam <mark.lam@apple.com> |
| |
| Placate exception check validation in DFG's operationHasGenericProperty(). |
| https://bugs.webkit.org/show_bug.cgi?id=201245 |
| <rdar://problem/54777512> |
| |
| Reviewed by Robin Morisset. |
| |
| * dfg/DFGOperations.cpp: |
| |
| 2019-08-28 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Unreviewed. Restabilize non-unified build. |
| |
| * runtime/PropertySlot.h: |
| |
| 2019-08-28 Mark Lam <mark.lam@apple.com> |
| |
| Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks. |
| https://bugs.webkit.org/show_bug.cgi?id=201006 |
| <rdar://problem/52053991> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We already ensured that it is not possible to overflow in Wasm::FunctionParser's |
| parse(). It is unnecessary and misleading to do those overflow checks in |
| AirIRGenerator and B3IRGenerator. The only check that is necessary is that |
| m_locals.tryReserveCapacity() is successful, otherwise, we have an out of memory |
| situation. |
| |
| This patch changes these unnecessary checks to assertions instead. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::addLocal): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::addLocal): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::addLocal): |
| |
| 2019-08-28 Keith Rollin <krollin@apple.com> |
| |
| Remove support for macOS < 10.13 (part 2) |
| https://bugs.webkit.org/show_bug.cgi?id=201197 |
| <rdar://problem/54759985> |
| |
| Update conditionals that reference WK_MACOS_1013 and suffixes like |
| _MACOS_SINCE_1013, assuming that we're always building on 10.13 or |
| later and that these conditionals are always True or False. |
| |
| See Bug 200694 for earlier changes in this area. |
| |
| Reviewed by Darin Adler. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-08-28 Mark Lam <mark.lam@apple.com> |
| |
| Gardening: Rebase test results after r249175. |
| https://bugs.webkit.org/show_bug.cgi?id=201172 |
| |
| Not reviewed. |
| |
| * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result: |
| |
| 2019-08-27 Michael Saboff <msaboff@apple.com> |
| |
| Update PACCage changes for builds without Gigacage, but with signed pointers |
| https://bugs.webkit.org/show_bug.cgi?id=201202 |
| |
| Reviewed by Saam Barati. |
| |
| Factored out the untagging of pointers and added that to both the Gigacage enabled |
| and disabled code paths. Did this for the LLInt as well as the JITs. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: Added arm64e.rb to offlineasm file list. |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| * llint/LowLevelInterpreter64.asm: |
| |
| 2019-08-27 Mark Lam <mark.lam@apple.com> |
| |
| Refactor to use VM& instead of VM* at as many places as possible. |
| https://bugs.webkit.org/show_bug.cgi?id=201172 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Using VM& documents more clearly that the VM pointer is expected to never be null |
| in most cases. There are a few places where it can be null (e.g JSLock, and |
| DFG::Plan). Those will be left using a VM*. |
| |
| Also converted some uses of ExecState* to using VM& instead since the ExecState* |
| is only there to fetch the VM pointer. Doing this also reduces the number of |
| times we have to compute VM* from ExecState*. |
| |
| This patch is not exhaustive in converting to use VM&, but applies the change to |
| many commonly used pieces of code for a start. |
| |
| Also fixed a missing exception check in JSString::toIdentifier() and |
| JSValue::toPropertyKey() exposed by this patch. |
| |
| * API/APICast.h: |
| (toJS): |
| * API/JSAPIGlobalObject.mm: |
| (JSC::JSAPIGlobalObject::moduleLoaderResolve): |
| (JSC::JSAPIGlobalObject::moduleLoaderImportModule): |
| (JSC::JSAPIGlobalObject::moduleLoaderFetch): |
| (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties): |
| (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule): |
| * API/JSCallbackConstructor.cpp: |
| (JSC::JSCallbackConstructor::finishCreation): |
| * API/JSCallbackObjectFunctions.h: |
| (JSC::JSCallbackObject<Parent>::asCallbackObject): |
| (JSC::JSCallbackObject<Parent>::~JSCallbackObject): |
| (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex): |
| (JSC::JSCallbackObject<Parent>::putByIndex): |
| (JSC::JSCallbackObject<Parent>::deletePropertyByIndex): |
| (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames): |
| * API/JSContext.mm: |
| (-[JSContext dependencyIdentifiersForModuleJSScript:]): |
| * API/JSObjectRef.cpp: |
| (JSObjectMakeFunction): |
| (classInfoPrivate): |
| (JSObjectGetPrivate): |
| (JSObjectSetPrivate): |
| (JSObjectCopyPropertyNames): |
| (JSPropertyNameAccumulatorAddName): |
| (JSObjectGetProxyTarget): |
| * API/JSScriptRef.cpp: |
| (parseScript): |
| * API/JSValueRef.cpp: |
| (JSValueMakeString): |
| * API/OpaqueJSString.cpp: |
| (OpaqueJSString::identifier const): |
| * API/glib/JSCContext.cpp: |
| (jsc_context_check_syntax): |
| * KeywordLookupGenerator.py: |
| (Trie.printSubTreeAsC): |
| * Scripts/wkbuiltins/builtins_generate_wrapper_header.py: |
| (BuiltinsWrapperHeaderGenerator.generate_constructor): |
| * Scripts/wkbuiltins/builtins_templates.py: |
| * bindings/ScriptFunctionCall.cpp: |
| (Deprecated::ScriptCallArgumentHandler::appendArgument): |
| (Deprecated::ScriptFunctionCall::call): |
| * bindings/ScriptValue.cpp: |
| (Inspector::jsToInspectorValue): |
| * builtins/BuiltinExecutables.cpp: |
| (JSC::BuiltinExecutables::createExecutable): |
| * builtins/BuiltinNames.cpp: |
| (JSC::BuiltinNames::BuiltinNames): |
| * builtins/BuiltinNames.h: |
| (JSC::BuiltinNames::getPublicName const): |
| * bytecode/BytecodeDumper.cpp: |
| (JSC::BytecodeDumper<Block>::vm const): |
| * bytecode/BytecodeDumper.h: |
| * bytecode/BytecodeGeneratorification.cpp: |
| (JSC::BytecodeGeneratorification::BytecodeGeneratorification): |
| (JSC::BytecodeGeneratorification::storageForGeneratorLocal): |
| (JSC::BytecodeGeneratorification::run): |
| * bytecode/BytecodeIntrinsicRegistry.cpp: |
| (JSC::BytecodeIntrinsicRegistry::sentinelMapBucketValue): |
| (JSC::BytecodeIntrinsicRegistry::sentinelSetBucketValue): |
| * bytecode/CallVariant.h: |
| (JSC::CallVariant::internalFunction const): |
| (JSC::CallVariant::function const): |
| (JSC::CallVariant::isClosureCall const): |
| (JSC::CallVariant::executable const): |
| (JSC::CallVariant::functionExecutable const): |
| (JSC::CallVariant::nativeExecutable const): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::dumpSource): |
| (JSC::CodeBlock::CodeBlock): |
| (JSC::CodeBlock::setConstantIdentifierSetRegisters): |
| (JSC::CodeBlock::setNumParameters): |
| (JSC::CodeBlock::finalizeBaselineJITInlineCaches): |
| (JSC::CodeBlock::unlinkIncomingCalls): |
| (JSC::CodeBlock::replacement): |
| (JSC::CodeBlock::computeCapabilityLevel): |
| (JSC::CodeBlock::noticeIncomingCall): |
| (JSC::CodeBlock::nameForRegister): |
| (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::vm const): |
| (JSC::CodeBlock::numberOfArgumentValueProfiles): |
| (JSC::CodeBlock::valueProfileForArgument): |
| * bytecode/DeferredSourceDump.cpp: |
| (JSC::DeferredSourceDump::DeferredSourceDump): |
| * bytecode/EvalCodeBlock.h: |
| * bytecode/FunctionCodeBlock.h: |
| * bytecode/GetByIdStatus.cpp: |
| (JSC::GetByIdStatus::computeFromLLInt): |
| * bytecode/GlobalCodeBlock.h: |
| (JSC::GlobalCodeBlock::GlobalCodeBlock): |
| * bytecode/ModuleProgramCodeBlock.h: |
| * bytecode/ObjectAllocationProfileInlines.h: |
| (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount): |
| * bytecode/PolyProtoAccessChain.cpp: |
| (JSC::PolyProtoAccessChain::create): |
| * bytecode/ProgramCodeBlock.h: |
| * bytecode/PropertyCondition.cpp: |
| (JSC::PropertyCondition::isWatchableWhenValid const): |
| * bytecode/PutByIdStatus.cpp: |
| (JSC::PutByIdStatus::computeFromLLInt): |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::initGetByIdSelf): |
| (JSC::StructureStubInfo::initPutByIdReplace): |
| (JSC::StructureStubInfo::initInByIdSelf): |
| (JSC::StructureStubInfo::addAccessCase): |
| (JSC::StructureStubInfo::visitWeakReferences): |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::addSetConstant): |
| (JSC::UnlinkedCodeBlock::addConstant): |
| (JSC::UnlinkedCodeBlock::addFunctionDecl): |
| (JSC::UnlinkedCodeBlock::addFunctionExpr): |
| * bytecode/UnlinkedEvalCodeBlock.h: |
| * bytecode/UnlinkedFunctionCodeBlock.h: |
| * bytecode/UnlinkedFunctionExecutable.cpp: |
| (JSC::generateUnlinkedFunctionCodeBlock): |
| (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): |
| * bytecode/UnlinkedFunctionExecutable.h: |
| * bytecode/UnlinkedGlobalCodeBlock.h: |
| (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): |
| * bytecode/UnlinkedModuleProgramCodeBlock.h: |
| * bytecode/UnlinkedProgramCodeBlock.h: |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::pushLexicalScopeInternal): |
| (JSC::BytecodeGenerator::emitDirectPutById): |
| (JSC::BytecodeGenerator::getVariablesUnderTDZ): |
| (JSC::BytecodeGenerator::addBigIntConstant): |
| (JSC::BytecodeGenerator::addTemplateObjectConstant): |
| (JSC::BytecodeGenerator::emitNewDefaultConstructor): |
| (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::vm const): |
| (JSC::BytecodeGenerator::propertyNames const): |
| (JSC::BytecodeGenerator::emitNodeInTailPosition): |
| (JSC::BytecodeGenerator::emitDefineClassElements): |
| (JSC::BytecodeGenerator::emitNodeInConditionContext): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::RegExpNode::emitBytecode): |
| (JSC::ArrayNode::emitBytecode): |
| (JSC::FunctionCallResolveNode::emitBytecode): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject): |
| (JSC::InstanceOfNode::emitBytecode): |
| * debugger/Debugger.cpp: |
| * debugger/DebuggerParseData.cpp: |
| (JSC::gatherDebuggerParseData): |
| * debugger/DebuggerScope.cpp: |
| (JSC::DebuggerScope::next): |
| (JSC::DebuggerScope::name const): |
| (JSC::DebuggerScope::location const): |
| * dfg/DFGDesiredIdentifiers.cpp: |
| (JSC::DFG::DesiredIdentifiers::reallyAdd): |
| * dfg/DFGDesiredWatchpoints.cpp: |
| (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add): |
| (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add): |
| * dfg/DFGFrozenValue.h: |
| (JSC::DFG::FrozenValue::FrozenValue): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::canOptimizeStringObjectAccess): |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::linkOSRExits): |
| (JSC::DFG::JITCompiler::compileExceptionHandlers): |
| (JSC::DFG::JITCompiler::link): |
| (JSC::DFG::emitStackOverflowCheck): |
| (JSC::DFG::JITCompiler::compileFunction): |
| (JSC::DFG::JITCompiler::exceptionCheck): |
| (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer): |
| * dfg/DFGJITCompiler.h: |
| (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback): |
| (JSC::DFG::JITCompiler::fastExceptionCheck): |
| (JSC::DFG::JITCompiler::vm): |
| * dfg/DFGLazyJSValue.cpp: |
| (JSC::DFG::LazyJSValue::getValue const): |
| (JSC::DFG::LazyJSValue::emit const): |
| * dfg/DFGOSREntry.cpp: |
| (JSC::DFG::prepareOSREntry): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::compileOSRExit): |
| (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): |
| * dfg/DFGOSRExitCompilerCommon.h: |
| (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk): |
| * dfg/DFGOperations.cpp: |
| (JSC::DFG::newTypedArrayWithSize): |
| (JSC::DFG::binaryOp): |
| (JSC::DFG::bitwiseBinaryOp): |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::Plan): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): |
| (JSC::DFG::SpeculativeJIT::compileStringSlice): |
| (JSC::DFG::SpeculativeJIT::compileCurrentBlock): |
| (JSC::DFG::SpeculativeJIT::compileCheckTraps): |
| (JSC::DFG::SpeculativeJIT::compileGetByValOnString): |
| (JSC::DFG::SpeculativeJIT::compileFromCharCode): |
| (JSC::DFG::SpeculativeJIT::compileStringZeroLength): |
| (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther): |
| (JSC::DFG::SpeculativeJIT::emitStringBranch): |
| (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch): |
| (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): |
| (JSC::DFG::SpeculativeJIT::compileGetGlobalObject): |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| (JSC::DFG::SpeculativeJIT::compileCreateActivation): |
| (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): |
| (JSC::DFG::SpeculativeJIT::compileSpread): |
| (JSC::DFG::SpeculativeJIT::compileNewArray): |
| (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread): |
| (JSC::DFG::SpeculativeJIT::compileArraySlice): |
| (JSC::DFG::SpeculativeJIT::compileArrayPush): |
| (JSC::DFG::SpeculativeJIT::compileTypeOf): |
| (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): |
| (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): |
| (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly): |
| (JSC::DFG::SpeculativeJIT::compileCallDOMGetter): |
| (JSC::DFG::SpeculativeJIT::compileCheckSubClass): |
| (JSC::DFG::SpeculativeJIT::compileNewStringObject): |
| (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): |
| (JSC::DFG::SpeculativeJIT::compileNewRegexp): |
| (JSC::DFG::SpeculativeJIT::compileStoreBarrier): |
| (JSC::DFG::SpeculativeJIT::compileStringReplace): |
| (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject): |
| (JSC::DFG::SpeculativeJIT::emitAllocateButterfly): |
| (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext): |
| (JSC::DFG::SpeculativeJIT::compileObjectKeys): |
| (JSC::DFG::SpeculativeJIT::compileCreateThis): |
| (JSC::DFG::SpeculativeJIT::compileNewObject): |
| (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue): |
| (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail): |
| (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf): |
| (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): |
| (JSC::DFG::SpeculativeJIT::compileProfileType): |
| (JSC::DFG::SpeculativeJIT::compileMakeRope): |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::vm): |
| (JSC::DFG::SpeculativeJIT::prepareForExternalCall): |
| (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize): |
| (JSC::DFG::SpeculativeJIT::emitAllocateJSObject): |
| (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject): |
| (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| (JSC::DFG::SpeculativeJIT::compileLogicalNot): |
| (JSC::DFG::SpeculativeJIT::emitBranch): |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined): |
| (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined): |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): |
| (JSC::DFG::SpeculativeJIT::compileLogicalNot): |
| (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): |
| (JSC::DFG::SpeculativeJIT::emitBranch): |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGThunks.cpp: |
| (JSC::DFG::osrExitThunkGenerator): |
| (JSC::DFG::osrExitGenerationThunkGenerator): |
| (JSC::DFG::osrEntryThunkGenerator): |
| * dfg/DFGThunks.h: |
| * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: |
| (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete): |
| * dfg/DFGWorklist.cpp: |
| (JSC::DFG::Worklist::visitWeakReferences): |
| * dynbench.cpp: |
| (main): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice): |
| (JSC::FTL::DFG::LowerDFGToB3::boolify): |
| * ftl/FTLThunks.cpp: |
| (JSC::FTL::genericGenerationThunkGenerator): |
| (JSC::FTL::osrExitGenerationThunkGenerator): |
| (JSC::FTL::lazySlowPathGenerationThunkGenerator): |
| * ftl/FTLThunks.h: |
| * heap/CellContainer.h: |
| * heap/CellContainerInlines.h: |
| (JSC::CellContainer::vm const): |
| (JSC::CellContainer::heap const): |
| * heap/CompleteSubspace.cpp: |
| (JSC::CompleteSubspace::tryAllocateSlow): |
| (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual): |
| * heap/GCActivityCallback.h: |
| * heap/GCAssertions.h: |
| * heap/HandleSet.cpp: |
| (JSC::HandleSet::HandleSet): |
| * heap/HandleSet.h: |
| (JSC::HandleSet::vm): |
| * heap/Heap.cpp: |
| (JSC::Heap::Heap): |
| (JSC::Heap::lastChanceToFinalize): |
| (JSC::Heap::releaseDelayedReleasedObjects): |
| (JSC::Heap::protect): |
| (JSC::Heap::unprotect): |
| (JSC::Heap::finalizeMarkedUnconditionalFinalizers): |
| (JSC::Heap::finalizeUnconditionalFinalizers): |
| (JSC::Heap::completeAllJITPlans): |
| (JSC::Heap::iterateExecutingAndCompilingCodeBlocks): |
| (JSC::Heap::gatherJSStackRoots): |
| (JSC::Heap::gatherScratchBufferRoots): |
| (JSC::Heap::removeDeadCompilerWorklistEntries): |
| (JSC::Heap::isAnalyzingHeap const): |
| (JSC::Heap::gatherExtraHeapData): |
| (JSC::Heap::protectedObjectTypeCounts): |
| (JSC::Heap::objectTypeCounts): |
| (JSC::Heap::deleteAllCodeBlocks): |
| (JSC::Heap::deleteAllUnlinkedCodeBlocks): |
| (JSC::Heap::deleteUnmarkedCompiledCode): |
| (JSC::Heap::checkConn): |
| (JSC::Heap::runEndPhase): |
| (JSC::Heap::stopThePeriphery): |
| (JSC::Heap::finalize): |
| (JSC::Heap::requestCollection): |
| (JSC::Heap::sweepInFinalize): |
| (JSC::Heap::sweepArrayBuffers): |
| (JSC::Heap::deleteSourceProviderCaches): |
| (JSC::Heap::didFinishCollection): |
| (JSC::Heap::addCoreConstraints): |
| * heap/Heap.h: |
| * heap/HeapCell.h: |
| * heap/HeapCellInlines.h: |
| (JSC::HeapCell::heap const): |
| (JSC::HeapCell::vm const): |
| * heap/HeapInlines.h: |
| (JSC::Heap::vm const): |
| * heap/IsoSubspacePerVM.cpp: |
| (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace): |
| * heap/LargeAllocation.cpp: |
| (JSC::LargeAllocation::sweep): |
| (JSC::LargeAllocation::assertValidCell const): |
| * heap/LargeAllocation.h: |
| (JSC::LargeAllocation::vm const): |
| * heap/LocalAllocator.cpp: |
| (JSC::LocalAllocator::allocateSlowCase): |
| * heap/MarkedBlock.cpp: |
| (JSC::MarkedBlock::Handle::Handle): |
| (JSC::MarkedBlock::aboutToMarkSlow): |
| (JSC::MarkedBlock::assertMarksNotStale): |
| (JSC::MarkedBlock::areMarksStale): |
| (JSC::MarkedBlock::isMarked): |
| (JSC::MarkedBlock::assertValidCell const): |
| * heap/MarkedBlock.h: |
| (JSC::MarkedBlock::Handle::vm const): |
| (JSC::MarkedBlock::vm const): |
| * heap/MarkedBlockInlines.h: |
| (JSC::MarkedBlock::heap const): |
| (JSC::MarkedBlock::Handle::specializedSweep): |
| * heap/SlotVisitor.cpp: |
| (JSC::validate): |
| * heap/SlotVisitorInlines.h: |
| (JSC::SlotVisitor::vm): |
| (JSC::SlotVisitor::vm const): |
| * heap/StopIfNecessaryTimer.cpp: |
| (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer): |
| * heap/StopIfNecessaryTimer.h: |
| * heap/Strong.h: |
| (JSC::Strong::operator=): |
| * heap/WeakSet.h: |
| (JSC::WeakSet::WeakSet): |
| (JSC::WeakSet::vm const): |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::savedResultAlias const): |
| (Inspector::JSInjectedScriptHost::internalConstructorName): |
| (Inspector::JSInjectedScriptHost::subtype): |
| (Inspector::JSInjectedScriptHost::functionDetails): |
| (Inspector::constructInternalProperty): |
| (Inspector::JSInjectedScriptHost::getInternalProperties): |
| (Inspector::JSInjectedScriptHost::weakMapEntries): |
| (Inspector::JSInjectedScriptHost::weakSetEntries): |
| (Inspector::JSInjectedScriptHost::iteratorEntries): |
| (Inspector::JSInjectedScriptHost::queryInstances): |
| (Inspector::JSInjectedScriptHost::queryHolders): |
| * inspector/JSJavaScriptCallFrame.cpp: |
| (Inspector::valueForScopeLocation): |
| (Inspector::JSJavaScriptCallFrame::scopeDescriptions): |
| (Inspector::JSJavaScriptCallFrame::functionName const): |
| (Inspector::JSJavaScriptCallFrame::type const): |
| * inspector/ScriptCallStackFactory.cpp: |
| (Inspector::extractSourceInformationFromException): |
| * inspector/agents/InspectorAuditAgent.cpp: |
| (Inspector::InspectorAuditAgent::populateAuditObject): |
| * inspector/agents/InspectorHeapAgent.cpp: |
| (Inspector::InspectorHeapAgent::gc): |
| * interpreter/FrameTracers.h: |
| (JSC::NativeCallFrameTracer::NativeCallFrameTracer): |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::executeProgram): |
| (JSC::Interpreter::prepareForRepeatCall): |
| (JSC::Interpreter::execute): |
| (JSC::Interpreter::executeModuleProgram): |
| * interpreter/StackVisitor.cpp: |
| (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding): |
| (JSC::StackVisitor::Frame::computeLineAndColumn const): |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::emitDumbVirtualCall): |
| (JSC::AssemblyHelpers::emitConvertValueToBoolean): |
| (JSC::AssemblyHelpers::branchIfValue): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::vm): |
| * jit/JIT.cpp: |
| (JSC::JIT::JIT): |
| (JSC::JIT::emitEnterOptimizationCheck): |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileExceptionHandlers): |
| * jit/JIT.h: |
| * jit/JITCall.cpp: |
| (JSC::JIT::compileCallEvalSlowCase): |
| * jit/JITCall32_64.cpp: |
| (JSC::JIT::compileCallEvalSlowCase): |
| * jit/JITExceptions.cpp: |
| (JSC::genericUnwind): |
| * jit/JITExceptions.h: |
| * jit/JITInlineCacheGenerator.cpp: |
| (JSC::JITGetByIdGenerator::JITGetByIdGenerator): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_is_undefined): |
| (JSC::JIT::emit_op_jfalse): |
| (JSC::JIT::emit_op_jeq_null): |
| (JSC::JIT::emit_op_jneq_null): |
| (JSC::JIT::emit_op_jtrue): |
| (JSC::JIT::emit_op_throw): |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_eq_null): |
| (JSC::JIT::emit_op_neq_null): |
| (JSC::JIT::emitSlow_op_loop_hint): |
| (JSC::JIT::emit_op_log_shadow_chicken_prologue): |
| (JSC::JIT::emit_op_log_shadow_chicken_tail): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_jfalse): |
| (JSC::JIT::emit_op_jtrue): |
| (JSC::JIT::emit_op_throw): |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_log_shadow_chicken_prologue): |
| (JSC::JIT::emit_op_log_shadow_chicken_tail): |
| * jit/JITOperations.cpp: |
| (JSC::operationNewFunctionCommon): |
| (JSC::tryGetByValOptimize): |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitWriteBarrier): |
| * jit/JITThunks.cpp: |
| (JSC::JITThunks::ctiNativeCall): |
| (JSC::JITThunks::ctiNativeConstruct): |
| (JSC::JITThunks::ctiNativeTailCall): |
| (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags): |
| (JSC::JITThunks::ctiInternalFunctionCall): |
| (JSC::JITThunks::ctiInternalFunctionConstruct): |
| (JSC::JITThunks::ctiStub): |
| (JSC::JITThunks::hostFunctionStub): |
| * jit/JITThunks.h: |
| * jit/JITWorklist.cpp: |
| (JSC::JITWorklist::Plan::vm): |
| (JSC::JITWorklist::completeAllForVM): |
| (JSC::JITWorklist::poll): |
| (JSC::JITWorklist::compileLater): |
| (JSC::JITWorklist::compileNow): |
| * jit/Repatch.cpp: |
| (JSC::readPutICCallTarget): |
| (JSC::ftlThunkAwareRepatchCall): |
| (JSC::linkSlowFor): |
| (JSC::linkFor): |
| (JSC::linkDirectFor): |
| (JSC::revertCall): |
| (JSC::unlinkFor): |
| (JSC::linkVirtualFor): |
| (JSC::linkPolymorphicCall): |
| * jit/SpecializedThunkJIT.h: |
| (JSC::SpecializedThunkJIT::SpecializedThunkJIT): |
| * jit/ThunkGenerator.h: |
| * jit/ThunkGenerators.cpp: |
| (JSC::throwExceptionFromCallSlowPathGenerator): |
| (JSC::slowPathFor): |
| (JSC::linkCallThunkGenerator): |
| (JSC::linkPolymorphicCallThunkGenerator): |
| (JSC::virtualThunkFor): |
| (JSC::nativeForGenerator): |
| (JSC::nativeCallGenerator): |
| (JSC::nativeTailCallGenerator): |
| (JSC::nativeTailCallWithoutSavedTagsGenerator): |
| (JSC::nativeConstructGenerator): |
| (JSC::internalFunctionCallGenerator): |
| (JSC::internalFunctionConstructGenerator): |
| (JSC::arityFixupGenerator): |
| (JSC::unreachableGenerator): |
| (JSC::stringGetByValGenerator): |
| (JSC::charToString): |
| (JSC::charCodeAtThunkGenerator): |
| (JSC::charAtThunkGenerator): |
| (JSC::fromCharCodeThunkGenerator): |
| (JSC::clz32ThunkGenerator): |
| (JSC::sqrtThunkGenerator): |
| (JSC::floorThunkGenerator): |
| (JSC::ceilThunkGenerator): |
| (JSC::truncThunkGenerator): |
| (JSC::roundThunkGenerator): |
| (JSC::expThunkGenerator): |
| (JSC::logThunkGenerator): |
| (JSC::absThunkGenerator): |
| (JSC::imulThunkGenerator): |
| (JSC::randomThunkGenerator): |
| (JSC::boundThisNoArgsFunctionCallGenerator): |
| * jit/ThunkGenerators.h: |
| * jsc.cpp: |
| (GlobalObject::finishCreation): |
| (GlobalObject::addFunction): |
| (GlobalObject::moduleLoaderImportModule): |
| (GlobalObject::moduleLoaderResolve): |
| (GlobalObject::moduleLoaderCreateImportMetaProperties): |
| (functionDescribe): |
| (functionDescribeArray): |
| (JSCMemoryFootprint::addProperty): |
| (functionRun): |
| (functionRunString): |
| (functionReadFile): |
| (functionCallerSourceOrigin): |
| (functionReadline): |
| (functionDollarCreateRealm): |
| (functionDollarEvalScript): |
| (functionDollarAgentGetReport): |
| (functionWaitForReport): |
| (functionJSCOptions): |
| (functionCheckModuleSyntax): |
| (functionGenerateHeapSnapshotForGCDebugging): |
| (functionWebAssemblyMemoryMode): |
| (dumpException): |
| (checkUncaughtException): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| (JSC::LLInt::handleHostCall): |
| * parser/ASTBuilder.h: |
| (JSC::ASTBuilder::ASTBuilder): |
| (JSC::ASTBuilder::createResolve): |
| (JSC::ASTBuilder::createGetterOrSetterProperty): |
| (JSC::ASTBuilder::createProperty): |
| (JSC::ASTBuilder::createFuncDeclStatement): |
| (JSC::ASTBuilder::makeFunctionCallNode): |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::Lexer): |
| (JSC::Lexer<LChar>::parseIdentifier): |
| (JSC::Lexer<UChar>::parseIdentifier): |
| * parser/Lexer.h: |
| (JSC::Lexer<T>::lexExpectIdentifier): |
| * parser/ModuleAnalyzer.cpp: |
| (JSC::ModuleAnalyzer::ModuleAnalyzer): |
| * parser/ModuleAnalyzer.h: |
| (JSC::ModuleAnalyzer::vm): |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::Parser): |
| (JSC::Parser<LexerType>::parseInner): |
| (JSC::Parser<LexerType>::isArrowFunctionParameters): |
| (JSC::Parser<LexerType>::parseSourceElements): |
| (JSC::Parser<LexerType>::parseModuleSourceElements): |
| (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements): |
| (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements): |
| (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements): |
| (JSC::Parser<LexerType>::parseSingleFunction): |
| (JSC::Parser<LexerType>::parseStatementListItem): |
| (JSC::Parser<LexerType>::parseObjectRestAssignmentElement): |
| (JSC::Parser<LexerType>::parseAssignmentElement): |
| (JSC::Parser<LexerType>::parseDestructuringPattern): |
| (JSC::Parser<LexerType>::parseForStatement): |
| (JSC::Parser<LexerType>::parseBreakStatement): |
| (JSC::Parser<LexerType>::parseContinueStatement): |
| (JSC::Parser<LexerType>::parseStatement): |
| (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement): |
| (JSC::Parser<LexerType>::createGeneratorParameters): |
| (JSC::Parser<LexerType>::parseFunctionInfo): |
| (JSC::Parser<LexerType>::parseFunctionDeclaration): |
| (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration): |
| (JSC::Parser<LexerType>::parseClassDeclaration): |
| (JSC::Parser<LexerType>::parseClass): |
| (JSC::Parser<LexerType>::parseImportClauseItem): |
| (JSC::Parser<LexerType>::parseImportDeclaration): |
| (JSC::Parser<LexerType>::parseExportSpecifier): |
| (JSC::Parser<LexerType>::parseExportDeclaration): |
| (JSC::Parser<LexerType>::parseAssignmentExpression): |
| (JSC::Parser<LexerType>::parseProperty): |
| (JSC::Parser<LexerType>::parseGetterSetter): |
| (JSC::Parser<LexerType>::parseObjectLiteral): |
| (JSC::Parser<LexerType>::parseStrictObjectLiteral): |
| (JSC::Parser<LexerType>::parseClassExpression): |
| (JSC::Parser<LexerType>::parseFunctionExpression): |
| (JSC::Parser<LexerType>::parseAsyncFunctionExpression): |
| (JSC::Parser<LexerType>::parsePrimaryExpression): |
| (JSC::Parser<LexerType>::parseMemberExpression): |
| (JSC::Parser<LexerType>::parseArrowFunctionExpression): |
| (JSC::Parser<LexerType>::parseUnaryExpression): |
| * parser/Parser.h: |
| (JSC::isArguments): |
| (JSC::isEval): |
| (JSC::isEvalOrArgumentsIdentifier): |
| (JSC::Scope::Scope): |
| (JSC::Scope::declareParameter): |
| (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded): |
| (JSC::Scope::collectFreeVariables): |
| (JSC::Parser::canRecurse): |
| (JSC::parse): |
| (JSC::parseFunctionForFunctionConstructor): |
| * parser/ParserArena.h: |
| (JSC::IdentifierArena::makeIdentifier): |
| (JSC::IdentifierArena::makeEmptyIdentifier): |
| (JSC::IdentifierArena::makeIdentifierLCharFromUChar): |
| (JSC::IdentifierArena::makeNumericIdentifier): |
| * parser/SyntaxChecker.h: |
| (JSC::SyntaxChecker::SyntaxChecker): |
| (JSC::SyntaxChecker::createProperty): |
| (JSC::SyntaxChecker::createGetterOrSetterProperty): |
| * profiler/ProfilerBytecode.cpp: |
| (JSC::Profiler::Bytecode::toJS const): |
| * profiler/ProfilerBytecodeSequence.cpp: |
| (JSC::Profiler::BytecodeSequence::addSequenceProperties const): |
| * profiler/ProfilerBytecodes.cpp: |
| (JSC::Profiler::Bytecodes::toJS const): |
| * profiler/ProfilerCompilation.cpp: |
| (JSC::Profiler::Compilation::toJS const): |
| * profiler/ProfilerCompiledBytecode.cpp: |
| (JSC::Profiler::CompiledBytecode::toJS const): |
| * profiler/ProfilerEvent.cpp: |
| (JSC::Profiler::Event::toJS const): |
| * profiler/ProfilerOSRExit.cpp: |
| (JSC::Profiler::OSRExit::toJS const): |
| * profiler/ProfilerOSRExitSite.cpp: |
| (JSC::Profiler::OSRExitSite::toJS const): |
| * profiler/ProfilerUID.cpp: |
| (JSC::Profiler::UID::toJS const): |
| * runtime/AbstractModuleRecord.cpp: |
| (JSC::AbstractModuleRecord::finishCreation): |
| (JSC::AbstractModuleRecord::hostResolveImportedModule): |
| (JSC::AbstractModuleRecord::resolveExportImpl): |
| (JSC::getExportedNames): |
| (JSC::AbstractModuleRecord::getModuleNamespace): |
| * runtime/ArrayBufferNeuteringWatchpointSet.cpp: |
| (JSC::ArrayBufferNeuteringWatchpointSet::fireAll): |
| * runtime/ArrayIteratorPrototype.cpp: |
| (JSC::ArrayIteratorPrototype::finishCreation): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::fastJoin): |
| (JSC::arrayProtoFuncToLocaleString): |
| (JSC::slowJoin): |
| (JSC::arrayProtoFuncJoin): |
| (JSC::arrayProtoFuncPush): |
| * runtime/AsyncFunctionPrototype.cpp: |
| (JSC::AsyncFunctionPrototype::finishCreation): |
| * runtime/AsyncGeneratorFunctionPrototype.cpp: |
| (JSC::AsyncGeneratorFunctionPrototype::finishCreation): |
| * runtime/AsyncGeneratorPrototype.cpp: |
| (JSC::AsyncGeneratorPrototype::finishCreation): |
| * runtime/AtomicsObject.cpp: |
| (JSC::AtomicsObject::finishCreation): |
| (JSC::atomicsFuncWait): |
| (JSC::operationAtomicsAdd): |
| (JSC::operationAtomicsAnd): |
| (JSC::operationAtomicsCompareExchange): |
| (JSC::operationAtomicsExchange): |
| (JSC::operationAtomicsIsLockFree): |
| (JSC::operationAtomicsLoad): |
| (JSC::operationAtomicsOr): |
| (JSC::operationAtomicsStore): |
| (JSC::operationAtomicsSub): |
| (JSC::operationAtomicsXor): |
| * runtime/BigIntPrototype.cpp: |
| (JSC::BigIntPrototype::finishCreation): |
| (JSC::bigIntProtoFuncToString): |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedUniquedStringImplBase::decode const): |
| (JSC::CachedIdentifier::decode const): |
| (JSC::CachedJSValue::decode const): |
| * runtime/CodeCache.cpp: |
| (JSC::CodeCacheMap::pruneSlowCase): |
| (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): |
| * runtime/CodeCache.h: |
| (JSC::generateUnlinkedCodeBlockImpl): |
| * runtime/CommonIdentifiers.cpp: |
| (JSC::CommonIdentifiers::CommonIdentifiers): |
| * runtime/CommonIdentifiers.h: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/Completion.cpp: |
| (JSC::checkSyntaxInternal): |
| (JSC::checkModuleSyntax): |
| (JSC::loadAndEvaluateModule): |
| (JSC::loadModule): |
| * runtime/DateConstructor.cpp: |
| (JSC::callDate): |
| * runtime/DatePrototype.cpp: |
| (JSC::formatLocaleDate): |
| (JSC::formateDateInstance): |
| (JSC::DatePrototype::finishCreation): |
| (JSC::dateProtoFuncToISOString): |
| * runtime/Error.cpp: |
| (JSC::addErrorInfo): |
| * runtime/ErrorInstance.cpp: |
| (JSC::appendSourceToError): |
| (JSC::ErrorInstance::finishCreation): |
| (JSC::ErrorInstance::materializeErrorInfoIfNeeded): |
| * runtime/ErrorPrototype.cpp: |
| (JSC::ErrorPrototype::finishCreation): |
| (JSC::errorProtoFuncToString): |
| * runtime/ExceptionHelpers.cpp: |
| (JSC::TerminatedExecutionError::defaultValue): |
| * runtime/FunctionPrototype.cpp: |
| (JSC::functionProtoFuncToString): |
| * runtime/FunctionRareData.cpp: |
| (JSC::FunctionRareData::clear): |
| * runtime/GeneratorFunctionPrototype.cpp: |
| (JSC::GeneratorFunctionPrototype::finishCreation): |
| * runtime/GeneratorPrototype.cpp: |
| (JSC::GeneratorPrototype::finishCreation): |
| * runtime/GenericArgumentsInlines.h: |
| (JSC::GenericArguments<Type>::getOwnPropertyNames): |
| * runtime/GetterSetter.h: |
| * runtime/Identifier.cpp: |
| (JSC::Identifier::add): |
| (JSC::Identifier::add8): |
| (JSC::Identifier::from): |
| (JSC::Identifier::checkCurrentAtomStringTable): |
| * runtime/Identifier.h: |
| (JSC::Identifier::fromString): |
| (JSC::Identifier::createLCharFromUChar): |
| (JSC::Identifier::Identifier): |
| (JSC::Identifier::add): |
| * runtime/IdentifierInlines.h: |
| (JSC::Identifier::Identifier): |
| (JSC::Identifier::add): |
| (JSC::Identifier::fromUid): |
| (JSC::Identifier::fromString): |
| (JSC::identifierToJSValue): |
| (JSC::identifierToSafePublicJSValue): |
| * runtime/InternalFunction.cpp: |
| (JSC::InternalFunction::finishCreation): |
| * runtime/IntlCollator.cpp: |
| (JSC::IntlCollator::resolvedOptions): |
| * runtime/IntlCollatorPrototype.cpp: |
| (JSC::IntlCollatorPrototype::finishCreation): |
| * runtime/IntlDateTimeFormat.cpp: |
| (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate): |
| (JSC::IntlDateTimeFormat::resolvedOptions): |
| (JSC::IntlDateTimeFormat::format): |
| (JSC::IntlDateTimeFormat::formatToParts): |
| * runtime/IntlDateTimeFormatPrototype.cpp: |
| (JSC::IntlDateTimeFormatPrototype::finishCreation): |
| * runtime/IntlNumberFormat.cpp: |
| (JSC::IntlNumberFormat::initializeNumberFormat): |
| (JSC::IntlNumberFormat::formatNumber): |
| (JSC::IntlNumberFormat::resolvedOptions): |
| (JSC::IntlNumberFormat::formatToParts): |
| * runtime/IntlNumberFormatPrototype.cpp: |
| (JSC::IntlNumberFormatPrototype::finishCreation): |
| * runtime/IntlObject.cpp: |
| (JSC::lookupSupportedLocales): |
| (JSC::supportedLocales): |
| (JSC::intlObjectFuncGetCanonicalLocales): |
| * runtime/IntlPluralRules.cpp: |
| (JSC::IntlPluralRules::initializePluralRules): |
| (JSC::IntlPluralRules::resolvedOptions): |
| (JSC::IntlPluralRules::select): |
| * runtime/IntlPluralRulesPrototype.cpp: |
| (JSC::IntlPluralRulesPrototype::finishCreation): |
| * runtime/JSArray.h: |
| (JSC::asArray): |
| (JSC::isJSArray): |
| * runtime/JSArrayBufferPrototype.cpp: |
| (JSC::JSArrayBufferPrototype::finishCreation): |
| * runtime/JSArrayBufferView.cpp: |
| (JSC::JSArrayBufferView::slowDownAndWasteMemory): |
| * runtime/JSCJSValue.cpp: |
| (JSC::JSValue::putToPrimitiveByIndex): |
| (JSC::JSValue::dumpForBacktrace const): |
| (JSC::JSValue::toStringSlowCase const): |
| * runtime/JSCJSValueInlines.h: |
| (JSC::JSValue::toPropertyKey const): |
| (JSC::JSValue::get const): |
| * runtime/JSCast.h: |
| (JSC::jsCast): |
| * runtime/JSCell.cpp: |
| (JSC::JSCell::dump const): |
| (JSC::JSCell::dumpToStream): |
| (JSC::JSCell::putByIndex): |
| * runtime/JSCellInlines.h: |
| (JSC::JSCell::structure const): |
| (JSC::ExecState::vm const): |
| (JSC::tryAllocateCellHelper): |
| * runtime/JSDataViewPrototype.cpp: |
| (JSC::JSDataViewPrototype::finishCreation): |
| * runtime/JSFixedArray.cpp: |
| (JSC::JSFixedArray::dumpToStream): |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::finishCreation): |
| (JSC::RetrieveCallerFunctionFunctor::operator() const): |
| (JSC::JSFunction::reifyName): |
| (JSC::JSFunction::reifyLazyBoundNameIfNeeded): |
| (JSC::JSFunction::assertTypeInfoFlagInvariants): |
| * runtime/JSGenericTypedArrayViewInlines.h: |
| (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex): |
| (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::exposeDollarVM): |
| * runtime/JSGlobalObjectFunctions.cpp: |
| (JSC::encode): |
| (JSC::decode): |
| (JSC::globalFuncEscape): |
| (JSC::globalFuncUnescape): |
| (JSC::globalFuncBuiltinDescribe): |
| * runtime/JSLexicalEnvironment.cpp: |
| (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames): |
| * runtime/JSModuleEnvironment.cpp: |
| (JSC::JSModuleEnvironment::getOwnPropertySlot): |
| (JSC::JSModuleEnvironment::put): |
| (JSC::JSModuleEnvironment::deleteProperty): |
| * runtime/JSModuleLoader.cpp: |
| (JSC::JSModuleLoader::finishCreation): |
| (JSC::JSModuleLoader::requestImportModule): |
| (JSC::moduleLoaderParseModule): |
| (JSC::moduleLoaderRequestedModules): |
| * runtime/JSModuleNamespaceObject.cpp: |
| (JSC::JSModuleNamespaceObject::finishCreation): |
| (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex): |
| * runtime/JSModuleRecord.cpp: |
| (JSC::JSModuleRecord::instantiateDeclarations): |
| * runtime/JSONObject.cpp: |
| (JSC::JSONObject::finishCreation): |
| (JSC::PropertyNameForFunctionCall::value const): |
| (JSC::Stringifier::Stringifier): |
| (JSC::Stringifier::stringify): |
| (JSC::Stringifier::Holder::appendNextProperty): |
| (JSC::Walker::walk): |
| * runtime/JSObject.cpp: |
| (JSC::getClassPropertyNames): |
| (JSC::JSObject::getOwnPropertySlotByIndex): |
| (JSC::JSObject::putByIndex): |
| (JSC::JSObject::deletePropertyByIndex): |
| (JSC::JSObject::toString const): |
| (JSC::JSObject::reifyAllStaticProperties): |
| (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength): |
| * runtime/JSObject.h: |
| (JSC::JSObject::putByIndexInline): |
| (JSC::JSObject::butterflyPreCapacity): |
| (JSC::JSObject::butterflyTotalSize): |
| (JSC::makeIdentifier): |
| * runtime/JSPromisePrototype.cpp: |
| (JSC::JSPromisePrototype::finishCreation): |
| * runtime/JSPropertyNameEnumerator.cpp: |
| (JSC::JSPropertyNameEnumerator::finishCreation): |
| * runtime/JSPropertyNameEnumerator.h: |
| (JSC::propertyNameEnumerator): |
| * runtime/JSRunLoopTimer.cpp: |
| (JSC::JSRunLoopTimer::JSRunLoopTimer): |
| * runtime/JSRunLoopTimer.h: |
| * runtime/JSString.cpp: |
| (JSC::JSString::dumpToStream): |
| (JSC::JSRopeString::resolveRopeWithFunction const): |
| (JSC::jsStringWithCacheSlowCase): |
| * runtime/JSString.h: |
| (JSC::jsEmptyString): |
| (JSC::jsSingleCharacterString): |
| (JSC::jsNontrivialString): |
| (JSC::JSString::toIdentifier const): |
| (JSC::JSString::toAtomString const): |
| (JSC::JSString::toExistingAtomString const): |
| (JSC::JSString::value const): |
| (JSC::JSString::tryGetValue const): |
| (JSC::JSString::getIndex): |
| (JSC::jsString): |
| (JSC::jsSubstring): |
| (JSC::jsOwnedString): |
| (JSC::jsStringWithCache): |
| (JSC::JSRopeString::unsafeView const): |
| (JSC::JSRopeString::viewWithUnderlyingString const): |
| (JSC::JSString::unsafeView const): |
| * runtime/JSStringInlines.h: |
| (JSC::jsMakeNontrivialString): |
| (JSC::repeatCharacter): |
| * runtime/JSStringJoiner.cpp: |
| (JSC::JSStringJoiner::join): |
| * runtime/JSSymbolTableObject.cpp: |
| (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames): |
| * runtime/JSTemplateObjectDescriptor.cpp: |
| (JSC::JSTemplateObjectDescriptor::createTemplateObject): |
| * runtime/JSTypedArrayViewPrototype.cpp: |
| (JSC::typedArrayViewProtoGetterFuncToStringTag): |
| * runtime/LazyClassStructure.cpp: |
| (JSC::LazyClassStructure::Initializer::setConstructor): |
| * runtime/LazyProperty.h: |
| (JSC::LazyProperty::Initializer::Initializer): |
| * runtime/LiteralParser.cpp: |
| (JSC::LiteralParser<CharType>::tryJSONPParse): |
| (JSC::LiteralParser<CharType>::makeIdentifier): |
| (JSC::LiteralParser<CharType>::parse): |
| * runtime/Lookup.h: |
| (JSC::reifyStaticProperties): |
| * runtime/MapIteratorPrototype.cpp: |
| (JSC::MapIteratorPrototype::finishCreation): |
| * runtime/MapPrototype.cpp: |
| (JSC::MapPrototype::finishCreation): |
| * runtime/MathObject.cpp: |
| (JSC::MathObject::finishCreation): |
| * runtime/NumberConstructor.cpp: |
| (JSC::NumberConstructor::finishCreation): |
| * runtime/NumberPrototype.cpp: |
| (JSC::numberProtoFuncToExponential): |
| (JSC::numberProtoFuncToFixed): |
| (JSC::numberProtoFuncToPrecision): |
| (JSC::int32ToStringInternal): |
| (JSC::numberToStringInternal): |
| (JSC::int52ToString): |
| * runtime/ObjectConstructor.cpp: |
| (JSC::objectConstructorGetOwnPropertyDescriptors): |
| (JSC::objectConstructorAssign): |
| (JSC::objectConstructorValues): |
| (JSC::defineProperties): |
| (JSC::setIntegrityLevel): |
| (JSC::testIntegrityLevel): |
| (JSC::ownPropertyKeys): |
| * runtime/ObjectPrototype.cpp: |
| (JSC::objectProtoFuncToString): |
| * runtime/Operations.h: |
| (JSC::jsString): |
| (JSC::jsStringFromRegisterArray): |
| (JSC::jsStringFromArguments): |
| * runtime/ProgramExecutable.cpp: |
| (JSC::ProgramExecutable::initializeGlobalProperties): |
| * runtime/PromiseDeferredTimer.cpp: |
| (JSC::PromiseDeferredTimer::PromiseDeferredTimer): |
| (JSC::PromiseDeferredTimer::hasPendingPromise): |
| (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise): |
| (JSC::PromiseDeferredTimer::cancelPendingPromise): |
| * runtime/PropertyNameArray.h: |
| (JSC::PropertyNameArray::PropertyNameArray): |
| (JSC::PropertyNameArray::vm): |
| * runtime/PropertySlot.h: |
| (JSC::PropertySlot::getValue const): |
| * runtime/ProxyObject.cpp: |
| (JSC::performProxyGet): |
| (JSC::ProxyObject::performInternalMethodGetOwnProperty): |
| (JSC::ProxyObject::performHasProperty): |
| (JSC::ProxyObject::getOwnPropertySlotByIndex): |
| (JSC::ProxyObject::performPut): |
| (JSC::ProxyObject::putByIndexCommon): |
| (JSC::ProxyObject::performDelete): |
| (JSC::ProxyObject::deletePropertyByIndex): |
| (JSC::ProxyObject::performDefineOwnProperty): |
| (JSC::ProxyObject::performGetOwnPropertyNames): |
| * runtime/RegExpGlobalData.cpp: |
| (JSC::RegExpGlobalData::getBackref): |
| (JSC::RegExpGlobalData::getLastParen): |
| * runtime/RegExpMatchesArray.cpp: |
| (JSC::createEmptyRegExpMatchesArray): |
| * runtime/RegExpMatchesArray.h: |
| (JSC::createRegExpMatchesArray): |
| * runtime/RegExpPrototype.cpp: |
| (JSC::regExpProtoGetterFlags): |
| (JSC::regExpProtoGetterSourceInternal): |
| (JSC::regExpProtoGetterSource): |
| * runtime/RegExpStringIteratorPrototype.cpp: |
| (JSC::RegExpStringIteratorPrototype::finishCreation): |
| * runtime/SamplingProfiler.cpp: |
| (JSC::SamplingProfiler::processUnverifiedStackTraces): |
| * runtime/ScriptExecutable.cpp: |
| (JSC::ScriptExecutable::installCode): |
| (JSC::ScriptExecutable::newCodeBlockFor): |
| (JSC::ScriptExecutable::newReplacementCodeBlockFor): |
| (JSC::setupJIT): |
| * runtime/SetIteratorPrototype.cpp: |
| (JSC::SetIteratorPrototype::finishCreation): |
| * runtime/SetPrototype.cpp: |
| (JSC::SetPrototype::finishCreation): |
| * runtime/StackFrame.cpp: |
| (JSC::StackFrame::computeLineAndColumn const): |
| * runtime/StringConstructor.cpp: |
| (JSC::stringFromCharCode): |
| (JSC::stringFromCodePoint): |
| (JSC::stringConstructor): |
| (JSC::callStringConstructor): |
| * runtime/StringIteratorPrototype.cpp: |
| (JSC::StringIteratorPrototype::finishCreation): |
| * runtime/StringObject.cpp: |
| (JSC::StringObject::getOwnPropertySlotByIndex): |
| (JSC::StringObject::getOwnPropertyNames): |
| * runtime/StringObject.h: |
| (JSC::StringObject::create): |
| (JSC::jsStringWithReuse): |
| (JSC::jsSubstring): |
| * runtime/StringPrototype.cpp: |
| (JSC::StringPrototype::finishCreation): |
| (JSC::StringPrototype::create): |
| (JSC::jsSpliceSubstrings): |
| (JSC::jsSpliceSubstringsWithSeparators): |
| (JSC::replaceUsingRegExpSearch): |
| (JSC::operationStringProtoFuncReplaceRegExpEmptyStr): |
| (JSC::operationStringProtoFuncReplaceRegExpString): |
| (JSC::replaceUsingStringSearch): |
| (JSC::operationStringProtoFuncReplaceGeneric): |
| (JSC::stringProtoFuncCharAt): |
| (JSC::stringProtoFuncSplitFast): |
| (JSC::stringProtoFuncSubstr): |
| (JSC::stringProtoFuncToLowerCase): |
| (JSC::stringProtoFuncToUpperCase): |
| (JSC::toLocaleCase): |
| (JSC::trimString): |
| (JSC::normalize): |
| * runtime/StringPrototypeInlines.h: |
| (JSC::stringSlice): |
| * runtime/StringRecursionChecker.cpp: |
| (JSC::StringRecursionChecker::emptyString): |
| * runtime/Structure.cpp: |
| (JSC::Structure::didTransitionFromThisStructure const): |
| * runtime/StructureInlines.h: |
| (JSC::Structure::didReplaceProperty): |
| (JSC::Structure::shouldConvertToPolyProto): |
| * runtime/SymbolConstructor.cpp: |
| (JSC::symbolConstructorKeyFor): |
| * runtime/SymbolPrototype.cpp: |
| (JSC::SymbolPrototype::finishCreation): |
| (JSC::symbolProtoGetterDescription): |
| (JSC::symbolProtoFuncToString): |
| * runtime/SymbolTable.cpp: |
| (JSC::SymbolTable::setRareDataCodeBlock): |
| * runtime/TestRunnerUtils.cpp: |
| (JSC::getExecutableForFunction): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| (JSC::VM::getHostFunction): |
| (JSC::VM::getCTIInternalFunctionTrampolineFor): |
| (JSC::VM::shrinkFootprintWhenIdle): |
| (JSC::logSanitizeStack): |
| (JSC::sanitizeStackForVM): |
| (JSC::VM::emptyPropertyNameEnumeratorSlow): |
| * runtime/VM.h: |
| (JSC::VM::getCTIStub): |
| (JSC::WeakSet::heap const): |
| * runtime/VMTraps.cpp: |
| * runtime/WeakMapPrototype.cpp: |
| (JSC::WeakMapPrototype::finishCreation): |
| * runtime/WeakObjectRefPrototype.cpp: |
| (JSC::WeakObjectRefPrototype::finishCreation): |
| * runtime/WeakSetPrototype.cpp: |
| (JSC::WeakSetPrototype::finishCreation): |
| * tools/HeapVerifier.cpp: |
| (JSC::HeapVerifier::printVerificationHeader): |
| (JSC::HeapVerifier::verifyCellList): |
| (JSC::HeapVerifier::validateJSCell): |
| (JSC::HeapVerifier::reportCell): |
| * tools/JSDollarVM.cpp: |
| (JSC::JSDollarVMCallFrame::finishCreation): |
| (JSC::JSDollarVMCallFrame::addProperty): |
| (JSC::CustomGetter::getOwnPropertySlot): |
| (JSC::CustomGetter::customGetter): |
| (JSC::CustomGetter::customGetterAcessor): |
| (JSC::DOMJITGetter::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetter::finishCreation): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterComplex::finishCreation): |
| (JSC::DOMJITFunctionObject::functionWithoutTypeCheck): |
| (JSC::DOMJITFunctionObject::finishCreation): |
| (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::finishCreation): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterBaseJSObject::finishCreation): |
| (JSC::customSetAccessor): |
| (JSC::customSetValue): |
| (JSC::JSTestCustomGetterSetter::finishCreation): |
| (JSC::WasmStreamingParser::finishCreation): |
| (JSC::getExecutableForFunction): |
| (JSC::functionCodeBlockFor): |
| (JSC::functionIndexingMode): |
| (JSC::functionValue): |
| (JSC::functionCreateBuiltin): |
| (JSC::functionGetPrivateProperty): |
| (JSC::JSDollarVM::finishCreation): |
| (JSC::JSDollarVM::addFunction): |
| (JSC::JSDollarVM::addConstructibleFunction): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::dumpRegisters): |
| (JSC::VMInspector::dumpCellMemoryToStream): |
| * wasm/WasmInstance.cpp: |
| (JSC::Wasm::Instance::setGlobal): |
| (JSC::Wasm::Instance::setFunctionWrapper): |
| (JSC::Wasm::setWasmTableElement): |
| (JSC::Wasm::doWasmRefFunc): |
| * wasm/WasmTable.cpp: |
| (JSC::Wasm::Table::set): |
| (JSC::Wasm::FuncRefTable::setFunction): |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::resolve): |
| * wasm/js/JSWebAssemblyInstance.cpp: |
| (JSC::JSWebAssemblyInstance::create): |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::handleBadI64Use): |
| (JSC::Wasm::wasmToJS): |
| (JSC::Wasm::wasmToJSException): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| * wasm/js/WebAssemblyMemoryConstructor.cpp: |
| (JSC::constructJSWebAssemblyMemory): |
| * wasm/js/WebAssemblyModuleConstructor.cpp: |
| (JSC::webAssemblyModuleImports): |
| (JSC::webAssemblyModuleExports): |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::finishCreation): |
| (JSC::WebAssemblyModuleRecord::link): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| |
| 2019-08-27 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: don't attach properties to `injectedScript` for the CommandLineAPI |
| https://bugs.webkit.org/show_bug.cgi?id=201193 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| For some reason, adding `injectedScript._inspectObject` inside CommandLineAPIModuleSource.js |
| causes inspector/debugger/tail-deleted-frames-this-value.html to fail. |
| |
| We should have a similar approach to adding command line api getters and functions, in that |
| the CommandLineAPIModuleSource.js calls a function with a callback. |
| |
| * inspector/InjectedScriptSource.js: |
| (InjectedScript.prototype.inspectObject): |
| (InjectedScript.prototype.setInspectObject): Added. |
| (InjectedScript.prototype._evaluateOn): |
| |
| 2019-08-27 Mark Lam <mark.lam@apple.com> |
| |
| constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM. |
| https://bugs.webkit.org/show_bug.cgi?id=201196 |
| <rdar://problem/54703775> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/FunctionConstructor.cpp: |
| (JSC::constructFunctionSkippingEvalEnabledCheck): |
| |
| 2019-08-27 Keith Miller <keith_miller@apple.com> |
| |
| When dumping Air Graphs BBQ should dump patchpoints. |
| https://bugs.webkit.org/show_bug.cgi?id=201167 |
| |
| Reviewed by Filip Pizlo. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator:: const): |
| (JSC::Wasm::AirIRGenerator::addPatchpoint): |
| (JSC::Wasm::parseAndCompileAir): |
| |
| 2019-08-27 Basuke Suzuki <Basuke.Suzuki@sony.com> |
| |
| [RemoteInspector][Socket] Restructuring the components of Socket implementation |
| https://bugs.webkit.org/show_bug.cgi?id=201079 |
| |
| Reviewed by Ross Kirsling. |
| |
| Since the change for WeakPtr on r248386, our port start assertion failure on the usage of |
| RemoteInspectorSocketEndpoint. We have to send a message to connection client, but if that |
| has to be done in the same thread which weakPtr generated, it's a little bit stronger |
| restriction for us to handle. In this restructure, we are stopping to use weakPtr to |
| resolve circular dependency, but using a reference with invalidation method because |
| everything is under our control. |
| |
| - Make SocketEndpoint a singleton. This class represents a central place to handle socket |
| connections and there's no need to instantiate more than one in a process. Once every |
| connection goes away, it just start sleeping until next connection is created. Very low |
| resource usage when it is idle. |
| - Move Socket::Connection structure from global definition to SocketEndpoint local |
| structure. It is directly used in SocketEndpoint privately. |
| - Move responsibility to handle message encoding/decoding task from SocketEndpoint to |
| ConnectionClient. Make SocketEndpoint as plain socket handling as possible to keep it |
| simple to exist long span. |
| - Extract an interface from ConnectionClient as SocketEndpoint::Client which is required |
| to work with SocketEndpoint. Now SocketEndpoint is very independent from others. |
| SocketEndpoint::Client is the required parameter to create a connection. |
| |
| Many responsibilities are moved into ConnectionClient which was a thin interface for |
| communication between RemoteInspector, RemoteInspectorServer and RemoteInspectorClient. |
| It now handles followings: |
| - life cycle of connection: create, listen and close or invalidation |
| - sending and receiving data packed in a message. |
| |
| RemoteInspector and RemoteInspectorServer are now free from creation of SocketEndpoint. |
| All communication to SocketEndpoint id now the duty of super class. |
| |
| * inspector/remote/RemoteInspector.h: |
| * inspector/remote/socket/RemoteInspectorConnectionClient.cpp: |
| (Inspector::RemoteInspectorConnectionClient::~RemoteInspectorConnectionClient): Make all connection invalidated. |
| (Inspector::RemoteInspectorConnectionClient::connectInet): Add itself as a listener of socket. |
| (Inspector::RemoteInspectorConnectionClient::listenInet): Ditto. |
| (Inspector::RemoteInspectorConnectionClient::createClient): Ditto. |
| (Inspector::RemoteInspectorConnectionClient::send): Add message processing. |
| (Inspector::RemoteInspectorConnectionClient::didReceive): Ditto. |
| (Inspector::RemoteInspectorConnectionClient::extractEvent): Extracted from send. |
| * inspector/remote/socket/RemoteInspectorConnectionClient.h: |
| * inspector/remote/socket/RemoteInspectorMessageParser.cpp: |
| (Inspector::MessageParser::MessageParser): |
| (Inspector::MessageParser::pushReceivedData): |
| (Inspector::MessageParser::parse): |
| * inspector/remote/socket/RemoteInspectorMessageParser.h: |
| (Inspector::MessageParser::MessageParser): |
| (Inspector::MessageParser::Function<void): |
| * inspector/remote/socket/RemoteInspectorServer.cpp: |
| (Inspector::RemoteInspectorServer::connect): Remove direct communication to Socket Endpoint. |
| (Inspector::RemoteInspectorServer::listenForTargets): Ditto. |
| (Inspector::RemoteInspectorServer::sendWebInspectorEvent): Ditto. |
| (Inspector::RemoteInspectorServer::start): Ditto. |
| * inspector/remote/socket/RemoteInspectorServer.h: |
| * inspector/remote/socket/RemoteInspectorSocket.cpp: |
| (Inspector::RemoteInspector::sendWebInspectorEvent): Remove direct communication to Socket Endpoint. |
| (Inspector::RemoteInspector::start): Ditto. |
| (Inspector::RemoteInspector::stopInternal): Ditto. |
| (Inspector::RemoteInspector::pushListingsNow): Change the target of validity check to ID. |
| (Inspector::RemoteInspector::pushListingsSoon): Ditto. |
| (Inspector::RemoteInspector::sendMessageToRemote): Ditto. |
| * inspector/remote/socket/RemoteInspectorSocket.h: Move Connection structure to RemoteInspectorSocketEndpoint. |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: |
| (Inspector::RemoteInspectorSocketEndpoint::singleton): Added. |
| (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint): Use hard-coded thread name. |
| (Inspector::RemoteInspectorSocketEndpoint::connectInet): Accept RemoteInspectorSocketEndpoint::Client as listener. |
| (Inspector::RemoteInspectorSocketEndpoint::listenInet): Ditto. |
| (Inspector::RemoteInspectorSocketEndpoint::createClient): Ditto. |
| (Inspector::RemoteInspectorSocketEndpoint::invalidateClient): Added. Invalidate all connection from the client. |
| (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled): Remove message parser handling. |
| (Inspector::RemoteInspectorSocketEndpoint::send): Remove message packing. |
| (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled): |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: |
| (Inspector::RemoteInspectorSocketEndpoint::Connection::Connection): |
| |
| 2019-08-26 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: use more C++ keywords for defining agents |
| https://bugs.webkit.org/show_bug.cgi?id=200959 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| - make constructors `protected` when the agent isn't meant to be constructed directly |
| - add `virtual` destructors that are defined in the *.cpp so forward-declarations work |
| - use `final` wherever possible |
| - add comments to indicate where any virtual functions come from |
| |
| * inspector/agents/InspectorAgent.h: |
| * inspector/agents/InspectorAgent.cpp: |
| * inspector/agents/InspectorAuditAgent.h: |
| * inspector/agents/InspectorAuditAgent.cpp: |
| * inspector/agents/InspectorConsoleAgent.h: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| * inspector/agents/InspectorDebuggerAgent.h: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| * inspector/agents/InspectorHeapAgent.h: |
| * inspector/agents/InspectorHeapAgent.cpp: |
| * inspector/agents/InspectorRuntimeAgent.h: |
| * inspector/agents/InspectorScriptProfilerAgent.h: |
| * inspector/agents/InspectorScriptProfilerAgent.cpp: |
| * inspector/agents/InspectorTargetAgent.h: |
| * inspector/agents/InspectorTargetAgent.cpp: |
| * inspector/agents/JSGlobalObjectAuditAgent.h: |
| * inspector/agents/JSGlobalObjectAuditAgent.cpp: |
| * inspector/agents/JSGlobalObjectDebuggerAgent.h: |
| * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: |
| * inspector/agents/JSGlobalObjectRuntimeAgent.h: |
| * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: |
| |
| 2019-08-26 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: unify agent command error messages |
| https://bugs.webkit.org/show_bug.cgi?id=200950 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Different agents can sometimes have different error messages for commands that have a |
| similar intended effect. We should make our error messages more similar. |
| |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| * inspector/agents/InspectorAgent.cpp: |
| * inspector/agents/InspectorAuditAgent.cpp: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| * inspector/agents/InspectorHeapAgent.cpp: |
| * inspector/agents/InspectorRuntimeAgent.cpp: |
| * inspector/agents/InspectorTargetAgent.cpp: |
| * inspector/agents/JSGlobalObjectAuditAgent.cpp: |
| * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: |
| * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: |
| Elide function lists to avoid an extremely large ChangeLog entry. |
| |
| 2019-08-26 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Ensure x?.y ?? z is fast |
| https://bugs.webkit.org/show_bug.cgi?id=200875 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We anticipate `x?.y ?? z` to quickly become a common idiom in JS. With a little bytecode rearrangement, |
| we can avoid the "load undefined and check it" dance in the middle and just turn this into two jumps. |
| |
| Before: |
| (get x) |
| ----- jundefined_or_null |
| | (get y) |
| | --- jmp |
| > | (load undefined) |
| > - jnundefined_or_null |
| | (get z) |
| > end |
| |
| After: |
| (get x) |
| --- jundefined_or_null |
| | (get y) |
| | - jnundefined_or_null |
| > | (get z) |
| > end |
| |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::popOptionalChainTarget): Added specialization. |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::CoalesceNode::emitBytecode): |
| (JSC::OptionalChainNode::emitBytecode): |
| * parser/ASTBuilder.h: |
| (JSC::ASTBuilder::makeDeleteNode): |
| (JSC::ASTBuilder::makeCoalesceNode): Added. |
| (JSC::ASTBuilder::makeBinaryNode): |
| * parser/NodeConstructors.h: |
| (JSC::CoalesceNode::CoalesceNode): |
| * parser/Nodes.h: |
| (JSC::ExpressionNode::isDeleteNode const): Added. (Replaces OptionalChainNode::m_isDelete.) |
| |
| 2019-08-26 Carlos Alberto Lopez Perez <clopez@igalia.com> |
| |
| Missing media controls when WebKit is built with Python3 |
| https://bugs.webkit.org/show_bug.cgi?id=194367 |
| |
| Reviewed by Carlos Garcia Campos. |
| |
| The JavaScript minifier script jsmin.py expects a text stream |
| with text type as input, but the script make-js-file-arrays.py |
| was passing to it a FileIO() object. So, when the jsmin script |
| called read() over this object, python3 was returning a type of |
| bytes, but for python2 it returns type str. |
| |
| This caused two problems: first that jsmin failed to do any minifying |
| because it was comparing strings with a variable of type bytes. |
| The second major problem was in the write() function, when the |
| jsmin script tried to convert a byte character to text by calling |
| str() on it. Because what this does is not to convert from byte |
| type to string, but to simply generate a string with the format b'c'. |
| So the jsmin script was returning back as minified JS complete |
| garbage in the form of "b't'b'h'b'h'b'i" for python3. |
| |
| Therefore, when WebKit was built with python3 this broke everything |
| that depended on the embedded JS code that make-js-file-arrays.py |
| was supposed to generate, like the media controls and the WebDriver |
| atoms. |
| |
| Fix this by reworking the code in make-js-file-arrays script to |
| read the data from the file using a TextIOWrapper in python 3 |
| with decoding for 'utf-8'. This ensures that the jsmin receives |
| a text type. For python2 keep using the same FileIO class. |
| |
| On the jsmin.py script remove the problematic call to str() inside |
| the write() function when running with python3. |
| On top of that, add an extra check in jsmin.py script to make it |
| fail if the character type read is not the one expected. This |
| will cause the build to fail instead of failing silently like |
| now. I did some tests and the runtime cost of this extra check |
| is almost zero. |
| |
| * Scripts/jsmin.py: |
| (JavascriptMinify.minify.write): |
| (JavascriptMinify): |
| * Scripts/make-js-file-arrays.py: |
| (main): |
| |
| 2019-08-23 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: create additional command line api functions for other console methods |
| https://bugs.webkit.org/show_bug.cgi?id=200971 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Expose all `console.*` functions in the command line API, since they're all already able to |
| be referenced via the `console` object. |
| |
| Provide a simpler interface for other injected scripts to modify the command line API. |
| |
| * inspector/InjectedScriptModule.cpp: |
| (Inspector::InjectedScriptModule::ensureInjected): |
| |
| * inspector/InjectedScriptSource.js: |
| (InjectedScript.prototype.inspectObject): |
| (InjectedScript.prototype.addCommandLineAPIGetter): Added. |
| (InjectedScript.prototype.addCommandLineAPIMethod): Added. |
| (InjectedScript.prototype.hasInjectedModule): Added. |
| (InjectedScript.prototype.injectModule): |
| (InjectedScript.prototype._evaluateOn): |
| (InjectedScript.CommandLineAPI): Added. |
| (InjectedScript.prototype.module): Deleted. |
| (InjectedScript.prototype._savedResult): Deleted. |
| (bind): Deleted. |
| (BasicCommandLineAPI): Deleted. |
| (clear): Deleted. |
| (table): Deleted. |
| (profile): Deleted. |
| (profileEnd): Deleted. |
| (keys): Deleted. |
| (values): Deleted. |
| (queryInstances): Deleted. |
| (queryObjects): Deleted. |
| (queryHolders): Deleted. |
| |
| 2019-08-23 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Remove MaximalFlushInsertionPhase |
| https://bugs.webkit.org/show_bug.cgi?id=201036 |
| |
| Reviewed by Saam Barati. |
| |
| Maximal flush has found too many false positives recently, so we decided it's finally time |
| to remove it instead of hacking it to fix the most recent false positive. |
| |
| The most recent false positive was caused by a LoadVarargs followed by a SetArgumentDefinitely |
| for the argument count that was being flushed in a much later block. Now, since that block was |
| the head of a loop, and there was a SetLocal in the same block to the same variable, this |
| generated a Phi of both values, which then led to the unification of their VariableAccessData |
| in the unification phase. This caused AI to assign the Int52 type to argument count, which |
| broke the AI’s assumption that it should always be an Int32. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleVarargsInlining): |
| * dfg/DFGMaximalFlushInsertionPhase.cpp: Removed. |
| * dfg/DFGMaximalFlushInsertionPhase.h: Removed. |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::compileInThreadImpl): |
| * runtime/Options.cpp: |
| (JSC::recomputeDependentOptions): |
| * runtime/Options.h: |
| |
| 2019-08-23 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Unreviewed WinCairo build fix following r249058. |
| |
| * API/tests/testapi.cpp: |
| (TestAPI::callFunction): |
| WinCairo chokes on `JSValueRef args[sizeof...(arguments)]` when there are no arguments, but AppleWin does not... |
| MSVC must have changed somehow. |
| |
| 2019-08-23 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Do not overwrite argument registers in jsCallEntrypoint |
| https://bugs.webkit.org/show_bug.cgi?id=200952 |
| |
| Reviewed by Saam Barati. |
| |
| The c call that we emitted was incorrect. If we had an int argument that was supposed to be placed in GPR0 by this loop, |
| we would clobber it while making the call (among many other possible registers). To fix this, we just inline the call |
| to isWebassemblyHostFunction. |
| |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| |
| 2019-08-23 Ross Kirsling <ross.kirsling@sony.com> |
| |
| JSC should have public API for unhandled promise rejections |
| https://bugs.webkit.org/show_bug.cgi?id=197172 |
| |
| Reviewed by Keith Miller. |
| |
| This patch makes it possible to register a unhandled promise rejection callback via the JSC API. |
| Since there is no event loop in such an environment, this callback fires off of the microtask queue. |
| The callback receives the promise and rejection reason as arguments and its return value is ignored. |
| |
| * API/JSContextRef.cpp: |
| (JSGlobalContextSetUnhandledRejectionCallback): Added. |
| * API/JSContextRefPrivate.h: |
| Add new C++ API call. |
| |
| * API/tests/testapi.cpp: |
| (TestAPI::promiseResolveTrue): Clean up test output. |
| (TestAPI::promiseRejectTrue): Clean up test output. |
| (TestAPI::promiseUnhandledRejection): Added. |
| (TestAPI::promiseUnhandledRejectionFromUnhandledRejectionCallback): Added. |
| (TestAPI::promiseEarlyHandledRejections): Added. |
| (testCAPIViaCpp): |
| Add new C++ API test. |
| |
| * jsc.cpp: |
| (GlobalObject::finishCreation): |
| (functionSetUnhandledRejectionCallback): Added. |
| Add corresponding global to JSC shell. |
| |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::setUnhandledRejectionCallback): Added. |
| (JSC::JSGlobalObject::unhandledRejectionCallback const): Added. |
| Keep a strong reference to the callback. |
| |
| * runtime/JSGlobalObjectFunctions.cpp: |
| (JSC::globalFuncHostPromiseRejectionTracker): |
| Add default behavior. |
| |
| * runtime/VM.cpp: |
| (JSC::VM::callPromiseRejectionCallback): Added. |
| (JSC::VM::didExhaustMicrotaskQueue): Added. |
| (JSC::VM::promiseRejected): Added. |
| (JSC::VM::drainMicrotasks): |
| When microtask queue is exhausted, deal with any pending unhandled rejections |
| (in a manner based on RejectedPromiseTracker's reportUnhandledRejections), |
| then make sure this didn't cause any new microtasks to be added to the queue. |
| |
| * runtime/VM.h: |
| Store unhandled rejections. |
| (This collection will always be empty in the presence of WebCore.) |
| |
| 2019-08-22 Mark Lam <mark.lam@apple.com> |
| |
| VirtualRegister::dump() can use more informative CallFrame header slot names. |
| https://bugs.webkit.org/show_bug.cgi?id=201062 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| For example, it currently dumps head3 instead of callee. This patch changes the |
| dump as follows (for 64-bit addressing): |
| head0 => callerFrame |
| head1 => returnPC |
| head2 => codeBlock |
| head3 => callee |
| head4 => argumentCount |
| |
| Now, one might be wondering when would bytecode ever access callerFrame and |
| returnPC? The answer is never. However, I don't think its the role of the |
| dumper to catch a bug where these header slots are being used. The dumper's role |
| is to clearly report them so that we can see that these unexpected values are |
| being used. |
| |
| * bytecode/VirtualRegister.cpp: |
| (JSC::VirtualRegister::dump const): |
| |
| 2019-08-22 Andy Estes <aestes@apple.com> |
| |
| [watchOS] Disable Content Filtering in the simulator build |
| https://bugs.webkit.org/show_bug.cgi?id=201047 |
| |
| Reviewed by Tim Horton. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-08-22 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [GTK][WPE] Fixes for non-unified builds after r248547 |
| https://bugs.webkit.org/show_bug.cgi?id=201044 |
| |
| Reviewed by Philippe Normand. |
| |
| * b3/B3ReduceLoopStrength.cpp: Add missing inclusions of B3BasicBlockInlines.h, |
| B3InsertionSet.h, and B3NaturalLoops.h |
| * wasm/WasmOMGForOSREntryPlan.h: Include WasmCallee.h instead of forward-declaring |
| BBQCallee in order to avoid build failure due to incomplete definition on template |
| expansions. |
| |
| 2019-08-22 Justin Michaud <justin_michaud@apple.com> |
| |
| Add missing exception check in canonicalizeLocaleList |
| https://bugs.webkit.org/show_bug.cgi?id=201021 |
| |
| Reviewed by Mark Lam. |
| |
| * runtime/IntlObject.cpp: |
| (JSC::canonicalizeLocaleList): |
| |
| 2019-08-17 Darin Adler <darin@apple.com> |
| |
| Use makeString and multi-argument StringBuilder::append instead of less efficient multiple appends |
| https://bugs.webkit.org/show_bug.cgi?id=200862 |
| |
| Reviewed by Ryosuke Niwa. |
| |
| * runtime/ExceptionHelpers.cpp: |
| (JSC::createUndefinedVariableError): Got rid of unnecessary local variable. |
| (JSC::notAFunctionSourceAppender): Use single append instead of multiple. |
| Eliminate unneeded and unconventional use of makeString on a single string literal. |
| (JSC::invalidParameterInstanceofNotFunctionSourceAppender): Ditto. |
| (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender): Ditto. |
| (JSC::createInvalidFunctionApplyParameterError): Ditto. |
| (JSC::createInvalidInParameterError): Ditto. |
| (JSC::createInvalidInstanceofParameterErrorNotFunction): Ditto. |
| (JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction): Ditto. |
| |
| * runtime/FunctionConstructor.cpp: |
| (JSC::constructFunctionSkippingEvalEnabledCheck): Use single append instead of multiple. |
| * runtime/Options.cpp: |
| (JSC::Options::dumpOption): Ditto. |
| * runtime/TypeProfiler.cpp: |
| (JSC::TypeProfiler::typeInformationForExpressionAtOffset): Ditto. |
| * runtime/TypeSet.cpp: |
| (JSC::StructureShape::stringRepresentation): Ditto. Also use a modern for loop. |
| |
| 2019-08-21 Mark Lam <mark.lam@apple.com> |
| |
| Wasm::FunctionParser is failing to enforce maxFunctionLocals. |
| https://bugs.webkit.org/show_bug.cgi?id=201016 |
| <rdar://problem/54579911> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Currently, Wasm::FunctionParser is allowing |
| |
| maxFunctionParams + maxFunctionLocals * maxFunctionLocals |
| |
| ... locals, which is 0x9502FCE8. It should be enforcing max locals of |
| maxFunctionLocals instead. |
| |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parse): |
| |
| 2019-08-21 Michael Saboff <msaboff@apple.com> |
| |
| [JSC] incorrent JIT lead to StackOverflow |
| https://bugs.webkit.org/show_bug.cgi?id=197823 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| Added stack overflow check to the bound function thunk generator. Added a new C++ operation |
| throwStackOverflowErrorFromThunk() to throw the error. |
| |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/ThunkGenerators.cpp: |
| (JSC::boundThisNoArgsFunctionCallGenerator): |
| |
| 2019-08-21 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Page: re-add enable/disable after r248454 |
| https://bugs.webkit.org/show_bug.cgi?id=200947 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| We shouldn't design the agent system with only Web Inspector in mind. Other clients may want |
| to have different functionality, not being told about frames creation/updates/destruction. |
| In these cases, we should have graceful error message failures for other agents that rely on |
| the Page agent. |
| |
| * inspector/protocol/Page.json: |
| |
| 2019-08-20 Justin Michaud <justin_michaud@apple.com> |
| |
| Identify memcpy loops in b3 |
| https://bugs.webkit.org/show_bug.cgi?id=200181 |
| |
| Reviewed by Saam Barati. |
| |
| Add a new pass in B3 to identify one type of forward byte copy loop and replace it with a call to a custom version of memcpy |
| that will not cause GC tearing and have the correct behaviour when overlapping regions are passed in. |
| |
| Microbenchmarks show memcpy-typed-loop-large is about 6x faster, and everything else is neutral. The optimization is disabled |
| on arm for now, until we add a memcpy implementation for it. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * b3/B3Generate.cpp: |
| (JSC::B3::generateToAir): |
| * b3/B3ReduceLoopStrength.cpp: Added. |
| (JSC::B3::fastForwardCopy32): |
| (JSC::B3::ReduceLoopStrength::AddrInfo::appendAddr): |
| (JSC::B3::ReduceLoopStrength::ReduceLoopStrength): |
| (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy): |
| (JSC::B3::ReduceLoopStrength::hoistValue): |
| (JSC::B3::ReduceLoopStrength::run): |
| (JSC::B3::reduceLoopStrength): |
| * b3/B3ReduceLoopStrength.h: Added. |
| * b3/testb3.h: |
| * b3/testb3_1.cpp: |
| (run): |
| * b3/testb3_8.cpp: |
| (testFastForwardCopy32): |
| (testByteCopyLoop): |
| (testByteCopyLoopStartIsLoopDependent): |
| (testByteCopyLoopBoundIsLoopDependent): |
| (addCopyTests): |
| |
| 2019-08-20 Devin Rousso <drousso@apple.com> |
| |
| Unreviewed, speculative build fix for High Sierra after r248925 |
| |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::HeapHolderFinder::dump): |
| |
| 2019-08-20 Mark Lam <mark.lam@apple.com> |
| |
| Remove superfluous size argument to allocateCell() for fixed size objects. |
| https://bugs.webkit.org/show_bug.cgi?id=200958 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The size is already automatically computed by the allocateCell() template's default |
| arguments. Removing these superfluous arguments will make it easier for us to |
| grep for cases where we do allocate variable size cells (for later analysis work). |
| |
| * jsc.cpp: |
| (JSC::Masquerader::create): |
| (JSCMemoryFootprint::create): |
| * tools/JSDollarVM.cpp: |
| (JSC::JSDollarVMCallFrame::create): |
| (JSC::Element::create): |
| (JSC::Root::create): |
| (JSC::SimpleObject::create): |
| (JSC::ImpureGetter::create): |
| (JSC::CustomGetter::create): |
| (JSC::DOMJITNode::create): |
| (JSC::DOMJITGetter::create): |
| (JSC::DOMJITGetterComplex::create): |
| (JSC::DOMJITFunctionObject::create): |
| (JSC::DOMJITCheckSubClassObject::create): |
| (JSC::DOMJITGetterBaseJSObject::create): |
| (JSC::JSTestCustomGetterSetter::create): |
| (JSC::WasmStreamingParser::create): |
| |
| 2019-08-20 Mark Lam <mark.lam@apple.com> |
| |
| JSBigInt::m_length should be immutable. |
| https://bugs.webkit.org/show_bug.cgi?id=200956 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This is because the JSBigInt cell size is allocated with that length. Changing |
| the length after construction does not change the size of the cell, and hence, |
| makes no sense. |
| |
| This patch removes the setLength() method, and decorates the m_length field with |
| const to enforce that it is immutable after construction. |
| |
| * runtime/JSBigInt.h: |
| |
| 2019-08-20 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Implement `queryHolders` Command Line API |
| https://bugs.webkit.org/show_bug.cgi?id=200458 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Call `queryHolders(object)` from the Console to return an array of objects that strongly |
| reference the given `object`. This could be very useful for finding JavaScript "leaks". |
| |
| * inspector/InjectedScriptSource.js: |
| (queryHolders): Added. |
| * inspector/JSInjectedScriptHost.h: |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::HeapHolderFinder::HeapHolderFinder): Added. |
| (Inspector::HeapHolderFinder::holders): Added. |
| (Inspector::HeapHolderFinder::analyzeEdge): Added. |
| (Inspector::HeapHolderFinder::analyzePropertyNameEdge): Added. |
| (Inspector::HeapHolderFinder::analyzeVariableNameEdge): Added. |
| (Inspector::HeapHolderFinder::analyzeIndexEdge): Added. |
| (Inspector::HeapHolderFinder::analyzeNode): Added. |
| (Inspector::HeapHolderFinder::setOpaqueRootReachabilityReasonForCell): Added. |
| (Inspector::HeapHolderFinder::setWrappedObjectForCell): Added. |
| (Inspector::HeapHolderFinder::setLabelForCell): Added. |
| (Inspector::HeapHolderFinder::dump): Added. |
| (Inspector::JSInjectedScriptHost::queryHolders): Added. |
| * inspector/JSInjectedScriptHostPrototype.cpp: |
| (Inspector::JSInjectedScriptHostPrototype::finishCreation): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionQueryHolders): Added. |
| |
| * heap/HeapAnalyzer.h: Added. |
| Create an abstract base class for analyzing the Heap during a GC. Rather than create an |
| entire `HeapSnapshot` for `queryHolders`, the `HeapHolderFinder` can just walk the Heap and |
| only save the information it needs to determine the holders of the given `object`. |
| |
| * heap/Heap.h: |
| * heap/Heap.cpp: |
| (JSC::Heap::isAnalyzingHeap const): Added. |
| (JSC::GatherExtraHeapData::GatherExtraHeapData): Added. |
| (JSC::GatherExtraHeapData::operator() const): Added. |
| (JSC::Heap::gatherExtraHeapData): Added. |
| (JSC::Heap::didFinishCollection): Added. |
| (JSC::Heap::isHeapSnapshotting const): Deleted. |
| (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData): Deleted. |
| (JSC::GatherHeapSnapshotData::operator() const): Deleted. |
| (JSC::Heap::gatherExtraHeapSnapshotData): Deleted. |
| * heap/SlotVisitor.h: |
| (JSC::SlotVisitor::isAnalyzingHeap const): Added. |
| (JSC::SlotVisitor::heapAnalyzer const): Added. |
| (JSC::SlotVisitor::isBuildingHeapSnapshot const): Deleted. |
| (JSC::SlotVisitor::heapSnapshotBuilder const): Deleted. |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::didStartMarking): |
| (JSC::SlotVisitor::reset): |
| (JSC::SlotVisitor::appendSlow): |
| (JSC::SlotVisitor::visitChildren): |
| * heap/SlotVisitorInlines.h: |
| (JSC::SlotVisitor::appendUnbarriered): |
| * heap/WeakBlock.cpp: |
| (JSC::WeakBlock::specializedVisit): |
| * runtime/Structure.cpp: |
| (JSC::Structure::visitChildren): |
| Rename `HeapAnalyzer` functions to be less specific to building a `HeapSnapshot`. |
| |
| * heap/HeapProfiler.h: |
| (JSC::HeapProfiler::activeHeapAnalyzer const): Added. |
| (JSC::HeapProfiler::activeSnapshotBuilder const): Deleted. |
| * heap/HeapProfiler.cpp: |
| (JSC::HeapProfiler::setActiveHeapAnalyzer): Added. |
| (JSC::HeapProfiler::setActiveSnapshotBuilder): Deleted. |
| * heap/HeapSnapshotBuilder.h: |
| * heap/HeapSnapshotBuilder.cpp: |
| (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder): |
| (JSC::HeapSnapshotBuilder::buildSnapshot): |
| (JSC::HeapSnapshotBuilder::analyzeNode): Added. |
| (JSC::HeapSnapshotBuilder::analyzeEdge): Added. |
| (JSC::HeapSnapshotBuilder::analyzePropertyNameEdge): Added. |
| (JSC::HeapSnapshotBuilder::analyzeVariableNameEdge): Added. |
| (JSC::HeapSnapshotBuilder::analyzeIndexEdge): Added. |
| (JSC::HeapSnapshotBuilder::appendNode): Deleted. |
| (JSC::HeapSnapshotBuilder::appendEdge): Deleted. |
| (JSC::HeapSnapshotBuilder::appendPropertyNameEdge): Deleted. |
| (JSC::HeapSnapshotBuilder::appendVariableNameEdge): Deleted. |
| (JSC::HeapSnapshotBuilder::appendIndexEdge): Deleted. |
| |
| * inspector/InjectedScriptManager.h: |
| * inspector/agents/InspectorRuntimeAgent.cpp: |
| |
| * runtime/ClassInfo.h: |
| * runtime/JSCell.h: |
| * runtime/JSCell.cpp: |
| (JSC::JSCell::analyzeHeap): Added. |
| (JSC::JSCell::heapSnapshot): Deleted. |
| * runtime/JSLexicalEnvironment.h: |
| * runtime/JSLexicalEnvironment.cpp: |
| (JSC::JSLexicalEnvironment::analyzeHeap): Added. |
| (JSC::JSLexicalEnvironment::heapSnapshot): Deleted. |
| * runtime/JSObject.h: |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::analyzeHeap): Added. |
| (JSC::JSObject::heapSnapshot): Deleted. |
| * runtime/JSSegmentedVariableObject.h: |
| * runtime/JSSegmentedVariableObject.cpp: |
| (JSC::JSSegmentedVariableObject::analyzeHeap): Added. |
| (JSC::JSSegmentedVariableObject::heapSnapshot): Deleted. |
| Rename `heapSnapshot` to `analyzeHeap`. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| |
| 2019-08-20 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Enable by default |
| https://bugs.webkit.org/show_bug.cgi?id=200931 |
| |
| Reviewed by Saam Barati. |
| |
| * runtime/Options.h: |
| |
| 2019-08-20 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Array.prototype.toString should not get "join" function each time |
| https://bugs.webkit.org/show_bug.cgi?id=200905 |
| |
| Reviewed by Mark Lam. |
| |
| We avoid looking up `join` every time Array#toString is called. This patch implements the most profitable and easy |
| case first as we are doing optimization for Array#slice: non-modified original Array. Configuring watchpoint for |
| Array.prototype.join change and use this information and structure information to determine whether `join` lookup |
| in Array.prototype.toString is unnecessary. This improves JetStream2/3d-raytrace-SP score by 1.6% |
| |
| ToT: 363.56 |
| Patched: 369.26 |
| |
| This patch also renames InlineWatchpointSet fields from Watchpoint to WatchpointSet since they are not Watchpoint. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicCall): |
| * dfg/DFGGraph.h: |
| (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint): |
| (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::speciesWatchpointIsValid): |
| (JSC::canUseDefaultArrayJoinForToString): |
| (JSC::arrayProtoFuncToString): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::JSGlobalObject): |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::arrayIteratorProtocolWatchpointSet): |
| (JSC::JSGlobalObject::mapIteratorProtocolWatchpointSet): |
| (JSC::JSGlobalObject::setIteratorProtocolWatchpointSet): |
| (JSC::JSGlobalObject::stringIteratorProtocolWatchpointSet): |
| (JSC::JSGlobalObject::mapSetWatchpointSet): |
| (JSC::JSGlobalObject::setAddWatchpointSet): |
| (JSC::JSGlobalObject::arraySpeciesWatchpointSet): |
| (JSC::JSGlobalObject::arrayJoinWatchpointSet): |
| (JSC::JSGlobalObject::numberToStringWatchpointSet): |
| (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint): Deleted. |
| (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint): Deleted. |
| (JSC::JSGlobalObject::setIteratorProtocolWatchpoint): Deleted. |
| (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint): Deleted. |
| (JSC::JSGlobalObject::mapSetWatchpoint): Deleted. |
| (JSC::JSGlobalObject::setAddWatchpoint): Deleted. |
| (JSC::JSGlobalObject::arraySpeciesWatchpoint): Deleted. |
| (JSC::JSGlobalObject::numberToStringWatchpoint): Deleted. |
| * runtime/JSGlobalObjectInlines.h: |
| (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable): |
| (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable): |
| (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable): |
| (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable): |
| (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable): |
| (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable): |
| |
| 2019-08-20 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Web Inspector: Support for JavaScript BigInt |
| https://bugs.webkit.org/show_bug.cgi?id=180731 |
| <rdar://problem/36298748> |
| |
| Reviewed by Devin Rousso. |
| |
| * inspector/InjectedScriptSource.js: |
| (toStringDescription): |
| (isSymbol): |
| (isBigInt): |
| (let.InjectedScript.prototype._fallbackWrapper): |
| (let.RemoteObject): |
| (let.RemoteObject.subtype): |
| (let.RemoteObject.describe): |
| (let.RemoteObject.prototype._appendPropertyPreviews): |
| (let.RemoteObject.set _isPreviewableObjectInternal): |
| (let.RemoteObject.prototype._isPreviewableObject.set add): |
| * inspector/protocol/Runtime.json: |
| New RemoteObject type and preview support. |
| |
| * runtime/RuntimeType.cpp: |
| (JSC::runtimeTypeForValue): |
| (JSC::runtimeTypeAsString): |
| * runtime/RuntimeType.h: |
| * runtime/TypeSet.cpp: |
| (JSC::TypeSet::displayName const): |
| (JSC::TypeSet::inspectorTypeSet const): |
| New type for the type profiler. |
| |
| * heap/HeapSnapshotBuilder.cpp: |
| (JSC::HeapSnapshotBuilder::json): |
| * inspector/agents/InspectorHeapAgent.cpp: |
| (Inspector::InspectorHeapAgent::getPreview): |
| * runtime/JSBigInt.cpp: |
| (JSC::JSBigInt::toString): |
| (JSC::JSBigInt::tryGetString): |
| (JSC::JSBigInt::toStringBasePowerOfTwo): |
| (JSC::JSBigInt::toStringGeneric): |
| * runtime/JSBigInt.h: |
| BigInts are not tied to a GlobalObject, so provide a way to get a |
| String for HeapSnapshot previews that are not tied to an ExecState. |
| |
| 2019-08-19 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Debugger: add a global breakpoint for pausing in the next microtask |
| https://bugs.webkit.org/show_bug.cgi?id=200652 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/Debugger.json: |
| Add `setPauseOnMicrotasks` command. |
| |
| * inspector/agents/InspectorDebuggerAgent.h: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::disable): |
| (Inspector::InspectorDebuggerAgent::setPauseOnMicrotasks): Added. |
| (Inspector::InspectorDebuggerAgent::willRunMicrotask): Added. |
| (Inspector::InspectorDebuggerAgent::didRunMicrotask): Added. |
| |
| * debugger/Debugger.h: |
| (JSC::Debugger::willRunMicrotask): Added. |
| (JSC::Debugger::didRunMicrotask): Added. |
| * inspector/ScriptDebugListener.h: |
| * inspector/ScriptDebugServer.h: |
| * inspector/ScriptDebugServer.cpp: |
| (Inspector::ScriptDebugServer::evaluateBreakpointAction): |
| (Inspector::ScriptDebugServer::sourceParsed): |
| (Inspector::ScriptDebugServer::willRunMicrotask): Added. |
| (Inspector::ScriptDebugServer::didRunMicrotask): Added. |
| (Inspector::ScriptDebugServer::canDispatchFunctionToListeners const): ADded. |
| (Inspector::ScriptDebugServer::dispatchFunctionToListeners): ADded. |
| (Inspector::ScriptDebugServer::handlePause): |
| (Inspector::ScriptDebugServer::dispatchDidPause): Deleted. |
| (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Deleted. |
| (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Deleted. |
| (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Deleted. |
| (Inspector::ScriptDebugServer::dispatchDidContinue): Deleted. |
| (Inspector::ScriptDebugServer::dispatchDidParseSource): Deleted. |
| (Inspector::ScriptDebugServer::dispatchFailedToParseSource): Deleted. |
| Unify the various `dispatch*` functions to use lambdas so state management is centralized. |
| |
| * runtime/JSMicrotask.cpp: |
| (JSC::JSMicrotask::run): |
| |
| * inspector/agents/JSGlobalObjectDebuggerAgent.h: |
| |
| 2019-08-19 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Debugger: pause on assertion failures breakpoint doesn't work when inspecting a JSContext |
| https://bugs.webkit.org/show_bug.cgi?id=200874 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel): |
| |
| 2019-08-19 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Proxy constructor should throw if handler is revoked Proxy |
| https://bugs.webkit.org/show_bug.cgi?id=198755 |
| |
| Reviewed by Saam Barati. |
| |
| Reword error message and check if handler is revoked Proxy. |
| (step 4 of https://tc39.es/ecma262/#sec-proxycreate) |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::finishCreation): Add isRevoked check. |
| |
| 2019-08-19 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] OSR entry to Wasm OMG |
| https://bugs.webkit.org/show_bug.cgi?id=200362 |
| |
| Reviewed by Michael Saboff. |
| |
| This patch implements Wasm OSR entry mechanism from BBQ tier to OMG tier. |
| We found that one of JetStream2 test heavily relies on OSR entry feature. gcc-loops-wasm consumes |
| most of time in BBQ tier since one of the function takes significantly long time. And since we did |
| not have OSR entry feature, we cannot use OMG function until that BBQ function finishes. |
| |
| To implement Wasm OSR feature, we first capture all locals and stacks in the patchpoint to generate |
| the stackmap. Once the threshold is crossed, the patchpoint calls `MacroAssembler::probe` feature to |
| capture whole register context, and C++ runtime function reads stackmap and Probe::Context to perform |
| OSR entry. This patch intentionally makes OSR entry written in C++ runtime side as much as possible |
| to make it easily reusable for the other tiers. For example, we are planning to introduce Wasm interpreter, |
| and it can easily use this tier-up function. Because of this simplicity, this generic implementation can |
| cover both BBQ Air and BBQ B3 tier-up features. So, in the feature, it is possible that we revive BBQ B3, |
| and construct the wasm pipeline like, interpreter->BBQ B3->OMG B3. |
| |
| To generate OMG code for OSR entry, we add a new mode OMGForOSREntry, which mimics the FTLForOSREntry. |
| In FTLForOSREntry, we cut unrelated blocks including the usual entry point in DFG tier and later convert |
| graph to SSA. This is possible because DFG is not SSA. On the other hand, B3 is SSA and we cannot take the |
| same thing without a hack. |
| |
| This patch introduce a hack: making all wasm locals and stack values B3::Variable for OMGForOSREntry mode. |
| Then, we can cut blocks easily and we can generate the B3 graph without doing reachability analysis from the |
| OSR entry point. B3 will remove unreachable blocks later. |
| |
| Tier-up function mimics DFG->FTL OSR entry heuristics and threshold as much as possible. And this patch adjusts |
| the tier-up count threshold to make it close to DFG->FTL ones. Wasm tier-up is now using ExecutionCounter, which |
| is inherited from Wasm::TierUpCount. Since wasm can execute concurrently, the tier-up counter can be racily updated. |
| But this is OK in practice. Even if we see some more tier-up function calls or tier-up function calls are delayed, |
| the critical part is guarded by a lock in tier-up function. |
| |
| In iMac Pro, it shows ~4x runtime improvement for gcc-loops-wasm. On iOS device (iPhone XR), we saw ~2x improvement. |
| |
| ToT: |
| HashSet-wasm:Score: 24.6pt stdev=4.6% |
| :Time:Geometric: 204ms stdev=4.4% |
| Runtime:Time: 689ms stdev=1.0% |
| Startup:Time: 60.3ms stdev=8.4% |
| gcc-loops-wasm:Score: 8.41pt stdev=6.7% |
| :Time:Geometric: 597ms stdev=6.5% |
| Runtime:Time: 8.509s stdev=0.7% |
| Startup:Time: 42ms stdev=12.4% |
| quicksort-wasm:Score: 347pt stdev=20.9% |
| :Time:Geometric: 15ms stdev=18.6% |
| Runtime:Time: 28.2ms stdev=7.9% |
| Startup:Time: 8.2ms stdev=35.0% |
| richards-wasm:Score: 77.6pt stdev=4.5% |
| :Time:Geometric: 64.6ms stdev=4.4% |
| Runtime:Time: 544ms stdev=3.3% |
| Startup:Time: 7.67ms stdev=6.7% |
| tsf-wasm:Score: 47.9pt stdev=4.5% |
| :Time:Geometric: 104ms stdev=4.8% |
| Runtime:Time: 259ms stdev=4.4% |
| Startup:Time: 42.2ms stdev=8.5% |
| |
| Patched: |
| HashSet-wasm:Score: 24.1pt stdev=4.1% |
| :Time:Geometric: 208ms stdev=4.1% |
| Runtime:Time: 684ms stdev=1.1% |
| Startup:Time: 63.2ms stdev=8.1% |
| gcc-loops-wasm:Score: 15.7pt stdev=5.1% |
| :Time:Geometric: 319ms stdev=5.3% |
| Runtime:Time: 2.491s stdev=0.7% |
| Startup:Time: 41ms stdev=11.0% |
| quicksort-wasm:Score: 353pt stdev=13.7% |
| :Time:Geometric: 14ms stdev=12.7% |
| Runtime:Time: 26.2ms stdev=2.9% |
| Startup:Time: 8.0ms stdev=23.7% |
| richards-wasm:Score: 77.4pt stdev=5.3% |
| :Time:Geometric: 64.7ms stdev=5.3% |
| Runtime:Time: 536ms stdev=1.5% |
| Startup:Time: 7.83ms stdev=9.6% |
| tsf-wasm:Score: 47.3pt stdev=5.7% |
| :Time:Geometric: 106ms stdev=6.1% |
| Runtime:Time: 250ms stdev=3.5% |
| Startup:Time: 45ms stdev=13.8% |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::branchAdd32): |
| * b3/B3ValueRep.h: |
| * bytecode/CodeBlock.h: |
| * bytecode/ExecutionCounter.cpp: |
| (JSC::applyMemoryUsageHeuristics): |
| (JSC::ExecutionCounter<countingVariant>::setThreshold): |
| * bytecode/ExecutionCounter.h: |
| (JSC::ExecutionCounter::clippedThreshold): |
| * dfg/DFGJITCode.h: |
| * dfg/DFGOperations.cpp: |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::prologueStackPointerDelta): |
| * runtime/Options.h: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::createStack): |
| (JSC::Wasm::AirIRGenerator::emitPatchpoint): |
| (JSC::Wasm::AirIRGenerator::outerLoopIndex const): |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck): |
| (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::AirIRGenerator::addLoop): |
| (JSC::Wasm::AirIRGenerator::addElse): |
| (JSC::Wasm::AirIRGenerator::addBranch): |
| (JSC::Wasm::AirIRGenerator::addSwitch): |
| (JSC::Wasm::AirIRGenerator::endBlock): |
| (JSC::Wasm::AirIRGenerator::addEndToUnreachable): |
| (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock): |
| (JSC::Wasm::AirIRGenerator::dump): |
| (JSC::Wasm::AirIRGenerator::emitTierUpCheck): Deleted. |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::Stack::Stack): |
| (JSC::Wasm::B3IRGenerator::Stack::append): |
| (JSC::Wasm::B3IRGenerator::Stack::takeLast): |
| (JSC::Wasm::B3IRGenerator::Stack::last): |
| (JSC::Wasm::B3IRGenerator::Stack::size const): |
| (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): |
| (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): |
| (JSC::Wasm::B3IRGenerator::Stack::at const): |
| (JSC::Wasm::B3IRGenerator::Stack::variableAt const): |
| (JSC::Wasm::B3IRGenerator::Stack::shrink): |
| (JSC::Wasm::B3IRGenerator::Stack::swap): |
| (JSC::Wasm::B3IRGenerator::Stack::dump const): |
| (JSC::Wasm::B3IRGenerator::createStack): |
| (JSC::Wasm::B3IRGenerator::outerLoopIndex const): |
| (JSC::Wasm::B3IRGenerator::B3IRGenerator): |
| (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck): |
| (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::B3IRGenerator::addLoop): |
| (JSC::Wasm::B3IRGenerator::addElse): |
| (JSC::Wasm::B3IRGenerator::addBranch): |
| (JSC::Wasm::B3IRGenerator::addSwitch): |
| (JSC::Wasm::B3IRGenerator::endBlock): |
| (JSC::Wasm::B3IRGenerator::addEndToUnreachable): |
| (JSC::Wasm::B3IRGenerator::unifyValuesWithBlock): |
| (JSC::Wasm::B3IRGenerator::dump): |
| (JSC::Wasm::parseAndCompile): |
| (JSC::Wasm::B3IRGenerator::emitTierUpCheck): Deleted. |
| (JSC::Wasm::dumpExpressionStack): Deleted. |
| * wasm/WasmB3IRGenerator.h: |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::compileFunctions): |
| * wasm/WasmBBQPlan.h: |
| * wasm/WasmBBQPlanInlines.h: |
| (JSC::Wasm::BBQPlan::initializeCallees): |
| * wasm/WasmCallee.h: |
| * wasm/WasmCodeBlock.cpp: |
| (JSC::Wasm::CodeBlock::CodeBlock): |
| * wasm/WasmCodeBlock.h: |
| (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace): |
| (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace): |
| (JSC::Wasm::CodeBlock::tierUpCount): Deleted. |
| * wasm/WasmCompilationMode.cpp: |
| (JSC::Wasm::makeString): |
| * wasm/WasmCompilationMode.h: |
| * wasm/WasmContext.cpp: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.cpp. |
| (JSC::Wasm::Context::scratchBufferForSize): |
| * wasm/WasmContext.h: |
| * wasm/WasmContextInlines.h: |
| (JSC::Wasm::Context::tryLoadInstanceFromTLS): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::FunctionParser): |
| (JSC::Wasm::FunctionParser<Context>::parseBody): |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| * wasm/WasmOMGForOSREntryPlan.cpp: Copied from Source/JavaScriptCore/wasm/WasmOMGPlan.cpp. |
| (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan): |
| (JSC::Wasm::OMGForOSREntryPlan::work): |
| * wasm/WasmOMGForOSREntryPlan.h: Copied from Source/JavaScriptCore/wasm/WasmOMGPlan.h. |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| (JSC::Wasm::OMGPlan::runForIndex): Deleted. |
| * wasm/WasmOMGPlan.h: |
| * wasm/WasmOSREntryData.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h. |
| (JSC::Wasm::OSREntryValue::OSREntryValue): |
| (JSC::Wasm::OSREntryValue::type const): |
| (JSC::Wasm::OSREntryData::OSREntryData): |
| (JSC::Wasm::OSREntryData::functionIndex const): |
| (JSC::Wasm::OSREntryData::loopIndex const): |
| (JSC::Wasm::OSREntryData::values): |
| * wasm/WasmOperations.cpp: Added. |
| (JSC::Wasm::shouldTriggerOMGCompile): |
| (JSC::Wasm::triggerOMGReplacementCompile): |
| (JSC::Wasm::doOSREntry): |
| (JSC::Wasm::triggerOSREntryNow): |
| (JSC::Wasm::triggerTierUpNow): |
| * wasm/WasmOperations.h: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.h. |
| * wasm/WasmThunks.cpp: |
| (JSC::Wasm::triggerOMGEntryTierUpThunkGenerator): |
| (JSC::Wasm::triggerOMGTierUpThunkGenerator): Deleted. |
| * wasm/WasmThunks.h: |
| * wasm/WasmTierUpCount.cpp: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.cpp. |
| (JSC::Wasm::TierUpCount::TierUpCount): |
| (JSC::Wasm::TierUpCount::addOSREntryData): |
| * wasm/WasmTierUpCount.h: |
| (JSC::Wasm::TierUpCount::loopIncrement): |
| (JSC::Wasm::TierUpCount::functionEntryIncrement): |
| (JSC::Wasm::TierUpCount::osrEntryTriggers): |
| (JSC::Wasm::TierUpCount::outerLoops): |
| (JSC::Wasm::TierUpCount::getLock): |
| (JSC::Wasm::TierUpCount::optimizeAfterWarmUp): |
| (JSC::Wasm::TierUpCount::checkIfOptimizationThresholdReached): |
| (JSC::Wasm::TierUpCount::dontOptimizeAnytimeSoon): |
| (JSC::Wasm::TierUpCount::optimizeNextInvocation): |
| (JSC::Wasm::TierUpCount::optimizeSoon): |
| (JSC::Wasm::TierUpCount::setOptimizationThresholdBasedOnCompilationResult): |
| (JSC::Wasm::TierUpCount::TierUpCount): Deleted. |
| (JSC::Wasm::TierUpCount::loopDecrement): Deleted. |
| (JSC::Wasm::TierUpCount::functionEntryDecrement): Deleted. |
| (JSC::Wasm::TierUpCount::shouldStartTierUp): Deleted. |
| (JSC::Wasm::TierUpCount::count): Deleted. |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::createStack): |
| (JSC::Wasm::Validate::addLoop): |
| (JSC::Wasm::Validate::addElse): |
| (JSC::Wasm::Validate::checkBranchTarget): |
| (JSC::Wasm::Validate::addBranch): |
| (JSC::Wasm::Validate::addSwitch): |
| (JSC::Wasm::Validate::endBlock): |
| (JSC::Wasm::Validate::unify): |
| (JSC::Wasm::dumpExpressionStack): |
| (JSC::Wasm::Validate::dump): |
| |
| 2019-08-19 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Date.prototype.toJSON throws if toISOString returns an object |
| https://bugs.webkit.org/show_bug.cgi?id=198495 |
| |
| Reviewed by Ross Kirsling. |
| |
| Don't throw TypeError if result of toISOString call is not a primitive. |
| (step 4 of https://tc39.es/ecma262/#sec-date.prototype.tojson) |
| |
| * runtime/DatePrototype.cpp: |
| (JSC::dateProtoFuncToJSON): Remove isObject check. |
| |
| 2019-08-19 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty |
| https://bugs.webkit.org/show_bug.cgi?id=200899 |
| <rdar://problem/54073341> |
| |
| Reviewed by Mark Lam. |
| |
| DFGByteCodeParser attempt to get constant flag for isLittleEndian for DataView get/set. |
| When getting a constant in DFG, we first need to check whether it is JSEmpty. But we are missing |
| this check for DataView get/set optimization. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicCall): |
| |
| 2019-08-19 Tadeu Zagallo <tzagallo@apple.com> |
| |
| JSC tool targets should unlock the keychain before codesigning |
| https://bugs.webkit.org/show_bug.cgi?id=200733 |
| <rdar://problem/54223095> |
| |
| Reviewed by Alexey Proskuryakov. |
| |
| In r245564, we started codesigning JSC tool targets to run the datavault tests |
| in testapi, but we should unlock the keychain first so that it doesn't require |
| the password during builds. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| |
| 2019-08-19 Michael Saboff <msaboff@apple.com> |
| |
| Webkit jsc Crash in RegExp::matchInline (this=<optimized out> |
| https://bugs.webkit.org/show_bug.cgi?id=197090 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Turned the debug JIT assert into falling back to the interpreter. In release builds, that is effectively what we do |
| after exhausting the loop try count. No sense of looping until we exceed the count, as we can exit immediately. |
| |
| * assembler/AbortReason.h: |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::generate): |
| |
| 2019-08-18 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [WTF] Add makeUnique<T>, which ensures T is fast-allocated, makeUnique / makeUniqueWithoutFastMallocCheck part |
| https://bugs.webkit.org/show_bug.cgi?id=200620 |
| |
| Reviewed by Geoff Garen. |
| |
| * API/JSCallbackObject.h: |
| (JSC::JSCallbackObjectData::setPrivateProperty): |
| * API/JSCallbackObjectFunctions.h: |
| (JSC::JSCallbackObject<Parent>::JSCallbackObject): |
| * API/JSClassRef.cpp: |
| (OpaqueJSClassContextData::OpaqueJSClassContextData): |
| (OpaqueJSClass::contextData): |
| * API/JSMarkingConstraintPrivate.cpp: |
| (JSContextGroupAddMarkingConstraint): |
| * API/JSWrapperMap.mm: |
| (-[JSWrapperMap initWithGlobalContextRef:]): |
| * API/ObjCCallbackFunction.mm: |
| (ArgumentTypeDelegate::typeInteger): |
| (ArgumentTypeDelegate::typeDouble): |
| (ArgumentTypeDelegate::typeBool): |
| (ArgumentTypeDelegate::typeId): |
| (ArgumentTypeDelegate::typeOfClass): |
| (ArgumentTypeDelegate::typeStruct): |
| (ResultTypeDelegate::typeInteger): |
| (ResultTypeDelegate::typeDouble): |
| (ResultTypeDelegate::typeBool): |
| (ResultTypeDelegate::typeVoid): |
| (ResultTypeDelegate::typeId): |
| (ResultTypeDelegate::typeOfClass): |
| (ResultTypeDelegate::typeBlock): |
| (ResultTypeDelegate::typeStruct): |
| (objCCallbackFunctionForInvocation): |
| * API/glib/JSCContext.cpp: |
| (jscContextSetVirtualMachine): |
| * API/glib/JSCWrapperMap.cpp: |
| (JSC::WrapperMap::WrapperMap): |
| * assembler/ProbeStack.cpp: |
| (JSC::Probe::Stack::ensurePageFor): |
| * b3/B3LowerToAir.cpp: |
| * b3/B3Procedure.cpp: |
| (JSC::B3::Procedure::Procedure): |
| (JSC::B3::Procedure::dominators): |
| (JSC::B3::Procedure::naturalLoops): |
| (JSC::B3::Procedure::backwardsCFG): |
| (JSC::B3::Procedure::backwardsDominators): |
| (JSC::B3::Procedure::addDataSection): |
| * b3/air/AirCode.cpp: |
| (JSC::B3::Air::Code::cCallSpecial): |
| * b3/air/AirGenerate.cpp: |
| (JSC::B3::Air::prepareForGeneration): |
| * b3/air/testair.cpp: |
| * b3/testb3.h: |
| (compileProc): |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateImpl): |
| * bytecode/AccessCaseSnippetParams.cpp: |
| * bytecode/BytecodeBasicBlock.cpp: |
| (JSC::BytecodeBasicBlock::computeImpl): |
| * bytecode/CallLinkInfo.cpp: |
| (JSC::CallLinkInfo::setFrameShuffleData): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::ensureJITDataSlow): |
| (JSC::CodeBlock::setCalleeSaveRegisters): |
| (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::createRareDataIfNecessary): |
| * bytecode/DFGExitProfile.cpp: |
| (JSC::DFG::ExitProfile::add): |
| * bytecode/DeferredCompilationCallback.cpp: |
| (JSC::DeferredCompilationCallback::ensureDeferredSourceDump): |
| * bytecode/GetByIdStatus.cpp: |
| (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): |
| * bytecode/GetByIdVariant.cpp: |
| (JSC::GetByIdVariant::operator=): |
| * bytecode/LazyOperandValueProfile.cpp: |
| (JSC::CompressedLazyOperandValueProfileHolder::add): |
| * bytecode/PolyProtoAccessChain.h: |
| (JSC::PolyProtoAccessChain::clone): |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::PolymorphicAccess::regenerate): |
| * bytecode/PutByIdStatus.cpp: |
| (JSC::PutByIdStatus::computeForStubInfo): |
| * bytecode/PutByIdVariant.cpp: |
| (JSC::PutByIdVariant::operator=): |
| * bytecode/RecordedStatuses.cpp: |
| (JSC::RecordedStatuses::addCallLinkStatus): |
| (JSC::RecordedStatuses::addGetByIdStatus): |
| (JSC::RecordedStatuses::addPutByIdStatus): |
| (JSC::RecordedStatuses::addInByIdStatus): |
| * bytecode/StructureStubClearingWatchpoint.cpp: |
| (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint): |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::addAccessCase): |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::livenessAnalysisSlow): |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): |
| * bytecode/UnlinkedFunctionExecutable.cpp: |
| (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::generate): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::Graph): |
| (JSC::DFG::Graph::livenessFor): |
| (JSC::DFG::Graph::killsFor): |
| (JSC::DFG::Graph::ensureCPSCFG): |
| (JSC::DFG::Graph::ensureCPSDominators): |
| (JSC::DFG::Graph::ensureSSADominators): |
| (JSC::DFG::Graph::ensureCPSNaturalLoops): |
| (JSC::DFG::Graph::ensureSSANaturalLoops): |
| (JSC::DFG::Graph::ensureBackwardsCFG): |
| (JSC::DFG::Graph::ensureBackwardsDominators): |
| (JSC::DFG::Graph::ensureControlEquivalenceAnalysis): |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::JITCompiler): |
| (JSC::DFG::JITCompiler::link): |
| (JSC::DFG::JITCompiler::compile): |
| (JSC::DFG::JITCompiler::compileFunction): |
| (JSC::DFG::JITCompiler::addressOfDoubleConstant): |
| * dfg/DFGLivenessAnalysisPhase.cpp: |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::compileInThreadImpl): |
| * dfg/DFGSSAConversionPhase.cpp: |
| (JSC::DFG::SSAConversionPhase::run): |
| * dfg/DFGSlowPathGenerator.h: |
| (JSC::DFG::slowPathCall): |
| (JSC::DFG::slowPathMove): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): |
| (JSC::DFG::SpeculativeJIT::arrayify): |
| (JSC::DFG::SpeculativeJIT::compileGetByValOnString): |
| (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): |
| (JSC::DFG::SpeculativeJIT::compileArraySlice): |
| (JSC::DFG::SpeculativeJIT::emitStructureCheck): |
| (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * dfg/DFGWorklist.cpp: |
| (JSC::DFG::Worklist::createNewThread): |
| * disassembler/Disassembler.cpp: |
| (JSC::disassembleAsynchronously): |
| * ftl/FTLAbstractHeap.cpp: |
| (JSC::FTL::IndexedAbstractHeap::atSlow): |
| * ftl/FTLCompile.cpp: |
| (JSC::FTL::compile): |
| * ftl/FTLFail.cpp: |
| (JSC::FTL::fail): |
| * ftl/FTLLink.cpp: |
| (JSC::FTL::link): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath): |
| * ftl/FTLState.cpp: |
| (JSC::FTL::State::State): |
| * heap/CompleteSubspace.cpp: |
| (JSC::CompleteSubspace::allocatorForSlow): |
| * heap/Heap.cpp: |
| (JSC::Heap::Heap): |
| (JSC::Heap::protectedObjectTypeCounts): |
| (JSC::Heap::objectTypeCounts): |
| (JSC::Heap::addCoreConstraints): |
| * heap/HeapInlines.h: |
| * heap/HeapSnapshotBuilder.cpp: |
| (JSC::HeapSnapshotBuilder::buildSnapshot): |
| * heap/IsoCellSet.cpp: |
| (JSC::IsoCellSet::addSlow): |
| * heap/IsoSubspace.cpp: |
| (JSC::IsoSubspace::IsoSubspace): |
| * heap/MarkingConstraintSet.cpp: |
| (JSC::MarkingConstraintSet::add): |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel): |
| (Inspector::JSGlobalObjectConsoleClient::profile): |
| (Inspector::JSGlobalObjectConsoleClient::profileEnd): |
| (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented): |
| * inspector/JSGlobalObjectInspectorController.cpp: |
| (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): |
| (Inspector::JSGlobalObjectInspectorController::reportAPIException): |
| (Inspector::JSGlobalObjectInspectorController::ensureInspectorAgent): |
| (Inspector::JSGlobalObjectInspectorController::ensureDebuggerAgent): |
| (Inspector::JSGlobalObjectInspectorController::createLazyAgents): |
| * inspector/agents/InspectorAgent.cpp: |
| (Inspector::InspectorAgent::InspectorAgent): |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| (Inspector::InspectorConsoleAgent::InspectorConsoleAgent): |
| (Inspector::InspectorConsoleAgent::startTiming): |
| (Inspector::InspectorConsoleAgent::logTiming): |
| (Inspector::InspectorConsoleAgent::stopTiming): |
| (Inspector::InspectorConsoleAgent::count): |
| (Inspector::InspectorConsoleAgent::countReset): |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent): |
| * inspector/agents/InspectorHeapAgent.cpp: |
| (Inspector::InspectorHeapAgent::InspectorHeapAgent): |
| * inspector/agents/InspectorScriptProfilerAgent.cpp: |
| (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent): |
| * inspector/agents/InspectorTargetAgent.cpp: |
| (Inspector::InspectorTargetAgent::InspectorTargetAgent): |
| * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: |
| (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): |
| * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: |
| (Inspector::JSGlobalObjectRuntimeAgent::JSGlobalObjectRuntimeAgent): |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: |
| (Inspector::RemoteInspectorSocketEndpoint::createClient): |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: |
| * inspector/scripts/codegen/objc_generator_templates.py: |
| * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/domain-availability.json-result: |
| * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result: |
| * inspector/scripts/tests/generic/expected/enum-values.json-result: |
| * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: |
| * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: |
| * jit/JIT.cpp: |
| (JSC::JIT::compileWithoutLinking): |
| (JSC::JIT::link): |
| * jit/JITThunks.cpp: |
| (JSC::JITThunks::JITThunks): |
| * jit/Repatch.cpp: |
| (JSC::linkPolymorphicCall): |
| * jsc.cpp: |
| (runJSC): |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::Parser): |
| * parser/Parser.h: |
| (JSC::Scope::pushLabel): |
| (JSC::Parser<LexerType>::parse): |
| * parser/ParserArena.h: |
| (JSC::ParserArena::identifierArena): |
| * profiler/ProfilerCompilation.cpp: |
| (JSC::Profiler::Compilation::executionCounterFor): |
| * runtime/Error.cpp: |
| (JSC::getStackTrace): |
| * runtime/FunctionExecutable.cpp: |
| (JSC::FunctionExecutable::ensureRareDataSlow): |
| * runtime/FunctionRareData.h: |
| (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::createRareDataIfNeeded): |
| * runtime/JSRunLoopTimer.cpp: |
| (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): |
| (JSC::JSRunLoopTimer::Manager::registerVM): |
| * runtime/PropertyMapHashTable.h: |
| (JSC::PropertyTable::addDeletedOffset): |
| * runtime/PropertyTable.cpp: |
| (JSC::PropertyTable::PropertyTable): |
| * runtime/RegExp.cpp: |
| (JSC::RegExp::finishCreation): |
| * runtime/RegExp.h: |
| * runtime/ScriptExecutable.cpp: |
| (JSC::ScriptExecutable::ensureTemplateObjectMapImpl): |
| * runtime/Structure.cpp: |
| (JSC::Structure::ensurePropertyReplacementWatchpointSet): |
| * runtime/StructureRareData.cpp: |
| (JSC::StructureRareData::setObjectToStringValue): |
| * runtime/SymbolTable.cpp: |
| (JSC::SymbolTable::localToEntry): |
| (JSC::SymbolTable::cloneScopePart): |
| (JSC::SymbolTable::prepareForTypeProfiling): |
| (JSC::SymbolTable::setRareDataCodeBlock): |
| * runtime/TypeSet.cpp: |
| (JSC::StructureShape::propertyHash): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| (JSC::VM::ensureHeapProfiler): |
| (JSC::VM::enableTypeProfiler): |
| (JSC::VM::enableControlFlowProfiler): |
| (JSC::VM::queueMicrotask): |
| (JSC::VM::ensureShadowChicken): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::emitPatchpoint): |
| (JSC::Wasm::AirIRGenerator::emitCheck): |
| (JSC::Wasm::parseAndCompileAir): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::parseAndCompile): |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::complete): |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| * wasm/WasmWorklist.cpp: |
| (JSC::Wasm::Worklist::Worklist): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * yarr/YarrInterpreter.cpp: |
| (JSC::Yarr::ByteCompiler::compile): |
| (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd): |
| (JSC::Yarr::ByteCompiler::regexBegin): |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::compile): |
| * yarr/YarrPattern.cpp: |
| (JSC::Yarr::CharacterClassConstructor::charClass): |
| (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor): |
| (JSC::Yarr::YarrPatternConstructor::resetForReparsing): |
| (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin): |
| (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin): |
| (JSC::Yarr::YarrPatternConstructor::copyDisjunction): |
| (JSC::Yarr::anycharCreate): |
| * yarr/YarrPattern.h: |
| (JSC::Yarr::PatternDisjunction::addNewAlternative): |
| * yarr/create_regex_tables: |
| * yarr/generateYarrUnicodePropertyTables.py: |
| |
| 2019-08-18 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Correct a->an in error messages and API docblocks |
| https://bugs.webkit.org/show_bug.cgi?id=200833 |
| |
| Reviewed by Don Olmstead. |
| |
| * API/JSObjectRef.h: |
| * builtins/PromiseConstructor.js: |
| (race): |
| (reject): |
| (resolve): |
| * builtins/PromisePrototype.js: |
| (finally): |
| * jsc.cpp: |
| (functionAsyncTestStart): |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseIfStatement): |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseResizableLimits): |
| |
| 2019-08-17 Darin Adler <darin@apple.com> |
| |
| Tidy up checks to see if a character is in the Latin-1 range by using isLatin1 consistently |
| https://bugs.webkit.org/show_bug.cgi?id=200861 |
| |
| Reviewed by Ross Kirsling. |
| |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::record8): Use isLatin1. |
| (JSC::assertCharIsIn8BitRange): Deleted. Can just assert isLatin1 directly. |
| (JSC::Lexer<T>::append8): Assert isLatin1 directly. |
| (JSC::characterRequiresParseStringSlowCase): Use isLatin1. |
| * parser/Lexer.h: |
| (JSC::Lexer<UChar>::isWhiteSpace): Ditto. |
| * runtime/LiteralParser.cpp: |
| (JSC::LiteralParser<CharType>::Lexer::lex): Ditto. |
| (JSC::isSafeStringCharacter): Ditto. |
| * runtime/Identifier.cpp: |
| (JSC::Identifier::add8): Ditto. |
| * runtime/LiteralParser.cpp: |
| (JSC::isSafeStringCharacter): Ditto. |
| * runtime/StringPrototype.cpp: |
| (JSC::stringProtoFuncRepeatCharacter): Ditto. |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce): Ditto. |
| (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy): Ditto. |
| (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy): Ditto. |
| |
| 2019-08-17 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [ESNext] Implement optional chaining |
| https://bugs.webkit.org/show_bug.cgi?id=200199 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Implement the optional chaining proposal, which has now reached Stage 3 at TC39. |
| |
| This introduces a ?. operator which: |
| - guards member access when the LHS is nullish, i.e. `null?.foo` and `null?.['foo']` are undefined |
| - guards function calls when the LHS is nullish, i.e. `null?.()` is undefined |
| - short-circuits over a whole access/call chain, i.e. `null?.a['b'](c++)` is undefined and does not increment c |
| |
| This feature can be naively viewed as a ternary in disguise, i.e. `a?.b` is like `a == null ? undefined : a.b`. |
| However, since we must be sure not to double-evaluate the LHS, it's actually rather akin to a try block -- |
| namely, we have the bytecode generator keep an early-out label for use throughout the access and call chain. |
| |
| (Also note that document.all behaves as an object, so "nullish" means *strictly* equal to null or undefined.) |
| |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::pushOptionalChainTarget): Added. |
| (JSC::BytecodeGenerator::popOptionalChainTarget): Added. |
| (JSC::BytecodeGenerator::emitOptionalCheck): Added. |
| * bytecompiler/BytecodeGenerator.h: |
| Implement early-out logic. |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::BracketAccessorNode::emitBytecode): |
| (JSC::DotAccessorNode::emitBytecode): |
| (JSC::EvalFunctionCallNode::emitBytecode): Refactor so we can emitOptionalCheck in a single location. |
| (JSC::FunctionCallValueNode::emitBytecode): |
| (JSC::FunctionCallResolveNode::emitBytecode): Refactor so we can emitOptionalCheck in a single location. |
| (JSC::FunctionCallBracketNode::emitBytecode): |
| (JSC::FunctionCallDotNode::emitBytecode): |
| (JSC::CallFunctionCallDotNode::emitBytecode): |
| (JSC::ApplyFunctionCallDotNode::emitBytecode): |
| (JSC::DeleteBracketNode::emitBytecode): |
| (JSC::DeleteDotNode::emitBytecode): |
| (JSC::CoalesceNode::emitBytecode): Clean up. |
| (JSC::OptionalChainNode::emitBytecode): Added. |
| Implement ?. node and emit checks where needed. |
| |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| Have OpIsUndefinedOrNull support constant registers. |
| |
| * parser/ASTBuilder.h: |
| (JSC::ASTBuilder::createOptionalChain): Added. |
| (JSC::ASTBuilder::makeDeleteNode): |
| (JSC::ASTBuilder::makeFunctionCallNode): |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::lexWithoutClearingLineTerminator): |
| * parser/NodeConstructors.h: |
| (JSC::OptionalChainNode::OptionalChainNode): Added. |
| * parser/Nodes.h: |
| (JSC::ExpressionNode::isOptionalChain const): Added. |
| (JSC::ExpressionNode::isOptionalChainBase const): Added. |
| (JSC::ExpressionNode::setIsOptionalChainBase): Added. |
| * parser/ParserTokens.h: |
| * parser/SyntaxChecker.h: |
| (JSC::SyntaxChecker::makeFunctionCallNode): |
| (JSC::SyntaxChecker::createOptionalChain): Added. |
| Introduce new token and AST node, as well as an ExpressionNode field to mark LHSes with. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseMemberExpression): |
| Parse optional chains by wrapping the access/call parse loop. |
| |
| * runtime/ExceptionHelpers.cpp: |
| (JSC::functionCallBase): |
| Ensure that TypeError messages don't include the '?.'. |
| |
| * runtime/Options.h: |
| Update feature flag, as ?. and ?? are a double feature of "nullish-aware" operators. |
| |
| 2019-08-17 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [ESNext] Support hashbang. |
| https://bugs.webkit.org/show_bug.cgi?id=200865 |
| |
| Reviewed by Mark Lam. |
| |
| Hashbang (a.k.a. shebang) support is at Stage 3 in TC39: |
| https://github.com/tc39/proposal-hashbang |
| |
| This allows `#!` to be treated like `//`, but only at the very start of the source text. |
| |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::Lexer): |
| (JSC::Lexer<T>::lexWithoutClearingLineTerminator): |
| |
| 2019-08-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG ToNumber should support Boolean in fixup |
| https://bugs.webkit.org/show_bug.cgi?id=200864 |
| |
| Reviewed by Mark Lam. |
| |
| ToNumber should speculate on Boolean, or BooleanOrInt32 in fixup phase to optimize it. |
| |
| ToT Patched |
| |
| to-number-boolean 897.6430+-26.8843 ^ 87.4802+-5.2831 ^ definitely 10.2611x faster |
| |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupToNumber): |
| |
| 2019-08-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] WebAssembly BBQ should switch compile mode for size of modules |
| https://bugs.webkit.org/show_bug.cgi?id=200807 |
| |
| Reviewed by Mark Lam. |
| |
| Some webpages use very large Wasm module, and it exhausts all executable memory in ARM64 devices since the size of executable memory region is 128MB. |
| The long term solution should be introducing Wasm interpreter. But as a short term solution, we introduce heuristics switching back to BBQ B3 at |
| the sacrifice of start-up time, since BBQ Air bloats such lengthy code, and thereby consumes a large amount of executable memory. |
| |
| Currently, I picked 10MB since the reported website is using 11MB wasm module. |
| |
| * runtime/Options.h: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::parseAndCompileAir): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::parseAndCompile): |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::compileFunctions): |
| * wasm/WasmModuleInformation.h: |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseCode): |
| * wasm/WasmStreamingParser.cpp: |
| (JSC::Wasm::StreamingParser::parseCodeSectionSize): |
| |
| 2019-08-16 Mark Lam <mark.lam@apple.com> |
| |
| More missing exception checks in string comparison operators. |
| https://bugs.webkit.org/show_bug.cgi?id=200844 |
| <rdar://problem/54378684> |
| |
| Reviewed by Saam Barati. |
| |
| * runtime/Operations.h: |
| (JSC::jsLess): |
| (JSC::jsLessEq): |
| |
| 2019-08-16 Mark Lam <mark.lam@apple.com> |
| |
| CodeBlock destructor should clear all of its watchpoints. |
| https://bugs.webkit.org/show_bug.cgi?id=200792 |
| <rdar://problem/53947800> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We need to clear the watchpoints explicitly (just like we do in CodeBlock::jettison()) |
| because the JITCode may outlive the CodeBlock for a while. For example, the JITCode |
| is ref'd in Interpreter::execute(JSC::CallFrameClosure&) like so: |
| |
| JSValue result = closure.functionExecutable->generatedJITCodeForCall()->execute(&vm, closure.protoCallFrame); |
| |
| The call to generatedJITCodeForCall() returns a Ref<JITCode> with the underlying |
| JITCode ref'd. Hence, while the interpreter frame is still on the stack, the |
| executing JITCode instance will have a non-zero refCount, and be kept alive even |
| though its CodeBlock may have already been destructed. |
| |
| Note: the Interpreter execute() methods aren't the only ones who would ref the JITCode: |
| ExecutableBase also holds a RefPtr<JITCode> m_jitCodeForCall and RefPtr<JITCode> |
| m_jitCodeForConstruct. But a CodeBlock will be uninstalled before it gets destructed. |
| Hence, the uninstallation will deref the JITCode before we get to the CodeBlock |
| destructor. That said, we should be aware that a JITCode's refCount is not always |
| 1 after the JIT installs it into the CodeBlock, and it should not be assumed to be so. |
| |
| For this patch, I also audited all Watchpoint subclasses to ensure that we are |
| clearing all the relevant watchpoints in the CodeBlock destructor. Here is the |
| list of audited Watchpoints: |
| |
| CodeBlockJettisoningWatchpoint |
| AdaptiveStructureWatchpoint |
| AdaptiveInferredPropertyValueWatchpoint |
| - these are held in the DFG::CommonData, and is tied to JITCode's life cycle. |
| - they need to be cleared eagerly in CodeBlock's destructor. |
| |
| LLIntPrototypeLoadAdaptiveStructureWatchpoint |
| - stored in m_llintGetByIdWatchpointMap in the CodeBlock. |
| - this will be automatically cleared on CodeBlock destruction. |
| |
| The following does not reference CodeBlock: |
| |
| FunctionRareData::AllocationProfileClearingWatchpoint |
| - stored in FunctionRareData and will be cleared automatically on |
| FunctionRareData destruction. |
| - only references the owner FunctionRareData. |
| |
| ObjectToStringAdaptiveStructureWatchpoint |
| ObjectToStringAdaptiveInferredPropertyValueWatchpoint |
| - stored in StructureRareData and will be cleared automatically on |
| StructureRareData destruction. |
| |
| ObjectPropertyChangeAdaptiveWatchpoint |
| - stored in JSGlobalObject, and will be cleared automatically on |
| JSGlobalObject destruction. |
| - only references the owner JSGlobalObject. |
| |
| StructureStubClearingWatchpoint |
| - stored in WatchpointsOnStructureStubInfo and will be cleared automatically |
| on WatchpointsOnStructureStubInfo destruction. |
| |
| PropertyWatchpoint |
| StructureWatchpoint |
| - embedded in AdaptiveInferredPropertyValueWatchpointBase, which is extended |
| as AdaptiveInferredPropertyValueWatchpoint, ObjectPropertyChangeAdaptiveWatchpoint, |
| and ObjectToStringAdaptiveInferredPropertyValueWatchpoint. |
| - life cycle is handled by those 3 subclasses. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::~CodeBlock): |
| |
| 2019-08-16 Justin Michaud <justin_michaud@apple.com> |
| |
| Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value |
| https://bugs.webkit.org/show_bug.cgi?id=200782 |
| |
| Reviewed by Saam Barati. |
| |
| Speculate that putByVals on typed arrays are in bounds initially, and add an extra rule to integer range optimization to |
| remove CheckInBounds when we are looping over two arrays. We do this by fixing a bug in the llint slow paths that marked |
| typed array accesses as out of bounds, and we also add an extra step to integer range optimization to search for equality |
| relationships on the RHS value. |
| |
| Microbenchmarks give a 40% improvement on the memcpy loop test, and neutral on the out-of-bounds typed array test. |
| |
| * dfg/DFGIntegerRangeOptimizationPhase.cpp: |
| * dfg/DFGOperations.cpp: |
| (JSC::DFG::putByVal): |
| * jit/JITOperations.cpp: |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * runtime/JSGenericTypedArrayView.h: |
| * runtime/JSObject.h: |
| (JSC::JSObject::putByIndexInline): |
| (JSC::JSObject::canGetIndexQuickly const): |
| (JSC::JSObject::getIndexQuickly const): |
| (JSC::JSObject::tryGetIndexQuickly const): |
| (JSC::JSObject::canSetIndexQuickly): |
| (JSC::JSObject::setIndexQuickly): |
| * runtime/JSObjectInlines.h: |
| (JSC::JSObject::canGetIndexQuicklyForTypedArray const): |
| (JSC::JSObject::canSetIndexQuicklyForTypedArray const): |
| (JSC::JSObject::getIndexQuicklyForTypedArray const): |
| (JSC::JSObject::setIndexQuicklyForTypedArray): |
| |
| 2019-08-16 Mark Lam <mark.lam@apple.com> |
| |
| [Re-land] ProxyObject should not be allow to access its target's private properties. |
| https://bugs.webkit.org/show_bug.cgi?id=200739 |
| <rdar://problem/53972768> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Re-landing this after r200829 which resolves the test262 failure uncovered by this patch. |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::performProxyGet): |
| (JSC::ProxyObject::performInternalMethodGetOwnProperty): |
| (JSC::ProxyObject::performHasProperty): |
| (JSC::ProxyObject::performPut): |
| (JSC::ProxyObject::performDelete): |
| (JSC::ProxyObject::performDefineOwnProperty): |
| |
| 2019-08-16 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Promise.prototype.finally should accept non-promise objects |
| https://bugs.webkit.org/show_bug.cgi?id=200829 |
| |
| Reviewed by Mark Lam. |
| |
| According to the Promise.prototype.finally spec step 2[1], we should check @isObject instead of @isPromise, |
| since Promise.prototype.finally should accept thenable objects that are defined by user libraries (like, bluebird for example). |
| This patch changes this check to the specified one. |
| |
| [1]: https://tc39.es/proposal-promise-finally/ |
| |
| * builtins/PromisePrototype.js: |
| (finally): |
| |
| 2019-08-16 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Promise constructor should check argument before [[Construct]] |
| https://bugs.webkit.org/show_bug.cgi?id=198976 |
| |
| Reviewed by Ross Kirsling. |
| |
| Check if argument is a function before invoking `createSubclassStructure`. |
| (step 2 of https://tc39.es/ecma262/#sec-promise-executor) |
| |
| * builtins/PromiseOperations.js: |
| (globalPrivate.initializePromise): Remove typeof check. |
| * runtime/JSPromiseConstructor.cpp: |
| (JSC::constructPromise): Add isFunction check. |
| |
| 2019-08-16 Ryan Haddad <ryanhaddad@apple.com> |
| |
| Unreviewed, rolling out r248709. |
| |
| Caused test/built-ins/Promise/prototype/finally/this-value- |
| non-promise.js to fail on test262 bot |
| |
| Reverted changeset: |
| |
| "ProxyObject should not be allow to access its target's |
| private properties." |
| https://bugs.webkit.org/show_bug.cgi?id=200739 |
| https://trac.webkit.org/changeset/248709 |
| |
| 2019-08-15 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [WTF] Add makeUnique<T>, which ensures T is fast-allocated, WTF_MAKE_FAST_ALLOCATED annotation part |
| https://bugs.webkit.org/show_bug.cgi?id=200620 |
| |
| Reviewed by Geoffrey Garen. |
| |
| Three patches including this one were originally one patch. I split it into three pieces to make roll-out easy. |
| This part, we annotate classes / structs with WTF_MAKE_FAST_ALLOCATED and WTF_MAKE_STRUCT_FAST_ALLOCATED if |
| they are allocated from std::make_unique. The second patch will switch `std::make_unique` to `WTF::makeUnique` and |
| the third patch will insert a static_assert that makeUnique-allocated class T is FastMalloc-ed. |
| One insight from this patch is that we tend to forget adding WTF_MAKE_STRUCT_FAST_ALLOCATED if it is just a data struct. |
| |
| * debugger/Debugger.h: |
| * inspector/scripts/codegen/objc_generator_templates.py: |
| * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/generic/expected/domain-availability.json-result: |
| * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result: |
| * inspector/scripts/tests/generic/expected/enum-values.json-result: |
| * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: |
| * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result: |
| * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result: |
| * inspector/scripts/tests/generic/expected/should-strip-comments.json-result: |
| * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result: |
| * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result: |
| * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result: |
| * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result: |
| * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result: |
| * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/version.json-result: |
| * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: |
| |
| 2019-08-15 Brent Fulgham <bfulgham@apple.com> |
| |
| [FTW] Enable CoreFoundation use if building for Apple target |
| https://bugs.webkit.org/show_bug.cgi?id=200799 |
| |
| Reviewed by Alex Christensen. |
| |
| * PlatformFTW.cmake: Add missing files. |
| |
| 2019-08-15 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| DateConversion::formatDateTime incorrectly formats negative years |
| https://bugs.webkit.org/show_bug.cgi?id=199964 |
| |
| Reviewed by Ross Kirsling. |
| |
| Currently, year is always padded to max length of 4, including the minus sign "-". |
| With this change, only absolute value of year is padded to max length of 4 and |
| preceded by minus sign "-" if the year is negative. |
| (steps 6-10 of https://tc39.es/ecma262/#sec-datestring) |
| |
| * runtime/DateConversion.cpp: |
| (JSC::appendNumber): |
| |
| 2019-08-15 Mark Lam <mark.lam@apple.com> |
| |
| More missing exception checks in String.prototype. |
| https://bugs.webkit.org/show_bug.cgi?id=200762 |
| <rdar://problem/54333896> |
| |
| Reviewed by Michael Saboff. |
| |
| * runtime/StringPrototype.cpp: |
| (JSC::replaceUsingRegExpSearch): |
| (JSC::operationStringProtoFuncReplaceRegExpString): |
| (JSC::stringProtoFuncLastIndexOf): |
| (JSC::stringProtoFuncToLowerCase): |
| (JSC::stringProtoFuncToUpperCase): |
| |
| 2019-08-15 Joseph Pecoraro <pecoraro@apple.com> |
| |
| for-await-of has bad error message if used in non-async function |
| https://bugs.webkit.org/show_bug.cgi?id=200758 |
| |
| Reviewed by Ross Kirsling. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseForStatement): |
| Improve error message. |
| |
| 2019-08-14 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Air does not appropriately propagate ConstFloatValue to stackmap |
| https://bugs.webkit.org/show_bug.cgi?id=200759 |
| |
| Reviewed by Saam Barati. |
| |
| In B3MoveConstant phase, we convert ConstFloatValue and ConstDoubleValue to memory access to the table |
| to avoid large immediates *except for* stackmap argument case. This is because materializing constant doubles |
| and floats as memory-access before passing it to stackmap is wasteful: the stackmap may not use it actually, or |
| stackmap can do better job if it knows the parameter is constant. |
| |
| Based on the above operation, B3LowerToAir phase strongly assumes that all ConstFloatValue and ConstDoubleValue |
| are removed except for the case used for parameter of stackmap. With r192377, B3LowerToAir catch this case, and |
| propagate constant double value as ValueRep in stackmap. While B3LowerToAir does this correctly for ConstDoubleValue, |
| we missed adding this support for ConstFloatValue. |
| |
| This patch adds r192377's support for ConstFloatValue to propagate ConstFloatValue correctly to the stackmap. |
| This issue starts appearing since Wasm BBQ-B3 OSR starts putting ConstFloatValue to OSR-tier-up patchpoint. |
| |
| * b3/B3LowerToAir.cpp: |
| * b3/B3ValueKey.h: |
| (JSC::B3::ValueKey::ValueKey): |
| (JSC::B3::ValueKey::floatValue const): |
| * b3/B3ValueRep.h: |
| (JSC::B3::ValueRep::constantFloat): |
| (JSC::B3::ValueRep::floatValue const): |
| * b3/testb3.h: |
| * b3/testb3_1.cpp: |
| (run): |
| * b3/testb3_5.cpp: |
| (testPatchpointManyWarmAnyImms): |
| (testPatchpointManyColdAnyImms): |
| (testPatchpointManyImms): Deleted. |
| |
| 2019-08-14 Keith Rollin <krollin@apple.com> |
| |
| Remove support for macOS < 10.13 |
| https://bugs.webkit.org/show_bug.cgi?id=200694 |
| <rdar://problem/54278851> |
| |
| Reviewed by Youenn Fablet. |
| |
| Update conditionals that reference __MAC_OS_X_VERSION_MIN_REQUIRED and |
| __MAC_OS_X_VERSION_MAX_ALLOWED, assuming that they both have values >= |
| 101300. This means that expressions like |
| "__MAC_OS_X_VERSION_MIN_REQUIRED < 101300" are always False and |
| "__MAC_OS_X_VERSION_MIN_REQUIRED >= 101300" are always True. |
| |
| * API/WebKitAvailability.h: |
| |
| 2019-08-14 Mark Lam <mark.lam@apple.com> |
| |
| ProxyObject should not be allow to access its target's private properties. |
| https://bugs.webkit.org/show_bug.cgi?id=200739 |
| <rdar://problem/53972768> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::performProxyGet): |
| (JSC::ProxyObject::performInternalMethodGetOwnProperty): |
| (JSC::ProxyObject::performHasProperty): |
| (JSC::ProxyObject::performPut): |
| (JSC::ProxyObject::performDelete): |
| (JSC::ProxyObject::performDefineOwnProperty): |
| |
| 2019-08-14 Mark Lam <mark.lam@apple.com> |
| |
| Missing exception check in string compare. |
| https://bugs.webkit.org/show_bug.cgi?id=200743 |
| <rdar://problem/53975356> |
| |
| Reviewed by Michael Saboff. |
| |
| * runtime/JSString.cpp: |
| (JSC::JSString::equalSlowCase const): |
| |
| 2019-08-14 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, build fix for MacroAssemblerARM64E change |
| https://bugs.webkit.org/show_bug.cgi?id=200703 |
| |
| * assembler/MacroAssemblerARM64E.h: |
| (JSC::MacroAssemblerARM64E::farJump): |
| |
| 2019-08-14 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Less contended MetaAllocator |
| https://bugs.webkit.org/show_bug.cgi?id=200278 |
| |
| Reviewed by Mark Lam. |
| |
| The profiler result of JetStream2/bomb-workers shows that we are having contention under MetaAllocator::currentStatistics. |
| This function is called in ExecutableAllocator::memoryPressureMultiplier, and it is called from ExecutableCounter's threshold |
| calculation. But MetaAllocator::currentStatistics takes a global lock inside MetaAllocator and causes contention. However, |
| we do not need to have a lock actually: clients of MetaAllocator::currentStatistics typically use bytesReserved and bytesAllocated |
| information. However, since our executable allocator is fixed-sized, bytesReserved is always the fixed size. So just reading bytesAllocated |
| racily is enough. |
| |
| This patch attempts to reduce the contention by the following two things. |
| |
| 1. Read bytesAllocated racily instead of calling MetaAllocator::currentStatistics. Then ExecutableCounter does not need to take a lock. |
| 2. page lifetime management APIs of MetaAllocator should take a second `count` parameter to batch the system calls. |
| |
| * jit/ExecutableAllocator.cpp: |
| (JSC::ExecutableAllocator::underMemoryPressure): |
| (JSC::ExecutableAllocator::memoryPressureMultiplier): |
| (JSC::ExecutableAllocator::allocate): |
| (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Deleted. |
| (JSC::FixedVMPoolExecutableAllocator::memoryStart): Deleted. |
| (JSC::FixedVMPoolExecutableAllocator::memoryEnd): Deleted. |
| (JSC::FixedVMPoolExecutableAllocator::isJITPC): Deleted. |
| (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps): Deleted. |
| (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator): Deleted. |
| (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion): Deleted. |
| |
| 2019-08-14 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make PAC jump and return more explicit |
| https://bugs.webkit.org/show_bug.cgi?id=200703 |
| |
| Reviewed by Mark Lam. |
| |
| This patch refactors our macro assembler, mainly related to PAC. |
| |
| 1. Make far-jump explicit by renaming `jump` to `farJump`. |
| 2. Remove unused makeTailRecursiveCall and tailRecursiveCall. |
| 3. Do not make `ARM64EAssembler::ret` as `retab`. MacroAssemblerARM64E should call `retab` explicitly instead. |
| |
| * assembler/ARM64EAssembler.h: |
| (JSC::ARM64EAssembler::ret): Deleted. |
| * assembler/MacroAssembler.h: |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::farJump): |
| (JSC::MacroAssemblerARM64::makeTailRecursiveCall): Deleted. |
| (JSC::MacroAssemblerARM64::tailRecursiveCall): Deleted. |
| * assembler/MacroAssemblerARM64E.h: |
| (JSC::MacroAssemblerARM64E::farJump): |
| (JSC::MacroAssemblerARM64E::ret): |
| * assembler/MacroAssemblerARMv7.h: |
| (JSC::MacroAssemblerARMv7::farJump): |
| (JSC::MacroAssemblerARMv7::relativeTableJump): |
| (JSC::MacroAssemblerARMv7::tailRecursiveCall): Deleted. |
| (JSC::MacroAssemblerARMv7::makeTailRecursiveCall): Deleted. |
| * assembler/MacroAssemblerMIPS.h: |
| (JSC::MacroAssemblerMIPS::farJump): |
| (JSC::MacroAssemblerMIPS::tailRecursiveCall): Deleted. |
| (JSC::MacroAssemblerMIPS::makeTailRecursiveCall): Deleted. |
| * assembler/MacroAssemblerX86.h: |
| (JSC::MacroAssemblerX86::farJump): |
| (JSC::MacroAssemblerX86::jump): Deleted. |
| (JSC::MacroAssemblerX86::tailRecursiveCall): Deleted. |
| (JSC::MacroAssemblerX86::makeTailRecursiveCall): Deleted. |
| * assembler/MacroAssemblerX86Common.h: |
| (JSC::MacroAssemblerX86Common::farJump): |
| * assembler/MacroAssemblerX86_64.h: |
| (JSC::MacroAssemblerX86_64::farJump): |
| (JSC::MacroAssemblerX86_64::jump): Deleted. |
| (JSC::MacroAssemblerX86_64::tailRecursiveCall): Deleted. |
| (JSC::MacroAssemblerX86_64::makeTailRecursiveCall): Deleted. |
| * b3/B3LowerMacros.cpp: |
| * b3/testb3_6.cpp: |
| (testInterpreter): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::adjustAndJumpToTarget): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): |
| (JSC::DFG::SpeculativeJIT::emitSwitchImm): |
| (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGThunks.cpp: |
| (JSC::DFG::osrExitGenerationThunkGenerator): |
| (JSC::DFG::osrEntryThunkGenerator): |
| * jit/CCallHelpers.h: |
| (JSC::CCallHelpers::jumpToExceptionHandler): |
| * jit/JIT.cpp: |
| (JSC::JIT::emitEnterOptimizationCheck): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_switch_imm): |
| (JSC::JIT::emit_op_switch_char): |
| (JSC::JIT::emit_op_switch_string): |
| (JSC::JIT::emitSlow_op_loop_hint): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_switch_imm): |
| (JSC::JIT::emit_op_switch_char): |
| (JSC::JIT::emit_op_switch_string): |
| * jit/ThunkGenerators.cpp: |
| (JSC::slowPathFor): |
| (JSC::virtualThunkFor): |
| * llint/LLIntThunks.cpp: |
| (JSC::LLInt::generateThunkWithJumpTo): |
| * wasm/WasmBinding.cpp: |
| (JSC::Wasm::wasmToWasm): |
| * wasm/WasmThunks.cpp: |
| (JSC::Wasm::throwExceptionFromWasmThunkGenerator): |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::emitThrowWasmToJSException): |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::loadFromFrameAndJump): |
| |
| 2019-08-14 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Web Inspector: Remove bad semicolon in generation of ObjC methods |
| https://bugs.webkit.org/show_bug.cgi?id=200655 |
| |
| Reviewed by Devin Rousso. |
| |
| * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py: |
| (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations): |
| Do not include a semicolon in the method implementation. |
| |
| * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/generic/expected/enum-values.json-result: |
| * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: |
| * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: |
| Updated results. |
| |
| 2019-08-13 Saam Barati <sbarati@apple.com> |
| |
| Add a way to opt out of kern TCSM for layout tests |
| https://bugs.webkit.org/show_bug.cgi?id=200649 |
| <rdar://problem/51304923> |
| |
| Reviewed by Alexey Proskuryakov. |
| |
| * assembler/CPU.cpp: |
| (JSC::isKernTCSMAvailable): |
| * runtime/Options.h: |
| |
| 2019-08-13 Sam Weinig <weinig@apple.com> |
| |
| Rename StringBuilder::append(UChar32) to StringBuilder::appendCharacter(UChar32) to avoid accidental change in behavior when replacing append with flexibleAppend |
| https://bugs.webkit.org/show_bug.cgi?id=200675 |
| |
| Reviewed by Darin Adler. |
| |
| * yarr/YarrParser.h: |
| (JSC::Yarr::Parser::tryConsumeGroupName): |
| (JSC::Yarr::Parser::tryConsumeUnicodePropertyExpression): |
| Update for rename from StringBuilder::append(UChar32) to StringBuilder::appendCharacter(UChar32). |
| |
| 2019-08-13 Mark Lam <mark.lam@apple.com> |
| |
| Add phase, block, and node numbers to left margin of DFG graph dumps. |
| https://bugs.webkit.org/show_bug.cgi?id=200693 |
| |
| Reviewed by Saam Barati. |
| |
| When scrolling through the DFG graph dumps, it's easy to get lost as to which phase |
| or block one is looking at, especially if the blocks are long. This patch adds |
| node index, block number, and phase number on the left margin of the dumps. |
| Here's a sample: |
| |
| 53: %Bd:Function = 0x1079fd960:[Function, {}, NonArray, Proto:0x1079d8000, Leaf] |
| 53: %Bf:Function = 0x1079b0700:[Function, {name:100, prototype:101, length:102, stackTraceLimit:103}, NonArray, Proto:0x1079d8000, Leaf] |
| 53: %Bj:Function = 0x1079fd5e0:[Function, {name:100, length:101, toString:102, apply:103, call:104, bind:105, Symbol.hasInstance:106, caller:107, arguments:108, constructor:109}, NonArray, Proto:0x1079c0000, Leaf] |
| 53: %CV:JSGlobalLexicalEnvironment = 0x1079fd6c0:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf] |
| |
| 53: Phase liveness analysis changed the IR. |
| |
| 54: Beginning DFG phase OSR availability analysis. |
| 54: Before OSR availability analysis: |
| |
| 54: DFG for foo#DXMNag:[0x1079a4850->0x1079a4130->0x1079c7600, DFGFunctionCall, 204 (NeverInline)]: |
| 54: Fixpoint state: FixpointConverged; Form: SSA; Unification state: GloballyUnified; Ref count state: ExactRefCount |
| 54: Argument formats for entrypoint index: 0 : FlushedJSValue, FlushedCell, FlushedJSValue |
| |
| 0 54: Block #0 (bc#0): (OSR target) |
| 0 54: Execution count: 1.000000 |
| 0 54: Predecessors: |
| 0 54: Successors: |
| 0 54: Dominated by: #0 |
| 0 54: Dominates: #0 |
| 0 54: Dominance Frontier: |
| 0 54: Iterated Dominance Frontier: |
| 0 54: Backwards dominates by: #root #0 |
| 0 54: Backwards dominates: #0 |
| 0 54: Control equivalent to: #0 |
| 0 54: States: StructuresAreWatched |
| 0 54: Live: |
| 0 54: Values |
| 0 0 54: 53:< 1:-> JSConstant(JS|UseAsOther, Other, Null, bc#0, ExitValid) |
| 1 0 54: 64:< 2:-> JSConstant(JS|UseAsOther, NonBoolInt32, Int32: 10, bc#0, ExitValid) |
| 2 0 54: 3:< 5:-> JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid) |
| 3 0 54: 32:< 1:-> JSConstant(JS|UseAsOther, Bool, False, bc#0, ExitValid) |
| 4 0 54: 19:< 2:-> JSConstant(JS|UseAsOther, OtherObj, Weak:Object: 0x1079d4000 with butterfly 0x0 (Structure %CV:JSGlobalLexicalEnvironment), StructureID: 31423, bc#0, ExitValid) |
| |
| The numbers in the left margin before the ':' are node index (i.e. the index of the |
| node in the block, not to be confused with node->index() which is the node ID), block |
| number, and phase number respectively. Now, we can scroll thru the dumps quickly |
| and tell at a glance when we've scrolled passed the end of a phase, or block. |
| These sets of numbers can also serve as a positional marker that we can search for |
| to return to a node in the dump after scrolling away. |
| |
| Currently, these numbers are only added to the DFG part. The FTL (from lowering |
| to B3 onwards) does not have this feature yet. |
| |
| * dfg/DFGDesiredWatchpoints.cpp: |
| (JSC::DFG::DesiredWatchpoints::dumpInContext const): |
| * dfg/DFGDesiredWatchpoints.h: |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dumpCodeOrigin): |
| (JSC::DFG::Graph::dump): |
| (JSC::DFG::Graph::dumpBlockHeader): |
| (JSC::DFG::Prefix::dump const): |
| * dfg/DFGGraph.h: |
| (JSC::DFG::Prefix::Prefix): |
| (JSC::DFG::Prefix::clearBlockIndex): |
| (JSC::DFG::Prefix::clearNodeIndex): |
| (JSC::DFG::Prefix::enable): |
| (JSC::DFG::Prefix::disable): |
| (JSC::DFG::Graph::prefix): |
| (JSC::DFG::Graph::nextPhase): |
| * dfg/DFGPhase.cpp: |
| (JSC::DFG::Phase::beginPhase): |
| * dfg/DFGPhase.h: |
| (JSC::DFG::runAndLog): |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::compileInThreadImpl): |
| * dfg/DFGValueRepReductionPhase.cpp: |
| (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble): |
| |
| 2019-08-13 Michael Saboff <msaboff@apple.com> |
| |
| REGRESSION (r248533): JSC Command - Need to initializeMainThread() before processing config file |
| https://bugs.webkit.org/show_bug.cgi?id=200677 |
| |
| Reviewed by Mark Lam. |
| |
| We need to initialize the main thread before calling processConfigFile() since it uses RefCounted objects |
| which have "is main thread" ASSERTS. |
| |
| * jsc.cpp: |
| (jscmain): |
| |
| 2019-08-13 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Styles: show @supports CSS groupings |
| https://bugs.webkit.org/show_bug.cgi?id=200419 |
| <rdar://problem/53971948> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/CSS.json: |
| Rename `CSSMedia` to `Grouping` and remove the `sourceLine` value, as it was never populated |
| and wasn't used by Web Inspector. |
| |
| * inspector/scripts/codegen/objc_generator_templates.py: |
| * inspector/scripts/codegen/generate_objc_header.py: |
| (ObjCHeaderGenerator.generate_output): |
| Add support for including files at the end of <WebInspector/RWIProtocol.h> for compatibility |
| statements so that changes to the Web Inspector protocol don't break other clients. |
| |
| 2019-08-13 Joseph Pecoraro <pecoraro@apple.com> |
| |
| JSContext Inspector: Basic CommandLineAPI doesn't work |
| https://bugs.webkit.org/show_bug.cgi?id=200659 |
| <rdar://problem/54245476> |
| |
| Reviewed by Brian Burg. |
| |
| * inspector/InjectedScriptSource.js: |
| (BasicCommandLineAPI): |
| Use `method` directly since it already has been setup nicely and doesn't |
| need to be bound. Technically this allows someone to add properties to |
| the CommandLineAPI methods in basic mode (`dir.property = 1`) but that |
| seems harmless. |
| |
| 2019-08-12 Sam Weinig <weinig@apple.com> |
| |
| Replace multiparameter overloads of append() in StringBuilder as a first step toward standardizinging on the flexibleAppend() implementation |
| https://bugs.webkit.org/show_bug.cgi?id=200614 |
| |
| Reviewed by Darin Adler. |
| |
| Renames StringBuilder::append(const LChar*, unsigned), StringBuilder::append(const UChar*, unsigned) and |
| StringBuilder::append(const char*, unsigned) to StringBuilder::appendCharacters(...). |
| |
| Renames StringBuilder::append(const String& string, unsigned offset, unsigned length) to |
| StringBuilder::appendSubstring(...). |
| |
| * dfg/DFGStrengthReductionPhase.cpp: |
| (JSC::DFG::StrengthReductionPhase::handleNode): |
| * runtime/ConfigFile.cpp: |
| (JSC::ConfigFile::parse): |
| * runtime/LiteralParser.cpp: |
| (JSC::LiteralParser<CharType>::Lexer::lexStringSlow): |
| * tools/FunctionOverrides.cpp: |
| (JSC::parseClause): |
| Update for renames. |
| |
| 2019-08-12 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [WPE][GTK] Fix building without unified sources |
| https://bugs.webkit.org/show_bug.cgi?id=200641 |
| |
| Reviewed by Žan Doberšek. |
| |
| * b3/B3PatchpointSpecial.cpp: Add missing inclusion of the B3ProcedureInlines.h header. |
| * heap/SlotVisitor.cpp: Add missing inclusion of the BlockDirectoryInlines.h header. |
| |
| 2019-08-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [WTF][JSC] Make JSC and WTF aggressively-fast-malloced |
| https://bugs.webkit.org/show_bug.cgi?id=200611 |
| |
| Reviewed by Saam Barati. |
| |
| This patch aggressively puts many classes into FastMalloc. In JSC side, we grep `std::make_unique` etc. to find potentially system-malloc-allocated classes. |
| After this patch, all the JSC related allocations in JetStream2 cli is done from bmalloc. In the future, it would be nice that we add `WTF::makeUnique<T>` helper |
| function and throw a compile error if `T` is not FastMalloc annotated[1]. |
| |
| Putting WebKit classes in FastMalloc has many benefits. |
| |
| 1. Simply, it is fast. |
| 2. vmmap can tell the amount of memory used for WebKit. |
| 3. bmalloc can isolate WebKit memory allocation from the rest of the world. This is useful since we can know more about what component is corrupting the memory |
| from the memory corruption crash. |
| |
| [1]: https://bugs.webkit.org/show_bug.cgi?id=200620 |
| |
| * API/ObjCCallbackFunction.mm: |
| * assembler/AbstractMacroAssembler.h: |
| * b3/B3PhiChildren.h: |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: |
| * b3/air/AirDisassembler.h: |
| * bytecode/AccessCaseSnippetParams.h: |
| * bytecode/CallVariant.h: |
| * bytecode/DeferredSourceDump.h: |
| * bytecode/ExecutionCounter.h: |
| * bytecode/GetByIdStatus.h: |
| * bytecode/GetByIdVariant.h: |
| * bytecode/InByIdStatus.h: |
| * bytecode/InByIdVariant.h: |
| * bytecode/InstanceOfStatus.h: |
| * bytecode/InstanceOfVariant.h: |
| * bytecode/PutByIdStatus.h: |
| * bytecode/PutByIdVariant.h: |
| * bytecode/ValueProfile.h: |
| * dfg/DFGAbstractInterpreter.h: |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::newVariableAccessData): |
| * dfg/DFGFlowIndexing.h: |
| * dfg/DFGFlowMap.h: |
| * dfg/DFGLiveCatchVariablePreservationPhase.cpp: |
| (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData): |
| * dfg/DFGMaximalFlushInsertionPhase.cpp: |
| (JSC::DFG::MaximalFlushInsertionPhase::newVariableAccessData): |
| * dfg/DFGOSRExit.h: |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGVariableAccessData.h: |
| * disassembler/ARM64/A64DOpcode.h: |
| * inspector/remote/socket/RemoteInspectorMessageParser.h: |
| * inspector/remote/socket/RemoteInspectorSocket.h: |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: |
| * jit/PCToCodeOriginMap.h: |
| * runtime/BasicBlockLocation.h: |
| * runtime/DoublePredictionFuzzerAgent.h: |
| * runtime/JSRunLoopTimer.h: |
| * runtime/PromiseDeferredTimer.h: |
| (JSC::PromiseDeferredTimer::create): PromiseDeferredTimer should be allocated as `Ref<>` instead of `std::unique_ptr` since it is inheriting ThreadSafeRefCounted<>. |
| Holding such a class with std::unique_ptr could lead to potentially dangerous operations (like, someone holds it with Ref<> while it is deleted by std::unique_ptr<>). |
| * runtime/RandomizingFuzzerAgent.h: |
| * runtime/SymbolTable.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * tools/JSDollarVM.cpp: |
| * tools/SigillCrashAnalyzer.cpp: |
| * wasm/WasmFormat.h: |
| * wasm/WasmMemory.cpp: |
| * wasm/WasmSignature.h: |
| * yarr/YarrJIT.h: |
| |
| 2019-08-12 Chris Dumez <cdumez@apple.com> |
| |
| Add threading assertions to RefCounted |
| https://bugs.webkit.org/show_bug.cgi?id=200507 |
| |
| Reviewed by Ryosuke Niwa. |
| |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::Plan): |
| Disable threading assertions for DFG::Plan::m_inlineCallFrames while the JSC team |
| investigates. |
| |
| 2019-08-12 Chris Dumez <cdumez@apple.com> |
| |
| Unreviewed, rolling out r248525. |
| |
| Revert new threading assertions while I work on fixing the |
| issues they exposed |
| |
| Reverted changeset: |
| |
| "Add threading assertions to RefCounted" |
| https://bugs.webkit.org/show_bug.cgi?id=200507 |
| https://trac.webkit.org/changeset/248525 |
| |
| 2019-08-11 Chris Dumez <cdumez@apple.com> |
| |
| Add threading assertions to RefCounted |
| https://bugs.webkit.org/show_bug.cgi?id=200507 |
| |
| Reviewed by Ryosuke Niwa. |
| |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::Plan): |
| Disable threading assertions for DFG::Plan::m_inlineCallFrames while the JSC team |
| investigates. |
| |
| 2019-08-09 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive |
| https://bugs.webkit.org/show_bug.cgi?id=199864 |
| |
| Reviewed by Saam Barati. |
| |
| Our JSObject::put implementation is not correct in term of the spec. Our [[Put]] implementation is something like this. |
| |
| JSObject::put(object): |
| if (can-do-fast-path(object)) |
| return fast-path(object); |
| // slow-path |
| do { |
| object-put-check-and-setter-calls(object); // (1) |
| object = object->prototype; |
| } while (is-object(object)); |
| return do-put(object); |
| |
| Since JSObject::put is registered in the methodTable, the derived classes can override it. Some of classes are adding |
| extra checks to this put. |
| |
| Derived::put(object): |
| if (do-extra-check(object)) |
| fail |
| return JSObject::put(object) |
| |
| The problem is that Derived::put is only called when the |this| object is the Derived class. When traversing [[Prototype]] in |
| JSObject::put, at (1), we do not perform the extra checks added in Derived::put even if `object` is Derived one. This means that |
| we skip the check. |
| |
| Currently, JSObject::put and WebCore checking mechanism are broken. JSObject::put should call getOwnPropertySlot at (1) to |
| perform the additional checks. This behavior is matching against the spec. However, currently, our JSObject::getOwnPropertySlot |
| does not propagate setter information. This is required to cache cacheable [[Put]] at (1) for CustomValue, CustomAccessor, and |
| Accessors. We also need to reconsider how to integrate static property setters to this mechanism. So, basically, this involves |
| large refactoring to renew our JSObject::put and JSObject::getOwnPropertySlot. |
| |
| To work-around for now, we add a new TypeInfo flag, HasPutPropertySecurityCheck . And adding this flag to DOM objects |
| that implements the addition checks. We also add doPutPropertySecurityCheck method hook to perform the check in JSObject. |
| When we found this flag at (1), we perform doPutPropertySecurityCheck to properly perform the checks. |
| |
| Since our JSObject::put code is old and it does not match against the spec now, we should refactor it largely. This is tracked separately in [1]. |
| |
| [1]: https://bugs.webkit.org/show_bug.cgi?id=200562 |
| |
| * runtime/ClassInfo.h: |
| * runtime/JSCJSValue.cpp: |
| (JSC::JSValue::putToPrimitive): |
| * runtime/JSCell.cpp: |
| (JSC::JSCell::doPutPropertySecurityCheck): |
| * runtime/JSCell.h: |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::putInlineSlow): |
| (JSC::JSObject::getOwnPropertyDescriptor): |
| * runtime/JSObject.h: |
| (JSC::JSObject::doPutPropertySecurityCheck): |
| * runtime/JSTypeInfo.h: |
| (JSC::TypeInfo::hasPutPropertySecurityCheck const): |
| |
| 2019-08-08 Per Arne Vollan <pvollan@apple.com> |
| |
| [Win] Fix internal build |
| https://bugs.webkit.org/show_bug.cgi?id=200519 |
| |
| Reviewed by Alex Christensen. |
| |
| The script 'generate-js-builtins.py' cannot be found when building WebCore. Copy the JavaScriptCore Scripts |
| folder after building JSC. |
| |
| * JavaScriptCore.vcxproj/JavaScriptCore.proj: |
| |
| 2019-08-08 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Page: don't allow the domain to be disabled |
| https://bugs.webkit.org/show_bug.cgi?id=200109 |
| |
| Reviewed by Brian Burg. |
| |
| The `PageAgent` is relied on by many of the other agents, so much so that it doesn't make |
| sense to support the ability to "disable" (as well as "enable") the agent. |
| |
| When the first frontend connects, we should treat the `PageAgent` as active and available. |
| |
| * inspector/protocol/Page.json: |
| Remove `enable`/`disable`. |
| |
| 2019-08-08 Michael Saboff <msaboff@apple.com> |
| |
| OpenSource MemoryFootprint API for JSC command line tool |
| https://bugs.webkit.org/show_bug.cgi?id=200541 |
| |
| Reviewed by Saam Barati. |
| |
| Use wtf/spi/darwin/ProcessMemoryFootprint.h instead of WebKitAdditions/MemoryFootprint.h |
| for process memory stats. |
| |
| * jsc.cpp: |
| (MemoryFootprint::MemoryFootprint): |
| |
| 2019-08-08 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: rename `queryObjects` to `queryInstances` for clarity |
| https://bugs.webkit.org/show_bug.cgi?id=200520 |
| |
| Reviewed by Brian Burg. |
| |
| * inspector/InjectedScriptSource.js: |
| (queryInstances): Added. |
| (queryObjects): |
| * inspector/JSInjectedScriptHost.h: |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::queryInstances): Added. |
| (Inspector::JSInjectedScriptHost::queryObjects): Deleted. |
| * inspector/JSInjectedScriptHostPrototype.cpp: |
| (Inspector::JSInjectedScriptHostPrototype::finishCreation): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionQueryInstances): Added. |
| (Inspector::jsInjectedScriptHostPrototypeFunctionQueryObjects): Deleted. |
| |
| 2019-08-08 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Add "jump if (not) undefined or null" bytecode ops |
| https://bugs.webkit.org/show_bug.cgi?id=200480 |
| |
| Reviewed by Saam Barati. |
| |
| This patch introduces fused jumps for op_is_undefined_or_null, which ignores "masquerade as undefined" behavior. |
| |
| This lets us fix a edge-case bug in RequireObjectCoercible (where `({ length } = document.all)` was a TypeError) |
| and moreover provides a very useful optimization for the new ?. and ?? operators, which have semantics centered |
| around op_jundefined_or_null and op_jnundefined_or_null, respectively. |
| |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecode/Opcode.h: |
| (JSC::isBranch): |
| * bytecode/PreciseJumpTargetsInlines.h: |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::Label::setLocation): |
| (JSC::BytecodeGenerator::emitJumpIfTrue): |
| (JSC::BytecodeGenerator::emitJumpIfFalse): |
| (JSC::BytecodeGenerator::emitRequireObjectCoercible): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| * jit/JIT.h: |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_jundefined_or_null): Added. |
| (JSC::JIT::emit_op_jnundefined_or_null): Added. |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_jundefined_or_null): Added. |
| (JSC::JIT::emit_op_jnundefined_or_null): Added. |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| |
| 2019-08-07 Devin Rousso <drousso@apple.com> |
| |
| Rebase inspector generator tests. |
| |
| Rubber-stamped by Brian Burg. |
| |
| * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: |
| * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result: |
| * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result: |
| * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result: |
| * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result: |
| * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: |
| |
| 2019-08-07 Caio Lima <ticaiolima@gmail.com> |
| |
| High number of cache miss on localTimeOffset |
| https://bugs.webkit.org/show_bug.cgi?id=200444 |
| |
| Reviewed by Darin Adler. |
| |
| This patch is separating the `LocalTimeOffsetCache` for each |
| `WTF::TimeType` to avoid constant cache miss on pathological cases |
| where `gregorianDateTimeToMS` and `msToGregorianDateTime` are |
| intercaleted with `inputTimeType == WTF::LocalTime`. Such case |
| happens during execution of Facebook Messenger |
| (https://www.messenger.com). |
| |
| * runtime/JSDateMath.cpp: |
| (JSC::localTimeOffset): |
| (JSC::gregorianDateTimeToMS): |
| * runtime/VM.cpp: |
| (JSC::VM::resetDateCache): |
| * runtime/VM.h: |
| (JSC::LocalTimeOffsetCache::LocalTimeOffsetCache): |
| (JSC::LocalTimeOffsetCache::reset): |
| |
| 2019-08-06 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] sampling-profiler can see garbage Wasm::Callee* pointer which is HashTable deleted / empty values |
| https://bugs.webkit.org/show_bug.cgi?id=200494 |
| |
| Reviewed by Saam Barati. |
| |
| The sampling-profiler can see a garbage pointer which is like Wasm::Callee*. This can be filtered by HashSet<Callee*>. |
| But this is safe only when the garbage pointer is not deleted / empty values. We saw occasional crash with JetStream2/tsf-wasm. |
| This patch filters out these values with `HashSet<Callee*>::isValidValue`. |
| |
| * wasm/WasmCalleeRegistry.h: |
| (JSC::Wasm::CalleeRegistry::isValidCallee): |
| |
| 2019-08-06 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r248289. |
| https://bugs.webkit.org/show_bug.cgi?id=200488 |
| |
| Broke internal builds (Requested by drousso on #webkit). |
| |
| Reverted changeset: |
| |
| "Web Inspector: Styles: show @supports CSS groupings" |
| https://bugs.webkit.org/show_bug.cgi?id=200419 |
| https://trac.webkit.org/changeset/248289 |
| |
| 2019-08-06 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: allow comments in protocol JSON |
| https://bugs.webkit.org/show_bug.cgi?id=200104 |
| |
| Reviewed by Brian Burg. |
| |
| * inspector/scripts/generate-inspector-protocol-bindings.py: |
| (generate_from_specification.load_specification): |
| |
| * inspector/scripts/tests/generic/should-strip-comments.json: Added. |
| * inspector/scripts/tests/generic/expected/should-strip-comments.json-result: Added. |
| |
| 2019-08-06 Per Arne Vollan <pvollan@apple.com> |
| |
| [Win] Fix AppleWin build |
| https://bugs.webkit.org/show_bug.cgi?id=200455 |
| |
| Reviewed by Alex Christensen. |
| |
| * CMakeLists.txt: |
| * shell/CMakeLists.txt: |
| |
| 2019-08-05 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Styles: show @supports CSS groupings |
| https://bugs.webkit.org/show_bug.cgi?id=200419 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/CSS.json: |
| Rename `CSSMedia` to `Grouping` and remove the `sourceLine` value, as it was never populated |
| and wasn't used by Web Inspector. |
| |
| 2019-08-05 Devin Rousso <drousso@apple.com> |
| |
| Can't use $0, $1 etc when inspecting Google Docs pages because the content uses these for function names |
| https://bugs.webkit.org/show_bug.cgi?id=195834 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Allow the user to alias saved results by providing a different prefix (e.g. "$") from within |
| Web Inspector. When changing the alias, all existing saved results will update to be |
| reference-able from the new alias. |
| |
| * inspector/protocol/Runtime.json: |
| Add `setSavedResultAlias` command. |
| |
| * inspector/agents/InspectorRuntimeAgent.h: |
| * inspector/agents/InspectorRuntimeAgent.cpp: |
| (Inspector::InspectorRuntimeAgent::setSavedResultAlias): Added. |
| |
| * inspector/InjectedScriptHost.h: |
| (Inspector::InjectedScriptHost::setSavedResultAlias): Added. |
| (Inspector::InjectedScriptHost::savedResultAlias const): Added. |
| * inspector/JSInjectedScriptHost.h: |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::savedResultAlias const): Added. |
| * inspector/JSInjectedScriptHostPrototype.cpp: |
| (Inspector::JSInjectedScriptHostPrototype::finishCreation): |
| (Inspector::jsInjectedScriptHostPrototypeAttributeSavedResultAlias): Added. |
| Store the saved result alias on the `InjectedScriptHost` since it is a shared object among |
| all `InjectedScript`. |
| |
| * inspector/InjectedScriptSource.js: |
| (BasicCommandLineAPI): |
| |
| 2019-08-05 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Timelines: disable related agents when the tab is closed |
| https://bugs.webkit.org/show_bug.cgi?id=200118 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Rework how `enable`/`disable` is used for timeline-related agents so that events are not sent |
| and data isn't kept alive when the Timelines tab isn't enabled. |
| |
| * inspector/protocol/Timeline.json: |
| Add `enable`/`disable` commands. |
| |
| * inspector/agents/InspectorHeapAgent.cpp: |
| (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend): |
| (Inspector::InspectorHeapAgent::enable): |
| (Inspector::InspectorHeapAgent::disable): |
| |
| 2019-08-05 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: rename "Stylesheet" to "Style Sheet" to match spec text |
| https://bugs.webkit.org/show_bug.cgi?id=200422 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/Page.json: |
| |
| 2019-08-05 Michael Saboff <msaboff@apple.com> |
| |
| JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray |
| https://bugs.webkit.org/show_bug.cgi?id=199997 |
| |
| Reviewed by Saam Barati. |
| |
| No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray() |
| and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a |
| CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array |
| and not for SpecEmpty. If we added a check for the SpecEmpty in the ASSERT, there are cases where |
| it won't be set. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): |
| (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): |
| |
| 2019-08-03 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: DOM: add a special breakpoint for "All Events" |
| https://bugs.webkit.org/show_bug.cgi?id=200285 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Similar to the existing "All Requests" breakpoint, there should be a way to set a breakpoint |
| that would pause for any DOM event, regardless of the event's name. This is useful for |
| situations where the event name isn't known, or where one simply wants to pause on the next |
| entry to the event loop. |
| |
| Along these lines, make the "requestAnimationFrame", "setTimeout", and "setInterval" |
| event breakpoints into special breakpoints that can be added/removed via the create |
| breakpoint context menu. This simplifies the process for setting these breakpoints, and also |
| makes them more discoverable (most people wouldn't consider them to be "events"). |
| |
| * inspector/protocol/Debugger.json: |
| - Rename the `EventListener` pause reason to `Listener`. |
| - Split the `Timer` pause reason into `Interval` and `Timeout`. |
| |
| * inspector/protocol/DOMDebugger.json: |
| - Split the `timer` type into `interval` and `timeout`. |
| - Make `eventName` optional for `addEventBreakpoint`/`removeEventBreakpoint`. When omitted, |
| the corresponding breakpoint that is added/removed is treated as a global breakpoint that |
| applies to all events of that type (e.g. a global `listener` breakpoint would pause for |
| any event that is fired). |
| |
| 2019-08-02 Keith Miller <keith_miller@apple.com> |
| |
| Address comments on r248178 |
| https://bugs.webkit.org/show_bug.cgi?id=200411 |
| |
| Reviewed by Saam Barati. |
| |
| * b3/B3Opcode.h: |
| * b3/B3Procedure.h: |
| (JSC::B3::Procedure::tuples const): |
| * b3/B3Validate.cpp: |
| * b3/testb3_1.cpp: |
| (main): |
| |
| 2019-08-02 Mark Lam <mark.lam@apple.com> |
| |
| [ARM64E] Harden the diversity of the DOMJIT::Signature::unsafeFunction pointer. |
| https://bugs.webkit.org/show_bug.cgi?id=200292 |
| <rdar://problem/53706881> |
| |
| Reviewed by Geoffrey Garen. |
| |
| Previously, DOMJIT::Signature::functionWithoutTypeCheck was signed as a C function |
| pointer. We can do better by signing it like a vtbl function pointer. |
| |
| No new tests needed. The DOMJIT mechanism is covered by existing tests. |
| |
| I also manually confirmed that DOMJIT::Signature::functionWithoutTypeCheck is signed |
| exactly as expected by reading its bits out of memory (not letting Clang have a |
| chance to resign it into a C function pointer) and comparing it against manually |
| signed bits with the expected diversifier. |
| |
| * assembler/MacroAssemblerCodeRef.h: |
| (JSC::CFunctionPtr::CFunctionPtr): |
| (JSC::CFunctionPtr::get const): |
| (JSC::CFunctionPtr::address const): |
| (JSC::CFunctionPtr::operator bool const): |
| (JSC::CFunctionPtr::operator! const): |
| (JSC::CFunctionPtr::operator== const): |
| (JSC::CFunctionPtr::operator!= const): |
| |
| - Introduce a CFunctionPtr abstraction that is used to hold pointers to C functions. |
| It can instantiated in 4 ways: |
| |
| 1. The default constructor. |
| 2. A constructor that takes a nullptr_t. |
| |
| These 2 forms will instantiate a CFunctionPtr with a nullptr. |
| |
| 3. A constructor that takes the name of a function. |
| 4. A constructor that takes a function pointer. |
| |
| Form 3 already knows that we're initializing with a real function, and |
| that Clang will give it to use signed as a C function pointer. So, it |
| doesn't do any assertions. This form is useful for initializing CFunctionPtrs |
| embedded in const data structures. |
| |
| Form 4 is an explicit constructor that takes an arbitrary function |
| pointer, but does not know if that pointer is already signed as a C function |
| pointer. Hence, this form will do a RELEASE_ASSERT that the given function |
| pointer is actually signed as a C function pointer. |
| |
| Once instantiated, we are guaranteed that a C function pointer is either null |
| or contains a signed C function pointer. |
| |
| * domjit/DOMJITSignature.h: |
| (JSC::DOMJIT::Signature::Signature): |
| - Sign functionWithoutTypeCheck as WTF_VTBL_FUNCPTR_PTRAUTH(DOMJITFunctionPtrTag). |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCallDOM): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM): |
| - Use the new CFunctionPtr to document that the retrieved signature->functionWithoutTypeCheck |
| is signed as a C function pointer. |
| |
| * runtime/ClassInfo.h: |
| - Update MethodTable to sign its function pointers using the new WTF_VTBL_FUNCPTR_PTRAUTH_STR |
| to be consistent. No longer need to roll its own PTRAUTH macro. |
| |
| * runtime/JSCPtrTag.h: |
| - Add DOMJITFunctionPtrTag. |
| |
| * tools/JSDollarVM.cpp: |
| - Update to work with the new DOMJIT::Signature constructor. |
| |
| 2019-08-02 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Support WebAssembly in SamplingProfiler |
| https://bugs.webkit.org/show_bug.cgi?id=200329 |
| |
| Reviewed by Saam Barati. |
| |
| The sampling profiler support is critical to investigate what is actually time-consuming. This patch adds the sampling profiler support for Wasm functions |
| to list up hot Wasm functions with compilation mode (BBQ or OMG). This allows us to investigate the hot functions in JetStream2 wasm tests. |
| |
| In order to retrieve wasm function information from the sampling profiler safely, we need to know whether the given Wasm CalleeBits is valid in the call frame. |
| To achieve this, we start collecting valid Wasm::Callee pointers in a global hash set. Previously, each Wasm::Callee registered its code region to a hash set |
| for wasm fault signal handler to know whether the faulted program-counter is in wasm region. We reuse and change this mechanism. Instead of registering code region, |
| we register Wasm::Callee* to a hash set. The sampling profiler reuses this hash set to determine whether the given bits is a valid Wasm::Callee. |
| |
| The sampling profiler retrieves the information safely from valid Wasm::Callee* pointer. It is possible that this Wasm::Callee is about to be dead: ref-count is 0, |
| now in the middle of the destructor of Wasm::Callee. Even in that case, fields of Wasm::Callee are still valid and can be accessed since destroying these fields happens |
| after we unregister Wasm::Callee from the global hash set. |
| |
| We retrieve Wasm::IndexOrName and Wasm::CompilationMode. Copying them does not involve any allocations, locking etc. So we can safely copy them while some of threads are suspended. |
| |
| This patch also fixes the issue that we never called `unregisterCode` while every Wasm::Calllee registers its code region through `registerCode`. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * runtime/InitializeThreading.cpp: |
| (JSC::initializeThreading): |
| * runtime/SamplingProfiler.cpp: |
| (JSC::FrameWalker::FrameWalker): |
| (JSC::FrameWalker::recordJSFrame): |
| (JSC::CFrameWalker::CFrameWalker): |
| (JSC::SamplingProfiler::takeSample): |
| (JSC::SamplingProfiler::processUnverifiedStackTraces): |
| (JSC::SamplingProfiler::StackFrame::displayName): |
| (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests): |
| (JSC::SamplingProfiler::StackFrame::functionStartLine): |
| (JSC::SamplingProfiler::StackFrame::functionStartColumn): |
| (JSC::SamplingProfiler::StackFrame::sourceID): |
| (JSC::SamplingProfiler::StackFrame::url): |
| (JSC::SamplingProfiler::reportTopBytecodes): |
| (WTF::printInternal): |
| * runtime/SamplingProfiler.h: |
| * tools/JSDollarVM.cpp: |
| (JSC::functionIsWasmSupported): |
| (JSC::JSDollarVM::finishCreation): |
| * wasm/WasmB3IRGenerator.h: |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::complete): |
| * wasm/WasmBBQPlanInlines.h: |
| (JSC::Wasm::BBQPlan::initializeCallees): |
| * wasm/WasmCallee.cpp: |
| (JSC::Wasm::Callee::Callee): |
| (JSC::Wasm::Callee::~Callee): |
| * wasm/WasmCallee.h: |
| (JSC::Wasm::Callee::create): Deleted. |
| (JSC::Wasm::Callee::entrypoint const): Deleted. |
| (JSC::Wasm::Callee::calleeSaveRegisters): Deleted. |
| (JSC::Wasm::Callee::indexOrName const): Deleted. |
| * wasm/WasmCalleeRegistry.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h. |
| (JSC::Wasm::CalleeRegistry::initialize): |
| (JSC::Wasm::CalleeRegistry::singleton): |
| * wasm/WasmCalleeRegistry.h: Copied from Source/JavaScriptCore/wasm/WasmCallee.cpp. |
| (JSC::Wasm::CalleeRegistry::getLock): |
| (JSC::Wasm::CalleeRegistry::registerCallee): |
| (JSC::Wasm::CalleeRegistry::unregisterCallee): |
| (JSC::Wasm::CalleeRegistry::isValidCallee): |
| * wasm/WasmCompilationMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h. |
| (JSC::Wasm::makeString): |
| * wasm/WasmCompilationMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h. |
| * wasm/WasmFaultSignalHandler.cpp: |
| (JSC::Wasm::trapHandler): |
| (JSC::Wasm::enableFastMemory): |
| (JSC::Wasm::registerCode): Deleted. |
| (JSC::Wasm::unregisterCode): Deleted. |
| * wasm/WasmFaultSignalHandler.h: |
| * wasm/WasmIndexOrName.h: |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| |
| 2019-08-02 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] LazyJSValue should be robust for empty JSValue |
| https://bugs.webkit.org/show_bug.cgi?id=200388 |
| |
| Reviewed by Saam Barati. |
| |
| If the Switch DFG node is preceded by ForceOSRExit or something that invalidates the basic block, |
| it can take a FrozenValue as a child which includes empty value instead of string, number etc. |
| If this Switch node is kept and we reached to DFGCFGSimplificationPhase, it will use this FrozenValue. |
| However, LazyJSValue using this FrozenValue strongly assumes that FrozenValue is never holding empty value. |
| But this assumption is wrong. This patch makes LazyJSValue robust for empty value. |
| |
| * dfg/DFGLazyJSValue.cpp: |
| (JSC::DFG::LazyJSValue::tryGetStringImpl const): |
| (JSC::DFG::LazyJSValue::tryGetString const): |
| (JSC::DFG::LazyJSValue::strictEqual const): |
| (JSC::DFG::LazyJSValue::switchLookupValue const): |
| |
| 2019-08-02 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Storage: disable related agents when the tab is closed |
| https://bugs.webkit.org/show_bug.cgi?id=200117 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Rework how `enable`/`disable` is used for storage-related agents so that events are not sent |
| and data isn't kept alive when the Storage tab isn't enabled. |
| |
| * inspector/protocol/ApplicationCache.json: |
| Add `disable` command. |
| |
| 2019-08-01 Keith Miller <keith_miller@apple.com> |
| |
| B3 should support tuple types |
| https://bugs.webkit.org/show_bug.cgi?id=200327 |
| |
| Reviewed by Filip Pizlo. |
| |
| As part of the Wasm multi-value proposal, we need to teach B3 that |
| patchpoints can return more than one value. This is done by |
| adding a new B3::Type called Tuple. Unlike, other B3 types Tuple |
| is actually an encoded index into a numeric B3::Type vector on the |
| procedure. This lets us distinguish any two tuples from each |
| other, moreover, it's possible to get the vector of types with |
| just the B3::Tuple type and the procedure. |
| |
| Since most B3 operations only expect to see a single numeric child |
| there is a new Opcode, Extract, that takes yields the some, fixed, |
| entry from a tuple value. Extract would be the only other change |
| needed to make tuples work in B3 except that some optimizations |
| expect to be able to take any non-Void value and stick it into a |
| Variable of the same type. This means both Get/Set from a variable |
| have to support Tuples as well. For simplicity and consistency, |
| the ability to accept tuples is also applied to Phi and Upsilon. |
| |
| In order to lower a Tuple, B3Lowering needs to have a Tmp for each |
| nested type in a Tuple. While we could reuse the existing |
| IndexedTables to hold the extra information we need to lower |
| Tuples, we instead use a two new HashTables for Value->Tmp(s) and |
| Phi->Tmp(s). It's expected that Tuples will be sufficiently |
| uncommon the overhead of tracking everything together would be |
| prohibitive. On the other hand, we don't worry about this for |
| Variables because we don't expect those to make it to lowering. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * b3/B3Bank.h: |
| (JSC::B3::bankForType): |
| * b3/B3CheckValue.cpp: |
| (JSC::B3::CheckValue::CheckValue): |
| * b3/B3ExtractValue.cpp: Copied from Source/JavaScriptCore/b3/B3ProcedureInlines.h. |
| (JSC::B3::ExtractValue::~ExtractValue): |
| (JSC::B3::ExtractValue::dumpMeta const): |
| * b3/B3ExtractValue.h: Copied from Source/JavaScriptCore/b3/B3FixSSA.h. |
| * b3/B3FixSSA.h: |
| * b3/B3LowerMacros.cpp: |
| * b3/B3LowerMacrosAfterOptimizations.cpp: |
| * b3/B3LowerToAir.cpp: |
| * b3/B3NativeTraits.h: |
| * b3/B3Opcode.cpp: |
| (JSC::B3::invertedCompare): |
| (WTF::printInternal): |
| * b3/B3Opcode.h: |
| (JSC::B3::opcodeForConstant): |
| * b3/B3PatchpointSpecial.cpp: |
| (JSC::B3::PatchpointSpecial::forEachArg): |
| (JSC::B3::PatchpointSpecial::isValid): |
| (JSC::B3::PatchpointSpecial::admitsStack): |
| (JSC::B3::PatchpointSpecial::generate): |
| * b3/B3PatchpointValue.cpp: |
| (JSC::B3::PatchpointValue::dumpMeta const): |
| (JSC::B3::PatchpointValue::PatchpointValue): |
| * b3/B3PatchpointValue.h: |
| * b3/B3Procedure.cpp: |
| (JSC::B3::Procedure::addTuple): |
| (JSC::B3::Procedure::isValidTuple const): |
| (JSC::B3::Procedure::tupleForType const): |
| (JSC::B3::Procedure::addIntConstant): |
| (JSC::B3::Procedure::addConstant): |
| * b3/B3Procedure.h: |
| (JSC::B3::Procedure::returnCount const): |
| * b3/B3ProcedureInlines.h: |
| (JSC::B3::Procedure::extractFromTuple const): |
| * b3/B3ReduceStrength.cpp: |
| * b3/B3StackmapSpecial.cpp: |
| (JSC::B3::StackmapSpecial::isValidImpl): |
| (JSC::B3::StackmapSpecial::isArgValidForType): |
| (JSC::B3::StackmapSpecial::isArgValidForRep): |
| (JSC::B3::StackmapSpecial::isArgValidForValue): Deleted. |
| * b3/B3StackmapSpecial.h: |
| * b3/B3StackmapValue.h: |
| * b3/B3Type.cpp: |
| (WTF::printInternal): |
| * b3/B3Type.h: |
| (JSC::B3::Type::Type): |
| (JSC::B3::Type::tupleFromIndex): |
| (JSC::B3::Type::kind const): |
| (JSC::B3::Type::tupleIndex const): |
| (JSC::B3::Type::hash const): |
| (JSC::B3::Type::operator== const): |
| (JSC::B3::Type::operator!= const): |
| (JSC::B3::Type::isInt const): |
| (JSC::B3::Type::isFloat const): |
| (JSC::B3::Type::isNumeric const): |
| (JSC::B3::Type::isTuple const): |
| (JSC::B3::sizeofType): |
| (JSC::B3::isInt): Deleted. |
| (JSC::B3::isFloat): Deleted. |
| * b3/B3TypeMap.h: |
| (JSC::B3::TypeMap::at): |
| * b3/B3Validate.cpp: |
| * b3/B3Value.cpp: |
| (JSC::B3::Value::isRounded const): |
| (JSC::B3::Value::effects const): |
| (JSC::B3::Value::typeFor): |
| * b3/B3Value.h: |
| * b3/B3ValueInlines.h: |
| * b3/B3ValueKey.cpp: |
| (JSC::B3::ValueKey::intConstant): |
| * b3/B3ValueKey.h: |
| (JSC::B3::ValueKey::hash const): |
| * b3/B3ValueRep.h: |
| * b3/B3Width.h: |
| (JSC::B3::widthForType): |
| * b3/air/AirArg.cpp: |
| (JSC::B3::Air::Arg::canRepresent const): |
| * b3/air/AirArg.h: |
| * b3/air/AirCCallingConvention.cpp: |
| (JSC::B3::Air::cCallResult): |
| * b3/air/AirLowerMacros.cpp: |
| (JSC::B3::Air::lowerMacros): |
| * b3/testb3.h: |
| (populateWithInterestingValues): |
| * b3/testb3_1.cpp: |
| (run): |
| * b3/testb3_3.cpp: |
| (testStorePartial8BitRegisterOnX86): |
| * b3/testb3_5.cpp: |
| (testPatchpointWithRegisterResult): |
| (testPatchpointWithStackArgumentResult): |
| (testPatchpointWithAnyResult): |
| * b3/testb3_6.cpp: |
| (testPatchpointDoubleRegs): |
| (testSomeEarlyRegister): |
| * b3/testb3_7.cpp: |
| (testShuffleDoesntTrashCalleeSaves): |
| (testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead): |
| (testSimpleTuplePair): |
| (testSimpleTuplePairUnused): |
| (testSimpleTuplePairStack): |
| (tailDupedTuplePair): |
| (tuplePairVariableLoop): |
| (tupleNestedLoop): |
| (addTupleTests): |
| * b3/testb3_8.cpp: |
| (testLoad): |
| (addLoadTests): |
| * ftl/FTLAbbreviatedTypes.h: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): |
| (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::emitPatchpoint): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::B3IRGenerator): |
| * wasm/WasmCallingConvention.h: |
| (JSC::Wasm::CallingConvention::marshallArgument const): |
| (JSC::Wasm::CallingConvention::setupFrameInPrologue const): |
| (JSC::Wasm::CallingConvention::setupCall const): |
| (JSC::Wasm::CallingConventionAir::setupCall const): |
| |
| 2019-08-02 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use "destroy" function directly for JSWebAssemblyCodeBlock and WebAssemblyFunction |
| https://bugs.webkit.org/show_bug.cgi?id=200385 |
| |
| Reviewed by Mark Lam. |
| |
| These CellTypes are not using classInfo stored in the cells, so we can just call JSWebAssemblyCodeBlock::destroy |
| and WebAssemblyFunction::destroy directly. |
| |
| * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: |
| (JSC::JSWebAssemblyCodeBlockDestroyFunc::operator() const): |
| * wasm/js/WebAssemblyFunctionHeapCellType.cpp: |
| (JSC::WebAssemblyFunctionDestroyFunc::operator() const): |
| |
| 2019-08-02 Mark Lam <mark.lam@apple.com> |
| |
| Gardening: build fix. |
| https://bugs.webkit.org/show_bug.cgi?id=200149 |
| <rdar://problem/53570112> |
| |
| Not reviewed. |
| |
| * assembler/CPU.cpp: |
| (JSC::hwPhysicalCPUMax): |
| |
| 2019-08-01 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| GetterSetter type confusion during DFG compilation |
| https://bugs.webkit.org/show_bug.cgi?id=199903 |
| |
| Reviewed by Mark Lam. |
| |
| In AI, we are strongly assuming that GetGetter's child constant value should be GetterSetter if it exists. |
| However, this can be wrong since nobody ensures that. AI assumed so because the control-flow and preceding |
| CheckStructure ensures that. But this preceding check can be eliminated if the node becomes (at runtime) unreachable. |
| |
| Let's consider the following graph. |
| |
| 129:<!0:-> PutByOffset(KnownCell:@115, KnownCell:@115, Check:Untyped:@124, MustGen, id5{length}, 0, W:NamedProperties(5), ClobbersExit, bc#154, ExitValid) |
| 130:<!0:-> PutStructure(KnownCell:@115, MustGen, %C8:Object -> %C3:Object, ID:7726, R:JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType, ClobbersExit, bc#154, ExitInvalid) |
| ... |
| 158:<!0:-> GetLocal(Check:Untyped:@197, JS|MustGen|UseAsOther, Final, loc7(R<Final>/FlushedCell), R:Stack(-8), bc#187, ExitValid) predicting Final |
| 210:< 1:-> DoubleRep(Check:NotCell:@158, Double|PureInt, BytecodeDouble, Exits, bc#187, ExitValid) |
| ... |
| 162:<!0:-> CheckStructure(Cell:@158, MustGen, [%Ad:Object], R:JSCell_structureID, Exits, bc#192, ExitValid) |
| 163:< 1:-> GetGetterSetterByOffset(KnownCell:@158, KnownCell:@158, JS|UseAsOther, OtherCell, id5{length}, 0, R:NamedProperties(5), Exits, bc#192, ExitValid) |
| 164:< 1:-> GetGetter(KnownCell:@163, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid) |
| |
| At @163 and @164, AI proves that @158's AbstractValue is None because @210's edge filters out Cells @158 is a cell. But we do not invalidate graph status as "Invalid" even if edge filters out all possible value. |
| This is because the result of edge can be None in a valid program. For example, we can put a dependency edge between a consuming node and a producing node, where the producing node is just like a check and it |
| does not produce a value actually. So, @163 and @164 are not invalidated. This is totally fine in our compiler pipeline right now. |
| |
| But after that, global CSE phase found that @115 and @158 are same and @129 dominates @158. As a result, we can replace GetGetter child's @163 with @124. Since CheckStructure is already removed (and now, at runtime, |
| @163 and @164 are never executed), we do not have any structure guarantee on @158 and the result of @163. This means that @163's CSE result can be non-GetterSetter value. |
| |
| 124:< 2:-> JSConstant(JS|UseAsOther, Final, Weak:Object: 0x1199e82a0 with butterfly 0x0 (Structure %B4:Object), StructureID: 49116, bc#0, ExitValid) |
| ... |
| 126:< 2:-> GetGetter(KnownCell:Kill:@124, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid) |
| |
| AI filters out @124's non-cell values. But @126 can get non-GetterSetter cell at AI phase. But our AI code is like the following. |
| |
| |
| JSValue base = forNode(node->child1()).m_value; |
| if (base) { |
| GetterSetter* getterSetter = jsCast<GetterSetter*>(base); |
| ... |
| |
| Then, jsCast casts the above object with GetterSetter accidentally. |
| |
| In general, DFG AI can get a proven constant value, which could not be shown at runtime. This happens if the processing node is unreachable at runtime while the graph is not invalid yet, because preceding edge |
| filters already filter out all the possible execution. DFG AI already considered about this possibility, and it attempts to fold a node into a constant only when the constant input matches against the expected one. |
| But several DFG nodes are not handling this correctly: GetGetter, GetSetter, and SkipScope. |
| |
| In this patch, we use `jsDynamicCast` to ensure that the constant input matches against the expected (foldable) one, and fold it only when the expectation is met. |
| We also remove DFG::Node::castConstant and its use. We should not rely on the constant folded value based on graph's control-flow. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::castConstant): Deleted. |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation): |
| |
| 2019-08-01 Mark Lam <mark.lam@apple.com> |
| |
| Add crash diagnostics for debugging unexpected zapped cells. |
| https://bugs.webkit.org/show_bug.cgi?id=200149 |
| <rdar://problem/53570112> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add a check for zapped cells in SlotVisitor::appendToMarkStack() and |
| SlotVisitor::visitChildren(). If a zapped cell is detected, we will crash with |
| some diagnostic info. |
| |
| To facilitate this, we've made the following changes: |
| 1. Changed FreeCell to preserve the 1st 8 bytes. This is fine to do because all |
| cells are at least 16 bytes long. |
| 2. Changed HeapCell::zap() to only zap the structureID. Leave the rest of the |
| cell header info intact (including the cell JSType). |
| 3. Changed HeapCell::zap() to record the reason for zapping the cell. We stash |
| the reason immediately after the first 8 bytes. This is the same location as |
| FreeCell::scrambledNext. However, since a cell is not expected to be zapped |
| and on the free list at the same time, it is also fine to do this. |
| 4. Added a few utility functions to MarkedBlock for checking if a cell points |
| into the block. |
| 5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes. |
| 6. Added some comments to document the hashes of known subspaces. |
| 7. Added Options::dumpZappedCellCrashData() to make this check conditional. |
| We use this option to disable this check for slower machines so that their |
| PLT5 performance is not impacted. |
| |
| * assembler/CPU.cpp: |
| (JSC::hwL3CacheSize): |
| (JSC::hwPhysicalCPUMax): |
| * assembler/CPU.h: |
| (JSC::hwL3CacheSize): |
| (JSC::hwPhysicalCPUMax): |
| * heap/FreeList.h: |
| (JSC::FreeCell::offsetOfScrambledNext): |
| * heap/HeapCell.h: |
| (JSC::HeapCell::zap): |
| (JSC::HeapCell::isZapped const): |
| * heap/MarkedBlock.cpp: |
| (JSC::MarkedBlock::Handle::stopAllocating): |
| * heap/MarkedBlock.h: |
| (JSC::MarkedBlock::Handle::start const): |
| (JSC::MarkedBlock::Handle::end const): |
| (JSC::MarkedBlock::Handle::contains const): |
| * heap/MarkedBlockInlines.h: |
| (JSC::MarkedBlock::Handle::specializedSweep): |
| * heap/MarkedSpace.h: |
| (JSC::MarkedSpace::forEachSubspace): |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::appendToMarkStack): |
| (JSC::SlotVisitor::visitChildren): |
| (JSC::SlotVisitor::reportZappedCellAndCrash): |
| * heap/SlotVisitor.h: |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): |
| * runtime/Options.cpp: |
| (JSC::Options::initialize): |
| * runtime/Options.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * tools/JSDollarVM.cpp: |
| (JSC::functionDumpSubspaceHashes): |
| (JSC::JSDollarVM::finishCreation): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::dumpSubspaceHashes): |
| * tools/VMInspector.h: |
| |
| 2019-08-01 Keith Miller <keith_miller@apple.com> |
| |
| Fix bug in testMulImm32SignExtend |
| https://bugs.webkit.org/show_bug.cgi?id=200358 |
| |
| Reviewed by Mark Lam. |
| |
| Also, have it run in more configurations. |
| |
| * b3/testb3_2.cpp: |
| (testMulImm32SignExtend): |
| * b3/testb3_3.cpp: |
| (addArgTests): |
| |
| 2019-07-31 Mark Lam <mark.lam@apple.com> |
| |
| Rename DOMJIT safe/unsafeFunction to functionWithTypeChecks and functionWithoutTypeChecks. |
| https://bugs.webkit.org/show_bug.cgi?id=200323 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The DOMJIT has a notion of a safeFunction and an unsafeFunction. The safeFunction |
| is effectively the same as the unsafeFunction with added type check. The DFG/FTL |
| will emit code to call the unsafeFunction if it has already emitted the needed |
| type check or proven that it isn't needed. Otherwise, the DFG/FTL will emit |
| code to call the safeFunction (which does its own type check) instead. |
| |
| This patch renames these functions to better describe their difference. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCallDOM): |
| * domjit/DOMJITSignature.h: |
| (JSC::DOMJIT::Signature::Signature): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM): |
| * tools/JSDollarVM.cpp: |
| (JSC::DOMJITFunctionObject::functionWithTypeCheck): |
| (JSC::DOMJITFunctionObject::functionWithoutTypeCheck): |
| (JSC::DOMJITFunctionObject::finishCreation): |
| (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::finishCreation): |
| (JSC::DOMJITFunctionObject::safeFunction): Deleted. |
| (JSC::DOMJITFunctionObject::unsafeFunction): Deleted. |
| (JSC::DOMJITCheckSubClassObject::safeFunction): Deleted. |
| (JSC::DOMJITCheckSubClassObject::unsafeFunction): Deleted. |
| |
| 2019-07-31 Alex Christensen <achristensen@webkit.org> |
| |
| Begin organizing b3 tests |
| https://bugs.webkit.org/show_bug.cgi?id=200330 |
| |
| Reviewed by Keith Miller. |
| |
| * b3/testb3.h: |
| * b3/testb3_1.cpp: |
| (run): |
| (zero): Deleted. |
| (negativeZero): Deleted. |
| * b3/testb3_2.cpp: |
| (testBitXorTreeArgs): |
| (testBitXorTreeArgsEven): |
| (testBitXorTreeArgImm): |
| (testBitAndTreeArg32): |
| (testBitOrTreeArg32): |
| (testBitAndArgs): |
| (testBitAndSameArg): |
| (testBitAndNotNot): |
| (testBitAndNotImm): |
| (testBitAndImms): |
| (testBitAndArgImm): |
| (testBitAndImmArg): |
| (testBitAndBitAndArgImmImm): |
| (testBitAndImmBitAndArgImm): |
| (testBitAndArgs32): |
| (testBitAndSameArg32): |
| (testBitAndImms32): |
| (testBitAndArgImm32): |
| (testBitAndImmArg32): |
| (testBitAndBitAndArgImmImm32): |
| (testBitAndImmBitAndArgImm32): |
| (testBitAndWithMaskReturnsBooleans): |
| (testBitAndArgDouble): |
| (testBitAndArgsDouble): |
| (testBitAndArgImmDouble): |
| (testBitAndImmsDouble): |
| (testBitAndArgFloat): |
| (testBitAndArgsFloat): |
| (testBitAndArgImmFloat): |
| (testBitAndImmsFloat): |
| (testBitAndArgsFloatWithUselessDoubleConversion): |
| (testBitOrArgs): |
| (testBitOrSameArg): |
| (testBitOrAndAndArgs): |
| (testBitOrAndSameArgs): |
| (testBitOrNotNot): |
| (testBitOrNotImm): |
| (testBitOrImms): |
| (testBitOrArgImm): |
| (testBitOrImmArg): |
| (testBitOrBitOrArgImmImm): |
| (testBitOrImmBitOrArgImm): |
| (testBitOrArgs32): |
| (testBitOrSameArg32): |
| (testBitOrImms32): |
| (testBitOrArgImm32): |
| (testBitOrImmArg32): |
| (addBitTests): |
| * b3/testb3_3.cpp: |
| (testSShrArgs): |
| (testSShrImms): |
| (testSShrArgImm): |
| (testSShrArg32): |
| (testSShrArgs32): |
| (testSShrImms32): |
| (testSShrArgImm32): |
| (testZShrArgs): |
| (testZShrImms): |
| (testZShrArgImm): |
| (testZShrArg32): |
| (testZShrArgs32): |
| (testZShrImms32): |
| (testZShrArgImm32): |
| (zero): |
| (negativeZero): |
| (addArgTests): |
| (addCallTests): |
| (addShrTests): |
| * b3/testb3_4.cpp: |
| (addSExtTests): |
| * b3/testb3_6.cpp: |
| (testSShrShl32): |
| (testSShrShl64): |
| (addSShrShTests): |
| |
| 2019-07-31 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Debugger: support emulateUserGesture parameter in Debugger.evaluateOnCallFrame |
| https://bugs.webkit.org/show_bug.cgi?id=200272 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| When paused, evaluating in the console should still respect the "Emulate User Gesture" checkbox. |
| |
| * inspector/protocol/Debugger.json: |
| * inspector/agents/InspectorDebuggerAgent.h: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): |
| |
| 2019-07-31 Alex Christensen <achristensen@webkit.org> |
| |
| Split testb3 into multiple files |
| https://bugs.webkit.org/show_bug.cgi?id=200326 |
| |
| Reviewed by Keith Miller. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * b3/testb3.cpp: Removed. |
| * b3/testb3.h: Added. |
| (hiddenTruthBecauseNoReturnIsStupid): |
| (usage): |
| (shouldBeVerbose): |
| (compileProc): |
| (invoke): |
| (compileAndRun): |
| (lowerToAirForTesting): |
| (checkDisassembly): |
| (checkUsesInstruction): |
| (checkDoesNotUseInstruction): |
| (populateWithInterestingValues): |
| (floatingPointOperands): |
| (int64Operands): |
| (int32Operands): |
| (add32): |
| (modelLoad): |
| (float>): |
| (double>): |
| * b3/testb3_1.cpp: Added. |
| (zero): |
| (negativeZero): |
| (shouldRun): |
| (testRotR): |
| (testRotL): |
| (testRotRWithImmShift): |
| (testRotLWithImmShift): |
| (testComputeDivisionMagic): |
| (run): |
| (main): |
| (dllLauncherEntryPoint): |
| * b3/testb3_2.cpp: Added. |
| (test42): |
| (testLoad42): |
| (testLoadAcq42): |
| (testLoadWithOffsetImpl): |
| (testLoadOffsetImm9Max): |
| (testLoadOffsetImm9MaxPlusOne): |
| (testLoadOffsetImm9MaxPlusTwo): |
| (testLoadOffsetImm9Min): |
| (testLoadOffsetImm9MinMinusOne): |
| (testLoadOffsetScaledUnsignedImm12Max): |
| (testLoadOffsetScaledUnsignedOverImm12Max): |
| (testBitXorTreeArgs): |
| (testBitXorTreeArgsEven): |
| (testBitXorTreeArgImm): |
| (testAddTreeArg32): |
| (testMulTreeArg32): |
| (testBitAndTreeArg32): |
| (testBitOrTreeArg32): |
| (testArg): |
| (testReturnConst64): |
| (testReturnVoid): |
| (testAddArg): |
| (testAddArgs): |
| (testAddArgImm): |
| (testAddImmArg): |
| (testAddArgMem): |
| (testAddMemArg): |
| (testAddImmMem): |
| (testAddArg32): |
| (testAddArgs32): |
| (testAddArgMem32): |
| (testAddMemArg32): |
| (testAddImmMem32): |
| (testAddNeg1): |
| (testAddNeg2): |
| (testAddArgZeroImmZDef): |
| (testAddLoadTwice): |
| (testAddArgDouble): |
| (testAddArgsDouble): |
| (testAddArgImmDouble): |
| (testAddImmArgDouble): |
| (testAddImmsDouble): |
| (testAddArgFloat): |
| (testAddArgsFloat): |
| (testAddFPRArgsFloat): |
| (testAddArgImmFloat): |
| (testAddImmArgFloat): |
| (testAddImmsFloat): |
| (testAddArgFloatWithUselessDoubleConversion): |
| (testAddArgsFloatWithUselessDoubleConversion): |
| (testAddArgsFloatWithEffectfulDoubleConversion): |
| (testAddMulMulArgs): |
| (testMulArg): |
| (testMulArgStore): |
| (testMulAddArg): |
| (testMulArgs): |
| (testMulArgNegArg): |
| (testMulNegArgArg): |
| (testMulArgImm): |
| (testMulImmArg): |
| (testMulArgs32): |
| (testMulArgs32SignExtend): |
| (testMulImm32SignExtend): |
| (testMulLoadTwice): |
| (testMulAddArgsLeft): |
| (testMulAddArgsRight): |
| (testMulAddArgsLeft32): |
| (testMulAddArgsRight32): |
| (testMulSubArgsLeft): |
| (testMulSubArgsRight): |
| (testMulSubArgsLeft32): |
| (testMulSubArgsRight32): |
| (testMulNegArgs): |
| (testMulNegArgs32): |
| (testMulArgDouble): |
| (testMulArgsDouble): |
| (testMulArgImmDouble): |
| (testMulImmArgDouble): |
| (testMulImmsDouble): |
| (testMulArgFloat): |
| (testMulArgsFloat): |
| (testMulArgImmFloat): |
| (testMulImmArgFloat): |
| (testMulImmsFloat): |
| (testMulArgFloatWithUselessDoubleConversion): |
| (testMulArgsFloatWithUselessDoubleConversion): |
| (testMulArgsFloatWithEffectfulDoubleConversion): |
| (testDivArgDouble): |
| (testDivArgsDouble): |
| (testDivArgImmDouble): |
| (testDivImmArgDouble): |
| (testDivImmsDouble): |
| (testDivArgFloat): |
| (testDivArgsFloat): |
| (testDivArgImmFloat): |
| (testDivImmArgFloat): |
| (testDivImmsFloat): |
| (testModArgDouble): |
| (testModArgsDouble): |
| (testModArgImmDouble): |
| (testModImmArgDouble): |
| (testModImmsDouble): |
| (testModArgFloat): |
| (testModArgsFloat): |
| (testModArgImmFloat): |
| (testModImmArgFloat): |
| (testModImmsFloat): |
| (testDivArgFloatWithUselessDoubleConversion): |
| (testDivArgsFloatWithUselessDoubleConversion): |
| (testDivArgsFloatWithEffectfulDoubleConversion): |
| (testUDivArgsInt32): |
| (testUDivArgsInt64): |
| (testUModArgsInt32): |
| (testUModArgsInt64): |
| (testSubArg): |
| (testSubArgs): |
| (testSubArgImm): |
| (testSubNeg): |
| (testNegSub): |
| (testNegValueSubOne): |
| (testSubSub): |
| (testSubSub2): |
| (testSubAdd): |
| (testSubFirstNeg): |
| (testSubImmArg): |
| (testSubArgMem): |
| (testSubMemArg): |
| (testSubImmMem): |
| (testSubMemImm): |
| (testSubArgs32): |
| (testSubArgImm32): |
| (testSubImmArg32): |
| (testSubMemArg32): |
| (testSubArgMem32): |
| (testSubImmMem32): |
| (testSubMemImm32): |
| (testNegValueSubOne32): |
| (testNegMulArgImm): |
| (testSubMulMulArgs): |
| (testSubArgDouble): |
| (testSubArgsDouble): |
| (testSubArgImmDouble): |
| (testSubImmArgDouble): |
| (testSubImmsDouble): |
| (testSubArgFloat): |
| (testSubArgsFloat): |
| (testSubArgImmFloat): |
| (testSubImmArgFloat): |
| (testSubImmsFloat): |
| (testSubArgFloatWithUselessDoubleConversion): |
| (testSubArgsFloatWithUselessDoubleConversion): |
| (testSubArgsFloatWithEffectfulDoubleConversion): |
| (testTernarySubInstructionSelection): |
| (testNegDouble): |
| (testNegFloat): |
| (testNegFloatWithUselessDoubleConversion): |
| (testBitAndArgs): |
| (testBitAndSameArg): |
| (testBitAndNotNot): |
| (testBitAndNotImm): |
| (testBitAndImms): |
| (testBitAndArgImm): |
| (testBitAndImmArg): |
| (testBitAndBitAndArgImmImm): |
| (testBitAndImmBitAndArgImm): |
| (testBitAndArgs32): |
| (testBitAndSameArg32): |
| (testBitAndImms32): |
| (testBitAndArgImm32): |
| (testBitAndImmArg32): |
| (testBitAndBitAndArgImmImm32): |
| (testBitAndImmBitAndArgImm32): |
| (testBitAndWithMaskReturnsBooleans): |
| (bitAndDouble): |
| (testBitAndArgDouble): |
| (testBitAndArgsDouble): |
| (testBitAndArgImmDouble): |
| (testBitAndImmsDouble): |
| (bitAndFloat): |
| (testBitAndArgFloat): |
| (testBitAndArgsFloat): |
| (testBitAndArgImmFloat): |
| (testBitAndImmsFloat): |
| (testBitAndArgsFloatWithUselessDoubleConversion): |
| (testBitOrArgs): |
| (testBitOrSameArg): |
| (testBitOrAndAndArgs): |
| (testBitOrAndSameArgs): |
| (testBitOrNotNot): |
| (testBitOrNotImm): |
| (testBitOrImms): |
| (testBitOrArgImm): |
| (testBitOrImmArg): |
| (testBitOrBitOrArgImmImm): |
| (testBitOrImmBitOrArgImm): |
| (testBitOrArgs32): |
| (testBitOrSameArg32): |
| (testBitOrImms32): |
| (testBitOrArgImm32): |
| (testBitOrImmArg32): |
| * b3/testb3_3.cpp: Added. |
| (testBitOrBitOrArgImmImm32): |
| (testBitOrImmBitOrArgImm32): |
| (bitOrDouble): |
| (testBitOrArgDouble): |
| (testBitOrArgsDouble): |
| (testBitOrArgImmDouble): |
| (testBitOrImmsDouble): |
| (bitOrFloat): |
| (testBitOrArgFloat): |
| (testBitOrArgsFloat): |
| (testBitOrArgImmFloat): |
| (testBitOrImmsFloat): |
| (testBitOrArgsFloatWithUselessDoubleConversion): |
| (testBitXorArgs): |
| (testBitXorSameArg): |
| (testBitXorAndAndArgs): |
| (testBitXorAndSameArgs): |
| (testBitXorImms): |
| (testBitXorArgImm): |
| (testBitXorImmArg): |
| (testBitXorBitXorArgImmImm): |
| (testBitXorImmBitXorArgImm): |
| (testBitXorArgs32): |
| (testBitXorSameArg32): |
| (testBitXorImms32): |
| (testBitXorArgImm32): |
| (testBitXorImmArg32): |
| (testBitXorBitXorArgImmImm32): |
| (testBitXorImmBitXorArgImm32): |
| (testBitNotArg): |
| (testBitNotImm): |
| (testBitNotMem): |
| (testBitNotArg32): |
| (testBitNotImm32): |
| (testBitNotMem32): |
| (testNotOnBooleanAndBranch32): |
| (testBitNotOnBooleanAndBranch32): |
| (testShlArgs): |
| (testShlImms): |
| (testShlArgImm): |
| (testShlSShrArgImm): |
| (testShlArg32): |
| (testShlArgs32): |
| (testShlImms32): |
| (testShlArgImm32): |
| (testShlZShrArgImm32): |
| (testSShrArgs): |
| (testSShrImms): |
| (testSShrArgImm): |
| (testSShrArg32): |
| (testSShrArgs32): |
| (testSShrImms32): |
| (testSShrArgImm32): |
| (testZShrArgs): |
| (testZShrImms): |
| (testZShrArgImm): |
| (testZShrArg32): |
| (testZShrArgs32): |
| (testZShrImms32): |
| (testZShrArgImm32): |
| (countLeadingZero): |
| (testClzArg64): |
| (testClzMem64): |
| (testClzArg32): |
| (testClzMem32): |
| (testAbsArg): |
| (testAbsImm): |
| (testAbsMem): |
| (testAbsAbsArg): |
| (testAbsNegArg): |
| (testAbsBitwiseCastArg): |
| (testBitwiseCastAbsBitwiseCastArg): |
| (testAbsArgWithUselessDoubleConversion): |
| (testAbsArgWithEffectfulDoubleConversion): |
| (testCeilArg): |
| (testCeilImm): |
| (testCeilMem): |
| (testCeilCeilArg): |
| (testFloorCeilArg): |
| (testCeilIToD64): |
| (testCeilIToD32): |
| (testCeilArgWithUselessDoubleConversion): |
| (testCeilArgWithEffectfulDoubleConversion): |
| (testFloorArg): |
| (testFloorImm): |
| (testFloorMem): |
| (testFloorFloorArg): |
| (testCeilFloorArg): |
| (testFloorIToD64): |
| (testFloorIToD32): |
| (testFloorArgWithUselessDoubleConversion): |
| (testFloorArgWithEffectfulDoubleConversion): |
| (correctSqrt): |
| (testSqrtArg): |
| (testSqrtImm): |
| (testSqrtMem): |
| (testSqrtArgWithUselessDoubleConversion): |
| (testSqrtArgWithEffectfulDoubleConversion): |
| (testCompareTwoFloatToDouble): |
| (testCompareOneFloatToDouble): |
| (testCompareFloatToDoubleThroughPhi): |
| (testDoubleToFloatThroughPhi): |
| (testReduceFloatToDoubleValidates): |
| (testDoubleProducerPhiToFloatConversion): |
| (testDoubleProducerPhiToFloatConversionWithDoubleConsumer): |
| (testDoubleProducerPhiWithNonFloatConst): |
| (testDoubleArgToInt64BitwiseCast): |
| (testDoubleImmToInt64BitwiseCast): |
| (testTwoBitwiseCastOnDouble): |
| (testBitwiseCastOnDoubleInMemory): |
| (testBitwiseCastOnDoubleInMemoryIndexed): |
| (testInt64BArgToDoubleBitwiseCast): |
| (testInt64BImmToDoubleBitwiseCast): |
| (testTwoBitwiseCastOnInt64): |
| (testBitwiseCastOnInt64InMemory): |
| (testBitwiseCastOnInt64InMemoryIndexed): |
| (testFloatImmToInt32BitwiseCast): |
| (testBitwiseCastOnFloatInMemory): |
| (testInt32BArgToFloatBitwiseCast): |
| (testInt32BImmToFloatBitwiseCast): |
| (testTwoBitwiseCastOnInt32): |
| (testBitwiseCastOnInt32InMemory): |
| (testConvertDoubleToFloatArg): |
| (testConvertDoubleToFloatImm): |
| (testConvertDoubleToFloatMem): |
| (testConvertFloatToDoubleArg): |
| (testConvertFloatToDoubleImm): |
| (testConvertFloatToDoubleMem): |
| (testConvertDoubleToFloatToDoubleToFloat): |
| (testLoadFloatConvertDoubleConvertFloatStoreFloat): |
| (testFroundArg): |
| (testFroundMem): |
| (testIToD64Arg): |
| (testIToF64Arg): |
| (testIToD32Arg): |
| (testIToF32Arg): |
| (testIToD64Mem): |
| (testIToF64Mem): |
| (testIToD32Mem): |
| (testIToF32Mem): |
| (testIToD64Imm): |
| (testIToF64Imm): |
| (testIToD32Imm): |
| (testIToF32Imm): |
| (testIToDReducedToIToF64Arg): |
| (testIToDReducedToIToF32Arg): |
| (testStore32): |
| (testStoreConstant): |
| (testStoreConstantPtr): |
| (testStore8Arg): |
| (testStore8Imm): |
| (testStorePartial8BitRegisterOnX86): |
| (testStore16Arg): |
| (testStore16Imm): |
| (testTrunc): |
| (testAdd1): |
| (testAdd1Ptr): |
| (testNeg32): |
| (testNegPtr): |
| (testStoreAddLoad32): |
| * b3/testb3_4.cpp: Added. |
| (testStoreRelAddLoadAcq32): |
| (testStoreAddLoadImm32): |
| (testStoreAddLoad8): |
| (testStoreRelAddLoadAcq8): |
| (testStoreRelAddFenceLoadAcq8): |
| (testStoreAddLoadImm8): |
| (testStoreAddLoad16): |
| (testStoreRelAddLoadAcq16): |
| (testStoreAddLoadImm16): |
| (testStoreAddLoad64): |
| (testStoreRelAddLoadAcq64): |
| (testStoreAddLoadImm64): |
| (testStoreAddLoad32Index): |
| (testStoreAddLoadImm32Index): |
| (testStoreAddLoad8Index): |
| (testStoreAddLoadImm8Index): |
| (testStoreAddLoad16Index): |
| (testStoreAddLoadImm16Index): |
| (testStoreAddLoad64Index): |
| (testStoreAddLoadImm64Index): |
| (testStoreSubLoad): |
| (testStoreAddLoadInterference): |
| (testStoreAddAndLoad): |
| (testStoreNegLoad32): |
| (testStoreNegLoadPtr): |
| (testAdd1Uncommuted): |
| (testLoadOffset): |
| (testLoadOffsetNotConstant): |
| (testLoadOffsetUsingAdd): |
| (testLoadOffsetUsingAddInterference): |
| (testLoadOffsetUsingAddNotConstant): |
| (testLoadAddrShift): |
| (testFramePointer): |
| (testOverrideFramePointer): |
| (testStackSlot): |
| (testLoadFromFramePointer): |
| (testStoreLoadStackSlot): |
| (testStoreFloat): |
| (testStoreDoubleConstantAsFloat): |
| (testSpillGP): |
| (testSpillFP): |
| (testInt32ToDoublePartialRegisterStall): |
| (testInt32ToDoublePartialRegisterWithoutStall): |
| (testBranch): |
| (testBranchPtr): |
| (testDiamond): |
| (testBranchNotEqual): |
| (testBranchNotEqualCommute): |
| (testBranchNotEqualNotEqual): |
| (testBranchEqual): |
| (testBranchEqualEqual): |
| (testBranchEqualCommute): |
| (testBranchEqualEqual1): |
| (testBranchEqualOrUnorderedArgs): |
| (testBranchNotEqualAndOrderedArgs): |
| (testBranchEqualOrUnorderedDoubleArgImm): |
| (testBranchEqualOrUnorderedFloatArgImm): |
| (testBranchEqualOrUnorderedDoubleImms): |
| (testBranchEqualOrUnorderedFloatImms): |
| (testBranchEqualOrUnorderedFloatWithUselessDoubleConversion): |
| (testBranchFold): |
| (testDiamondFold): |
| (testBranchNotEqualFoldPtr): |
| (testBranchEqualFoldPtr): |
| (testBranchLoadPtr): |
| (testBranchLoad32): |
| (testBranchLoad8S): |
| (testBranchLoad8Z): |
| (testBranchLoad16S): |
| (testBranchLoad16Z): |
| (testBranch8WithLoad8ZIndex): |
| (testComplex): |
| (testBranchBitTest32TmpImm): |
| (testBranchBitTest32AddrImm): |
| (testBranchBitTest32TmpTmp): |
| (testBranchBitTest64TmpTmp): |
| (testBranchBitTest64AddrTmp): |
| (testBranchBitTestNegation): |
| (testBranchBitTestNegation2): |
| (testSimplePatchpoint): |
| (testSimplePatchpointWithoutOuputClobbersGPArgs): |
| (testSimplePatchpointWithOuputClobbersGPArgs): |
| (testSimplePatchpointWithoutOuputClobbersFPArgs): |
| (testSimplePatchpointWithOuputClobbersFPArgs): |
| (testPatchpointWithEarlyClobber): |
| (testPatchpointCallArg): |
| (testPatchpointFixedRegister): |
| (testPatchpointAny): |
| (testPatchpointGPScratch): |
| (testPatchpointFPScratch): |
| (testPatchpointLotsOfLateAnys): |
| (testPatchpointAnyImm): |
| * b3/testb3_5.cpp: Added. |
| (testPatchpointManyImms): |
| (testPatchpointWithRegisterResult): |
| (testPatchpointWithStackArgumentResult): |
| (testPatchpointWithAnyResult): |
| (testSimpleCheck): |
| (testCheckFalse): |
| (testCheckTrue): |
| (testCheckLessThan): |
| (testCheckMegaCombo): |
| (testCheckTrickyMegaCombo): |
| (testCheckTwoMegaCombos): |
| (testCheckTwoNonRedundantMegaCombos): |
| (testCheckAddImm): |
| (testCheckAddImmCommute): |
| (testCheckAddImmSomeRegister): |
| (testCheckAdd): |
| (testCheckAdd64): |
| (testCheckAddFold): |
| (testCheckAddFoldFail): |
| (testCheckAddArgumentAliasing64): |
| (testCheckAddArgumentAliasing32): |
| (testCheckAddSelfOverflow64): |
| (testCheckAddSelfOverflow32): |
| (testCheckSubImm): |
| (testCheckSubBadImm): |
| (testCheckSub): |
| (doubleSub): |
| (testCheckSub64): |
| (testCheckSubFold): |
| (testCheckSubFoldFail): |
| (testCheckNeg): |
| (testCheckNeg64): |
| (testCheckMul): |
| (testCheckMulMemory): |
| (testCheckMul2): |
| (testCheckMul64): |
| (testCheckMulFold): |
| (testCheckMulFoldFail): |
| (testCheckMulArgumentAliasing64): |
| (testCheckMulArgumentAliasing32): |
| (testCheckMul64SShr): |
| (genericTestCompare): |
| (modelCompare): |
| (testCompareLoad): |
| (testCompareImpl): |
| (testCompare): |
| (testEqualDouble): |
| (simpleFunction): |
| (testCallSimple): |
| (testCallRare): |
| (testCallRareLive): |
| (testCallSimplePure): |
| (functionWithHellaArguments): |
| (testCallFunctionWithHellaArguments): |
| (functionWithHellaArguments2): |
| (testCallFunctionWithHellaArguments2): |
| (functionWithHellaArguments3): |
| (testCallFunctionWithHellaArguments3): |
| (testReturnDouble): |
| (testReturnFloat): |
| (simpleFunctionDouble): |
| (testCallSimpleDouble): |
| (simpleFunctionFloat): |
| (testCallSimpleFloat): |
| (functionWithHellaDoubleArguments): |
| (testCallFunctionWithHellaDoubleArguments): |
| (functionWithHellaFloatArguments): |
| (testCallFunctionWithHellaFloatArguments): |
| (testLinearScanWithCalleeOnStack): |
| (testChillDiv): |
| (testChillDivTwice): |
| (testChillDiv64): |
| (testModArg): |
| (testModArgs): |
| (testModImms): |
| (testModArg32): |
| (testModArgs32): |
| (testModImms32): |
| (testChillModArg): |
| (testChillModArgs): |
| (testChillModImms): |
| (testChillModArg32): |
| (testChillModArgs32): |
| (testChillModImms32): |
| (testLoopWithMultipleHeaderEdges): |
| (testSwitch): |
| (testSwitchSameCaseAsDefault): |
| (testSwitchChillDiv): |
| (testSwitchTargettingSameBlock): |
| (testSwitchTargettingSameBlockFoldPathConstant): |
| (testTruncFold): |
| (testZExt32): |
| (testZExt32Fold): |
| (testSExt32): |
| (testSExt32Fold): |
| (testTruncZExt32): |
| (testTruncSExt32): |
| (testSExt8): |
| (testSExt8Fold): |
| (testSExt8SExt8): |
| (testSExt8SExt16): |
| (testSExt8BitAnd): |
| (testBitAndSExt8): |
| (testSExt16): |
| (testSExt16Fold): |
| (testSExt16SExt16): |
| (testSExt16SExt8): |
| (testSExt16BitAnd): |
| (testBitAndSExt16): |
| (testSExt32BitAnd): |
| * b3/testb3_6.cpp: Added. |
| (testBitAndSExt32): |
| (testBasicSelect): |
| (testSelectTest): |
| (testSelectCompareDouble): |
| (testSelectCompareFloat): |
| (testSelectCompareFloatToDouble): |
| (testSelectDouble): |
| (testSelectDoubleTest): |
| (testSelectDoubleCompareDouble): |
| (testSelectDoubleCompareFloat): |
| (testSelectFloatCompareFloat): |
| (testSelectDoubleCompareDoubleWithAliasing): |
| (testSelectFloatCompareFloatWithAliasing): |
| (testSelectFold): |
| (testSelectInvert): |
| (testCheckSelect): |
| (testCheckSelectCheckSelect): |
| (testCheckSelectAndCSE): |
| (b3Pow): |
| (testPowDoubleByIntegerLoop): |
| (testTruncOrHigh): |
| (testTruncOrLow): |
| (testBitAndOrHigh): |
| (testBitAndOrLow): |
| (testBranch64Equal): |
| (testBranch64EqualImm): |
| (testBranch64EqualMem): |
| (testBranch64EqualMemImm): |
| (testStore8Load8Z): |
| (testStore16Load16Z): |
| (testSShrShl32): |
| (testSShrShl64): |
| (testTrivialInfiniteLoop): |
| (testFoldPathEqual): |
| (testLShiftSelf32): |
| (testRShiftSelf32): |
| (testURShiftSelf32): |
| (testLShiftSelf64): |
| (testRShiftSelf64): |
| (testURShiftSelf64): |
| (testPatchpointDoubleRegs): |
| (testSpillDefSmallerThanUse): |
| (testSpillUseLargerThanDef): |
| (testLateRegister): |
| (interpreterPrint): |
| (testInterpreter): |
| (testReduceStrengthCheckBottomUseInAnotherBlock): |
| (testResetReachabilityDanglingReference): |
| (testEntrySwitchSimple): |
| (testEntrySwitchNoEntrySwitch): |
| (testEntrySwitchWithCommonPaths): |
| (testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint): |
| (testEntrySwitchLoop): |
| (testSomeEarlyRegister): |
| (testBranchBitAndImmFusion): |
| (testTerminalPatchpointThatNeedsToBeSpilled): |
| (testTerminalPatchpointThatNeedsToBeSpilled2): |
| (testPatchpointTerminalReturnValue): |
| (testMemoryFence): |
| (testStoreFence): |
| (testLoadFence): |
| (testTrappingLoad): |
| (testTrappingStore): |
| (testTrappingLoadAddStore): |
| (testTrappingLoadDCE): |
| (testTrappingStoreElimination): |
| (testMoveConstants): |
| (testPCOriginMapDoesntInsertNops): |
| * b3/testb3_7.cpp: Added. |
| (testPinRegisters): |
| (testX86LeaAddAddShlLeft): |
| (testX86LeaAddAddShlRight): |
| (testX86LeaAddAdd): |
| (testX86LeaAddShlRight): |
| (testX86LeaAddShlLeftScale1): |
| (testX86LeaAddShlLeftScale2): |
| (testX86LeaAddShlLeftScale4): |
| (testX86LeaAddShlLeftScale8): |
| (testAddShl32): |
| (testAddShl64): |
| (testAddShl65): |
| (testReduceStrengthReassociation): |
| (testLoadBaseIndexShift2): |
| (testLoadBaseIndexShift32): |
| (testOptimizeMaterialization): |
| (generateLoop): |
| (makeArrayForLoops): |
| (generateLoopNotBackwardsDominant): |
| (oneFunction): |
| (noOpFunction): |
| (testLICMPure): |
| (testLICMPureSideExits): |
| (testLICMPureWritesPinned): |
| (testLICMPureWrites): |
| (testLICMReadsLocalState): |
| (testLICMReadsPinned): |
| (testLICMReads): |
| (testLICMPureNotBackwardsDominant): |
| (testLICMPureFoiledByChild): |
| (testLICMPureNotBackwardsDominantFoiledByChild): |
| (testLICMExitsSideways): |
| (testLICMWritesLocalState): |
| (testLICMWrites): |
| (testLICMFence): |
| (testLICMWritesPinned): |
| (testLICMControlDependent): |
| (testLICMControlDependentNotBackwardsDominant): |
| (testLICMControlDependentSideExits): |
| (testLICMReadsPinnedWritesPinned): |
| (testLICMReadsWritesDifferentHeaps): |
| (testLICMReadsWritesOverlappingHeaps): |
| (testLICMDefaultCall): |
| (testDepend32): |
| (testDepend64): |
| (testWasmBoundsCheck): |
| (testWasmAddress): |
| (testFastTLSLoad): |
| (testFastTLSStore): |
| (doubleEq): |
| (doubleNeq): |
| (doubleGt): |
| (doubleGte): |
| (doubleLt): |
| (doubleLte): |
| (testDoubleLiteralComparison): |
| (testFloatEqualOrUnorderedFolding): |
| (testFloatEqualOrUnorderedFoldingNaN): |
| (testFloatEqualOrUnorderedDontFold): |
| (functionNineArgs): |
| (testShuffleDoesntTrashCalleeSaves): |
| (testDemotePatchpointTerminal): |
| (testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead): |
| (testInfiniteLoopDoesntCauseBadHoisting): |
| * b3/testb3_8.cpp: Added. |
| (testAtomicWeakCAS): |
| (testAtomicStrongCAS): |
| (testAtomicXchg): |
| (addAtomicTests): |
| (testLoad): |
| (addLoadTests): |
| |
| 2019-07-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Emit write barrier after storing instead of before storing |
| https://bugs.webkit.org/show_bug.cgi?id=200193 |
| |
| Reviewed by Saam Barati. |
| |
| I reviewed tricky GC-related code including visitChildren and manual writeBarrier, and I found that we have several problems with write-barriers. |
| |
| 1. Some write-barriers are emitted before stores happen |
| |
| Some code like LazyProperty emits write-barrier before we store the value. This is wrong since JSC has concurrent collector. Let's consider the situation like this. |
| |
| 1. Cell "A" is not marked yet |
| 2. Write-barrier is emitted onto "A" |
| 3. Concurrent collector scans "A" |
| 4. Store to "A"'s field happens |
| 5. (4)'s field is not rescaned |
| |
| We should emit write-barrier after stores. This patch places write-barriers after stores happen. |
| |
| 2. Should emit write-barrier after the stored fields are reachable from the owner. |
| |
| We have code that is logically the same to the following. |
| |
| ``` |
| auto data = std::make_unique<XXX>(); |
| data->m_field.set(vm, owner, value); |
| |
| storeStoreBarrier(); |
| owner->m_data = WTFMove(data); |
| ``` |
| |
| This is not correct. When write-barrier is emitted, the owner cannot reach to the field that is stored. |
| The actual example is AccessCase. We are emitting write-barriers with owner when creating AccessCase, but this is not |
| effective until this AccessCase is chained to StructureStubInfo, which is reachable from CodeBlock. |
| |
| I don't think this is actually an issue because currently AccessCase generation is guarded by CodeBlock->m_lock. And CodeBlock::visitChildren takes this lock. |
| But emitting a write-barrier at the right place is still better. This patch places write-barriers when StructureStubInfo::addAccessCase is called. |
| |
| Speculative GC fix, it was hard to reproduce the crash since we need to control concurrent collector and main thread's scheduling in an instruction-level. |
| |
| * bytecode/BytecodeList.rb: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::addAccessCase): |
| * bytecode/StructureStubInfo.h: |
| (JSC::StructureStubInfo::considerCaching): |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): |
| * jit/JITOperations.cpp: |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| (JSC::LLInt::setupGetByIdPrototypeCache): |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/LazyPropertyInlines.h: |
| (JSC::ElementType>::setMayBeNull): |
| * runtime/RegExpCachedResult.h: |
| (JSC::RegExpCachedResult::record): |
| |
| 2019-07-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make StructureChain less-tricky by using Auxiliary Buffer |
| https://bugs.webkit.org/show_bug.cgi?id=200192 |
| |
| Reviewed by Saam Barati. |
| |
| StructureChain has a bit tricky write barrier / mutator fence to use UniqueArray for its underlying storage. |
| But, since the size of StructureChain is fixed at initialization, we should allocate an underlying storage from auxiliary memory and |
| set it in its constructor instead of finishCreation. We can store values in the finishCreation so that we do not need to have |
| a hacky write-barrier and mutator fence. Furthermore, we can make StructureChain non-destructible. |
| |
| This patch leverages auxiliary buffer for the implementation of StructureChain. And it also adds a test that stresses StructureChain creation. |
| |
| * runtime/StructureChain.cpp: |
| (JSC::StructureChain::StructureChain): |
| (JSC::StructureChain::create): |
| (JSC::StructureChain::finishCreation): |
| (JSC::StructureChain::visitChildren): |
| (JSC::StructureChain::destroy): Deleted. |
| * runtime/StructureChain.h: |
| |
| 2019-07-29 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Increment bytecode age only when SlotVisitor is first-visit |
| https://bugs.webkit.org/show_bug.cgi?id=200196 |
| |
| Reviewed by Robin Morisset. |
| |
| WriteBarrier can cause multiple visits for the same UnlinkedCodeBlock. But this does not mean that we are having multiple cycles of GC. |
| We should increment the age of the UnlinkedCodeBlock only when the SlotVisitor is saying that this is the first visit. |
| |
| In practice,this almost never happens. Multiple visits can happen only when the marked UnlinkedCodeBlock gets a write-barrier. But, mutation |
| of UnlinkedCodeBlock is rare or none after it is initialized. I ran all the JSTests and I cannot find any tests that get re-visiting of UnlinkedCodeBlock. |
| This patch extends JSTests/stress/reparsing-unlinked-codeblock.js to ensure that UnlinkedCodeBlockJettisoning feature is working after this change. |
| |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::visitChildren): |
| * heap/SlotVisitor.h: |
| (JSC::SlotVisitor::isFirstVisit const): |
| * parser/Parser.cpp: |
| * parser/Parser.h: |
| (JSC::parse): |
| (JSC::parseFunctionForFunctionConstructor): |
| * runtime/Options.h: |
| * tools/JSDollarVM.cpp: |
| (JSC::functionParseCount): |
| (JSC::JSDollarVM::finishCreation): |
| |
| 2019-07-28 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r247886. |
| https://bugs.webkit.org/show_bug.cgi?id=200214 |
| |
| "Causes PLT5 regression on some machines" (Requested by mlam|a |
| on #webkit). |
| |
| Reverted changeset: |
| |
| "Add crash diagnostics for debugging unexpected zapped cells." |
| https://bugs.webkit.org/show_bug.cgi?id=200149 |
| https://trac.webkit.org/changeset/247886 |
| |
| 2019-07-27 Justin Michaud <justin_michaud@apple.com> |
| |
| [X86] Emit BT instruction for shift + mask in B3 |
| https://bugs.webkit.org/show_bug.cgi?id=199891 |
| |
| Reviewed by Keith Miller. |
| |
| - Add a new BranchTestBit air opcode, matching the intel bt instruction |
| - Select this instruction for the following patterns: |
| if (a & (1<<b)) |
| if ((a>>b)&1) |
| if ((~a>>b)&1) |
| if (~a & (1<<b)) |
| - 15% perf progression on the nonconstant microbenchmark, neutral otherwise. |
| - Note: we cannot fuse loads when we have bitBase=Load, bitOffset=Tmp, since the X86 instruction has |
| different behaviour in this mode. It will read past the current dword/qword instead of wrapping around. |
| |
| * assembler/MacroAssemblerX86Common.h: |
| (JSC::MacroAssemblerX86Common::branchTestBit32): |
| * assembler/MacroAssemblerX86_64.h: |
| (JSC::MacroAssemblerX86_64::branchTestBit64): |
| * assembler/X86Assembler.h: |
| (JSC::X86Assembler::bt_ir): |
| (JSC::X86Assembler::bt_im): |
| (JSC::X86Assembler::btw_ir): |
| (JSC::X86Assembler::btw_im): |
| * assembler/testmasm.cpp: |
| (JSC::int64Operands): |
| (JSC::testBranchTestBit32RegReg): |
| (JSC::testBranchTestBit32RegImm): |
| (JSC::testBranchTestBit32AddrImm): |
| (JSC::testBranchTestBit64RegReg): |
| (JSC::testBranchTestBit64RegImm): |
| (JSC::testBranchTestBit64AddrImm): |
| (JSC::run): |
| * b3/B3LowerToAir.cpp: |
| * b3/air/AirOpcode.opcodes: |
| * b3/testb3.cpp: |
| (JSC::B3::testBranchBitTest32TmpImm): |
| (JSC::B3::testBranchBitTest32AddrImm): |
| (JSC::B3::testBranchBitTest32TmpTmp): |
| (JSC::B3::testBranchBitTest64TmpTmp): |
| (JSC::B3::testBranchBitTest64AddrTmp): |
| (JSC::B3::run): |
| |
| 2019-07-26 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Potential GC fix for JSPropertyNameEnumerator |
| https://bugs.webkit.org/show_bug.cgi?id=200151 |
| |
| Reviewed by Mark Lam. |
| |
| We have been seeing some JSPropertyNameEnumerator::visitChildren crashes for a long time. The crash frequency itself is not high, but it has existed for a long time. |
| The crash happens when visiting m_propertyNames. It is also possible that this crash is caused by random corruption somewhere, but JSPropertyNameEnumerator |
| has some tricky (and potentially dangerous) implementations anyway. |
| |
| 1. JSPropertyNameEnumerator have Vector<WriteBarrier<JSString>> and it is extended in finishCreation with a lock. |
| We should use Auxiliary memory for this use case. And we should set this memory in the constructor so that |
| we do not extend it in finishCreation, and we do not need a lock. |
| 2. JSPropertyNameEnumerator gets StructureID before allocating JSPropertyNameEnumerator. This is potentially dangerous because the conservative scan |
| cannot find the Structure* since we could only have StructureID. Since allocation code happens after StructureID is retrieved, it is possible that |
| the allocation causes GC and Structure* is collected. |
| |
| In this patch, we align JSPropertyNameEnumerator implementation to the modern one to avoid using Vector<WriteBarrier<JSString>>. And we can make JSPropertyNameEnumerator |
| a non-destructible cell. Since JSCell's destructor is one of the cause of various issues, we should avoid it if we can. |
| |
| No behavior change. This patch adds a test stressing JSPropertyNameEnumerator. |
| |
| * dfg/DFGOperations.cpp: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/JSPropertyNameEnumerator.cpp: |
| (JSC::JSPropertyNameEnumerator::create): |
| (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator): |
| (JSC::JSPropertyNameEnumerator::finishCreation): |
| (JSC::JSPropertyNameEnumerator::visitChildren): |
| (JSC::JSPropertyNameEnumerator::destroy): Deleted. |
| * runtime/JSPropertyNameEnumerator.h: |
| * runtime/VM.cpp: |
| (JSC::VM::emptyPropertyNameEnumeratorSlow): |
| * runtime/VM.h: |
| (JSC::VM::emptyPropertyNameEnumerator): |
| |
| 2019-07-26 Mark Lam <mark.lam@apple.com> |
| |
| Add crash diagnostics for debugging unexpected zapped cells. |
| https://bugs.webkit.org/show_bug.cgi?id=200149 |
| <rdar://problem/53570112> |
| |
| Reviewed by Yusuke Suzuki, Saam Barati, and Michael Saboff. |
| |
| Add a check for zapped cells in SlotVisitor::appendToMarkStack() and |
| SlotVisitor::visitChildren(). If a zapped cell is detected, we will crash with |
| some diagnostic info. |
| |
| To facilitate this, we've made the following changes: |
| 1. Changed FreeCell to preserve the 1st 8 bytes. This is fine to do because all |
| cells are at least 16 bytes long. |
| 2. Changed HeapCell::zap() to only zap the structureID. Leave the rest of the |
| cell header info intact (including the cell JSType). |
| 3. Changed HeapCell::zap() to record the reason for zapping the cell. We stash |
| the reason immediately after the first 8 bytes. This is the same location as |
| FreeCell::scrambledNext. However, since a cell is not expected to be zapped |
| and on the free list at the same time, it is also fine to do this. |
| 4. Added a few utility functions to MarkedBlock for checking if a cell points |
| into the block. |
| 5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes. |
| 6. Added some comments to document the hashes of known subspaces. |
| |
| * heap/FreeList.h: |
| (JSC::FreeCell::offsetOfScrambledNext): |
| * heap/HeapCell.h: |
| (JSC::HeapCell::zap): |
| (JSC::HeapCell::isZapped const): |
| * heap/MarkedBlock.cpp: |
| (JSC::MarkedBlock::Handle::stopAllocating): |
| * heap/MarkedBlock.h: |
| (JSC::MarkedBlock::Handle::start const): |
| (JSC::MarkedBlock::Handle::end const): |
| (JSC::MarkedBlock::Handle::contains const): |
| * heap/MarkedBlockInlines.h: |
| (JSC::MarkedBlock::Handle::specializedSweep): |
| * heap/MarkedSpace.h: |
| (JSC::MarkedSpace::forEachSubspace): |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::appendToMarkStack): |
| (JSC::SlotVisitor::visitChildren): |
| (JSC::SlotVisitor::reportZappedCellAndCrash): |
| * heap/SlotVisitor.h: |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * tools/JSDollarVM.cpp: |
| (JSC::functionDumpSubspaceHashes): |
| (JSC::JSDollarVM::finishCreation): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::dumpSubspaceHashes): |
| * tools/VMInspector.h: |
| |
| 2019-07-25 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use unalignedLoad for JSRopeString fiber accesses |
| https://bugs.webkit.org/show_bug.cgi?id=200148 |
| |
| Reviewed by Mark Lam. |
| |
| JSRopeString always have some subsequent bytes that can be accessible because MarkedBlock has Footer. |
| We use WTF::unalignedLoad to get fibers. And it will be converted to one load CPU instruction. |
| |
| * heap/MarkedBlock.h: |
| * runtime/JSString.h: |
| |
| 2019-07-25 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Legacy numeric literals should not permit separators or BigInt |
| https://bugs.webkit.org/show_bug.cgi?id=199984 |
| |
| Reviewed by Keith Miller. |
| |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::parseOctal): |
| (JSC::Lexer<T>::parseDecimal): |
| |
| 2019-07-25 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, build fix due to C++17's std::invoke_result_t |
| https://bugs.webkit.org/show_bug.cgi?id=200139 |
| |
| Use std::result_of for now until all the supported environments implement it. |
| |
| * heap/IsoSubspace.h: |
| |
| 2019-07-25 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Ensure PackedCellPtr only takes non-large-allocation pointers |
| https://bugs.webkit.org/show_bug.cgi?id=200139 |
| |
| Reviewed by Mark Lam. |
| |
| PackedCellPtr will compact a pointer by leveraging the fact that JSCell pointers are 16byte aligned. |
| But this fact only holds when the JSCell is not large allocation. Currently, we are using PackedCellPtr |
| only for the cell types which meets the above requirement. But we would like to ensure that statically. |
| |
| In this patch, we add additional static/runtime assertions to ensure this invariant. We accept a cell |
| type of either (1) it is "final" annotated and sizeof(T) is <= MarkedSpace::largeCutoff or (2) it |
| is allocated from IsoSubspace. |
| |
| This patch does not change any behaviors. It just adds extra static/runtime assertions. |
| |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::subspaceFor): |
| * bytecode/CodeBlockJettisoningWatchpoint.h: |
| * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: |
| * dfg/DFGAdaptiveStructureWatchpoint.h: |
| * heap/IsoSubspace.h: |
| * heap/PackedCellPtr.h: |
| (JSC::PackedCellPtr::PackedCellPtr): |
| * runtime/FunctionRareData.h: |
| (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): |
| * runtime/ObjectToStringAdaptiveStructureWatchpoint.h: |
| |
| 2019-07-25 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make visitChildren implementation more idiomatic |
| https://bugs.webkit.org/show_bug.cgi?id=200121 |
| |
| Reviewed by Mark Lam. |
| |
| This patch makes visitChildren implementations more idiomatic: cast, assert, and calling Base::visitChildren. |
| While this does not find interesting issues, it is still nice to have consistent implementations. |
| StructureChain::visitChildren missed Base::visitChildren, but it does not have much effect since StructureChain |
| is immortal cell. |
| |
| * bytecode/ExecutableToCodeBlockEdge.cpp: |
| (JSC::ExecutableToCodeBlockEdge::visitChildren): |
| * runtime/AbstractModuleRecord.cpp: |
| (JSC::AbstractModuleRecord::visitChildren): |
| * runtime/FunctionRareData.cpp: |
| (JSC::FunctionRareData::visitChildren): |
| * runtime/JSArrayBufferView.cpp: |
| (JSC::JSArrayBufferView::visitChildren): |
| * runtime/JSGenericTypedArrayViewInlines.h: |
| (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): |
| * runtime/JSImmutableButterfly.cpp: |
| (JSC::JSImmutableButterfly::visitChildren): |
| * runtime/JSModuleEnvironment.cpp: |
| (JSC::JSModuleEnvironment::visitChildren): |
| * runtime/JSModuleRecord.cpp: |
| (JSC::JSModuleRecord::visitChildren): |
| * runtime/JSPropertyNameEnumerator.cpp: |
| (JSC::JSPropertyNameEnumerator::visitChildren): |
| * runtime/JSString.cpp: |
| (JSC::JSString::visitChildren): |
| * runtime/SparseArrayValueMap.cpp: |
| (JSC::SparseArrayValueMap::visitChildren): |
| * runtime/StructureChain.cpp: |
| (JSC::StructureChain::visitChildren): |
| * runtime/SymbolTable.cpp: |
| (JSC::SymbolTable::visitChildren): |
| * tools/JSDollarVM.cpp: |
| (JSC::Root::visitChildren): |
| (JSC::ImpureGetter::visitChildren): |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::visitChildren): |
| |
| 2019-07-25 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [ESNext] Implement nullish coalescing |
| https://bugs.webkit.org/show_bug.cgi?id=200072 |
| |
| Reviewed by Darin Adler. |
| |
| Implement the nullish coalescing proposal, which has now reached Stage 3 at TC39. |
| |
| This introduces a ?? operator which: |
| - acts like || but checks for nullishness instead of truthiness |
| - has a precedence lower than || (or any other binary operator) |
| - must be disambiguated with parentheses when combined with || or && |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::CoalesceNode::emitBytecode): Added. |
| Bytecode must use OpIsUndefinedOrNull and not OpNeqNull because of document.all. |
| |
| * parser/ASTBuilder.h: |
| (JSC::ASTBuilder::makeBinaryNode): |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::lexWithoutClearingLineTerminator): |
| * parser/NodeConstructors.h: |
| (JSC::CoalesceNode::CoalesceNode): Added. |
| * parser/Nodes.h: |
| Introduce new token and AST node. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseBinaryExpression): |
| Implement early error. |
| |
| * parser/ParserTokens.h: |
| Since this patch needs to shift the value of every binary operator token anyway, |
| let's only bother to increment their LSBs when we actually have a precedence conflict. |
| |
| * parser/ResultType.h: |
| (JSC::ResultType::definitelyIsNull const): Added. |
| (JSC::ResultType::mightBeUndefinedOrNull const): Added. |
| (JSC::ResultType::forCoalesce): Added. |
| We can do better than forLogicalOp here; let's be as accurate as possible. |
| |
| * runtime/Options.h: |
| Add runtime feature flag. |
| |
| 2019-07-24 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Three checks are missing in Proxy internal methods |
| https://bugs.webkit.org/show_bug.cgi?id=198630 |
| |
| Reviewed by Darin Adler. |
| |
| Add three missing checks in Proxy internal methods. |
| These checks are necessary to maintain the invariants of the essential internal methods. |
| (https://github.com/tc39/ecma262/pull/666) |
| |
| 1. [[GetOwnProperty]] shouldn't return non-configurable and non-writable descriptor when the target's property is writable. |
| 2. [[Delete]] should return `false` when the target has property and is not extensible. |
| 3. [[DefineOwnProperty]] should return `true` for a non-writable input descriptor when the target's property is non-configurable and writable. |
| |
| Shipping in SpiderMonkey since https://hg.mozilla.org/integration/autoland/rev/3a06bc818bc4 (version 69) |
| Shipping in V8 since https://chromium.googlesource.com/v8/v8.git/+/e846ad9fa5109428be50b1989314e0e4e7267919 |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::performInternalMethodGetOwnProperty): Add writability check. |
| (JSC::ProxyObject::performDelete): Add extensibility check. |
| (JSC::ProxyObject::performDefineOwnProperty): Add writability check. |
| |
| 2019-07-24 Mark Lam <mark.lam@apple.com> |
| |
| Remove some unused code. |
| https://bugs.webkit.org/show_bug.cgi?id=200101 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * heap/MarkedBlock.cpp: |
| (JSC::MarkedBlock::Handle::zap): Deleted. |
| * heap/MarkedBlock.h: |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::appendToMutatorMarkStack): Deleted. |
| * heap/SlotVisitor.h: |
| |
| 2019-07-24 Mark Lam <mark.lam@apple.com> |
| |
| performJITMemcpy should be PACed with a non-zero diversifier when passed and called via a pointer. |
| https://bugs.webkit.org/show_bug.cgi?id=200100 |
| <rdar://problem/53474939> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * assembler/ARM64Assembler.h: |
| (JSC::ARM64Assembler::CopyFunction::CopyFunction): |
| (JSC::ARM64Assembler::CopyFunction::operator()): |
| - I choose to use ptrauth_auth_function() here instead of retagCodePtr() because |
| retagCodePtr() would auth, assert, and re-pac the pointer. This is needed in |
| general because retagCodePtr() doesn't know that you will consume the pointer |
| immediately (and therefore crash imminently if a failed auth is encountered). |
| Since we know here that we will call with the auth'ed pointer immediately, we |
| can skip the assert. |
| |
| This also has the benefit of letting Clang do a peephole optimization to emit |
| a blrab instruction with the intended diversifier, instead of emitting multiple |
| instructions to auth the pointer into a C function, and then using a blraaz to |
| do a C function call. |
| |
| (JSC::ARM64Assembler::linkJumpOrCall): |
| (JSC::ARM64Assembler::linkCompareAndBranch): |
| (JSC::ARM64Assembler::linkConditionalBranch): |
| (JSC::ARM64Assembler::linkTestAndBranch): |
| * assembler/LinkBuffer.cpp: |
| (JSC::LinkBuffer::copyCompactAndLinkCode): |
| * runtime/JSCPtrTag.h: |
| |
| 2019-07-24 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: print the target of `console.screenshot` last so the target is the closest item to the image |
| https://bugs.webkit.org/show_bug.cgi?id=199308 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/ConsoleMessage.h: |
| (Inspector::ConsoleMessage::arguments const): |
| |
| * inspector/ScriptArguments.h: |
| * inspector/ScriptArguments.cpp: |
| (Inspector::ScriptArguments::getFirstArgumentAsString const): Added. |
| (Inspector::ScriptArguments::getFirstArgumentAsString): Deleted. |
| |
| 2019-07-23 Justin Michaud <justin_michaud@apple.com> |
| |
| Sometimes we miss removable CheckInBounds |
| https://bugs.webkit.org/show_bug.cgi?id=200018 |
| |
| Reviewed by Saam Barati. |
| |
| We failed to remove the CheckInBounds bounds because we did not see that the index was nonnegative. This is because we do not see the relationship between the two |
| separate zero constants that appear in the IR for the given test case. This patch re-adds the hack to de-duplicate m_zero that was removed in |
| <https://trac.webkit.org/changeset/241228/webkit>. |
| |
| * dfg/DFGIntegerRangeOptimizationPhase.cpp: |
| |
| 2019-07-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [bmalloc] Each IsoPage gets 1MB VA because VMHeap::tryAllocateLargeChunk rounds up |
| https://bugs.webkit.org/show_bug.cgi?id=200024 |
| |
| Reviewed by Saam Barati. |
| |
| Discussed and we decided to use this VM tag for IsoHeap instead of CLoop stack. |
| |
| * interpreter/CLoopStack.cpp: |
| (JSC::CLoopStack::CLoopStack): |
| |
| 2019-07-22 Saam Barati <sbarati@apple.com> |
| |
| Turn off Wasm fast memory on iOS |
| https://bugs.webkit.org/show_bug.cgi?id=200016 |
| <rdar://problem/53417726> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We turned them on when we disabled Gigacage on iOS. However, we re-enabled |
| Gigacage on iOS, but forgot to turn wasm fast memories back off. |
| |
| * runtime/Options.h: |
| |
| 2019-07-22 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Unreviewed non-unified build fix. |
| |
| * runtime/CachedTypes.h: |
| |
| 2019-07-20 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make DFG Local CSE and AI conservative for huge basic block |
| https://bugs.webkit.org/show_bug.cgi?id=199929 |
| <rdar://problem/49309924> |
| |
| Reviewed by Filip Pizlo. |
| |
| In CNN page, the main thread hangs several seconds. On less-powerful devices (like iPhone7), it hangs for ~11 seconds. This is not an acceptable behavior. |
| The reason of this is that the DFG compiler takes too long time in the compilation for a particular function. It takes 8765 ms even in powerful x64 machine! |
| DFG compiler is concurrent one. However, when GC requires all the peripheral threads to be stopped, the main thread needs to wait for the DFG compiler's stop. |
| DFG compiler stops at GC safepoints, and they are inserted between DFG phases. So, if some of DFG phases take very long time, the main thread is blocked during that. |
| As a result, the main thread is blocked due to this pathological compilation. |
| |
| By measuring the time taken in each DFG phase, we found that our AI and CSE phase have a problem having quadratic complexity for # of DFG nodes in a basic block. |
| In this patch, we add a threshold for # of DFG nodes in a basic block. If a basic block exceeds this threshold, we use conservative but O(1) algorithm for AI and Local CSE phase. |
| We did not add this threshold for Global CSE since FTL has another bytecode cost threshold which prevents us from compiling the large functions. But on the other hand, |
| DFG should compile them because DFG is intended to be a fast compiler even for a bit larger CodeBlock. |
| |
| We first attempted to reduce the threshold for DFG compilation. We are using 100000 bytecode cost for DFG compilation and it is very large. However, we found that bytecode cost |
| is not the problem in CNN page. The problematic function has 67904 cost, and it takes 8765 ms in x64 machine. However, JetStream2/octane-zlib has 61949 function and it only takes |
| ~400 ms. This difference comes from the # of DFG nodes in a basic block. The problematic function has 43297 DFG nodes in one basic block and it makes AI and Local CSE super time-consuming. |
| Rather than relying on the bytecode cost which a bit indirectly related to this pathological compile-time, we should look into # of DFG nodes in a basic block which is more directly |
| related to this problem. And we also found that 61949's Octane-zlib function is very critical for performance. This fact makes a bit hard to pick a right threshold: 67904 causes the problem, |
| and 61949 must be compiled. This is why this patch is introducing conservative analysis instead of adjusting the threshold for DFG. |
| |
| This patch has two changes. |
| |
| 1. DFG AI has structure transition tracking which has quadratic complexity |
| |
| Structure transition tracking takes very long time since its complexity is O(N^2) where N is # of DFG nodes in a basic block. |
| CNN has very pathological script and it shows 43297 DFG nodes. We should reduce the complexity of this algorithm. |
| For now, we just say "structures are clobbered" if # of DFG nodes in a basic block exceeds the threshold (20000). |
| We could improve the current algorithm from O(N^2) to O(2N) without being conservative, and I'm tracking this in [1]. |
| |
| 2. DFG Local CSE has quadratic complexity |
| |
| Local CSE's clobbering iterates all the impure heap values to remove the clobbered one. Since # of impure heap values tend to be proportional to # of DFG nodes we visited, |
| each CSE for a basic block gets O(N^2) complexity. To avoid this, we introduce HugeMap. This has the same interface to LargeMap and SmallMap in CSE, but its clobbering |
| implementation just clears the map completely. We can further make this O(N) without introducing conservative behavior by using epochs. For now, we do not see such a huge basic block in |
| JetStream2 and Speedometer2 so I'll track it in a separate bug[2]. |
| |
| This patch reduces the compilation time from ~11 seconds to ~200 ms. |
| |
| [1]: https://bugs.webkit.org/show_bug.cgi?id=199959 |
| [2]: https://bugs.webkit.org/show_bug.cgi?id=200014 |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition): |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions): |
| * dfg/DFGCSEPhase.cpp: |
| * runtime/Options.h: |
| |
| 2019-07-22 Zhifei Fang <zhifei_fang@apple.com> |
| |
| Need to skip test cache directory data vault for non internal build |
| https://bugs.webkit.org/show_bug.cgi?id=199951 |
| |
| Reviewed by Alexey Proskuryakov. |
| |
| * API/tests/testapi.mm: |
| (testBytecodeCacheValidation): "Cache directory `/private/tmp` is not a data vault" this error message will only be created for internal build see JSScript.mm:97 |
| |
| 2019-07-17 Antoine Quint <graouts@apple.com> |
| |
| Disable Pointer Events prior to watchOS 6 |
| https://bugs.webkit.org/show_bug.cgi?id=199890 |
| <rdar://problem/53206113> |
| |
| Reviewed by Dean Jackson. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-07-17 Keith Miller <keith_miller@apple.com> |
| |
| Force useLLInt to true on arm64_32 |
| https://bugs.webkit.org/show_bug.cgi?id=199882 |
| <rdar://problem/53207586> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Some jsc tests set useLLInt=false but on arm64_32 we don't support the JIT. |
| This causes the option coherency checker to get angry. We should force |
| useLLInt=true on arm64_32 unless useJIT=true. |
| |
| * runtime/Options.cpp: |
| (JSC::recomputeDependentOptions): |
| |
| 2019-07-17 Christopher Reid <chris.reid@sony.com> |
| |
| Bytecode cache should use FileSystem |
| https://bugs.webkit.org/show_bug.cgi?id=199759 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Update bytecode cache to use platform generic FileSystem calls. |
| |
| * API/JSScript.mm: |
| * CMakeLists.txt: |
| * jsc.cpp: |
| * runtime/CachePayload.cpp: |
| * runtime/CachePayload.h: |
| * runtime/CachedBytecode.h: |
| * runtime/CachedTypes.cpp: |
| * runtime/CachedTypes.h: |
| * runtime/CodeCache.cpp: |
| * runtime/CodeCache.h: |
| * runtime/Completion.cpp: |
| * runtime/Completion.h: |
| |
| 2019-07-17 Mark Lam <mark.lam@apple.com> |
| |
| ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds. |
| https://bugs.webkit.org/show_bug.cgi?id=199821 |
| <rdar://problem/52452328> |
| |
| Reviewed by Filip Pizlo. |
| |
| Excluding the ArgumentsEliminationPhase, PutStack nodes are converted from SetLocal |
| nodes in the SSAConversionPhase. SetLocal nodes are always preceded by MovHint nodes, |
| and the SSAConversionPhase always inserts a KillStack node before a MovHint node. |
| Hence, a PutStack node is always preceded by a KillStack node. |
| |
| However, the ArgumentsEliminationPhase can convert LoadVarargs nodes into a series |
| of one or more PutStacks nodes, and it prepends MovHint nodes before the PutStack |
| nodes. However, it neglects to prepend KillStack nodes as well. Since the |
| ArgumentsEliminationPhase runs after the SSAConversionPhase, the PutStack nodes |
| added during ArgumentsElimination will not be preceded by KillStack nodes. |
| |
| This patch fixes this by inserting a KillStack in the ArgumentsEliminationPhase |
| before it inserts a MovHint and a PutStack node. |
| |
| Consider this test case which can manifest the above issue as a crash: |
| |
| function inlinee(value) { |
| ... |
| let tmp = value + 1; |
| } |
| |
| function reflect() { |
| return inlinee.apply(undefined, arguments); |
| } |
| |
| function test(arr) { |
| let object = inlinee.apply(undefined, arr); // Uses a lot of SetArgumentMaybe nodes. |
| reflect(); // Calls with a LoadVararg, which gets converted into a PutStack of a constant. |
| } |
| |
| In this test case, we have a scenario where a SetArgumentMaybe's stack |
| slot is reused as the stack slot for a PutStack later. Here, the PutStack will |
| put a constant undefined value. Coincidentally, the SetArgumentMaybe may also |
| initialize that stack slot to a constant undefined value. Note that by the time |
| the PutStack executes, the SetArgumentMaybe's stack slot is dead. The liveness of |
| these 2 values are distinct. |
| |
| However, because we were missing a KillStack before the PutStack, OSR availability |
| analysis gets misled into thinking that the PutStack constant value is still in the |
| stack slot because the value left there by the SetArgumentMaybe hasn't been killed |
| off yet. As a result, OSR exit code will attempt to recover the PutStack's undefined |
| constant by loading from the stack slot instead of materializing it. Since |
| SetArgumentMaybe may not actually initialize the stack slot, we get a crash in OSR |
| exit when we try to recover the PutStack constant value from the stack slot, and |
| end up using what ever junk value we read from there. |
| |
| Fixing the ArgumentsEliminationPhase to insert KillStack before the PutStack |
| removes this conflation of the PutStack's constant value with the SetArgumentMaybe's |
| constant value in the same stack slot. And, OSR availability analysis will no |
| longer be misled to load the PutStack's constant value from the stack, but will |
| materialize the constant instead. |
| |
| * dfg/DFGArgumentsEliminationPhase.cpp: |
| |
| 2019-07-17 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r247505. |
| https://bugs.webkit.org/show_bug.cgi?id=199871 |
| |
| "Caused failed ASSERT in stress test" (Requested by creid on |
| #webkit). |
| |
| Reverted changeset: |
| |
| "Bytecode cache should use FileSystem" |
| https://bugs.webkit.org/show_bug.cgi?id=199759 |
| https://trac.webkit.org/changeset/247505 |
| |
| 2019-07-16 Christopher Reid <chris.reid@sony.com> |
| |
| Bytecode cache should use FileSystem |
| https://bugs.webkit.org/show_bug.cgi?id=199759 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Update bytecode cache to use platform generic FileSystem calls. |
| |
| * API/JSScript.mm: |
| * CMakeLists.txt: |
| * jsc.cpp: |
| * runtime/CachePayload.cpp: |
| * runtime/CachePayload.h: |
| * runtime/CachedBytecode.h: |
| * runtime/CachedTypes.cpp: |
| * runtime/CachedTypes.h: |
| * runtime/CodeCache.cpp: |
| * runtime/CodeCache.h: |
| * runtime/Completion.cpp: |
| * runtime/Completion.h: |
| |
| 2019-07-16 Joonghun Park <pjh0718@gmail.com> |
| |
| [GTK] Fix a build warning in JavaScriptCore/API/tests/testapi.c |
| https://bugs.webkit.org/show_bug.cgi?id=199824 |
| |
| Reviewed by Alex Christensen. |
| |
| * API/tests/testapi.c: |
| (main): |
| |
| 2019-07-15 Keith Miller <keith_miller@apple.com> |
| |
| JSGlobalObject type macros should support feature flags and WeakRef should have one |
| https://bugs.webkit.org/show_bug.cgi?id=199601 |
| |
| Reviewed by Mark Lam. |
| |
| This patch refactors the various builtin type macros to have a |
| parameter, which is the feature flag enabling it. Since most |
| builtin types are enabled by default this patch adds a new global |
| bool typeExposedByDefault for clarity. Note, because static hash |
| tables have no concept of feature flags we can't use feature flags |
| with lazy properties. This is probably not a big deal as features |
| that are off by default won't be allocated anywhere we care about |
| memory usage anyway. |
| |
| * runtime/CommonIdentifiers.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::stringObjectStructure const): |
| (JSC::JSGlobalObject::bigIntObjectStructure const): Deleted. |
| * runtime/Options.h: |
| * wasm/js/JSWebAssembly.cpp: |
| |
| 2019-07-15 Keith Miller <keith_miller@apple.com> |
| |
| A Possible Issue of Object.create method |
| https://bugs.webkit.org/show_bug.cgi?id=199744 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We should call toObject on the properties argument if it was not undefined. |
| See: https://tc39.es/ecma262/#sec-object.create |
| |
| * runtime/ObjectConstructor.cpp: |
| (JSC::objectConstructorCreate): |
| |
| 2019-07-15 Saagar Jha <saagarjha@apple.com> |
| |
| Keyword lookup can use memcmp to get around unaligned load undefined behavior |
| https://bugs.webkit.org/show_bug.cgi?id=199650 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Replace KeywordLookup's hand-rolled "memcmp" with the standard version, which reduces the need to deal with |
| endianness and unaligned loads. |
| |
| * KeywordLookupGenerator.py: |
| (Trie.printSubTreeAsC): Use memcmp instead of macros to test for matches. |
| (Trie.printAsC): Unspecialize Lexer::parseKeyword as templating over the character type reduces the amount of |
| code we need to generate and moves this task out of the Python script and into the C++ compiler. |
| |
| 2019-07-15 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Improve wasm wpt test results by fixing miscellaneous issues |
| https://bugs.webkit.org/show_bug.cgi?id=199783 |
| |
| Reviewed by Mark Lam. |
| |
| This patch fixes miscellaneous issues in our Wasm JS API implementation to improve WPT score. |
| I picked trivial ones in this patch to make this easily reviewable. |
| |
| 1. Remove WebAssemblyPrototype. It does not exist in the spec. Merging WebAssemblyPrototype into JSWebAssembly. |
| 2. Fix various attributes. It does not match to the usual JSC builtin's convention. But this change |
| is correct because they are changed to be matched against WebIDL definition, and WebAssembly implementation |
| follows WebIDL. In the future, we could move WebCore WebIDL things into WTF layer and even use (or leverage |
| some of utility functions) in our WebAssembly JS API implementation. |
| 3. Fix how we interpret "present" in WebAssembly spec. This does not mean [[HasProperty]] result. It follows to |
| WebIDL spec, and it means that [[Get]] result is not undefined. |
| 4. Add argument count check to Module.customSections, which is required because the method is defined in WebIDL. |
| 5. Fix toNonWrappingUint32 to match it to WebIDL's conversion rule. |
| |
| * CMakeLists.txt: |
| * DerivedSources-input.xcfilelist: |
| * DerivedSources-output.xcfilelist: |
| * DerivedSources.make: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * builtins/WebAssembly.js: Renamed from Source/JavaScriptCore/builtins/WebAssemblyPrototype.js. |
| * jit/Repatch.cpp: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| * runtime/JSModuleLoader.cpp: |
| (JSC::moduleLoaderParseModule): |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::JSWebAssembly::create): |
| (JSC::JSWebAssembly::finishCreation): |
| (JSC::reject): |
| (JSC::webAssemblyModuleValidateAsyncInternal): |
| (JSC::webAssemblyCompileFunc): |
| (JSC::resolve): |
| (JSC::JSWebAssembly::webAssemblyModuleValidateAsync): |
| (JSC::instantiate): |
| (JSC::compileAndInstantiate): |
| (JSC::JSWebAssembly::instantiate): |
| (JSC::webAssemblyModuleInstantinateAsyncInternal): |
| (JSC::JSWebAssembly::webAssemblyModuleInstantinateAsync): |
| (JSC::webAssemblyInstantiateFunc): |
| (JSC::webAssemblyValidateFunc): |
| (JSC::webAssemblyCompileStreamingInternal): |
| (JSC::webAssemblyInstantiateStreamingInternal): |
| * wasm/js/JSWebAssembly.h: |
| * wasm/js/JSWebAssemblyHelpers.h: |
| (JSC::toNonWrappingUint32): |
| * wasm/js/WebAssemblyCompileErrorConstructor.cpp: |
| (JSC::WebAssemblyCompileErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyInstanceConstructor.cpp: |
| (JSC::WebAssemblyInstanceConstructor::finishCreation): |
| * wasm/js/WebAssemblyInstancePrototype.cpp: |
| * wasm/js/WebAssemblyLinkErrorConstructor.cpp: |
| (JSC::WebAssemblyLinkErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyMemoryConstructor.cpp: |
| (JSC::constructJSWebAssemblyMemory): |
| (JSC::WebAssemblyMemoryConstructor::finishCreation): |
| * wasm/js/WebAssemblyMemoryPrototype.cpp: |
| * wasm/js/WebAssemblyModuleConstructor.cpp: |
| (JSC::webAssemblyModuleCustomSections): |
| (JSC::WebAssemblyModuleConstructor::finishCreation): |
| * wasm/js/WebAssemblyPrototype.cpp: Removed. |
| * wasm/js/WebAssemblyPrototype.h: Removed. |
| * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: |
| (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| (JSC::WebAssemblyTableConstructor::finishCreation): |
| * wasm/js/WebAssemblyTablePrototype.cpp: |
| |
| 2019-07-15 Michael Catanzaro <mcatanzaro@igalia.com> |
| |
| Unreviewed, rolling out r247440. |
| |
| Broke builds |
| |
| Reverted changeset: |
| |
| "[JSC] Improve wasm wpt test results by fixing miscellaneous |
| issues" |
| https://bugs.webkit.org/show_bug.cgi?id=199783 |
| https://trac.webkit.org/changeset/247440 |
| |
| 2019-07-15 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Improve wasm wpt test results by fixing miscellaneous issues |
| https://bugs.webkit.org/show_bug.cgi?id=199783 |
| |
| Reviewed by Mark Lam. |
| |
| This patch fixes miscellaneous issues in our Wasm JS API implementation to improve WPT score. |
| I picked trivial ones in this patch to make this easily reviewable. |
| |
| 1. Remove WebAssemblyPrototype. It does not exist in the spec. Merging WebAssemblyPrototype into JSWebAssembly. |
| 2. Fix various attributes. It does not match to the usual JSC builtin's convention. But this change |
| is correct because they are changed to be matched against WebIDL definition, and WebAssembly implementation |
| follows WebIDL. In the future, we could move WebCore WebIDL things into WTF layer and even use (or leverage |
| some of utility functions) in our WebAssembly JS API implementation. |
| 3. Fix how we interpret "present" in WebAssembly spec. This does not mean [[HasProperty]] result. It follows to |
| WebIDL spec, and it means that [[Get]] result is not undefined. |
| 4. Add argument count check to Module.customSections, which is required because the method is defined in WebIDL. |
| 5. Fix toNonWrappingUint32 to match it to WebIDL's conversion rule. |
| |
| * CMakeLists.txt: |
| * DerivedSources-input.xcfilelist: |
| * DerivedSources-output.xcfilelist: |
| * DerivedSources.make: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * builtins/WebAssembly.js: Renamed from Source/JavaScriptCore/builtins/WebAssemblyPrototype.js. |
| * jit/Repatch.cpp: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| * runtime/JSModuleLoader.cpp: |
| (JSC::moduleLoaderParseModule): |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::JSWebAssembly::create): |
| (JSC::JSWebAssembly::finishCreation): |
| (JSC::reject): |
| (JSC::webAssemblyModuleValidateAsyncInternal): |
| (JSC::webAssemblyCompileFunc): |
| (JSC::resolve): |
| (JSC::JSWebAssembly::webAssemblyModuleValidateAsync): |
| (JSC::instantiate): |
| (JSC::compileAndInstantiate): |
| (JSC::JSWebAssembly::instantiate): |
| (JSC::webAssemblyModuleInstantinateAsyncInternal): |
| (JSC::JSWebAssembly::webAssemblyModuleInstantinateAsync): |
| (JSC::webAssemblyInstantiateFunc): |
| (JSC::webAssemblyValidateFunc): |
| (JSC::webAssemblyCompileStreamingInternal): |
| (JSC::webAssemblyInstantiateStreamingInternal): |
| * wasm/js/JSWebAssembly.h: |
| * wasm/js/JSWebAssemblyHelpers.h: |
| (JSC::toNonWrappingUint32): |
| * wasm/js/WebAssemblyCompileErrorConstructor.cpp: |
| (JSC::WebAssemblyCompileErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyInstanceConstructor.cpp: |
| (JSC::WebAssemblyInstanceConstructor::finishCreation): |
| * wasm/js/WebAssemblyInstancePrototype.cpp: |
| * wasm/js/WebAssemblyLinkErrorConstructor.cpp: |
| (JSC::WebAssemblyLinkErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyMemoryConstructor.cpp: |
| (JSC::constructJSWebAssemblyMemory): |
| (JSC::WebAssemblyMemoryConstructor::finishCreation): |
| * wasm/js/WebAssemblyMemoryPrototype.cpp: |
| * wasm/js/WebAssemblyModuleConstructor.cpp: |
| (JSC::webAssemblyModuleCustomSections): |
| (JSC::WebAssemblyModuleConstructor::finishCreation): |
| * wasm/js/WebAssemblyPrototype.cpp: Removed. |
| * wasm/js/WebAssemblyPrototype.h: Removed. |
| * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: |
| (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| (JSC::WebAssemblyTableConstructor::finishCreation): |
| * wasm/js/WebAssemblyTablePrototype.cpp: |
| |
| 2019-07-15 Youenn Fablet <youenn@apple.com> |
| |
| Enable a debug WebRTC mode without any encryption |
| https://bugs.webkit.org/show_bug.cgi?id=199177 |
| <rdar://problem/52074986> |
| |
| Reviewed by Eric Carlson. |
| |
| * inspector/protocol/Page.json: |
| |
| 2019-07-15 Ryan Haddad <ryanhaddad@apple.com> |
| |
| Unreviewed, attempt to fix production builds after r247403. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| |
| 2019-07-15 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Concurrent GC should not rely on current phase to determine if it's safe to steal conn |
| https://bugs.webkit.org/show_bug.cgi?id=199786 |
| <rdar://problem/52505197> |
| |
| Reviewed by Saam Barati. |
| |
| In r246507, we fixed a race condition in the concurrent GC where the mutator might steal |
| the conn from the collector thread while it transitions from the End phase to NotRunning. |
| However, that fix was not sufficient. In the case that the mutator steals the conn, and the |
| execution interleaves long enough for the mutator to progress to a different collection phase, |
| the collector will resume in a phase other than NotRunning, and hence the check added to |
| NotRunning will not suffice. To fix that, we add a new variable to track whether the collector |
| thread is running (m_collectorThreadIsRunning) and use it to determine whether it's safe to |
| steal the conn, rather than relying on m_currentPhase. |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::runNotRunningPhase): |
| (JSC::Heap::requestCollection): |
| * heap/Heap.h: |
| |
| 2019-07-12 Keith Miller <keith_miller@apple.com> |
| |
| Add API to get all the dependencies of a given JSScript |
| https://bugs.webkit.org/show_bug.cgi?id=199746 |
| |
| Reviewed by Saam Barati. |
| |
| The method only returns the dependencies if the module was |
| actually evaluated. Technically, we know what the dependencies are |
| at the satisfy phase but for API simplicity we only provide that |
| information if the module graph was complete enough to at least |
| run. |
| |
| This patch also fixes an issue where we would allow import |
| specifiers that didn't start "./" or "/". For reference, We have |
| this restriction to be consistent with the web/node. The |
| restriction exists in order to preserve namespace for |
| builtin-modules. |
| |
| Lastly, this patch makes it so that we copy all scripts in the |
| API/tests/testapiScripts directory so they don't have to be |
| individually added to the xcode project. |
| |
| * API/JSAPIGlobalObject.mm: |
| (JSC::computeValidImportSpecifier): |
| (JSC::JSAPIGlobalObject::moduleLoaderResolve): |
| (JSC::JSAPIGlobalObject::moduleLoaderImportModule): |
| * API/JSContext.mm: |
| (-[JSContext dependencyIdentifiersForModuleJSScript:]): |
| * API/JSContextPrivate.h: |
| * API/JSScript.h: |
| * API/tests/testapi.mm: |
| (testFetchWithTwoCycle): |
| (testFetchWithThreeCycle): |
| (testModuleBytecodeCache): |
| (+[JSContextFileLoaderDelegate newContext]): |
| (-[JSContextFileLoaderDelegate fetchModuleScript:]): |
| (-[JSContextFileLoaderDelegate findScriptForKey:]): |
| (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]): |
| (testDependenciesArray): |
| (testDependenciesEvaluationError): |
| (testDependenciesSyntaxError): |
| (testDependenciesBadImportId): |
| (testDependenciesMissingImport): |
| (testObjectiveCAPI): |
| * API/tests/testapiScripts/dependencyListTests/badModuleImportId.js: Added. |
| * API/tests/testapiScripts/dependencyListTests/bar.js: Added. |
| * API/tests/testapiScripts/dependencyListTests/dependenciesEntry.js: Added. |
| * API/tests/testapiScripts/dependencyListTests/foo.js: Added. |
| * API/tests/testapiScripts/dependencyListTests/missingImport.js: Added. |
| * API/tests/testapiScripts/dependencyListTests/referenceError.js: Added. |
| * API/tests/testapiScripts/dependencyListTests/syntaxError.js: Added. |
| * API/tests/testapiScripts/testapi-function-overrides.js: Renamed from Source/JavaScriptCore/API/tests/testapi-function-overrides.js. |
| * API/tests/testapiScripts/testapi.js: Renamed from Source/JavaScriptCore/API/tests/testapi.js. |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * builtins/ModuleLoader.js: |
| (dependencyKeysIfEvaluated): |
| * runtime/JSModuleLoader.cpp: |
| (JSC::JSModuleLoader::dependencyKeysIfEvaluated): |
| * runtime/JSModuleLoader.h: |
| * shell/CMakeLists.txt: |
| |
| 2019-07-12 Justin Michaud <justin_michaud@apple.com> |
| |
| B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y)) |
| https://bugs.webkit.org/show_bug.cgi?id=196371 |
| |
| Reviewed by Keith Miller. |
| |
| Adding these strength reductions gives 2x a (x86) and 3x (arm64) performance improvement |
| on the microbenchmark. |
| |
| * b3/B3ReduceStrength.cpp: |
| * b3/testb3.cpp: |
| (JSC::B3::testSubSub): |
| (JSC::B3::testSubSub2): |
| (JSC::B3::testSubAdd): |
| (JSC::B3::testSubFirstNeg): |
| (JSC::B3::run): |
| |
| 2019-07-12 Caio Lima <ticaiolima@gmail.com> |
| |
| [BigInt] Add ValueBitLShift into DFG |
| https://bugs.webkit.org/show_bug.cgi?id=192664 |
| |
| Reviewed by Saam Barati. |
| |
| This patch is splitting the `BitLShift` into `ArithBitLShift` and |
| `ValueBitLShift` to handle BigInt speculation more efficiently during |
| DFG and FTL layers. Following the same approach of other `ValueBitOps`, |
| `ValueBitLShift` handles Untyped and BigInt speculations, while |
| `ArithBitLShift` handles number and boolean operands and always results into |
| Int32. |
| |
| * bytecode/BytecodeList.rb: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| * bytecode/Opcode.h: |
| * dfg/DFGAbstractInterpreter.h: |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantBinaryBitwiseOp): |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| |
| We moved `BitLShift` constant fold rules to a new method |
| `handleConstantBinaryBitwiseOp` to be reused by `ArithBitLShift` and |
| `ValueBitLShift`. This also enables support of constant folding on other |
| bitwise operations like `ValueBitAnd`, `ValueBitOr` and `ValueBitXor`, when |
| their binary use kind is UntypedUse. Such cases can happen on those |
| nodes because fixup phase is conservative. |
| |
| * dfg/DFGBackwardsPropagationPhase.cpp: |
| (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo): |
| (JSC::DFG::BackwardsPropagationPhase::propagate): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicGetter): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| |
| We parse `op_lshift` as `ArithBitLShift` when its operands are numbers. |
| Otherwise, we fallback to `ValueBitLShift` and rely on fixup phase to |
| convert `ValueBitLShift` into `ArithBitLShift` when possible. |
| |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| |
| `ArithBitLShift` has the same clobberize rules as former `BitLShift`. |
| `ValueBitLShift` only clobberize world when it is UntypedUse. |
| |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| |
| `ValueBitLShift` can GC when `BigIntUse` because it allocates new |
| JSBigInts to perform this operation. It also can GC on UntypedUse |
| because of observable user code. |
| |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| |
| `ValueBitLShift` and `ArithBitLShift` has the same fixup rules of |
| other binary bitwise operations. In the case of `ValueBitLShift` |
| We check if we should speculate on BigInt or Untyped and fallback to |
| `ArithBitLShift` when both cheks fail. |
| |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::hasHeapPrediction): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOperations.cpp: |
| |
| We updated `operationValueBitLShift` to handle BigInt cases. Also, we |
| added `operationBitLShiftBigInt` that is used when we compile |
| `ValueBitLValueBitLShift(BigIntUse)`. |
| |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| |
| `ValueBitLShift`'s prediction propagation rules differs from other |
| bitwise operations, because using only heap prediction for this node causes |
| significant performance regression on Octane's zlib and mandreel. |
| The reason is because of cases where a function is compiled but the |
| instruction `op_lshift` was never executed before. If we use |
| `getPrediction()` we will emit a `ForceOSRExit`, resulting in more OSR |
| than desired. To solve such issue, we are then using |
| `getPredictionWithoutOSR()` and falling back to `getHeapPrediction()` |
| only on cases where we can't rely on node's input types. |
| |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileValueLShiftOp): |
| (JSC::DFG::SpeculativeJIT::compileShiftOp): |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::shiftOp): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStrengthReductionPhase.cpp: |
| (JSC::DFG::StrengthReductionPhase::handleNode): |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithBitLShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileBitLShift): Deleted. |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| |
| 2019-07-12 Keith Miller <keith_miller@apple.com> |
| |
| getIndexQuickly should be const |
| https://bugs.webkit.org/show_bug.cgi?id=199747 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/Butterfly.h: |
| (JSC::Butterfly::indexingPayload const): |
| (JSC::Butterfly::arrayStorage const): |
| (JSC::Butterfly::contiguousInt32 const): |
| (JSC::Butterfly::contiguousDouble const): |
| (JSC::Butterfly::contiguous const): |
| * runtime/JSObject.h: |
| (JSC::JSObject::canGetIndexQuickly const): |
| (JSC::JSObject::getIndexQuickly const): |
| (JSC::JSObject::tryGetIndexQuickly const): |
| (JSC::JSObject::canGetIndexQuickly): Deleted. |
| (JSC::JSObject::getIndexQuickly): Deleted. |
| |
| 2019-07-11 Justin Michaud <justin_michaud@apple.com> |
| |
| Add b3 macro lowering for CheckMul on arm64 |
| https://bugs.webkit.org/show_bug.cgi?id=199251 |
| |
| Reviewed by Robin Morisset. |
| |
| - Lower CheckMul for 32-bit arguments on arm64 into a mul and then an overflow check. |
| - Add a new opcode to air on arm64 for smull (multiplySignExtend32). |
| - Fuse sign extend 32 + mul into smull (taking two 32-bit arguments and producing 64 bits). |
| - 1.25x speedup on power of two microbenchmark, 1.15x speedup on normal constant microbenchmark, |
| and no change on the no-constant benchmark. |
| Also, skip some of the b3 tests that were failing before this patch so that the new tests can run |
| to completion. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::multiplySignExtend32): |
| * assembler/testmasm.cpp: |
| (JSC::testMul32SignExtend): |
| (JSC::run): |
| * b3/B3LowerMacros.cpp: |
| * b3/B3LowerToAir.cpp: |
| * b3/air/AirOpcode.opcodes: |
| * b3/testb3.cpp: |
| (JSC::B3::testMulArgs32SignExtend): |
| (JSC::B3::testMulImm32SignExtend): |
| (JSC::B3::testMemoryFence): |
| (JSC::B3::testStoreFence): |
| (JSC::B3::testLoadFence): |
| (JSC::B3::testPinRegisters): |
| (JSC::B3::run): |
| |
| 2019-07-11 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, revert r243617. |
| https://bugs.webkit.org/show_bug.cgi?id=196341 |
| |
| Mark pointed out that JSVirtualMachine can be gone in the other thread while we are executing GC constraint-solving. |
| This patch does not account that JavaScriptCore.framework is multi-thread safe: JSVirtualMachine wrapper can be destroyed, |
| and [JSVirtualMachine dealloc] can be executed in any threads while the VM is retained and used in the other thread (e.g. |
| destroyed from AutoReleasePool in some thread). |
| |
| * API/JSContext.mm: |
| (-[JSContext initWithVirtualMachine:]): |
| (-[JSContext dealloc]): |
| (-[JSContext initWithGlobalContextRef:]): |
| (-[JSContext wrapperMap]): |
| (+[JSContext contextWithJSGlobalContextRef:]): |
| * API/JSVirtualMachine.mm: |
| (initWrapperCache): |
| (wrapperCache): |
| (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): |
| (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): |
| (-[JSVirtualMachine initWithContextGroupRef:]): |
| (-[JSVirtualMachine dealloc]): |
| (+[JSVirtualMachine virtualMachineWithContextGroupRef:]): |
| (-[JSVirtualMachine contextForGlobalContextRef:]): |
| (-[JSVirtualMachine addContext:forGlobalContextRef:]): |
| (scanExternalObjectGraph): |
| (scanExternalRememberedSet): |
| * API/JSVirtualMachineInternal.h: |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::setWrapperMap): |
| (JSC::JSGlobalObject::setAPIWrapper): Deleted. |
| (JSC::JSGlobalObject::apiWrapper const): Deleted. |
| * runtime/VM.h: |
| |
| 2019-07-10 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Optimize join of large empty arrays |
| https://bugs.webkit.org/show_bug.cgi?id=199636 |
| |
| Reviewed by Mark Lam. |
| |
| Replicate the behavior of `str.repeat(count)` when performing `new Array(count + 1).join(str)`. |
| I added two new microbenchmarks: |
| - large-empty-array-join, which does not use the result of the join and runs ~44x faster and uses ~18x less memory. |
| - large-empty-array-join-resolve-rope, which uses the result of the join and runs 2x faster. |
| |
| baseline diff |
| large-empty-array-join 2713.9698+-72.7621 ^ 61.2335+-10.4836 ^ definitely 44.3217x faster |
| large-empty-array-join-resolve-string 26.5517+-0.3995 ^ 12.9309+-0.5516 ^ definitely 2.0533x faster |
| |
| large-empty-array-join memory usage with baseline (dirty): |
| 733012 kB current_mem |
| 756824 kB lifetime_peak |
| |
| large-empty-array-join memory usage with diff (dirty): |
| 41904 kB current_mem |
| 41972 kB lifetime_peak |
| |
| Additionally, I ran JetStream2, sunspider and v8-spider and all were neutral. |
| |
| * runtime/ArrayPrototype.cpp: |
| (JSC::fastJoin): |
| |
| 2019-07-08 Keith Miller <keith_miller@apple.com> |
| |
| Enable Intl.PluralRules and Intl.NumberFormatToParts by default |
| https://bugs.webkit.org/show_bug.cgi?id=199288 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| These features have been around for a while. We should turn them on by default. |
| |
| * runtime/IntlNumberFormatPrototype.cpp: |
| (JSC::IntlNumberFormatPrototype::finishCreation): |
| * runtime/IntlObject.cpp: |
| (JSC::IntlObject::finishCreation): Deleted. |
| * runtime/IntlObject.h: |
| * runtime/Options.h: |
| |
| 2019-07-08 Antoine Quint <graouts@apple.com> |
| |
| [Pointer Events] Enable only on the most recent version of the supported iOS family |
| https://bugs.webkit.org/show_bug.cgi?id=199562 |
| <rdar://problem/52766511> |
| |
| Reviewed by Dean Jackson. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-07-06 Michael Saboff <msaboff@apple.com> |
| |
| switch(String) needs to check for exceptions when resolving the string |
| https://bugs.webkit.org/show_bug.cgi?id=199541 |
| |
| Reviewed by Mark Lam. |
| |
| Added exception checks for resolved Strings in switch processing for all tiers. |
| |
| * dfg/DFGOperations.cpp: |
| * jit/JITOperations.cpp: |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| |
| 2019-07-05 Mark Lam <mark.lam@apple.com> |
| |
| ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero. |
| https://bugs.webkit.org/show_bug.cgi?id=199533 |
| <rdar://problem/52669111> |
| |
| Reviewed by Filip Pizlo. |
| |
| * dfg/DFGArgumentsEliminationPhase.cpp: |
| |
| 2019-07-05 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix build failure on ARM64_32 |
| https://bugs.webkit.org/show_bug.cgi?id=182434 |
| |
| Implicit narrowing from uint64_t to uint32_t happens. We should explicitly narrow it because we already checked |
| the `length` is <= UINT32_MAX. |
| |
| * runtime/ArrayPrototype.cpp: |
| (JSC::arrayProtoFuncSpeciesCreate): |
| |
| 2019-07-05 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| [JSC] Clean up ArraySpeciesCreate |
| https://bugs.webkit.org/show_bug.cgi?id=182434 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We have duplicate code in arraySpeciesCreate, filter, map, concatSlowPath of ArrayPrototype.js |
| and speciesConstructArray of ArrayPrototype.cpp. This patch fixes cross-realm Array constructor |
| detection in native speciesConstructArray, upgrades `length` type to correctly handle large integers, |
| and exposes it as @arraySpeciesCreate. Also removes now unused @isArrayConstructor private function. |
| Native speciesConstructArray is preferred because it has fast path via speciesWatchpointIsValid. |
| |
| Thoroughly benchmarked: this change progresses ARES-6 by 0-1%. |
| |
| * builtins/ArrayPrototype.js: |
| (filter): |
| (map): |
| (globalPrivate.concatSlowPath): |
| (globalPrivate.arraySpeciesCreate): Deleted. |
| * builtins/BuiltinNames.h: |
| * runtime/ArrayConstructor.cpp: |
| (JSC::arrayConstructorPrivateFuncIsArrayConstructor): Deleted. |
| * runtime/ArrayConstructor.h: |
| * runtime/ArrayPrototype.cpp: |
| (JSC::arrayProtoFuncSpeciesCreate): |
| * runtime/ArrayPrototype.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| |
| 2019-07-05 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Unreviewed, change the value used to scribble Heap::m_worldState |
| https://bugs.webkit.org/show_bug.cgi?id=199498 |
| |
| Follow-up after r247160. The value used to scribble should have the |
| conn bit set. |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::~Heap): |
| |
| 2019-07-05 Ryan Haddad <ryanhaddad@apple.com> |
| |
| Unreviewed, rolling out r247115. |
| |
| Breaks lldbWebKitTester (and by extension, test-webkitpy) |
| |
| Reverted changeset: |
| |
| "[WHLSL] Standard library is too big to directly include in |
| WebCore" |
| https://bugs.webkit.org/show_bug.cgi?id=198186 |
| https://trac.webkit.org/changeset/247115 |
| |
| 2019-07-05 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Scribble Heap::m_worldState on destructor |
| https://bugs.webkit.org/show_bug.cgi?id=199498 |
| |
| Reviewed by Sam Weinig. |
| |
| The worldState is dumped when we crash due to a failed checkConn, and |
| this will make it clear if the heap has already been destroyed. |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::~Heap): |
| |
| 2019-07-03 Sam Weinig <weinig@apple.com> |
| |
| Adopt simple structured bindings in more places |
| https://bugs.webkit.org/show_bug.cgi?id=199247 |
| |
| Reviewed by Alex Christensen. |
| |
| Replaces simple uses of std::tie() with structured bindings. Does not touch |
| uses of std::tie() that are not initial declarations, use std::ignore or in |
| case where the binding is captured by a lambda, as structured bindings don't |
| work for those cases yet. |
| |
| * runtime/PromiseDeferredTimer.cpp: |
| (JSC::PromiseDeferredTimer::doWork): |
| * wasm/WasmFaultSignalHandler.cpp: |
| (JSC::Wasm::trapHandler): |
| * wasm/js/JSWebAssemblyHelpers.h: |
| (JSC::createSourceBufferFromValue): |
| * wasm/js/WebAssemblyPrototype.cpp: |
| (JSC::webAssemblyValidateFunc): |
| |
| 2019-07-03 Keith Miller <keith_miller@apple.com> |
| |
| PACCage should first cage leaving PAC bits intact then authenticate |
| https://bugs.webkit.org/show_bug.cgi?id=199372 |
| |
| Reviewed by Saam Barati. |
| |
| This ordering prevents someone from taking a signed pointer from |
| outside the gigacage and using it in a struct that expects a caged |
| pointer. Previously, the PACCaging just double checked that the PAC |
| bits were valid for the original pointer. |
| |
| |
| +---------------------------+ |
| | | | | |
| | "PAC" | "base" | "offset" +----+ |
| | | | | | |
| +---------------------------+ | Caging |
| | | |
| | | |
| | v |
| | +---------------------------+ |
| | | | | | |
| | Bit Merge | 00000 | base | "offset" | |
| | | | | | |
| | +---------------------------+ |
| | | |
| | | |
| v | Bit Merge |
| +---------------------------+ | |
| | | | | | |
| | "PAC" | base | "offset" +<--------+ |
| | | | | |
| +---------------------------+ |
| | |
| | |
| | Authenticate |
| | |
| v |
| +---------------------------+ |
| | | | | |
| | Auth | base | "offset" | |
| | | | | |
| +---------------------------+ |
| |
| The above ascii art graph shows how the PACCage system works. The |
| key take away is that even if someone passes in a valid, signed |
| pointer outside the cage it will still fail to authenticate as the |
| "base" bits will change before authentication. |
| |
| |
| * assembler/MacroAssemblerARM64E.h: |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageConditionally): |
| * llint/LowLevelInterpreter64.asm: |
| |
| 2019-07-03 Paulo Matos <pmatos@igalia.com> |
| |
| Refactoring of architectural Register Information |
| https://bugs.webkit.org/show_bug.cgi?id=198604 |
| |
| Reviewed by Keith Miller. |
| |
| The goal of this patch is to centralize the register information per platform |
| but access it in a platform independent way. The patch as been implemented for all |
| known platforms: ARM64, ARMv7, MIPS, X86 and X86_64. Register information has |
| been centralized in an architecture per-file: each file is called assembler/<arch>Registers.h. |
| |
| RegisterInfo.h is used as a forwarding header to choose which register information to load. |
| assembler/<arch>Assembler.h and jit/RegisterSet.cpp use this information in a platform |
| independent way. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * assembler/ARM64Assembler.h: |
| (JSC::ARM64Assembler::gprName): Use register names from register info file. |
| (JSC::ARM64Assembler::sprName): likewise. |
| (JSC::ARM64Assembler::fprName): likewise. |
| * assembler/ARM64Registers.h: Added. |
| * assembler/ARMv7Assembler.h: |
| (JSC::ARMv7Assembler::gprName): Use register names from register info file. |
| (JSC::ARMv7Assembler::sprName): likewise. |
| (JSC::ARMv7Assembler::fprName): likewise. |
| * assembler/ARMv7Registers.h: Added. |
| * assembler/MIPSAssembler.h: |
| (JSC::MIPSAssembler::gprName): Use register names from register info file. |
| (JSC::MIPSAssembler::sprName): likewise. |
| (JSC::MIPSAssembler::fprName): likewise. |
| * assembler/MIPSRegisters.h: Added. |
| * assembler/RegisterInfo.h: Added. |
| * assembler/X86Assembler.h: |
| (JSC::X86Assembler::gprName): Use register names from register info file. |
| (JSC::X86Assembler::sprName): likewise. |
| (JSC::X86Assembler::fprName): likewise. |
| * assembler/X86Registers.h: Added. |
| * assembler/X86_64Registers.h: Added. |
| * jit/GPRInfo.h: Fix typo in comment (s/basline/baseline). |
| * jit/RegisterSet.cpp: |
| (JSC::RegisterSet::reservedHardwareRegisters): Use register properties from register info file. |
| (JSC::RegisterSet::calleeSaveRegisters): likewise. |
| |
| 2019-07-02 Michael Saboff <msaboff@apple.com> |
| |
| Exception from For..of loop destructured assignment eliminates TDZ checks in subsequent code |
| https://bugs.webkit.org/show_bug.cgi?id=199395 |
| |
| Reviewed by Filip Pizlo. |
| |
| For destructuring assignmests, the assignment might throw a reference error if |
| the RHS cannot be coerced. The current bytecode generated for such assignments |
| optimizes out the TDZ check after the coercible check. |
| |
| By saving the current state of the TDZ stack before processing the setting of |
| target destructured values and then restoring afterwards, we won't optimize out |
| later TDZ check(s). |
| |
| A similar change of saving / restoring the TDZ stack where exceptions might |
| happen was done for for..in loops in change set r232219. |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::ObjectPatternNode::bindValue const): |
| |
| 2019-07-02 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r247041. |
| https://bugs.webkit.org/show_bug.cgi?id=199425 |
| |
| broke some iOS arm64e tests (Requested by keith_miller on |
| #webkit). |
| |
| Reverted changeset: |
| |
| "PACCage should first cage leaving PAC bits intact then |
| authenticate" |
| https://bugs.webkit.org/show_bug.cgi?id=199372 |
| https://trac.webkit.org/changeset/247041 |
| |
| 2019-07-02 Keith Miller <keith_miller@apple.com> |
| |
| Frozen Arrays length assignment should throw in strict mode |
| https://bugs.webkit.org/show_bug.cgi?id=199365 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/JSArray.cpp: |
| (JSC::JSArray::put): |
| |
| 2019-07-02 Paulo Matos <pmatos@linki.tools> |
| |
| Fix typo in if/else block and remove dead assignment |
| https://bugs.webkit.org/show_bug.cgi?id=199352 |
| |
| Reviewed by Alexey Proskuryakov. |
| |
| * yarr/YarrPattern.cpp: |
| (JSC::Yarr::YarrPattern::dumpPattern): Fix typo in if/else block and remove dead assignment |
| |
| 2019-07-02 Keith Miller <keith_miller@apple.com> |
| |
| PACCage should first cage leaving PAC bits intact then authenticate |
| https://bugs.webkit.org/show_bug.cgi?id=199372 |
| |
| Reviewed by Saam Barati. |
| |
| This ordering prevents someone from taking a signed pointer from |
| outside the gigacage and using it in a struct that expects a caged |
| pointer. Previously, the PACCaging just double checked that the PAC |
| bits were valid for the original pointer. |
| |
| |
| +---------------------------+ |
| | | | | |
| | "PAC" | "base" | "offset" +----+ |
| | | | | | |
| +---------------------------+ | Caging |
| | | |
| | | |
| | v |
| | +---------------------------+ |
| | | | | | |
| | Bit Merge | 00000 | base | "offset" | |
| | | | | | |
| | +---------------------------+ |
| | | |
| | | |
| v | Bit Merge |
| +---------------------------+ | |
| | | | | | |
| | "PAC" | base | "offset" +<--------+ |
| | | | | |
| +---------------------------+ |
| | |
| | |
| | Authenticate |
| | |
| v |
| +---------------------------+ |
| | | | | |
| | Auth | base | "offset" | |
| | | | | |
| +---------------------------+ |
| |
| The above ascii art graph shows how the PACCage system works. The |
| key take away is that even if someone passes in a valid, signed |
| pointer outside the cage it will still fail to authenticate as the |
| "base" bits will change before authentication. |
| |
| |
| * assembler/MacroAssemblerARM64E.h: |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageConditionally): |
| * llint/LowLevelInterpreter64.asm: |
| |
| 2019-07-01 Justin Michaud <justin_michaud@apple.com> |
| |
| [Wasm-References] Disable references by default |
| https://bugs.webkit.org/show_bug.cgi?id=199390 |
| |
| Reviewed by Saam Barati. |
| |
| * runtime/Options.h: |
| |
| 2019-07-01 Ryan Haddad <ryanhaddad@apple.com> |
| |
| Unreviewed, rolling out r246946. |
| |
| Caused JSC test crashes on arm64 |
| |
| Reverted changeset: |
| |
| "Add b3 macro lowering for CheckMul on arm64" |
| https://bugs.webkit.org/show_bug.cgi?id=199251 |
| https://trac.webkit.org/changeset/246946 |
| |
| 2019-06-28 Justin Michaud <justin_michaud@apple.com> |
| |
| Add b3 macro lowering for CheckMul on arm64 |
| https://bugs.webkit.org/show_bug.cgi?id=199251 |
| |
| Reviewed by Robin Morisset. |
| |
| - Lower CheckMul for 32-bit arguments on arm64 into a mul and then an overflow check. |
| - Add a new opcode to air on arm64 for smull (multiplySignExtend32). |
| - Fuse sign extend 32 + mul into smull (taking two 32-bit arguments and producing 64 bits). |
| - 1.25x speedup on power of two microbenchmark, 1.15x speedup on normal constant microbenchmark, |
| and no change on the no-constant benchmark. |
| Also, skip some of the b3 tests that were failing before this patch so that the new tests can run |
| to completion. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::multiplySignExtend32): |
| * assembler/testmasm.cpp: |
| (JSC::testMul32SignExtend): |
| (JSC::run): |
| * b3/B3LowerMacros.cpp: |
| * b3/B3LowerToAir.cpp: |
| * b3/air/AirOpcode.opcodes: |
| * b3/testb3.cpp: |
| (JSC::B3::testMulArgs32SignExtend): |
| (JSC::B3::testMulImm32SignExtend): |
| (JSC::B3::testMemoryFence): |
| (JSC::B3::testStoreFence): |
| (JSC::B3::testLoadFence): |
| (JSC::B3::testPinRegisters): |
| (JSC::B3::run): |
| |
| 2019-06-28 Konstantin Tokarev <annulen@yandex.ru> |
| |
| Remove traces of ENABLE_ICONDATABASE remaining after its removal in 219733 |
| https://bugs.webkit.org/show_bug.cgi?id=199317 |
| |
| Reviewed by Michael Catanzaro. |
| |
| While IconDatabase and all code using it was removed, |
| ENABLE_ICONDATABASE still exists as build option and C++ macro. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-06-27 Mark Lam <mark.lam@apple.com> |
| |
| FTL keepAlive()'s patchpoint should also declare that it reads HeapRange::top(). |
| https://bugs.webkit.org/show_bug.cgi?id=199291 |
| |
| Reviewed by Yusuke Suzuki and Filip Pizlo. |
| |
| The sole purpose of keepAlive() is to communicate to B3 that an LValue |
| needs to be kept alive past the last opportunity for a GC. The only way |
| we can get a GC is via a function call. Hence, what keepAlive() really |
| needs to communicate is that the LValue needs to be kept alive past the |
| last function call. Function calls read and write HeapRange::top(). |
| Currently, B3 does not shuffle writes. Hence, simply inserting the |
| keepAlive() after the calls that can GC is sufficient. |
| |
| But to be strictly correct, keepAlive() should also declare that it reads |
| HeapRange::top(). This will guarantee that the keepAlive patchpoint won't |
| ever be moved before the function call should B3 gain the ability to shuffle |
| writes in the future. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::keepAlive): |
| |
| 2019-06-27 Beth Dakin <bdakin@apple.com> |
| |
| Upstream use of MACCATALYST |
| https://bugs.webkit.org/show_bug.cgi?id=199245 |
| rdar://problem/51687723 |
| |
| Reviewed by Tim Horton. |
| |
| * Configurations/Base.xcconfig: |
| * Configurations/FeatureDefines.xcconfig: |
| * Configurations/JavaScriptCore.xcconfig: |
| * Configurations/SDKVariant.xcconfig: |
| |
| 2019-06-27 Saam Barati <sbarati@apple.com> |
| |
| Make WEBGPU enabled only on Mojave and later. |
| |
| Rubber-stamped by Myles C. Maxfield. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-06-27 Don Olmstead <don.olmstead@sony.com> |
| |
| [FTW] Build JavaScriptCore |
| https://bugs.webkit.org/show_bug.cgi?id=199254 |
| |
| Reviewed by Brent Fulgham. |
| |
| * PlatformFTW.cmake: Added. |
| |
| 2019-06-27 Konstantin Tokarev <annulen@yandex.ru> |
| |
| Use JSC_GLIB_API_ENABLED instead of USE(GLIB) as a compile-time check for GLib JSC API |
| https://bugs.webkit.org/show_bug.cgi?id=199270 |
| |
| Reviewed by Michael Catanzaro. |
| |
| This change allows building code with enabled USE(GLIB) but without |
| GLib JSC API. |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::releaseDelayedReleasedObjects): |
| * heap/Heap.h: |
| * heap/HeapInlines.h: |
| |
| 2019-06-27 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: throw an error if console.count/console.countReset is called with an object that throws an error from toString |
| https://bugs.webkit.org/show_bug.cgi?id=199252 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Parse the arguments passed to `console.count` and `console.countReset` before sending it to |
| the `ConsoleClient` so that an error can be thrown if the first argument doesn't `toString` |
| nicely (e.g. without throwing an error). |
| |
| Generate call stacks for `console.countReset` to match other `console` methods. Also do this |
| for `console.time`, `console.timeLog`, and `console.timeEnd`. Limit the call stack to only |
| have the top frame, so no unnecessary/extra data is sent to the frontend (right now, only |
| the call location is displayed). |
| |
| Rename `title` to `label` for `console.time`, `console.timeLog`, and `console.timeEnd` to |
| better match the spec. |
| |
| * runtime/ConsoleClient.h: |
| * runtime/ConsoleObject.cpp: |
| (JSC::valueOrDefaultLabelString): |
| (JSC::consoleProtoFuncCount): |
| (JSC::consoleProtoFuncCountReset): |
| (JSC::consoleProtoFuncTime): |
| (JSC::consoleProtoFuncTimeLog): |
| (JSC::consoleProtoFuncTimeEnd): |
| |
| * inspector/JSGlobalObjectConsoleClient.h: |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| (Inspector::JSGlobalObjectConsoleClient::count): |
| (Inspector::JSGlobalObjectConsoleClient::countReset): |
| (Inspector::JSGlobalObjectConsoleClient::time): |
| (Inspector::JSGlobalObjectConsoleClient::timeLog): |
| (Inspector::JSGlobalObjectConsoleClient::timeEnd): |
| |
| * inspector/agents/InspectorConsoleAgent.h: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| (Inspector::InspectorConsoleAgent::startTiming): |
| (Inspector::InspectorConsoleAgent::logTiming): |
| (Inspector::InspectorConsoleAgent::stopTiming): |
| (Inspector::InspectorConsoleAgent::count): |
| (Inspector::InspectorConsoleAgent::countReset): |
| (Inspector::InspectorConsoleAgent::getCounterLabel): Deleted. |
| |
| * inspector/ConsoleMessage.h: |
| * inspector/ConsoleMessage.cpp: |
| (Inspector::ConsoleMessage::ConsoleMessage): |
| Allow `ConsoleMessage`s to be created with both `ScriptArguments` and a `ScriptCallStack`. |
| |
| 2019-06-27 Fujii Hironori <Hironori.Fujii@sony.com> |
| |
| [CMake] Bump cmake_minimum_required version to 3.10 |
| https://bugs.webkit.org/show_bug.cgi?id=199181 |
| |
| Reviewed by Don Olmstead. |
| |
| * CMakeLists.txt: |
| |
| 2019-06-26 Basuke Suzuki <Basuke.Suzuki@sony.com> |
| |
| [RemoteInspector] Add address argument to listen for RemoteInspectorServer Socket implementation. |
| https://bugs.webkit.org/show_bug.cgi?id=199035 |
| |
| Reviewed by Ross Kirsling. |
| |
| Added new argument `address` to start listening. |
| |
| * inspector/remote/socket/RemoteInspectorServer.cpp: |
| (Inspector::RemoteInspectorServer::start): |
| * inspector/remote/socket/RemoteInspectorServer.h: |
| * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: |
| (Inspector::Socket::listen): |
| * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp: |
| (Inspector::Socket::listen): |
| |
| 2019-06-26 Keith Miller <keith_miller@apple.com> |
| |
| speciesConstruct needs to throw if the result is a DataView |
| https://bugs.webkit.org/show_bug.cgi?id=199231 |
| |
| Reviewed by Mark Lam. |
| |
| Previously, we only checked that the result was a |
| JSArrayBufferView, which can include DataViews. This is incorrect |
| as the result should be only be a TypedArray. |
| |
| * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: |
| (JSC::speciesConstruct): |
| |
| 2019-06-26 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Web Inspector: Implement console.countReset |
| https://bugs.webkit.org/show_bug.cgi?id=199200 |
| |
| Reviewed by Devin Rousso. |
| |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| (Inspector::JSGlobalObjectConsoleClient::countReset): |
| * inspector/JSGlobalObjectConsoleClient.h: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| (Inspector::InspectorConsoleAgent::getCounterLabel): |
| (Inspector::InspectorConsoleAgent::count): |
| (Inspector::InspectorConsoleAgent::countReset): |
| * inspector/agents/InspectorConsoleAgent.h: |
| * runtime/ConsoleClient.h: |
| * runtime/ConsoleObject.cpp: |
| (JSC::ConsoleObject::finishCreation): |
| (JSC::consoleProtoFuncCountReset): |
| |
| 2019-06-26 Keith Miller <keith_miller@apple.com> |
| |
| remove unneeded didBecomePrototype() calls |
| https://bugs.webkit.org/show_bug.cgi?id=199221 |
| |
| Reviewed by Saam Barati. |
| |
| Since we now set didBecomePrototype in Structure::create we don't |
| need to set it expliticly in most of our finishCreation |
| methods. The only exception to this is object prototype, which we |
| set as the prototype of function prototype late (via |
| setPrototypeWithoutTransition). |
| |
| * inspector/JSInjectedScriptHostPrototype.cpp: |
| (Inspector::JSInjectedScriptHostPrototype::finishCreation): |
| * inspector/JSJavaScriptCallFramePrototype.cpp: |
| (Inspector::JSJavaScriptCallFramePrototype::finishCreation): |
| * runtime/ArrayIteratorPrototype.cpp: |
| (JSC::ArrayIteratorPrototype::finishCreation): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::ArrayPrototype::finishCreation): |
| * runtime/AsyncFromSyncIteratorPrototype.cpp: |
| (JSC::AsyncFromSyncIteratorPrototype::finishCreation): |
| * runtime/AsyncFunctionPrototype.cpp: |
| (JSC::AsyncFunctionPrototype::finishCreation): |
| * runtime/AsyncGeneratorFunctionPrototype.cpp: |
| (JSC::AsyncGeneratorFunctionPrototype::finishCreation): |
| * runtime/AsyncGeneratorPrototype.cpp: |
| (JSC::AsyncGeneratorPrototype::finishCreation): |
| * runtime/AsyncIteratorPrototype.cpp: |
| (JSC::AsyncIteratorPrototype::finishCreation): |
| * runtime/GeneratorFunctionPrototype.cpp: |
| (JSC::GeneratorFunctionPrototype::finishCreation): |
| * runtime/GeneratorPrototype.cpp: |
| (JSC::GeneratorPrototype::finishCreation): |
| * runtime/IteratorPrototype.cpp: |
| (JSC::IteratorPrototype::finishCreation): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| * runtime/MapIteratorPrototype.cpp: |
| (JSC::MapIteratorPrototype::finishCreation): |
| * runtime/MapPrototype.cpp: |
| (JSC::MapPrototype::finishCreation): |
| * runtime/ObjectPrototype.cpp: |
| (JSC::ObjectPrototype::finishCreation): |
| * runtime/RegExpStringIteratorPrototype.cpp: |
| (JSC::RegExpStringIteratorPrototype::finishCreation): |
| * runtime/SetIteratorPrototype.cpp: |
| (JSC::SetIteratorPrototype::finishCreation): |
| * runtime/SetPrototype.cpp: |
| (JSC::SetPrototype::finishCreation): |
| * runtime/StringIteratorPrototype.cpp: |
| (JSC::StringIteratorPrototype::finishCreation): |
| * runtime/WeakMapPrototype.cpp: |
| (JSC::WeakMapPrototype::finishCreation): |
| * runtime/WeakObjectRefPrototype.cpp: |
| (JSC::WeakObjectRefPrototype::finishCreation): |
| * runtime/WeakSetPrototype.cpp: |
| (JSC::WeakSetPrototype::finishCreation): |
| |
| 2019-06-25 Keith Miller <keith_miller@apple.com> |
| |
| Structure::create should call didBecomePrototype() |
| https://bugs.webkit.org/show_bug.cgi?id=196315 |
| |
| Reviewed by Filip Pizlo. |
| |
| Structure::create should also assert that the indexing type makes sense |
| for the prototype being used. |
| |
| * runtime/JSObject.h: |
| * runtime/Structure.cpp: |
| (JSC::Structure::isValidPrototype): |
| (JSC::Structure::changePrototypeTransition): |
| * runtime/Structure.h: |
| (JSC::Structure::create): Deleted. |
| * runtime/StructureInlines.h: |
| (JSC::Structure::create): |
| (JSC::Structure::setPrototypeWithoutTransition): |
| |
| 2019-06-25 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Web Inspector: Implement console.timeLog |
| https://bugs.webkit.org/show_bug.cgi?id=199184 |
| |
| Reviewed by Devin Rousso. |
| |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| (Inspector::JSGlobalObjectConsoleClient::timeLog): |
| * inspector/JSGlobalObjectConsoleClient.h: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| (Inspector::InspectorConsoleAgent::logTiming): |
| (Inspector::InspectorConsoleAgent::stopTiming): |
| * inspector/agents/InspectorConsoleAgent.h: |
| * runtime/ConsoleClient.h: |
| * runtime/ConsoleObject.cpp: |
| (JSC::ConsoleObject::finishCreation): |
| (JSC::consoleProtoFuncTimeLog): |
| |
| 2019-06-25 Michael Catanzaro <mcatanzaro@igalia.com> |
| |
| REGRESSION(r245586): static assertion failed: Match result and EncodedMatchResult should be the same size |
| https://bugs.webkit.org/show_bug.cgi?id=198518 |
| |
| Reviewed by Keith Miller. |
| |
| r245586 made some bad assumptions about the size of size_t, which we can solve using the |
| CPU(ADDRESS32) guard that I didn't know about. |
| |
| This solution was developed by Mark Lam and Keith Miller. I'm just preparing the patch. |
| |
| * runtime/MatchResult.h: |
| |
| 2019-06-24 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r246714. |
| https://bugs.webkit.org/show_bug.cgi?id=199179 |
| |
| revert to do patch in a different way. (Requested by keith_mi_ |
| on #webkit). |
| |
| Reverted changeset: |
| |
| "All prototypes should call didBecomePrototype()" |
| https://bugs.webkit.org/show_bug.cgi?id=196315 |
| https://trac.webkit.org/changeset/246714 |
| |
| 2019-06-24 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Add Array.prototype.{flat,flatMap} to unscopables |
| https://bugs.webkit.org/show_bug.cgi?id=194322 |
| |
| Reviewed by Keith Miller. |
| |
| * runtime/ArrayPrototype.cpp: |
| (JSC::ArrayPrototype::finishCreation): |
| |
| 2019-06-24 Mark Lam <mark.lam@apple.com> |
| |
| ArraySlice needs to keep the source array alive. |
| https://bugs.webkit.org/show_bug.cgi?id=197374 |
| <rdar://problem/50304429> |
| |
| Reviewed by Michael Saboff and Filip Pizlo. |
| |
| The implementation of the FTL ArraySlice intrinsics may GC while allocating the |
| result array and its butterfly. Previously, ArraySlice already keeps the source |
| butterfly alive in order to copy from it to the new butterfly after the allocation. |
| Unfortunately, this is not enough. We also need to keep the source array alive |
| so that GC will scan the values in the butterfly as well. Note: the butterfly |
| does not have a visitChildren() method to do this scan. It's the parent object's |
| responsibility to do the scanning. |
| |
| This patch fixes this by introducing a keepAlive() utility method, and we use it |
| to keep the source array alive while allocating the result array and butterfly. |
| |
| keepAlive() works by using a patchpoint to communicate to B3 that a value (the |
| source array in this case) is still in use. It also uses a fence to keep B3 from |
| relocating the patchpoint, which may defeat the fix. |
| |
| For the DFG's SpeculativeJIT::compileArraySlice(), we may have lucked out and the |
| source array cell is kept alive. This patch makes it explicit that we should |
| keep its cell alive till after the result array has been allocated. |
| |
| For the Baseline JIT and LLInt, we use the arrayProtoFuncSlice() runtime function |
| and there is no issue because the source array (in "thisObj") is in the element |
| copying loop that follows the allocation of the result array. However, for |
| documentation purposes, this patch adds a call to HeapCell::use() to indicate that |
| the source array need to kept alive at least until after the allocation of the |
| result array. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileArraySlice): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice): |
| (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray): |
| (JSC::FTL::DFG::LowerDFGToB3::keepAlive): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::arrayProtoFuncSlice): |
| |
| 2019-06-22 Robin Morisset <rmorisset@apple.com> and Yusuke Suzuki <ysuzuki@apple.com> |
| |
| All prototypes should call didBecomePrototype() |
| https://bugs.webkit.org/show_bug.cgi?id=196315 |
| |
| Reviewed by Saam Barati. |
| |
| Otherwise we won't remember to run haveABadTime() when someone adds to them an indexed accessor. |
| |
| I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't |
| create structures with invalid prototypes. |
| It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation(). |
| Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype. |
| |
| * runtime/BigIntPrototype.cpp: |
| (JSC::BigIntPrototype::finishCreation): |
| * runtime/BooleanPrototype.cpp: |
| (JSC::BooleanPrototype::finishCreation): |
| * runtime/DatePrototype.cpp: |
| (JSC::DatePrototype::finishCreation): |
| * runtime/ErrorConstructor.cpp: |
| (JSC::ErrorConstructor::finishCreation): |
| * runtime/ErrorPrototype.cpp: |
| (JSC::ErrorPrototype::finishCreation): |
| * runtime/FunctionConstructor.cpp: |
| (JSC::FunctionConstructor::finishCreation): |
| * runtime/FunctionPrototype.cpp: |
| (JSC::FunctionPrototype::finishCreation): |
| * runtime/IntlCollatorPrototype.cpp: |
| (JSC::IntlCollatorPrototype::finishCreation): |
| * runtime/IntlDateTimeFormatPrototype.cpp: |
| (JSC::IntlDateTimeFormatPrototype::finishCreation): |
| * runtime/IntlNumberFormatPrototype.cpp: |
| (JSC::IntlNumberFormatPrototype::finishCreation): |
| * runtime/IntlPluralRulesPrototype.cpp: |
| (JSC::IntlPluralRulesPrototype::finishCreation): |
| * runtime/JSArrayBufferPrototype.cpp: |
| (JSC::JSArrayBufferPrototype::finishCreation): |
| * runtime/JSDataViewPrototype.cpp: |
| (JSC::JSDataViewPrototype::finishCreation): |
| * runtime/JSGenericTypedArrayViewPrototypeInlines.h: |
| (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::createConsoleProperty): |
| * runtime/JSPromisePrototype.cpp: |
| (JSC::JSPromisePrototype::finishCreation): |
| * runtime/JSTypedArrayViewConstructor.cpp: |
| (JSC::JSTypedArrayViewConstructor::finishCreation): |
| * runtime/JSTypedArrayViewPrototype.cpp: |
| (JSC::JSTypedArrayViewPrototype::finishCreation): |
| * runtime/NumberPrototype.cpp: |
| (JSC::NumberPrototype::finishCreation): |
| * runtime/RegExpPrototype.cpp: |
| (JSC::RegExpPrototype::finishCreation): |
| * runtime/StringPrototype.cpp: |
| (JSC::StringPrototype::finishCreation): |
| * runtime/Structure.cpp: |
| (JSC::Structure::isValidPrototype): |
| (JSC::Structure::changePrototypeTransition): |
| * runtime/Structure.h: |
| * runtime/StructureInlines.h: |
| (JSC::Structure::setPrototypeWithoutTransition): |
| * runtime/SymbolPrototype.cpp: |
| (JSC::SymbolPrototype::finishCreation): |
| * wasm/js/WebAssemblyCompileErrorPrototype.cpp: |
| (JSC::WebAssemblyCompileErrorPrototype::finishCreation): |
| * wasm/js/WebAssemblyInstancePrototype.cpp: |
| (JSC::WebAssemblyInstancePrototype::finishCreation): |
| * wasm/js/WebAssemblyLinkErrorPrototype.cpp: |
| (JSC::WebAssemblyLinkErrorPrototype::finishCreation): |
| * wasm/js/WebAssemblyMemoryPrototype.cpp: |
| (JSC::WebAssemblyMemoryPrototype::finishCreation): |
| * wasm/js/WebAssemblyModulePrototype.cpp: |
| (JSC::WebAssemblyModulePrototype::finishCreation): |
| * wasm/js/WebAssemblyPrototype.cpp: |
| (JSC::WebAssemblyPrototype::finishCreation): |
| * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: |
| (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation): |
| * wasm/js/WebAssemblyTablePrototype.cpp: |
| (JSC::WebAssemblyTablePrototype::finishCreation): |
| |
| 2019-06-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Strict, Sloppy and Arrow functions should have different classInfo |
| https://bugs.webkit.org/show_bug.cgi?id=197631 |
| |
| Reviewed by Saam Barati. |
| |
| If a constructor inherits a builtin class, it creates a Structure which is subclassing the builtin class. |
| This is done by using InternalFunction::createSubclassStructure. But to accelerate the common cases, we |
| cache the created structure in InternalFunctionAllocationProfile. Whether the cache is valid is checked |
| by comparing classInfo of the cached structure and the given base structure. This implicitly assume that |
| each builtin class's InternalFunction creates an instance based on one structure. |
| |
| However, Function constructor is an exception: Function constructor creates an instance which has different |
| structures based on a parameter. If a strict code is given (e.g. "'use strict'"), it creates a function |
| instance with strict function structure. |
| |
| As a result, InternalFunctionAllocationProfile incorrectly caches the structure. Consider the following code. |
| |
| class A extends Function { }; |
| let a = new A("'use strict'"); |
| let b = new A(""); |
| |
| While `a` and `b` should have different structures, `A` caches the structure for `a`, and reuse it even the given |
| code is not a strict code. This is problematic: We are separating structures of strict, sloppy, and arrow functions |
| because they have different properties. However, in the above case, a and b have the same structure while they have |
| different properties. So it causes incorrect structure-based caching in JSC. One of the example is HasOwnPropertyCache. |
| |
| In this patch, we introduce JSStrictFunction, JSSloppyFunction, and JSArrowFunction classes and classInfos. This design |
| works well and already partially accepted for JSGeneratorFunction, JSAsyncGeneratorFunction, and JSAsyncFunction. Each |
| structure now has a different classInfo so that InternalFunctionAllocationProfile correctly caches and invalidates the |
| cached one based on the classInfo. Since we already have different structures for these instances, and DFG and FTL |
| optimizations are based on JSFunctionType (not classInfo), introducing these three classInfo do not break the optimization. |
| |
| Note that structures on ArrayConstructor does not cause the same problem. It only uses Undecided indexing typed array |
| structure in InternalFunctionAllocationProfile, and once haveABadTime happens, it clears InternalFunctionAllocationProfile. |
| |
| * runtime/JSAsyncFunction.h: This subspaceFor is not necessary since it is defined in JSFunction. And we already ensure that |
| sizeof(JSAsyncFunction) == sizeof(JSFunction). |
| * runtime/JSAsyncGeneratorFunction.cpp: |
| * runtime/JSAsyncGeneratorFunction.h: Ditto. |
| * runtime/JSFunction.cpp: |
| * runtime/JSFunction.h: |
| * runtime/JSGeneratorFunction.h: Ditto. |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| |
| 2019-06-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] ClassExpr should not store result in the middle of evaluation |
| https://bugs.webkit.org/show_bug.cgi?id=199106 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| Let's consider the case, |
| |
| let a = class A { |
| static get[a=0x12345678]() { |
| } |
| }; |
| |
| When evaluating `class A` expression, we should not use the local register for `let a` |
| until we finally store it to that register. Otherwise, `a=0x12345678` will override it. |
| Out BytecodeGenerator does that this by using tempDestination and finalDestination, but |
| we did not do that in ClassExprNode. |
| |
| This patch leverages tempDestination and finalDestination to store `class A` result finally, |
| while we attempt to reduce mov. |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::ClassExprNode::emitBytecode): |
| |
| 2019-06-21 Sihui Liu <sihui_liu@apple.com> |
| |
| openDatabase should return an empty object when WebSQL is disabled |
| https://bugs.webkit.org/show_bug.cgi?id=198805 |
| |
| Reviewed by Geoffrey Garen. |
| |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::createFunctionThatMasqueradesAsUndefined): |
| * runtime/JSFunction.h: |
| |
| 2019-06-21 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Remove extra check in RegExp @matchSlow |
| https://bugs.webkit.org/show_bug.cgi?id=198846 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Type of RegExp `exec` result is already asserted in @regExpExec. |
| |
| * builtins/RegExpPrototype.js: |
| (globalPrivate.matchSlow): Remove isObject check. |
| |
| 2019-06-20 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs |
| https://bugs.webkit.org/show_bug.cgi?id=199044 |
| |
| Reviewed by Saam Barati. |
| |
| Fix parsing table indices from the element section. The byte that we previously read as the table index actually tells us how to parse the table index. |
| Fix some areas where we got the isSubtype check wrong, causing funcrefs to not be considred anyrefs. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::unify): |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseElement): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::unify): |
| |
| 2019-06-18 Darin Adler <darin@apple.com> |
| |
| Tidy up the remaining bits of the AtomicString to AtomString rename |
| https://bugs.webkit.org/show_bug.cgi?id=198990 |
| |
| Reviewed by Michael Catanzaro. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): Use flagIsAtom. |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): Ditto. |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): Ditto. |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty): Ditto. |
| (JSC::FTL::DFG::LowerDFGToB3::speculateStringIdent): Ditto. |
| |
| 2019-06-19 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Optimize `resolve` method lookup in Promise static methods |
| https://bugs.webkit.org/show_bug.cgi?id=198864 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Lookup `resolve` method only once in Promise.{all,allSettled,race}. |
| (https://github.com/tc39/ecma262/pull/1506) |
| |
| Already implemented in V8. |
| |
| * builtins/PromiseConstructor.js: |
| |
| 2019-06-19 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Some of the ASSERTs in CachedTypes.cpp should be RELEASE_ASSERTs |
| https://bugs.webkit.org/show_bug.cgi?id=199030 |
| |
| Reviewed by Mark Lam. |
| |
| These assertions represent strong assumptions that the cache makes so |
| it's not safe to keep executing if they fail. |
| |
| * runtime/CachedTypes.cpp: |
| (JSC::Encoder::malloc): |
| (JSC::Encoder::Page::alignEnd): |
| (JSC::Decoder::ptrForOffsetFromBase): |
| (JSC::Decoder::handleForEnvironment const): |
| (JSC::Decoder::setHandleForEnvironment): |
| (JSC::CachedPtr::get const): |
| (JSC::CachedOptional::encode): |
| (JSC::CachedOptional::decodeAsPtr const): Deleted. |
| |
| 2019-06-19 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [WPE][GTK] Fix build with unified sources disabled |
| https://bugs.webkit.org/show_bug.cgi?id=198752 |
| |
| Reviewed by Michael Catanzaro. |
| |
| * runtime/WeakObjectRefConstructor.h: Add missing inclusion of InternalFunction.h |
| and forward declaration of WeakObjectRefPrototype. |
| * wasm/js/WebAssemblyFunction.cpp: Add missing inclusion of JSWebAssemblyHelpers.h |
| |
| 2019-06-19 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Rename anyfunc to funcref |
| https://bugs.webkit.org/show_bug.cgi?id=198983 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Anyfunc should become funcref since it was renamed in the spec. We should also support the string 'anyfunc' in the table constructor since this is |
| the only non-binary-format place where it is exposed to users. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::gFuncref): |
| (JSC::Wasm::AirIRGenerator::tmpForType): |
| (JSC::Wasm::AirIRGenerator::emitCCall): |
| (JSC::Wasm::AirIRGenerator::moveOpForValueType): |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::addLocal): |
| (JSC::Wasm::AirIRGenerator::addConstant): |
| (JSC::Wasm::AirIRGenerator::addRefFunc): |
| (JSC::Wasm::AirIRGenerator::addReturn): |
| (JSC::Wasm::AirIRGenerator::gAnyfunc): Deleted. |
| * wasm/WasmCallingConvention.h: |
| (JSC::Wasm::CallingConventionAir::marshallArgument const): |
| (JSC::Wasm::CallingConventionAir::setupCall const): |
| * wasm/WasmExceptionType.h: |
| * wasm/WasmFormat.h: |
| (JSC::Wasm::isValueType): |
| (JSC::Wasm::isSubtype): |
| (JSC::Wasm::TableInformation::wasmType const): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseTableHelper): |
| (JSC::Wasm::SectionParser::parseElement): |
| (JSC::Wasm::SectionParser::parseInitExpr): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::addRefFunc): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::wasmToJS): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::callWebAssemblyFunction): |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| * wasm/wasm.json: |
| |
| 2019-06-19 Fujii Hironori <Hironori.Fujii@sony.com> |
| |
| [CMake][Win] CombinedDomains.json is generated twice in JavaScriptCore_CopyPrivateHeaders and JavaScriptCore projects |
| https://bugs.webkit.org/show_bug.cgi?id=198853 |
| |
| Reviewed by Don Olmstead. |
| |
| JavaScriptCore_CopyPrivateHeaders target needs to have a direct or |
| indirect dependency of JavaScriptCore target for CMake Visual |
| Studio generator to eliminate duplicated custom commands. |
| |
| * CMakeLists.txt: Added JavaScriptCore as a dependency of JavaScriptCore_CopyPrivateHeaders. |
| |
| 2019-06-18 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] JSLock should be WebThread aware |
| https://bugs.webkit.org/show_bug.cgi?id=198911 |
| |
| Reviewed by Geoffrey Garen. |
| |
| Since WebKitLegacy content rendering is done in WebThread instead of the main thread in iOS, user of WebKitLegacy (e.g. UIWebView) needs |
| to grab the WebThread lock (which is a recursive lock) in the main thread when touching the WebKitLegacy content. |
| But, WebKitLegacy can expose JSContext for the web view. And we can interact with the JS content through JavaScriptCore APIs. However, |
| since WebThread is a concept in WebCore, JavaScriptCore APIs do not grab the WebThread lock. As a result, WebKitLegacy web content can be |
| modified from the main thread without grabbing the WebThread lock through JavaScriptCore APIs. |
| |
| This patch makes JSC aware of WebThread: JSLock grabs the WebThread lock before grabbing JS's lock. While this seems layering violation, |
| we already have many USE(WEB_THREAD) and WebThread aware code in WTF. Eventually, we should move WebThread code from WebCore to WTF since |
| JSC and WTF need to be aware of WebThread. But, for now, we just use the function pointer exposed by WebCore. |
| |
| Since both JSLock and the WebThread lock are recursive locks, nested locking is totally OK. The possible problem is the order of locking. |
| We ensure that we always grab locks in (1) the WebThread lock and (2) JSLock order. |
| |
| In JSLock, we take the WebThread lock, but we do not unlock it. This is how we use the WebThread lock: the WebThread lock is released |
| automatically when RunLoop finishes the current cycle, and in WebKitLegacy, we do not call unlocking function of the WebThread lock except |
| for some edge cases. |
| |
| * API/JSVirtualMachine.mm: |
| (-[JSVirtualMachine isWebThreadAware]): |
| * API/JSVirtualMachineInternal.h: |
| * runtime/JSLock.cpp: |
| (JSC::JSLockHolder::JSLockHolder): |
| (JSC::JSLock::lock): |
| (JSC::JSLockHolder::init): Deleted. |
| * runtime/JSLock.h: |
| (JSC::JSLock::makeWebThreadAware): |
| (JSC::JSLock::isWebThreadAware const): |
| |
| 2019-06-18 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Add support for Table.size, grow and fill instructions |
| https://bugs.webkit.org/show_bug.cgi?id=198761 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add support for Table.size, grow and fill instructions. This also required |
| adding support for two-byte opcodes to the ops generator. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::gAnyref): |
| (JSC::Wasm::AirIRGenerator::tmpForType): |
| (JSC::Wasm::AirIRGenerator::addTableSize): |
| (JSC::Wasm::AirIRGenerator::addTableGrow): |
| (JSC::Wasm::AirIRGenerator::addTableFill): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::addTableSize): |
| (JSC::Wasm::B3IRGenerator::addTableGrow): |
| (JSC::Wasm::B3IRGenerator::addTableFill): |
| * wasm/WasmExceptionType.h: |
| * wasm/WasmFormat.h: |
| (JSC::Wasm::TableInformation::wasmType const): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression): |
| * wasm/WasmInstance.cpp: |
| (JSC::Wasm::doWasmTableGrow): |
| (JSC::Wasm::doWasmTableFill): |
| * wasm/WasmInstance.h: |
| * wasm/WasmTable.cpp: |
| (JSC::Wasm::Table::grow): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::addTableSize): |
| (JSC::Wasm::Validate::addTableGrow): |
| (JSC::Wasm::Validate::addTableFill): |
| * wasm/generateWasmOpsHeader.py: |
| (opcodeMacroizer): |
| (ExtTableOpType): |
| * wasm/wasm.json: |
| |
| 2019-06-18 Keith Miller <keith_miller@apple.com> |
| |
| Unreviewed, fix signature of currentWeakRefVersion to return an uintptr_t. |
| |
| * runtime/VM.h: |
| (JSC::VM::currentWeakRefVersion const): |
| |
| 2019-06-18 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Add support for multiple tables |
| https://bugs.webkit.org/show_bug.cgi?id=198760 |
| |
| Reviewed by Saam Barati. |
| |
| Support multiple wasm tables. We turn tableInformation into a tables array, and update all of the |
| existing users to give a table index. The array of Tables in Wasm::Instance is hung off the tail |
| to make it easier to use from jit code. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::addTableGet): |
| (JSC::Wasm::AirIRGenerator::addTableSet): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::B3IRGenerator): |
| (JSC::Wasm::B3IRGenerator::addTableGet): |
| (JSC::Wasm::B3IRGenerator::addTableSet): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| * wasm/WasmExceptionType.h: |
| * wasm/WasmFormat.h: |
| (JSC::Wasm::Element::Element): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression): |
| * wasm/WasmInstance.cpp: |
| (JSC::Wasm::Instance::Instance): |
| (JSC::Wasm::Instance::create): |
| (JSC::Wasm::Instance::extraMemoryAllocated const): |
| (JSC::Wasm::Instance::table): |
| (JSC::Wasm::Instance::setTable): |
| * wasm/WasmInstance.h: |
| (JSC::Wasm::Instance::updateCachedMemory): |
| (JSC::Wasm::Instance::offsetOfGlobals): |
| (JSC::Wasm::Instance::offsetOfTablePtr): |
| (JSC::Wasm::Instance::allocationSize): |
| (JSC::Wasm::Instance::table): Deleted. |
| (JSC::Wasm::Instance::setTable): Deleted. |
| (JSC::Wasm::Instance::offsetOfTable): Deleted. |
| * wasm/WasmModuleInformation.h: |
| (JSC::Wasm::ModuleInformation::tableCount const): |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseImport): |
| (JSC::Wasm::SectionParser::parseTableHelper): |
| (JSC::Wasm::SectionParser::parseTable): |
| (JSC::Wasm::SectionParser::parseElement): |
| * wasm/WasmTable.h: |
| (JSC::Wasm::Table::owner const): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::addTableGet): |
| (JSC::Wasm::Validate::addTableSet): |
| (JSC::Wasm::Validate::addCallIndirect): |
| * wasm/js/JSWebAssemblyInstance.cpp: |
| (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): |
| (JSC::JSWebAssemblyInstance::visitChildren): |
| * wasm/js/JSWebAssemblyInstance.h: |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| (JSC::WebAssemblyModuleRecord::evaluate): |
| * wasm/wasm.json: |
| |
| 2019-06-18 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| [ESNExt] String.prototype.matchAll |
| https://bugs.webkit.org/show_bug.cgi?id=186694 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Implement String.prototype.matchAll. |
| (https://tc39.es/ecma262/#sec-string.prototype.matchall) |
| |
| Also rename @globalPrivate @constructor functions and C++ variables holding them. |
| |
| Shipping in Chrome since version 73. |
| Shipping in Firefox since version 67. |
| |
| * CMakeLists.txt: |
| * DerivedSources-input.xcfilelist: |
| * DerivedSources.make: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Scripts/wkbuiltins/builtins_generate_combined_header.py: |
| (get_var_name): |
| (generate_section_for_global_private_code_name_macro): |
| * Sources.txt: |
| * builtins/ArrayPrototype.js: |
| (globalPrivate.ArrayIterator): |
| (values): |
| (keys): |
| (entries): |
| (globalPrivate.createArrayIterator): Deleted. |
| * builtins/AsyncFromSyncIteratorPrototype.js: |
| (globalPrivate.createAsyncFromSyncIterator): |
| (globalPrivate.AsyncFromSyncIterator): |
| (globalPrivate.AsyncFromSyncIteratorConstructor): Deleted. |
| * builtins/BuiltinNames.h: |
| * builtins/MapPrototype.js: |
| (globalPrivate.MapIterator): |
| (values): |
| (keys): |
| (entries): |
| (globalPrivate.createMapIterator): Deleted. |
| * builtins/RegExpPrototype.js: |
| (globalPrivate.RegExpStringIterator): |
| (overriddenName.string_appeared_here.matchAll): |
| * builtins/RegExpStringIteratorPrototype.js: Added. |
| (next): |
| * builtins/SetPrototype.js: |
| (globalPrivate.SetIterator): |
| (values): |
| (entries): |
| (globalPrivate.createSetIterator): Deleted. |
| * builtins/StringPrototype.js: |
| (matchAll): |
| * builtins/TypedArrayPrototype.js: |
| (values): |
| (keys): |
| (entries): |
| * runtime/CommonIdentifiers.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| * runtime/RegExpPrototype.cpp: |
| (JSC::RegExpPrototype::finishCreation): |
| * runtime/RegExpStringIteratorPrototype.cpp: Added. |
| (JSC::RegExpStringIteratorPrototype::finishCreation): |
| * runtime/RegExpStringIteratorPrototype.h: Added. |
| * runtime/StringPrototype.cpp: |
| |
| 2019-06-18 Keith Miller <keith_miller@apple.com> |
| |
| Add support for WeakRef |
| https://bugs.webkit.org/show_bug.cgi?id=198710 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add support for WeakRefs which are now at stage 3 |
| (https://tc39.es/proposal-weakrefs). This patch doesn't add |
| support for FinalizationGroups, which I'll add in another patch. |
| |
| Some other things of interest. Per the spec, we cannot collect a |
| weak refs target unless it has not been dereffed (or created) in |
| the current microtask turn. i.e. WeakRefs are only allowed to be |
| collected at the end of a drain of the Microtask queue. My |
| understanding for this behavior is to reduce implementation |
| dependence on specific GC behavior in a given browser. |
| |
| We track if a WeakRef is retaining its target by using a version |
| number on each WeakRef as well as on the VM. Whenever a WeakRef is |
| derefed we update its version number to match the VM's then |
| WriteBarrier ourselves. During marking if the VM and the WeakRef |
| have the same version number, the target is visited. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * heap/Heap.cpp: |
| (JSC::Heap::finalizeUnconditionalFinalizers): |
| * jsc.cpp: |
| (GlobalObject::finishCreation): |
| (functionReleaseWeakRefs): |
| * runtime/CommonIdentifiers.h: |
| * runtime/JSGlobalObject.cpp: |
| * runtime/JSGlobalObject.h: |
| * runtime/JSWeakObjectRef.cpp: Added. |
| (JSC::JSWeakObjectRef::finishCreation): |
| (JSC::JSWeakObjectRef::visitChildren): |
| (JSC::JSWeakObjectRef::finalizeUnconditionally): |
| (JSC::JSWeakObjectRef::toStringName): |
| * runtime/JSWeakObjectRef.h: Added. |
| * runtime/VM.cpp: |
| (JSC::VM::drainMicrotasks): |
| * runtime/VM.h: |
| (JSC::VM::setOnEachMicrotaskTick): |
| (JSC::VM::finalizeSynchronousJSExecution): |
| (JSC::VM::currentWeakRefVersion const): |
| * runtime/WeakObjectRefConstructor.cpp: Added. |
| (JSC::WeakObjectRefConstructor::finishCreation): |
| (JSC::WeakObjectRefConstructor::WeakObjectRefConstructor): |
| (JSC::callWeakRef): |
| (JSC::constructWeakRef): |
| * runtime/WeakObjectRefConstructor.h: Added. |
| (JSC::WeakObjectRefConstructor::create): |
| (JSC::WeakObjectRefConstructor::createStructure): |
| * runtime/WeakObjectRefPrototype.cpp: Added. |
| (JSC::WeakObjectRefPrototype::finishCreation): |
| (JSC::getWeakRef): |
| (JSC::protoFuncWeakRefDeref): |
| * runtime/WeakObjectRefPrototype.h: Added. |
| |
| 2019-06-18 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Add missing mutator fence in compileNewFunction |
| https://bugs.webkit.org/show_bug.cgi?id=198849 |
| <rdar://problem/51733890> |
| |
| Reviewed by Saam Barati. |
| |
| Follow-up after r246553. Saam pointed out that we still need a mutator |
| fence before allocating the FunctionRareData, since the allocation |
| might trigger a slow path call. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| |
| 2019-06-18 Tadeu Zagallo <tzagallo@apple.com> |
| |
| DFG code should not reify the names of builtin functions with private names |
| https://bugs.webkit.org/show_bug.cgi?id=198849 |
| <rdar://problem/51733890> |
| |
| Reviewed by Filip Pizlo. |
| |
| Builtin functions that have a private name call setHasReifiedName from finishCreation. |
| When compiled with DFG and FTL, that does not get called and the function ends up reifying |
| its name. In order to fix that, we initialize FunctionRareData and set m_hasReifiedName to |
| true from compileNewFunction in both DFG and FTL. |
| |
| * bytecode/InternalFunctionAllocationProfile.h: |
| (JSC::InternalFunctionAllocationProfile::offsetOfStructure): |
| * bytecode/ObjectAllocationProfile.h: |
| (JSC::ObjectAllocationProfileWithPrototype::offsetOfPrototype): |
| * bytecode/UnlinkedFunctionExecutable.h: |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| * runtime/FunctionExecutable.h: |
| * runtime/FunctionRareData.h: |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::finishCreation): |
| * runtime/JSFunction.h: |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::isAnonymousBuiltinFunction const): |
| |
| 2019-06-18 Keith Miller <keith_miller@apple.com> |
| |
| MaybeParseAsGeneratorForScope sometimes loses track of its scope ref |
| https://bugs.webkit.org/show_bug.cgi?id=198969 |
| <rdar://problem/51620714> |
| |
| Reviewed by Tadeu Zagallo. |
| |
| Sometimes if the parser has enough nested scopes |
| MaybeParseAsGeneratorForScope can lose track of the ScopeRef it |
| should be tracking. This is because the parser sometimes relocates |
| its ScopeRefs. To fix this MaybeParseAsGeneratorForScope should |
| hold the scope ref it's watching. |
| |
| * parser/Parser.cpp: |
| (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope): |
| (JSC::Scope::MaybeParseAsGeneratorForScope::~MaybeParseAsGeneratorForScope): |
| |
| 2019-06-17 Justin Michaud <justin_michaud@apple.com> |
| |
| Validate that table element type is funcref if using an element section |
| https://bugs.webkit.org/show_bug.cgi?id=198910 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add missing validation when attempting to add an element section to an anyref table. |
| |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseElement): |
| |
| 2019-06-17 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Concurrent GC should check the conn before starting a new collection cycle |
| https://bugs.webkit.org/show_bug.cgi?id=198913 |
| <rdar://problem/49515149> |
| |
| Reviewed by Filip Pizlo. |
| |
| Heap::requestCollection tries to steal the conn as an optimization to avoid waking up the collector |
| thread if it's idle. We determine if the collector is idle by ensuring that there are no pending collections |
| and that the current GC phase is NotRunning. However, that's not safe immediately after the concurrent |
| GC has finished processing the last pending request. The collector thread will runEndPhase and immediately |
| start runNotRunningPhase, without checking if it still has the conn. If the mutator has stolen the conn in |
| the mean time, this will lead to both threads collecting concurrently, and eventually we'll crash in checkConn, |
| since the collector is running but doesn't have the conn anymore. |
| |
| To solve this, we check if we still have the conn after holding the lock in runNotRunningPhase, in case the mutator |
| has stolen the conn. Ideally, we wouldn't let the mutator steal the conn in the first place, but that doesn't seem |
| trivial to determine. |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::runNotRunningPhase): |
| |
| 2019-06-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Introduce DisposableCallSiteIndex to enforce type-safety |
| https://bugs.webkit.org/show_bug.cgi?id=197378 |
| |
| Reviewed by Saam Barati. |
| |
| Some of CallSiteIndex are disposable. This is because some of CallSiteIndex are allocated and freed at runtime (not DFG/FTL compile time). |
| The example is CallSiteIndex for exception handler in GCAwareJITStubRoutineWithExceptionHandler. If we do not allocate and free CallSiteIndex, |
| we will create a new CallSiteIndex continuously and leak memory. |
| |
| The other CallSiteIndex are not simply disposable because the ownership model is not unique one. They can be shared between multiple clients. |
| But not disposing them is OK because they are static one: they are allocated when compiling DFG/FTL, and we do not allocate such CallSiteIndex |
| at runtime. |
| |
| To make this difference explicit and avoid disposing non-disposable CallSiteIndex accidentally, we introduce DisposableCallSiteIndex type, and |
| enforce type-safety to some degree. |
| |
| We also correctly update the DisposableCallSiteIndex => CodeOrigin table when we are reusing the previously used DisposableCallSiteIndex. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::newExceptionHandlingCallSiteIndex): |
| (JSC::CodeBlock::removeExceptionHandlerForCallSite): |
| * bytecode/CodeBlock.h: |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::AccessGenerationState::callSiteIndexForExceptionHandling): |
| (JSC::PolymorphicAccess::regenerate): |
| * bytecode/PolymorphicAccess.h: |
| (JSC::AccessGenerationState::callSiteIndexForExceptionHandling): Deleted. |
| * dfg/DFGCommonData.cpp: |
| (JSC::DFG::CommonData::addUniqueCallSiteIndex): |
| (JSC::DFG::CommonData::addDisposableCallSiteIndex): |
| (JSC::DFG::CommonData::removeDisposableCallSiteIndex): |
| (JSC::DFG::CommonData::removeCallSiteIndex): Deleted. |
| * dfg/DFGCommonData.h: |
| * interpreter/CallFrame.h: |
| (JSC::DisposableCallSiteIndex::DisposableCallSiteIndex): |
| (JSC::DisposableCallSiteIndex::fromCallSiteIndex): |
| * jit/GCAwareJITStubRoutine.cpp: |
| (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler): |
| (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount): |
| (JSC::createJITStubRoutine): |
| * jit/GCAwareJITStubRoutine.h: |
| * jit/JITInlineCacheGenerator.h: |
| |
| 2019-06-17 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Add support for Funcref in parameters and return types |
| https://bugs.webkit.org/show_bug.cgi?id=198157 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add support for funcref in parameters, globals, and in table.get/set. When converting a JSValue to |
| a funcref (nee anyfunc), we first make sure it is an exported wasm function or null. |
| |
| We also add support for Ref.func. Anywhere a Ref.func is used, (statically) we construct a JS wrapper |
| for it so that we never need to construct JSValues when handling references. This should make threads |
| easier to implement. |
| |
| Finally, we add some missing bounds checks for table.get/set. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::tmpForType): |
| (JSC::Wasm::AirIRGenerator::moveOpForValueType): |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::addLocal): |
| (JSC::Wasm::AirIRGenerator::addConstant): |
| (JSC::Wasm::AirIRGenerator::addRefFunc): |
| (JSC::Wasm::AirIRGenerator::addTableSet): |
| (JSC::Wasm::AirIRGenerator::setGlobal): |
| (JSC::Wasm::AirIRGenerator::addReturn): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::addLocal): |
| (JSC::Wasm::B3IRGenerator::addTableSet): |
| (JSC::Wasm::B3IRGenerator::addRefFunc): |
| (JSC::Wasm::B3IRGenerator::setGlobal): |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::compileFunctions): |
| * wasm/WasmCallingConvention.h: |
| (JSC::Wasm::CallingConventionAir::marshallArgument const): |
| (JSC::Wasm::CallingConventionAir::setupCall const): |
| * wasm/WasmExceptionType.h: |
| * wasm/WasmFormat.h: |
| (JSC::Wasm::isValueType): |
| (JSC::Wasm::isSubtype): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression): |
| * wasm/WasmInstance.cpp: |
| (JSC::Wasm::Instance::Instance): |
| (JSC::Wasm::Instance::getFunctionWrapper const): |
| (JSC::Wasm::Instance::setFunctionWrapper): |
| * wasm/WasmInstance.h: |
| * wasm/WasmModuleInformation.h: |
| (JSC::Wasm::ModuleInformation::referencedFunctions const): |
| (JSC::Wasm::ModuleInformation::addReferencedFunction const): |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseGlobal): |
| (JSC::Wasm::SectionParser::parseInitExpr): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::addTableGet): |
| (JSC::Wasm::Validate::addTableSet): |
| (JSC::Wasm::Validate::addRefIsNull): |
| (JSC::Wasm::Validate::addRefFunc): |
| (JSC::Wasm::Validate::setLocal): |
| (JSC::Wasm::Validate::addCall): |
| (JSC::Wasm::Validate::addCallIndirect): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/JSWebAssemblyHelpers.h: |
| (JSC::isWebAssemblyHostFunction): |
| * wasm/js/JSWebAssemblyInstance.cpp: |
| (JSC::JSWebAssemblyInstance::visitChildren): |
| * wasm/js/JSWebAssemblyRuntimeError.cpp: |
| (JSC::createJSWebAssemblyRuntimeError): |
| * wasm/js/JSWebAssemblyRuntimeError.h: |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::handleBadI64Use): |
| (JSC::Wasm::wasmToJS): |
| (JSC::Wasm::emitWasmToJSException): |
| * wasm/js/WasmToJS.h: |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::callWebAssemblyFunction): |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| * wasm/wasm.json: |
| |
| 2019-06-16 Darin Adler <darin@apple.com> |
| |
| Rename AtomicString to AtomString |
| https://bugs.webkit.org/show_bug.cgi?id=195276 |
| |
| Reviewed by Michael Catanzaro. |
| |
| * many files: Let do-webcore-rename do the renaming. |
| |
| 2019-06-16 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Grown region of WasmTable should be initialized with null |
| https://bugs.webkit.org/show_bug.cgi?id=198903 |
| |
| Reviewed by Saam Barati. |
| |
| Grown region of Wasmtable is now empty. We should initialize it with null. |
| We also rename Wasm::Table::visitChildren to Wasm::Table::visitAggregate to |
| align to the naming convention. |
| |
| * wasm/WasmTable.cpp: |
| (JSC::Wasm::Table::grow): |
| (JSC::Wasm::Table::visitAggregate): |
| (JSC::Wasm::Table::visitChildren): Deleted. |
| * wasm/WasmTable.h: |
| * wasm/js/JSWebAssemblyTable.cpp: |
| (JSC::JSWebAssemblyTable::visitChildren): |
| |
| 2019-06-14 Keith Miller <keith_miller@apple.com> |
| |
| Restore PAC based cage. |
| https://bugs.webkit.org/show_bug.cgi?id=198872 |
| |
| Rubber-stamped by Saam Barati. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::bitFieldInsert64): |
| * assembler/MacroAssemblerARM64E.h: |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| (JSC::run): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): |
| (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): |
| (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): |
| (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageWithoutUntagging): |
| (JSC::AssemblyHelpers::cageConditionally): |
| (JSC::AssemblyHelpers::cage): Deleted. |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitIntTypedArrayGetByVal): |
| (JSC::JIT::emitFloatTypedArrayGetByVal): |
| (JSC::JIT::emitIntTypedArrayPutByVal): |
| (JSC::JIT::emitFloatTypedArrayPutByVal): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * offlineasm/arm64.rb: |
| * offlineasm/instructions.rb: |
| * offlineasm/registers.rb: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| * wasm/WasmBinding.cpp: |
| (JSC::Wasm::wasmToWasm): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| |
| 2019-06-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Yarr bytecode compilation failure should be gracefully handled |
| https://bugs.webkit.org/show_bug.cgi?id=198700 |
| |
| Reviewed by Michael Saboff. |
| |
| Currently, we assume that Yarr bytecode compilation does not fail. But in fact it can fail. |
| We should gracefully handle this failure as a runtime error, as we did for parse errors in [1]. |
| We also harden Yarr's consumed character calculation by using Checked. |
| |
| [1]: https://bugs.webkit.org/show_bug.cgi?id=185755 |
| |
| * inspector/ContentSearchUtilities.cpp: |
| (Inspector::ContentSearchUtilities::findMagicComment): |
| * runtime/RegExp.cpp: |
| (JSC::RegExp::byteCodeCompileIfNecessary): |
| (JSC::RegExp::compile): |
| (JSC::RegExp::compileMatchOnly): |
| * runtime/RegExpInlines.h: |
| (JSC::RegExp::matchInline): |
| * yarr/YarrErrorCode.cpp: |
| (JSC::Yarr::errorMessage): |
| (JSC::Yarr::errorToThrow): |
| * yarr/YarrErrorCode.h: |
| * yarr/YarrInterpreter.cpp: |
| (JSC::Yarr::ByteCompiler::ByteCompiler): |
| (JSC::Yarr::ByteCompiler::compile): |
| (JSC::Yarr::ByteCompiler::atomCharacterClass): |
| (JSC::Yarr::ByteCompiler::atomBackReference): |
| (JSC::Yarr::ByteCompiler::atomParenthesesOnceBegin): |
| (JSC::Yarr::ByteCompiler::atomParenthesesTerminalBegin): |
| (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternBegin): |
| (JSC::Yarr::ByteCompiler::atomParentheticalAssertionBegin): |
| (JSC::Yarr::ByteCompiler::popParenthesesStack): |
| (JSC::Yarr::ByteCompiler::closeAlternative): |
| (JSC::Yarr::ByteCompiler::closeBodyAlternative): |
| (JSC::Yarr::ByteCompiler::alternativeBodyDisjunction): |
| (JSC::Yarr::ByteCompiler::alternativeDisjunction): |
| (JSC::Yarr::ByteCompiler::emitDisjunction): |
| |
| 2019-06-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call |
| https://bugs.webkit.org/show_bug.cgi?id=198770 |
| |
| Reviewed by Saam Barati. |
| |
| Polymorphic call stub is a bit specially patched in JS call site. Typical JS call site for tail calls |
| are the following. |
| |
| if (callee == patchableCallee) { |
| restore callee saves for tail call |
| prepare for tail call |
| jump to the target function |
| } |
| restore callee saves for slow path |
| call the slow path function |
| |
| And linking patches patchableCallee, target function, and slow path function. But polymorphic call stub |
| patches the above `if` statement with the jump to the stub. |
| |
| jump to the polymorphic call stub |
| |
| This is because polymorphic call stub wants to use CallFrameShuffler to get scratch registers. As a result, |
| "restore callee saves for tail call" thing needs to be done in the polymorphic call stubs. While it is |
| correctly done for the major cases, we have `slowPath` skips, and that path missed restoring callee saves. |
| This skip happens if the callee is non JSCell or non JS function, so typically, InternalFunction is handled |
| in that path. |
| |
| This patch does that skips after restoring callee saves. |
| |
| * bytecode/CallLinkInfo.cpp: |
| (JSC::CallLinkInfo::CallLinkInfo): |
| * bytecode/CallLinkInfo.h: |
| (JSC::CallLinkInfo::setUpCall): |
| (JSC::CallLinkInfo::calleeGPR): |
| (JSC::CallLinkInfo::setCalleeGPR): Deleted. |
| * jit/Repatch.cpp: |
| (JSC::revertCall): |
| (JSC::linkVirtualFor): |
| (JSC::linkPolymorphicCall): |
| * jit/Repatch.h: |
| * jit/ThunkGenerators.cpp: |
| (JSC::virtualThunkFor): |
| |
| 2019-06-12 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r246322. |
| https://bugs.webkit.org/show_bug.cgi?id=198796 |
| |
| "It's a huge page load regression on iOS" (Requested by |
| saamyjoon on #webkit). |
| |
| Reverted changeset: |
| |
| "Roll out PAC cage" |
| https://bugs.webkit.org/show_bug.cgi?id=198726 |
| https://trac.webkit.org/changeset/246322 |
| |
| 2019-06-11 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| JSC should throw if proxy set returns falsish in strict mode context |
| https://bugs.webkit.org/show_bug.cgi?id=177398 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Throw TypeError exception if Proxy's `set` trap returns falsy value. |
| (step 6.c of https://tc39.es/ecma262/#sec-putvalue) |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::performPut): |
| (JSC::ProxyObject::put): |
| (JSC::ProxyObject::putByIndexCommon): |
| * runtime/ProxyObject.h: |
| |
| 2019-06-11 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Error message for non-callable Proxy `construct` trap is misleading |
| https://bugs.webkit.org/show_bug.cgi?id=198637 |
| |
| Reviewed by Saam Barati. |
| |
| Just like other traps, Proxy `construct` trap is invoked with [[Call]], not [[Construct]]. |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::performProxyConstruct): Tweak error message. |
| |
| 2019-06-10 Tadeu Zagallo <tzagallo@apple.com> |
| |
| AI BitURShift's result should not be unsigned |
| https://bugs.webkit.org/show_bug.cgi?id=198689 |
| <rdar://problem/51550063> |
| |
| Reviewed by Saam Barati. |
| |
| Treating BitURShift's result as unsigned in the abstract interpreter incorrectly overflows it. |
| This breaks the DFG and FTL, since they assume that BitURShift's result is an int32 value, but |
| get a double constant from AI. Since the result will be converted to unsigned by UInt32ToNumber, |
| all we have to do is store the result as a signed int32. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| |
| 2019-06-11 Michael Catanzaro <mcatanzaro@igalia.com> |
| |
| Unreviewed build warning fixes |
| |
| Silence -Wreturn-type warning |
| |
| * wasm/WasmTable.cpp: |
| (JSC::Wasm::Table::tryCreate): |
| |
| 2019-06-11 Saam Barati <sbarati@apple.com> |
| |
| Roll out PAC cage |
| https://bugs.webkit.org/show_bug.cgi?id=198726 |
| |
| Reviewed by Keith Miller. |
| |
| This patch rolls out: r245064, r245145, r245168, r245313, r245432, r245622. |
| |
| The resulting state we're in is we have Gigacage enabled on arm64. |
| There is no more PAC caging. |
| |
| We're doing this because there are performance issues with PAC caging |
| that we haven't resolved yet. |
| |
| * assembler/CPU.h: |
| (JSC::isARM64E): Deleted. |
| * assembler/MacroAssemblerARM64E.h: |
| (JSC::MacroAssemblerARM64E::tagArrayPtr): Deleted. |
| (JSC::MacroAssemblerARM64E::untagArrayPtr): Deleted. |
| (JSC::MacroAssemblerARM64E::removeArrayPtrTag): Deleted. |
| * b3/B3LowerToAir.cpp: |
| * b3/B3PatchpointSpecial.cpp: |
| (JSC::B3::PatchpointSpecial::admitsStack): |
| * b3/B3StackmapSpecial.cpp: |
| (JSC::B3::StackmapSpecial::forEachArgImpl): |
| (JSC::B3::StackmapSpecial::isArgValidForRep): |
| * b3/B3Validate.cpp: |
| * b3/B3ValueRep.cpp: |
| (JSC::B3::ValueRep::addUsedRegistersTo const): |
| (JSC::B3::ValueRep::dump const): |
| (WTF::printInternal): |
| * b3/B3ValueRep.h: |
| (JSC::B3::ValueRep::ValueRep): |
| (JSC::B3::ValueRep::isReg const): |
| * dfg/DFGOperations.cpp: |
| (JSC::DFG::newTypedArrayWithSize): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): |
| (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): |
| (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): |
| (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): |
| (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet): |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered): |
| (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): Deleted. |
| (JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag): Deleted. |
| * heap/ConservativeRoots.cpp: |
| (JSC::ConservativeRoots::genericAddPointer): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageConditionally): |
| * jit/IntrinsicEmitter.cpp: |
| (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitDirectArgumentsGetByVal): |
| (JSC::JIT::emitIntTypedArrayGetByVal): |
| (JSC::JIT::emitFloatTypedArrayGetByVal): |
| (JSC::JIT::emitIntTypedArrayPutByVal): |
| (JSC::JIT::emitFloatTypedArrayPutByVal): |
| * jit/PolymorphicCallStubRoutine.cpp: |
| (JSC::PolymorphicCallNode::clearCallLinkInfo): |
| * jit/RegisterSet.h: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/ArrayBuffer.cpp: |
| (JSC::SharedArrayBufferContents::SharedArrayBufferContents): |
| (JSC::SharedArrayBufferContents::~SharedArrayBufferContents): |
| (JSC::ArrayBufferContents::ArrayBufferContents): |
| (JSC::ArrayBufferContents::destroy): |
| (JSC::ArrayBufferContents::tryAllocate): |
| (JSC::ArrayBufferContents::makeShared): |
| (JSC::ArrayBufferContents::copyTo): |
| * runtime/ArrayBuffer.h: |
| (JSC::SharedArrayBufferContents::data const): |
| (JSC::ArrayBufferContents::data const): |
| (JSC::ArrayBuffer::data): |
| (JSC::ArrayBuffer::data const): |
| (JSC::ArrayBuffer::byteLength const): |
| * runtime/ArrayBufferView.cpp: |
| (JSC::ArrayBufferView::ArrayBufferView): |
| * runtime/ArrayBufferView.h: |
| (JSC::ArrayBufferView::baseAddress const): |
| (JSC::ArrayBufferView::setRangeImpl): |
| (JSC::ArrayBufferView::getRangeImpl): |
| (JSC::ArrayBufferView::byteLength const): Deleted. |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedScopedArgumentsTable::encode): |
| (JSC::CachedScopedArgumentsTable::decode const): |
| * runtime/CagedBarrierPtr.h: |
| (JSC::CagedBarrierPtr::CagedBarrierPtr): |
| (JSC::CagedBarrierPtr::set): |
| (JSC::CagedBarrierPtr::get const): |
| (JSC::CagedBarrierPtr::getMayBeNull const): |
| (JSC::CagedBarrierPtr::operator== const): |
| (JSC::CagedBarrierPtr::operator!= const): |
| (JSC::CagedBarrierPtr::operator bool const): |
| (JSC::CagedBarrierPtr::setWithoutBarrier): |
| (JSC::CagedBarrierPtr::operator* const): |
| (JSC::CagedBarrierPtr::operator-> const): |
| (JSC::CagedBarrierPtr::operator[] const): |
| (JSC::CagedBarrierPtr::getUnsafe const): Deleted. |
| (JSC::CagedBarrierPtr::at const): Deleted. |
| * runtime/DataView.cpp: |
| (JSC::DataView::DataView): |
| * runtime/DataView.h: |
| (JSC::DataView::get): |
| (JSC::DataView::set): |
| * runtime/DirectArguments.cpp: |
| (JSC::DirectArguments::visitChildren): |
| (JSC::DirectArguments::overrideThings): |
| (JSC::DirectArguments::unmapArgument): |
| * runtime/DirectArguments.h: |
| * runtime/GenericArguments.h: |
| * runtime/GenericArgumentsInlines.h: |
| (JSC::GenericArguments<Type>::visitChildren): |
| (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor): |
| (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor): |
| (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor): |
| * runtime/GenericTypedArrayView.h: |
| * runtime/GenericTypedArrayViewInlines.h: |
| (JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView): |
| * runtime/JSArrayBufferView.cpp: |
| (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): |
| (JSC::JSArrayBufferView::JSArrayBufferView): |
| (JSC::JSArrayBufferView::finalize): |
| (JSC::JSArrayBufferView::slowDownAndWasteMemory): |
| * runtime/JSArrayBufferView.h: |
| (JSC::JSArrayBufferView::ConstructionContext::vector const): |
| (JSC::JSArrayBufferView::isNeutered): |
| (JSC::JSArrayBufferView::vector const): |
| (JSC::JSArrayBufferView::hasVector const): Deleted. |
| * runtime/JSGenericTypedArrayViewInlines.h: |
| (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized): |
| (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize): |
| (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): |
| * runtime/Options.h: |
| * runtime/ScopedArgumentsTable.cpp: |
| (JSC::ScopedArgumentsTable::clone): |
| (JSC::ScopedArgumentsTable::setLength): |
| * runtime/ScopedArgumentsTable.h: |
| * runtime/SymbolTable.h: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::complete): |
| * wasm/WasmBinding.cpp: |
| (JSC::Wasm::wasmToWasm): |
| * wasm/WasmInstance.h: |
| (JSC::Wasm::Instance::cachedMemory const): |
| (JSC::Wasm::Instance::updateCachedMemory): |
| * wasm/WasmMemory.cpp: |
| (JSC::Wasm::Memory::Memory): |
| (JSC::Wasm::Memory::~Memory): |
| (JSC::Wasm::Memory::grow): |
| (JSC::Wasm::Memory::dump const): |
| * wasm/WasmMemory.h: |
| (JSC::Wasm::Memory::memory const): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| |
| 2019-06-10 Basuke Suzuki <Basuke.Suzuki@sony.com> |
| |
| [WinCairo] Remove build warning from RemoteInspector. |
| https://bugs.webkit.org/show_bug.cgi?id=198724 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| In `RemoteInspectorConnectionClient.h`, an interface was defined with empty implementation. |
| This method is to be overwritten by sub classes so that parameter name is important |
| so they are commented out rather than just removing from the definition. |
| |
| * inspector/remote/RemoteInspector.h: |
| |
| 2019-06-10 Sam Weinig <weinig@apple.com> |
| |
| Remove Dashboard support |
| https://bugs.webkit.org/show_bug.cgi?id=198615 |
| |
| Reviewed by Ryosuke Niwa. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-06-10 Devin Rousso <drousso@apple.com> |
| |
| Web Automation: add notifications for when remote automation is enabled/disabled |
| https://bugs.webkit.org/show_bug.cgi?id=198703 |
| <rdar://problem/50588975> |
| |
| Reviewed by Timothy Hatcher. |
| |
| * inspector/remote/RemoteInspectorConstants.h: |
| |
| 2019-06-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, build fix for non-DFG configurations, part 2 |
| https://bugs.webkit.org/show_bug.cgi?id=198023 |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finalizeUnconditionally): |
| |
| 2019-06-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, build fix for non-DFG configurations |
| https://bugs.webkit.org/show_bug.cgi?id=198023 |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finalizeUnconditionally): |
| |
| 2019-06-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode |
| https://bugs.webkit.org/show_bug.cgi?id=198023 |
| |
| Reviewed by Saam Barati. |
| |
| While CodeBlock is periodically jettisoned, UnlinkedCodeBlock and UnlinkedFunctionExecutable can be retained almost forever in certain type of applications. |
| When we execute a program, which has UnlinkedProgramCodeBlock retained in CodeCache. And UnlinkedProgramCodeBlock holds array of UnlinkedFunctionExecutable. |
| And UnlinkedFunctionExecutables hold UnlinkedFunctionCodeBlocks once it is generated. So eventually, this tree gets larger and larger until we purge |
| UnlinkedProgramCodeBlock from CodeCache. This is OK in the browser case. We navigate to various other pages, and UnlinkedProgramCodeBlocks should eventually |
| be pruned from CodeCache with the new ones. So this tree won't be retained forever. But the behavior is different in the other applications that do not have |
| navigations. If they only have one program which holds all, we basically retain this tree during executing this application. The same thing can happen in |
| web applications which does not have navigation and keeps alive for a long time. Once we hit CodeCache limit by periodically executing a new script, we will |
| hit the uppermost of memory footprint. But until that, we increase our memory footprint. |
| |
| However, destroying these UnlinkedCodeBlocks and UnlinkedFunctionExecutables causes a tricky problem. In the browser environment, navigation can happen at any |
| time. So even if the given UnlinkedCodeBlock seems unused in the current page, it can be used when navigating to a new page which is under the same domain. |
| One example is initializing function in a script. It is only executed once per page. So once it is executed, it seems that this UnlinkedCodeBlock is unused. |
| But this will be used when we navigate to a new page. Pruning code blocks based on usage could cause performance regression. |
| |
| But if our VM is mini VM mode, the story is different. In mini VM mode, we focus on memory footprint rather than performance e.g. daemons. The daemon never |
| reuse these CodeCache since we do not have the navigation. |
| |
| This patch logically makes UnlinkedFunctionExecutable -> UnlinkedCodeBlock reference weak when VM is mini mode. If UnlinkedCodeBlock is used in previous GC |
| cycle, we retain it. But if it is not used, and if UnlinkedFunctionExecutable is only the cell keeping UnlinkedCodeBlock alive, we destroy it. It is a |
| heuristic. In a super pathological case, it could increase memory footprint. Consider the following example. |
| |
| UnlinkedFunctionExecutable(A1) -> UnlinkedCodeBlock(B1) -> UnlinkedFunctionExecutable(C1) -> UnlinkedCodeBlock(D1) |
| ^ |
| CodeBlock(E1) |
| |
| We could delete A1, B1, and C1 while keeping D1. But if we eventually re-execute the same code corresponding to A1, B1, C1, they will be newly created, and |
| we will create duplicate UnlinkedCodeBlock and instructions stream for D1. |
| |
| UnlinkedCodeBlock(D1) |
| ^ |
| CodeBlock(E1) |
| |
| UnlinkedFunctionExecutable(A2) -> UnlinkedCodeBlock(B2) -> UnlinkedFunctionExecutable(C2) -> UnlinkedCodeBlock(D2) |
| |
| But this does not happen in practice and even it happens, we eventually discard D1 and D2 since CodeBlock E1 will be jettisoned anyway. So in practice, we do |
| not see memory footprint increase. We tested it in Gmail and the target application, but both said memory footprint reduction (30 MB / 400 MB and 1 MB /6 MB). |
| While this affects on performance much on tests which has navigation (1-3 % regression in Speedometer2, note that JetStream2 does not show regression in x64, |
| while it is not enabling mini mode), we do not apply this to non mini mode VM until we come up with a good strategy to fasten performance of re-generation. |
| Personally I think flushing destroyed UnlinkedCodeBlock to the disk sounds promising. |
| |
| If UnlinkedCodeBlock is generated from bytecode cache, we do not make UnlinkedFunctionExecutable -> UnlinkedCodeBlock link weak because the decoder of the bytecode |
| cache assumes that generated JSCells won't be destroyed while the parent cells of that cell are live. This is true in the current implementation, and this assumption |
| will be broken with this patch. So, for now, we do not make this link weak. Currently, our target application does not use bytecode cache so it is OK. |
| |
| This patch also introduce simple heuristic. We are counting UnlinkedCodeBlock's age. And once the age becomes maximum size, we make UnlinkedFunctionExecutable -> |
| UnlinkedCodeBlock link weak. We also use execution counter information to reset this age: CodeBlock will reset undelying UnlinkedCodeBlock's age if it has executed |
| While this heuristic is quite simple, it has some effect in practice. Basically what happens with this heuristic is that UnlinkedFunctionExecutable -> |
| UnlinkedCodeBlock link strong. When GC happens, we are executing some CodeBlocks, which become live. And ScriptExecutables -> UnlinkedFunctionExecutables held |
| by this CodeBlock become also live. Then UnlinkedFunctionExecutables can mark the child UnlinkedCodeBlocks if it is not so old. |
| If some of parent UnlinkedFunctionExecutable becomes dead, child UnlinkedCodeBlocks tends to be dead unless some live CodeBlock holds it. But it is OK for a first |
| heuristics since this means that parent code block is now considered old, reachable UnlinkedCodeBlock will be used when the parent is executed again. So destroying |
| the tree is OK even if the tree may include some new UnlinkedCodeBlock. While we could make more sophisticated mechanism to manage these lifetime, I think this is a |
| good starting point. |
| |
| Based on measurement, we pick 7 as a maximum age. If we pick 0, we can get more memory reduction (1 - 1.5 MB!), while we ends up reparsing codes so many times. |
| It seems that 7 can reduce fair amount of memory while doing small # of reparsing on average (usually, 1, 2. Sometimes, 100. But not 300, which is the case in 0). |
| If we want to get more memory reduction for the sake of performance, we could decrease this age limit. |
| |
| Since we do not have an automated script right now so it is a bit difficult to measure memory footprint precisely. But manual testing shows that this patch improves |
| memory footprint of our target application from about 6.5 MB to about 5.9 MB. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finalizeUnconditionally): |
| * bytecode/CodeBlock.h: |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): |
| (JSC::UnlinkedCodeBlock::visitChildren): |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::age const): |
| (JSC::UnlinkedCodeBlock::resetAge): |
| * bytecode/UnlinkedFunctionExecutable.cpp: |
| (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): |
| (JSC::UnlinkedFunctionExecutable::visitChildren): |
| (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor): |
| (JSC::UnlinkedFunctionExecutable::decodeCachedCodeBlocks): |
| (JSC::UnlinkedFunctionExecutable::finalizeUnconditionally): |
| * bytecode/UnlinkedFunctionExecutable.h: |
| * heap/Heap.cpp: |
| (JSC::Heap::finalizeUnconditionalFinalizers): |
| * runtime/CachedTypes.cpp: |
| (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): |
| (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): |
| * runtime/CodeSpecializationKind.h: |
| * runtime/Options.h: |
| * runtime/VM.cpp: |
| (JSC::VM::isInMiniMode): Deleted. |
| * runtime/VM.h: |
| (JSC::VM::isInMiniMode): |
| (JSC::VM::useUnlinkedCodeBlockJettisoning): |
| |
| 2019-06-10 Timothy Hatcher <timothy@apple.com> |
| |
| Integrate dark mode support for iOS. |
| https://bugs.webkit.org/show_bug.cgi?id=198687 |
| rdar://problem/51545643 |
| |
| Reviewed by Tim Horton. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-06-10 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [JSC] Linker fails when unified sources are not in use |
| https://bugs.webkit.org/show_bug.cgi?id=198722 |
| |
| Reviewed by Keith Miller. |
| |
| Added missing inclusions of headers in several files which make use of inline functions. |
| |
| * b3/B3AtomicValue.cpp: |
| * b3/B3BlockInsertionSet.cpp: |
| * b3/B3FenceValue.cpp: |
| * b3/B3LowerMacrosAfterOptimizations.cpp: |
| * b3/B3PureCSE.cpp: |
| * b3/B3StackmapValue.cpp: |
| * b3/B3SwitchValue.cpp: |
| * b3/B3UseCounts.cpp: |
| * b3/B3VariableValue.cpp: |
| * b3/B3WasmAddressValue.cpp: |
| * b3/B3WasmBoundsCheckValue.cpp: |
| * ftl/FTLCompile.cpp: |
| * wasm/WasmSectionParser.cpp: |
| * wasm/WasmTable.cpp: |
| * wasm/WasmValidate.cpp: |
| |
| 2019-06-10 Keith Miller <keith_miller@apple.com> |
| |
| Make new Symbol/Promise API public |
| https://bugs.webkit.org/show_bug.cgi?id=198709 |
| |
| Reviewed by Saam Barati. |
| |
| We also need to #ifdef some tests when building for older |
| platforms because the signatures for some methods are outdated on |
| those platforms. |
| |
| * API/JSObjectRef.h: |
| * API/JSObjectRefPrivate.h: |
| * API/JSValue.h: |
| * API/JSValuePrivate.h: |
| * API/JSValueRef.h: |
| * API/tests/testapi.mm: |
| (testObjectiveCAPIMain): |
| |
| 2019-06-09 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r246150, r246160, and r246166. |
| https://bugs.webkit.org/show_bug.cgi?id=198698 |
| |
| Regresses page loading time on iOS 13 (Requested by keith_m__ |
| on #webkit). |
| |
| Reverted changesets: |
| |
| "Reenable Gigacage on ARM64." |
| https://bugs.webkit.org/show_bug.cgi?id=198453 |
| https://trac.webkit.org/changeset/246150 |
| |
| "Unrevied build fix for FTL without Gigacage." |
| https://trac.webkit.org/changeset/246160 |
| |
| "Fix typo in cageWithoutUntagging" |
| https://bugs.webkit.org/show_bug.cgi?id=198617 |
| https://trac.webkit.org/changeset/246166 |
| |
| 2019-06-09 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use mergePrediction in ValuePow prediction propagation |
| https://bugs.webkit.org/show_bug.cgi?id=198648 |
| |
| Reviewed by Saam Barati. |
| |
| We are accidentally using setPrediction. This is wrong since prediction propagation (not processInvariant) |
| must extend the speculation types to ensure we eventually reach to the fixed point. setPrediction can discard |
| previously configured predictions, can lead to oscillation potentially. Use mergePrediction instead. |
| |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| |
| 2019-06-07 Tadeu Zagallo <tzagallo@apple.com> |
| |
| AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset |
| https://bugs.webkit.org/show_bug.cgi?id=198581 |
| <rdar://problem/51099753> |
| |
| Reviewed by Saam Barati. |
| |
| For GetGetterSetterByOffset, when the abstract interpreter fails to read the property |
| from the object, it gets the GetterSetter structure from the CodeBlock's global object. |
| However, that's not correct, since the global object for the base object might differ |
| from the CodeBlock's. Instead, we try to get the global object from the base, when it's |
| a constant object. Otherwise, we can't infer the value and only set the type. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| |
| 2019-06-06 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: create CommandLineAPIHost lazily like the other agents |
| https://bugs.webkit.org/show_bug.cgi?id=196047 |
| <rdar://problem/49087835> |
| |
| Reviewed by Timothy Hatcher. |
| |
| * inspector/InjectedScriptManager.h: |
| * inspector/InjectedScriptManager.cpp: |
| (Inspector::InjectedScriptManager::connect): Added. |
| |
| 2019-06-06 Keith Miller <keith_miller@apple.com> |
| |
| Fix typo in cageWithoutUntagging |
| https://bugs.webkit.org/show_bug.cgi?id=198617 |
| |
| Reviewed by Saam Barati. |
| |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): |
| (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageWithoutUntagging): |
| (JSC::AssemblyHelpers::cageConditionally): |
| (JSC::AssemblyHelpers::cageWithoutUntaging): Deleted. |
| |
| 2019-06-06 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| JSON.parse throws incorrect exception when called w/o arguments |
| https://bugs.webkit.org/show_bug.cgi?id=198574 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Always coerce first argument to string and attempt to parse it. |
| (steps 1-2 of https://tc39.github.io/ecma262/#sec-json.parse) |
| |
| * runtime/JSONObject.cpp: |
| (JSC::JSONProtoFuncParse): Remove argumentCount check. |
| |
| 2019-06-06 Keith Miller <keith_miller@apple.com> |
| |
| Unrevied build fix for FTL without Gigacage. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| |
| 2019-06-06 Michael Catanzaro <mcatanzaro@igalia.com> |
| |
| aarch64: ‘JSC::ARM64Assembler::LinkRecord::<unnamed union>::RealTypes::m_compareRegister’ is too small to hold all values of ‘JSC::ARM64Assembler::RegisterID’ {aka ‘enum JSC::ARM64Registers::RegisterID’} |
| https://bugs.webkit.org/show_bug.cgi?id=198014 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| When building for aarch64, there is a huge warning spam here. It's impossible to see any |
| other warnings. This has been ongoing for so long I've begun to suspect that nobody works |
| on this architecture. |
| |
| Anyway, the problem is because we need eight bits to store all possible RegisterID values, |
| but the bitfield is only six bits wide. Fix it. The COMPILE_ASSERT checking the size of this |
| struct is still happy, so I presume the change is OK. |
| |
| * assembler/ARM64Assembler.h: |
| |
| 2019-06-06 Keith Miller <keith_miller@apple.com> |
| |
| Reenable Gigacage on ARM64. |
| https://bugs.webkit.org/show_bug.cgi?id=198453 |
| |
| Reviewed by Michael Saboff. |
| |
| This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the |
| old Gigacage however, arm64e uses both Gigacaging and PAC. In |
| order to ensure the PAC bits are not stripped in the caging |
| process we use the bit field insert instruction to take the low |
| bits from caging and the high bits from the PAC authentication. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::bitFieldInsert64): |
| * assembler/MacroAssemblerARM64E.h: |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| (JSC::run): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): |
| (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): |
| (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): |
| (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageWithoutUntaging): |
| (JSC::AssemblyHelpers::cageConditionally): |
| (JSC::AssemblyHelpers::cage): Deleted. |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitIntTypedArrayGetByVal): |
| (JSC::JIT::emitFloatTypedArrayGetByVal): |
| (JSC::JIT::emitIntTypedArrayPutByVal): |
| (JSC::JIT::emitFloatTypedArrayPutByVal): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * offlineasm/arm64.rb: |
| * offlineasm/instructions.rb: |
| * offlineasm/registers.rb: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| * wasm/WasmBinding.cpp: |
| (JSC::Wasm::wasmToWasm): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| |
| 2019-06-06 Michael Saboff <msaboff@apple.com> |
| |
| [ARM64E]: Add disassembler support for authenticated instructions |
| https://bugs.webkit.org/show_bug.cgi?id=198562 |
| |
| Reviewed by Keith Miller. |
| |
| Added support for all the instructions supported in ARM64EAssembler.h. |
| |
| * disassembler/ARM64/A64DOpcode.cpp: |
| (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::format): |
| (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::format): |
| (JSC::ARM64Disassembler::A64DOpcodeHint::format): |
| (JSC::ARM64Disassembler::A64DOpcodeHint::opName): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::format): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::authOpName): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::format): |
| * disassembler/ARM64/A64DOpcode.h: |
| (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::opNameIndex): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::opName): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::opNum): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::mBit): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::sBit): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::wBit): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::immediate10): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::authOpCode): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op2): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op3): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op4): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::mBit): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::rm): |
| (JSC::ARM64Disassembler::A64DOpcodeHint::opName): Deleted. |
| |
| 2019-06-05 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only). |
| https://bugs.webkit.org/show_bug.cgi?id=198398 |
| |
| Reviewed by Saam Barati. |
| |
| Create a new table subtype called FuncRefTable (note: Anyfunc was renamed to Funcref in the references spec). |
| Table now write-barriers and visits its children's wrapper objects. FuncRefTable caches some extra data to |
| support calling from wasm. A JSWebAssemblyTable is required to set an anyref element, but this is only because |
| we need to write barrier it (so it should not restrict how we implement threads). This patch does, however, |
| restrict the implementation of function references to require every Ref.func to have an associated wrapper. This |
| can be done statically, so this too should not restrict our threads implementation. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::addTableGet): |
| (JSC::Wasm::AirIRGenerator::addTableSet): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::addLocal): |
| (JSC::Wasm::B3IRGenerator::addTableGet): |
| (JSC::Wasm::B3IRGenerator::addTableSet): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| * wasm/WasmFormat.h: |
| (JSC::Wasm::TableInformation::TableInformation): |
| (JSC::Wasm::TableInformation::type const): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression): |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseTableHelper): |
| * wasm/WasmTable.cpp: |
| (JSC::Wasm::Table::Table): |
| (JSC::Wasm::Table::tryCreate): |
| (JSC::Wasm::Table::grow): |
| (JSC::Wasm::Table::clear): |
| (JSC::Wasm::Table::set): |
| (JSC::Wasm::Table::get): |
| (JSC::Wasm::Table::visitChildren): |
| (JSC::Wasm::FuncRefTable::FuncRefTable): |
| (JSC::Wasm::FuncRefTable::setFunction): |
| (JSC::Wasm::Table::~Table): Deleted. |
| (JSC::Wasm::Table::clearFunction): Deleted. |
| (JSC::Wasm::Table::setFunction): Deleted. |
| * wasm/WasmTable.h: |
| (JSC::Wasm::Table::length const): |
| (JSC::Wasm::Table::type const): |
| (JSC::Wasm::Table::setOwner): |
| (JSC::Wasm::FuncRefTable::offsetOfFunctions): |
| (JSC::Wasm::FuncRefTable::offsetOfInstances): |
| (JSC::Wasm::Table::offsetOfFunctions): Deleted. |
| (JSC::Wasm::Table::offsetOfInstances): Deleted. |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::addTableGet): |
| (JSC::Wasm::Validate::addTableSet): |
| (JSC::Wasm::Validate::addCallIndirect): |
| * wasm/js/JSWebAssemblyTable.cpp: |
| (JSC::JSWebAssemblyTable::JSWebAssemblyTable): |
| (JSC::JSWebAssemblyTable::finishCreation): |
| (JSC::JSWebAssemblyTable::visitChildren): |
| (JSC::JSWebAssemblyTable::grow): |
| (JSC::JSWebAssemblyTable::get): |
| (JSC::JSWebAssemblyTable::set): |
| (JSC::JSWebAssemblyTable::clear): |
| (JSC::JSWebAssemblyTable::getFunction): Deleted. |
| (JSC::JSWebAssemblyTable::clearFunction): Deleted. |
| (JSC::JSWebAssemblyTable::setFunction): Deleted. |
| * wasm/js/JSWebAssemblyTable.h: |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| (JSC::WebAssemblyModuleRecord::evaluate): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| * wasm/js/WebAssemblyTablePrototype.cpp: |
| (JSC::webAssemblyTableProtoFuncGet): |
| (JSC::webAssemblyTableProtoFuncSet): |
| * wasm/wasm.json: |
| |
| 2019-06-05 Justin Michaud <justin_michaud@apple.com> |
| |
| WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0 |
| https://bugs.webkit.org/show_bug.cgi?id=198106 |
| |
| Reviewed by Saam Barati. |
| |
| Fix bug caused by using fcsel sX instead of fcsel dX on an f64 value in moveDoubleConditionally32. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::moveDoubleConditionally32): |
| |
| 2019-06-05 Alex Christensen <achristensen@webkit.org> |
| |
| Progress towards resurrecting Mac CMake build |
| https://bugs.webkit.org/show_bug.cgi?id=197132 |
| |
| Reviewed by Don Olmstead. |
| |
| * API/JSScript.mm: |
| (-[JSScript readCache]): |
| (-[JSScript sourceCode]): |
| (-[JSScript jsSourceCode]): |
| (-[JSScript writeCache:]): |
| * CMakeLists.txt: |
| |
| == Rolled over to ChangeLog-2019-06-05 == |