| 2020-03-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFGArrayMode::alreadyChecked should have NonArray check when ArrayMode is NonArray+SlowPutArrayStorage |
| https://bugs.webkit.org/show_bug.cgi?id=209791 |
| |
| Reviewed by Saam Barati. |
| |
| DFGArrayMode::alreadyChecked with NonArray+SlowPutArrayStorage should check NonArray condition. |
| |
| * dfg/DFGArrayMode.cpp: |
| (JSC::DFG::ArrayMode::alreadyChecked const): |
| * dfg/DFGArrayMode.h: |
| (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const): |
| |
| 2020-03-30 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Add support in named capture group identifiers for direct surrogate pairs |
| https://bugs.webkit.org/show_bug.cgi?id=178174 |
| |
| Reviewed by Darin Adler and Michael Saboff. |
| |
| This change: |
| |
| a) Adds support for unescaped astral symbols in RegExp identifier names [1], |
| aligning JSC with V8. |
| |
| b) Rewords InvalidUnicodeEscape error code to be used for \uXXXX escapes in |
| Unicode patterns and named groups/references instead of InvalidIdentityEscape, |
| matching error messages in V8 and SpiderMonkey. |
| |
| c) Adds hasError() checks after tryConsumeGroupName() so errors generated in |
| tryConsumeIdentifierCharacter() would not get overridden. |
| |
| d) Removes code duplication by using tryConsumeUnicodeEscape() for parsing \u |
| in parseEscape(); cleans up parsing \u{} escapes a bit, preferring ASSERTs |
| over hasError() checks. |
| |
| [1]: https://tc39.es/ecma262/#prod-RegExpIdentifierName |
| |
| * yarr/YarrErrorCode.cpp: |
| (JSC::Yarr::errorMessage): |
| (JSC::Yarr::errorToThrow): |
| * yarr/YarrErrorCode.h: |
| * yarr/YarrParser.h: |
| (JSC::Yarr::Parser::parseEscape): |
| (JSC::Yarr::Parser::parseParenthesesBegin): |
| (JSC::Yarr::Parser::tryConsumeUnicodeEscape): |
| (JSC::Yarr::Parser::tryConsumeIdentifierCharacter): |
| |
| 2020-03-30 Ross Kirsling <ross.kirsling@sony.com> |
| |
| RegExp.prototype.exec must always access lastIndex |
| https://bugs.webkit.org/show_bug.cgi?id=209375 |
| |
| Reviewed by Saam Barati. |
| |
| From https://tc39.es/ecma262/#sec-regexpbuiltinexec: |
| 21.2.5.2.2 Runtime Semantics: RegExpBuiltinExec ( R, S ) |
| ... |
| 4. Let lastIndex be ? ToLength(? Get(R, "lastIndex")). |
| ... |
| 8. If global is false and sticky is false, set lastIndex to 0. |
| |
| That is, we're always obliged to verify that lastIndex is Number-coercible, even if we don't use the value. |
| |
| DFG, in particular, must make sure strength reductions don't apply when lastIndex isn't an unsigned integer |
| (i.e., when user code has written something strange to it). |
| foldToConstant already has an early out for this, but it needs to apply to convertToStatic too. |
| |
| Furthermore, ToLength clamps negative values to 0, so correct getRegExpObjectLastIndexAsUnsigned accordingly. |
| |
| * dfg/DFGStrengthReductionPhase.cpp: |
| (JSC::DFG::StrengthReductionPhase::handleNode): |
| * runtime/RegExpObjectInlines.h: |
| (JSC::getRegExpObjectLastIndexAsUnsigned): |
| (JSC::RegExpObject::execInline): |
| (JSC::RegExpObject::matchInline): |
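
Added example, not JSC code and not part of this entry: the RegExpBuiltinExec steps quoted above have consequences that are observable from plain JavaScript, which makes them a cheap regression check that no tier (interpreter, baseline JIT, DFG strength reduction) skips the `lastIndex` read or its ToLength coercion. The helper names (`lastIndexCoercions`, `coercionErrorPropagates`, `negativeLastIndexIsClamped`) and the inputs are constructed for this illustration; the expected results follow the spec text quoted in the entry and hold in any conforming engine.

```javascript
// Added example (not JSC code). Observable consequences of the
// RegExpBuiltinExec steps quoted above, checked from plain JavaScript.
// Helper names and inputs are constructed for this illustration.

// Step 4 (ToLength(Get(R, "lastIndex"))) runs even for a regexp that is
// neither global nor sticky, so a valueOf hook stored in lastIndex is
// reached exactly once per exec() call, although the value is then unused.
function lastIndexCoercions(re, input) {
  const log = [];
  re.lastIndex = { valueOf() { log.push('ToLength(lastIndex)'); return 0; } };
  re.exec(input);
  return log;
}

// Step 4 is a `?` step: an abrupt completion from the coercion must leave
// exec() as an exception. A tier that "knows" the value is unused and
// folds the call away would silently lose this throw.
function coercionErrorPropagates(re, input) {
  re.lastIndex = { valueOf() { throw new Error('coercion failed'); } };
  try {
    re.exec(input);
    return false;
  } catch (e) {
    return e.message === 'coercion failed';
  }
}

// ToLength clamps negative values to 0, so a global regexp whose lastIndex
// was set to -5 searches from index 0 and then advances past the match.
// This is the clamping that getRegExpObjectLastIndexAsUnsigned must mirror.
function negativeLastIndexIsClamped() {
  const re = /a/g;
  re.lastIndex = -5;
  const m = re.exec('xa');
  return { index: m.index, lastIndex: re.lastIndex };
}

// Stand-alone run: prints the three observations.
console.log(lastIndexCoercions(/b/, 'abc'));        // [ 'ToLength(lastIndex)' ]
console.log(coercionErrorPropagates(/b/, 'abc'));   // true
console.log(negativeLastIndexIsClamped());          // { index: 1, lastIndex: 2 }
```

Each call site passes a fresh regexp literal, because `lastIndex` is an own writable data property of the instance and the hook object stays stored there after `exec()` returns on a non-global regexp.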
| |
| 2020-03-30 Don Olmstead <don.olmstead@sony.com> |
| |
| Non-unified build fixes late March 2020 edition |
| https://bugs.webkit.org/show_bug.cgi?id=209781 |
| |
| Unreviewed build fix. |
| |
| * jit/JITInlineCacheGenerator.h: |
| |
| 2020-03-30 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: provide a way to log messages from the network process |
| https://bugs.webkit.org/show_bug.cgi?id=204775 |
| |
| Reviewed by Brian Burg. |
| |
| ITP can be influenced by multiple pages simultaneously, meaning that sending a console |
| message to the Web Inspector that's connected to the page that caused a change may not be |
| useful as developers often don't test in complete isolation. As such, having a way to |
| broadcast a console message to all Web Inspectors ensures that any changes caused by any |
| page are always able to be seen, no matter which page is being actively inspected. |
| |
| * inspector/protocol/Console.json: |
| * inspector/scripts/codegen/generator.py: |
| * runtime/ConsoleTypes.h: |
| * runtime/ConsoleClient.cpp: |
| (JSC::appendMessagePrefix): |
| * inspector/ConsoleMessage.cpp: |
| (Inspector::messageSourceValue): |
| Add `ITPDebug` and `AdClickAttribution` message sources. |
| |
| 2020-03-30 Keith Miller <keith_miller@apple.com> |
| |
| Unreviewed, add FIXME. |
| |
| * runtime/IndexingType.h: |
| |
| 2020-03-30 Caio Lima <ticaiolima@gmail.com> |
| |
| [JSC] Public class field should accept "static" as field name |
| https://bugs.webkit.org/show_bug.cgi?id=209703 |
| |
| Reviewed by Ross Kirsling. |
| |
| It allows class fields to be created using "static" as an identifier |
| (https://tc39.es/ecma262/#prod-IdentifierName). |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseClass): |
| |
| 2020-03-28 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use CacheableIdentifier for all ById case |
| https://bugs.webkit.org/show_bug.cgi?id=209698 |
| |
| Reviewed by Saam Barati. |
| |
| StructureStubInfo & AccessCase hold a CacheableIdentifier to keep cell identifiers alive. |
| We are assuming that operationGetById...'s identifier is always owned by CodeBlock, and |
| we call CacheableIdentifier::createFromIdentifierOwnedByCodeBlock for UniquedStringImpl*. |
| |
| This is wrong since GetById IC can be generated with an identifier which is not owned by CodeBlock. |
| Let's consider the following case, |
| |
| 1. op_get_by_val gets GetById IC. CacheableIdentifier is kept by StructureStubInfo/AccessCase correctly. |
| 2. This CodeBlock gets DFG. |
| 3. DFG understands op_get_by_val and emits a GetById DFG node since it only has one identifier. |
| 4. Then, DFG can generate GetById DFG code which generates GetById IC |
| 5. (4)'s GetById IC gets executed. But this IC considers that identifier is owned by CodeBlock since this is ById IC. |
| 6. New DFG CodeBlock starts compilation. And it gets feedback from (2)'s get_by_val's StructureStubInfo, so it emits GetById with non-cell CacheableIdentifier! |
| So it does not retain the cell. It just registers desired identifier. |
| 7. While compiling (6) (after parsing bytecode), (2)'s CodeBlock's DFG code & IC gets jettisoned. And then, identifier used in (6) gets destroyed too. |
| 8. (6)'s CodeBlock finalizes its compilation, registering desired identifiers to the actual CodeBlock. And it found the identifier gets destroyed. |
| |
| In this patch, |
| |
| 1. CacheableIdentifier::createFromIdentifierOwnedByCodeBlock is called only when the creator knows that this is owned by the CodeBlock. |
| Typically, this is when the code generator generates IC. |
| 2. operationGetById... functions get CacheableIdentifier instead of UniquedStringImpl*. So it propagates whether the given CacheableIdentifier |
| is created from CodeBlock's identifier or cells. |
| 3. AccessCase holds these propagated CacheableIdentifiers. If a CacheableIdentifier is created from a cell in some tier's IC, then it continues to be represented as |
| a cell-origin CacheableIdentifier regardless of whether the current IC is GetById / GetByVal. Then GC marks it correctly. |
| 4. This patch does the same thing to all the ICs. |
| 5. This patch extends StructureStubInfo / AccessCase to pave the way to use them in PutByVal / InByVal by introducing CacheableIdentifier for Put and In. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::fromStructureStubInfo): |
| * bytecode/GetByStatus.cpp: |
| (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::initGetByIdSelf): |
| (JSC::StructureStubInfo::initPutByIdReplace): |
| (JSC::StructureStubInfo::initInByIdSelf): |
| (JSC::StructureStubInfo::visitAggregate): |
| (JSC::StructureStubInfo::setCacheType): |
| * bytecode/StructureStubInfo.h: |
| (JSC::StructureStubInfo::identifier): |
| (JSC::StructureStubInfo::considerCachingBy): |
| (JSC::StructureStubInfo::getByIdSelfIdentifier): Deleted. |
| (JSC::StructureStubInfo::considerCachingById): Deleted. |
| (JSC::StructureStubInfo::considerCachingByVal): Deleted. |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGArrayMode.cpp: |
| (JSC::DFG::canBecomeGetArrayLength): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicCall): |
| (JSC::DFG::ByteCodeParser::handleGetById): |
| (JSC::DFG::ByteCodeParser::emitPutById): |
| (JSC::DFG::ByteCodeParser::handlePutById): |
| (JSC::DFG::ByteCodeParser::parseGetById): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| (JSC::DFG::ByteCodeParser::handlePutByVal): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| (JSC::DFG::FixupPhase::addStringReplacePrimordialChecks): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::convertToInById): |
| (JSC::DFG::Node::hasCacheableIdentifier): |
| (JSC::DFG::Node::cacheableIdentifier): |
| (JSC::DFG::Node::hasIdentifier): |
| (JSC::DFG::Node::OpInfoWrapper::OpInfoWrapper): |
| (JSC::DFG::Node::OpInfoWrapper::operator=): |
| * dfg/DFGOpInfo.h: |
| (JSC::DFG::OpInfo::OpInfo): |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileGetById): |
| (JSC::DFG::SpeculativeJIT::compileGetByIdFlush): |
| (JSC::DFG::SpeculativeJIT::compileInById): |
| (JSC::DFG::SpeculativeJIT::compilePutByIdFlush): |
| (JSC::DFG::SpeculativeJIT::compilePutById): |
| (JSC::DFG::SpeculativeJIT::compilePutByIdDirect): |
| (JSC::DFG::SpeculativeJIT::compilePutByIdWithThis): |
| (JSC::DFG::SpeculativeJIT::cachedPutById): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::cachedGetById): |
| (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): |
| (JSC::DFG::SpeculativeJIT::compile): |
| (JSC::DFG::SpeculativeJIT::compileDeleteById): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::cachedGetById): |
| (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): |
| (JSC::DFG::SpeculativeJIT::compile): |
| (JSC::DFG::SpeculativeJIT::compileDeleteById): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDelBy): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInById): |
| (JSC::FTL::DFG::LowerDFGToB3::getById): |
| (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis): |
| * jit/JIT.h: |
| * jit/JITInlineCacheGenerator.cpp: |
| (JSC::JITGetByIdGenerator::JITGetByIdGenerator): |
| (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator): |
| (JSC::JITPutByIdGenerator::JITPutByIdGenerator): |
| (JSC::JITPutByIdGenerator::slowPathFunction): |
| (JSC::JITDelByIdGenerator::JITDelByIdGenerator): |
| (JSC::JITInByIdGenerator::JITInByIdGenerator): |
| * jit/JITInlineCacheGenerator.h: |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitPutByValWithCachedId): |
| (JSC::JIT::emit_op_del_by_id): |
| (JSC::JIT::emitSlow_op_del_by_id): |
| (JSC::JIT::emit_op_try_get_by_id): |
| (JSC::JIT::emitSlow_op_try_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_direct): |
| (JSC::JIT::emitSlow_op_get_by_id_direct): |
| (JSC::JIT::emit_op_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_with_this): |
| (JSC::JIT::emitSlow_op_get_by_id): |
| (JSC::JIT::emitSlow_op_get_by_id_with_this): |
| (JSC::JIT::emit_op_put_by_id): |
| (JSC::JIT::emitSlow_op_put_by_id): |
| (JSC::JIT::emit_op_in_by_id): |
| (JSC::JIT::emitSlow_op_in_by_id): |
| (JSC::JIT::emitByValIdentifierCheck): |
| (JSC::JIT::privateCompilePutByValWithCachedId): |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_del_by_id): |
| (JSC::JIT::emitPutByValWithCachedId): |
| (JSC::JIT::emit_op_try_get_by_id): |
| (JSC::JIT::emitSlow_op_try_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_direct): |
| (JSC::JIT::emitSlow_op_get_by_id_direct): |
| (JSC::JIT::emit_op_get_by_id): |
| (JSC::JIT::emitSlow_op_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_with_this): |
| (JSC::JIT::emitSlow_op_get_by_id_with_this): |
| (JSC::JIT::emit_op_put_by_id): |
| (JSC::JIT::emitSlow_op_put_by_id): |
| (JSC::JIT::emit_op_in_by_id): |
| (JSC::JIT::emitSlow_op_in_by_id): |
| * jit/Repatch.cpp: |
| (JSC::appropriateGenericPutByIdFunction): |
| (JSC::appropriateOptimizingPutByIdFunction): |
| (JSC::tryCachePutByID): |
| (JSC::repatchPutByID): |
| (JSC::tryCacheInByID): |
| (JSC::repatchInByID): |
| (JSC::resetPutByID): |
| * jit/Repatch.h: |
| * runtime/CacheableIdentifier.cpp: |
| (JSC::CacheableIdentifier::dump const): |
| * runtime/CacheableIdentifier.h: |
| (JSC::CacheableIdentifier::createFromRawBits): |
| (JSC::CacheableIdentifier::rawBits const): |
| (JSC::CacheableIdentifier::CacheableIdentifier): |
| * runtime/CacheableIdentifierInlines.h: |
| (JSC::CacheableIdentifier::createFromIdentifierOwnedByCodeBlock): |
| (JSC::CacheableIdentifier::createFromImmortalIdentifier): |
| (JSC::CacheableIdentifier::CacheableIdentifier): |
| |
| 2020-03-28 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: support editing cookie key/values from inspector |
| https://bugs.webkit.org/show_bug.cgi?id=31157 |
| <rdar://problem/19281523> |
| |
| Reviewed by Timothy Hatcher. |
| |
| * inspector/protocol/Page.json: |
| Add a `session` parameter to `Page.Cookie` type and a new `Page.setCookie` command. |
| Remove the `size` parameter from `Page.Cookie` as this can be calculated in the frontend. |
| |
| 2020-03-27 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Make Operator an enum class to avoid Op* identifiers |
| https://bugs.webkit.org/show_bug.cgi?id=209637 |
| |
| Reviewed by Darin Adler. |
| |
| Currently, (e.g.) OpLShift is a value of enum Operator while OpLshift is an opcode. |
| Capitalization aside, it's confusing to be using Op* for disparate purposes like this. |
| Let's modernize the enum so that this confusion can go away as a side effect. |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::emitIncOrDec): |
| (JSC::PostfixNode::emitBytecode): |
| (JSC::PrefixNode::emitBytecode): |
| (JSC::LogicalOpNode::emitBytecode): |
| (JSC::LogicalOpNode::emitBytecodeInConditionContext): |
| (JSC::emitReadModifyAssignment): |
| (JSC::ReadModifyDotNode::emitBytecode): |
| (JSC::ReadModifyBracketNode::emitBytecode): |
| * parser/ASTBuilder.h: |
| (JSC::ASTBuilder::makeBinaryNode): |
| (JSC::ASTBuilder::makeAssignNode): |
| * parser/Nodes.h: |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseAssignmentExpression): |
| (JSC::Parser<LexerType>::parseUnaryExpression): |
| |
| 2020-03-19 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Fix instances of new.target that should be syntax errors |
| https://bugs.webkit.org/show_bug.cgi?id=208040 |
| <rdar://problem/59653142> |
| |
| Reviewed by Michael Saboff. |
| |
| We were not throwing the appropriate syntax errors for the following usages of new.target: |
| - Class field initializers outside ordinary functions: we were missing a check that the |
| closestOrdinaryFunctionScope was not the global scope. |
| - Within an eval inside an arrow function: we were only checking that the EvalContextType should |
| be FunctionEvalContext, but that does not tell us whether it's an arrow function or an ordinary |
| function. To fix that we must thread that information from the executables to the parser. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| * bytecode/UnlinkedFunctionExecutable.cpp: |
| (JSC::UnlinkedFunctionExecutable::link): |
| * bytecode/UnlinkedFunctionExecutable.h: |
| * debugger/DebuggerCallFrame.cpp: |
| (JSC::DebuggerCallFrame::evaluateWithScopeExtension): |
| * interpreter/Interpreter.cpp: |
| (JSC::eval): |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::Parser): |
| (JSC::Parser<LexerType>::parseMemberExpression): |
| * parser/Parser.h: |
| (JSC::parse): |
| * runtime/CodeCache.cpp: |
| (JSC::generateUnlinkedCodeBlockImpl): |
| * runtime/DirectEvalExecutable.cpp: |
| (JSC::DirectEvalExecutable::create): |
| (JSC::DirectEvalExecutable::DirectEvalExecutable): |
| * runtime/DirectEvalExecutable.h: |
| * runtime/EvalExecutable.cpp: |
| (JSC::EvalExecutable::EvalExecutable): |
| * runtime/EvalExecutable.h: |
| * runtime/FunctionExecutable.cpp: |
| (JSC::FunctionExecutable::FunctionExecutable): |
| * runtime/FunctionExecutable.h: |
| * runtime/GlobalExecutable.h: |
| (JSC::GlobalExecutable::GlobalExecutable): |
| * runtime/IndirectEvalExecutable.cpp: |
| (JSC::IndirectEvalExecutable::IndirectEvalExecutable): |
| * runtime/ModuleProgramExecutable.cpp: |
| (JSC::ModuleProgramExecutable::ModuleProgramExecutable): |
| * runtime/ProgramExecutable.cpp: |
| (JSC::ProgramExecutable::ProgramExecutable): |
| * runtime/ScriptExecutable.cpp: |
| (JSC::ScriptExecutable::ScriptExecutable): |
| * runtime/ScriptExecutable.h: |
| (JSC::ScriptExecutable::isInsideOrdinaryFunction const): |
| |
| 2020-03-27 Keith Miller <keith_miller@apple.com> |
| |
| Add missing scope release to DataView's buffer getter |
| https://bugs.webkit.org/show_bug.cgi?id=209663 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/JSDataViewPrototype.cpp: |
| (JSC::dataViewProtoGetterBuffer): |
| |
| 2020-03-26 Mark Lam <mark.lam@apple.com> |
| |
| Clear the entropy bits in the encodedStructureBits when deallocating a structureID. |
| https://bugs.webkit.org/show_bug.cgi?id=209632 |
| <rdar://problem/60943876> |
| |
| Reviewed by Saam Barati. |
| |
| We currently only use a 32-bit offset in the StructureIDTable's StructureOrOffset. |
| Though we will never store an offset value that is near 32-bit in size, let alone |
| 64-bit, there's no reason why we can't just use all 64-bits for the offset. |
| Doing so will also have the benefit of zeroing out the entropy bits in the old |
| encodedStructureBits. This guarantees that there's no chance of coalition between |
| a "freed" structureID's entropy bits and the entropy bits in a dead cell due to |
| GC bugs. |
| |
| * runtime/StructureIDTable.h: |
| |
| 2020-03-26 Fujii Hironori <Hironori.Fujii@sony.com> |
| |
| [Win] lld-link: error: /manifestdependency: is not allowed in .drectve |
| https://bugs.webkit.org/show_bug.cgi?id=204831 |
| |
| Reviewed by Ross Kirsling. |
| |
| * shell/DLLLauncherMain.cpp: Removed /manifestdependency for Microsoft.VC80.CRT which seems to be a leftover of Bug 116562 (r178530). |
| |
| 2020-03-26 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Rename ANDEQUAL to BITANDEQUAL (etc.) throughout frontend |
| https://bugs.webkit.org/show_bug.cgi?id=209626 |
| |
| Reviewed by Mark Lam. |
| |
| Our frontend refers to `&=` `|=` `^=` as `ANDEQUAL` `OREQUAL` `XOREQUAL`, leaving the bitwiseness implied. |
| It's important to resolve this ambiguity now, as `&&=` `||=` `??=` are expected to reach Stage 3 next week. |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::emitReadModifyAssignment): |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::lexWithoutClearingLineTerminator): |
| * parser/Nodes.h: |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseAssignmentExpression): |
| * parser/ParserTokens.h: |
| |
| 2020-03-26 Michael Saboff <msaboff@apple.com> |
| |
| Refactor YARR Stack Overflow Checks |
| https://bugs.webkit.org/show_bug.cgi?id=209435 |
| rdar://problem/58988252 |
| |
| Reviewed by Mark Lam. |
| |
| Refactored stack checks in YARR code including adding a stack check to the YARR JIT'ed code. |
| The C++ code including the parser, byte code compiler and interpreter now all use StackCheck. |
| The JIT'ed code needs a stack limit passed via a parameter since the JIT'ed code can be |
| called from the compiler thread when compiling DFG / FTL code. |
| |
| Instead of adding a new parameter, consolidated the two pattern context buffer values, buffer |
| pointer and size, with the new stack limit into a new MatchingContextHolder, an RAII object. |
| The MatchingContextHolder constructor uses either the VM stack limit or the current thread's |
| stack limit depending on how it is called. |
| |
| * runtime/RegExp.cpp: |
| (JSC::RegExp::finishCreation): |
| (JSC::RegExp::byteCodeCompileIfNecessary): |
| (JSC::RegExp::compile): |
| (JSC::RegExp::matchConcurrently): |
| (JSC::RegExp::compileMatchOnly): |
| * runtime/RegExp.h: |
| * runtime/RegExpInlines.h: |
| (JSC::RegExp::matchInline): |
| (JSC::PatternContextBufferHolder::PatternContextBufferHolder): Deleted. |
| (JSC::PatternContextBufferHolder::~PatternContextBufferHolder): Deleted. |
| (JSC::PatternContextBufferHolder::buffer): Deleted. |
| (JSC::PatternContextBufferHolder::size): Deleted. |
| (): Deleted. |
| * yarr/Yarr.h: |
| * yarr/YarrInterpreter.cpp: |
| (JSC::Yarr::Interpreter::matchDisjunction): |
| (JSC::Yarr::Interpreter::isSafeToRecurse): |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::MatchingContextHolder::MatchingContextHolder): |
| (JSC::Yarr::MatchingContextHolder::~MatchingContextHolder): |
| (JSC::Yarr::YarrGenerator::initParenContextFreeList): |
| (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes): |
| (JSC::Yarr::YarrGenerator::compile): |
| (JSC::Yarr::YarrGenerator::initCallFrame): Deleted. |
| * yarr/YarrJIT.h: |
| (JSC::Yarr::MatchingContextHolder::offsetOfStackLimit): |
| (JSC::Yarr::MatchingContextHolder::offsetOfPatternContextBuffer): |
| (JSC::Yarr::MatchingContextHolder::offsetOfPatternContextBufferSize): |
| (JSC::Yarr::YarrCodeBlock::execute): |
| * yarr/YarrPattern.cpp: |
| (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor): |
| (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse): |
| (JSC::Yarr::YarrPattern::compile): |
| (JSC::Yarr::YarrPattern::YarrPattern): |
| (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const): Deleted. |
| * yarr/YarrPattern.h: |
| |
| 2020-03-26 Keith Miller <keith_miller@apple.com> |
| |
| TypedArrays should more gracefully handle OOM during slowDownAndWasteMemory |
| https://bugs.webkit.org/show_bug.cgi?id=209611 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| Right now if we cannot allocate an ArrayBuffer for a TypedArray we |
| crash. However, since we use the primitive gigacage for |
| ArrayBuffer allocations we can likely still allocate an OOM error |
| object. In order to do this some changes were needed in |
| slowDownAndWasteMemory. Namely, we should not allocate the |
| butterfly until we know we have an ArrayBuffer. I also check that |
| all the transitive callers of slowDownAndWasteMemory can handle |
| failure. |
| |
| Lastly, this patch makes it so failure to allocate an ArrayBuffer |
| for a TypedArray during DFG watchpoint addition causes the code |
| block to be thrown away, rather than crash the process. |
| |
| * API/JSTypedArray.cpp: |
| (JSObjectGetTypedArrayBytesPtr): |
| (JSObjectGetTypedArrayBuffer): |
| * bytecode/Watchpoint.h: |
| * dfg/DFGDesiredWatchpoints.cpp: |
| (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add): |
| * runtime/GenericTypedArrayViewInlines.h: |
| (JSC::GenericTypedArrayView<Adaptor>::tryCreate): |
| * runtime/JSArrayBufferView.cpp: |
| (JSC::JSArrayBufferView::unsharedBuffer): |
| (JSC::JSArrayBufferView::unsharedJSBuffer): |
| (JSC::JSArrayBufferView::possiblySharedJSBuffer): |
| (JSC::JSArrayBufferView::slowDownAndWasteMemory): |
| (JSC::JSArrayBufferView::possiblySharedImpl): |
| * runtime/JSArrayBufferViewInlines.h: |
| (JSC::JSArrayBufferView::byteOffsetImpl): |
| |
| 2020-03-26 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, reverting r259035. |
| https://bugs.webkit.org/show_bug.cgi?id=209597 |
| |
| broke windows layout-tests (Requested by aakashjain on |
| #webkit). |
| |
| Reverted changeset: |
| |
| "[Win] lld-link: error: /manifestdependency: is not allowed in |
| .drectve" |
| https://bugs.webkit.org/show_bug.cgi?id=204831 |
| https://trac.webkit.org/changeset/259035 |
| |
| 2020-03-25 Fujii Hironori <Hironori.Fujii@sony.com> |
| |
| [Win] lld-link: error: /manifestdependency: is not allowed in .drectve |
| https://bugs.webkit.org/show_bug.cgi?id=204831 |
| |
| Reviewed by Ross Kirsling. |
| |
| * shell/DLLLauncherMain.cpp: Removed /manifestdependency for Microsoft.VC80.CRT which seems to be a leftover of Bug 116562 (r178530). |
| |
| 2020-03-25 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| RegExp.prototype[@@replace] relies on globals and doesn't perform ToLength |
| https://bugs.webkit.org/show_bug.cgi?id=173867 |
| |
| Reviewed by Ross Kirsling. |
| |
| This change: |
| |
| a) Adds "lastIndex" ToLength coercion [1], which is observable, unlike ToLength coercion |
| of RegExpExec result [2] that we omit, just like the one in @@split [3]. |
| |
| b) Removes `lastPosition` checks/updates, as there are none in the spec, and it was |
| equivalent to checking `nextSourcePosition`. |
| |
| c) Removes reliance of @@replace on globals and also replaces @stringSubstrInternal |
| built-in with @stringSubstringInternal, as the former is Annex B and accepts size |
| as 2nd parameter, which is not very handy because ECMA-262 usually says "substring |
| of S consisting of the code units at indices X (inclusive) through Y (exclusive)". |
| |
| [1]: https://tc39.es/ecma262/#sec-regexp.prototype-@@replace (step 11.c.iii.2.a) |
| [2]: https://tc39.es/ecma262/#sec-regexp.prototype-@@replace (step 14.a) |
| [3]: https://tc39.es/ecma262/#sec-regexp.prototype-@@split (step 19.d.iv.6) |
| |
| * builtins/BuiltinNames.h: |
| * builtins/RegExpPrototype.js: |
| (getSubstitution): |
| (Symbol.replace): |
| (Symbol.split): |
| * builtins/StringPrototype.js: |
| (globalPrivate.repeatCharactersSlowPath): |
| * bytecode/LinkTimeConstant.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| * runtime/StringPrototype.cpp: |
| (JSC::stringIndexOfImpl): |
| (JSC::stringProtoFuncIndexOf): |
| (JSC::builtinStringIndexOfInternal): |
| (JSC::stringProtoFuncSubstr): |
| (JSC::stringSubstringImpl): |
| (JSC::stringProtoFuncSubstring): |
| (JSC::builtinStringSubstringInternal): |
| (JSC::stringProtoFuncSubstrImpl): Deleted. |
| (JSC::builtinStringSubstrInternal): Deleted. |
| * runtime/StringPrototype.h: |
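
Added example, not JSC code and not part of this entry: the "lastIndex" ToLength coercion that item (a) adds (@@replace step 11.c.iii.2.a) is observable only when a global regexp reports an empty match, so the check below overrides `exec` on a constructed regexp to return one empty match and then null. The override, the `replaceEmptyMatchCoercesLastIndex` helper name and the input string are constructed for this illustration; the expected output follows the @@replace algorithm cited in the entry.

```javascript
// Added example (not JSC code). Drives RegExp.prototype[@@replace] through
// the empty-match branch so that its ToLength(Get(rx, "lastIndex")) step
// becomes visible. The exec override and the input are constructed.
function replaceEmptyMatchCoercesLastIndex() {
  const log = [];
  const rx = /a/g; // global: @@replace keeps calling exec until it returns null
  let calls = 0;

  // Constructed stand-in for exec: first call reports an empty match at 0
  // and plants a non-number in lastIndex; second call reports no match.
  rx.exec = function (s) {
    calls += 1;
    if (calls > 1) return null;
    this.lastIndex = { valueOf() { log.push('ToLength(lastIndex)'); return 0; } };
    const m = [''];
    m.index = 0;
    m.input = s;
    return m;
  };

  // Empty match -> @@replace coerces lastIndex, advances it by one code
  // unit (AdvanceStringIndex), and calls exec again. With the empty match
  // at position 0 the replacement lands in front of the untouched input.
  const out = 'xyz'.replace(rx, '-');
  return { out, log, execCalls: calls };
}

console.log(replaceEmptyMatchCoercesLastIndex());
// { out: '-xyz', log: [ 'ToLength(lastIndex)' ], execCalls: 2 }
```

The single log entry is the point: the coercion happens once per empty match, after `exec` returns and before the next call, and nowhere else in the @@replace loop. An engine that skipped it would still produce `'-xyz'` here, which is why the check records the coercion rather than only comparing output.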
| |
| 2020-03-25 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Invalid numeric and named references should be early syntax errors |
| https://bugs.webkit.org/show_bug.cgi?id=178175 |
| |
| Reviewed by Ross Kirsling. |
| |
| This patch: |
| |
| 1. Fixes named reference parsing in parseEscape(), making /\k/u throw SyntaxError per spec [1]. |
| |
| 2. Reworks containsIllegalNamedForwardReferences(), making dangling (e.g. /\k<a>(?<b>.)/) and |
| incomplete (e.g. /\k<(?<a>.)/) named references throw SyntaxError if the non-Unicode pattern |
| contains a named group [2]. |
| |
| 3. Moves reparsing logic from YarrPattern to YarrParser, ensuring syntax errors due to illegal |
| references (named & numeric) are thrown at parse time; drops isValidNamedForwardReference() |
| from Delegate, refactors saveUnmatchedNamedForwardReferences(), and overall improves cohesion |
| of illegal references logic. |
| |
| [1]: https://tc39.es/ecma262/#prod-IdentityEscape |
| [2]: https://tc39.es/ecma262/#sec-regexpinitialize (step 7.b) |
| |
| * yarr/YarrErrorCode.cpp: |
| (JSC::Yarr::errorMessage): |
| (JSC::Yarr::errorToThrow): |
| * yarr/YarrErrorCode.h: |
| * yarr/YarrParser.h: |
| (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference): |
| (JSC::Yarr::Parser::Parser): |
| (JSC::Yarr::Parser::parseEscape): |
| (JSC::Yarr::Parser::parseParenthesesBegin): |
| (JSC::Yarr::Parser::parse): |
| (JSC::Yarr::Parser::handleIllegalReferences): |
| (JSC::Yarr::Parser::containsIllegalNamedForwardReference): |
| (JSC::Yarr::Parser::resetForReparsing): |
| (JSC::Yarr::parse): |
| (JSC::Yarr::Parser::CharacterClassParserDelegate::isValidNamedForwardReference): Deleted. |
| * yarr/YarrPattern.cpp: |
| (JSC::Yarr::YarrPatternConstructor::atomBackReference): |
| (JSC::Yarr::YarrPatternConstructor::atomNamedForwardReference): |
| (JSC::Yarr::YarrPattern::compile): |
| (JSC::Yarr::YarrPatternConstructor::saveUnmatchedNamedForwardReferences): Deleted. |
| (JSC::Yarr::YarrPatternConstructor::isValidNamedForwardReference): Deleted. |
| * yarr/YarrPattern.h: |
| (JSC::Yarr::YarrPattern::resetForReparsing): |
| (JSC::Yarr::YarrPattern::containsIllegalBackReference): Deleted. |
| (JSC::Yarr::YarrPattern::containsIllegalNamedForwardReferences): Deleted. |
| * yarr/YarrSyntaxChecker.cpp: |
| (JSC::Yarr::SyntaxChecker::atomNamedBackReference): |
| (JSC::Yarr::SyntaxChecker::resetForReparsing): |
| (JSC::Yarr::SyntaxChecker::isValidNamedForwardReference): Deleted. |
| |
| 2020-03-25 Chris Dumez <cdumez@apple.com> |
| |
| Use JSC::EnsureStillAliveScope RAII object in the generated bindings code |
| https://bugs.webkit.org/show_bug.cgi?id=209552 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add method to EnsureStillAliveScope to retrieve its internal JSValue. |
| |
| * runtime/JSCJSValue.h: |
| (JSC::EnsureStillAliveScope::value const): |
| |
| 2020-03-25 Chris Dumez <cdumez@apple.com> |
| |
| Event listeners registered with 'once' option may get garbage collected too soon |
| https://bugs.webkit.org/show_bug.cgi?id=209504 |
| <rdar://problem/60541567> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add EnsureStillAliveScope RAII object for ensureStillAliveHere(). |
| |
| * runtime/JSCJSValue.h: |
| (JSC::EnsureStillAliveScope::EnsureStillAliveScope): |
| (JSC::EnsureStillAliveScope::~EnsureStillAliveScope): |
| |
| 2020-03-25 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| \b escapes inside character classes should be valid in Unicode patterns |
| https://bugs.webkit.org/show_bug.cgi?id=209528 |
| |
| Reviewed by Darin Adler. |
| |
| This change removes isIdentityEscapeAnError('b') check, allowing \b escapes |
| inside character classes in Unicode patterns to match U+0008 (BACKSPACE) characters, |
| aligning JSC with V8 and SpiderMonkey. |
| |
| Grammar: https://tc39.es/ecma262/#prod-ClassEscape |
| ('b' comes before CharacterEscape :: IdentityEscape) |
| |
| * yarr/YarrParser.h: |
| (JSC::Yarr::Parser::parseEscape): |
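
Added example, not JSC code and not part of any entry above: a small conformance table covering the regexp syntax cases named in three of the entries in this log (unescaped astral symbols in group names, illegal named and numeric references as early SyntaxErrors, and `\b` inside a character class under the `u` flag). Parser divergence between engines is exactly what such a table catches, so it doubles as a regression gate for a regexp parser. The helper names (`regExpCompiles`, `REFERENCE_CASES`, `runReferenceCases`, `allCasesAgree`, `backspaceInClass`) and every pattern are constructed; the expected values follow the spec productions cited in those entries.

```javascript
// Added example (not JSC code). Conformance table for the regexp syntax
// cases discussed above. Helper names and patterns are constructed.

// True when the pattern parses, false when the parser rejects it with a
// SyntaxError; any other exception is a real failure and is re-thrown.
function regExpCompiles(source, flags = '') {
  try {
    new RegExp(source, flags);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// [source, flags, expectedToCompile], with the spec rule behind each row.
const REFERENCE_CASES = [
  ['\\k', 'u', false],              // /\k/u: \k must be followed by <GroupName>
  ['\\k', '', true],                // non-Unicode, no named groups: Annex B identity escape
  ['\\k<a>(?<b>.)', '', false],     // dangling reference once the pattern has a named group
  ['\\k<(?<a>.)', '', false],       // incomplete reference once the pattern has a named group
  ['\\k<a>(?<a>.)', '', true],      // forward reference to a group that exists is fine
  ['\\1', 'u', false],              // numeric reference to a group that does not exist
  ['(.)\\1', 'u', true],            // numeric reference to an existing group
  ['[\\b]', 'u', true],             // ClassEscape :: b, legal in Unicode patterns
  ['(?<\u{1d453}>x)', 'u', true],   // unescaped astral symbol (U+1D453) as a group name
];

function runReferenceCases(cases = REFERENCE_CASES) {
  return cases.map(([source, flags, expected]) => ({
    source, flags, expected, actual: regExpCompiles(source, flags),
  }));
}

function allCasesAgree(cases = REFERENCE_CASES) {
  return runReferenceCases(cases).every((c) => c.actual === c.expected);
}

// Inside a class, \b is the BACKSPACE character; outside, it is a boundary
// assertion that matches nothing in a string made of one non-word character.
function backspaceInClass() {
  return { inClass: /[\b]/u.test('\b'), asAssertion: /\b/u.test('\b') };
}

// Stand-alone run: list any row where the engine disagrees with the table.
for (const row of runReferenceCases()) {
  if (row.actual !== row.expected) console.log('mismatch:', row);
}
console.log('all cases agree:', allCasesAgree()); // true on a conforming engine
console.log(backspaceInClass());                  // { inClass: true, asAssertion: false }
```

Rows 3 and 4 are the ones the reparsing logic in the entry above exists for: the same `\k<a>` text is a literal in a non-Unicode pattern without named groups and an error once a named group appears anywhere in the pattern, so the parser cannot decide on first sight.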
| |
| 2020-03-24 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Introduce @tryGetByIdWithWellKnownSymbol instead of repurposing @tryGetById itself |
| https://bugs.webkit.org/show_bug.cgi?id=209524 |
| |
| Reviewed by Saam Barati and Yusuke Suzuki. |
| |
| r258865 allowed @tryGetById to take any ResolveNode, such that a built-in could pass a well-known symbol. |
| This is much more permissive than necessary, since we shouldn't really need a ResolveNode in the first place; |
| instead, let's make a new bytecode intrinsic function @tryGetByIdWithWellKnownSymbol for this purpose. |
| |
| * builtins/RegExpPrototype.js: |
| (globalPrivate.hasObservableSideEffectsForRegExpSplit): |
| * bytecode/BytecodeIntrinsicRegistry.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById): Revert change from r258865. |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetByIdWithWellKnownSymbol): Added. |
| |
| 2020-03-24 Tadeu Zagallo <tzagallo@apple.com> |
| |
| LLIntGenerator must link switch jumps to otherwise redundant labels |
| https://bugs.webkit.org/show_bug.cgi?id=209333 |
| <rdar://problem/60827987> |
| |
| Reviewed by Saam Barati. |
| |
| The LLIntGenerator optimizes jumps at the end of blocks. It does so when a block ends, by checking if |
| the last instruction emitted was a jump, if it pointed to the end of the current block and if it was |
| the only jump that pointed there. If all those conditions are satisfied, the jump is removed and it's |
| not necessary to emit the label at the end of block, since the only jump that pointed to it was removed. |
| However, switches (br_table) are handled specially by the LLIntGenerator and therefore are not counted |
| in Label::unresolvedJumps, which was used to check whether we could skip emitting the label. |
| The end result is that we might skip linking a switch jump if it points to a block that ends with a jump. |
| |
| * wasm/WasmLLIntGenerator.cpp: |
| (JSC::Wasm::LLIntGenerator::addEndToUnreachable): |
| (JSC::Wasm::LLIntGenerator::linkSwitchTargets): |
| (JSC::GenericLabel<Wasm::GeneratorTraits>::setLocation): |
| |
| 2020-03-24 Saam Barati <sbarati@apple.com> |
| |
| Memory::fastMappedBytes() is wrong |
| https://bugs.webkit.org/show_bug.cgi?id=209488 |
| |
| Reviewed by Mark Lam. |
| |
| * wasm/WasmMemory.cpp: |
| (JSC::Wasm::Memory::fastMappedBytes): |
| |
| 2020-03-24 Keith Miller <keith_miller@apple.com> |
| |
| Fix isEmpty AssemblyHelpers function and add isNotEmpty |
| https://bugs.webkit.org/show_bug.cgi?id=209507 |
| |
| Reviewed by Saam Barati. |
| |
| This fixes the 32-bit version of my HasIndexedProperty patch as well |
| as properly names the functions for what they do. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::isEmpty): |
| (JSC::AssemblyHelpers::isNotEmpty): |
| |
| 2020-03-23 Keith Miller <keith_miller@apple.com> |
| |
| HasIndexedProperty should know about sane chain |
| https://bugs.webkit.org/show_bug.cgi?id=209457 |
| |
| Reviewed by Saam Barati. |
| |
| This patch makes it so HasIndexedProperty is aware of |
| sane chain. This is useful because, most of the time we do an |
| indexed in it is on an array. If the array has a sane chain (i.e. |
| no indexed properties on its prototypes and has the default |
| prototype chain) then we can just test for the index being a hole. |
| |
| Note, we could also just convert OOB indices into false but that |
| should happen in another patch. |
| https://bugs.webkit.org/show_bug.cgi?id=209456 |
| |
| I didn't add any tests because it turns out we already have a ton. |
| I know this because I broke most of them repeatedly... >.> |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| (JSC::DFG::FixupPhase::setSaneChainIfPossible): |
| (JSC::DFG::FixupPhase::convertToHasIndexedProperty): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::speculateAndJump): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::isEmpty): |
| |
| 2020-03-23 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Caller of Delete IC should emit write-barrier onto owner |
| https://bugs.webkit.org/show_bug.cgi?id=209392 |
| <rdar://problem/60683173> |
| |
| Reviewed by Saam Barati. |
| |
| DeleteIC can change Structure of the owner cell in the fast path. However it is not emitting write-barrier, |
| while we are writing a Structure cell id into a JSObject's header. |
| In this patch, |
| |
| 1. Emit write-barrier in baseline. Be careful about when emitting write-barrier since it clobbers registers. |
| 2. DFG and FTL recognize DeleteById / DeleteByVal in DFGStoreBarrierInsertionPhase. |
| 3. DFGStoreBarrierInsertionPhase only accepts nodes whose base is speculated as a Cell. Current DeleteById / DeleteByVal |
| can have UntypedUse base value, but we miss emitting write-barrier for DeleteById / DeleteByVal with UntypedUse in the fast path. |
| In this patch, we optimize DeleteById / DeleteByVal only when we speculate child1 as a cell. We can take the further |
| steps after fixing this bug, e.g. (1) accepting UntypedUse in store-barrier-insertion[1] or (2) emitting write-barrier |
| if child1's speculation is UntypedUse. For now, we fix the bug by taking a generic path when child1 is not speculated |
| as a cell. And we can optimize it in a separate change[2]. |
| |
| This is following the design of PutIC. |
| Currently, we use ShouldFilterBase for emitWriteBarrier. But we could use UnconditionalWriteBarrier here since |
| we already filter non-cells in Baseline's hot path. I filed it as a separate bug in [3]. |
| |
| [1]: https://bugs.webkit.org/show_bug.cgi?id=209396 |
| [2]: https://bugs.webkit.org/show_bug.cgi?id=209397 |
| [3]: https://bugs.webkit.org/show_bug.cgi?id=209395 |
| |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compileDeleteById): |
| (JSC::DFG::SpeculativeJIT::compileDeleteByVal): |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal): |
| * jit/JIT.h: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitPutByValWithCachedId): |
| (JSC::JIT::emit_op_del_by_id): |
| (JSC::JIT::emit_op_del_by_val): |
| (JSC::JIT::emit_op_put_by_id): |
| (JSC::JIT::emitWriteBarrier): |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emitPutByValWithCachedId): |
| (JSC::JIT::emit_op_put_by_id): |
| |
| 2020-03-23 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG OSR exit cannot find StructureStubInfo for put_by_val if CodeBlock is once converted from Baseline to LLInt |
| https://bugs.webkit.org/show_bug.cgi?id=209327 |
| <rdar://problem/60631061> |
| |
| Reviewed by Saam Barati. |
| |
| DFG compiles op_put_by_val as PutById and inlines SetterCall only when DFG found StructureStubInfo for this op_put_by_val. |
| However, it is still possible that DFG OSR exit cannot find StructureStubInfo for SetterCall generated by op_put_by_val. |
| Let's consider the following scenario. |
| |
| 1. Baseline CodeBlock (A) is compiled. |
| 2. (A) gets DFG (B). |
| 3. Since (A) collects enough information for put_by_val, (B) can get StructureStubInfo from (A) and compile it as inlined Setter call. |
| 4. (A)'s JITData is destroyed since it is not executed. Then, (A) becomes LLInt. |
| 5. The CodeBlock inlining (A) gets OSR exit. So (A) is executed and (A) eventually gets Baseline CodeBlock again. |
| 6. (B) gets OSR exit. (B) attempts to search for StructureStubInfo in (A) for PutById (originally, put_by_val). But it does not exist since (A)'s JITData is cleared once. |
| |
| We should just link to doneTarget of ByValInfo when the SetterCall is generated by `op_put_by_val`. ByValInfo and its doneTarget always exist per op_put_by_val. |
| |
| * bytecode/ByValInfo.h: |
| (JSC::ByValInfo::ByValInfo): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::findByValInfo): |
| * bytecode/CodeBlock.h: |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::callerReturnPC): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::privateCompileHasIndexedProperty): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::privateCompileHasIndexedProperty): |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::privateCompilePutByVal): |
| (JSC::JIT::privateCompilePutByValWithCachedId): |
| |
| 2020-03-23 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Unreviewed, address Yusuke's feedback on r258801. |
| |
| * builtins/RegExpPrototype.js: |
| (globalPrivate.hasObservableSideEffectsForRegExpSplit): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById): |
| |
| 2020-03-23 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Catch parameters must not be lexically redeclared |
| https://bugs.webkit.org/show_bug.cgi?id=208976 |
| |
| Reviewed by Keith Miller. |
| |
| From https://tc39.es/ecma262/#sec-try-statement-static-semantics-early-errors: |
| Catch : catch ( CatchParameter ) Block |
| It is a Syntax Error if any element of the BoundNames of CatchParameter |
| also occurs in the LexicallyDeclaredNames of Block. |
| |
| In other words, let/const/class/function declarations in the immediate catch block scope |
| must not shadow catch parameters. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseTryStatement): |
| (JSC::Parser<LexerType>::parseBlockStatement): |
| * parser/Parser.h: |
| (JSC::Scope::Scope): |
| (JSC::Scope::setIsCatchBlockScope): Added. |
| (JSC::Scope::isCatchBlockScope): Added. |
| (JSC::Parser::declareVariable): |
| (JSC::Parser::declareFunction): |
| |
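Added example (not WebKit code): the early error quoted above, probed by compiling candidate sources with `Function()` and classifying the outcome; Node/V8 is assumed as the host engine, and the case list is constructed here.

```javascript
// Compile `src` as a sloppy-mode function body and report whether it is
// accepted. Only SyntaxError counts as "rejected"; anything else propagates.
function compiles(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed cases: [source, expected to compile?]
// The rule: a lexical declaration (let/const/class/function-in-block) in the
// *immediate* catch Block must not reuse a name bound by the CatchParameter.
const CASES = [
  ["try {} catch (e) { let e; }", false],          // let shadows the parameter
  ["try {} catch (e) { const e = 1; }", false],    // const likewise
  ["try {} catch (e) { class e {} }", false],      // class is a lexical declaration
  ["try {} catch (e) { function e() {} }", false], // block-level function is lexical too
  ["try {} catch (e) { { let e; } }", true],       // nested block has its own scope
  ["try {} catch (e) { var e; }", true],           // Annex B.3.5 allows var for a simple parameter
  ["try {} catch (e) { e = 1; }", true],           // assignment is not a declaration
];

// Returns one record per case so a mismatch can be inspected, not just counted.
function checkAll() {
  return CASES.map(([src, expected]) => ({ src, expected, actual: compiles(src) }));
}

function allAsExpected() {
  return checkAll().every((r) => r.expected === r.actual);
}
```
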
| 2020-03-23 Michael Catanzaro <mcatanzaro@gnome.org> |
| |
| REGRESSION(r249808): [GTK] Crash in JSC Config::permanentlyFreeze() on architecture ppc64el |
| https://bugs.webkit.org/show_bug.cgi?id=209236 |
| |
| Reviewed by Mark Lam. |
| |
| * heap/MarkedBlock.h: Use new CeilingOnPageSize. |
| * runtime/JSCConfig.cpp: |
| (JSC::Config::permanentlyFreeze): Use pageSize instead of vmPageSize. |
| * runtime/JSCConfig.h: Use new CeilingOnPageSize. |
| |
| 2020-03-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, rename keepAlive to ensureStillAliveHere |
| https://bugs.webkit.org/show_bug.cgi?id=209398 |
| |
| Based on Geoff and Mark's feedback, renaming keepAlive to ensureStillAliveHere |
| to make the effect of keepAlive clear. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice): |
| (JSC::FTL::DFG::LowerDFGToB3::ensureStillAliveHere): |
| (JSC::FTL::DFG::LowerDFGToB3::keepAlive): Deleted. |
| * heap/HeapCell.cpp: |
| (JSC::ensureStillAliveHere): |
| (JSC::keepAlive): Deleted. |
| * heap/HeapCell.h: |
| (JSC::ensureStillAliveHere): |
| (JSC::HeapCell::use const): |
| (JSC::keepAlive): Deleted. |
| * runtime/JSCJSValue.cpp: |
| (JSC::ensureStillAliveHere): |
| (JSC::keepAlive): Deleted. |
| * runtime/JSCJSValue.h: |
| (JSC::ensureStillAliveHere): |
| (JSC::keepAlive): Deleted. |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| |
| 2020-03-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Add JSC::keepAlive(JSValue) |
| https://bugs.webkit.org/show_bug.cgi?id=209398 |
| |
| Reviewed by Mark Lam. |
| |
| Add JSC::keepAlive(JSValue). This is useful to make some JSValue variable alive from GC. |
| |
| * heap/HeapCell.cpp: |
| * runtime/JSCJSValue.cpp: |
| (JSC::keepAlive): |
| * runtime/JSCJSValue.h: |
| (JSC::keepAlive): |
| |
| 2020-03-20 Ross Kirsling <ross.kirsling@sony.com> |
| |
| hasObservableSideEffectsForRegExpSplit doesn't check for @@match override |
| https://bugs.webkit.org/show_bug.cgi?id=209363 |
| |
| Reviewed by Michael Saboff. |
| |
| Our RegExp.prototype[@@split] implementation has a fast path for unadulterated RegExp objects, |
| but we're using that fast path even when @@match has been overridden. |
| |
| This is illegitimate because the RegExp species constructor calls IsRegExp, which hits the @@match getter. |
| |
| * builtins/BuiltinNames.h: |
| * builtins/RegExpPrototype.js: |
| (globalPrivate.hasObservableSideEffectsForRegExpSplit): |
| * bytecode/LinkTimeConstant.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| |
| 2020-03-20 Ross Kirsling <ross.kirsling@sony.com> |
| |
| RegExp.prototype[@@replace] doesn't coerce result index to integer |
| https://bugs.webkit.org/show_bug.cgi?id=209323 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| From https://tc39.es/ecma262/#sec-regexp.prototype-@@replace: |
| 21.2.5.10 RegExp.prototype [ @@replace ] ( string, replaceValue ) |
| ... |
| 14. For each result in results, do |
| ... |
| e. Let position be ? ToInteger(? Get(result, "index")). |
| f. Set position to max(min(position, lengthS), 0). |
| |
| result.index may be undefined, so it doesn't suffice to coerce it with comparison operators. |
| |
| * builtins/RegExpPrototype.js: |
| |
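Added example (not WebKit code): steps 14.e and 14.f written out in plain JS, next to the comparison-only check they replace, and fed through the engine's `RegExp.prototype[@@replace]` via a constructed `exec()` result whose `index` is chosen by the caller; Node/V8 is assumed as the host engine.

```javascript
// ECMA-262 ToInteger (today spelled ToIntegerOrInfinity): NaN -> 0, truncate otherwise.
function toInteger(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n) + 0; // "+ 0" folds -0 into +0
}

// Steps 14.e and 14.f: coerce, then clamp into [0, lengthS].
function coercePosition(index, lengthS) {
  return Math.max(Math.min(toInteger(index), lengthS), 0);
}

// The comparison-only check: `undefined < 0` and `undefined > lengthS` are both
// false, so an undefined index slips through as if it were in range.
function looksInRange(index, lengthS) {
  return !(index < 0) && !(index > lengthS);
}

// Constructed RegExp whose exec() always reports the match "b" at `index`.
// Overriding exec forces the engine onto the spec (slow) path of @@replace.
function regexWithIndex(index) {
  const re = /b/;
  re.exec = () => ({ 0: "b", length: 1, index });
  return re;
}

// Replace the reported match in "abc" with "X"; the engine's own coercion decides where.
function replaceWith(index) {
  return "abc".replace(regexWithIndex(index), "X");
}
```
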
| 2020-03-20 Justin Michaud <justin@justinmichaud.com> |
| |
| Fix JSCOnly build without unified sources |
| https://bugs.webkit.org/show_bug.cgi?id=209343 |
| |
| Reviewed by Keith Miller. |
| |
| I managed to get clangd to work for code completion using the following command: |
| |
| ./Tools/Scripts/build-webkit --jsc-only --cmakeargs="-DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DENABLE_UNIFIED_BUILDS=OFF" && compdb -p WebKitBuild/Release/ list > compile_commands.json |
| |
| This patch fixes the build for non-unified sources, and adds some extra clangd files to .gitignore. |
| |
| * API/MarkedJSValueRefArray.h: |
| * jit/JITPropertyAccess.cpp: |
| |
| 2020-03-20 Tim Horton <timothy_horton@apple.com> |
| |
| Upstream a variety of Cocoa-platform HAVE and ENABLE macros |
| https://bugs.webkit.org/show_bug.cgi?id=209307 |
| |
| Reviewed by Andy Estes. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2020-03-20 Jacob Uphoff <jacob_uphoff@apple.com> |
| |
| Unreviewed, reverting r258748. |
| |
| This commit broke the Catalina build |
| |
| Reverted changeset: |
| |
| "Upstream a variety of Cocoa-platform HAVE and ENABLE macros" |
| https://bugs.webkit.org/show_bug.cgi?id=209307 |
| https://trac.webkit.org/changeset/258748 |
| |
| 2020-03-19 Tim Horton <timothy_horton@apple.com> |
| |
| Upstream a variety of Cocoa-platform HAVE and ENABLE macros |
| https://bugs.webkit.org/show_bug.cgi?id=209307 |
| |
| Reviewed by Andy Estes. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2020-03-19 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] StructureStubInfo::bufferedStructures should not ref/deref UniquedStringImpl |
| https://bugs.webkit.org/show_bug.cgi?id=209266 |
| <rdar://problem/60508312> |
| |
| Reviewed by Saam Barati. |
| |
| StructureStubInfo::bufferedStructures includes RefPtr<UniquedStringImpl>. So destroying StructureStubInfo in |
| CodeBlock::finalizeUnconditionally can access AtomStringTable, and get nullptr AtomStringTable since |
| CodeBlock::finalizeUnconditionally can be executed in heap-thread. |
| |
| Temporarily setting AtomStringTable in the heap-thread when executing GC End phase is dangerous: Web worker's |
| JSC VM is releasing heapAccess when waiting for the next message in the RunLoop. This potentially means that |
| Web worker's main thread can run concurrently with Web worker's JSC VM's End phase heap-thread until the web |
| worker takes JSLock. (This is not a problem in WebCore since WebCore JSC VM never releases heapAccess. We cannot |
| take the same design since we would like to run End phase even if web worker is not getting any messages). |
| |
| And removing resetJITData in CodeBlock::finalizeUnconditionally does not fix it either since CodeBlock::finalizeUnconditionally |
| calls StructureStubInfo::visitWeakReferences, and it removes some of the entries of StructureStubInfo::bufferedStructures after |
| ByVal extension is introduced into StructureStubInfo. |
| |
| This patch uses CacheableIdentifier for bufferedStructures. We make BufferedStructure class which holds Structure and CacheableIdentifier. |
| And StructureStubInfo holds HashSet<BufferedStructure>. We also visit CacheableIdentifier in StructureStubInfo::visitAggregate. To allow |
| concurrent collector to run this, we introduce m_bufferedStructuresLock in StructureStubInfo to guard m_bufferedStructures. |
| |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::StructureStubInfo): |
| (JSC::StructureStubInfo::addAccessCase): |
| (JSC::StructureStubInfo::reset): |
| (JSC::StructureStubInfo::visitAggregate): |
| (JSC::StructureStubInfo::visitWeakReferences): |
| * bytecode/StructureStubInfo.h: |
| (JSC::StructureStubInfo::considerCaching): |
| (JSC::StructureStubInfo::getByIdSelfIdentifier): |
| (JSC::StructureStubInfo::cacheType const): |
| (JSC::StructureStubInfo::clearBufferedStructures): |
| (JSC::StructureStubInfo::BufferedStructure::BufferedStructure): |
| (JSC::StructureStubInfo::BufferedStructure::isHashTableDeletedValue const): |
| (JSC::StructureStubInfo::BufferedStructure::hash const): |
| (JSC::StructureStubInfo::BufferedStructure::operator==): |
| (JSC::StructureStubInfo::BufferedStructure::operator!=): |
| (JSC::StructureStubInfo::BufferedStructure::Hash::hash): |
| (JSC::StructureStubInfo::BufferedStructure::Hash::equal): |
| (JSC::StructureStubInfo::BufferedStructure::structure const): |
| (JSC::StructureStubInfo::BufferedStructure::byValId const): |
| * jit/JITOperations.cpp: |
| * runtime/CacheableIdentifier.h: |
| (JSC::CacheableIdentifier::hash const): |
| |
| 2020-03-19 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, build fix after r258717 |
| https://bugs.webkit.org/show_bug.cgi?id=199295 |
| |
| * llint/LowLevelInterpreter.asm: |
| |
| 2020-03-18 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| sanitizeStackForVMImpl writes below stack pointer, triggers huge warning spam from valgrind |
| https://bugs.webkit.org/show_bug.cgi?id=199295 |
| |
| Reviewed by Mark Lam. |
| |
| During sanitizeStackForVMImpl, we should not access the region beyond the stack-pointer. |
| This patch changes the stack-pointer while sanitizeStackForVMImpl is zero-filling the old stack region. |
| |
| * llint/LowLevelInterpreter.asm: |
| |
| 2020-03-19 Charlie Turner <cturner@igalia.com> |
| |
| Fix many warnings with Clang 7.0 on GTK x86-64 in Debug. |
| https://bugs.webkit.org/show_bug.cgi?id=209146 |
| |
| Reviewed by Darin Adler. |
| |
| * runtime/JSCellInlines.h: |
| (JSC::CallFrame::deprecatedVM const): A reference may not be NULL, so |
| this ASSERT() can never trip. |
| |
| 2020-03-18 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Add a way to mark a rejected promise as handled |
| https://bugs.webkit.org/show_bug.cgi?id=209241 |
| |
| Reviewed by Michael Saboff. |
| |
| Some of WebCore promise implementations (WebAnimation etc.) want to reject promise |
| as handled state to suppress UnhandledPromiseRejection tracking. For example, a |
| lot of WebCore implementations expose Promise DOM attributes which will be rejected |
| under some conditions. But we do not want to force users to set a handler for each such |
| attribute. |
| |
| This patch adds `JSPromise::rejectAsHandled` C++ function. This simply sets isHandledFlag |
| before executing `JSPromise::reject` if we are not calling a reject function yet. |
| |
| * runtime/JSPromise.cpp: |
| (JSC::JSPromise::rejectAsHandled): |
| * runtime/JSPromise.h: |
| * tools/JSDollarVM.cpp: |
| (JSC::functionRejectPromiseAsHandled): |
| (JSC::JSDollarVM::finishCreation): |
| |
| 2020-03-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DeleteIC patchpoint in FTL should require tag and mask registers |
| https://bugs.webkit.org/show_bug.cgi?id=209197 |
| <rdar://problem/60531308> |
| |
| Reviewed by Tadeu Zagallo and Saam Barati. |
| |
| DeleteIC patchpoint is emitting `branchIfNotCell` machine code. This requires a mask register |
| while we are not reserving them when creating a patchpoint. |
| |
| In general, our IC code is assuming usual CCallHelpers environment which provides macro-assembler |
| scratch, tag, and mask registers. We should offer them even if IC is emitted from FTL. In this |
| patch, we offer tag and mask registers for Delete IC even if this IC is not currently using tag |
| register. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileDelBy): |
| |
| 2020-03-17 Tadeu Zagallo <tzagallo@apple.com> |
| |
| AccessCase::canReplace should allow a Getter to replace an IntrinsicGetter |
| https://bugs.webkit.org/show_bug.cgi?id=209158 |
| <rdar://problem/59222012> |
| |
| Reviewed by Saam Barati. |
| |
| When we override an intrinsic getter with a user defined getter, we might end up with the |
| same offset and attributes. In which case, an inline cache that contained an entry for the |
| intrinsic getter will believe that it is still valid, and add a new getter access case, |
| leading to duplicate entries for the same structure. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::canReplace const): |
| |
| 2020-03-16 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] JSMapIterator and JSSetIterator are CellType |
| https://bugs.webkit.org/show_bug.cgi?id=209168 |
| <rdar://problem/59705631> |
| |
| Reviewed by Saam Barati. |
| |
| They are JSCell, not JSObject since they are not used as user-observable set/map iterators in JSC. |
| However, their JSType is ObjectType. They should use CellType instead. |
| |
| * runtime/JSMapIterator.h: |
| * runtime/JSSetIterator.h: |
| |
| 2020-03-16 Keith Miller <keith_miller@apple.com> |
| |
| JavaScript identifier grammar supports unescaped astral symbols, but JSC doesn’t |
| https://bugs.webkit.org/show_bug.cgi?id=208998 |
| |
| Reviewed by Michael Saboff. |
| |
| This patch fixes a bug in the parser that allows for surrogate pairs when parsing identifiers. |
| It also makes a few other changes to the parser: |
| |
| 1) When looking for keywords we just need to check that subsequent |
| character cannot be an identifier part or an escape start. |
| |
| 2) The only time we call parseIdentifierSlowCase is when we hit an |
| escape start or a surrogate pair so we can optimize that to just |
| copy everything up to the slow character into our buffer. |
| |
| 3) We shouldn't allow for asking if a UChar is an identifier start/part. |
| |
| * KeywordLookupGenerator.py: |
| (Trie.printSubTreeAsC): |
| (Trie.printAsC): |
| * parser/Lexer.cpp: |
| (JSC::isNonLatin1IdentStart): |
| (JSC::isIdentStart): |
| (JSC::isSingleCharacterIdentStart): |
| (JSC::cannotBeIdentStart): |
| (JSC::isIdentPart): |
| (JSC::isSingleCharacterIdentPart): |
| (JSC::cannotBeIdentPartOrEscapeStart): |
| (JSC::Lexer<LChar>::currentCodePoint const): |
| (JSC::Lexer<UChar>::currentCodePoint const): |
| (JSC::Lexer<LChar>::parseIdentifier): |
| (JSC::Lexer<UChar>::parseIdentifier): |
| (JSC::Lexer<CharacterType>::parseIdentifierSlowCase): |
| (JSC::Lexer<T>::lexWithoutClearingLineTerminator): |
| (JSC::Lexer<T>::scanRegExp): |
| (JSC::isIdentPartIncludingEscapeTemplate): Deleted. |
| (JSC::isIdentPartIncludingEscape): Deleted. |
| * parser/Lexer.h: |
| (JSC::Lexer::setOffsetFromSourcePtr): Deleted. |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::printUnexpectedTokenText): |
| * parser/ParserTokens.h: |
| |
| 2020-03-13 Sergio Villar Senin <svillar@igalia.com> |
| |
| [WebXR] IDLs, stubs and build configuration for WPE |
| https://bugs.webkit.org/show_bug.cgi?id=208702 |
| |
| Reviewed by Dean Jackson. |
| |
| * Configurations/FeatureDefines.xcconfig: Added ENABLE_WEBXR, off by default. |
| |
| 2020-03-15 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| reportZappedCellAndCrash should handle PreciseAllocation in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=209042 |
| |
| Reviewed by Mark Lam. |
| |
| This patch adds support for PreciseAllocation cells to reportZappedCellAndCrash, since now it is frequently used |
| as lower-tier cells in IsoSubspace. |
| |
| * heap/IsoSubspace.h: |
| * heap/IsoSubspaceInlines.h: |
| (JSC::IsoSubspace::forEachLowerTierFreeListedPreciseAllocation): |
| * runtime/JSCell.cpp: |
| (JSC::reportZappedCellAndCrash): |
| |
| 2020-03-15 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Should not use variable-length-array (VLA) |
| https://bugs.webkit.org/show_bug.cgi?id=209043 |
| |
| Reviewed by Mark Lam. |
| |
| This patch disables variable-length-array (VLA). If this feature uses user-input, a user can |
| control the stack height consumed by C++ code. This patch avoids using VLA. To achieve that, |
| |
| 1. We set `-Wvla` warning option to trigger warnings if it is used. |
| 2. Introduce MarkedJSValueRefArray for API. This replaces `JSValueRef arguments[variableLength]` use case. |
| MarkedJSValueRefArray registers itself to JSC GC so that GC can mark it as a strong root. |
| |
| * API/JSContext.mm: |
| (+[JSContext currentArguments]): |
| * API/JSValue.mm: |
| (-[JSValue callWithArguments:]): |
| (-[JSValue constructWithArguments:]): |
| (-[JSValue invokeMethod:withArguments:]): |
| * API/MarkedJSValueRefArray.cpp: Added. |
| (JSC::MarkedJSValueRefArray::MarkedJSValueRefArray): |
| (JSC::MarkedJSValueRefArray::~MarkedJSValueRefArray): |
| (JSC::MarkedJSValueRefArray::visitAggregate): |
| * API/MarkedJSValueRefArray.h: Added. |
| * API/tests/minidom.c: |
| (print): |
| * API/tests/testapi.cpp: |
| (TestAPI::markedJSValueArrayAndGC): |
| (testCAPIViaCpp): |
| * Configurations/Base.xcconfig: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * heap/Heap.cpp: |
| (JSC::Heap::addCoreConstraints): |
| (JSC::Heap::addMarkedJSValueRefArray): |
| * heap/Heap.h: |
| * heap/MarkedSpace.h: |
| (JSC::MarkedSpace::activeWeakSetsBegin): Deleted. |
| (JSC::MarkedSpace::activeWeakSetsEnd): Deleted. |
| (JSC::MarkedSpace::newActiveWeakSetsBegin): Deleted. |
| (JSC::MarkedSpace::newActiveWeakSetsEnd): Deleted. |
| * runtime/ArgList.h: |
| |
| 2020-03-14 Saam Barati <sbarati@apple.com> |
| |
| Unreviewed. Fix windows build by making configSizeToProtect stay 4KB. |
| |
| * runtime/JSCConfig.h: |
| |
| 2020-03-13 Saam Barati <sbarati@apple.com> |
| |
| configSizeToProtect should be 16KB |
| https://bugs.webkit.org/show_bug.cgi?id=209068 |
| |
| Reviewed by Keith Miller. |
| |
| * runtime/JSCConfig.h: |
| |
| 2020-03-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix JSC / test262 tests |
| https://bugs.webkit.org/show_bug.cgi?id=209033 |
| <rdar://problem/58946936> |
| |
| Follow-up change for DisallowGC causes a crash because CodeBlock is nullptr when the function call is a non-JS call. |
| |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::executeCall): |
| (JSC::Interpreter::executeConstruct): |
| |
| 2020-03-13 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Missing arithMode for ArithAbs and ArithNegate in DFGClobberize |
| https://bugs.webkit.org/show_bug.cgi?id=208685 |
| <rdar://problem/60115088> |
| |
| Reviewed by Saam Barati. |
| |
| In the pure case of ArithNegate and ArithAbs in DFGClobberize, their PureValues did not include their |
| respective ArithMode. That means that e.g. a CheckOverflow ArithNegate/Abs could be considered equivalent |
| to an Unchecked version of the same node. |
| |
| Thanks to Samuel Groß of Google Project Zero for identifying this bug. |
| |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| |
| 2020-03-13 Myles C. Maxfield <mmaxfield@apple.com> |
| |
| [Cocoa] Push applicationSDKVersion() down from WebCore into WTF |
| https://bugs.webkit.org/show_bug.cgi?id=209030 |
| |
| Reviewed by Simon Fraser. |
| |
| dyld_get_program_sdk_version() gives you the wrong answer in the Web Process (or at least |
| not the answer you actually want). There are already facilities for the UI Process to tell |
| the Web Process what the real value is, but those functions are currently in WebCore, |
| which is inaccessible to WTF. This patch is in preparation for |
| https://bugs.webkit.org/show_bug.cgi?id=208969 which needs to know this information in WTF. |
| |
| I also found a few places which were calling dyld_get_program_sdk_version() in JavaScriptCore |
| and WebCore (which is wrong because those libraries exist in the Web Process), and have fixed |
| them up to use applicationSDKVersion() instead. |
| |
| * API/JSWrapperMap.mm: |
| (supportsInitMethodConstructors): |
| |
| 2020-03-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Reload CodeBlock or suppress GC while setting up calls |
| https://bugs.webkit.org/show_bug.cgi?id=209033 |
| <rdar://problem/58946936> |
| |
| Reviewed by Saam Barati. |
| |
| The sequence of Interpreter::execute is the following. |
| |
| 1. Getting CodeBlock from Executable |
| 2. Doing a lot of setups |
| 3. Setting (1)'s CodeBlock to ProtoFrame |
| 4. Calling code through Executable |
| |
| During (2), it would be possible that GC happens and it replaces CodeBlock in Executable. |
| Then, when executing JITCode with CodeBlock in (4), we use new JITCode with old CodeBlock. |
| |
| In this patch, |
| |
| For ProgramExecutable, FunctionExecutable, ModuleProgramExecutable, we ensure that no GC happens |
| after getting CodeBlock by placing DisallowGC. For EvalExecutable, we reload CodeBlock after setting |
| up environment. It is possible that FunctionExecutable* stored in CodeBlock can be different when |
| executing a new CodeBlock, but this is OK since this difference does not appear and we do not rely on |
| this: we are touching `name` of FunctionExecutable* which is retrieved from CodeBlock. But this name |
| will not be changed since this is derived from UnlinkedFunctionExecutable which is shared by multiple |
| CodeBlocks. And FunctionExecutable* generation ordering must be the same for every CodeBlock generation |
| from the same UnlinkedCodeBlock. |
| |
| * bytecode/CodeBlock.h: |
| (JSC::ScriptExecutable::prepareForExecution): |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::executeProgram): |
| (JSC::Interpreter::executeCall): |
| (JSC::Interpreter::executeConstruct): |
| (JSC::Interpreter::execute): |
| (JSC::Interpreter::executeModuleProgram): |
| * interpreter/InterpreterInlines.h: |
| (JSC::Interpreter::execute): |
| * runtime/DisallowScope.h: |
| (JSC::DisallowScope::disable): |
| * runtime/StringPrototype.cpp: |
| |
| 2020-03-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Delete IC creation should check mayNeedToCheckCell/canCacheDeleteIC regardless of Structure::outOfLineCapacity |
| https://bugs.webkit.org/show_bug.cgi?id=209027 |
| |
| Reviewed by Saam Barati. |
| |
| Delete IC code generation assumes that mayNeedToCheckCell (it is replaced with canCacheDeleteIC) is false |
| while we are looking into this status only if Structure::outOfLineCapacity meets a certain condition. We should avoid |
| creating a Delete IC when mayNeedToCheckCell/canCacheDeleteIC is true regardless of Structure::outOfLineCapacity. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::createDelete): |
| (JSC::AccessCase::generateImpl): |
| * runtime/Structure.h: |
| * runtime/StructureInlines.h: |
| (JSC::Structure::mayHaveIndexingHeader const): |
| (JSC::Structure::canCacheDeleteIC const): |
| |
| 2020-03-13 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Bound functions should pass correct NewTarget value |
| https://bugs.webkit.org/show_bug.cgi?id=209057 |
| |
| Reviewed by Keith Miller. |
| |
| This change implements steps 5-6 of bound function's [[Construct]] method [1], |
| fixing bound function subclasses and aligning JSC with V8 and SpiderMonkey. |
| |
| [1]: https://tc39.es/ecma262/#sec-bound-function-exotic-objects-construct-argumentslist-newtarget |
| |
| * runtime/JSBoundFunction.cpp: |
| (JSC::boundThisNoArgsFunctionConstruct): |
| (JSC::boundFunctionConstruct): |
| |
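Added example (not WebKit code): steps 5-6 of the bound function [[Construct]] linked above, observed through `new.target`; `Target`, `Bound` and `Sub` are constructed names, and Node/V8 is assumed as the host engine.

```javascript
// Records whatever new.target was when this constructor ran.
function Target() {
  this.newTarget = new.target;
}

const Bound = Target.bind(null);
// A bound function has no own "prototype", and `extends` needs one that is an
// object or null, so give it the target's prototype to allow subclassing.
Bound.prototype = Target.prototype;
class Sub extends Bound {}

// Step 5: newTarget === the bound function itself -> replaced by the target.
function viaNew() {
  return new Bound().newTarget;
}

// Step 6: any other newTarget (here the subclass) is passed through unchanged,
// so the instance is created from Sub.prototype, not Target.prototype.
function viaSubclass() {
  return new Sub().newTarget;
}

// Same two rules driven explicitly through Reflect.construct.
function viaReflect(newTarget) {
  return Reflect.construct(Bound, [], newTarget).newTarget;
}

// The prototype follows new.target: a Sub instance really is a Sub and a Target.
function subclassInstanceChain() {
  const s = new Sub();
  return s instanceof Sub && s instanceof Target && Object.getPrototypeOf(s) === Sub.prototype;
}
```
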
| 2020-03-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, change ASSERT to ASSERT_WITH_SECURITY_IMPLICATION since it is now enabled under ENABLE(SECURITY_ASSERTIONS) |
| https://bugs.webkit.org/show_bug.cgi?id=209041 |
| <rdar://problem/59705631> |
| |
| * runtime/JSCast.h: |
| (JSC::jsCast): |
| |
| 2020-03-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Report crashed cell in jsCast in debug builds |
| https://bugs.webkit.org/show_bug.cgi?id=209041 |
| <rdar://problem/59705631> |
| |
| Reviewed by Mark Lam. |
| |
| To collect more information when crashing with jsCast, we attempt to use reportZappedCellAndCrash. |
| If it succeeds, we can get more information in registers. We enable this only for ASSERT_ENABLED |
| build. For non ASSERT_ENABLED, we keep the original assertion since this assertion can be enabled |
| via ENABLE(SECURITY_ASSERTIONS). |
| |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::appendToMarkStack): |
| (JSC::SlotVisitor::visitChildren): |
| (JSC::SlotVisitor::reportZappedCellAndCrash): Deleted. |
| * heap/SlotVisitor.h: |
| * runtime/JSCast.h: |
| (JSC::jsCast): |
| * runtime/JSCell.cpp: |
| (JSC::reportZappedCellAndCrash): |
| * runtime/JSCell.h: |
| |
| 2020-03-12 Keith Miller <keith_miller@apple.com> |
| |
| DFG nodes that take a TypedArray's storage need to keepAlive the TypedArray |
| https://bugs.webkit.org/show_bug.cgi?id=209035 |
| |
| Reviewed by Saam Barati. |
| |
| It might be possible to produce a graph where the last reference to a TypedArray |
| is via a GetByVal or PutByVal. Since those nodes don't create any reference to the |
| TypedArray in B3 we may end up not keeping the TypedArray alive until after the |
| storage access. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): |
| |
| 2020-03-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use CacheableIdentifier in ByValInfo |
| https://bugs.webkit.org/show_bug.cgi?id=208978 |
| |
| Reviewed by Saam Barati. |
| |
| CodeBlock::finalizeUnconditionally discards JITData. And this includes ByValInfo, which holds Identifier. |
| However, finalizeUnconditionally only guarantees that the main thread is not working. It can be invoked |
| in the heap thread, and it is not setting the AtomStringTable for this heap thread. If Identifier destroys |
| the AtomStringImpl there, it fails to unregister itself from the table. |
| |
| In this patch, |
| |
| 1. We explicitly set nullptr for the current AtomStringTable to catch the bug as soon as possible in GC end phase. |
| 2. We use CacheableIdentifier in ByValInfo to avoid destroying Identifier in CodeBlock::finalizeUnconditionally. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * bytecode/ByValInfo.cpp: Added. |
| (JSC::ByValInfo::visitAggregate): |
| * bytecode/ByValInfo.h: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::stronglyVisitStrongReferences): |
| * bytecode/CodeBlock.h: |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handlePutByVal): |
| * heap/Heap.cpp: |
| (JSC::Heap::runEndPhase): |
| * jit/JIT.h: |
| * jit/JITOperations.cpp: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitByValIdentifierCheck): |
| * runtime/CacheableIdentifier.h: |
| |
| 2020-03-11 Keith Miller <keith_miller@apple.com> |
| |
| Test262-runner should always consider crashes as new failures |
| https://bugs.webkit.org/show_bug.cgi?id=208943 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| BigInt.asUintN() / BigInt.asIntN() should not crash when called even if we have |
| not implemented them yet... |
| |
| * runtime/BigIntConstructor.cpp: |
| (JSC::bigIntConstructorFuncAsUintN): |
| (JSC::bigIntConstructorFuncAsIntN): |
| |
| 2020-03-11 Keith Miller <keith_miller@apple.com> |
| |
| Throws incorrectly a syntax error when declaring a top level catch variable the same as a parameter |
| https://bugs.webkit.org/show_bug.cgi?id=189914 |
| |
| Reviewed by Saam Barati. |
| |
| When we are parsing catch block parameters we should increment the statement depth so we don't think |
| we are trying to shadow top level lexical variables in the same statement depth. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseTryStatement): |
| |
| 2020-03-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Fix iso-subspace static_assert for JSJavaScriptCallFramePrototype |
| https://bugs.webkit.org/show_bug.cgi?id=208874 |
| |
| Reviewed by Saam Barati. |
| |
| This static_assert should ensure the condition for JSJavaScriptCallFramePrototype, not for JSInjectedScriptHostPrototype. |
| |
| * inspector/JSJavaScriptCallFramePrototype.h: |
| |
| 2020-03-09 Don Olmstead <don.olmstead@sony.com> |
| |
| Remove obsolete feature flags |
| https://bugs.webkit.org/show_bug.cgi?id=208830 |
| |
| Reviewed by Alex Christensen. |
| |
| Remove ENABLE_CUSTOM_SCHEME_HANDLER and ENABLE_MAC_VIDEO_TOOLBOX since they |
| are no longer used. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2020-03-09 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| @putByValDirect does not perform [[DefineOwnProperty]] correctly |
| https://bugs.webkit.org/show_bug.cgi?id=208708 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This change adds inSparseIndexingMode() check to canDoFastPutDirectIndex(), fixing slow path |
| of @putByValDirect() to perform [[DefineOwnProperty]] according to spec [1] and aligning JSC |
| with V8 and SpiderMonkey. |
| |
| This patch preserves existing behavior for Arguments exotic objects (hence the order of the checks) |
| and aligns slow path checks in JSObject::putDirectIndexSlowOrBeyondVectorLength |
| with JSObject::defineOwnIndexedProperty. |
| |
| JetStream2 benchmark is neutral. |
| |
| [1]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor |
| |
| * runtime/JSObject.cpp: |
| (JSC::canDoFastPutDirectIndex): |
| |
| 2020-03-09 Antoine Quint <graouts@apple.com> |
| |
| Remove the compile-time flag for Pointer Events |
| https://bugs.webkit.org/show_bug.cgi?id=208821 |
| <rdar://problem/60223471> |
| |
| Reviewed by Dean Jackson. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2020-03-09 Caio Lima <ticaiolima@gmail.com> |
| |
| Tail calls are broken on ARM_THUMB2 and MIPS |
| https://bugs.webkit.org/show_bug.cgi?id=197797 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| `prepareForTailCall` operation expects that header size + parameters |
| size is aligned with the stack (alignment is 16 bytes for every architecture). |
| This means that headerSizeInBytes + argumentsIncludingThisInBytes needs |
| to be a multiple of 16. This was not being preserved during getter IC code |
| for 32-bits. The code generated was taking into account only |
| headerSizeInRegisters (it is 4 on 32-bits) and argumentsIncludingThis |
| (that is always 1 for getters) and allocating 32 bytes when applying |
| operation `(headerSize + argumentsIncludingThis) * 8 - sizeof(CallerFrameAndPC)`. |
| This results in a stack frame with size of 40 bytes (after we push |
| `lr` and `sp`). Since `prepareForTailCall` expects frames to be |
| 16-byte aligned, it will then calculate the top of such frame |
| considering it is 48 bytes, clobbering values of the previous frame and |
| causing unexpected behavior. This patch fixes how this IC code |
| calculates the stack frame using `roundArgumentCountToAlignFrame(numberOfParameters)`, |
| aligning with what we do on code without IC installed. |
| This was not a problem for getter and setter IC on 64-bits because |
| `roundArgumentCountToAlignFrame(1) == 1` and `roundArgumentCountToAlignFrame(2) == 3` |
| while it is `roundArgumentCountToAlignFrame(1) == 2` and |
| `roundArgumentCountToAlignFrame(2) == 2` for MIPS and ARMv7. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateImpl): |
| |
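The frame-size arithmetic from the entry above, worked through for both word sizes as an added example (not JavaScriptCore code). It assumes an 8-byte Register, a 16-byte stack alignment, a 4-register header with an 8-byte CallerFrameAndPC on 32-bit (the values quoted in the entry) and a 5-register header with a 16-byte CallerFrameAndPC on 64-bit; the rounding helper mirrors what the entry attributes to `roundArgumentCountToAlignFrame`.

```cpp
// Added example, not JavaScriptCore code. Constants below are assumptions
// chosen to reproduce the numbers quoted in the ChangeLog entry above.
struct Arch {
    unsigned headerSizeInRegisters;       // CallFrame header (codeBlock, callee, argc, CallerFrameAndPC)
    unsigned callerFrameAndPCSizeInBytes; // return address + caller frame pointer
};

constexpr unsigned registerSize = 8;                  // sizeof(Register) == sizeof(JSValue)
constexpr unsigned stackAlignmentBytes = 16;          // same on every architecture
constexpr unsigned stackAlignmentRegisters = stackAlignmentBytes / registerSize; // 2
constexpr Arch arch64 { 5, 16 }; // assumption for 64-bit
constexpr Arch arch32 { 4, 8 };  // values quoted in the entry for ARMv7 / MIPS

constexpr unsigned roundUpToMultipleOf(unsigned divisor, unsigned x)
{
    return (x + divisor - 1) / divisor * divisor;
}

// Pad the argument count so that header + arguments fills whole 16-byte slots.
// Modelled on roundArgumentCountToAlignFrame as described in the entry.
constexpr unsigned roundArgumentCountToAlignFrame(const Arch& arch, unsigned argumentCountIncludingThis)
{
    return roundUpToMultipleOf(stackAlignmentRegisters, argumentCountIncludingThis + arch.headerSizeInRegisters)
        - arch.headerSizeInRegisters;
}

// Bytes the IC code subtracts from sp for the callee frame: the
// `(headerSize + argumentsIncludingThis) * 8 - sizeof(CallerFrameAndPC)` expression.
constexpr unsigned icFrameAllocationBytes(const Arch& arch, unsigned argumentCountIncludingThis)
{
    return (arch.headerSizeInRegisters + argumentCountIncludingThis) * registerSize
        - arch.callerFrameAndPCSizeInBytes;
}

// Full frame once CallerFrameAndPC has been pushed. prepareForTailCall assumes this
// is 16-byte aligned; when it is not, it rounds up and reads past the real frame.
constexpr unsigned totalFrameBytes(const Arch& arch, unsigned argumentCountIncludingThis)
{
    return icFrameAllocationBytes(arch, argumentCountIncludingThis) + arch.callerFrameAndPCSizeInBytes;
}

constexpr bool isStackAligned(unsigned bytes)
{
    return bytes % stackAlignmentBytes == 0;
}

// Frame size prepareForTailCall would assume for a misaligned frame (48 for the 40-byte case).
constexpr unsigned assumedFrameBytes(unsigned actualBytes)
{
    return roundUpToMultipleOf(stackAlignmentBytes, actualBytes);
}

// Getter IC before the fix (argument count taken as-is) versus after (rounded).
constexpr unsigned getterFrameBeforeFix(const Arch& arch) { return totalFrameBytes(arch, 1); }
constexpr unsigned getterFrameAfterFix(const Arch& arch)
{
    return totalFrameBytes(arch, roundArgumentCountToAlignFrame(arch, 1));
}
```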
| 2020-03-08 Brady Eidson <beidson@apple.com> |
| |
| Remember completed subranges during incremental PDF loading. |
| https://bugs.webkit.org/show_bug.cgi?id=208785 |
| |
| Reviewed by Tim Horton. |
| |
| Move 'using WTF::Range' from the WTF/Range.h header to these JSC users. |
| |
| The alternative to making these 3 changes was to make over 20 changes up in the WebCore/WebKits |
| to resolve the conflict with WebCore::Range. |
| |
| * b3/B3HeapRange.h: |
| * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: |
| * heap/JITStubRoutineSet.h: |
| |
| 2020-03-07 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| REGRESSION (r258049): Unchecked JS exception in jsc::Stringifier::toJSON |
| https://bugs.webkit.org/show_bug.cgi?id=208766 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/JSONObject.cpp: |
| (JSC::Stringifier::toJSON): Add missing RELEASE_AND_RETURN. |
| |
| 2020-03-07 Mark Lam <mark.lam@apple.com> |
| |
| Remove bad assertion in FTLLowerDFGToB3's compileDelBy(). |
| https://bugs.webkit.org/show_bug.cgi?id=208764 |
| <rdar://problem/59940095> |
| |
| Reviewed by Keith Miller. |
| |
| The assertion ASSERT(base.gpr() != params[2].gpr()) is wrong because it is legal |
| JS to pass in the same value as the base and subscript. The runtime will handle |
| it properly. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileDelBy): |
| |
| 2020-03-05 Sam Weinig <weinig@apple.com> |
| |
| Move JavaScriptCore related feature defines from FeatureDefines.xcconfig to PlatformEnableCocoa.h |
| https://bugs.webkit.org/show_bug.cgi?id=207436 |
| <rdar://problem/59296762> |
| |
| Reviewed by Darin Adler. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| Remove JSC related defines. |
| |
| 2020-03-06 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Enable public class fields |
| https://bugs.webkit.org/show_bug.cgi?id=208756 |
| |
| Reviewed by Mark Lam. |
| |
| This patch turns public-class-fields feature on, implemented in r254653. |
| To separate it from private-class-fields, this patch renames the flag from useClassFields to usePublicClassFields |
| and enables the public-class-fields feature first. |
| |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::FunctionCallValueNode::emitBytecode): |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseClass): |
| * runtime/OptionsList.h: |
| |
| 2020-03-06 Mark Lam <mark.lam@apple.com> |
| |
| Add "AndOrdered" to the names of ordered DoubleConditions. |
| https://bugs.webkit.org/show_bug.cgi?id=208736 |
| |
| Reviewed by Keith Miller. |
| |
| Renamed the following: |
| DoubleEqual ==> DoubleEqualAndOrdered |
| DoubleNotEqual ==> DoubleNotEqualAndOrdered |
| DoubleGreaterThan ==> DoubleGreaterThanAndOrdered |
| DoubleGreaterThanOrEqual ==> DoubleGreaterThanOrEqualAndOrdered |
| DoubleLessThan ==> DoubleLessThanAndOrdered |
| DoubleLessThanOrEqual ==> DoubleLessThanOrEqualAndOrdered |
| |
| The comment for these enums in MacroAssemblerARM64.h says: |
| // These conditions will only evaluate to true if the comparison is ordered - i.e. neither operand is NaN. |
| |
| Adding "AndOrdered" to their names makes this property explicit. |
| |
| From reading the original names, one might intuitively think that these conditions |
| map directly to the C++ double comparisons. This intuition is incorrect. |
| Consider the DoubleNotEqual case: let's compare 2 doubles, a and b: |
| |
| result = (a != b); |
| |
| For C++, if either a or b are NaNs, then a != b will actually return true. |
| This is contrary to the behavior documented in the MacroAssemblerARM64.h comment |
| above about how DoubleNotEqual should behave. In our code, DoubleNotEqual actually |
| means DoubleNotEqualAndOrdered. The C++ != behavior actually matches our |
| DoubleNotEqualOrUnordered condition instead. |
| |
| The tendency to want to associate DoubleNotEqual with the behavior of the C++ |
| != operator is precisely why we should give these conditions better names. |
| Adding "AndOrdered" to the names makes the expected behavior explicit, and |
| leaves no room for confusion with C++ double comparison semantics. |
| |
| * assembler/MacroAssembler.cpp: |
| (WTF::printInternal): |
| * assembler/MacroAssembler.h: |
| (JSC::MacroAssembler::invert): |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare): |
| (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare): |
| (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare): |
| (JSC::MacroAssemblerARM64::floatingPointCompare): |
| * assembler/MacroAssemblerARMv7.h: |
| (JSC::MacroAssemblerARMv7::branchDouble): |
| * assembler/MacroAssemblerMIPS.h: |
| (JSC::MacroAssemblerMIPS::branchDouble): |
| (JSC::MacroAssemblerMIPS::branchDoubleNonZero): |
| * assembler/MacroAssemblerX86Common.h: |
| (JSC::MacroAssemblerX86Common::branchDoubleNonZero): |
| (JSC::MacroAssemblerX86Common::moveConditionallyDouble): |
| (JSC::MacroAssemblerX86Common::invert): |
| (JSC::MacroAssemblerX86Common::floatingPointCompare): |
| (JSC::MacroAssemblerX86Common::jumpAfterFloatingPointCompare): |
| (JSC::MacroAssemblerX86Common::moveConditionallyAfterFloatingPointCompare): |
| * assembler/MacroAssemblerX86_64.h: |
| (JSC::MacroAssemblerX86_64::truncateDoubleToUint64): |
| (JSC::MacroAssemblerX86_64::truncateFloatToUint64): |
| * assembler/testmasm.cpp: |
| (JSC::testCompareDouble): |
| (JSC::testCompareDoubleSameArg): |
| (JSC::testMoveConditionallyFloatingPoint): |
| (JSC::testMoveDoubleConditionallyDouble): |
| (JSC::testMoveDoubleConditionallyDoubleDestSameAsThenCase): |
| (JSC::testMoveDoubleConditionallyDoubleDestSameAsElseCase): |
| (JSC::testMoveDoubleConditionallyFloat): |
| (JSC::testMoveDoubleConditionallyFloatDestSameAsThenCase): |
| (JSC::testMoveDoubleConditionallyFloatDestSameAsElseCase): |
| (JSC::testMoveConditionallyFloatingPointSameArg): |
| (JSC::run): |
| * b3/B3LowerToAir.cpp: |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::compileClampDoubleToByte): |
| (JSC::DFG::SpeculativeJIT::compileArithRounding): |
| (JSC::DFG::SpeculativeJIT::compileArithMinMax): |
| (JSC::DFG::SpeculativeJIT::compileArithPow): |
| (JSC::DFG::SpeculativeJIT::compileStrictEq): |
| (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): |
| (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::branchIfNotNaN): |
| * jit/JITArithmetic.cpp: |
| (JSC::JIT::emitSlow_op_jless): |
| (JSC::JIT::emitSlow_op_jlesseq): |
| (JSC::JIT::emitSlow_op_jgreater): |
| (JSC::JIT::emitSlow_op_jgreatereq): |
| * jit/JITArithmetic32_64.cpp: |
| (JSC::JIT::emitBinaryDoubleOp): |
| * jit/ThunkGenerators.cpp: |
| (JSC::floorThunkGenerator): |
| (JSC::roundThunkGenerator): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>): |
| (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>): |
| |
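The ordered/unordered distinction from the entry above, modelled as an added example (not JavaScriptCore code): each condition is evaluated with IEEE 754 semantics, an inversion table pairs every AndOrdered condition with its OrUnordered complement, and an exhaustive check over NaN, infinities and ordinary values confirms the pairing. The enum names follow the renamed conditions; the `invert` table is this example's own, not the MacroAssembler one.

```cpp
// Added example, not JavaScriptCore code. Models the DoubleCondition semantics the
// entry describes: AndOrdered holds only when neither operand is NaN, OrUnordered
// also holds when either operand is NaN.
#include <cmath>

enum class DoubleCondition {
    EqualAndOrdered,
    NotEqualAndOrdered,
    GreaterThanAndOrdered,
    GreaterThanOrEqualAndOrdered,
    LessThanAndOrdered,
    LessThanOrEqualAndOrdered,
    EqualOrUnordered,
    NotEqualOrUnordered,
    GreaterThanOrUnordered,
    GreaterThanOrEqualOrUnordered,
    LessThanOrUnordered,
    LessThanOrEqualOrUnordered,
};

// A comparison involving a NaN is "unordered": AndOrdered rejects it, OrUnordered accepts it.
bool evaluate(DoubleCondition cond, double a, double b)
{
    const bool unordered = std::isunordered(a, b); // true iff a or b is NaN
    switch (cond) {
    case DoubleCondition::EqualAndOrdered:               return !unordered && a == b;
    case DoubleCondition::NotEqualAndOrdered:            return !unordered && a != b;
    case DoubleCondition::GreaterThanAndOrdered:         return !unordered && a > b;
    case DoubleCondition::GreaterThanOrEqualAndOrdered:  return !unordered && a >= b;
    case DoubleCondition::LessThanAndOrdered:            return !unordered && a < b;
    case DoubleCondition::LessThanOrEqualAndOrdered:     return !unordered && a <= b;
    case DoubleCondition::EqualOrUnordered:              return unordered || a == b;
    case DoubleCondition::NotEqualOrUnordered:           return unordered || a != b;
    case DoubleCondition::GreaterThanOrUnordered:        return unordered || a > b;
    case DoubleCondition::GreaterThanOrEqualOrUnordered: return unordered || a >= b;
    case DoubleCondition::LessThanOrUnordered:           return unordered || a < b;
    case DoubleCondition::LessThanOrEqualOrUnordered:    return unordered || a <= b;
    }
    return false;
}

// Inverting flips the relation and the ordered/unordered half together:
// !(ordered && a == b) is (unordered || a != b). Pairing the halves wrongly is
// exactly the NaN bug the clearer names are meant to prevent.
DoubleCondition invert(DoubleCondition cond)
{
    switch (cond) {
    case DoubleCondition::EqualAndOrdered:               return DoubleCondition::NotEqualOrUnordered;
    case DoubleCondition::NotEqualAndOrdered:            return DoubleCondition::EqualOrUnordered;
    case DoubleCondition::GreaterThanAndOrdered:         return DoubleCondition::LessThanOrEqualOrUnordered;
    case DoubleCondition::GreaterThanOrEqualAndOrdered:  return DoubleCondition::LessThanOrUnordered;
    case DoubleCondition::LessThanAndOrdered:            return DoubleCondition::GreaterThanOrEqualOrUnordered;
    case DoubleCondition::LessThanOrEqualAndOrdered:     return DoubleCondition::GreaterThanOrUnordered;
    case DoubleCondition::EqualOrUnordered:              return DoubleCondition::NotEqualAndOrdered;
    case DoubleCondition::NotEqualOrUnordered:           return DoubleCondition::EqualAndOrdered;
    case DoubleCondition::GreaterThanOrUnordered:        return DoubleCondition::LessThanOrEqualAndOrdered;
    case DoubleCondition::GreaterThanOrEqualOrUnordered: return DoubleCondition::LessThanAndOrdered;
    case DoubleCondition::LessThanOrUnordered:           return DoubleCondition::GreaterThanOrEqualAndOrdered;
    case DoubleCondition::LessThanOrEqualOrUnordered:    return DoubleCondition::GreaterThanAndOrdered;
    }
    return cond;
}

// Exhaustive check in the spirit of testmasm over constructed operands that include
// NaN and both infinities: evaluate(invert(c), a, b) must equal !evaluate(c, a, b).
bool invertIsConsistent()
{
    const double samples[] = { 0.0, -0.0, 1.0, -2.5, INFINITY, -INFINITY, NAN };
    const DoubleCondition all[] = {
        DoubleCondition::EqualAndOrdered, DoubleCondition::NotEqualAndOrdered,
        DoubleCondition::GreaterThanAndOrdered, DoubleCondition::GreaterThanOrEqualAndOrdered,
        DoubleCondition::LessThanAndOrdered, DoubleCondition::LessThanOrEqualAndOrdered,
        DoubleCondition::EqualOrUnordered, DoubleCondition::NotEqualOrUnordered,
        DoubleCondition::GreaterThanOrUnordered, DoubleCondition::GreaterThanOrEqualOrUnordered,
        DoubleCondition::LessThanOrUnordered, DoubleCondition::LessThanOrEqualOrUnordered,
    };
    for (DoubleCondition c : all)
        for (double a : samples)
            for (double b : samples)
                if (evaluate(invert(c), a, b) != !evaluate(c, a, b))
                    return false;
    return true;
}

// C++'s != is true when either operand is NaN, so it matches NotEqualOrUnordered,
// not NotEqualAndOrdered: the intuition the entry warns against.
bool cppNotEqualMatches(DoubleCondition cond, double a, double b)
{
    return (a != b) == evaluate(cond, a, b);
}
```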
| 2020-03-06 David Kilzer <ddkilzer@apple.com> |
| |
| REGRESSION (r258038): Build failure on Windows 10 bots |
| <https://bugs.webkit.org/show_bug.cgi?id=208731> |
| <rdar://problem/59222568> |
| |
| * assembler/testmasm.cpp: |
| (JSC::testCompareDouble): |
| (JSC::testCompareDoubleSameArg): |
| (JSC::testMoveConditionallyFloatingPoint): |
| (JSC::testMoveConditionallyFloatingPointSameArg): |
| - Add RELEASE_ASSERT_NOT_REACHED() statements to try to fix the |
| bots. |
| |
| 2020-03-06 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Put remaining fixed-sized cells into IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=208754 |
| |
| Reviewed by Keith Miller. |
| |
| Put remaining fixed-sized cells into IsoSubspace. Now all the fixed-sized cells have their own IsoSubspaces. |
| |
| 1. JSArray (We need to care about RAMification number, or compensate RAMification regression with improvements). |
| 2. Inspector's objects |
| 3. All prototype objects have one IsoSubspace since they are plain objects. |
| |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::JSInjectedScriptHost): |
| * inspector/JSInjectedScriptHost.h: |
| * inspector/JSInjectedScriptHostPrototype.h: |
| * inspector/JSJavaScriptCallFrame.cpp: |
| (Inspector::JSJavaScriptCallFrame::JSJavaScriptCallFrame): |
| * inspector/JSJavaScriptCallFrame.h: |
| * inspector/JSJavaScriptCallFramePrototype.h: |
| * jsc.cpp: |
| (JSC::Masquerader::subspaceFor): |
| (JSCMemoryFootprint::subspaceFor): |
| * runtime/ArrayIteratorPrototype.h: |
| * runtime/ArrayPrototype.h: |
| * runtime/AsyncFromSyncIteratorPrototype.h: |
| * runtime/AsyncFunctionPrototype.h: |
| * runtime/AsyncGeneratorFunctionPrototype.h: |
| * runtime/AsyncGeneratorPrototype.h: |
| * runtime/AsyncIteratorPrototype.h: |
| * runtime/AtomicsObject.h: |
| * runtime/BigIntPrototype.h: |
| * runtime/ConsoleObject.h: |
| * runtime/DatePrototype.h: |
| * runtime/ErrorPrototype.h: |
| * runtime/ExceptionHelpers.h: |
| * runtime/GeneratorFunctionPrototype.h: |
| * runtime/GeneratorPrototype.h: |
| * runtime/InspectorInstrumentationObject.h: |
| * runtime/IntlCollatorPrototype.h: |
| * runtime/IntlDateTimeFormatPrototype.h: |
| * runtime/IntlNumberFormatPrototype.h: |
| * runtime/IntlObject.h: |
| * runtime/IntlPluralRulesPrototype.h: |
| * runtime/IteratorPrototype.h: |
| * runtime/JSArray.h: |
| (JSC::JSArray::subspaceFor): |
| * runtime/JSArrayBufferPrototype.h: |
| * runtime/JSDataViewPrototype.h: |
| * runtime/JSDestructibleObject.h: |
| (JSC::JSDestructibleObject::subspaceFor): Deleted. |
| * runtime/JSGenericTypedArrayViewPrototype.h: |
| * runtime/JSModuleLoader.h: |
| * runtime/JSONObject.h: |
| * runtime/JSObject.h: |
| * runtime/JSObjectInlines.h: |
| (JSC::JSFinalObject::subspaceFor): |
| (JSC::JSObject::subspaceFor): Deleted. |
| * runtime/JSPromisePrototype.h: |
| (JSC::JSPromisePrototype::subspaceFor): |
| * runtime/JSTypedArrayViewPrototype.h: |
| * runtime/MapIteratorPrototype.h: |
| * runtime/MapPrototype.h: |
| * runtime/MathObject.h: |
| * runtime/NativeErrorPrototype.h: |
| * runtime/ObjectPrototype.h: |
| * runtime/ReflectObject.h: |
| * runtime/RegExpPrototype.h: |
| * runtime/RegExpStringIteratorPrototype.h: |
| * runtime/SetIteratorPrototype.h: |
| * runtime/SetPrototype.h: |
| * runtime/StringIteratorPrototype.h: |
| * runtime/SymbolPrototype.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * runtime/WeakMapPrototype.h: |
| * runtime/WeakObjectRefPrototype.h: |
| * runtime/WeakSetPrototype.h: |
| * tools/JSDollarVM.cpp: |
| * tools/JSDollarVM.h: |
| * wasm/js/JSWebAssembly.h: |
| * wasm/js/WebAssemblyCompileErrorPrototype.h: |
| * wasm/js/WebAssemblyGlobalPrototype.h: |
| * wasm/js/WebAssemblyInstancePrototype.h: |
| * wasm/js/WebAssemblyLinkErrorPrototype.h: |
| * wasm/js/WebAssemblyMemoryPrototype.h: |
| * wasm/js/WebAssemblyModulePrototype.h: |
| * wasm/js/WebAssemblyRuntimeErrorPrototype.h: |
| * wasm/js/WebAssemblyTablePrototype.h: |
| |
| 2020-03-06 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| JSON.stringify should call replacer on deleted properties |
| https://bugs.webkit.org/show_bug.cgi?id=208725 |
| |
| Reviewed by Ross Kirsling. |
| |
| This change removes extra `hasProperty` check from `appendNextProperty` as |
| it does not exist in the spec [1], aligning JSC with V8 and SpiderMonkey. |
| |
| This patch also replaces 3 usages of `getPropertySlot` with semantically |
| equivalent (yet more concise) `get` and inlines `toJSONImpl` (this change |
| is performance-neutral). |
| |
| [1]: https://tc39.es/ecma262/#sec-serializejsonobject (steps 6, 8.a) |
| |
| * runtime/JSONObject.cpp: |
| (JSC::Stringifier::toJSON): |
| (JSC::Stringifier::Holder::appendNextProperty): |
| (JSC::Stringifier::toJSONImpl): Deleted. |
| |
| 2020-03-06 Mark Lam <mark.lam@apple.com> |
| |
| Fix some issues in the ARM64 moveConditionallyAfterFloatingPointCompare() and moveDoubleConditionallyAfterFloatingPointCompare(). |
| https://bugs.webkit.org/show_bug.cgi?id=208731 |
| <rdar://problem/59222568> |
| |
| Reviewed by Saam Barati. |
| |
| Both the ARM64 moveConditionallyAfterFloatingPointCompare() and |
| moveDoubleConditionallyAfterFloatingPointCompare() had the following issues: |
| |
| 1. For the DoubleNotEqual condition, they fail to set the result register if |
| one or both of the comparison operands is a NaN. |
| |
| 2. For the DoubleEqualOrUnordered condition, they can clobber the else case |
| input register if one of the comparison operands is a NaN. |
| |
| This patch fixes both of these, and adds exhaustive testmasm test cases for affected |
| MacroAssembler instruction emitters using these functions. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare): |
| (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare): |
| * assembler/testmasm.cpp: |
| (JSC::testCompareDouble): |
| (JSC::testCompareDoubleSameArg): |
| (JSC::testMoveConditionallyFloatingPoint): |
| (JSC::testMoveConditionallyDouble2): |
| (JSC::testMoveConditionallyDouble3): |
| (JSC::testMoveConditionallyDouble3DestSameAsThenCase): |
| (JSC::testMoveConditionallyDouble3DestSameAsElseCase): |
| (JSC::testMoveConditionallyFloat2): |
| (JSC::testMoveConditionallyFloat3): |
| (JSC::testMoveConditionallyFloat3DestSameAsThenCase): |
| (JSC::testMoveConditionallyFloat3DestSameAsElseCase): |
| (JSC::testMoveDoubleConditionallyDouble): |
| (JSC::testMoveDoubleConditionallyDoubleDestSameAsThenCase): |
| (JSC::testMoveDoubleConditionallyDoubleDestSameAsElseCase): |
| (JSC::testMoveDoubleConditionallyFloat): |
| (JSC::testMoveDoubleConditionallyFloatDestSameAsThenCase): |
| (JSC::testMoveDoubleConditionallyFloatDestSameAsElseCase): |
| (JSC::testMoveConditionallyFloatingPointSameArg): |
| (JSC::testMoveConditionallyDouble2SameArg): |
| (JSC::testMoveConditionallyDouble3SameArg): |
| (JSC::testMoveConditionallyFloat2SameArg): |
| (JSC::testMoveConditionallyFloat3SameArg): |
| (JSC::testMoveDoubleConditionallyDoubleSameArg): |
| (JSC::testMoveDoubleConditionallyFloatSameArg): |
| (JSC::run): |
| |
| 2020-03-05 Paulo Matos <pmatos@igalia.com> |
| |
| [JSCOnly] 32-bits warning on memset of JSValue |
| https://bugs.webkit.org/show_bug.cgi?id=204411 |
| |
| Reviewed by Mark Lam. |
| |
| Fixes warning on 32bit builds. This is required because GCC knows |
| it is not safe to use memset on non-POD types and warns against its use. |
| |
| * heap/GCMemoryOperations.h: |
| (JSC::gcSafeZeroMemory): |
| |
| 2020-03-04 Mark Lam <mark.lam@apple.com> |
| |
| Handle an out of memory error while constructing the BytecodeGenerator. |
| https://bugs.webkit.org/show_bug.cgi?id=208622 |
| <rdar://problem/59341136> |
| |
| Reviewed by Saam Barati. |
| |
| Added the ability to handle out of memory errors encountered during the |
| construction of the BytecodeGenerator. Currently, we only use this for the |
| case where we fail to instantiate a ScopedArgumentsTable. |
| |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::generate): |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| * bytecompiler/BytecodeGeneratorBase.h: |
| * runtime/ScopedArgumentsTable.cpp: |
| (JSC::ScopedArgumentsTable::tryCreate): |
| * runtime/ScopedArgumentsTable.h: |
| * runtime/SymbolTable.h: |
| |
| 2020-03-04 Paulo Matos <pmatos@igalia.com> |
| |
| JSC 32bits broken in debug mode by r257399 |
| https://bugs.webkit.org/show_bug.cgi?id=208439 |
| |
| Reviewed by Carlos Alberto Lopez Perez. |
| |
| Use the uses() method call instead of gpr() in the assert so that it |
| works for both 64 and 32 bits. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateImpl): |
| |
| 2020-03-03 Saam Barati <sbarati@apple.com> |
| |
| Refactor FixedVMPoolExecutableAllocator to not have member functions which are really just helper functions |
| https://bugs.webkit.org/show_bug.cgi?id=208537 |
| |
| Reviewed by Mark Lam. |
| |
| There were a few member functions in FixedVMPoolExecutableAllocator that were |
| essentially helper functions. I've factored them out, and made FixedVMPoolExecutableAllocator |
| call them directly. This refactoring is needed when I implement the 1GB |
| executable pool on arm64 since the implementation of that will create split |
| implementations of something like FixedVMPoolExecutableAllocator. |
| |
| * jit/ExecutableAllocator.cpp: |
| (JSC::jitWriteThunkGenerator): |
| (JSC::genericWriteToJITRegion): |
| (JSC::initializeSeparatedWXHeaps): |
| (JSC::initializeJITPageReservation): |
| (JSC::ExecutableAllocator::isValid const): |
| (JSC::ExecutableAllocator::underMemoryPressure): |
| (JSC::ExecutableAllocator::memoryPressureMultiplier): |
| (JSC::ExecutableAllocator::allocate): |
| (JSC::ExecutableAllocator::isValidExecutableMemory): |
| (JSC::ExecutableAllocator::getLock const): |
| (JSC::ExecutableAllocator::committedByteCount): |
| (JSC::ExecutableAllocator::dumpProfile): |
| (JSC::startOfFixedExecutableMemoryPoolImpl): |
| (JSC::endOfFixedExecutableMemoryPoolImpl): |
| (JSC::isJITPC): |
| |
| 2020-03-03 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Introduce JSRemoteInspectorServerStart API for socket-based RWI. |
| https://bugs.webkit.org/show_bug.cgi?id=208349 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * API/JSRemoteInspectorServer.cpp: Added. |
| (JSRemoteInspectorServerStart): |
| * API/JSRemoteInspectorServer.h: Added. |
| * CMakeLists.txt: |
| |
| 2020-03-03 Basuke Suzuki <basuke.suzuki@sony.com> |
| |
| [WinCairo][PlayStation] Add interface to get listening port of RemoteInspectorServer |
| https://bugs.webkit.org/show_bug.cgi?id=208391 |
| |
| Reviewed by Don Olmstead. |
| |
| When passing zero as a port argument, the system will pick an available port for it. |
| Without this method, the client cannot find out which port is listening. |
| |
| * inspector/remote/socket/RemoteInspectorServer.cpp: |
| (Inspector::RemoteInspectorServer::start): |
| (Inspector::RemoteInspectorServer::getPort): |
| * inspector/remote/socket/RemoteInspectorServer.h: |
| |
| 2020-03-03 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] @hasOwnLengthProperty returns wrong value if "length" is attempted to be modified |
| https://bugs.webkit.org/show_bug.cgi?id=208497 |
| <rdar://problem/59913544> |
| |
| Reviewed by Mark Lam. |
| |
| When "length" of JSFunction is attempted to be modified, we set a flag. And @hasOwnLengthProperty |
| does not correctly use this flag to return a value for the fast path. This affects the "length" |
| property of bound functions. For example, |
| |
| function userFunction(a) { } |
| userFunction.length = 20; // This field is read-only. So, it is not changed. |
| userFunction.bind().length; // Should be 1, but it returns 0. |
| |
| 1. We rename m_hasModifiedLength to m_hasModifiedLengthForNonHostFunction and m_hasModifiedName |
| to m_hasModifiedNameForNonHostFunction since we are not tracking these states for host-functions |
| which can eagerly initialize them. |
| 2. We rename areNameAndLengthOriginal to canAssumeNameAndLengthAreOriginal to allow it to return |
| "false" for host functions. If it returns true, we go to the fast path. |
| 3. Correctly use canAssumeNameAndLengthAreOriginal information in @hasOwnLengthProperty. |
| |
| * runtime/FunctionRareData.cpp: |
| (JSC::FunctionRareData::FunctionRareData): |
| * runtime/FunctionRareData.h: |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::put): |
| (JSC::JSFunction::deleteProperty): |
| (JSC::JSFunction::defineOwnProperty): |
| * runtime/JSFunction.h: |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::canAssumeNameAndLengthAreOriginal): |
| (JSC::JSFunction::areNameAndLengthOriginal): Deleted. |
| * runtime/JSGlobalObject.cpp: |
| (JSC::hasOwnLengthProperty): |
| * tools/JSDollarVM.cpp: |
| (JSC::functionHasOwnLengthProperty): |
| |
| 2020-03-02 Alan Coon <alancoon@apple.com> |
| |
| Add new Mac target numbers |
| https://bugs.webkit.org/show_bug.cgi?id=208398 |
| |
| Reviewed by Alexey Proskuryakov. |
| |
| * Configurations/Base.xcconfig: |
| * Configurations/DebugRelease.xcconfig: |
| * Configurations/Version.xcconfig: |
| * Configurations/WebKitTargetConditionals.xcconfig: |
| |
| 2020-03-02 Justin Michaud <justin_michaud@apple.com> |
| |
| Delete by val caching does not keep the subscript alive |
| https://bugs.webkit.org/show_bug.cgi?id=208393 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Before, the provided test case crashed with asan because we did not keep deleteByVal |
| subscripts alive. This patch changes CacheableIdentifier to make this mistake harder |
| to make again, by making the constructor calls more explicit when CacheableIdentifier |
| will not keep an Identifier alive. |
| |
| * jit/JITOperations.cpp: |
| * jit/Repatch.cpp: |
| (JSC::tryCachePutByID): |
| (JSC::tryCacheDeleteBy): |
| (JSC::repatchDeleteBy): |
| (JSC::tryCacheInByID): |
| (JSC::tryCacheInstanceOf): |
| (JSC::tryCacheDelBy): Deleted. |
| (JSC::repatchDelBy): Deleted. |
| * jit/Repatch.h: |
| * runtime/CacheableIdentifier.h: |
| * runtime/CacheableIdentifierInlines.h: |
| (JSC::CacheableIdentifier::createFromIdentifierOwnedByCodeBlock): |
| (JSC::CacheableIdentifier::createFromCell): |
| |
| 2020-03-02 Paulo Matos <pmatos@igalia.com> |
| |
| Fix JSC 32bit alignment increase gcc warning |
| https://bugs.webkit.org/show_bug.cgi?id=208445 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Use reinterpret_cast_ptr<>() instead of reinterpret_cast<>() to |
| avoid GCC warning about increase in alignment requirement for cast |
| target type. |
| |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::compileExit): |
| |
| 2020-03-02 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix wrong assertion |
| https://bugs.webkit.org/show_bug.cgi?id=208404 |
| <rdar://problem/59956592> |
| |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedUniquedStringImplBase::decode const): |
| |
| 2020-03-01 Charles Turner <cturner@igalia.com> |
| |
| undefined reference to `JSC::ExecutableBase::hasJITCodeForCall() const' |
| https://bugs.webkit.org/show_bug.cgi?id=207890 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Encountered on arm-buildroot-linux-gnueabihf with GCC 9.2.0. |
| |
| * runtime/NativeExecutable.cpp: Inclusion of |
| ExecutableBaseInlines.h resolves the issue for me. |
| |
| 2020-02-29 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Remove std::lock_guard |
| https://bugs.webkit.org/show_bug.cgi?id=206451 |
| |
| Reviewed by Anders Carlsson. |
| |
| * API/JSVirtualMachine.mm: |
| (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): |
| (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): |
| * API/glib/JSCVirtualMachine.cpp: |
| (addWrapper): |
| (removeWrapper): |
| * heap/HeapSnapshotBuilder.cpp: |
| (JSC::HeapSnapshotBuilder::analyzeNode): |
| (JSC::HeapSnapshotBuilder::analyzeEdge): |
| (JSC::HeapSnapshotBuilder::analyzePropertyNameEdge): |
| (JSC::HeapSnapshotBuilder::analyzeVariableNameEdge): |
| (JSC::HeapSnapshotBuilder::analyzeIndexEdge): |
| (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell): |
| * heap/MachineStackMarker.cpp: |
| (JSC::MachineThreads::tryCopyOtherThreadStacks): |
| * runtime/JSRunLoopTimer.cpp: |
| (JSC::JSRunLoopTimer::timerDidFire): |
| |
| 2020-02-28 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] BuiltinNames' HashMap should be small |
| https://bugs.webkit.org/show_bug.cgi?id=208404 |
| |
| Reviewed by Mark Lam. |
| |
| This patch converts public-to-private-name-map from HashMap<RefPtr<UniquedStringImpl>, SymbolImpl*> to HashSet<String> to save half of the memory. |
| The key is that private names have the same string content as the public names. We can just query the HashSet of |
| private names with the string content, and we get the private names. |
| |
| The problem is that we also have a hack inserting string <-> non-private well-known Symbol mappings into this table. These symbols do not have |
| the same content as the public string. So the above assumption is broken. |
| |
| To make the above assumption valid, we have a separate small HashMap which holds string <-> non-private well-known Symbol mappings. Since the number of |
| well-known Symbols is only 13, this new HashMap is taking at most 512B for entries, which is much smaller compared to the memory saved by |
| converting HashMap to HashSet for private names (32KB). |
| |
| To allow it, we introduce a new well-known Symbol identifier syntax to builtin JS, which is the "@@iterator" format. If there are two "@", we parse this |
| identifier as a well-known Symbol. |
| |
| * builtins/ArrayConstructor.js: |
| (from.wrapper.iterator): |
| (from): |
| (from.wrapper.iteratorSymbol): Deleted. |
| * builtins/ArrayPrototype.js: |
| (globalPrivate.concatSlowPath): |
| (concat): |
| * builtins/BuiltinNames.cpp: |
| (JSC::BuiltinNames::BuiltinNames): |
| (JSC::CharBufferSeacher::hash): |
| (JSC::CharBufferSeacher::equal): |
| (JSC::lookUpPrivateNameImpl): |
| (JSC::lookUpWellKnownSymbolImpl): |
| (JSC::BuiltinNames::lookUpPrivateName const): |
| (JSC::BuiltinNames::lookUpWellKnownSymbol const): |
| * builtins/BuiltinNames.h: |
| (JSC::BuiltinNames::lookUpPrivateName const): |
| (JSC::BuiltinNames::lookUpWellKnownSymbol const): |
| (JSC::BuiltinNames::checkPublicToPrivateMapConsistency): |
| (JSC::BuiltinNames::appendExternalName): |
| (JSC::BuiltinNames::getPublicName const): Deleted. |
| * builtins/GlobalOperations.js: |
| (globalPrivate.speciesConstructor): |
| * builtins/IteratorHelpers.js: |
| (performIteration): |
| * builtins/StringPrototype.js: |
| (match): |
| (matchAll): |
| (intrinsic.StringPrototypeReplaceIntrinsic.replace): |
| (replaceAll): |
| (search): |
| (split): |
| * builtins/TypedArrayConstructor.js: |
| (from.wrapper.iterator): |
| (from): |
| (from.wrapper.iteratorSymbol): Deleted. |
| * builtins/TypedArrayPrototype.js: |
| (globalPrivate.typedArraySpeciesConstructor): |
| (map): |
| (filter): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate): |
| * parser/Lexer.cpp: |
| (JSC::Lexer<LChar>::parseIdentifier): |
| (JSC::Lexer<UChar>::parseIdentifier): |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedUniquedStringImplBase::encode): |
| (JSC::CachedUniquedStringImplBase::decode const): |
| * runtime/CommonIdentifiers.cpp: |
| (JSC::CommonIdentifiers::CommonIdentifiers): |
| (JSC::CommonIdentifiers::lookUpPrivateName const): Deleted. |
| (JSC::CommonIdentifiers::getPublicName const): Deleted. |
| * runtime/CommonIdentifiers.h: |
| * tools/JSDollarVM.cpp: |
| (JSC::functionGetPrivateProperty): |
| |
| 2020-02-28 Saam Barati <sbarati@apple.com> |
| |
| Clean up code with how we choose Gigacage sizes and whether or not to use Wasm fast memory |
| https://bugs.webkit.org/show_bug.cgi?id=208392 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/OptionsList.h: |
| |
| 2020-02-27 Saam Barati <sbarati@apple.com> |
| |
| Fix debug arm64 Wasm tests |
| https://bugs.webkit.org/show_bug.cgi?id=208362 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv): |
| |
| We were assuming that "-1" is a valid imm on arm64, but it's not; we need |
| to use a big imm. |
| |
| 2020-02-27 Justin Michaud <justin_michaud@apple.com> |
| |
| Poly proto should work with property delete transitions |
| https://bugs.webkit.org/show_bug.cgi?id=208261 |
| |
| Reviewed by Saam Barati. |
| |
| This patch fixes a bug where the combination of inline caching |
| and poly proto causes us to cache a setter call along a prototype chain that |
| is no longer the correct setter to call. This is exposed as a result of |
| https://bugs.webkit.org/show_bug.cgi?id=206430 since DefineOwnProperty used |
| to transition to an uncacheable dictionary. |
| |
| The case looks like this: |
| A - setter for x redefines x |
| | |
| B |
| | |
| C |
| |
| We set (new C).x |
| |
| Right now, we first call A's setter, then we try to figure out what the state of things |
| was before it was called in order to cache it. We just assume that A's setter still exists, and we cache it |
| without ever checking. In this patch, we ensure that the property exists and the attributes match in order to prevent crashing. |
| |
| In the code, A = target, C = base. |
| |
| Get is correct because it collects caching information before any calls. |
| |
| The bug https://bugs.webkit.org/show_bug.cgi?id=208337 tracks the remaining semantic bugs around this code. |
| |
| * jit/Repatch.cpp: |
| (JSC::tryCachePutByID): |
| |
| 2020-02-27 Basuke Suzuki <basuke.suzuki@sony.com> |
| |
| [WinCairo] Fix RemoteInspector reconnect issue |
| https://bugs.webkit.org/show_bug.cgi?id=208256 |
| |
| Reviewed by Devin Rousso. |
| |
| Call target's disconnection sequence asynchronously to avoid deadlock. |
| |
| * inspector/remote/RemoteConnectionToTarget.cpp: |
| (Inspector::RemoteConnectionToTarget::close): |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: |
| (Inspector::RemoteInspectorSocketEndpoint::workerThread): |
| |
| 2020-02-26 Mark Lam <mark.lam@apple.com> |
| |
| Enhance JSObjectGetProperty() to mitigate against null object pointers. |
| https://bugs.webkit.org/show_bug.cgi?id=208275 |
| <rdar://problem/59826325> |
| |
| Reviewed by Robin Morisset. |
| |
| * API/JSObjectRef.cpp: |
| (JSObjectGetProperty): |
| |
| 2020-02-26 Saam Barati <sbarati@apple.com> |
| |
| Make testair pass on arm64 |
| https://bugs.webkit.org/show_bug.cgi?id=208258 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| testElideMoveThenRealloc and testElideSimpleMove were never tested |
| on arm64. This patch makes those tests work. |
| - testElideMoveThenRealloc was using a BitImm that is invalid on arm64 |
| - testElideSimpleMove was testing for the wrong disassembly |
| |
| * b3/air/testair.cpp: |
| |
| 2020-02-26 Don Olmstead <don.olmstead@sony.com> |
| |
| Allow setting of stack sizes for threads |
| https://bugs.webkit.org/show_bug.cgi?id=208223 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Specify ThreadType at the Thread::create callsite. |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::notifyIsSafeToCollect): |
| |
| 2020-02-26 Caio Lima <ticaiolima@gmail.com> |
| |
| [JSC][MIPS] Adding support to Checkpoints |
| https://bugs.webkit.org/show_bug.cgi?id=208196 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch adds changes to properly support OSR to |
| checkpoints on MIPS. It required fixes on the JIT probe and some |
| adjustment on Offlineasm to correctly generate the `$gp` load when executing |
| `checkpoint_osr_exit_from_inlined_call_trampoline`. |
| |
| * assembler/MacroAssemblerMIPS.cpp: |
| |
| The probe trampoline needs to allocate 16 bytes for 4 arguments to |
| properly follow C calling conventions. This space is used by the callee |
| when JSC is compiled with `-O0` flags |
| (check the "DEFAULT C CALLING CONVENTION (O32)" section on |
| https://www.mips.com/downloads/mips32-instruction-set-quick-reference-v1-01). |
| |
| * llint/LowLevelInterpreter.asm: |
| |
| As we need to do on ARMv7, 64-bit arguments need to be passed in |
| register pairs `$a1:$a0` or `$a3:$a2` (little-endian mode). Since `$a0` |
| contains `CallFrame*`, we need to pass `EncodedJSValue` in the `$a3:$a2` |
| pair. |
| |
| * offlineasm/mips.rb: |
| |
| Following the same reasoning as for return locations on OSR to LLInt, we |
| need to adjust `$gp` using `$ra` instead of `$t9` on |
| `checkpoint_osr_exit_from_inlined_call_trampoline`, given it is only |
| reachable through `ret` operations. For a detailed explanation, check the |
| ChangeLog of https://trac.webkit.org/changeset/252713. |
| |
| 2020-02-25 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: safari app extension isolated worlds and injected files use the extension's identifier instead of its name |
| https://bugs.webkit.org/show_bug.cgi?id=206911 |
| <rdar://problem/58026635> |
| |
| Reviewed by Brian Burg. |
| |
| * inspector/protocol/Browser.json: Added. |
| Add a `Browser` agent that can communicate with the inspected page's containing browser. It |
| lives in the UIProcess alongside the `Target` agent (meaning there should only be one per |
| debuggable rather than one per target) and as such is not routed through the `Target` agent. |
| |
| * CMakeLists.txt: |
| * DerivedSources-input.xcfilelist: |
| * DerivedSources.make: |
| |
| 2020-02-25 Justin Michaud <justin_michaud@apple.com> |
| |
| Inline Cache delete by id/val |
| https://bugs.webkit.org/show_bug.cgi?id=207522 |
| |
| Reviewed by Keith Miller and Filip Pizlo. |
| |
| We add inline caching for deleteById/val for baseline only. We also fix a concurrency bug in ICStats used for testing. |
| We add three new access cases (no inline code is emitted at this time): |
| - Delete is a cached delete of an existing property |
| - DeleteMiss is a delete of a property that does not exist |
| - DeleteNonConfigurable is a delete of a property that exists, but should not be deleted. |
| There are no conditions required for these caches, since the structure id must change and the prototype does not matter. |
| This gives the following microbenchmark results: |
| |
| delete-property-keeps-cacheable-structure (neutral) |
| delete-property-inline-cache definitely 3.9096x faster |
| delete-property-inline-cache-polymorphic definitely 1.5239x faster |
| delete-property-from-prototype-chain (neutral) |
| |
| * API/JSCallbackObject.h: |
| * API/JSCallbackObjectFunctions.h: |
| (JSC::JSCallbackObject<Parent>::deleteProperty): |
| (JSC::JSCallbackObject<Parent>::deletePropertyByIndex): |
| * API/JSObjectRef.cpp: |
| (JSObjectDeletePropertyForKey): |
| (JSObjectDeleteProperty): |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::create): |
| (JSC::AccessCase::createTransition): |
| (JSC::AccessCase::createDelete): |
| (JSC::AccessCase::requiresIdentifierNameMatch const): |
| (JSC::AccessCase::requiresInt32PropertyCheck const): |
| (JSC::AccessCase::needsScratchFPR const): |
| (JSC::AccessCase::forEachDependentCell const): |
| (JSC::AccessCase::doesCalls const): |
| (JSC::AccessCase::canReplace const): |
| (JSC::AccessCase::dump const): |
| (JSC::AccessCase::propagateTransitions const): |
| (JSC::AccessCase::generateImpl): |
| * bytecode/AccessCase.h: |
| (JSC::AccessCase::structure const): |
| (JSC::AccessCase::newStructure const): |
| * bytecode/PolymorphicAccess.cpp: |
| (WTF::printInternal): |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::reset): |
| * bytecode/StructureStubInfo.h: |
| * debugger/DebuggerScope.cpp: |
| (JSC::DebuggerScope::deleteProperty): |
| * debugger/DebuggerScope.h: |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::link): |
| * dfg/DFGJITCompiler.h: |
| (JSC::DFG::JITCompiler::addDelById): |
| (JSC::DFG::JITCompiler::addDelByVal): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileDeleteById): Deleted. |
| (JSC::DFG::SpeculativeJIT::compileDeleteByVal): Deleted. |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compileDeleteById): |
| (JSC::DFG::SpeculativeJIT::compileDeleteByVal): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compileDeleteById): |
| (JSC::DFG::SpeculativeJIT::compileDeleteByVal): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileDelBy): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal): |
| * jit/ICStats.h: |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileSlowCases): |
| (JSC::JIT::link): |
| * jit/JIT.h: |
| * jit/JITInlineCacheGenerator.cpp: |
| (JSC::JITDelByValGenerator::JITDelByValGenerator): |
| (JSC::JITDelByValGenerator::generateFastPath): |
| (JSC::JITDelByValGenerator::finalize): |
| (JSC::JITDelByIdGenerator::JITDelByIdGenerator): |
| (JSC::JITDelByIdGenerator::generateFastPath): |
| (JSC::JITDelByIdGenerator::finalize): |
| * jit/JITInlineCacheGenerator.h: |
| (JSC::JITDelByValGenerator::JITDelByValGenerator): |
| (JSC::JITDelByValGenerator::slowPathJump const): |
| (JSC::JITDelByIdGenerator::JITDelByIdGenerator): |
| (JSC::JITDelByIdGenerator::slowPathJump const): |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_del_by_id): |
| (JSC::JIT::emitSlow_op_del_by_id): |
| (JSC::JIT::emit_op_del_by_val): |
| (JSC::JIT::emitSlow_op_del_by_val): |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_del_by_id): |
| (JSC::JIT::emit_op_del_by_val): |
| (JSC::JIT::emitSlow_op_del_by_val): |
| (JSC::JIT::emitSlow_op_del_by_id): |
| * jit/Repatch.cpp: |
| (JSC::tryCachePutByID): |
| (JSC::tryCacheDelBy): |
| (JSC::repatchDelBy): |
| (JSC::resetPutByID): |
| (JSC::resetDelBy): |
| * jit/Repatch.h: |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * runtime/CacheableIdentifierInlines.h: |
| (JSC::CacheableIdentifier::CacheableIdentifier): |
| * runtime/ClassInfo.h: |
| * runtime/ClonedArguments.cpp: |
| (JSC::ClonedArguments::deleteProperty): |
| * runtime/ClonedArguments.h: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/DeletePropertySlot.h: Added. |
| (JSC::DeletePropertySlot::DeletePropertySlot): |
| (JSC::DeletePropertySlot::setConfigurableMiss): |
| (JSC::DeletePropertySlot::setNonconfigurable): |
| (JSC::DeletePropertySlot::setHit): |
| (JSC::DeletePropertySlot::isCacheableDelete const): |
| (JSC::DeletePropertySlot::isDeleteHit const): |
| (JSC::DeletePropertySlot::isConfigurableDeleteMiss const): |
| (JSC::DeletePropertySlot::isNonconfigurable const): |
| (JSC::DeletePropertySlot::cachedOffset const): |
| (JSC::DeletePropertySlot::disableCaching): |
| (JSC::DeletePropertySlot::isCacheable const): |
| * runtime/ErrorConstructor.cpp: |
| (JSC::ErrorConstructor::deleteProperty): |
| * runtime/ErrorConstructor.h: |
| * runtime/ErrorInstance.cpp: |
| (JSC::ErrorInstance::deleteProperty): |
| * runtime/ErrorInstance.h: |
| * runtime/GenericArguments.h: |
| * runtime/GenericArgumentsInlines.h: |
| (JSC::GenericArguments<Type>::put): |
| (JSC::GenericArguments<Type>::deleteProperty): |
| * runtime/GetterSetter.h: |
| * runtime/JSArray.cpp: |
| (JSC::JSArray::deleteProperty): |
| * runtime/JSArray.h: |
| * runtime/JSCJSValue.h: |
| * runtime/JSCell.cpp: |
| (JSC::JSCell::deleteProperty): |
| * runtime/JSCell.h: |
| * runtime/JSDataView.cpp: |
| (JSC::JSDataView::deleteProperty): |
| * runtime/JSDataView.h: |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::deleteProperty): |
| * runtime/JSFunction.h: |
| * runtime/JSGenericTypedArrayView.h: |
| * runtime/JSGenericTypedArrayViewInlines.h: |
| (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty): |
| (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::addFunction): |
| * runtime/JSLexicalEnvironment.cpp: |
| (JSC::JSLexicalEnvironment::deleteProperty): |
| * runtime/JSLexicalEnvironment.h: |
| * runtime/JSModuleEnvironment.cpp: |
| (JSC::JSModuleEnvironment::deleteProperty): |
| * runtime/JSModuleEnvironment.h: |
| * runtime/JSModuleNamespaceObject.cpp: |
| (JSC::JSModuleNamespaceObject::deleteProperty): |
| * runtime/JSModuleNamespaceObject.h: |
| * runtime/JSONObject.cpp: |
| (JSC::Walker::walk): |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::deleteProperty): |
| (JSC::JSObject::deletePropertyByIndex): |
| (JSC::validateAndApplyPropertyDescriptor): |
| * runtime/JSObject.h: |
| * runtime/JSProxy.cpp: |
| (JSC::JSProxy::deleteProperty): |
| * runtime/JSProxy.h: |
| * runtime/JSSymbolTableObject.cpp: |
| (JSC::JSSymbolTableObject::deleteProperty): |
| * runtime/JSSymbolTableObject.h: |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::deleteProperty): |
| * runtime/ProxyObject.h: |
| * runtime/RegExpObject.cpp: |
| (JSC::RegExpObject::deleteProperty): |
| * runtime/RegExpObject.h: |
| * runtime/StrictEvalActivation.cpp: |
| (JSC::StrictEvalActivation::deleteProperty): |
| * runtime/StrictEvalActivation.h: |
| * runtime/StringObject.cpp: |
| (JSC::StringObject::deleteProperty): |
| * runtime/StringObject.h: |
| * runtime/Structure.cpp: |
| (JSC::Structure::removePropertyTransition): |
| (JSC::Structure::removePropertyTransitionFromExistingStructureImpl): |
| (JSC::Structure::removePropertyTransitionFromExistingStructure): |
| (JSC::Structure::removePropertyTransitionFromExistingStructureConcurrently): |
| (JSC::Structure::removeNewPropertyTransition): |
| (JSC::Structure::dump const): |
| * runtime/Structure.h: |
| * runtime/StructureInlines.h: |
| (JSC::Structure::hasIndexingHeader const): |
| (JSC::Structure::mayHaveIndexingHeader const): |
| * tools/JSDollarVM.cpp: |
| (JSC::functionHasOwnLengthProperty): |
| (JSC::JSDollarVM::finishCreation): |
| |
| 2020-02-24 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [WTF] Attach WARN_UNUSED_RETURN to makeScopeExit and fix existing wrong usage |
| https://bugs.webkit.org/show_bug.cgi?id=208162 |
| |
| Reviewed by Robin Morisset. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseUnaryExpression): |
| |
| 2020-02-24 Keith Miller <keith_miller@apple.com> |
| |
| LLInt should fast path for jtrue/false on Symbols and Objects |
| https://bugs.webkit.org/show_bug.cgi?id=208151 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The 64-bit interpreter can fast-path the case where an object or symbol |
| is passed to a jtrue or jfalse opcode. This is because these values |
| are always truthy. |
| |
| Also, fix some weird indentation in LowLevelInterpreter.asm. |
| |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/JSType.h: |
| |
| 2020-02-24 Caio Lima <ticaiolima@gmail.com> |
| |
| [JSC] 32-bits debug build broken after r257212 |
| https://bugs.webkit.org/show_bug.cgi?id=208149 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Changing `Structure::setCachedPrototypeChain` to use |
| `m_cachedPrototypeChainOrRareData.setMayBeNull`, since `chain` may be |
| null. |
| |
| * runtime/StructureInlines.h: |
| (JSC::Structure::setCachedPrototypeChain): |
| |
| 2020-02-24 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix watchOS build |
| https://bugs.webkit.org/show_bug.cgi?id=207827 |
| |
| While watchOS does not use FTL at all, it still compiles. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): |
| (JSC::FTL::DFG::LowerDFGToB3::loadStructureClassInfo): |
| (JSC::FTL::DFG::LowerDFGToB3::loadStructureCachedPrototypeChainOrRareData): |
| |
| 2020-02-24 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, build fix for 32bit pointer architectures |
| https://bugs.webkit.org/show_bug.cgi?id=207827 |
| |
| * runtime/Structure.h: |
| |
| 2020-02-23 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Shrink Structure |
| https://bugs.webkit.org/show_bug.cgi?id=207827 |
| |
| Reviewed by Saam Barati. |
| |
| This patch shrinks sizeof(Structure) from 112 to 96 (16 bytes) in architectures using 64 bit pointers. |
| Structure is one of the most frequently allocated JSCells in JSC. So it is worth doing |
| all sorts of bit hacks to make it as compact as possible. |
| |
| 1. Put outOfLineTypeFlags, maxOffset and transitionOffset into highest bits of m_propertyTableUnsafe, |
| m_cachedPrototypeChain, m_classInfo, and m_transitionPropertyName. Do not use PackedPtr here since |
| some of them are concurrently accessed by GC. |
| 2. Put m_inlineCapacity into lower 8 bits of m_propertyHash. |
| 3. Remove m_lock, and use Structure::cellLock() instead. |
| 4. Remove m_cachedPrototypeChain clearing from the concurrent collector since it is dead code; it was old code. |
| We were setting m_cachedPrototypeChain only if the Structure is for a JSObject. Clearing happened only if it was not |
| a Structure for a JSObject. |
| 5. Previous Structure is held as StructureID m_previous. And m_previousOrRareData becomes m_cachedPrototypeChainOrRareData. |
| |
| Many pairs are using CompactPointerTuple to make code clean. |
| Combining all of the above techniques saves us 16 bytes. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::create): |
| (JSC::AccessCase::propagateTransitions const): |
| * bytecode/AccessCase.h: |
| (JSC::AccessCase::structure const): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCheckSubClass): |
| (JSC::DFG::SpeculativeJIT::compileObjectKeys): |
| (JSC::DFG::SpeculativeJIT::compileCreateThis): |
| (JSC::DFG::SpeculativeJIT::compileCreatePromise): |
| (JSC::DFG::SpeculativeJIT::compileCreateInternalFieldObject): |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::emitLoadClassInfoFromStructure): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_create_this): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_create_this): |
| * jit/Repatch.cpp: |
| (JSC::tryCachePutByID): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * runtime/ClonedArguments.cpp: |
| (JSC::ClonedArguments::createStructure): |
| * runtime/ConcurrentJSLock.h: |
| (JSC::ConcurrentJSLockerBase::ConcurrentJSLockerBase): |
| (JSC::GCSafeConcurrentJSLockerImpl::GCSafeConcurrentJSLockerImpl): |
| (JSC::GCSafeConcurrentJSLockerImpl::~GCSafeConcurrentJSLockerImpl): |
| (JSC::ConcurrentJSLockerImpl::ConcurrentJSLockerImpl): |
| (JSC::GCSafeConcurrentJSLocker::GCSafeConcurrentJSLocker): Deleted. |
| (JSC::GCSafeConcurrentJSLocker::~GCSafeConcurrentJSLocker): Deleted. |
| (JSC::ConcurrentJSLocker::ConcurrentJSLocker): Deleted. |
| * runtime/JSCell.h: |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::deleteProperty): |
| (JSC::JSObject::shiftButterflyAfterFlattening): |
| * runtime/JSObject.h: |
| (JSC::JSObject::getDirectConcurrently const): |
| * runtime/JSObjectInlines.h: |
| (JSC::JSObject::prepareToPutDirectWithoutTransition): |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| * runtime/Structure.cpp: |
| (JSC::StructureTransitionTable::contains const): |
| (JSC::StructureTransitionTable::get const): |
| (JSC::StructureTransitionTable::add): |
| (JSC::Structure::dumpStatistics): |
| (JSC::Structure::Structure): |
| (JSC::Structure::create): |
| (JSC::Structure::findStructuresAndMapForMaterialization): |
| (JSC::Structure::materializePropertyTable): |
| (JSC::Structure::addPropertyTransitionToExistingStructureImpl): |
| (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently): |
| (JSC::Structure::addNewPropertyTransition): |
| (JSC::Structure::removeNewPropertyTransition): |
| (JSC::Structure::changePrototypeTransition): |
| (JSC::Structure::attributeChangeTransition): |
| (JSC::Structure::toDictionaryTransition): |
| (JSC::Structure::takePropertyTableOrCloneIfPinned): |
| (JSC::Structure::nonPropertyTransitionSlow): |
| (JSC::Structure::flattenDictionaryStructure): |
| (JSC::Structure::pin): |
| (JSC::Structure::pinForCaching): |
| (JSC::Structure::allocateRareData): |
| (JSC::Structure::ensurePropertyReplacementWatchpointSet): |
| (JSC::Structure::copyPropertyTableForPinning): |
| (JSC::Structure::add): |
| (JSC::Structure::remove): |
| (JSC::Structure::visitChildren): |
| (JSC::Structure::canCachePropertyNameEnumerator const): |
| * runtime/Structure.h: |
| * runtime/StructureInlines.h: |
| (JSC::Structure::get): |
| (JSC::Structure::ruleOutUnseenProperty const): |
| (JSC::Structure::seenProperties const): |
| (JSC::Structure::addPropertyHashAndSeenProperty): |
| (JSC::Structure::forEachPropertyConcurrently): |
| (JSC::Structure::transitivelyTransitionedFrom): |
| (JSC::Structure::cachedPrototypeChain const): |
| (JSC::Structure::setCachedPrototypeChain): |
| (JSC::Structure::prototypeChain const): |
| (JSC::Structure::propertyReplacementWatchpointSet): |
| (JSC::Structure::checkOffsetConsistency const): |
| (JSC::Structure::add): |
| (JSC::Structure::remove): |
| (JSC::Structure::removePropertyWithoutTransition): |
| (JSC::Structure::setPropertyTable): |
| (JSC::Structure::clearPropertyTable): |
| (JSC::Structure::setOutOfLineTypeFlags): |
| (JSC::Structure::setInlineCapacity): |
| (JSC::Structure::setClassInfo): |
| (JSC::Structure::setPreviousID): |
| (JSC::Structure::clearPreviousID): |
| * runtime/StructureRareData.cpp: |
| (JSC::StructureRareData::createStructure): |
| (JSC::StructureRareData::create): |
| (JSC::StructureRareData::StructureRareData): |
| (JSC::StructureRareData::visitChildren): |
| * runtime/StructureRareData.h: |
| * runtime/StructureRareDataInlines.h: |
| (JSC::StructureRareData::setCachedPrototypeChain): |
| (JSC::StructureRareData::setPreviousID): Deleted. |
| (JSC::StructureRareData::clearPreviousID): Deleted. |
| * tools/JSDollarVM.cpp: |
| (JSC::JSDollarVMHelper::functionGetStructureTransitionList): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| |
| 2020-02-20 Mark Lam <mark.lam@apple.com> |
| |
| Make support for bytecode caching more robust against file corruption. |
| https://bugs.webkit.org/show_bug.cgi?id=207972 |
| <rdar://problem/59260595> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| If a bytecode cache file is corrupted, we currently will always crash every time |
| we try to read it (in perpetuity as long as the corrupted cache file continues to |
| exist on disk). To guard against this, we'll harden the bytecode caching mechanism |
| as follows: |
| |
| 1. Modify the writeCache operation to always write the cache file in a transactional |
| manner, i.e. we'll first write to a .tmp file, and then rename the .tmp file to |
| the cache file only if the entire file has been written in full. |
| |
| This ensures that we won't get corrupted cache files due to interrupted writes. |
| |
| 2. Modify the writeCache operation to also compute a SHA1 hash of the cache file |
| and append the hash at end of the file. Modify the readCache operation to |
| first authenticate the SHA1 hash before allowing the cache file to be used. |
| If the hash does not match, the file is bad, and we'll just delete it. |
| |
| This ensures that we won't be crashing while decoding a corrupted cache file. |
| |
| Manually tested with the following scenarios and ensuring that the client recovers |
| with no crashes: |
| |
| 1. no cache file on disk. |
| 2. a 0-sized cache file on disk. |
| 3. a truncated cache file on disk. |
| 4. a corrupted cache file on disk. |
| 5. an uncorrupted cache file on disk. |
| |
| Also added some static_asserts in CachedTypes.cpp to document some invariants that |
| the pre-existing code is dependent on. |
| |
| * API/JSScript.mm: |
| (-[JSScript readCache]): |
| (-[JSScript writeCache:]): |
| * runtime/CachedTypes.cpp: |
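The two hardening steps described in the entry above, as an added C++ example that is not JavaScriptCore's code and not its JSScript API: the writer emits payload || SHA1(payload) to a `.tmp` file and renames it over the cache path, and the reader verifies the trailing digest before decoding anything and deletes the file when verification fails. The function names, the `./jsc_cache_example.bin` path, the sample payload and the inline SHA-1 are this example's own assumptions; `runScenarios` walks the five cases the entry lists (missing, 0-sized, truncated, corrupted, intact).

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
static const size_t kDigestSize = 20;

// Minimal SHA-1 (FIPS 180-4) over a byte buffer; returns the 20-byte raw digest.
// Inlined so the example runs offline; a real build would use the platform's crypto library.
static Bytes sha1(const Bytes& msg) {
    uint32_t h[5] = {0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u, 0xC3D2E1F0u};
    Bytes m = msg;
    uint64_t bitLen = static_cast<uint64_t>(msg.size()) * 8;
    m.push_back(0x80);                                // padding: a 1 bit, zeros to 56 mod 64, then the bit length
    while (m.size() % 64 != 56) m.push_back(0);
    for (int i = 7; i >= 0; --i) m.push_back(static_cast<uint8_t>(bitLen >> (i * 8)));
    auto rotl = [](uint32_t x, int n) { return (x << n) | (x >> (32 - n)); };
    for (size_t off = 0; off < m.size(); off += 64) {
        uint32_t w[80];
        for (int i = 0; i < 16; ++i)
            w[i] = (uint32_t(m[off + 4 * i]) << 24) | (uint32_t(m[off + 4 * i + 1]) << 16)
                 | (uint32_t(m[off + 4 * i + 2]) << 8) | uint32_t(m[off + 4 * i + 3]);
        for (int i = 16; i < 80; ++i) w[i] = rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
        uint32_t a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int i = 0; i < 80; ++i) {
            uint32_t f, k;
            if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999u; }
            else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1u; }
            else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDCu; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6u; }
            uint32_t t = rotl(a, 5) + f + e + k + w[i];
            e = d; d = c; c = rotl(b, 30); b = a; a = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    Bytes out;
    for (uint32_t v : h)
        for (int i = 3; i >= 0; --i) out.push_back(static_cast<uint8_t>(v >> (i * 8)));
    return out;
}

static std::string sha1Hex(const std::string& s) {
    static const char* hex = "0123456789abcdef";
    std::string r;
    for (uint8_t b : sha1(Bytes(s.begin(), s.end()))) { r += hex[b >> 4]; r += hex[b & 15]; }
    return r;
}

// Write payload || SHA1(payload) to "<path>.tmp", then rename over the real cache file,
// so an interrupted write can never leave a half-written file at the cache path.
static bool writeCacheTransactionally(const std::string& path, const Bytes& payload) {
    std::string tmp = path + ".tmp";
    {
        std::ofstream out(tmp, std::ios::binary | std::ios::trunc);
        if (!out) return false;
        Bytes digest = sha1(payload);
        if (!payload.empty()) out.write(reinterpret_cast<const char*>(payload.data()), payload.size());
        out.write(reinterpret_cast<const char*>(digest.data()), digest.size());
        if (!out) return false;
    } // stream closed and flushed before the rename
    return std::rename(tmp.c_str(), path.c_str()) == 0;
}

// Read the cache file, verify the trailing digest before trusting any byte of the body,
// and delete the file when it is too short or fails verification.
static bool readCacheAuthenticated(const std::string& path, Bytes& payload) {
    std::ifstream in(path, std::ios::binary);
    if (!in) return false;                            // no cache file: nothing to verify or delete
    Bytes bytes((std::istreambuf_iterator<char>(in)), std::istreambuf_iterator<char>());
    in.close();
    bool ok = bytes.size() >= kDigestSize;            // 0-sized and too-short files fail here
    if (ok) {
        Bytes body(bytes.begin(), bytes.end() - kDigestSize);
        Bytes expected = sha1(body);
        uint8_t diff = 0;                             // constant-time digest comparison
        for (size_t i = 0; i < kDigestSize; ++i) diff |= expected[i] ^ bytes[body.size() + i];
        ok = (diff == 0);
        if (ok) payload = std::move(body);
    }
    if (!ok) std::remove(path.c_str());               // bad file: never decode it, never re-read it
    return ok;
}

// The five scenarios from the entry; returns true only if every one recovers as expected.
static bool runScenarios(const std::string& path) {
    Bytes payload = {'c', 'a', 'c', 'h', 'e', 'd', ' ', 'b', 'y', 't', 'e', 'c', 'o', 'd', 'e'}; // constructed sample
    Bytes image = payload, digest = sha1(payload);
    image.insert(image.end(), digest.begin(), digest.end());
    auto writeRaw = [&](const Bytes& b) {
        std::ofstream out(path, std::ios::binary | std::ios::trunc);
        if (!b.empty()) out.write(reinterpret_cast<const char*>(b.data()), b.size());
    };
    Bytes got;
    std::remove(path.c_str());                                          // 1. no cache file on disk
    if (readCacheAuthenticated(path, got)) return false;
    writeRaw({});                                                       // 2. 0-sized cache file
    if (readCacheAuthenticated(path, got)) return false;
    writeRaw(Bytes(image.begin(), image.end() - 5));                    // 3. truncated cache file
    if (readCacheAuthenticated(path, got)) return false;
    Bytes corrupted = image; corrupted[3] ^= 0x01; writeRaw(corrupted); // 4. corrupted cache file
    if (readCacheAuthenticated(path, got)) return false;
    if (!writeCacheTransactionally(path, payload)) return false;        // 5. uncorrupted cache file
    if (!readCacheAuthenticated(path, got) || got != payload) return false;
    std::remove(path.c_str());
    return true;
}

int main() {
    std::printf("sha1(\"abc\") = %s\n", sha1Hex("abc").c_str());
    std::printf("all scenarios recovered: %s\n", runScenarios("./jsc_cache_example.bin") ? "yes" : "no");
    return 0;
}
```

The digest guards against accidental corruption and interrupted writes, which is what the entry targets; it does not authenticate the file against someone who can write to the cache directory, since such a writer can recompute the hash, so file-system permissions on the cache location still matter.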
| |
| 2020-02-19 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Computed Properties with increment sometimes produces incorrect results |
| https://bugs.webkit.org/show_bug.cgi?id=170934 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| When the key and value of a computed property each have side effects, the eval order should be key-before-value. |
| Not only have we had this backwards, we've also been giving them both the same target register. |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::PropertyListNode::emitPutConstantProperty): |
| |
| 2020-02-19 Keith Miller <keith_miller@apple.com> |
| |
| Disable Wasm reference types by default |
| https://bugs.webkit.org/show_bug.cgi?id=207952 |
| |
| Reviewed by Mark Lam. |
| |
| * runtime/OptionsList.h: |
| |
| 2020-02-19 Stephan Szabo <stephan.szabo@sony.com> |
| |
| [PlayStation] Get jsc test wrappers using find_package |
| https://bugs.webkit.org/show_bug.cgi?id=207914 |
| |
| Reviewed by Ross Kirsling. |
| |
| * shell/PlatformPlayStation.cmake: |
| |
| 2020-02-18 Keith Miller <keith_miller@apple.com> |
| |
| Add an os_log PrintStream |
| https://bugs.webkit.org/show_bug.cgi?id=207898 |
| |
| Reviewed by Mark Lam. |
| |
| Add jsc option to write dataLogs to os_log. |
| |
| * runtime/Options.cpp: |
| (JSC::Options::initialize): |
| * runtime/OptionsList.h: |
| |
| 2020-02-18 Paulo Matos <pmatos@igalia.com> |
| |
| Fix order (in MIPS) under which CS-registers are saved/restored |
| https://bugs.webkit.org/show_bug.cgi?id=207752 |
| |
| Reviewed by Keith Miller. |
| |
| This has been causing several segfaults on MIPS with JIT enabled |
| because during an OSR to baseline, the order in which LLInt was |
| saving the registers was not in sync with the way baseline was |
| restoring them. |
| |
| * llint/LowLevelInterpreter.asm: |
| |
| 2020-02-18 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Computed function properties compute their keys twice |
| https://bugs.webkit.org/show_bug.cgi?id=207297 |
| |
| Reviewed by Keith Miller. |
| |
| If a pseudo-String is used as the key of a computed function property, |
| any side effects from resolving the string value occur in duplicate. |
| |
| The cause has two parts: |
| - We aren't ensuring that the string value is resolved before doing SetFunctionName and PutByVal. |
| - Our implementation of SetFunctionName (https://tc39.es/ecma262/#sec-setfunctionname) |
| calls toString on a non-symbol argument, instead of assuming the type is a string. |
| |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::shouldSetFunctionName): Added. |
| (JSC::BytecodeGenerator::emitSetFunctionName): Added. |
| (JSC::BytecodeGenerator::emitSetFunctionNameIfNeededImpl): Deleted. |
| (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded): Deleted. |
| * bytecompiler/BytecodeGenerator.h: |
| Split the "if needed" logic out into its own function. |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::PropertyListNode::emitBytecode): |
| (JSC::PropertyListNode::emitPutConstantProperty): |
| (JSC::DefineFieldNode::emitBytecode): |
| Never emit OpSetFunctionName for a name of unknown type. |
| (But also, don't perform a needless ToPropertyKey for non-function computed property keys.) |
| |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::setFunctionName): |
| Don't call toString, assert isString. |
| |
| 2020-02-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] JITThunk should be HashSet<Weak<NativeExecutable>> with appropriate GC weakness handling |
| https://bugs.webkit.org/show_bug.cgi?id=207715 |
| |
| Reviewed by Darin Adler. |
| |
| This patch refines JITThunks' GC-aware Weak hash map for NativeExecutable. Previously, we had a |
| HashMap<std::tuple<TaggedNativeFunction, TaggedNativeFunction, String>, Weak<NativeExecutable>> table. |
| But this is not good because the first tuple's information is already in NativeExecutable. |
| But we were using this design since Weak<NativeExecutable> can be nullified because of Weak<>. If this |
| happens, we could have an invalid Entry in the HashMap which does not have corresponding values. This will |
| cause a crash when rehashing requires the hash code for this entry. |
| |
| But this HashMap is very bad in terms of memory usage. Each entry has 32 bytes, and this table gets |
| large enough. We identified that this table is consuming much memory in Membuster. So it is worth designing a |
| carefully crafted data structure which only holds Weak<NativeExecutable> by leveraging the deep interaction |
| with our GC implementation. |
| |
| This patch implements new design of JITThunks, which uses HashSet<Weak<NativeExecutable>> and carefully crafted |
| HashTraits / KeyTraits to handle Weak<> well. |
| |
| 1. Each Weak should have a finalizer, and this finalizer should remove the dead Weak<NativeExecutable> from the HashSet. |
| |
| This ensures that all the keys in the HashSet, even if Weak<> is saying it is Dead, still have a way |
| to access the content of NativeExecutable if the content is not a JS object. For example, we can get the function |
| pointer from a dead Weak<NativeExecutable> if it is not yet finalized. Since we remove all finalized Weak<> |
| from the table, this finalizer mechanism allows us to access function pointers etc. from Weak<NativeExecutable> |
| so long as it is held in this table. |
| |
| 2. Getting NativeExecutable* from JITThunks should have a special protocol. |
| |
| When getting NativeExecutable* from JITThunks, we do the following, |
| |
| 1. First, we check whether we have an Entry in JITThunks. If it does not exist, we should insert it anyway. |
| 1.1. If it exists, we should check whether this Weak<NativeExecutable> is dead or not. It is possible that a |
| dead one is still in the table because "dead" does not mean that it is "finalized". Until finalizing happens (and |
| it can be delayed by the incremental sweeper), Weak<NativeExecutable> can be dead but still accessible. So the table |
| is still holding the dead one. If we get a dead one, we should insert a new one. |
| 1.2. If it is not dead, we return it. |
| 2. Second, we create a new NativeExecutable and insert it. In that case, it is possible that the table already has a Weak<NativeExecutable>, |
| but it is dead. In that case, we need to explicitly replace it with the newly created one since the old one is holding old content. If we |
| replaced it, the finalizer of the Weak<> will not be invoked since it immediately deallocates the Weak<>. So, it does not happen that this newly |
| inserted NativeExecutable* is removed by the finalizer registered by the old Weak<>. |
| |
| This change makes memory usage of JITThunks table 1/4. |
| |
| * heap/Weak.cpp: |
| (JSC::weakClearSlowCase): |
| * heap/Weak.h: |
| (JSC::Weak::Weak): |
| (JSC::Weak::isHashTableEmptyValue const): |
| (JSC::Weak::unsafeImpl const): |
| (WTF::HashTraits<JSC::Weak<T>>::isEmptyValue): |
| * heap/WeakInlines.h: |
| (JSC::Weak<T>::Weak): |
| * jit/JITThunks.cpp: |
| (JSC::JITThunks::JITThunks): |
| (JSC::JITThunks::WeakNativeExecutableHash::hash): |
| (JSC::JITThunks::WeakNativeExecutableHash::equal): |
| (JSC::JITThunks::HostKeySearcher::hash): |
| (JSC::JITThunks::HostKeySearcher::equal): |
| (JSC::JITThunks::NativeExecutableTranslator::hash): |
| (JSC::JITThunks::NativeExecutableTranslator::equal): |
| (JSC::JITThunks::NativeExecutableTranslator::translate): |
| (JSC::JITThunks::finalize): |
| (JSC::JITThunks::hostFunctionStub): |
| (JSC::JITThunks::clearHostFunctionStubs): Deleted. |
| * jit/JITThunks.h: |
| * runtime/NativeExecutable.h: |
| * tools/JSDollarVM.cpp: |
| (JSC::functionGCSweepAsynchronously): |
| (JSC::functionCreateEmptyFunctionWithName): |
| (JSC::JSDollarVM::finishCreation): |
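
As an added illustration (not JSC's code), the following C++ models the protocol the entry above describes: a set whose hash and equality look through a weak handle to its content, a stack probe acting as the search key for lookups by host function pointer, a finalizer that evicts only the exact dead handle it belongs to, and a lookup path that replaces a dead-but-unfinalized entry and deallocates the stale handle immediately so its finalizer can never evict the replacement. Executable, WeakHandle and ThunkTable are invented stand-ins for NativeExecutable, Weak<NativeExecutable> and JITThunks; the collector is simulated by two explicit calls (gcMarkDead, gcFinalize) so the dead-but-accessible window can be exercised deterministically.

```cpp
// Added illustration, not JSC's JITThunks code. Executable, WeakHandle and
// ThunkTable stand in for NativeExecutable, Weak<NativeExecutable>, JITThunks.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <memory>
#include <string>
#include <unordered_set>
#include <vector>

// Stand-in for NativeExecutable: the host function pointer is the lookup key.
struct Executable {
    std::string name;
    uintptr_t functionPointer;
};

// Stand-in for Weak<>. "dead" means the collector found the cell unreachable;
// until the finalizer runs the content stays readable, which hashing relies on.
struct WeakHandle {
    Executable* target;
    bool dead = false;
};

// Hash and equality look through the handle to the content. A probe handle on
// the stack plays the search-key role for lookups by function pointer.
struct HandleHash {
    size_t operator()(const WeakHandle* h) const {
        return std::hash<uintptr_t>()(h->target->functionPointer);
    }
};
struct HandleEqual {
    bool operator()(const WeakHandle* a, const WeakHandle* b) const {
        return a->target->functionPointer == b->target->functionPointer;
    }
};

class ThunkTable {
public:
    // The protocol: return a live entry; otherwise create a new one, replacing
    // a dead-but-not-yet-finalized entry if the table still holds it.
    Executable* hostFunctionStub(uintptr_t fp, const std::string& name) {
        Executable probe{name, fp};
        WeakHandle searcher{&probe};
        auto it = m_set.find(&searcher); // may hash a dead, unfinalized key: still safe
        if (it != m_set.end() && !(*it)->dead)
            return (*it)->target;
        m_executables.push_back(std::make_unique<Executable>(Executable{name, fp}));
        m_handles.push_back(std::make_unique<WeakHandle>(WeakHandle{m_executables.back().get()}));
        WeakHandle* fresh = m_handles.back().get();
        if (it != m_set.end()) {
            // Dead entry still present: erase it and deallocate the stale handle at
            // once, so its finalizer never runs and cannot evict the new entry.
            WeakHandle* stale = *it;
            Executable* staleContent = stale->target;
            m_set.erase(it);
            release(m_handles, stale);
            release(m_executables, staleContent); // the dead cell, reclaimed here for simplicity
        }
        m_set.insert(fresh);
        return fresh->target;
    }

    // Simulated collector: mark the cell for fp unreachable without freeing it.
    void gcMarkDead(uintptr_t fp) {
        for (auto& h : m_handles)
            if (h->target->functionPointer == fp)
                h->dead = true;
    }

    // Simulated, possibly delayed sweep: each dead handle's finalizer removes
    // exactly that handle from the set, then handle and content are released.
    void gcFinalize() {
        std::vector<WeakHandle*> dead;
        for (auto& h : m_handles)
            if (h->dead)
                dead.push_back(h.get());
        for (WeakHandle* h : dead) {
            auto it = m_set.find(h);
            if (it != m_set.end() && *it == h)
                m_set.erase(it); // the finalizer's job
            Executable* content = h->target;
            release(m_handles, h);
            release(m_executables, content);
        }
    }

    size_t size() const { return m_set.size(); }

private:
    template<typename T>
    static void release(std::vector<std::unique_ptr<T>>& owner, T* raw) {
        owner.erase(std::remove_if(owner.begin(), owner.end(),
            [raw](const std::unique_ptr<T>& p) { return p.get() == raw; }), owner.end());
    }

    std::unordered_set<WeakHandle*, HandleHash, HandleEqual> m_set;
    std::vector<std::unique_ptr<WeakHandle>> m_handles;
    std::vector<std::unique_ptr<Executable>> m_executables;
};
```

The `*it == h` guard in gcFinalize is the detail that makes the finalizer safe to register on every handle: equality is by content, so a finalizer must confirm the set still holds its own handle rather than a replacement for the same function pointer before erasing. In this model that case cannot arise because replacement deallocates the stale handle first, which is exactly the property the entry's step 2 relies on.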
| |
| 2020-02-17 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [Wasm] REGRESSION(r256665): Wasm->JS call IC needs to save memory size register |
| https://bugs.webkit.org/show_bug.cgi?id=207849 |
| |
| Reviewed by Mark Lam. |
| |
| When generating the call IC, we should select the callee saves using BoundsChecking mode in order |
| to obey the calling conventions described in r256665. Currently, we won't restore the memory size |
| register when calling the Wasm LLInt through the call IC. |
| |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::calleeSaves const): |
| |
| 2020-02-17 Per Arne Vollan <pvollan@apple.com> |
| |
| Mach lookup to com.apple.webinspector should not be allowed in WebKit's WebContent process |
| https://bugs.webkit.org/show_bug.cgi?id=203214 |
| |
| Reviewed by Brent Fulgham. |
| |
| Add a static flag in RemoteInspector to indicate whether a sandbox extension is needed. The remote inspector will only be |
| started if the sandbox extension is not needed. Only the WebContent process will need a sandbox extension, since this |
| patch removes mach access to 'com.apple.webinspector' for this process. Also add name and domain for the |
| 'Enable Remote Inspector' setting, since this will be used in the UI process. |
| |
| * inspector/remote/RemoteInspector.cpp: |
| * inspector/remote/RemoteInspector.h: |
| * inspector/remote/RemoteInspectorConstants.h: |
| * inspector/remote/cocoa/RemoteInspectorCocoa.mm: |
| (Inspector::RemoteInspector::singleton): |
| |
| 2020-02-16 Fujii Hironori <Hironori.Fujii@sony.com> |
| |
| Remove remaining WTF_EXPORT and WTF_IMPORT by replacing them with WTF_EXPORT_DECLARATION and WTF_IMPORT_DECLARATION |
| https://bugs.webkit.org/show_bug.cgi?id=207746 |
| |
| Reviewed by Don Olmstead. |
| |
| * runtime/JSExportMacros.h: |
| |
| 2020-02-16 Paulo Matos <pmatos@igalia.com> |
| |
| Remove nonArgGPR1 for ARMv7 and ARM64 (unused) |
| https://bugs.webkit.org/show_bug.cgi?id=207753 |
| |
| Reviewed by Darin Adler. |
| |
| Cleanup commit - nonArgGPR1 is unused for both ARMv7 |
| and ARM64. |
| |
| * jit/GPRInfo.h: |
| |
| 2020-02-14 Tadeu Zagallo <tzagallo@apple.com> and Michael Saboff <msaboff@apple.com> |
| |
| [WASM] Wasm interpreter's calling convention doesn't match Wasm JIT's convention. |
| https://bugs.webkit.org/show_bug.cgi?id=207727 |
| |
| Reviewed by Mark Lam. |
| |
| The Wasm JIT has unusual calling conventions, which were further complicated by the addition |
| of the interpreter, and the interpreter did not correctly follow these conventions (by incorrectly |
| saving and restoring the callee save registers used for the memory base and size). Here's a summary |
| of the calling convention: |
| |
| - When entering Wasm from JS, the wrapper must: |
| - Preserve the base and size when entering LLInt regardless of the mode. (Prior to this |
| patch we only preserved the base in Signaling mode) |
| - Preserve the memory base in either mode, and the size for BoundsChecking. |
| - Both tiers must preserve every *other* register they use. e.g. the LLInt must preserve PB |
| and wasmInstance, but must *not* preserve memoryBase and memorySize. |
| - Changes to memoryBase and memorySize are visible to the caller. This means that: |
| - Intra-module calls can assume these registers are up-to-date even if the memory was |
| resized. The only exception here is if the LLInt calls a signaling JIT, in which case |
| the JIT will not update the size register, since it won't be using it. |
| - Inter-module and JS calls require the caller to reload these registers. These calls may |
| result in memory changes (e.g. the callee may call memory.grow). |
| - A Signaling JIT caller must be aware that the LLInt may trash the size register, since |
| it always bounds checks. |
| |
| * llint/WebAssembly.asm: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::addCall): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::addCall): |
| * wasm/WasmCallee.cpp: |
| (JSC::Wasm::LLIntCallee::calleeSaveRegisters): |
| * wasm/WasmCallingConvention.h: |
| * wasm/WasmLLIntPlan.cpp: |
| (JSC::Wasm::LLIntPlan::didCompleteCompilation): |
| * wasm/WasmMemoryInformation.cpp: |
| (JSC::Wasm::PinnedRegisterInfo::get): |
| (JSC::Wasm::getPinnedRegisters): Deleted. |
| |
| 2020-02-13 Stephan Szabo <stephan.szabo@sony.com> |
| |
| [PlayStation] Make special udis86 C file handling only happen for Visual Studio |
| https://bugs.webkit.org/show_bug.cgi?id=207729 |
| |
| Reviewed by Don Olmstead. |
| |
| * PlatformPlayStation.cmake: |
| |
| 2020-02-13 Caio Lima <ticaiolima@gmail.com> |
| |
| [ESNext][BigInt] We don't support BigInt literal as PropertyName |
| https://bugs.webkit.org/show_bug.cgi?id=206888 |
| |
| Reviewed by Ross Kirsling. |
| |
| According to the spec (https://tc39.es/ecma262/#prod-PropertyName), |
| BigInt literals are valid property names. Given that, we should not |
| throw a SyntaxError when using BigInt literals in destructuring |
| patterns, method declarations, object literals, etc. |
| This patch adds BigInt literals as valid syntax for PropertyName. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseDestructuringPattern): |
| (JSC::Parser<LexerType>::parseClass): |
| (JSC::Parser<LexerType>::parseInstanceFieldInitializerSourceElements): |
| (JSC::Parser<LexerType>::parseProperty): |
| (JSC::Parser<LexerType>::parseGetterSetter): |
| * parser/ParserArena.cpp: |
| (JSC::IdentifierArena::makeBigIntDecimalIdentifier): |
| * parser/ParserArena.h: |
| |
| 2020-02-12 Mark Lam <mark.lam@apple.com> |
| |
| Add options for debugging WASM code. |
| https://bugs.webkit.org/show_bug.cgi?id=207677 |
| <rdar://problem/59411390> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Specifically ... |
| |
| JSC_useBBQJIT - allows the BBQ JIT to be used if true |
| JSC_useOMGJIT - allows the OMG JIT to be used if true |
| JSC_useWasmLLIntPrologueOSR - allows prologue OSR from Wasm LLInt if true |
| JSC_useWasmLLIntLoopOSR - allows loop OSR from Wasm LLInt if true |
| JSC_useWasmLLIntEpilogueOSR - allows epilogue OSR from Wasm LLInt if true |
| JSC_wasmFunctionIndexRangeToCompile=N:M - wasm function index range to allow compilation on, e.g. 1:100 |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * runtime/Options.cpp: |
| (JSC::Options::ensureOptionsAreCoherent): |
| * runtime/OptionsList.h: |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::BBQPlan): |
| * wasm/WasmOMGForOSREntryPlan.cpp: |
| (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan): |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::OMGPlan): |
| * wasm/WasmOperations.cpp: |
| (JSC::Wasm::shouldJIT): |
| (JSC::Wasm::operationWasmTriggerOSREntryNow): |
| (JSC::Wasm::operationWasmTriggerTierUpNow): |
| * wasm/WasmSlowPaths.cpp: |
| (JSC::LLInt::shouldJIT): |
| (JSC::LLInt::WASM_SLOW_PATH_DECL): |
| |
| 2020-02-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Compact JITCodeMap by storing BytecodeIndex and CodeLocation separately |
| https://bugs.webkit.org/show_bug.cgi?id=207673 |
| |
| Reviewed by Mark Lam. |
| |
| While BytecodeIndex is 4 bytes, CodeLocation is 8 bytes. So the tuple of them, "JITCodeMap::Entry", |
| becomes 16 bytes because it adds 4 bytes of padding. We should store BytecodeIndex and CodeLocation separately |
| to avoid this padding. |
| |
| This patch introduces JITCodeMapBuilder. We use this to build the JITCodeMap data structure as an immutable final result. |
| |
| * jit/JIT.cpp: |
| (JSC::JIT::link): |
| * jit/JITCodeMap.h: |
| (JSC::JITCodeMap::JITCodeMap): |
| (JSC::JITCodeMap::find const): |
| (JSC::JITCodeMap::operator bool const): |
| (JSC::JITCodeMap::codeLocations const): |
| (JSC::JITCodeMap::indexes const): |
| (JSC::JITCodeMapBuilder::append): |
| (JSC::JITCodeMapBuilder::finalize): |
| (JSC::JITCodeMap::Entry::Entry): Deleted. |
| (JSC::JITCodeMap::Entry::bytecodeIndex const): Deleted. |
| (JSC::JITCodeMap::Entry::codeLocation): Deleted. |
| (JSC::JITCodeMap::append): Deleted. |
| (JSC::JITCodeMap::finish): Deleted. |
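
An added example (not JSC's JITCodeMap code) of the layout change described in the entry above: a padded array-of-structs entry beside a struct-of-arrays map that stores the 4-byte indexes and the pointer-sized locations in two parallel arrays, with a builder that collects entries in any order and produces the sorted, immutable result. CodeMap and CodeMapBuilder are invented stand-ins; binary search over the index array is the lookup chosen for this example.

```cpp
// Added illustration, not JSC's code. CodeMap/CodeMapBuilder stand in for
// JITCodeMap/JITCodeMapBuilder; BytecodeIndex and CodeLocation mirror the sizes given above.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

using BytecodeIndex = uint32_t;  // 4 bytes
using CodeLocation = uintptr_t;  // pointer-sized: 8 bytes on 64-bit targets

// Array-of-structs layout: the 4-byte index is padded up to the alignment of
// the 8-byte location, so each entry costs 16 bytes on a 64-bit ABI.
struct PaddedEntry {
    BytecodeIndex index;
    CodeLocation location;
};

// Immutable struct-of-arrays result: two parallel arrays, no per-entry padding.
class CodeMap {
public:
    // Indexes are sorted at finalize time, so lookup is a binary search over the
    // index array; the matching position indexes the location array.
    bool find(BytecodeIndex index, CodeLocation& out) const {
        auto it = std::lower_bound(m_indexes.begin(), m_indexes.end(), index);
        if (it == m_indexes.end() || *it != index)
            return false;
        out = m_locations[static_cast<size_t>(it - m_indexes.begin())];
        return true;
    }
    size_t size() const { return m_indexes.size(); }

    // Per-entry cost of the split layout, and what the padded struct wasted.
    static size_t splitBytesPerEntry() { return sizeof(BytecodeIndex) + sizeof(CodeLocation); }
    static size_t paddingSavedPerEntry() { return sizeof(PaddedEntry) - splitBytesPerEntry(); }

private:
    friend class CodeMapBuilder;
    std::vector<BytecodeIndex> m_indexes;
    std::vector<CodeLocation> m_locations;
};

// Mutable builder: collects pairs in any order, then emits the final map once.
class CodeMapBuilder {
public:
    using Entry = std::pair<BytecodeIndex, CodeLocation>;

    void append(BytecodeIndex index, CodeLocation location) {
        m_entries.emplace_back(index, location);
    }

    CodeMap finalize() {
        std::sort(m_entries.begin(), m_entries.end(),
            [](const Entry& a, const Entry& b) { return a.first < b.first; });
        CodeMap map;
        map.m_indexes.reserve(m_entries.size());
        map.m_locations.reserve(m_entries.size());
        for (const Entry& entry : m_entries) {
            map.m_indexes.push_back(entry.first);
            map.m_locations.push_back(entry.second);
        }
        m_entries.clear();
        return map;
    }

private:
    std::vector<Entry> m_entries;
};
```

Because the builder owns all mutation, the finished CodeMap exposes only `find` and `size`; nothing can append to it after `finalize`, which is what lets the storage be sized exactly once.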
| |
| 2020-02-12 Pavel Feldman <pavel.feldman@gmail.com> |
| |
| Web Inspector: encode binary web socket frames using base64 |
| https://bugs.webkit.org/show_bug.cgi?id=207448 |
| |
| The previous representation of binary frames was lossy, using fromUTF8WithLatin1Fallback; |
| this patch consistently encodes binary data using base64. |
| |
| Reviewed by Timothy Hatcher. |
| |
| * inspector/protocol/Network.json: |
| |
| 2020-02-12 Simon Fraser <simon.fraser@apple.com> |
| |
| Remove CSS_DEVICE_ADAPTATION |
| https://bugs.webkit.org/show_bug.cgi?id=203479 |
| |
| Reviewed by Tim Horton. |
| |
| CSS Working Group resolved to remove @viewport <https://github.com/w3c/csswg-drafts/issues/4766>, |
| so remove the code. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2020-02-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Compact StructureTransitionTable |
| https://bugs.webkit.org/show_bug.cgi?id=207616 |
| |
| Reviewed by Mark Lam. |
| |
| Some StructureTransitionTables are shown as very large HashMaps, and we can compact them by encoding the key. |
| We leverage 48-bit pointers and the 8-byte alignment of UniquedStringImpl* to encode other parameters into it. |
| |
| * runtime/Structure.cpp: |
| (JSC::StructureTransitionTable::contains const): |
| (JSC::StructureTransitionTable::get const): |
| (JSC::StructureTransitionTable::add): |
| * runtime/Structure.h: |
| * runtime/StructureTransitionTable.h: |
| (JSC::StructureTransitionTable::Hash::Key::Key): |
| (JSC::StructureTransitionTable::Hash::Key::isHashTableDeletedValue const): |
| (JSC::StructureTransitionTable::Hash::Key::impl const): |
| (JSC::StructureTransitionTable::Hash::Key::isAddition const): |
| (JSC::StructureTransitionTable::Hash::Key::attributes const): |
| (JSC::StructureTransitionTable::Hash::Key::operator==): |
| (JSC::StructureTransitionTable::Hash::Key::operator!=): |
| (JSC::StructureTransitionTable::Hash::hash): |
| (JSC::StructureTransitionTable::Hash::equal): |
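
An added example (not JSC's StructureTransitionTable code) of the pointer-packing idea the entry above describes: with an 8-byte-aligned pointer that fits in 48 bits, bits 0..2 and 48..63 are free, so a flag and a small attributes value can ride along in the same word and the whole key hashes and compares as one integer. The specific layout used here (isAddition in bit 0, eight attribute bits at 48..55) and the PackedTransitionKey name are assumptions for this example. The encoder refuses pointers that violate the alignment or width preconditions instead of silently overlapping fields.

```cpp
// Added illustration, not JSC's code. The bit layout below is an assumption
// chosen for the example, not StructureTransitionTable's actual encoding.
#include <cstdint>

class PackedTransitionKey {
public:
    PackedTransitionKey() = default;

    // Preconditions: 8-byte alignment frees bits 0..2; a 48-bit address frees
    // bits 48..63. Report violations rather than produce an overlapping key.
    static bool encode(const void* impl, bool isAddition, uint8_t attributes, PackedTransitionKey& out) {
        uint64_t p = static_cast<uint64_t>(reinterpret_cast<uintptr_t>(impl));
        if ((p & lowBitsMask) != 0 || (p >> attributesShift) != 0)
            return false;
        out.m_bits = p | (isAddition ? isAdditionBit : 0)
                       | (static_cast<uint64_t>(attributes) << attributesShift);
        return true;
    }

    const void* impl() const {
        return reinterpret_cast<const void*>(static_cast<uintptr_t>(m_bits & pointerMask));
    }
    bool isAddition() const { return (m_bits & isAdditionBit) != 0; }
    uint8_t attributes() const { return static_cast<uint8_t>(m_bits >> attributesShift); }

    // The whole key is one word, so hashing and equality are single-word operations.
    uint64_t bits() const { return m_bits; }
    bool operator==(const PackedTransitionKey& other) const { return m_bits == other.m_bits; }
    bool operator!=(const PackedTransitionKey& other) const { return m_bits != other.m_bits; }

private:
    static constexpr uint64_t lowBitsMask = 0x7;
    static constexpr uint64_t isAdditionBit = 0x1;
    static constexpr unsigned attributesShift = 48;
    static constexpr uint64_t pointerMask = 0x0000FFFFFFFFFFF8ull;
    uint64_t m_bits = 0;
};

// Aligned storage used only to obtain aligned and misaligned demo addresses.
struct alignas(8) DemoBlock { char bytes[64]; };
static const DemoBlock kDemoBlock{};
const void* alignedDemoPointer() { return kDemoBlock.bytes + 8; }
const void* misalignedDemoPointer() { return kDemoBlock.bytes + 1; }
```

The precondition check is the part worth keeping in any real variant: the scheme is only sound while every pointer stored really is 8-byte aligned and below 2^48, and a key that silently violated that would compare unequal to itself after decoding.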
| |
| 2020-02-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make RegExpCache small |
| https://bugs.webkit.org/show_bug.cgi?id=207619 |
| |
| Reviewed by Mark Lam. |
| |
| We can compact RegExpKey by using PackedRefPtr, so that we can shrink memory consumption of RegExpCache. |
| |
| * runtime/RegExpKey.h: |
| |
| 2020-02-10 Mark Lam <mark.lam@apple.com> |
| |
| Placate exception check validator in GenericArguments<Type>::put(). |
| https://bugs.webkit.org/show_bug.cgi?id=207485 |
| <rdar://problem/59302535> |
| |
| Reviewed by Robin Morisset. |
| |
| * runtime/GenericArgumentsInlines.h: |
| (JSC::GenericArguments<Type>::put): |
| |
| 2020-02-10 Mark Lam <mark.lam@apple.com> |
| |
| Missing exception check in GenericArguments<Type>::deletePropertyByIndex(). |
| https://bugs.webkit.org/show_bug.cgi?id=207483 |
| <rdar://problem/59302616> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/GenericArgumentsInlines.h: |
| (JSC::GenericArguments<Type>::deletePropertyByIndex): |
| |
| 2020-02-10 Truitt Savell <tsavell@apple.com> |
| |
| Unreviewed, rolling out r256091. |
| |
| Broke internal builds |
| |
| Reverted changeset: |
| |
| "Move trivial definitions from FeatureDefines.xcconfig to |
| PlatformEnableCocoa.h" |
| https://bugs.webkit.org/show_bug.cgi?id=207155 |
| https://trac.webkit.org/changeset/256091 |
| |
| 2020-02-10 Truitt Savell <tsavell@apple.com> |
| |
| Unreviewed, rolling out r256103. |
| |
| This patch is blocking the rollout of r256091 |
| |
| Reverted changeset: |
| |
| "Move JavaScriptCore related feature defines from |
| FeatureDefines.xcconfig to PlatformEnableCocoa.h" |
| https://bugs.webkit.org/show_bug.cgi?id=207436 |
| https://trac.webkit.org/changeset/256103 |
| |
| 2020-02-09 Keith Rollin <krollin@apple.com> |
| |
| Re-enable LTO for ARM builds |
| https://bugs.webkit.org/show_bug.cgi?id=207402 |
| <rdar://problem/49190767> |
| |
| Reviewed by Sam Weinig. |
| |
| Bug 190758 re-enabled LTO for Production builds for x86-family CPUs. |
| Enabling it for ARM was left out due to a compiler issue. That issue |
| has been fixed, and so now we can re-enable LTO for ARM. |
| |
| * Configurations/Base.xcconfig: |
| |
| 2020-02-08 Sam Weinig <weinig@apple.com> |
| |
| Move JavaScriptCore related feature defines from FeatureDefines.xcconfig to PlatformEnableCocoa.h |
| https://bugs.webkit.org/show_bug.cgi?id=207436 |
| |
| Reviewed by Tim Horton. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| Remove ENABLE_FAST_JIT_PERMISSIONS and ENABLE_FTL_JIT. |
| |
| 2020-02-08 Sam Weinig <weinig@apple.com> |
| |
| Move trivial definitions from FeatureDefines.xcconfig to PlatformEnableCocoa.h |
| https://bugs.webkit.org/show_bug.cgi?id=207155 |
| |
| Reviewed by Tim Horton. |
| |
| Move all trivial definitions (just ENABLE_FOO = ENABLE_FOO; or ENABLE_BAR = ;) |
| from the FeatureDefines.xcconfigs to PlatformEnableCocoa.h, ensuring each one |
| also has a default value in PlatformEnable.h. |
| |
| To support the move, DerivedSources.make has been updated to generate the list |
| of ENABLE_* features directly from preprocessing Platform.h, rather than |
| just getting the partial list from the xcconfig file. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| * DerivedSources.make: |
| |
| 2020-02-07 Robin Morisset <rmorisset@apple.com> |
| |
| Throw OutOfMemory exception instead of crashing if DirectArguments/ScopedArguments can't be created |
| https://bugs.webkit.org/show_bug.cgi?id=207423 |
| |
| Reviewed by Mark Lam. |
| |
| AllocationFailureMode::Assert is problematic because fuzzers keep producing spurious error reports when they generate code that tries allocating an infinite amount of memory. |
| The right approach is to use AllocationFailureMode::ReturnNull, and throw a JS exception upon receiving null. |
| |
| In this patch I fixed two functions that were using AllocationFailureMode::Assert: |
| DirectArguments::DirectArguments::overrideThings |
| GenericArguments<Type>::initModifiedArgumentsDescriptor |
| |
| No test added, because the only test we have is highly non-deterministic/flaky (only triggers about 10 to 20% of the time even before the fix). |
| |
| * runtime/DirectArguments.h: |
| * runtime/GenericArguments.h: |
| * runtime/GenericArgumentsInlines.h: |
| (JSC::GenericArguments<Type>::deletePropertyByIndex): |
| (JSC::GenericArguments<Type>::defineOwnProperty): |
| (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor): |
| (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptorIfNecessary): |
| (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor): |
| * runtime/ScopedArguments.h: |
| |
| 2020-02-07 Ryan Haddad <ryanhaddad@apple.com> |
| |
| Unreviewed, rolling out r256051. |
| |
| Broke internal builds. |
| |
| Reverted changeset: |
| |
| "Move trivial definitions from FeatureDefines.xcconfig to |
| PlatformEnableCocoa.h" |
| https://bugs.webkit.org/show_bug.cgi?id=207155 |
| https://trac.webkit.org/changeset/256051 |
| |
| 2020-02-07 Sam Weinig <weinig@apple.com> |
| |
| Move trivial definitions from FeatureDefines.xcconfig to PlatformEnableCocoa.h |
| https://bugs.webkit.org/show_bug.cgi?id=207155 |
| |
| Reviewed by Tim Horton. |
| |
| Move all trivial definitions (just ENABLE_FOO = ENABLE_FOO; or ENABLE_BAR = ;) |
| from the FeatureDefines.xcconfigs to PlatformEnableCocoa.h, ensuring each one |
| also has a default value in PlatformEnable.h. |
| |
| To support the move, DerivedSources.make has been updated to generate the list |
| of ENABLE_* features directly from preprocessing Platform.h, rather than |
| just getting the partial list from the xcconfig file. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| * DerivedSources.make: |
| |
| 2020-02-07 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] CodeBlock::shrinkToFit should shrink m_constantRegisters and m_constantsSourceCodeRepresentation in 64bit architectures |
| https://bugs.webkit.org/show_bug.cgi?id=207356 |
| |
| Reviewed by Mark Lam. |
| |
| Only 32-bit architectures are using m_constantRegisters's address. 64-bit architectures are not relying on m_constantRegisters's address. |
| This patch fixes this so that CodeBlock::shrinkToFit will shrink m_constantRegisters and m_constantsSourceCodeRepresentation |
| regardless of whether this is EarlyShrink or not. We also move DFG/FTL's LateShrink call to the place after calling DFGCommon reallyAdd |
| since they can add more constant registers. |
| |
| Relanding it after fixing a deadlock. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::shrinkToFit): |
| * bytecode/CodeBlock.h: |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::compile): |
| (JSC::DFG::JITCompiler::compileFunction): |
| * dfg/DFGJITFinalizer.cpp: |
| (JSC::DFG::JITFinalizer::finalizeCommon): |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::compileInThreadImpl): |
| (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): |
| * jit/JIT.cpp: |
| (JSC::JIT::link): |
| * jit/JIT.h: |
| * jit/JITInlines.h: |
| (JSC::JIT::emitLoadDouble): |
| (JSC::JIT::emitLoadInt32ToDouble): Deleted. |
| |
| 2020-02-06 Robin Morisset <rmorisset@apple.com> |
| |
| Most of B3 and Air does not need to include CCallHelpers.h |
| https://bugs.webkit.org/show_bug.cgi?id=206975 |
| |
| Reviewed by Mark Lam. |
| |
| They only do so to use CCallHelpers::Jump or CCallHelpers::Label. |
| But CCallHelpers inherits those from MacroAssembler. And MacroAssembler.h is dramatically cheaper to include (since CCallHelpers includes AssemblyHelpers, which includes CodeBlock.h, which includes roughly the entire runtime). |
| |
| * b3/B3CheckSpecial.cpp: |
| * b3/B3CheckSpecial.h: |
| * b3/B3LowerMacros.cpp: |
| * b3/B3PatchpointSpecial.cpp: |
| (JSC::B3::PatchpointSpecial::generate): |
| * b3/B3PatchpointSpecial.h: |
| * b3/B3StackmapGenerationParams.cpp: |
| (JSC::B3::StackmapGenerationParams::successorLabels const): |
| * b3/B3StackmapGenerationParams.h: |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: |
| * b3/air/AirCCallSpecial.cpp: |
| * b3/air/AirCCallSpecial.h: |
| * b3/air/AirCode.cpp: |
| * b3/air/AirCode.h: |
| (JSC::B3::Air::Code::entrypointLabel const): |
| * b3/air/AirCustom.cpp: |
| (JSC::B3::Air::CCallCustom::generate): |
| (JSC::B3::Air::ShuffleCustom::generate): |
| (JSC::B3::Air::WasmBoundsCheckCustom::generate): |
| * b3/air/AirCustom.h: |
| (JSC::B3::Air::PatchCustom::generate): |
| (JSC::B3::Air::EntrySwitchCustom::generate): |
| * b3/air/AirDisassembler.cpp: |
| (JSC::B3::Air::Disassembler::addInst): |
| * b3/air/AirDisassembler.h: |
| * b3/air/AirGenerationContext.h: |
| * b3/air/AirInst.h: |
| * b3/air/AirPrintSpecial.cpp: |
| (JSC::B3::Air::PrintSpecial::generate): |
| * b3/air/AirPrintSpecial.h: |
| * b3/air/AirSpecial.h: |
| * b3/air/AirValidate.cpp: |
| * b3/air/opcode_generator.rb: |
| |
| 2020-02-06 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r255987. |
| https://bugs.webkit.org/show_bug.cgi?id=207369 |
| |
| JSTests failures (Requested by yusukesuzuki on #webkit). |
| |
| Reverted changeset: |
| |
| "[JSC] CodeBlock::shrinkToFit should shrink |
| m_constantRegisters and m_constantsSourceCodeRepresentation in |
| 64bit architectures" |
| https://bugs.webkit.org/show_bug.cgi?id=207356 |
| https://trac.webkit.org/changeset/255987 |
| |
| 2020-02-06 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] CodeBlock::shrinkToFit should shrink m_constantRegisters and m_constantsSourceCodeRepresentation in 64bit architectures |
| https://bugs.webkit.org/show_bug.cgi?id=207356 |
| |
| Reviewed by Mark Lam. |
| |
| Only 32-bit architectures are using m_constantRegisters's address. 64-bit architectures are not relying on m_constantRegisters's address. |
| This patch fixes this so that CodeBlock::shrinkToFit will shrink m_constantRegisters and m_constantsSourceCodeRepresentation |
| regardless of whether this is EarlyShrink or not. We also move DFG/FTL's LateShrink call to the place after calling DFGCommon reallyAdd |
| since they can add more constant registers. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::shrinkToFit): |
| * bytecode/CodeBlock.h: |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::compile): |
| (JSC::DFG::JITCompiler::compileFunction): |
| * dfg/DFGJITFinalizer.cpp: |
| (JSC::DFG::JITFinalizer::finalizeCommon): |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::compileInThreadImpl): |
| (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): |
| * jit/JIT.cpp: |
| (JSC::JIT::link): |
| * jit/JIT.h: |
| * jit/JITInlines.h: |
| (JSC::JIT::emitLoadDouble): |
| (JSC::JIT::emitLoadInt32ToDouble): Deleted. |
| |
| 2020-02-05 Don Olmstead <don.olmstead@sony.com> |
| |
| [PlayStation] Build a shared JavaScriptCore |
| https://bugs.webkit.org/show_bug.cgi?id=198446 |
| |
| Reviewed by Fujii Hironori. |
| |
| Add TARGET_OBJECTS for bmalloc and WTF so JavaScriptCore links. Add bmalloc and |
| WTF compile definitions so exports are exposed. |
| |
| * PlatformPlayStation.cmake: |
| |
| 2020-02-05 Justin Michaud <justin_michaud@apple.com> |
| |
| Deleting a property should not turn structures into uncacheable dictionaries |
| https://bugs.webkit.org/show_bug.cgi?id=206430 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Right now, deleteProperty/removePropertyTransition causes a structure transition to uncacheable dictionary. Instead, we should allow it to transition to a new regular structure like adding a property does. This means that we have to: |
| |
| 1) Break the assumption that structure transition offsets increase monotonically |
| |
| We add a new flag to tell that a structure has deleted its property, and update materializePropertyTable to use it. |
| |
| 2) Add a new transition map and transition kind for deletes |
| |
| We cache the delete transition. We will not transition back to a previous structure if you add then immediately remove a property. |
| |
| 3) Find some heuristic for when we should actually transition to uncacheable dictionary. |
| |
| Since deleting properties is expected to be rare, we just walk the structure list and count its size on removal. |
| |
| This patch also fixes a related bug in addProperty, where we did not use a GCSafeConcurrentJSLocker, and adds an option to trigger the bug. Finally, we add some helper methods to dollarVM to test. |
| |
| This gives a 24x speedup on delete-property-keeps-cacheable-structure.js, and is neutral on delete-property-from-prototype-chain.js (which was already generating code using the inline cache). |
| |
| * heap/HeapInlines.h: |
| (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::deleteProperty): |
| * runtime/OptionsList.h: |
| * runtime/PropertyMapHashTable.h: |
| (JSC::PropertyTable::get): |
| (JSC::PropertyTable::add): |
| (JSC::PropertyTable::addDeletedOffset): |
| (JSC::PropertyTable::reinsert): |
| * runtime/Structure.cpp: |
| (JSC::StructureTransitionTable::contains const): |
| (JSC::StructureTransitionTable::get const): |
| (JSC::StructureTransitionTable::add): |
| (JSC::Structure::Structure): |
| (JSC::Structure::materializePropertyTable): |
| (JSC::Structure::addNewPropertyTransition): |
| (JSC::Structure::removePropertyTransition): |
| (JSC::Structure::removePropertyTransitionFromExistingStructure): |
| (JSC::Structure::removeNewPropertyTransition): |
| (JSC::Structure::toUncacheableDictionaryTransition): |
| (JSC::Structure::remove): |
| (JSC::Structure::visitChildren): |
| * runtime/Structure.h: |
| * runtime/StructureInlines.h: |
| (JSC::Structure::forEachPropertyConcurrently): |
| (JSC::Structure::add): |
| (JSC::Structure::remove): |
| (JSC::Structure::removePropertyWithoutTransition): |
| * runtime/StructureTransitionTable.h: |
| (JSC::StructureTransitionTable::Hash::hash): |
| * tools/JSDollarVM.cpp: |
| (JSC::JSDollarVMHelper::functionGetStructureTransitionList): |
| (JSC::functionGetConcurrently): |
| (JSC::JSDollarVM::finishCreation): |
| |
| 2020-02-05 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Sources: add a special breakpoint for controlling whether `debugger` statements pause |
| https://bugs.webkit.org/show_bug.cgi?id=206818 |
| |
| Reviewed by Timothy Hatcher. |
| |
| * inspector/protocol/Debugger.json: |
| * inspector/agents/InspectorDebuggerAgent.h: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::setPauseOnDebuggerStatements): Added. |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::DebuggerStatementNode::emitBytecode): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::dumpLineColumnEntry): |
| * interpreter/Interpreter.h: |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::debug): |
| (WTF::printInternal): |
| * debugger/Debugger.h: |
| (JSC::Debugger::setPauseOnDebuggerStatements): Added. |
| * debugger/Debugger.cpp: |
| (JSC::Debugger::didReachDebuggerStatement): Added. |
| (JSC::Debugger::didReachBreakpoint): Deleted. |
| Replace `DebugHookType::DidReachBreakpoint` with `DebugHookType::DidReachDebuggerStatement`, |
| as it is only actually used for `debugger;` statements, not breakpoints. |
| |
| 2020-02-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Structure::setMaxOffset and setTransitionOffset are racy |
| https://bugs.webkit.org/show_bug.cgi?id=207249 |
| |
| Reviewed by Mark Lam. |
| |
| We hit a crash in JSTests/stress/array-slice-osr-exit-2.js. The situation is as follows. |
| |
| 1. The mutator thread (A) is working. |
| 2. The concurrent collector (B) is working. |
| 3. A attempts to set m_maxOffset in StructureRareData by allocating it. First, A sets Structure::m_maxOffset to useRareDataFlag. |
| 4. B is in JSObject::visitButterflyImpl, and executing Structure::maxOffset(). |
| 5. B detects that m_maxOffset is useRareDataFlag. |
| 6. B attempts to load rareData, but this is not a StructureRareData since A is just now setting up StructureRareData. |
| 7. B crashes. |
| |
| Set useRareDataFlag after StructureRareData is set, ensuring this store order by using a storeStoreFence. |
| |
| * runtime/Structure.h: |
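
An added toy model (not JSC's Structure code) of the publication ordering the entry above fixes. The writer fully sets up the out-of-line data, issues a release fence in the storeStoreFence role, and only then stores the flag; the reader, if it observes the flag, issues an acquire fence before following the pointer, so it can only see a pointer that was published after the data was ready. StructureLike, RareData and the concrete flag value are assumptions for this example; the buggy order the entry describes (flag first, data second) is spelled out in the comment rather than in code.

```cpp
// Added illustration, not JSC's Structure code. StructureLike and RareData are
// stand-ins; the flag value and field names are chosen for the example.
#include <atomic>
#include <cstdint>

struct RareData {
    uint32_t maxOffset;
};

class StructureLike {
public:
    static constexpr uint32_t useRareDataFlag = 0x80000000u;

    StructureLike() = default;
    StructureLike(const StructureLike&) = delete;
    StructureLike& operator=(const StructureLike&) = delete;
    ~StructureLike() { delete m_rareData.load(std::memory_order_relaxed); }

    // Inline case: the offset fits in the field itself.
    void setInlineMaxOffset(uint32_t value) {
        m_maxOffset.store(value, std::memory_order_relaxed);
    }

    // Out-of-line case, mutator side. The racy order was: store the flag, then
    // set up the rare data, letting a concurrent reader follow a pointer that
    // was not yet a RareData. Correct order: publish the data, fence, then flag.
    // (Called at most once per object in this model, so nothing is leaked.)
    void setMaxOffsetViaRareData(uint32_t value) {
        RareData* rareData = new RareData{value};
        m_rareData.store(rareData, std::memory_order_relaxed);
        std::atomic_thread_fence(std::memory_order_release); // storeStoreFence role
        m_maxOffset.store(useRareDataFlag, std::memory_order_relaxed);
    }

    // Reader side (the concurrent collector). Observing the flag plus the
    // acquire fence pairs with the writer's release fence, so the pointer
    // loaded afterwards is the fully initialised rare data.
    uint32_t maxOffset() const {
        uint32_t raw = m_maxOffset.load(std::memory_order_relaxed);
        if (raw != useRareDataFlag)
            return raw;
        std::atomic_thread_fence(std::memory_order_acquire);
        return m_rareData.load(std::memory_order_relaxed)->maxOffset;
    }

    bool usesRareData() const {
        return m_maxOffset.load(std::memory_order_relaxed) == useRareDataFlag;
    }

private:
    std::atomic<uint32_t> m_maxOffset{0};
    std::atomic<RareData*> m_rareData{nullptr};
};
```

The test below only checks single-threaded behaviour, which a fence cannot get wrong; the property the fence buys is that no interleaving with a reader on another thread can observe the flag set while m_rareData is still null or half-built, and that is what distinguishes this from the order the entry describes as crashing.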
| |
| 2020-02-04 Adrian Perez de Castro <aperez@igalia.com> |
| |
| Non-unified build fixes early February 2020 edition |
| https://bugs.webkit.org/show_bug.cgi?id=207227 |
| |
| Reviewed by Don Olmstead. |
| |
| * bytecode/PolyProtoAccessChain.h: Add missing inclusions of StructureIDTable.h and VM.h |
| |
| 2020-02-04 Alex Christensen <achristensen@webkit.org> |
| |
| Fix Mac CMake build |
| https://bugs.webkit.org/show_bug.cgi?id=207231 |
| |
| * PlatformMac.cmake: |
| |
| 2020-02-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use PackedRefPtr in UnlinkedCodeBlock |
| https://bugs.webkit.org/show_bug.cgi?id=207229 |
| |
| Reviewed by Mark Lam. |
| |
| Use PackedRefPtr in UnlinkedCodeBlock to compact it from 168 to 160, which saves 16 bytes (10%) per UnlinkedCodeBlock since |
| we have 16-byte alignment for GC cells. |
| |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::sourceURLDirective const): |
| (JSC::UnlinkedCodeBlock::sourceMappingURLDirective const): |
| (JSC::UnlinkedCodeBlock::setSourceURLDirective): |
| (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedCodeBlock::sourceURLDirective const): |
| (JSC::CachedCodeBlock::sourceMappingURLDirective const): |
| (JSC::CachedCodeBlock<CodeBlockType>::encode): |
| * runtime/CodeCache.cpp: |
| (JSC::CodeCache::getUnlinkedGlobalCodeBlock): |
| |
| 2020-02-04 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Quantifiers after lookahead assertions should be syntax errors in Unicode patterns only |
| https://bugs.webkit.org/show_bug.cgi?id=206988 |
| |
| Reviewed by Darin Adler and Ross Kirsling. |
| |
| This change adds SyntaxError for quantifiable assertions in Unicode patterns, |
| aligning JSC with V8 and SpiderMonkey. |
| |
| Grammar: https://tc39.es/ecma262/#prod-annexB-Term |
| (/u flag precludes the use of QuantifiableAssertion) |
| |
| Return value of parseParenthesesEnd() now matches with parseEscape() and |
| parseAtomEscape(). |
| |
| * yarr/YarrParser.h: |
| (JSC::Yarr::Parser::parseParenthesesBegin): |
| (JSC::Yarr::Parser::parseParenthesesEnd): |
| (JSC::Yarr::Parser::parseTokens): |
| |
| 2020-02-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Introduce UnlinkedCodeBlockGenerator and reduce sizeof(UnlinkedCodeBlock) |
| https://bugs.webkit.org/show_bug.cgi?id=207087 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| While UnlinkedCodeBlock is immutable once it is created from BytecodeGenerator, it has many mutable Vectors. |
| This is because we are using UnlinkedCodeBlock as a builder of UnlinkedCodeBlock itself too in BytecodeGenerator. |
| Since Vector takes 16 bytes to allow efficient expansions, it is nice if we can use RefCountedArray instead when |
| we know this Vector is immutable. |
| |
| In this patch, we introduce UnlinkedCodeBlockGenerator wrapper. BytecodeGenerator, BytecodeRewriter, BytecodeDumper, |
| and BytecodeGeneratorification interact with UnlinkedCodeBlockGenerator instead of UnlinkedCodeBlock. And UnlinkedCodeBlockGenerator |
| will generate the finalized UnlinkedCodeBlock. This design allows us to use RefCountedArray for data in UnlinkedCodeBlock, |
| which is (1) smaller and (2) doing shrinkToFit operation when creating it from Vector. |
| |
| This patch reduces sizeof(UnlinkedCodeBlock) from 256 to 168, an 88-byte reduction. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * bytecode/BytecodeBasicBlock.cpp: |
| (JSC::BytecodeBasicBlock::compute): |
| * bytecode/BytecodeBasicBlock.h: |
| * bytecode/BytecodeDumper.cpp: |
| * bytecode/BytecodeGeneratorification.cpp: |
| (JSC::BytecodeGeneratorification::BytecodeGeneratorification): |
| (JSC::GeneratorLivenessAnalysis::run): |
| (JSC::BytecodeGeneratorification::run): |
| (JSC::performGeneratorification): |
| * bytecode/BytecodeGeneratorification.h: |
| * bytecode/BytecodeRewriter.h: |
| (JSC::BytecodeRewriter::BytecodeRewriter): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| (JSC::CodeBlock::setConstantIdentifierSetRegisters): |
| (JSC::CodeBlock::setConstantRegisters): |
| (JSC::CodeBlock::handlerForIndex): |
| (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::numberOfSwitchJumpTables const): |
| (JSC::CodeBlock::numberOfStringSwitchJumpTables const): |
| (JSC::CodeBlock::addSwitchJumpTable): Deleted. |
| (JSC::CodeBlock::addStringSwitchJumpTable): Deleted. |
| * bytecode/HandlerInfo.h: |
| (JSC::HandlerInfoBase::handlerForIndex): |
| * bytecode/JumpTable.h: |
| (JSC::SimpleJumpTable::add): Deleted. |
| * bytecode/PreciseJumpTargets.cpp: |
| (JSC::computePreciseJumpTargets): |
| (JSC::recomputePreciseJumpTargets): |
| (JSC::findJumpTargetsForInstruction): |
| * bytecode/PreciseJumpTargets.h: |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): |
| (JSC::UnlinkedCodeBlock::visitChildren): |
| (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): |
| (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeIndex const): |
| (JSC::UnlinkedCodeBlock::handlerForIndex): |
| (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted. |
| (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted. |
| (JSC::UnlinkedCodeBlock::setInstructions): Deleted. |
| (JSC::UnlinkedCodeBlock::applyModification): Deleted. |
| (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted. |
| (JSC::UnlinkedCodeBlock::addOutOfLineJumpTarget): Deleted. |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::expressionInfo): |
| (JSC::UnlinkedCodeBlock::setNumParameters): |
| (JSC::UnlinkedCodeBlock::numberOfIdentifiers const): |
| (JSC::UnlinkedCodeBlock::identifiers const): |
| (JSC::UnlinkedCodeBlock::bitVector): |
| (JSC::UnlinkedCodeBlock::constantRegisters): |
| (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): |
| (JSC::UnlinkedCodeBlock::constantIdentifierSets): |
| (JSC::UnlinkedCodeBlock::numberOfJumpTargets const): |
| (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables const): |
| (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables const): |
| (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): |
| (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers const): |
| (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets const): |
| (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): |
| (JSC::UnlinkedCodeBlock::addParameter): Deleted. |
| (JSC::UnlinkedCodeBlock::addIdentifier): Deleted. |
| (JSC::UnlinkedCodeBlock::addBitVector): Deleted. |
| (JSC::UnlinkedCodeBlock::addSetConstant): Deleted. |
| (JSC::UnlinkedCodeBlock::addConstant): Deleted. |
| (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted. |
| (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted. |
| (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted. |
| (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted. |
| (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted. |
| (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted. |
| (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted. |
| (JSC::UnlinkedCodeBlock::replaceOutOfLineJumpTargets): Deleted. |
| * bytecode/UnlinkedCodeBlockGenerator.cpp: Added. |
| (JSC::UnlinkedCodeBlockGenerator::getLineAndColumn const): |
| (JSC::UnlinkedCodeBlockGenerator::addExpressionInfo): |
| (JSC::UnlinkedCodeBlockGenerator::addTypeProfilerExpressionInfo): |
| (JSC::UnlinkedCodeBlockGenerator::finalize): |
| (JSC::UnlinkedCodeBlockGenerator::handlerForBytecodeIndex): |
| (JSC::UnlinkedCodeBlockGenerator::handlerForIndex): |
| (JSC::UnlinkedCodeBlockGenerator::applyModification): |
| (JSC::UnlinkedCodeBlockGenerator::addOutOfLineJumpTarget): |
| (JSC::UnlinkedCodeBlockGenerator::outOfLineJumpOffset): |
| (JSC::UnlinkedCodeBlockGenerator::dump const): |
| * bytecode/UnlinkedCodeBlockGenerator.h: Added. |
| (JSC::UnlinkedCodeBlockGenerator::UnlinkedCodeBlockGenerator): |
| (JSC::UnlinkedCodeBlockGenerator::vm): |
| (JSC::UnlinkedCodeBlockGenerator::isConstructor const): |
| (JSC::UnlinkedCodeBlockGenerator::constructorKind const): |
| (JSC::UnlinkedCodeBlockGenerator::superBinding const): |
| (JSC::UnlinkedCodeBlockGenerator::scriptMode const): |
| (JSC::UnlinkedCodeBlockGenerator::needsClassFieldInitializer const): |
| (JSC::UnlinkedCodeBlockGenerator::isStrictMode const): |
| (JSC::UnlinkedCodeBlockGenerator::usesEval const): |
| (JSC::UnlinkedCodeBlockGenerator::parseMode const): |
| (JSC::UnlinkedCodeBlockGenerator::isArrowFunction): |
| (JSC::UnlinkedCodeBlockGenerator::derivedContextType const): |
| (JSC::UnlinkedCodeBlockGenerator::evalContextType const): |
| (JSC::UnlinkedCodeBlockGenerator::isArrowFunctionContext const): |
| (JSC::UnlinkedCodeBlockGenerator::isClassContext const): |
| (JSC::UnlinkedCodeBlockGenerator::numCalleeLocals const): |
| (JSC::UnlinkedCodeBlockGenerator::numVars const): |
| (JSC::UnlinkedCodeBlockGenerator::numParameters const): |
| (JSC::UnlinkedCodeBlockGenerator::thisRegister const): |
| (JSC::UnlinkedCodeBlockGenerator::scopeRegister const): |
| (JSC::UnlinkedCodeBlockGenerator::wasCompiledWithDebuggingOpcodes const): |
| (JSC::UnlinkedCodeBlockGenerator::hasCheckpoints const): |
| (JSC::UnlinkedCodeBlockGenerator::hasTailCalls const): |
| (JSC::UnlinkedCodeBlockGenerator::setHasCheckpoints): |
| (JSC::UnlinkedCodeBlockGenerator::setHasTailCalls): |
| (JSC::UnlinkedCodeBlockGenerator::setNumCalleeLocals): |
| (JSC::UnlinkedCodeBlockGenerator::setNumVars): |
| (JSC::UnlinkedCodeBlockGenerator::setThisRegister): |
| (JSC::UnlinkedCodeBlockGenerator::setScopeRegister): |
| (JSC::UnlinkedCodeBlockGenerator::setNumParameters): |
| (JSC::UnlinkedCodeBlockGenerator::metadata): |
| (JSC::UnlinkedCodeBlockGenerator::addOpProfileControlFlowBytecodeOffset): |
| (JSC::UnlinkedCodeBlockGenerator::numberOfJumpTargets const): |
| (JSC::UnlinkedCodeBlockGenerator::addJumpTarget): |
| (JSC::UnlinkedCodeBlockGenerator::jumpTarget const): |
| (JSC::UnlinkedCodeBlockGenerator::lastJumpTarget const): |
| (JSC::UnlinkedCodeBlockGenerator::numberOfSwitchJumpTables const): |
| (JSC::UnlinkedCodeBlockGenerator::addSwitchJumpTable): |
| (JSC::UnlinkedCodeBlockGenerator::switchJumpTable): |
| (JSC::UnlinkedCodeBlockGenerator::numberOfStringSwitchJumpTables const): |
| (JSC::UnlinkedCodeBlockGenerator::addStringSwitchJumpTable): |
| (JSC::UnlinkedCodeBlockGenerator::stringSwitchJumpTable): |
| (JSC::UnlinkedCodeBlockGenerator::numberOfExceptionHandlers const): |
| (JSC::UnlinkedCodeBlockGenerator::exceptionHandler): |
| (JSC::UnlinkedCodeBlockGenerator::addExceptionHandler): |
| (JSC::UnlinkedCodeBlockGenerator::bitVector): |
| (JSC::UnlinkedCodeBlockGenerator::addBitVector): |
| (JSC::UnlinkedCodeBlockGenerator::numberOfConstantIdentifierSets const): |
| (JSC::UnlinkedCodeBlockGenerator::constantIdentifierSets): |
| (JSC::UnlinkedCodeBlockGenerator::addSetConstant): |
| (JSC::UnlinkedCodeBlockGenerator::constantRegister const): |
| (JSC::UnlinkedCodeBlockGenerator::constantRegisters): |
| (JSC::UnlinkedCodeBlockGenerator::getConstant const): |
| (JSC::UnlinkedCodeBlockGenerator::constantsSourceCodeRepresentation): |
| (JSC::UnlinkedCodeBlockGenerator::addConstant): |
| (JSC::UnlinkedCodeBlockGenerator::addFunctionDecl): |
| (JSC::UnlinkedCodeBlockGenerator::addFunctionExpr): |
| (JSC::UnlinkedCodeBlockGenerator::numberOfIdentifiers const): |
| (JSC::UnlinkedCodeBlockGenerator::identifier const): |
| (JSC::UnlinkedCodeBlockGenerator::addIdentifier): |
| (JSC::UnlinkedCodeBlockGenerator::outOfLineJumpOffset): |
| (JSC::UnlinkedCodeBlockGenerator::replaceOutOfLineJumpTargets): |
| (JSC::UnlinkedCodeBlockGenerator::metadataSizeInBytes): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::generate): |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::initializeNextParameter): |
| (JSC::BytecodeGenerator::emitPushFunctionNameScope): |
| (JSC::prepareJumpTableForSwitch): |
| (JSC::ForInContext::finalize): |
| (JSC::StructureForInContext::finalize): |
| (JSC::IndexedForInContext::finalize): |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/BytecodeGeneratorBaseInlines.h: |
| (JSC::BytecodeGeneratorBase<Traits>::newRegister): |
| (JSC::BytecodeGeneratorBase<Traits>::addVar): |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedVector::encode): |
| (JSC::CachedVector::decode const): |
| * wasm/WasmFunctionCodeBlock.h: |
| (JSC::Wasm::FunctionCodeBlock::setNumVars): |
| (JSC::Wasm::FunctionCodeBlock::setNumCalleeLocals): |
| |
| 2020-02-04 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: REGRESSION(r248287): Console: function objects saved to a $n will be invoked instead of just referenced when evaluating in the Console |
| https://bugs.webkit.org/show_bug.cgi?id=207180 |
| <rdar://problem/58860268> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/InjectedScriptSource.js: |
| (CommandLineAPI): |
| Instead of deciding whether to wrap the value given for a `$n` getter based on if the value |
| is already a function, always wrap getter values in a function so that if the value being |
| stored in the getter is already a function, it isn't used as the callback for the getter and |
| therefore invoked when the getter is referenced. |
| |
| 2020-02-03 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use PackedPtr for VariableEnvironment |
| https://bugs.webkit.org/show_bug.cgi?id=207172 |
| |
| Reviewed by Mark Lam. |
| |
| Since VariableEnvironment's KeyValue is key: pointer + value: 2 bytes, using PackedPtr can make it 8 bytes, a 50% reduction. |
| |
| * parser/VariableEnvironment.h: |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedRefPtr::encode): |
| (JSC::CachedRefPtr::decode const): CachedTypes should handle PackedPtr too since VariableEnvironment starts using it. |
| |
| 2020-02-03 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| \0 identity escapes should be syntax errors in Unicode patterns only |
| https://bugs.webkit.org/show_bug.cgi?id=207114 |
| |
| Reviewed by Darin Adler. |
| |
| This change adds a separate check for the null character because `strchr` |
| always returns a non-null pointer when called with '\0' as the second argument. |
| |
| Grammar: https://tc39.es/ecma262/#prod-annexB-IdentityEscape |
| (/u flag precludes the use of SourceCharacterIdentityEscape) |
| |
| * yarr/YarrParser.h: |
| (JSC::Yarr::Parser::isIdentityEscapeAnError): |
| |
| 2020-02-01 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Non-alphabetical \c escapes should be syntax errors in Unicode patterns only |
| https://bugs.webkit.org/show_bug.cgi?id=207091 |
| |
| Reviewed by Darin Adler. |
| |
| This change adds SyntaxError for non-alphabetical and identity \c escapes |
| in Unicode patterns, aligning JSC with V8 and SpiderMonkey. |
| |
| Grammar: https://tc39.es/ecma262/#prod-annexB-ClassEscape |
| (/u flag precludes the use of ClassControlLetter) |
| |
| * yarr/YarrErrorCode.cpp: |
| (JSC::Yarr::errorMessage): |
| (JSC::Yarr::errorToThrow): |
| * yarr/YarrErrorCode.h: |
| * yarr/YarrParser.h: |
| (JSC::Yarr::Parser::parseEscape): |
| |
| 2020-01-31 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Hold StructureID instead of Structure* in PolyProtoAccessChain and DFG::CommonData |
| https://bugs.webkit.org/show_bug.cgi?id=207086 |
| |
| Reviewed by Mark Lam. |
| |
| PolyProtoAccessChain and DFG::CommonData are kept alive so long as associated AccessCase / DFG/FTL CodeBlock |
| is alive. They hold Vector<Structure*> / Vector<WriteBarrier<Structure*>>, but access frequency is low, and |
| we should hold Vector<StructureID> instead to cut 50% of the size. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::commit): |
| (JSC::AccessCase::forEachDependentCell const): |
| (JSC::AccessCase::doesCalls const): |
| (JSC::AccessCase::visitWeak const): |
| (JSC::AccessCase::propagateTransitions const): |
| (JSC::AccessCase::generateWithGuard): |
| * bytecode/AccessCase.h: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::propagateTransitions): |
| (JSC::CodeBlock::determineLiveness): |
| (JSC::CodeBlock::stronglyVisitWeakReferences): |
| * bytecode/GetByStatus.cpp: |
| (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): |
| * bytecode/InByIdStatus.cpp: |
| (JSC::InByIdStatus::computeFor): |
| (JSC::InByIdStatus::computeForStubInfo): |
| (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback): |
| * bytecode/InByIdStatus.h: |
| * bytecode/InstanceOfStatus.cpp: |
| (JSC::InstanceOfStatus::computeFor): |
| (JSC::InstanceOfStatus::computeForStubInfo): |
| * bytecode/InstanceOfStatus.h: |
| * bytecode/PolyProtoAccessChain.cpp: |
| (JSC::PolyProtoAccessChain::create): |
| (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const): |
| (JSC::PolyProtoAccessChain::dump const): |
| * bytecode/PolyProtoAccessChain.h: |
| (JSC::PolyProtoAccessChain::chain const): |
| (JSC::PolyProtoAccessChain::forEach const): |
| (JSC::PolyProtoAccessChain::slotBaseStructure const): |
| (JSC::PolyProtoAccessChain:: const): Deleted. |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::PolymorphicAccess::regenerate): |
| * bytecode/PutByIdStatus.cpp: |
| (JSC::PutByIdStatus::computeForStubInfo): |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::summary const): |
| (JSC::StructureStubInfo::summary): |
| * bytecode/StructureStubInfo.h: |
| * dfg/DFGCommonData.h: |
| * dfg/DFGDesiredWeakReferences.cpp: |
| (JSC::DFG::DesiredWeakReferences::reallyAdd): |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): |
| * jit/Repatch.cpp: |
| (JSC::tryCacheGetBy): |
| (JSC::tryCachePutByID): |
| (JSC::tryCacheInByID): |
| |
| 2020-01-31 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] ShrinkToFit some vectors kept by JIT data structures |
| https://bugs.webkit.org/show_bug.cgi?id=207085 |
| |
| Reviewed by Mark Lam. |
| |
| 1. We are allocating RareCaseProfile by using SegmentedVector since JIT code is directly accessing RareCaseProfile*. But when creating RareCaseProfile, we can know |
| how many RareCaseProfiles we should create: RareCaseProfile is created per slow path of Baseline JIT bytecode. Since we already scan bytecode for the main paths, |
| we can count them and use this number when creating RareCaseProfile. |
| 2. Vectors held by PolymorphicAccess and PolymorphicCallStubRoutine should be kept small by calling shrinkToFit. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::setRareCaseProfiles): |
| (JSC::CodeBlock::shrinkToFit): |
| (JSC::CodeBlock::addRareCaseProfile): Deleted. |
| * bytecode/CodeBlock.h: |
| * bytecode/PolyProtoAccessChain.cpp: |
| (JSC::PolyProtoAccessChain::create): |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::PolymorphicAccess::regenerate): |
| * bytecode/ValueProfile.h: |
| (JSC::RareCaseProfile::RareCaseProfile): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| * jit/JIT.h: |
| * jit/PolymorphicCallStubRoutine.cpp: |
| (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine): |
| |
| 2020-01-31 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG::CommonData::shrinkToFit called before DFG::Plan::reallyAdd is called |
| https://bugs.webkit.org/show_bug.cgi?id=207083 |
| |
| Reviewed by Mark Lam. |
| |
| We are calling DFG::CommonData::shrinkToFit, but calling this too early: we execute |
| DFG::Plan::reallyAdd(DFG::CommonData*) after that, and this adds many entries to |
| DFG::CommonData*. We should call DFG::CommonData::shrinkToFit after calling DFG::Plan::reallyAdd. |
| |
| To implement it, we make DFG::JITCode::shrinkToFit a virtual function in JSC::JITCode. Then we |
| can also implement FTL::JITCode::shrinkToFit, which was previously not implemented. |
| |
| * dfg/DFGJITCode.cpp: |
| (JSC::DFG::JITCode::shrinkToFit): |
| * dfg/DFGJITCode.h: |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::compile): |
| (JSC::DFG::JITCompiler::compileFunction): |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): |
| * ftl/FTLJITCode.cpp: |
| (JSC::FTL::JITCode::shrinkToFit): |
| * ftl/FTLJITCode.h: |
| * jit/JITCode.cpp: |
| (JSC::JITCode::shrinkToFit): |
| * jit/JITCode.h: |
| |
| 2020-01-31 Saam Barati <sbarati@apple.com> |
| |
| GetButterfly should check if the input value is an object in safe to execute |
| https://bugs.webkit.org/show_bug.cgi?id=207082 |
| |
| Reviewed by Mark Lam. |
| |
| We can only hoist GetButterfly when we know the incoming value is an object. |
| We might want to reconsider making GetButterfly use ObjectUse as its edge |
| kind, but that's out of the scope of this patch. Currently, we use CellUse |
| for GetButterfly node's child1. |
| |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| |
| 2020-01-31 Saam Barati <sbarati@apple.com> |
| |
| safe to execute should return false when we know code won't be moved |
| https://bugs.webkit.org/show_bug.cgi?id=207074 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We use safeToExecute to determine inside LICM whether it's safe to execute |
| a node somewhere else in the program. We were returning true for nodes |
| we knew would never be moved, because they were effectful. Things like Call |
| and GetById. This patch makes those nodes return false now, since we want |
| to make it easier to audit the nodes that return true. This makes that audit |
| easier, since it gets rid of the obvious things that will never be hoisted. |
| |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| |
| 2020-01-31 Saam Barati <sbarati@apple.com> |
| |
| GetGetterSetterByOffset and GetGetter/GetSetter are not always safe to execute |
| https://bugs.webkit.org/show_bug.cgi?id=206805 |
| <rdar://problem/58898161> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch fixes two bugs. The first is GetGetterSetterByOffset. Previously, |
| we were just checking that we could load the value safely. However, because |
| GetGetterSetterByOffset returns a GetterSetter object, we can only safely |
| move this node into a context where it's guaranteed that the offset loaded |
| will return a GetterSetter. |
| |
| The second fix is GetGetter/GetSetter were both always marked as safe to execute. |
| However, they're only safe to execute when the incoming value to load from |
| is a GetterSetter object. |
| |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| |
| 2020-01-31 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Unmatched ] or } brackets should be syntax errors in Unicode patterns only |
| https://bugs.webkit.org/show_bug.cgi?id=207023 |
| |
| Reviewed by Darin Adler. |
| |
| This change adds SyntaxError for Unicode patterns, aligning JSC with |
| V8 and SpiderMonkey. |
| |
| Grammar: https://tc39.es/ecma262/#prod-annexB-Term |
| (/u flag precludes the use of ExtendedAtom and thus ExtendedPatternCharacter) |
| |
| * yarr/YarrErrorCode.cpp: |
| (JSC::Yarr::errorMessage): |
| (JSC::Yarr::errorToThrow): |
| * yarr/YarrErrorCode.h: |
| * yarr/YarrParser.h: |
| (JSC::Yarr::Parser::parseTokens): |
| |
| 2020-01-31 Don Olmstead <don.olmstead@sony.com> |
| |
| [CMake] Add _PRIVATE_LIBRARIES to framework |
| https://bugs.webkit.org/show_bug.cgi?id=207004 |
| |
| Reviewed by Konstantin Tokarev. |
| |
| Move uses of PRIVATE within _LIBRARIES to _PRIVATE_LIBRARIES. Any _LIBRARIES appended |
| afterwards will have that visibility set erroneously. |
| |
| * PlatformFTW.cmake: |
| |
| 2020-01-30 Mark Lam <mark.lam@apple.com> |
| |
| Some improvements to DFG and FTL dumps to improve readability and searchability. |
| https://bugs.webkit.org/show_bug.cgi?id=207024 |
| |
| Reviewed by Saam Barati. |
| |
| This patch applies the following changes: |
| |
| 1. Prefix Air and B2 dumps with a tierName prefix. |
| The tierName prefix strings are as follows: |
| |
| "FTL ", "DFG ", "b3 ", "Air ", "asm " |
| |
| The choice to use a lowercase "b3" and "asm" with upper case "Air" is |
| deliberate because I found this combination to be easier to read and scan as |
| prefixes of the dump lines. See dump samples below. |
| |
| 2. Make DFG node IDs consistently expressed as D@<node index> e.g. D@104. |
| The definition of the node will be the id followed by a colon e.g. D@104: |
| This makes it easy to search references to this node anywhere in the dump. |
| |
| Make B3 nodes expressed as b@<node index> e.g. b@542. |
| This also makes it searchable since there's now no ambiguity between b@542 and |
| D@542. |
| |
| The choice to use a lowercase "b" and an uppercase "D" is intentional because |
| "b@542" and "d@542" look too similar, and I prefer to not use too much |
| uppercase. Plus this makes the node consistent in capitalization with the |
| tierName prefixes above of "b3 " and "DFG " respectively. |
| |
| Here's a sample of what the dumps now look like: |
| |
| DFG graph dump: |
| <code> |
| ... |
| 6 55: <-- foo#DFndCW:<0x62d0000b8140, bc#65, Call, known callee: Object: 0x62d000035920 with butterfly 0x0 (Structure %AN:Function), StructureID: 12711, numArgs+this = 1, numFixup = 0, stackOffset = -16 (loc0 maps to loc16)> |
| 3 6 55: D@79:< 3:-> ArithAdd(Int32:Kill:D@95, Int32:D@42, Int32|PureNum|UseAsOther, Int32, CheckOverflow, Exits, bc#71, ExitValid) |
| 4 6 55: D@3:<!0:-> KillStack(MustGen, loc7, W:Stack(loc7), ClobbersExit, bc#71, ExitInvalid) |
| 5 6 55: D@85:<!0:-> MovHint(Check:Untyped:D@79, MustGen, loc7, W:SideState, ClobbersExit, bc#71, ExitInvalid) |
| 6 6 55: D@102:< 1:-> CompareLess(Int32:D@79, Int32:D@89, Boolean|UseAsOther, Bool, Exits, bc#74, ExitValid) |
| 7 6 55: D@104:<!0:-> Branch(KnownBoolean:Kill:D@102, MustGen, T:#1/w:10.000000, F:#7/w:1.000000, W:SideState, bc#74, ExitInvalid) |
| ... |
| </code> |
| |
| B3 graph dump: |
| <code> |
| ... |
| b3 BB#14: ; frequency = 10.000000 |
| b3 Predecessors: #13 |
| b3 Int32 b@531 = CheckAdd(b@10:WarmAny, $1(b@1):WarmAny, b@64:ColdAny, b@10:ColdAny, generator = 0x606000022e80, earlyClobbered = [], lateClobbered = [], usedRegisters = [], ExitsSideways|Reads:Top, D@79) |
| b3 Int32 b@539 = LessThan(b@531, $100(b@578), D@102) |
| b3 Void b@542 = Branch(b@539, Terminal, D@104) |
| b3 Successors: Then:#2, Else:#15 |
| ... |
| </code> |
| |
| Air graph dump: |
| <code> |
| ... |
| Air BB#5: ; frequency = 10.000000 |
| Air Predecessors: #4 |
| Air Move -96(%rbp), %rax, b@531 |
| Air Patch &BranchAdd32(3,ForceLateUseUnlessRecoverable)3, Overflow, $1, %rax, -104(%rbp), -96(%rbp), b@531 |
| Air Branch32 LessThan, %rax, $100, b@542 |
| Air Successors: #1, #6 |
| ... |
| </code> |
| |
| FTL disassembly dump: |
| <code> |
| ... |
| Air BB#5: ; frequency = 10.000000 |
| Air Predecessors: #4 |
| DFG D@42:< 2:-> JSConstant(JS|PureInt, Int32, Int32: 1, bc#0, ExitInvalid) |
| DFG D@79:< 3:-> ArithAdd(Int32:Kill:D@95, Int32:D@42, Int32|PureNum|UseAsOther, Int32, CheckOverflow, Exits, bc#71, ExitValid) |
| b3 Int32 b@1 = Const32(1) |
| b3 Int32 b@531 = CheckAdd(b@10:WarmAny, $1(b@1):WarmAny, b@64:ColdAny, b@10:ColdAny, generator = 0x606000022e80, earlyClobbered = [], lateClobbered = [], usedRegisters = [%rax, %rbx, %rbp, %r12], ExitsSideways|Reads:Top, D@79) |
| Air Move -96(%rbp), %rax, b@531 |
| asm 0x4576b9c04712: mov -0x60(%rbp), %rax |
| Air Patch &BranchAdd32(3,ForceLateUseUnlessRecoverable)3, Overflow, $1, %rax, -104(%rbp), -96(%rbp), b@531 |
| asm 0x4576b9c04716: inc %eax |
| asm 0x4576b9c04718: jo 0x4576b9c04861 |
| DFG D@89:< 1:-> JSConstant(JS|PureNum|UseAsOther, NonBoolInt32, Int32: 100, bc#0, ExitInvalid) |
| DFG D@102:< 1:-> CompareLess(Int32:D@79, Int32:D@89, Boolean|UseAsOther, Bool, Exits, bc#74, ExitValid) |
| DFG D@104:<!0:-> Branch(KnownBoolean:Kill:D@102, MustGen, T:#1/w:10.000000, F:#7/w:1.000000, W:SideState, bc#74, ExitInvalid) |
| b3 Int32 b@578 = Const32(100, D@89) |
| b3 Int32 b@539 = LessThan(b@531, $100(b@578), D@102) |
| b3 Void b@542 = Branch(b@539, Terminal, D@104) |
| Air Branch32 LessThan, %rax, $100, b@542 |
| asm 0x4576b9c0471e: cmp $0x64, %eax |
| asm 0x4576b9c04721: jl 0x4576b9c0462f |
| Air Successors: #1, #6 |
| ... |
| </code> |
| |
| * b3/B3BasicBlock.cpp: |
| (JSC::B3::BasicBlock::deepDump const): |
| * b3/B3Common.cpp: |
| * b3/B3Common.h: |
| * b3/B3Generate.cpp: |
| (JSC::B3::generateToAir): |
| * b3/B3Procedure.cpp: |
| (JSC::B3::Procedure::dump const): |
| * b3/B3Value.cpp: |
| * b3/air/AirBasicBlock.cpp: |
| (JSC::B3::Air::BasicBlock::deepDump const): |
| (JSC::B3::Air::BasicBlock::dumpHeader const): |
| (JSC::B3::Air::BasicBlock::dumpFooter const): |
| * b3/air/AirCode.cpp: |
| (JSC::B3::Air::Code::dump const): |
| * b3/air/AirCode.h: |
| * b3/air/AirDisassembler.cpp: |
| (JSC::B3::Air::Disassembler::dump): |
| * b3/air/AirGenerate.cpp: |
| (JSC::B3::Air::prepareForGeneration): |
| * dfg/DFGCommon.cpp: |
| * dfg/DFGCommon.h: |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| (JSC::DFG::Graph::dumpBlockHeader): |
| * dfg/DFGNode.cpp: |
| (WTF::printInternal): |
| * ftl/FTLCompile.cpp: |
| (JSC::FTL::compile): |
| * ftl/FTLCompile.h: |
| * ftl/FTLState.cpp: |
| (JSC::FTL::State::State): |
| |
| 2020-01-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [WTF] Remove PackedIntVector |
| https://bugs.webkit.org/show_bug.cgi?id=207018 |
| |
| Reviewed by Mark Lam. |
| |
| * bytecode/BytecodeBasicBlock.h: |
| |
| 2020-01-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove unnecessary allocations in BytecodeBasicBlock |
| https://bugs.webkit.org/show_bug.cgi?id=206986 |
| |
| Reviewed by Mark Lam. |
| |
| We know that BytecodeBasicBlock itself takes 2MB in Gmail. And each BytecodeBasicBlock has Vector<unsigned> |
| and Vector<BytecodeBasicBlock*>. |
| |
| BytecodeBasicBlock holds the offset of every bytecode as an unsigned in m_offsets. But this offset is |
| only used when reverse iterating the bytecodes in a BytecodeBasicBlock. We can hold the length of each |
| bytecode instead, which is much smaller (unsigned vs. uint8_t). |
| |
| Since each BytecodeBasicBlock has an index, we should hold successors in Vector<unsigned> instead of Vector<BytecodeBasicBlock*>. |
| |
| We are also allocating BytecodeBasicBlock with makeUnique<> and holding them in Vector<std::unique_ptr<BytecodeBasicBlock>>. |
| But this is not necessary since only BytecodeBasicBlock::compute can modify this vector. We should generate Vector<BytecodeBasicBlock> |
| from BytecodeBasicBlock::compute. |
| |
| We are also planning to purge BytecodeBasicBlock from UnlinkedCodeBlock if it is not used much. But this will be done in a separate patch. |
| |
| * bytecode/BytecodeBasicBlock.cpp: |
| (JSC::BytecodeBasicBlock::BytecodeBasicBlock): |
| (JSC::BytecodeBasicBlock::addLength): |
| (JSC::BytecodeBasicBlock::shrinkToFit): |
| (JSC::BytecodeBasicBlock::computeImpl): |
| (JSC::BytecodeBasicBlock::compute): |
| * bytecode/BytecodeBasicBlock.h: |
| (JSC::BytecodeBasicBlock::delta const): |
| (JSC::BytecodeBasicBlock::successors const): |
| (JSC::BytecodeBasicBlock::operator bool const): |
| (JSC::BytecodeBasicBlock::addSuccessor): |
| (JSC::BytecodeBasicBlock::offsets const): Deleted. |
| (JSC::BytecodeBasicBlock:: const): Deleted. |
| (JSC::BytecodeBasicBlock::BytecodeBasicBlock): Deleted. |
| (JSC::BytecodeBasicBlock::addLength): Deleted. |
| * bytecode/BytecodeGeneratorification.cpp: |
| (JSC::BytecodeGeneratorification::BytecodeGeneratorification): |
| * bytecode/BytecodeGraph.h: |
| (JSC::BytecodeGraph::blockContainsBytecodeOffset): |
| (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset): |
| (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset): |
| (JSC::BytecodeGraph::at const): |
| (JSC::BytecodeGraph::operator[] const): |
| (JSC::BytecodeGraph::begin): |
| (JSC::BytecodeGraph::end): |
| (JSC::BytecodeGraph::first): |
| (JSC::BytecodeGraph::last): |
| (JSC::BytecodeGraph::BytecodeGraph): |
| (JSC::BytecodeGraph::begin const): Deleted. |
| (JSC::BytecodeGraph::end const): Deleted. |
| * bytecode/BytecodeLivenessAnalysis.cpp: |
| (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeIndex): |
| (JSC::BytecodeLivenessAnalysis::computeFullLiveness): |
| (JSC::BytecodeLivenessAnalysis::computeKills): |
| (JSC::BytecodeLivenessAnalysis::dumpResults): |
| * bytecode/BytecodeLivenessAnalysis.h: |
| * bytecode/BytecodeLivenessAnalysisInlines.h: |
| (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeIndex): |
| (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock): |
| (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeIndex): |
| (JSC::BytecodeLivenessPropagation::runLivenessFixpoint): |
| * bytecode/InstructionStream.h: |
| (JSC::InstructionStream::MutableRef::operator-> const): |
| (JSC::InstructionStream::MutableRef::ptr const): |
| (JSC::InstructionStream::MutableRef::unwrap const): |
| * bytecode/Opcode.h: |
| * generator/Section.rb: |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| * llint/LLIntData.cpp: |
| (JSC::LLInt::initialize): |
| * llint/LowLevelInterpreter.cpp: |
| (JSC::CLoop::execute): |
| |
| 2020-01-30 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Incomplete braced quantifiers should be banned in Unicode patterns only |
| https://bugs.webkit.org/show_bug.cgi?id=206776 |
| |
| Reviewed by Darin Adler. |
| |
| This change adds SyntaxError for Unicode patterns, aligning JSC with |
| V8 and SpiderMonkey, and also capitalizes "Unicode" in error messages. |
| |
| Grammar: https://tc39.es/ecma262/#prod-annexB-Term |
| (/u flag precludes the use of ExtendedAtom and thus InvalidBracedQuantifier) |
| |
| * yarr/YarrErrorCode.cpp: |
| (JSC::Yarr::errorMessage): |
| (JSC::Yarr::errorToThrow): |
| * yarr/YarrErrorCode.h: |
| * yarr/YarrParser.h: |
| (JSC::Yarr::Parser::parseTokens): |
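
The four Yarr entries above (\0 identity escapes, non-alphabetical \c escapes, unmatched ] or }, incomplete braced quantifiers) all describe syntax that the Annex B grammar accepts but a Unicode (/u) pattern must reject. The following is an added example, not code from the WebKit ChangeLog or the JSC sources: it compiles constructed patterns with and without the u flag on whatever engine runs it, so it doubles as a differential check of an engine against the behaviour these entries describe.

```javascript
// Added example (not WebKit/JSC code): exercise the Annex B vs. Unicode-mode
// regex syntax differences described in the Yarr ChangeLog entries above.
// The pattern strings in CASES are constructed for this example.

// Compile a pattern source with the given flags; report "ok" or "SyntaxError".
// Any other exception is a harness bug, so it is re-thrown.
function compileResult(source, flags) {
  try {
    new RegExp(source, flags);
    return "ok";
  } catch (e) {
    if (e instanceof SyntaxError) return "SyntaxError";
    throw e;
  }
}

// Each case is accepted by the Annex B grammar (no flags) and rejected in
// Unicode mode (/u) according to the entries above. `input` is a string the
// Annex B parse should match literally.
const CASES = [
  // Unmatched ] or } (bug 207023): ExtendedPatternCharacter is Annex B only.
  { name: "unmatched ]", source: "]", input: "x]y" },
  { name: "unmatched }", source: "}", input: "x}y" },
  // Incomplete braced quantifier (bug 206776): a "{" that does not close a
  // {n,m} quantifier is literal in Annex B, a SyntaxError under /u.
  { name: "incomplete {", source: "a{", input: "a{1" },
  { name: "incomplete {n", source: "a{1", input: "a{1}" },
  // \c not followed by an ASCII letter (bug 207091): the backslash is a
  // literal character in Annex B, a SyntaxError under /u.
  { name: "non-alphabetical \\c", source: "\\c1", input: "\\c1" },
  { name: "identity \\c", source: "\\c", input: "\\c" },
  // Backslash followed by a NUL character (bug 207114): a valid identity
  // escape in Annex B, but /u only allows a SyntaxCharacter or "/" there.
  { name: "\\<NUL> identity escape", source: "\\\u0000", input: "\u0000" },
];

// Compile one source both ways.
function classify(source) {
  return {
    annexB: compileResult(source, ""),
    unicode: compileResult(source, "u"),
  };
}

// What the Annex B parse of `source` matches in `input` (null if no match),
// showing that the syntax rejected under /u is treated as literal text there.
function annexBMatch(source, input) {
  const m = new RegExp(source).exec(input);
  return m === null ? null : m[0];
}

// Run every case; one row per case with both verdicts and the literal match.
function runCases() {
  return CASES.map(({ name, source, input }) => ({
    name,
    ...classify(source),
    literal: annexBMatch(source, input),
  }));
}

// Names of cases whose behaviour deviates from "Annex B ok, /u SyntaxError".
// An empty list means the engine agrees with the entries above.
function deviations() {
  return runCases()
    .filter((r) => r.annexB !== "ok" || r.unicode !== "SyntaxError")
    .map((r) => r.name);
}

// Control: the well-formed counterparts compile in both modes.
function controlOk() {
  const r = classify("a{1,2}[\\]]\\cA");
  return r.annexB === "ok" && r.unicode === "ok";
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(runCases());
  console.log("deviations:", deviations());
}
```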
| |
| 2020-01-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make SourceProviderCacheItem small |
| https://bugs.webkit.org/show_bug.cgi?id=206987 |
| |
| Reviewed by Mark Lam. |
| |
| We know this becomes very large when parsing a large script, and it is noticeable in some of the RAMification tests. |
| We should use PackedPtr to shrink size of SourceProviderCacheItem. |
| |
| * parser/Parser.h: |
| (JSC::Scope::restoreFromSourceProviderCache): |
| * parser/SourceProviderCacheItem.h: |
| (JSC::SourceProviderCacheItem::usedVariables const): |
| (JSC::SourceProviderCacheItem::SourceProviderCacheItem): |
| |
| 2020-01-30 Keith Miller <keith_miller@apple.com> |
| |
| Parser needs to restore unary stack state when backtracking |
| https://bugs.webkit.org/show_bug.cgi?id=206972 |
| |
| Reviewed by Saam Barati. |
| |
| Previously we would try to parse possibly stale unary operator |
| stack entries after backtracking from a parse error. This would |
| cause us to think one token was a different token while reparsing |
| after backtracking. Additionally, this patch fixes an issue where |
| the syntax checker would think assignment expressions were resolve |
| expressions. Interestingly, this was not tested in test262. |
| |
| Lastly, I tried adding some assertions to help diagnose |
| when our source text locations are incorrect. |
| |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::emitExpressionInfo): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::ThisNode::emitBytecode): |
| (JSC::ResolveNode::emitBytecode): |
| (JSC::EmptyVarExpression::emitBytecode): |
| (JSC::EmptyLetExpression::emitBytecode): |
| (JSC::ForInNode::emitLoopHeader): |
| (JSC::ForOfNode::emitBytecode): |
| (JSC::DefineFieldNode::emitBytecode): |
| * parser/ASTBuilder.h: |
| (JSC::ASTBuilder::unaryTokenStackDepth const): |
| (JSC::ASTBuilder::setUnaryTokenStackDepth): |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::Lexer): |
| * parser/Lexer.h: |
| (JSC::Lexer::setLineNumber): |
| * parser/Nodes.cpp: |
| (JSC::FunctionMetadataNode::operator== const): |
| * parser/Nodes.h: |
| (JSC::ThrowableExpressionData::ThrowableExpressionData): |
| (JSC::ThrowableExpressionData::setExceptionSourceCode): |
| (JSC::ThrowableExpressionData::checkConsistency const): |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::isArrowFunctionParameters): |
| (JSC::Parser<LexerType>::parseSourceElements): |
| (JSC::Parser<LexerType>::parseModuleSourceElements): |
| (JSC::Parser<LexerType>::parseStatementListItem): |
| (JSC::Parser<LexerType>::parseAssignmentElement): |
| (JSC::Parser<LexerType>::parseForStatement): |
| (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement): |
| (JSC::Parser<LexerType>::parseFunctionInfo): |
| (JSC::Parser<LexerType>::parseClass): |
| (JSC::Parser<LexerType>::parseExportDeclaration): |
| (JSC::Parser<LexerType>::parseAssignmentExpression): |
| (JSC::Parser<LexerType>::parseYieldExpression): |
| (JSC::Parser<LexerType>::parseProperty): |
| (JSC::Parser<LexerType>::parseMemberExpression): |
| (JSC::Parser<LexerType>::parseUnaryExpression): |
| * parser/Parser.h: |
| (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext): |
| (JSC::Parser::internalSaveParserState): |
| (JSC::Parser::restoreParserState): |
| (JSC::Parser::internalSaveState): |
| (JSC::Parser::swapSavePointForError): |
| (JSC::Parser::createSavePoint): |
| (JSC::Parser::internalRestoreState): |
| (JSC::Parser::restoreSavePointWithError): |
| (JSC::Parser::restoreSavePoint): |
| (JSC::Parser::createSavePointForError): Deleted. |
| * parser/ParserTokens.h: |
| (JSC::JSTextPosition::JSTextPosition): |
| (JSC::JSTextPosition::checkConsistency): |
| * parser/SyntaxChecker.h: |
| (JSC::SyntaxChecker::operatorStackPop): |
| |
| 2020-01-29 Mark Lam <mark.lam@apple.com> |
| |
| Fix bad assertion in InternalFunctionAllocationProfile::createAllocationStructureFromBase(). |
| https://bugs.webkit.org/show_bug.cgi?id=206981 |
| <rdar://problem/58985736> |
| |
| Reviewed by Keith Miller. |
| |
| InternalFunctionAllocationProfile::createAllocationStructureFromBase() is only |
| called from FunctionRareData::createInternalFunctionAllocationStructureFromBase(), |
| which in turn is only called from InternalFunction::createSubclassStructureSlow(). |
| |
| InternalFunction::createSubclassStructureSlow() only allows a call to |
| FunctionRareData::createInternalFunctionAllocationStructureFromBase() under |
| certain conditions. One of these conditions is that the baseGlobalObject is |
| different than the newTarget's globalObject. |
| |
| InternalFunctionAllocationProfile::createAllocationStructureFromBase() has an |
| ASSERT on the same set of conditions, with one omission: the one above. This |
| patch fixes the ASSERT by adding the missing condition to match the check in |
| InternalFunction::createSubclassStructureSlow(). |
| |
| * bytecode/InternalFunctionAllocationProfile.h: |
| (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase): |
| |
| 2020-01-29 Robin Morisset <rmorisset@apple.com> |
| |
| Remove Options::enableSpectreMitigations |
| https://bugs.webkit.org/show_bug.cgi?id=193885 |
| |
| Reviewed by Saam Barati. |
| |
| From what I remember we decided to remove the spectre-specific mitigations we had tried (in favor of things like process-per-origin). |
| I don't think anyone is using the SpectreGadget we had added for experiments either. |
| So this patch removes the following three options, and all the code that depended on them: |
| - enableSpectreMitigations (was true, only used in one place) |
| - enableSpectreGadgets (was false) |
| - zeroStackFrame (was false, and was an experiment about Spectre variant 4 if I remember correctly) |
| |
| * b3/air/AirCode.cpp: |
| (JSC::B3::Air::defaultPrologueGenerator): |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::compile): |
| (JSC::DFG::JITCompiler::compileFunction): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCurrentBlock): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::lower): |
| * jit/AssemblyHelpers.h: |
| * jit/JIT.cpp: |
| (JSC::JIT::compileWithoutLinking): |
| * runtime/OptionsList.h: |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::initCallFrame): |
| |
| 2020-01-29 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: add instrumentation for showing existing Web Animations |
| https://bugs.webkit.org/show_bug.cgi?id=205434 |
| <rdar://problem/28328087> |
| |
| Reviewed by Brian Burg. |
| |
| * inspector/protocol/Animation.json: |
| Add types/commands/events for instrumenting the lifecycle of `Animation` objects, as well as |
| commands for getting the JavaScript wrapper object and the target DOM node. |
| |
| 2020-01-29 Robin Morisset <rmorisset@apple.com> |
| |
| Don't include CCallHelpers.h in B3Procedure.h |
| https://bugs.webkit.org/show_bug.cgi?id=206966 |
| |
| Reviewed by Saam Barati. |
| |
| I verified through -ftime-trace and it massively speeds up a few of the compilation units (e.g. UnifiedSource10.cpp). |
| |
| * b3/B3Procedure.cpp: |
| * b3/B3Procedure.h: |
| * b3/testb3_6.cpp: |
| (testEntrySwitchSimple): |
| (testEntrySwitchNoEntrySwitch): |
| (testEntrySwitchWithCommonPaths): |
| (testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint): |
| (testEntrySwitchLoop): |
| * ftl/FTLCompile.cpp: |
| (JSC::FTL::compile): |
| * wasm/WasmParser.h: |
| |
| 2020-01-29 Justin Michaud <justin_michaud@apple.com> |
| |
| Fix small memory regression caused by r206365 |
| https://bugs.webkit.org/show_bug.cgi?id=206557 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Put StructureRareData::m_giveUpOnObjectToStringValueCache into m_objectToStringValue to prevent increasing StructureRareData's size. We make a special value for the pointer |
| objectToStringCacheGiveUpMarker() to signal that we should not cache the string value. As a result, adding m_transitionOffset does not increase the size of the class. |
| |
| * runtime/Structure.h: |
| * runtime/StructureRareData.cpp: |
| (JSC::StructureRareData::StructureRareData): |
| (JSC::StructureRareData::visitChildren): |
| (JSC::StructureRareData::setObjectToStringValue): |
| (JSC::StructureRareData::clearObjectToStringValue): |
| * runtime/StructureRareData.h: |
| * runtime/StructureRareDataInlines.h: |
| (JSC::StructureRareData::objectToStringValue const): |
| |
| 2020-01-28 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Give up IC when unknown structure transition happens |
| https://bugs.webkit.org/show_bug.cgi?id=206846 |
| |
| Reviewed by Mark Lam. |
| |
| When we are creating Put IC for a new property, we grab the old Structure before performing |
| the put. For a custom ::put, our convention is that the implemented ::put should mark the PutPropertySlot |
| as non-cacheable. The IC code relies on this in order to work correctly. If we didn't mark it as non-cacheable, |
| a semantic failure can happen. This patch hardens the code against this semantic failure case by giving up trying |
| to cache the IC when the newStructure calculated from oldStructure does not match against |
| the actual structure after the put operation. |
| |
| * jit/Repatch.cpp: |
| (JSC::tryCachePutByID): |
| (JSC::repatchPutByID): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * runtime/Structure.cpp: |
| (JSC::Structure::flattenDictionaryStructure): |
| * tools/JSDollarVM.cpp: |
| (JSC::functionCreateObjectDoingSideEffectPutWithoutCorrectSlotStatus): |
| (JSC::JSDollarVM::finishCreation): |
| (JSC::JSDollarVM::visitChildren): |
| * tools/JSDollarVM.h: |
| |
| 2020-01-28 Robin Morisset <rmorisset@apple.com> |
| |
| Remove the include of BytecodeGenerator.h in CodeCache.h |
| https://bugs.webkit.org/show_bug.cgi?id=206851 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| This reduces the number of times that BytecodeStructs.h has to be parsed from 33 to 25 times, and unblocks https://bugs.webkit.org/show_bug.cgi?id=206720. |
| |
| * runtime/CodeCache.cpp: |
| (JSC::generateUnlinkedCodeBlockForFunctions): |
| (JSC::generateUnlinkedCodeBlockImpl): |
| (JSC::generateUnlinkedCodeBlock): |
| (JSC::generateUnlinkedCodeBlockForDirectEval): |
| (JSC::recursivelyGenerateUnlinkedCodeBlockForProgram): |
| (JSC::recursivelyGenerateUnlinkedCodeBlockForModuleProgram): |
| * runtime/CodeCache.h: |
| * runtime/Completion.cpp: |
| (JSC::generateProgramBytecode): |
| (JSC::generateModuleBytecode): |
| * runtime/DirectEvalExecutable.cpp: |
| (JSC::DirectEvalExecutable::create): |
| * runtime/JSGlobalObject.cpp: |
| * runtime/VM.cpp: |
| |
| 2020-01-28 Mark Lam <mark.lam@apple.com> |
| |
| Some website needs more stack space. |
| https://bugs.webkit.org/show_bug.cgi?id=206891 |
| |
| Reviewed by Saam Barati. |
| |
| We're bumping the maximum stack usage limit (JSC_maxPerThreadStackUsage) to 5M |
| to give websites a little more stack space when available. The actual usable |
| stack space is still the minimum of JSC_maxPerThreadStackUsage and the stack size |
| that the OS provisions, minus some overhead. |
| |
| * runtime/OptionsList.h: |
| |
| 2020-01-27 Carlos Garcia Campos <cgarcia@igalia.com> |
| |
| [GTK] Remote Inspector: add support for service workers targets |
| https://bugs.webkit.org/show_bug.cgi?id=206821 |
| |
| Reviewed by Žan Doberšek. |
| |
| Handle ServiceWorker target type. |
| |
| * inspector/remote/glib/RemoteInspectorGlib.cpp: |
| (Inspector::targetDebuggableType): |
| (Inspector::RemoteInspector::listingForInspectionTarget const): |
| |
| 2020-01-27 Jonathan Bedard <jbedard@apple.com> |
| |
| Fix OpenSource iphoneos arm64e build |
| https://bugs.webkit.org/show_bug.cgi?id=206703 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/MachineContext.h: |
| (JSC::MachineContext::stackPointerImpl): Conditionalize function existence on |
| USE(DARWIN_REGISTER_MACROS). |
| (JSC::MachineContext::stackPointer): Use Darwin's register macros if available. |
| (JSC::MachineContext::setStackPointer): Ditto. |
| (JSC::MachineContext::instructionPointerImpl): Conditionalize function existence |
| on USE(DARWIN_REGISTER_MACROS). |
| (JSC::MachineContext::instructionPointer): Use Darwin's register macros if available. |
| (JSC::MachineContext::setInstructionPointer): Ditto. |
| (JSC::MachineContext::linkRegister): Ditto. |
| (JSC::MachineContext::setLinkRegister): Ditto. |
| (JSC::MachineContext::linkRegisterImpl): Deleted. |
| |
| 2020-01-27 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: unable to evaluate in the isolated world of content scripts injected by safari app extensions |
| https://bugs.webkit.org/show_bug.cgi?id=206110 |
| <rdar://problem/16945643> |
| |
| Reviewed by Timothy Hatcher, Joseph Pecoraro, and Brian Burg. |
| |
| In addition to evaluating in subframe execution contexts, add the ability for Web Inspector |
| to evaluate in non-normal isolated worlds. |
| |
| * inspector/protocol/Runtime.json: |
| Introduce an `ExecutionContextType` enum instead of `isPageContext` so the frontend can |
| decide whether/how to show a picker for that execution context. |
| |
| 2020-01-27 Stephan Szabo <stephan.szabo@sony.com> |
| |
| Python 3: generate-js-builtins hits SyntaxWarning for "is 0" |
| https://bugs.webkit.org/show_bug.cgi?id=206840 |
| |
| Reviewed by Jonathan Bedard. |
| |
| * Scripts/generate-js-builtins.py: Replace is 0 with == 0 |
| |
| 2020-01-27 David Kilzer <ddkilzer@apple.com> |
| |
| REGRESSION (r250009): testair crashes in (anonymous namespace)::matchAll |
| <https://webkit.org/b/206797> |
| <rdar://problem/58893221> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * b3/air/testair.cpp: |
| ((anonymous namespace)::matchAll): Don't replace `str` in the |
| body of the for loop since `match` references it. |
| |
| 2020-01-27 Ryan Haddad <ryanhaddad@apple.com> |
| |
| Unreviewed, rolling out r255159. |
| |
| Broke the watchOS build. |
| |
| Reverted changeset: |
| |
| "Fix OpenSource iphoneos arm64e build" |
| https://bugs.webkit.org/show_bug.cgi?id=206703 |
| https://trac.webkit.org/changeset/255159 |
| |
| 2020-01-27 Jonathan Bedard <jbedard@apple.com> |
| |
| Fix OpenSource iphoneos arm64e build |
| https://bugs.webkit.org/show_bug.cgi?id=206703 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/MachineContext.h: |
| (JSC::MachineContext::stackPointerImpl): Conditionalize function existence on |
| USE(DARWIN_REGISTER_MACROS). |
| (JSC::MachineContext::stackPointer): Use Darwin's register macros if available. |
| (JSC::MachineContext::setStackPointer): Ditto. |
| (JSC::MachineContext::instructionPointerImpl): Conditionalize function existence |
| on USE(DARWIN_REGISTER_MACROS). |
| (JSC::MachineContext::instructionPointer): Use Darwin's register macros if available. |
| (JSC::MachineContext::setInstructionPointer): Ditto. |
| (JSC::MachineContext::linkRegister): Ditto. |
| (JSC::MachineContext::setLinkRegister): Ditto. |
| (JSC::MachineContext::linkRegisterImpl): Deleted. |
| |
| 2020-01-27 Paulo Matos <pmatos@igalia.com> |
| |
| Remove internal fields in promise assertion for 32bits |
| https://bugs.webkit.org/show_bug.cgi?id=206823 |
| |
| Reviewed by Mark Lam. |
| |
| This assertion was removed for 64bits under bug 201159 but left around |
| in 32bits. |
| |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_get_internal_field): |
| (JSC::JIT::emit_op_put_internal_field): |
| |
| 2020-01-26 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Invalid ranges in character classes should be banned in Unicode patterns only |
| https://bugs.webkit.org/show_bug.cgi?id=206768 |
| |
| Reviewed by Darin Adler. |
| |
| In ES5, grammar of CharacterRange was ambiguous, resulting in invalid ranges |
| like /[\d-a]/ being allowed. As of ES2015, invalid ranges are SyntaxError in |
| Unicode patterns, yet still allowed in regular ones to avoid breaking the web. |
| (https://tc39.es/ecma262/#sec-patterns-static-semantics-early-errors-annexb) |
| |
| This change adds SyntaxError for Unicode patterns and updates explanatory |
| comments. ErrorCode::CharacterClassOutOfOrder is renamed for consistency |
| with newly added error code and ErrorCode::ParenthesesTypeInvalid. |
| |
| * yarr/YarrErrorCode.cpp: |
| (JSC::Yarr::errorMessage): |
| (JSC::Yarr::errorToThrow): |
| * yarr/YarrErrorCode.h: |
| * yarr/YarrParser.h: |
| (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate): |
| (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter): |
| (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBuiltInCharacterClass): |
| (JSC::Yarr::Parser::parseCharacterClass): |
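| The Annex B behaviour described in the entry above, as an added example that is not part of the ChangeLog or of JSC itself: a small probe that compiles each pattern with and without the u flag and reports which character-class ranges are tolerated only in legacy (non-Unicode) mode. The sample patterns are constructed for the demonstration; the probe relies only on the engine throwing SyntaxError from the RegExp constructor, so it runs against any ECMA-262 compliant engine, not just JSC. |

```javascript
// Added example (not JSC project code): probe how a RegExp engine treats
// invalid character-class ranges with and without the `u` flag.
// Per ECMA-262 Annex B, a class escape used as a range endpoint (e.g. [\d-a])
// is tolerated in non-Unicode patterns but is a SyntaxError in Unicode patterns.
// An out-of-order range such as [z-a] is a SyntaxError in every mode.

function compileRegExp(pattern, flags = "") {
  try {
    new RegExp(pattern, flags);
    return { ok: true, error: null };
  } catch (e) {
    // Only a SyntaxError means "the parser rejected the pattern".
    if (!(e instanceof SyntaxError)) throw e;
    return { ok: false, error: e.message };
  }
}

// Constructed sample patterns covering the cases the change describes.
const SAMPLES = [
  "[\\d-a]",   // class escape as range start (Annex B: allowed without `u`)
  "[a-\\d]",   // class escape as range end
  "[\\w-\\s]", // both endpoints are class escapes
  "[a-z]",     // ordinary, valid range
  "[z-a]",     // out-of-order range: invalid in every mode
];

// For each pattern, record whether it compiles in legacy and in Unicode mode.
function classifyRanges(patterns = SAMPLES) {
  return patterns.map((p) => ({
    pattern: p,
    legacy: compileRegExp(p).ok,
    unicode: compileRegExp(p, "u").ok,
  }));
}

// Patterns accepted in legacy mode but rejected once the `u` flag is set;
// these are exactly the ranges that only Annex B keeps alive.
function annexBOnly(patterns = SAMPLES) {
  return classifyRanges(patterns)
    .filter((r) => r.legacy && !r.unicode)
    .map((r) => r.pattern);
}
```

| Running annexBOnly() on the samples returns the three class-escape ranges; [a-z] compiles in both modes and [z-a] in neither. The practical lesson for anyone sanitising or validating user-supplied patterns: the same pattern string can be valid or a SyntaxError depending on the flags it is compiled with, so validate with the exact flags that will be used at match time. |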
| |
| 2020-01-24 Mark Lam <mark.lam@apple.com> |
| |
| Move singleton Intl string locales out of JSGlobalObject. |
| https://bugs.webkit.org/show_bug.cgi?id=206791 |
| <rdar://problem/58889037> |
| |
| Reviewed by Yusuke Suzuki and Andy Wagoner. |
| |
| We were creating an instance of these for each JSGlobalObject when they can be a |
| global singleton since they are always initialized with the same intl data |
| (barring a mid-flight change in intl settings, which we don't support even in the |
| existing code). |
| |
| It turns out that intlPluralRulesAvailableLocales() wasn't called anywhere. |
| IntlPluralRules code currently just uses intlNumberFormatAvailableLocales(). |
| To document that this is intentional, we do the following: |
| 1. have IntlPluralRules code call intlPluralRulesAvailableLocales(), and |
| 2. have intlPluralRulesAvailableLocales() call intlNumberFormatAvailableLocales() |
| for its implementation. |
| See https://bugs.webkit.org/show_bug.cgi?id=206791#c7 and |
| https://bugs.webkit.org/show_bug.cgi?id=206791#c8. |
| |
| In addMissingScriptLocales(), I'm deliberately naming the string with underscores |
| because it's much easier to read pa_PK_String and see that it refers to "pa-PK" |
| as opposed to paPKString. Ditto for zh_CN_String, zh_HK_String, zh_SG_String, |
| and zh_TW_String. |
| |
| * runtime/IntlCollator.cpp: |
| (JSC::IntlCollator::initializeCollator): |
| * runtime/IntlCollatorConstructor.cpp: |
| (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): |
| * runtime/IntlDateTimeFormat.cpp: |
| (JSC::IntlDateTimeFormat::initializeDateTimeFormat): |
| * runtime/IntlDateTimeFormatConstructor.cpp: |
| (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): |
| * runtime/IntlNumberFormat.cpp: |
| (JSC::IntlNumberFormat::initializeNumberFormat): |
| * runtime/IntlNumberFormatConstructor.cpp: |
| (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): |
| * runtime/IntlObject.cpp: |
| (JSC::convertICULocaleToBCP47LanguageTag): |
| (JSC::addMissingScriptLocales): |
| (JSC::intlCollatorAvailableLocales): |
| (JSC::intlDateTimeFormatAvailableLocales): |
| (JSC::intlNumberFormatAvailableLocales): |
| (JSC::defaultLocale): |
| * runtime/IntlObject.h: |
| * runtime/IntlPluralRules.cpp: |
| (JSC::IntlPluralRules::initializePluralRules): |
| * runtime/IntlPluralRulesConstructor.cpp: |
| (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::addMissingScriptLocales): Deleted. |
| (JSC::JSGlobalObject::intlCollatorAvailableLocales): Deleted. |
| (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales): Deleted. |
| (JSC::JSGlobalObject::intlNumberFormatAvailableLocales): Deleted. |
| (JSC::JSGlobalObject::intlPluralRulesAvailableLocales): Deleted. |
| * runtime/JSGlobalObject.h: |
| |
| 2020-01-24 Mark Lam <mark.lam@apple.com> |
| |
| IntlObject's cached strings should be immortal and safe for concurrent access. |
| https://bugs.webkit.org/show_bug.cgi?id=206779 |
| <rdar://problem/58831763> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| In IntlObject's numberingSystemsForLocale(), we have a never destroyed |
| cachedNumberingSystems which is a singleton vector of Strings which are shared |
| among multiple VMs. Hence, the strings in this vector should be a StaticStringImpl |
| so that it will be immortal, and can be accessed concurrently from multiple VMs |
| on different threads without any ref/deref'ing race issues. |
| |
| * runtime/IntlObject.cpp: |
| (JSC::numberingSystemsForLocale): |
| |
| 2020-01-24 Caio Lima <ticaiolima@gmail.com> |
| |
| [ARMv7][JIT] Implement checkpoint support |
| https://bugs.webkit.org/show_bug.cgi?id=206611 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch is adding code path to properly support checkpoint on ARMv7. |
| |
| * dfg/DFGOSREntry.cpp: |
| (JSC::DFG::prepareOSREntry): |
| |
| We changed the scratch buffer population to properly handle |
| callee-saved registers on 32-bit. For more details, check comments on |
| source code. |
| |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::compileExit): |
| * jit/GPRInfo.h: |
| (JSC::GPRInfo::toRegister): |
| (JSC::GPRInfo::toIndex): |
| |
| We are adding back `regCS1` to be used as GPRReg on DFG and |
| scratch registers. This was necessary because some code generated by |
| GetByVal IC requires at least 9 registers available. |
| Given that, we also added such register to `dfgCalleeSaveRegisters` |
| set. |
| |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emitPutByValWithCachedId): |
| * jit/RegisterSet.cpp: |
| (JSC::RegisterSet::dfgCalleeSaveRegisters): |
| * llint/LowLevelInterpreter.asm: |
| |
| 2020-01-24 Keith Miller <keith_miller@apple.com> |
| |
| JSC should produce a module map. |
| https://bugs.webkit.org/show_bug.cgi?id=206717 |
| |
| Reviewed by Mark Lam. |
| |
| * Configurations/JavaScriptCore.xcconfig: |
| * JavaScriptCore.modulemap: |
| |
| 2020-01-24 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r255052. |
| https://bugs.webkit.org/show_bug.cgi?id=206758 |
| |
| "Broke production builds" (Requested by rmorisset on #webkit). |
| |
| Reverted changeset: |
| |
| "Break the dependency between jsc and DerivedSources" |
| https://bugs.webkit.org/show_bug.cgi?id=206720 |
| https://trac.webkit.org/changeset/255052 |
| |
| 2020-01-24 Adrian Perez de Castro <aperez@igalia.com> |
| |
| Fix various non-unified build issues introduced since r254751 |
| https://bugs.webkit.org/show_bug.cgi?id=206736 |
| |
| Reviewed by Carlos Garcia Campos. |
| |
| * tools/CompilerTimingScope.cpp: Add missing inclusions of wtf/Vector.h and wtf/text/WTFString.h |
| |
| 2020-01-24 Paulo Matos <pmatos@igalia.com> |
| |
| Fix number of callee saved register count on MIPS |
| https://bugs.webkit.org/show_bug.cgi?id=206732 |
| |
| Reviewed by Žan Doberšek. |
| |
| MIPS has been issuing illegal instruction errors due to stack corruption. |
| This is caused by an incorrect number of CalleeSaveRegisterCount |
| that should be set to 3 since r254674. |
| |
| * llint/LowLevelInterpreter.asm: |
| |
| 2020-01-23 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG OSR exit is not marking CodeBlock::m_hasLinkedOSRExit when the exit target is checkpoint |
| https://bugs.webkit.org/show_bug.cgi?id=206726 |
| <rdar://problem/58827849> |
| |
| Reviewed by Saam Barati. |
| |
| The problem was that DFG OSR exit is not marking CodeBlock::m_hasLinkedOSRExit appropriately when an exit target bytecode-index is a checkpoint. |
| Let's consider the following scenario. |
| |
| 1. The caller CodeBlock "A" has Baseline code. |
| 2. Compile DFG code exiting to the checkpoint of "A". We are not marking "A"'s CodeBlock::m_hasLinkedOSRExit. |
| 3. GC happens and we decide dropping Baseline code for "A" since it is not marked. Switching it to LLInt. |
| 4. However, DFG OSR exit code is compiled by assuming that "A" is Baseline. So LLInt registers are not recovered correctly. |
| 5. Then, exiting to LLInt of "A", LLInt sees that LLInt registers have garbage. |
| |
| In this patch, we correctly set a bit of CodeBlock::m_hasLinkedOSRExit when the exit target is checkpoint. |
| |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::callerReturnPC): |
| |
| 2020-01-23 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, build fix for Windows |
| https://bugs.webkit.org/show_bug.cgi?id=206706 |
| |
| Definition still existed. |
| |
| * parser/Parser.h: |
| |
| 2020-01-23 Robin Morisset <rmorisset@apple.com> |
| |
| Break the dependency between jsc and DerivedSources |
| https://bugs.webkit.org/show_bug.cgi?id=206720 |
| |
| Reviewed by Mark Lam. |
| |
| According to Tadeu, the slowdown of production builds (by more than 20%) when he landed his bytecode patch was caused by a new dependency of the jsc binary on DerivedSources/, which was needed because of DerivedSources/BytecodeStructs.h being included in CommonSlowPaths.h which is transitively included in jsc.cpp. |
| Now that BytecodeStructs.h is no longer included in CommonSlowPaths.h (see https://bugs.webkit.org/show_bug.cgi?id=206566), I'm trying to break the dependency, to recover from this compile time regression. |
| |
| * Configurations/JSC.xcconfig: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| |
| 2020-01-23 Robin Morisset <rmorisset@apple.com> |
| |
| Remove dead option useFTLTBAA |
| https://bugs.webkit.org/show_bug.cgi?id=206725 |
| |
| Reviewed by Mark Lam. |
| |
| It is likely from when the FTL used LLVM, before B3/Air were written, making this option completely obsolete (and it is currently unused). |
| |
| * runtime/OptionsList.h: |
| |
| 2020-01-23 Robin Morisset <rmorisset@apple.com> |
| |
| Remove dead options "dumpAllDFGNodes"/"showAllDFGNodes" |
| https://bugs.webkit.org/show_bug.cgi?id=204372 |
| |
| Reviewed by Keith Miller. |
| |
| * runtime/OptionsList.h: |
| |
| 2020-01-23 Saam Barati <sbarati@apple.com> |
| |
| Get rid of didFinishParsing and make parseInner return its results |
| https://bugs.webkit.org/show_bug.cgi?id=206706 |
| |
| Reviewed by Mark Lam and Keith Miller and Yusuke Suzuki. |
| |
| This is paving the way for eagerly parsing immediately invoked functions. |
| Before, we'd just end up setting member fields inside ::didFinishParsing, |
| and then read them out inside ::parse. However, this is not going to work |
| when we are in a world where we're generating AST nodes for more than one |
| function at a time. This patch paves the way for that. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::Parser): |
| (JSC::Parser<LexerType>::parseInner): |
| (JSC::Parser<LexerType>::didFinishParsing): Deleted. |
| * parser/Parser.h: |
| (JSC::Parser<LexerType>::parse): |
| |
| 2020-01-23 Robin Morisset <rmorisset@apple.com> |
| |
| Don't include BytecodeStructs.h in CommonSlowPaths.h |
| https://bugs.webkit.org/show_bug.cgi?id=206566 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| Simple improvement to compile times. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * dfg/DFGOSREntry.cpp: |
| * jit/JIT.h: |
| * jit/JITInlines.h: |
| * jit/JITOperations.cpp: |
| * llint/LLIntSlowPaths.cpp: |
| * runtime/CommonSlowPaths.h: |
| * wasm/WasmSlowPaths.cpp: |
| |
| 2020-01-23 Saam Barati <sbarati@apple.com> |
| |
| OptimizeAssociativeExpressionTrees should reset value owners before running |
| https://bugs.webkit.org/show_bug.cgi?id=206670 |
| <rdar://problem/58535628> |
| |
| Reviewed by Robin Morisset. |
| |
| We have a crash inside OptimizeAssociativeExpressionTrees and we don't know |
| how to reproduce it. Also, based on Mark's auditing of the crash site's |
| assembly, Mark thinks we're crashing on a "corrupt" basic block. |
| |
| After I audited the code, I saw that we rely on value owners in this phase. |
| However, we don't actually reset them before running the phase. This patch |
| adds that as a speculative fix for the crash we're seeing. |
| |
| * b3/B3OptimizeAssociativeExpressionTrees.cpp: |
| (JSC::B3::OptimizeAssociativeExpressionTrees::run): |
| |
| 2020-01-23 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix calculation of kindBits |
| https://bugs.webkit.org/show_bug.cgi?id=206650 |
| |
| * bytecode/Operands.h: |
| |
| 2020-01-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Bits from Operand should fit in bits reserved in AbstractHeap's Payload |
| https://bugs.webkit.org/show_bug.cgi?id=206619 |
| <rdar://problem/58270260> |
| |
| Reviewed by Keith Miller. |
| |
| We extended JSC::Operand to have an additional field representing OperandKind. |
| However, we have a restriction in DFG::AbstractHeap's Payload that Operand's raw |
| bits format needs to fit in reserved bits in Payload's raw bits format, 49 bits. |
| Since we ordered fields of Operand "m_kind" and "m_operand", on a little-endian |
| architecture, the raw bits format of Operand can exceed 49 bits if m_operand is |
| large enough. |
| |
| This patch fixes the order to ensure that Operand's raw bit format always fits |
| in 49 bits. |
| |
| * bytecode/Operands.h: |
| (JSC::Operand::Operand): |
| (JSC::Operand::asBits const): |
| * dfg/DFGAbstractHeap.h: |
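| The layout reasoning in the entry above, as an added example that is not part of the ChangeLog or of JSC: a model of how two adjacent fields become one raw 64-bit word on a little-endian machine, and a check of whether that word stays inside a 49-bit budget. The field width (32 bits each) and the sample kind values are assumptions for illustration; the real Operand type's widths are not stated on this page. BigInt is used so the high bits of the word are represented exactly. |

```javascript
// Added example (not JSC code): model a two-field struct packed into a raw
// 64-bit word on a little-endian machine and test it against a bit budget.
// ASSUMPTION: each field is 32 bits wide; the budget of 49 bits is the
// figure quoted in the ChangeLog entry for AbstractHeap's Payload.
const FIELD_BITS = 32n;
const BUDGET_BITS = 49n;

// Fields are given in declaration order. On little-endian hardware the first
// declared field occupies the lowest-addressed bytes, i.e. the least
// significant bits of the word, so later fields land in the high bits.
function packLittleEndian(fields) {
  let raw = 0n;
  fields.forEach((value, index) => {
    const v = BigInt(value);
    if (v < 0n || v >= (1n << FIELD_BITS)) {
      throw new RangeError("field value does not fit in " + FIELD_BITS + " bits");
    }
    raw |= v << (FIELD_BITS * BigInt(index));
  });
  return raw;
}

// True when no bit at or above the budget boundary is set.
function fitsInBudget(raw, budgetBits = BUDGET_BITS) {
  return (raw >> budgetBits) === 0n;
}

// Layout before the fix: {m_kind, m_operand} -> operand lands in bits 32..63.
function kindFirstFits(kind, operand) {
  return fitsInBudget(packLittleEndian([kind, operand]));
}

// Layout after the fix: {m_operand, m_kind} -> only the small kind value is high.
function operandFirstFits(kind, operand) {
  return fitsInBudget(packLittleEndian([operand, kind]));
}

// Smallest power-of-two operand whose bit lands beyond the budget when the
// operand is the second (high) field; null if every width fits.
function firstFailingOperand(kind) {
  for (let bit = 0; bit < 32; bit++) {
    const operand = 2 ** bit;
    if (!kindFirstFits(kind, operand)) return operand;
  }
  return null;
}
```

| With kind first, an operand of 2^17 already sets bit 49 and breaks the budget, while with operand first even the maximum 32-bit operand fits because only the small kind value occupies the high half. The general point for anyone packing tagged values into a fixed bit budget: the in-memory order of fields, not just their declared widths, decides which field's growth overflows the reserved bits. |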
| |
| 2020-01-22 Mark Lam <mark.lam@apple.com> |
| |
| Restore nullification of DFG::Plan::m_vm when the plan is cancelled. |
| https://bugs.webkit.org/show_bug.cgi?id=206633 |
| <rdar://problem/58811967> |
| |
| Reviewed by Robin Morisset. |
| |
| In r253243, I replaced the nullification of Plan::m_vm in Plan::cancel() with |
| code to decorate the m_vm pointer with a nuke bit. The thinking is that keeping |
| the VM pointer in nuked form allows us to do certain assertions, as well as |
| implementing code in support of keeping Box<Identifier>s alive. It is only |
| correct to use the nuked VM pointer if and only if the VM is guaranteed to |
| outlive the Plan. r253243 guarantees this condition. |
| |
| In r254464, I replaced the use of Box<Identifier> with CacheableIdentifier. |
| This obviated all the support code added above, and rolled out most of it. |
| However, I opted to keep the nuked VM pointer in the DFG::Plan as a debugging |
| aid (it's nice to be able to know which VM the Plan came from). |
| |
| However, r254464 also undid the guarantee that the VM will outlive the Plan. |
| As a result, a nuked VM pointer is no longer guaranteed to point to a valid VM. |
| Some worker layout tests, run on an ASAN build, detected that the pointer is |
| pointing to an already freed VM and failed with a crash. |
| |
| This patch fixes this issue by completely reverting the nuked VM pointer code, |
| and restores nullification of the m_vm pointer in Plan::cancel(). |
| |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::computeCompileTimes const): |
| (JSC::DFG::Plan::cancel): |
| * dfg/DFGPlan.h: |
| (JSC::DFG::Plan::vm const): |
| (JSC::DFG::Plan::unnukedVM const): Deleted. |
| (JSC::DFG::Plan::nuke): Deleted. |
| (JSC::DFG::Plan::unnuke): Deleted. |
| |
| 2020-01-22 Keith Miller <keith_miller@apple.com> |
| |
| Remove DFGAbstractHeap::typeInfoType since it's immutable |
| https://bugs.webkit.org/show_bug.cgi?id=206638 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * dfg/DFGAbstractHeap.h: |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| |
| 2020-01-22 Keith Miller <keith_miller@apple.com> |
| |
| InternalField and CheckNeutered DFG nodes are not always safe to execute |
| https://bugs.webkit.org/show_bug.cgi?id=206632 |
| |
| Reviewed by Saam Barati. |
| |
| We currently mark (Get/Set)InternalField/CheckNeutered nodes as safe to execute everywhere. However, |
| GetInternalField, etc. rely on a proof that the cell passed to it is a subclass of InternalFieldObject. |
| This combination means we may hoist the nodes past the check guarding them. |
| |
| Also, remove a bogus assertion that we will have proven the value passed to CheckNeutered is a TypedArray. |
| It's not valid to require that AI preserve a precise model of all invariants since phases can make changes |
| that AI doesn't understand. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCheckNeutered): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileCheckNeutered): |
| |
| 2020-01-22 Saam Barati <sbarati@apple.com> |
| |
| Add an option for logging total phase times |
| https://bugs.webkit.org/show_bug.cgi?id=206623 |
| |
| Reviewed by Robin Morisset and Keith Miller. |
| |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::compileInThreadImpl): |
| * jsc.cpp: |
| (runJSC): |
| * runtime/OptionsList.h: |
| * tools/CompilerTimingScope.cpp: |
| (JSC::CompilerTimingScope::CompilerTimingScope): |
| (JSC::CompilerTimingScope::~CompilerTimingScope): |
| (JSC::logTotalPhaseTimes): |
| * tools/CompilerTimingScope.h: |
| |
| 2020-01-22 Caio Lima <ticaiolima@gmail.com> |
| |
| [32-bits][JIT] Fix build issues. |
| https://bugs.webkit.org/show_bug.cgi?id=206603 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch is adjusting places to use VirtualRegister instead of |
| offset directly, to make 32-bit JIT compilable again. Original authors |
| of this patch are Paulo Matos and Guillaume Emont. |
| |
| * jit/JIT.h: |
| * jit/JITArithmetic32_64.cpp: |
| (JSC::JIT::emit_compareAndJump): |
| (JSC::JIT::emit_compareUnsignedAndJump): |
| (JSC::JIT::emit_compareUnsigned): |
| (JSC::JIT::emit_compareAndJumpSlow): |
| (JSC::JIT::emit_op_unsigned): |
| (JSC::JIT::emit_op_inc): |
| (JSC::JIT::emit_op_dec): |
| (JSC::JIT::emitBinaryDoubleOp): |
| * jit/JITCall32_64.cpp: |
| (JSC::JIT::emitPutCallResult): |
| (JSC::JIT::emit_op_ret): |
| (JSC::JIT::compileSetupFrame): |
| (JSC::JIT::compileCallEvalSlowCase): |
| (JSC::JIT::compileOpCall): |
| * jit/JITInlines.h: |
| (JSC::JIT::emitLoadTag): |
| (JSC::JIT::emitLoadPayload): |
| (JSC::JIT::emitGetVirtualRegister): |
| (JSC::JIT::emitJumpSlowCaseIfNotJSCell): |
| (JSC::JIT::getOperandConstantInt): |
| (JSC::JIT::emitGet): Deleted. |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_mov): |
| (JSC::JIT::emit_op_end): |
| (JSC::JIT::emit_op_new_object): |
| (JSC::JIT::emitSlow_op_new_object): |
| (JSC::JIT::emit_op_overrides_has_instance): |
| (JSC::JIT::emit_op_instanceof): |
| (JSC::JIT::emitSlow_op_instanceof): |
| (JSC::JIT::emitSlow_op_instanceof_custom): |
| (JSC::JIT::emit_op_is_empty): |
| (JSC::JIT::emit_op_is_undefined): |
| (JSC::JIT::emit_op_is_undefined_or_null): |
| (JSC::JIT::emit_op_is_boolean): |
| (JSC::JIT::emit_op_is_number): |
| (JSC::JIT::emit_op_is_cell_with_type): |
| (JSC::JIT::emit_op_is_object): |
| (JSC::JIT::emit_op_to_primitive): |
| (JSC::JIT::emit_op_set_function_name): |
| (JSC::JIT::emit_op_not): |
| (JSC::JIT::emit_op_jfalse): |
| (JSC::JIT::emit_op_jtrue): |
| (JSC::JIT::emit_op_jeq_null): |
| (JSC::JIT::emit_op_jneq_null): |
| (JSC::JIT::emit_op_jundefined_or_null): |
| (JSC::JIT::emit_op_jnundefined_or_null): |
| (JSC::JIT::emit_op_jneq_ptr): |
| (JSC::JIT::emit_op_eq): |
| (JSC::JIT::emitSlow_op_eq): |
| (JSC::JIT::emit_op_jeq): |
| (JSC::JIT::emit_op_neq): |
| (JSC::JIT::emitSlow_op_neq): |
| (JSC::JIT::emit_op_jneq): |
| (JSC::JIT::compileOpStrictEq): |
| (JSC::JIT::compileOpStrictEqJump): |
| (JSC::JIT::emit_op_eq_null): |
| (JSC::JIT::emit_op_neq_null): |
| (JSC::JIT::emit_op_throw): |
| (JSC::JIT::emit_op_to_number): |
| (JSC::JIT::emit_op_to_numeric): |
| (JSC::JIT::emit_op_to_string): |
| (JSC::JIT::emit_op_to_object): |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_get_parent_scope): |
| (JSC::JIT::emit_op_switch_imm): |
| (JSC::JIT::emit_op_switch_char): |
| (JSC::JIT::emit_op_switch_string): |
| (JSC::JIT::emit_op_enter): |
| (JSC::JIT::emit_op_get_scope): |
| (JSC::JIT::emit_op_create_this): |
| (JSC::JIT::emit_op_to_this): |
| (JSC::JIT::emit_op_check_tdz): |
| (JSC::JIT::emit_op_has_structure_property): |
| (JSC::JIT::emit_op_has_indexed_property): |
| (JSC::JIT::emitSlow_op_has_indexed_property): |
| (JSC::JIT::emit_op_get_direct_pname): |
| (JSC::JIT::emit_op_enumerator_structure_pname): |
| (JSC::JIT::emit_op_enumerator_generic_pname): |
| (JSC::JIT::emit_op_profile_type): |
| (JSC::JIT::emit_op_log_shadow_chicken_prologue): |
| (JSC::JIT::emit_op_log_shadow_chicken_tail): |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_put_getter_by_id): |
| (JSC::JIT::emit_op_put_setter_by_id): |
| (JSC::JIT::emit_op_put_getter_setter_by_id): |
| (JSC::JIT::emit_op_put_getter_by_val): |
| (JSC::JIT::emit_op_put_setter_by_val): |
| (JSC::JIT::emit_op_del_by_id): |
| (JSC::JIT::emit_op_del_by_val): |
| (JSC::JIT::emit_op_get_by_val): |
| (JSC::JIT::emitSlow_op_get_by_val): |
| (JSC::JIT::emit_op_put_by_val): |
| (JSC::JIT::emitGenericContiguousPutByVal): |
| (JSC::JIT::emitArrayStoragePutByVal): |
| (JSC::JIT::emitPutByValWithCachedId): |
| (JSC::JIT::emitSlow_op_put_by_val): |
| (JSC::JIT::emit_op_try_get_by_id): |
| (JSC::JIT::emitSlow_op_try_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_direct): |
| (JSC::JIT::emitSlow_op_get_by_id_direct): |
| (JSC::JIT::emit_op_get_by_id): |
| (JSC::JIT::emitSlow_op_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_with_this): |
| (JSC::JIT::emitSlow_op_get_by_id_with_this): |
| (JSC::JIT::emit_op_put_by_id): |
| (JSC::JIT::emitSlow_op_put_by_id): |
| (JSC::JIT::emit_op_in_by_id): |
| (JSC::JIT::emitSlow_op_in_by_id): |
| (JSC::JIT::emitResolveClosure): |
| (JSC::JIT::emit_op_resolve_scope): |
| (JSC::JIT::emitLoadWithStructureCheck): |
| (JSC::JIT::emitGetClosureVar): |
| (JSC::JIT::emit_op_get_from_scope): |
| (JSC::JIT::emitSlow_op_get_from_scope): |
| (JSC::JIT::emitPutGlobalVariable): |
| (JSC::JIT::emitPutGlobalVariableIndirect): |
| (JSC::JIT::emitPutClosureVar): |
| (JSC::JIT::emit_op_put_to_scope): |
| (JSC::JIT::emit_op_get_from_arguments): |
| (JSC::JIT::emit_op_put_to_arguments): |
| (JSC::JIT::emit_op_get_internal_field): |
| (JSC::JIT::emit_op_put_internal_field): |
| * jit/JSInterfaceJIT.h: |
| (JSC::JSInterfaceJIT::emitJumpIfNotJSCell): |
| (JSC::JSInterfaceJIT::emitLoadInt32): |
| (JSC::JSInterfaceJIT::emitLoadDouble): |
| |
| 2020-01-22 Caio Lima <ticaiolima@gmail.com> |
| |
| [ARMv7] Assembler is generating wrong instruction for ldr r2, [r3, #7] |
| https://bugs.webkit.org/show_bug.cgi?id=206231 |
| |
| Reviewed by Mark Lam. |
| |
| When generating code for `ldr` on ARMv7, we were encoding immediates that are not |
| multiples of 4 using Encoding T1, which only accepts multiples of 4 as |
| immediates. This patch fixes this issue and allows us to generate proper |
| code when offset immediates are not multiples of 4. |
| |
| * assembler/ARMv7Assembler.h: |
| (JSC::ARMv7Assembler::ldr): |
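The encoding choice the entry above describes, as an added example that is not WebKit's ARMv7Assembler code: Thumb encoding T1 of `ldr Rt, [Rn, #imm]` stores `imm/4` in five bits, so it can only express offsets 0..124 that are multiples of 4 (with both registers in r0-r7), while the 32-bit T3 form (`ldr.w`) takes any offset 0..4095. The function names (`encodeLdrImm`, `decodeLdrImm`, `encodeT1Unchecked`, `roundTrips`) are this example's own, and `encodeT1Unchecked` models the pre-fix selection only in the sense that it lets T1 be chosen for an offset the encoding cannot hold.

```javascript
// Added example (not WebKit code). Instructions are returned as arrays of
// 16-bit halfwords, one for T1 and two for T3.

function checkOperands(rt, rn, imm) {
  if (!Number.isInteger(rt) || rt < 0 || rt > 15) throw new RangeError('bad Rt');
  if (!Number.isInteger(rn) || rn < 0 || rn > 15) throw new RangeError('bad Rn');
  if (!Number.isInteger(imm) || imm < 0 || imm > 4095) throw new RangeError('offset out of range for ldr immediate');
}

// Encoding T1 (16-bit): 0110 1 imm5 Rn Rt, where imm32 = imm5 << 2.
// This helper does NOT check that imm is a multiple of 4; it is here only to
// show what happens when T1 is picked for an offset such as #7.
function encodeT1Unchecked(rt, rn, imm) {
  return [0x6800 | ((imm >> 2) << 6) | (rn << 3) | rt];
}

// Encoding T3 (32-bit ldr.w): hw1 = 1111 1000 1101 Rn, hw2 = Rt imm12.
function encodeT3(rt, rn, imm) {
  return [0xF8D0 | rn, (rt << 12) | imm];
}

// Fixed selection: T1 only when the offset is a multiple of 4, fits in imm5
// after dividing by 4, and both registers are low registers; otherwise T3.
function encodeLdrImm(rt, rn, imm) {
  checkOperands(rt, rn, imm);
  if (imm % 4 === 0 && imm <= 124 && rt < 8 && rn < 8) {
    return encodeT1Unchecked(rt, rn, imm);
  }
  return encodeT3(rt, rn, imm);
}

// Decode either form back to (rt, rn, imm) so the result can be checked.
function decodeLdrImm(halfwords) {
  if (halfwords.length === 1) {
    const hw = halfwords[0];
    if ((hw & 0xF800) !== 0x6800) throw new Error('not a T1 ldr');
    return { encoding: 'T1', rt: hw & 7, rn: (hw >> 3) & 7, imm: ((hw >> 6) & 0x1F) << 2 };
  }
  const [hw1, hw2] = halfwords;
  if ((hw1 & 0xFFF0) !== 0xF8D0) throw new Error('not a T3 ldr.w');
  return { encoding: 'T3', rt: hw2 >> 12, rn: hw1 & 0xF, imm: hw2 & 0xFFF };
}

// Round-trip check: the decoded instruction must load from exactly the
// requested offset. Selecting T1 for #7 fails this check (it decodes as #4),
// which is the kind of assertion that catches a wrong-encoding bug.
function roundTrips(rt, rn, imm) {
  const d = decodeLdrImm(encodeLdrImm(rt, rn, imm));
  return d.rt === rt && d.rn === rn && d.imm === imm;
}
```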
| |
| 2020-01-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Add CheckArrayOrEmpty to handle the case when hoisting CheckArray for places where input can be empty |
| https://bugs.webkit.org/show_bug.cgi?id=206571 |
| <rdar://problem/58757016> |
| |
| Reviewed by Saam Barati. |
| |
| Since we hoist CheckArray too in DFGTypeCheckHoistingPhase, we have the same problem as with CheckStructureOrEmpty: we |
| could insert CheckArray where the input can include Empty. We should have CheckArrayOrEmpty, as we have CheckStructureOrEmpty |
| for CheckStructure: CheckArrayOrEmpty accepts Empty or a cell with the specified array modes. |
| |
| * dfg/DFGAbstractInterpreter.h: |
| (JSC::DFG::AbstractInterpreter::filterArrayModes): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterArrayModes): |
| * dfg/DFGAbstractValue.cpp: |
| (JSC::DFG::AbstractValue::filterArrayModes): |
| * dfg/DFGAbstractValue.h: |
| * dfg/DFGArgumentsEliminationPhase.cpp: |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::convertCheckArrayOrEmptyToCheckArray): |
| (JSC::DFG::Node::hasArrayMode): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::checkArray): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGTypeCheckHoistingPhase.cpp: |
| (JSC::DFG::TypeCheckHoistingPhase::run): |
| * dfg/DFGValidate.cpp: |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCheckArrayOrEmpty): |
| |
| 2020-01-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Attempt to fix BytecodeIndex handling in 32bit |
| https://bugs.webkit.org/show_bug.cgi?id=206577 |
| |
| Reviewed by Keith Miller. |
| |
| This patch mechanically lists the places using Instruction* as BytecodeIndex and fixes them, |
| since 32bit also starts using an offset as BytecodeIndex. This patch also fixes several |
| places where the LLInt PB register is not handled correctly in 32bit after we started using the PB register |
| even in 32bit. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::bytecodeIndexFromCallSiteIndex): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::reifyInlinedCallFrames): |
| (JSC::DFG::adjustAndJumpToTarget): |
| * jit/JITCall32_64.cpp: |
| (JSC::JIT::compileOpCall): |
| * jit/JITInlines.h: |
| (JSC::JIT::updateTopCallFrame): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_log_shadow_chicken_tail): |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_get_by_val): |
| (JSC::JIT::emitPutByValWithCachedId): |
| (JSC::JIT::emit_op_try_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_direct): |
| (JSC::JIT::emit_op_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_with_this): |
| (JSC::JIT::emit_op_put_by_id): |
| (JSC::JIT::emit_op_in_by_id): |
| * llint/LLIntData.cpp: |
| (JSC::LLInt::Data::performAssertions): |
| * llint/LowLevelInterpreter.cpp: |
| (JSC::CLoop::execute): |
| * runtime/SamplingProfiler.cpp: |
| (JSC::tryGetBytecodeIndex): |
| (JSC::SamplingProfiler::processUnverifiedStackTraces): |
| |
| 2020-01-22 Saam Barati <sbarati@apple.com> |
| |
| Throw away baseline code if there is an optimized replacement |
| https://bugs.webkit.org/show_bug.cgi?id=202503 |
| <rdar://problem/58552041> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch's goal is to help us save JIT executable memory by throwing |
| away baseline code when it has an optimized replacement. To make it |
| easy to reason about, we do this when finalizing a GC, when the CodeBlock |
| is not on the stack, and when no OSR exits are linked to jump to the baseline |
| code. Also, as a measure to combat a performance regression, we only throw |
| away code on the second GC cycle in which it is eligible for this. |
| When we downgrade Baseline to LLInt, we also throw away all JIT data |
| and unlink all incoming calls. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::CodeBlock): |
| (JSC::CodeBlock::finishCreation): |
| (JSC::CodeBlock::finalizeUnconditionally): |
| (JSC::CodeBlock::resetJITData): |
| (JSC::CodeBlock::optimizedReplacement): |
| (JSC::CodeBlock::hasOptimizedReplacement): |
| (JSC::CodeBlock::tallyFrequentExitSites): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::setJITCode): |
| * dfg/DFGDriver.cpp: |
| (JSC::DFG::compileImpl): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::callerReturnPC): |
| (JSC::DFG::adjustAndJumpToTarget): |
| * heap/CodeBlockSet.cpp: |
| (JSC::CodeBlockSet::isCurrentlyExecuting): |
| * heap/CodeBlockSet.h: |
| * heap/Heap.cpp: |
| (JSC::Heap::finalizeUnconditionalFinalizers): |
| (JSC::Heap::runEndPhase): |
| |
| 2020-01-21 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Date parse logic should be less redundant |
| https://bugs.webkit.org/show_bug.cgi?id=206560 |
| |
| Reviewed by Darin Adler. |
| |
| Our date parsing logic is doing an excessive amount of NaN-checking; |
| let's streamline this by having one JSC-side helper function instead of two. |
| |
| * runtime/JSDateMath.cpp: |
| (JSC::parseDate): |
| (JSC::parseDateFromNullTerminatedCharacters): Deleted. |
| (JSC::parseES5DateFromNullTerminatedCharacters): Deleted. |
| |
| 2020-01-21 Rob Buis <rbuis@igalia.com> |
| |
| Add build flag for stale-while-revalidate |
| https://bugs.webkit.org/show_bug.cgi?id=204169 |
| |
| Reviewed by Youenn Fablet. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2020-01-21 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Object allocation sinking is missing PutHint for sunken allocations |
| https://bugs.webkit.org/show_bug.cgi?id=203799 |
| <rdar://problem/56852162> |
| |
| Reviewed by Saam Barati. |
| |
| Consider the following graph: |
| |
| Block #0: |
| 1: PhantomCreateActivation() |
| 2: PhantomNewFunction() |
| PutHint(@2, @1, FunctionActivationPLoc) |
| Branch(#1, #2) |
| |
| Block #1: |
| 3: MaterializeCreateActivation() |
| PutHint(@2, @3, FunctionActivationPLoc) |
| Upsilon(@3, ^5) |
| Jump(#3) |
| |
| Block #2: |
| 4: MaterializeCreateActivation() |
| PutHint(@2, @4, FunctionActivationPLoc) |
| Upsilon(@4, ^5) |
| Jump(#3) |
| |
| Block #3: |
| 5: Phi() |
| ExitOK() |
| |
| On Block #3, we need to emit a PutHint after the Phi, since we might exit after it. However, |
| object allocation sinking skipped this Phi because it was checking whether the base of the |
| location that caused us to create this Phi (@2) was live, but it's dead in the graph (there |
| are no pointers to it). The issue is that, even though there are no pointers to the base, the |
| location `PromotedHeapLocation(@2, FunctionActivationPLoc)` is still live, so we should PutHint |
| to it. We fix it by checking for liveness of the location rather than its base. |
| |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
| |
| 2020-01-21 Mark Lam <mark.lam@apple.com> |
| |
| Rename JSPromiseFields abstract heap to JSInternalFields. |
| https://bugs.webkit.org/show_bug.cgi?id=206518 |
| <rdar://problem/58751778> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This is because it is used for all internal fields, not just the ones in JSPromise. |
| |
| * dfg/DFGAbstractHeap.h: |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| |
| 2020-01-17 Sam Weinig <weinig@apple.com> |
| |
| Platform.h is out of control Part 8: Macros are used inconsistently |
| https://bugs.webkit.org/show_bug.cgi?id=206425 |
| |
| Reviewed by Darin Adler. |
| |
| * assembler/ARM64Assembler.h: |
| (JSC::ARM64Assembler::cacheFlush): |
| (JSC::ARM64Assembler::xOrSp): |
| (JSC::ARM64Assembler::xOrZr): |
| * assembler/ARM64Registers.h: |
| * assembler/ARMv7Assembler.h: |
| (JSC::ARMv7Assembler::cacheFlush): |
| * assembler/ARMv7Registers.h: |
| * assembler/AssemblerCommon.h: |
| (JSC::isDarwin): |
| * b3/air/AirCCallingConvention.cpp: |
| * jit/ExecutableAllocator.h: |
| * jit/ThunkGenerators.cpp: |
| * jsc.cpp: |
| * runtime/MathCommon.cpp: |
| Use OS(DARWIN) more consistently for Darwin-level functionality. |
| |
| * bytecode/CodeOrigin.h: |
| * runtime/JSString.h: |
| Update to use OS_CONSTANT. |
| |
| * disassembler/ARM64/A64DOpcode.cpp: |
| * disassembler/ARM64Disassembler.cpp: |
| * disassembler/UDis86Disassembler.cpp: |
| * disassembler/UDis86Disassembler.h: |
| * disassembler/X86Disassembler.cpp: |
| * disassembler/udis86/udis86.c: |
| * disassembler/udis86/udis86_decode.c: |
| * disassembler/udis86/udis86_itab_holder.c: |
| * disassembler/udis86/udis86_syn-att.c: |
| * disassembler/udis86/udis86_syn-intel.c: |
| * disassembler/udis86/udis86_syn.c: |
| * interpreter/Interpreter.cpp: |
| * interpreter/Interpreter.h: |
| * interpreter/InterpreterInlines.h: |
| (JSC::Interpreter::getOpcodeID): |
| * llint/LowLevelInterpreter.cpp: |
| * tools/SigillCrashAnalyzer.cpp: |
| Switch to using ENABLE rather than USE for features internal to WebKit. |
| |
| 2020-01-20 Gus Caplan <me@gus.host> |
| |
| Remove own toString from NativeError prototype |
| https://bugs.webkit.org/show_bug.cgi?id=204629 |
| |
| Reviewed by Ross Kirsling. |
| |
| NativeError prototypes are expected to inherit toString from |
| Error.prototype. See https://github.com/tc39/ecma262/issues/1794 |
| for additional details. |
| |
| * runtime/ErrorPrototype.cpp: |
| (JSC::ErrorPrototypeBase::ErrorPrototypeBase): |
| (JSC::ErrorPrototypeBase::finishCreation): |
| (JSC::ErrorPrototype::ErrorPrototype): |
| (JSC::ErrorPrototype::create): Deleted. |
| (JSC::ErrorPrototype::finishCreation): Deleted. |
| * runtime/ErrorPrototype.h: |
| (JSC::ErrorPrototype::createStructure): Deleted. |
| * runtime/NativeErrorPrototype.cpp: |
| (JSC::NativeErrorPrototype::NativeErrorPrototype): |
| * runtime/NativeErrorPrototype.h: |
| |
| 2020-01-20 David Kilzer <ddkilzer@apple.com> |
| |
| Fix missing header guards and clean up empty files in bmalloc, WTF, JavaScriptCore |
| <https://webkit.org/b/206481> |
| |
| Reviewed by Darin Adler. |
| |
| * dfg/DFGPrePostNumbering.cpp: Remove empty file. |
| * dfg/DFGPrePostNumbering.h: Remove empty file. |
| * runtime/OptionEntry.h: Remove empty file. |
| |
| * API/JSCallbackObjectFunctions.h: |
| * b3/testb3.h: |
| * heap/IsoInlinedHeapCellType.h: |
| * wasm/WasmGeneratorTraits.h: |
| - Add #pragma once. |
| |
| 2020-01-18 Caitlin Potter <caitp@igalia.com> |
| |
| [JSC] add DFG/FTL support for op_to_property_key |
| https://bugs.webkit.org/show_bug.cgi?id=206368 |
| |
| Reviewed by Saam Barati. |
| |
| Implement DFG/FTL support for the op_to_property_key opcode. This operates |
| similarly to the LLInt and baseline JIT implementations, in which we avoid invoking |
| the full ToPropertyKey operation if the source operand is already a String or |
| Symbol at runtime. |
| |
| If DFG/FTL are confident the value will be a String or Symbol at compile time, |
| the operation is omitted entirely in the final graph. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::convertToToString): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileToPrimitive): |
| (JSC::DFG::SpeculativeJIT::compileToPropertyKey): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToPropertyKey): |
| |
| 2020-01-17 Saam Barati <sbarati@apple.com> |
| |
| Air O0 should have better stack allocation |
| https://bugs.webkit.org/show_bug.cgi?id=206436 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| This patch adds a simple stack slot allocator to Air O0 to make code |
| use smaller stack frames. The huge stack frames from the old stack |
| allocator were leading to stack overflows in some programs. Before, |
| each Tmp got its own stack slot. The new allocator works similarly to O0's |
| register allocator. This stack allocator linearizes the program and uses live |
| range end as an opportunity to place the stack slot on a free list of |
| available stack slots. This patch also fixes an issue in our linearization code |
| where the head of a block and the tail of another block would share the |
| same linearization index. This didn't matter for register allocation, but |
| does matter for the stack allocator. So "live at head" and "live at tail" |
| now get their own linearization index. |
| |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: |
| (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges): |
| (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration): |
| (JSC::B3::Air::GenerateAndAllocateRegisters::generate): |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: |
| * b3/air/AirLiveness.h: |
| |
| 2020-01-17 David Kilzer <ddkilzer@apple.com> |
| |
| [JSC] Add missing header guards |
| <https://webkit.org/b/206448> |
| |
| Reviewed by Mark Lam. |
| |
| * heap/IsoHeapCellType.h: |
| * wasm/WasmFaultSignalHandler.h: |
| - Add #pragma once header guard. |
| |
| 2020-01-17 Mark Lam <mark.lam@apple.com> |
| |
| JSModuleLoader's printableModuleKey() should never throw. |
| https://bugs.webkit.org/show_bug.cgi?id=206461 |
| <rdar://problem/58696678> |
| |
| Reviewed by Michael Saboff. |
| |
| Hence, it should be using a CatchScope instead of a ThrowScope. |
| |
| * runtime/JSModuleLoader.cpp: |
| (JSC::printableModuleKey): |
| |
| 2020-01-17 Justin Michaud <justin_michaud@apple.com> |
| |
| Separate storage of Structure::m_offset into transition and max offset |
| https://bugs.webkit.org/show_bug.cgi?id=206365 |
| |
| Reviewed by Saam Barati. |
| |
| Right now, deleteProperty/removePropertyTransition causes a structure transition to uncacheable dictionary. Other transitions |
| assume that the transition offset (m_offset) is monotonically increasing. In order to support structure transitions for deletion that |
| do not involve turning into a dictionary (<https://bugs.webkit.org/show_bug.cgi?id=206430>), we first need to separate the transition |
| offset (the offset of the property that was added/deleted) from the maximum offset. |
| |
| For example, suppose we have the following operations: |
| Structure 1 (pinned property table, transitionOffset = _, maxOffset = 2): x y z (delete y, assuming that deletion transitions have been added) |
| Structure 2 (transitionOffset = 1, maxOffset = 2): x _ z (add w) |
| Structure 3 (transitionOffset = 1, maxOffset = 2): x w z |
| |
| Note that without splitting the two, Structures 2/3 would be impossible to represent. |
| |
| This change: |
| |
| We split the existing Structure::m_offset into two 16-bit fields, transitionOffset and maxOffset, and put them in 32-bit rare data fields if they overflow. We also rename _inPrevious fields to |
| transition_ and lastOffset to maxOffset to make the code more clear. |
| |
| * runtime/ClonedArguments.cpp: |
| (JSC::ClonedArguments::createStructure): |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties): |
| (JSC::JSObject::visitButterflyImpl): |
| * runtime/JSObject.h: |
| * runtime/JSObjectInlines.h: |
| (JSC::JSObject::prepareToPutDirectWithoutTransition): |
| * runtime/ObjectInitializationScope.cpp: |
| (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized): |
| * runtime/PropertyOffset.h: |
| (JSC::numberOfOutOfLineSlotsForMaxOffset): |
| (JSC::numberOfSlotsForMaxOffset): |
| (JSC::numberOfOutOfLineSlotsForLastOffset): Deleted. |
| (JSC::numberOfSlotsForLastOffset): Deleted. |
| * runtime/Structure.cpp: |
| (JSC::StructureTransitionTable::contains const): |
| (JSC::StructureTransitionTable::get const): |
| (JSC::StructureTransitionTable::add): |
| (JSC::Structure::Structure): |
| (JSC::Structure::create): |
| (JSC::Structure::materializePropertyTable): |
| (JSC::Structure::addPropertyTransitionToExistingStructureImpl): |
| (JSC::Structure::addNewPropertyTransition): |
| (JSC::Structure::changePrototypeTransition): |
| (JSC::Structure::attributeChangeTransition): |
| (JSC::Structure::toDictionaryTransition): |
| (JSC::Structure::nonPropertyTransitionSlow): |
| (JSC::Structure::flattenDictionaryStructure): |
| (JSC::Structure::pin): |
| (JSC::Structure::pinForCaching): |
| (JSC::Structure::add): |
| * runtime/Structure.h: |
| * runtime/StructureInlines.h: |
| (JSC::Structure::forEachPropertyConcurrently): |
| (JSC::Structure::checkOffsetConsistency const): |
| (JSC::Structure::add): |
| * runtime/StructureRareData.cpp: |
| (JSC::StructureRareData::StructureRareData): |
| * runtime/StructureRareData.h: |
| |
| 2020-01-17 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| JSON.parse should lookup prototype chains during revival |
| https://bugs.webkit.org/show_bug.cgi?id=205769 |
| |
| Reviewed by Saam Barati. |
| |
| This patch makes JSON.parse use [[Get]] instead of [[GetOwnProperty]] during revival, |
| aligning JSC with the spec (step 1 of https://tc39.es/ecma262/#sec-internalizejsonproperty), |
| SpiderMonkey, and V8. |
| |
| A user-provided `reviver` can delete properties that have not yet been inspected, |
| making use of [[GetOwnProperty]] non-compliant with the spec. |
| |
| * runtime/JSONObject.cpp: |
| (JSC::Walker::walk): |
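The [[Get]] versus [[GetOwnProperty]] difference the entry above describes, as an added example that is not JSC's Walker code: a small model of the spec's InternalizeJSONProperty, parameterised on how the holder's property is read, run against a reviver that deletes a not-yet-visited own property and makes it inherited instead. The names `internalize`, `parseWithReviver`, `sneakyReviver` and `demo` are this example's own.

```javascript
// Added example (not JSC code). Models https://tc39.es/ecma262/#sec-internalizejsonproperty
// with one switch: read the holder via [[Get]] (prototype chain, what the spec
// requires) or via [[GetOwnProperty]] (own properties only, the old JSC behaviour).

function readProperty(holder, name, useGet) {
  if (useGet) return holder[name];
  const desc = Object.getOwnPropertyDescriptor(holder, name);
  return desc === undefined ? undefined : desc.value;
}

// Walk the parsed value bottom-up, calling the reviver on every property.
function internalize(holder, name, reviver, useGet) {
  const val = readProperty(holder, name, useGet);
  if (val !== null && typeof val === 'object') {
    // Spec: the key list is computed once, before the reviver can mutate val.
    const keys = Array.isArray(val)
      ? Array.from({ length: val.length }, (_, i) => String(i))
      : Object.keys(val);
    for (const key of keys) {
      const newElement = internalize(val, key, reviver, useGet);
      if (newElement === undefined) {
        delete val[key];
      } else {
        // CreateDataProperty: always an own, writable, enumerable data property.
        Object.defineProperty(val, key, {
          value: newElement, writable: true, enumerable: true, configurable: true,
        });
      }
    }
  }
  return reviver.call(holder, name, val);
}

function parseWithReviver(text, reviver, useGet) {
  const root = { '': JSON.parse(text) };  // the spec's synthetic root holder
  return internalize(root, '', reviver, useGet);
}

// While visiting "a", delete the not-yet-visited own property "b" and supply
// it through the prototype chain instead. Per spec the walker must still see
// "b" (via [[Get]]) and hand its inherited value to the reviver.
function sneakyReviver(key, value) {
  if (key === 'a') {
    delete this.b;
    Object.setPrototypeOf(this, { b: 'inherited' });
  }
  return value;
}

// Returns what ends up as the own property "b" of the result, or a marker
// when the walker never re-created it.
function demo(useGet) {
  const result = parseWithReviver('{"a":1,"b":2}', sneakyReviver, useGet);
  return Object.prototype.hasOwnProperty.call(result, 'b') ? result.b : '<no own b>';
}

// For comparison with the engine this runs on: the built-in JSON.parse with
// the same reviver. A spec-compliant engine behaves like demo(true).
function nativeDemo() {
  const result = JSON.parse('{"a":1,"b":2}', sneakyReviver);
  return Object.prototype.hasOwnProperty.call(result, 'b') ? result.b : '<no own b>';
}
```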
| |
| 2020-01-17 Caio Lima <ticaiolima@gmail.com> |
| |
| Bytecode checkpoints break 32bit tests |
| https://bugs.webkit.org/show_bug.cgi?id=206404 |
| |
| Unreviewed. |
| |
| * llint/LowLevelInterpreter32_64.asm: |
| |
| Reverting the change introduced by r254735 that makes 32-bit code crash |
| when calling into the LLInt slow path. |
| |
| 2020-01-16 Robin Morisset <rmorisset@apple.com> |
| |
| [ESNext] Enables a way to throw an error on ByteCodeGenerator step |
| https://bugs.webkit.org/show_bug.cgi?id=180139 |
| |
| Reviewed by Mark Lam. |
| |
| This is a minimal fix that only deals with overly huge BigInts. |
| A more thorough solution is rather low priority (since it has neither security nor performance impact). |
| |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::addBigIntConstant): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::ConstantNode::emitBytecode): |
| * runtime/JSBigInt.cpp: |
| (JSC::JSBigInt::parseInt): |
| |
| 2020-01-16 Keith Miller <keith_miller@apple.com> |
| |
| Reland bytecode checkpoints since bugs have been fixed |
| https://bugs.webkit.org/show_bug.cgi?id=206361 |
| |
| Unreviewed, reland. |
| |
| The watch bugs have been fixed by https://trac.webkit.org/changeset/254674 |
| |
| * CMakeLists.txt: |
| * DerivedSources-input.xcfilelist: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * assembler/MacroAssemblerCodeRef.h: |
| * assembler/ProbeFrame.h: |
| (JSC::Probe::Frame::operand): |
| (JSC::Probe::Frame::setOperand): |
| * b3/testb3.h: |
| (populateWithInterestingValues): |
| (floatingPointOperands): |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateImpl): |
| * bytecode/AccessCaseSnippetParams.cpp: |
| (JSC::SlowPathCallGeneratorWithArguments::generateImpl): |
| * bytecode/BytecodeDumper.cpp: |
| (JSC::BytecodeDumperBase::dumpValue): |
| (JSC::BytecodeDumper<Block>::registerName const): |
| (JSC::BytecodeDumper<Block>::constantName const): |
| (JSC::Wasm::BytecodeDumper::constantName const): |
| * bytecode/BytecodeDumper.h: |
| * bytecode/BytecodeIndex.cpp: |
| (JSC::BytecodeIndex::dump const): |
| * bytecode/BytecodeIndex.h: |
| (JSC::BytecodeIndex::BytecodeIndex): |
| (JSC::BytecodeIndex::offset const): |
| (JSC::BytecodeIndex::checkpoint const): |
| (JSC::BytecodeIndex::asBits const): |
| (JSC::BytecodeIndex::hash const): |
| (JSC::BytecodeIndex::operator bool const): |
| (JSC::BytecodeIndex::pack): |
| (JSC::BytecodeIndex::fromBits): |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeLivenessAnalysis.cpp: |
| (JSC::enumValuesEqualAsIntegral): |
| (JSC::tmpLivenessForCheckpoint): |
| * bytecode/BytecodeLivenessAnalysis.h: |
| * bytecode/BytecodeLivenessAnalysisInlines.h: |
| (JSC::virtualRegisterIsAlwaysLive): |
| (JSC::virtualRegisterThatIsNotAlwaysLiveIsLive): |
| (JSC::virtualRegisterIsLive): |
| (JSC::operandIsAlwaysLive): Deleted. |
| (JSC::operandThatIsNotAlwaysLiveIsLive): Deleted. |
| (JSC::operandIsLive): Deleted. |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| (JSC::CodeBlock::bytecodeIndexForExit const): |
| (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow): |
| (JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::numTmps const): |
| (JSC::CodeBlock::isKnownNotImmediate): |
| (JSC::CodeBlock::isTemporaryRegister): |
| (JSC::CodeBlock::constantRegister): |
| (JSC::CodeBlock::getConstant const): |
| (JSC::CodeBlock::constantSourceCodeRepresentation const): |
| (JSC::CodeBlock::replaceConstant): |
| (JSC::CodeBlock::isTemporaryRegisterIndex): Deleted. |
| (JSC::CodeBlock::isConstantRegisterIndex): Deleted. |
| * bytecode/CodeOrigin.h: |
| * bytecode/FullBytecodeLiveness.h: |
| (JSC::FullBytecodeLiveness::virtualRegisterIsLive const): |
| (JSC::FullBytecodeLiveness::operandIsLive const): Deleted. |
| * bytecode/InlineCallFrame.h: |
| (JSC::InlineCallFrame::InlineCallFrame): |
| (JSC::InlineCallFrame::setTmpOffset): |
| (JSC::CodeOrigin::walkUpInlineStack const): |
| (JSC::CodeOrigin::inlineStackContainsActiveCheckpoint const): |
| (JSC::remapOperand): |
| (JSC::unmapOperand): |
| (JSC::CodeOrigin::walkUpInlineStack): Deleted. |
| * bytecode/LazyOperandValueProfile.h: |
| (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey): |
| (JSC::LazyOperandValueProfileKey::hash const): |
| (JSC::LazyOperandValueProfileKey::operand const): |
| * bytecode/MethodOfGettingAValueProfile.cpp: |
| (JSC::MethodOfGettingAValueProfile::fromLazyOperand): |
| (JSC::MethodOfGettingAValueProfile::emitReportValue const): |
| (JSC::MethodOfGettingAValueProfile::reportValue): |
| * bytecode/MethodOfGettingAValueProfile.h: |
| * bytecode/Operands.h: |
| (JSC::Operand::Operand): |
| (JSC::Operand::tmp): |
| (JSC::Operand::kind const): |
| (JSC::Operand::value const): |
| (JSC::Operand::virtualRegister const): |
| (JSC::Operand::asBits const): |
| (JSC::Operand::isTmp const): |
| (JSC::Operand::isArgument const): |
| (JSC::Operand::isLocal const): |
| (JSC::Operand::isHeader const): |
| (JSC::Operand::isConstant const): |
| (JSC::Operand::toArgument const): |
| (JSC::Operand::toLocal const): |
| (JSC::Operand::operator== const): |
| (JSC::Operand::isValid const): |
| (JSC::Operand::fromBits): |
| (JSC::Operands::Operands): |
| (JSC::Operands::numberOfLocals const): |
| (JSC::Operands::numberOfTmps const): |
| (JSC::Operands::tmpIndex const): |
| (JSC::Operands::argumentIndex const): |
| (JSC::Operands::localIndex const): |
| (JSC::Operands::tmp): |
| (JSC::Operands::tmp const): |
| (JSC::Operands::argument): |
| (JSC::Operands::argument const): |
| (JSC::Operands::local): |
| (JSC::Operands::local const): |
| (JSC::Operands::sizeFor const): |
| (JSC::Operands::atFor): |
| (JSC::Operands::atFor const): |
| (JSC::Operands::ensureLocals): |
| (JSC::Operands::ensureTmps): |
| (JSC::Operands::getForOperandIndex): |
| (JSC::Operands::getForOperandIndex const): |
| (JSC::Operands::operandIndex const): |
| (JSC::Operands::operand): |
| (JSC::Operands::operand const): |
| (JSC::Operands::hasOperand const): |
| (JSC::Operands::setOperand): |
| (JSC::Operands::at const): |
| (JSC::Operands::at): |
| (JSC::Operands::operator[] const): |
| (JSC::Operands::operator[]): |
| (JSC::Operands::operandForIndex const): |
| (JSC::Operands::operator== const): |
| (JSC::Operands::isArgument const): Deleted. |
| (JSC::Operands::isLocal const): Deleted. |
| (JSC::Operands::virtualRegisterForIndex const): Deleted. |
| (JSC::Operands::setOperandFirstTime): Deleted. |
| * bytecode/OperandsInlines.h: |
| (JSC::Operand::dump const): |
| (JSC::Operands<T>::dumpInContext const): |
| (JSC::Operands<T>::dump const): |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::hasCheckpoints const): |
| (JSC::UnlinkedCodeBlock::setHasCheckpoints): |
| (JSC::UnlinkedCodeBlock::constantRegister const): |
| (JSC::UnlinkedCodeBlock::getConstant const): |
| (JSC::UnlinkedCodeBlock::isConstantRegisterIndex const): Deleted. |
| * bytecode/ValueProfile.h: |
| (JSC::ValueProfileAndVirtualRegisterBuffer::ValueProfileAndVirtualRegisterBuffer): |
| (JSC::ValueProfileAndVirtualRegisterBuffer::~ValueProfileAndVirtualRegisterBuffer): |
| (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer): Deleted. |
| (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer): Deleted. |
| (JSC::ValueProfileAndOperandBuffer::forEach): Deleted. |
| * bytecode/ValueRecovery.cpp: |
| (JSC::ValueRecovery::recover const): |
| * bytecode/ValueRecovery.h: |
| * bytecode/VirtualRegister.h: |
| (JSC::virtualRegisterIsLocal): |
| (JSC::virtualRegisterIsArgument): |
| (JSC::VirtualRegister::VirtualRegister): |
| (JSC::VirtualRegister::isValid const): |
| (JSC::VirtualRegister::isLocal const): |
| (JSC::VirtualRegister::isArgument const): |
| (JSC::VirtualRegister::isConstant const): |
| (JSC::VirtualRegister::toConstantIndex const): |
| (JSC::operandIsLocal): Deleted. |
| (JSC::operandIsArgument): Deleted. |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::initializeNextParameter): |
| (JSC::BytecodeGenerator::initializeParameters): |
| (JSC::BytecodeGenerator::emitEqualityOpImpl): |
| (JSC::BytecodeGenerator::emitCallVarargs): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::setUsesCheckpoints): |
| * bytecompiler/RegisterID.h: |
| (JSC::RegisterID::setIndex): |
| * dfg/DFGAbstractHeap.cpp: |
| (JSC::DFG::AbstractHeap::Payload::dumpAsOperand const): |
| (JSC::DFG::AbstractHeap::dump const): |
| * dfg/DFGAbstractHeap.h: |
| (JSC::DFG::AbstractHeap::Payload::Payload): |
| (JSC::DFG::AbstractHeap::AbstractHeap): |
| (JSC::DFG::AbstractHeap::operand const): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGArgumentPosition.h: |
| (JSC::DFG::ArgumentPosition::dump): |
| * dfg/DFGArgumentsEliminationPhase.cpp: |
| * dfg/DFGArgumentsUtilities.cpp: |
| (JSC::DFG::argumentsInvolveStackSlot): |
| (JSC::DFG::emitCodeToGetArgumentsArrayLength): |
| * dfg/DFGArgumentsUtilities.h: |
| * dfg/DFGAtTailAbstractState.h: |
| (JSC::DFG::AtTailAbstractState::operand): |
| * dfg/DFGAvailabilityMap.cpp: |
| (JSC::DFG::AvailabilityMap::pruneByLiveness): |
| * dfg/DFGAvailabilityMap.h: |
| (JSC::DFG::AvailabilityMap::closeStartingWithLocal): |
| * dfg/DFGBasicBlock.cpp: |
| (JSC::DFG::BasicBlock::BasicBlock): |
| (JSC::DFG::BasicBlock::ensureTmps): |
| * dfg/DFGBasicBlock.h: |
| * dfg/DFGBlockInsertionSet.cpp: |
| (JSC::DFG::BlockInsertionSet::insert): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::ByteCodeParser): |
| (JSC::DFG::ByteCodeParser::ensureTmps): |
| (JSC::DFG::ByteCodeParser::progressToNextCheckpoint): |
| (JSC::DFG::ByteCodeParser::newVariableAccessData): |
| (JSC::DFG::ByteCodeParser::getDirect): |
| (JSC::DFG::ByteCodeParser::get): |
| (JSC::DFG::ByteCodeParser::setDirect): |
| (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation): |
| (JSC::DFG::ByteCodeParser::getLocalOrTmp): |
| (JSC::DFG::ByteCodeParser::setLocalOrTmp): |
| (JSC::DFG::ByteCodeParser::setArgument): |
| (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal): |
| (JSC::DFG::ByteCodeParser::findArgumentPosition): |
| (JSC::DFG::ByteCodeParser::flushImpl): |
| (JSC::DFG::ByteCodeParser::flushForTerminalImpl): |
| (JSC::DFG::ByteCodeParser::flush): |
| (JSC::DFG::ByteCodeParser::flushDirect): |
| (JSC::DFG::ByteCodeParser::addFlushOrPhantomLocal): |
| (JSC::DFG::ByteCodeParser::phantomLocalDirect): |
| (JSC::DFG::ByteCodeParser::flushForTerminal): |
| (JSC::DFG::ByteCodeParser::addToGraph): |
| (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand const): |
| (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): |
| (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute): |
| (JSC::DFG::ByteCodeParser::allocateTargetableBlock): |
| (JSC::DFG::ByteCodeParser::allocateUntargetableBlock): |
| (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): |
| (JSC::DFG::ByteCodeParser::inlineCall): |
| (JSC::DFG::ByteCodeParser::handleVarargsInlining): |
| (JSC::DFG::ByteCodeParser::handleInlining): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): |
| (JSC::DFG::ByteCodeParser::parse): |
| (JSC::DFG::ByteCodeParser::getLocal): Deleted. |
| (JSC::DFG::ByteCodeParser::setLocal): Deleted. |
| * dfg/DFGCFAPhase.cpp: |
| (JSC::DFG::CFAPhase::injectOSR): |
| * dfg/DFGCPSRethreadingPhase.cpp: |
| (JSC::DFG::CPSRethreadingPhase::run): |
| (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal): |
| (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor): |
| (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal): |
| (JSC::DFG::CPSRethreadingPhase::canonicalizeSet): |
| (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock): |
| (JSC::DFG::CPSRethreadingPhase::propagatePhis): |
| (JSC::DFG::CPSRethreadingPhase::phiStackFor): |
| * dfg/DFGCSEPhase.cpp: |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGCombinedLiveness.cpp: |
| (JSC::DFG::addBytecodeLiveness): |
| * dfg/DFGCommonData.cpp: |
| (JSC::DFG::CommonData::addCodeOrigin): |
| (JSC::DFG::CommonData::addUniqueCallSiteIndex): |
| (JSC::DFG::CommonData::lastCallSite const): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGDriver.cpp: |
| (JSC::DFG::compileImpl): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGForAllKills.h: |
| (JSC::DFG::forAllKilledOperands): |
| (JSC::DFG::forAllKilledNodesAtNodeIndex): |
| (JSC::DFG::forAllKillsInBlock): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| (JSC::DFG::Graph::dumpBlockHeader): |
| (JSC::DFG::Graph::substituteGetLocal): |
| (JSC::DFG::Graph::isLiveInBytecode): |
| (JSC::DFG::Graph::localsAndTmpsLiveInBytecode): |
| (JSC::DFG::Graph::methodOfGettingAValueProfileFor): |
| (JSC::DFG::Graph::localsLiveInBytecode): Deleted. |
| * dfg/DFGGraph.h: |
| (JSC::DFG::Graph::forAllLocalsAndTmpsLiveInBytecode): |
| (JSC::DFG::Graph::forAllLiveInBytecode): |
| (JSC::DFG::Graph::forAllLocalsLiveInBytecode): Deleted. |
| * dfg/DFGInPlaceAbstractState.cpp: |
| (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState): |
| * dfg/DFGInPlaceAbstractState.h: |
| (JSC::DFG::InPlaceAbstractState::operand): |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::linkOSRExits): |
| (JSC::DFG::JITCompiler::noticeOSREntry): |
| * dfg/DFGJITCompiler.h: |
| (JSC::DFG::JITCompiler::emitStoreCallSiteIndex): |
| * dfg/DFGLiveCatchVariablePreservationPhase.cpp: |
| (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation): |
| (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch): |
| (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData): |
| * dfg/DFGMovHintRemovalPhase.cpp: |
| * dfg/DFGNode.h: |
| (JSC::DFG::StackAccessData::StackAccessData): |
| (JSC::DFG::Node::hasArgumentsChild): |
| (JSC::DFG::Node::argumentsChild): |
| (JSC::DFG::Node::operand): |
| (JSC::DFG::Node::hasUnlinkedOperand): |
| (JSC::DFG::Node::unlinkedOperand): |
| (JSC::DFG::Node::hasLoadVarargsData): |
| (JSC::DFG::Node::local): Deleted. |
| (JSC::DFG::Node::hasUnlinkedLocal): Deleted. |
| (JSC::DFG::Node::unlinkedLocal): Deleted. |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: |
| (JSC::DFG::OSRAvailabilityAnalysisPhase::run): |
| (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode): |
| * dfg/DFGOSREntry.cpp: |
| (JSC::DFG::prepareOSREntry): |
| (JSC::DFG::prepareCatchOSREntry): |
| * dfg/DFGOSREntrypointCreationPhase.cpp: |
| (JSC::DFG::OSREntrypointCreationPhase::run): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::emitRestoreArguments): |
| (JSC::DFG::OSRExit::compileExit): |
| (JSC::DFG::jsValueFor): Deleted. |
| (JSC::DFG::restoreCalleeSavesFor): Deleted. |
| (JSC::DFG::saveCalleeSavesFor): Deleted. |
| (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted. |
| (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted. |
| (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted. |
| (JSC::DFG::createDirectArgumentsDuringExit): Deleted. |
| (JSC::DFG::createClonedArgumentsDuringExit): Deleted. |
| (JSC::DFG::emitRestoreArguments): Deleted. |
| (JSC::DFG::OSRExit::executeOSRExit): Deleted. |
| (JSC::DFG::reifyInlinedCallFrames): Deleted. |
| (JSC::DFG::adjustAndJumpToTarget): Deleted. |
| (JSC::DFG::printOSRExit): Deleted. |
| * dfg/DFGOSRExit.h: |
| * dfg/DFGOSRExitBase.h: |
| (JSC::DFG::OSRExitBase::isExitingToCheckpointHandler const): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::callerReturnPC): |
| (JSC::DFG::reifyInlinedCallFrames): |
| (JSC::DFG::adjustAndJumpToTarget): |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
| * dfg/DFGOpInfo.h: |
| (JSC::DFG::OpInfo::OpInfo): |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGPhantomInsertionPhase.cpp: |
| * dfg/DFGPreciseLocalClobberize.h: |
| (JSC::DFG::PreciseLocalClobberizeAdaptor::read): |
| (JSC::DFG::PreciseLocalClobberizeAdaptor::write): |
| (JSC::DFG::PreciseLocalClobberizeAdaptor::def): |
| (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate): |
| * dfg/DFGPredictionInjectionPhase.cpp: |
| (JSC::DFG::PredictionInjectionPhase::run): |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGPutStackSinkingPhase.cpp: |
| * dfg/DFGSSAConversionPhase.cpp: |
| (JSC::DFG::SSAConversionPhase::run): |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileMovHint): |
| (JSC::DFG::SpeculativeJIT::compileCurrentBlock): |
| (JSC::DFG::SpeculativeJIT::checkArgumentTypes): |
| (JSC::DFG::SpeculativeJIT::compileVarargsLength): |
| (JSC::DFG::SpeculativeJIT::compileLoadVarargs): |
| (JSC::DFG::SpeculativeJIT::compileForwardVarargs): |
| (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): |
| (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis): |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::recordSetLocal): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStackLayoutPhase.cpp: |
| (JSC::DFG::StackLayoutPhase::run): |
| (JSC::DFG::StackLayoutPhase::assign): |
| * dfg/DFGStrengthReductionPhase.cpp: |
| (JSC::DFG::StrengthReductionPhase::handleNode): |
| * dfg/DFGThunks.cpp: |
| (JSC::DFG::osrExitThunkGenerator): Deleted. |
| * dfg/DFGThunks.h: |
| * dfg/DFGTypeCheckHoistingPhase.cpp: |
| (JSC::DFG::TypeCheckHoistingPhase::run): |
| (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries): |
| * dfg/DFGValidate.cpp: |
| * dfg/DFGVarargsForwardingPhase.cpp: |
| * dfg/DFGVariableAccessData.cpp: |
| (JSC::DFG::VariableAccessData::VariableAccessData): |
| (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): |
| (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): |
| (JSC::DFG::VariableAccessData::couldRepresentInt52Impl): |
| * dfg/DFGVariableAccessData.h: |
| (JSC::DFG::VariableAccessData::operand): |
| (JSC::DFG::VariableAccessData::local): Deleted. |
| * dfg/DFGVariableEvent.cpp: |
| (JSC::DFG::VariableEvent::dump const): |
| * dfg/DFGVariableEvent.h: |
| (JSC::DFG::VariableEvent::spill): |
| (JSC::DFG::VariableEvent::setLocal): |
| (JSC::DFG::VariableEvent::movHint): |
| (JSC::DFG::VariableEvent::spillRegister const): |
| (JSC::DFG::VariableEvent::operand const): |
| (JSC::DFG::VariableEvent::bytecodeRegister const): Deleted. |
| * dfg/DFGVariableEventStream.cpp: |
| (JSC::DFG::VariableEventStream::logEvent): |
| (JSC::DFG::VariableEventStream::reconstruct const): |
| * dfg/DFGVariableEventStream.h: |
| (JSC::DFG::VariableEventStream::appendAndLog): |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLForOSREntryJITCode.cpp: |
| (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::lower): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileExtractOSREntryLocal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetStack): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetCallee): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileVarargsLength): |
| (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::getSpreadLengthFromInlineCallFrame): |
| (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue): |
| (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength): |
| (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee): |
| (JSC::FTL::DFG::LowerDFGToB3::callPreflight): |
| (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor): |
| (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments): |
| (JSC::FTL::DFG::LowerDFGToB3::addressFor): |
| (JSC::FTL::DFG::LowerDFGToB3::payloadFor): |
| (JSC::FTL::DFG::LowerDFGToB3::tagFor): |
| * ftl/FTLOSREntry.cpp: |
| (JSC::FTL::prepareOSREntry): |
| * ftl/FTLOSRExit.cpp: |
| (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor): |
| * ftl/FTLOSRExit.h: |
| * ftl/FTLOSRExitCompiler.cpp: |
| (JSC::FTL::compileStub): |
| * ftl/FTLOperations.cpp: |
| (JSC::FTL::operationMaterializeObjectInOSR): |
| * ftl/FTLOutput.cpp: |
| (JSC::FTL::Output::select): |
| * ftl/FTLOutput.h: |
| * ftl/FTLSelectPredictability.h: Copied from Source/JavaScriptCore/ftl/FTLForOSREntryJITCode.cpp. |
| * ftl/FTLSlowPathCall.h: |
| (JSC::FTL::callOperation): |
| * generator/Checkpoints.rb: Added. |
| * generator/Opcode.rb: |
| * generator/Section.rb: |
| * heap/Heap.cpp: |
| (JSC::Heap::gatherScratchBufferRoots): |
| * interpreter/CallFrame.cpp: |
| (JSC::CallFrame::callSiteAsRawBits const): |
| (JSC::CallFrame::unsafeCallSiteAsRawBits const): |
| (JSC::CallFrame::callSiteIndex const): |
| (JSC::CallFrame::unsafeCallSiteIndex const): |
| (JSC::CallFrame::setCurrentVPC): |
| (JSC::CallFrame::bytecodeIndex): |
| (JSC::CallFrame::codeOrigin): |
| * interpreter/CallFrame.h: |
| (JSC::CallSiteIndex::CallSiteIndex): |
| (JSC::CallSiteIndex::operator bool const): |
| (JSC::CallSiteIndex::operator== const): |
| (JSC::CallSiteIndex::bits const): |
| (JSC::CallSiteIndex::fromBits): |
| (JSC::CallSiteIndex::bytecodeIndex const): |
| (JSC::DisposableCallSiteIndex::DisposableCallSiteIndex): |
| (JSC::CallFrame::callee const): |
| (JSC::CallFrame::unsafeCallee const): |
| (JSC::CallFrame::addressOfCodeBlock const): |
| (JSC::CallFrame::argumentCountIncludingThis const): |
| (JSC::CallFrame::offsetFor): |
| (JSC::CallFrame::setArgumentCountIncludingThis): |
| (JSC::CallFrame::setReturnPC): |
| * interpreter/CallFrameInlines.h: |
| (JSC::CallFrame::r): |
| (JSC::CallFrame::uncheckedR): |
| (JSC::CallFrame::guaranteedJSValueCallee const): |
| (JSC::CallFrame::jsCallee const): |
| (JSC::CallFrame::codeBlock const): |
| (JSC::CallFrame::unsafeCodeBlock const): |
| (JSC::CallFrame::setCallee): |
| (JSC::CallFrame::setCodeBlock): |
| * interpreter/CheckpointOSRExitSideState.h: Copied from Source/JavaScriptCore/dfg/DFGThunks.h. |
| * interpreter/Interpreter.cpp: |
| (JSC::eval): |
| (JSC::sizeOfVarargs): |
| (JSC::loadVarargs): |
| (JSC::setupVarargsFrame): |
| (JSC::UnwindFunctor::operator() const): |
| (JSC::Interpreter::executeCall): |
| (JSC::Interpreter::executeConstruct): |
| * interpreter/Interpreter.h: |
| * interpreter/StackVisitor.cpp: |
| (JSC::StackVisitor::readInlinedFrame): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr): |
| (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32): |
| (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64): |
| (JSC::AssemblyHelpers::emitPutToCallFrameHeader): |
| (JSC::AssemblyHelpers::emitPutToCallFrameHeaderBeforePrologue): |
| (JSC::AssemblyHelpers::emitPutPayloadToCallFrameHeaderBeforePrologue): |
| (JSC::AssemblyHelpers::emitPutTagToCallFrameHeaderBeforePrologue): |
| (JSC::AssemblyHelpers::addressFor): |
| (JSC::AssemblyHelpers::tagFor): |
| (JSC::AssemblyHelpers::payloadFor): |
| (JSC::AssemblyHelpers::calleeFrameSlot): |
| (JSC::AssemblyHelpers::calleeArgumentSlot): |
| (JSC::AssemblyHelpers::calleeFrameTagSlot): |
| (JSC::AssemblyHelpers::calleeFramePayloadSlot): |
| (JSC::AssemblyHelpers::calleeFrameCallerFrame): |
| (JSC::AssemblyHelpers::argumentCount): |
| * jit/CallFrameShuffler.cpp: |
| (JSC::CallFrameShuffler::CallFrameShuffler): |
| * jit/CallFrameShuffler.h: |
| (JSC::CallFrameShuffler::setCalleeJSValueRegs): |
| (JSC::CallFrameShuffler::assumeCalleeIsCell): |
| * jit/JIT.h: |
| * jit/JITArithmetic.cpp: |
| (JSC::JIT::emit_op_unsigned): |
| (JSC::JIT::emit_compareAndJump): |
| (JSC::JIT::emit_compareAndJumpImpl): |
| (JSC::JIT::emit_compareUnsignedAndJump): |
| (JSC::JIT::emit_compareUnsignedAndJumpImpl): |
| (JSC::JIT::emit_compareUnsigned): |
| (JSC::JIT::emit_compareUnsignedImpl): |
| (JSC::JIT::emit_compareAndJumpSlow): |
| (JSC::JIT::emit_compareAndJumpSlowImpl): |
| (JSC::JIT::emit_op_inc): |
| (JSC::JIT::emit_op_dec): |
| (JSC::JIT::emit_op_mod): |
| (JSC::JIT::emitBitBinaryOpFastPath): |
| (JSC::JIT::emit_op_bitnot): |
| (JSC::JIT::emitRightShiftFastPath): |
| (JSC::JIT::emitMathICFast): |
| (JSC::JIT::emitMathICSlow): |
| (JSC::JIT::emit_op_div): |
| * jit/JITCall.cpp: |
| (JSC::JIT::emitPutCallResult): |
| (JSC::JIT::compileSetupFrame): |
| (JSC::JIT::compileOpCall): |
| * jit/JITExceptions.cpp: |
| (JSC::genericUnwind): |
| * jit/JITInlines.h: |
| (JSC::JIT::isOperandConstantDouble): |
| (JSC::JIT::getConstantOperand): |
| (JSC::JIT::emitPutIntToCallFrameHeader): |
| (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult): |
| (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile): |
| (JSC::JIT::linkSlowCaseIfNotJSCell): |
| (JSC::JIT::isOperandConstantChar): |
| (JSC::JIT::getOperandConstantInt): |
| (JSC::JIT::getOperandConstantDouble): |
| (JSC::JIT::emitInitRegister): |
| (JSC::JIT::emitLoadTag): |
| (JSC::JIT::emitLoadPayload): |
| (JSC::JIT::emitGet): |
| (JSC::JIT::emitPutVirtualRegister): |
| (JSC::JIT::emitLoad): |
| (JSC::JIT::emitLoad2): |
| (JSC::JIT::emitLoadDouble): |
| (JSC::JIT::emitLoadInt32ToDouble): |
| (JSC::JIT::emitStore): |
| (JSC::JIT::emitStoreInt32): |
| (JSC::JIT::emitStoreCell): |
| (JSC::JIT::emitStoreBool): |
| (JSC::JIT::emitStoreDouble): |
| (JSC::JIT::emitJumpSlowCaseIfNotJSCell): |
| (JSC::JIT::isOperandConstantInt): |
| (JSC::JIT::emitGetVirtualRegister): |
| (JSC::JIT::emitGetVirtualRegisters): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_mov): |
| (JSC::JIT::emit_op_end): |
| (JSC::JIT::emit_op_new_object): |
| (JSC::JIT::emitSlow_op_new_object): |
| (JSC::JIT::emit_op_overrides_has_instance): |
| (JSC::JIT::emit_op_instanceof): |
| (JSC::JIT::emitSlow_op_instanceof): |
| (JSC::JIT::emit_op_is_empty): |
| (JSC::JIT::emit_op_is_undefined): |
| (JSC::JIT::emit_op_is_undefined_or_null): |
| (JSC::JIT::emit_op_is_boolean): |
| (JSC::JIT::emit_op_is_number): |
| (JSC::JIT::emit_op_is_cell_with_type): |
| (JSC::JIT::emit_op_is_object): |
| (JSC::JIT::emit_op_ret): |
| (JSC::JIT::emit_op_to_primitive): |
| (JSC::JIT::emit_op_set_function_name): |
| (JSC::JIT::emit_op_not): |
| (JSC::JIT::emit_op_jfalse): |
| (JSC::JIT::emit_op_jeq_null): |
| (JSC::JIT::emit_op_jneq_null): |
| (JSC::JIT::emit_op_jundefined_or_null): |
| (JSC::JIT::emit_op_jnundefined_or_null): |
| (JSC::JIT::emit_op_jneq_ptr): |
| (JSC::JIT::emit_op_eq): |
| (JSC::JIT::emit_op_jeq): |
| (JSC::JIT::emit_op_jtrue): |
| (JSC::JIT::emit_op_neq): |
| (JSC::JIT::emit_op_jneq): |
| (JSC::JIT::emit_op_throw): |
| (JSC::JIT::compileOpStrictEq): |
| (JSC::JIT::compileOpStrictEqJump): |
| (JSC::JIT::emit_op_to_number): |
| (JSC::JIT::emit_op_to_numeric): |
| (JSC::JIT::emit_op_to_string): |
| (JSC::JIT::emit_op_to_object): |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_get_parent_scope): |
| (JSC::JIT::emit_op_switch_imm): |
| (JSC::JIT::emit_op_switch_char): |
| (JSC::JIT::emit_op_switch_string): |
| (JSC::JIT::emit_op_eq_null): |
| (JSC::JIT::emit_op_neq_null): |
| (JSC::JIT::emit_op_enter): |
| (JSC::JIT::emit_op_get_scope): |
| (JSC::JIT::emit_op_to_this): |
| (JSC::JIT::emit_op_create_this): |
| (JSC::JIT::emit_op_check_tdz): |
| (JSC::JIT::emitSlow_op_eq): |
| (JSC::JIT::emitSlow_op_neq): |
| (JSC::JIT::emitSlow_op_instanceof_custom): |
| (JSC::JIT::emit_op_new_regexp): |
| (JSC::JIT::emitNewFuncCommon): |
| (JSC::JIT::emitNewFuncExprCommon): |
| (JSC::JIT::emit_op_new_array): |
| (JSC::JIT::emit_op_new_array_with_size): |
| (JSC::JIT::emit_op_has_structure_property): |
| (JSC::JIT::emit_op_has_indexed_property): |
| (JSC::JIT::emitSlow_op_has_indexed_property): |
| (JSC::JIT::emit_op_get_direct_pname): |
| (JSC::JIT::emit_op_enumerator_structure_pname): |
| (JSC::JIT::emit_op_enumerator_generic_pname): |
| (JSC::JIT::emit_op_profile_type): |
| (JSC::JIT::emit_op_log_shadow_chicken_prologue): |
| (JSC::JIT::emit_op_log_shadow_chicken_tail): |
| (JSC::JIT::emit_op_argument_count): |
| (JSC::JIT::emit_op_get_rest_length): |
| (JSC::JIT::emit_op_get_argument): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_catch): |
| * jit/JITOperations.cpp: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_get_by_val): |
| (JSC::JIT::emitSlow_op_get_by_val): |
| (JSC::JIT::emit_op_put_by_val): |
| (JSC::JIT::emitGenericContiguousPutByVal): |
| (JSC::JIT::emitArrayStoragePutByVal): |
| (JSC::JIT::emitPutByValWithCachedId): |
| (JSC::JIT::emitSlow_op_put_by_val): |
| (JSC::JIT::emit_op_put_getter_by_id): |
| (JSC::JIT::emit_op_put_setter_by_id): |
| (JSC::JIT::emit_op_put_getter_setter_by_id): |
| (JSC::JIT::emit_op_put_getter_by_val): |
| (JSC::JIT::emit_op_put_setter_by_val): |
| (JSC::JIT::emit_op_del_by_id): |
| (JSC::JIT::emit_op_del_by_val): |
| (JSC::JIT::emit_op_try_get_by_id): |
| (JSC::JIT::emitSlow_op_try_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_direct): |
| (JSC::JIT::emitSlow_op_get_by_id_direct): |
| (JSC::JIT::emit_op_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_with_this): |
| (JSC::JIT::emitSlow_op_get_by_id): |
| (JSC::JIT::emitSlow_op_get_by_id_with_this): |
| (JSC::JIT::emit_op_put_by_id): |
| (JSC::JIT::emit_op_in_by_id): |
| (JSC::JIT::emitSlow_op_in_by_id): |
| (JSC::JIT::emitResolveClosure): |
| (JSC::JIT::emit_op_resolve_scope): |
| (JSC::JIT::emitLoadWithStructureCheck): |
| (JSC::JIT::emitGetClosureVar): |
| (JSC::JIT::emit_op_get_from_scope): |
| (JSC::JIT::emitSlow_op_get_from_scope): |
| (JSC::JIT::emitPutGlobalVariable): |
| (JSC::JIT::emitPutGlobalVariableIndirect): |
| (JSC::JIT::emitPutClosureVar): |
| (JSC::JIT::emit_op_put_to_scope): |
| (JSC::JIT::emit_op_get_from_arguments): |
| (JSC::JIT::emit_op_put_to_arguments): |
| (JSC::JIT::emitWriteBarrier): |
| (JSC::JIT::emit_op_get_internal_field): |
| (JSC::JIT::emit_op_put_internal_field): |
| (JSC::JIT::emitIntTypedArrayPutByVal): |
| (JSC::JIT::emitFloatTypedArrayPutByVal): |
| * jit/JSInterfaceJIT.h: |
| (JSC::JSInterfaceJIT::emitLoadJSCell): |
| (JSC::JSInterfaceJIT::emitJumpIfNotJSCell): |
| (JSC::JSInterfaceJIT::emitLoadInt32): |
| (JSC::JSInterfaceJIT::emitLoadDouble): |
| (JSC::JSInterfaceJIT::emitGetFromCallFrameHeaderPtr): |
| (JSC::JSInterfaceJIT::emitPutToCallFrameHeader): |
| (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader): |
| * jit/SetupVarargsFrame.cpp: |
| (JSC::emitSetupVarargsFrameFastCase): |
| * jit/SpecializedThunkJIT.h: |
| (JSC::SpecializedThunkJIT::loadDoubleArgument): |
| (JSC::SpecializedThunkJIT::loadCellArgument): |
| (JSC::SpecializedThunkJIT::loadInt32Argument): |
| * jit/ThunkGenerators.cpp: |
| (JSC::absThunkGenerator): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::getNonConstantOperand): |
| (JSC::LLInt::getOperand): |
| (JSC::LLInt::genericCall): |
| (JSC::LLInt::varargsSetup): |
| (JSC::LLInt::commonCallEval): |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| (JSC::LLInt::handleVarargsCheckpoint): |
| (JSC::LLInt::dispatchToNextInstruction): |
| (JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call): |
| (JSC::LLInt::slow_path_checkpoint_osr_exit): |
| (JSC::LLInt::llint_throw_stack_overflow_error): |
| * llint/LLIntSlowPaths.h: |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/ArgList.h: |
| (JSC::MarkedArgumentBuffer::fill): |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedCodeBlock::hasCheckpoints const): |
| (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): |
| (JSC::CachedCodeBlock<CodeBlockType>::encode): |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/ConstructData.cpp: |
| (JSC::construct): |
| * runtime/ConstructData.h: |
| * runtime/DirectArguments.cpp: |
| (JSC::DirectArguments::copyToArguments): |
| * runtime/DirectArguments.h: |
| * runtime/GenericArguments.h: |
| * runtime/GenericArgumentsInlines.h: |
| (JSC::GenericArguments<Type>::copyToArguments): |
| * runtime/JSArray.cpp: |
| (JSC::JSArray::copyToArguments): |
| * runtime/JSArray.h: |
| * runtime/JSImmutableButterfly.cpp: |
| (JSC::JSImmutableButterfly::copyToArguments): |
| * runtime/JSImmutableButterfly.h: |
| * runtime/JSLock.cpp: |
| (JSC::JSLock::willReleaseLock): |
| * runtime/ModuleProgramExecutable.cpp: |
| (JSC::ModuleProgramExecutable::create): |
| * runtime/Options.cpp: |
| (JSC::recomputeDependentOptions): |
| * runtime/ScopedArguments.cpp: |
| (JSC::ScopedArguments::copyToArguments): |
| * runtime/ScopedArguments.h: |
| * runtime/VM.cpp: |
| (JSC::VM::scanSideState const): |
| (JSC::VM::addCheckpointOSRSideState): |
| (JSC::VM::findCheckpointOSRSideState): |
| * runtime/VM.h: |
| (JSC::VM::hasCheckpointOSRSideState const): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::dumpRegisters): |
| * wasm/WasmFunctionCodeBlock.h: |
| (JSC::Wasm::FunctionCodeBlock::getConstant const): |
| (JSC::Wasm::FunctionCodeBlock::getConstantType const): |
| * wasm/WasmLLIntGenerator.cpp: |
| (JSC::Wasm::LLIntGenerator::setUsesCheckpoints const): |
| * wasm/WasmOperations.cpp: |
| (JSC::Wasm::operationWasmToJSException): |
| * wasm/WasmSlowPaths.cpp: |
| |
| 2020-01-16 Keith Miller <keith_miller@apple.com> |
| |
| Revert 254725 since it breaks tests |
| https://bugs.webkit.org/show_bug.cgi?id=206391 |
| |
| Unreviewed, revert. |
| |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
| |
| 2020-01-16 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Object allocation sinking is missing PutHint for sunken allocations |
| https://bugs.webkit.org/show_bug.cgi?id=203799 |
| <rdar://problem/56852162> |
| |
| Reviewed by Saam Barati. |
| |
| Consider the following graph: |
| |
| Block #0: |
| 1: PhantomCreateActivation() |
| 2: PhantomNewFunction() |
| PutHint(@2, @1, FunctionActivationPLoc) |
| Branch(#1, #2) |
| |
| Block #1: |
| 3: MaterializeCreateActivation() |
| PutHint(@2, @3, FunctionActivationPLoc) |
| Upsilon(@3, ^5) |
| Jump(#3) |
| |
| Block #2: |
| 4: MaterializeCreateActivation() |
| PutHint(@2, @4, FunctionActivationPLoc) |
| Upsilon(@4, ^5) |
| Jump(#3) |
| |
| Block #3: |
| 5: Phi() |
| ExitOK() |
| |
| On Block #3, we need to emit a PutHint after the Phi, since we might exit after it. However, |
| object allocation sinking skipped this Phi because it was checking whether the base of the |
| location that caused us to create this Phi (@2) was live, but it's dead in the graph (there |
| are no pointers to it). The issue is that, even though there are no pointers to the base, the |
| location `PromotedHeapLocation(@2, FunctionActivationPLoc)` is still live, so we should PutHint |
| to it. We fix it by checking for liveness of the location rather than its base. |
| |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
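As an added illustration of the liveness distinction this entry describes (example code, not JavaScriptCore's phase, and a heavily simplified model of it): the four-block graph above is replayed twice, once with the old check (is the base @2 still pointed to?) and once with the fixed check (is the location (@2, FunctionActivationPLoc) still tracked on every incoming edge?), and only the fixed check emits the PutHint after the Phi. Node ids follow the dump; the promoted-heap state, PutHint semantics and the two checks are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LOC = "FunctionActivationPLoc"
Location = Tuple[int, str]      # (base node id, promoted field)
Hint = Tuple[int, int, str]     # PutHint(@base, @value, field)


@dataclass(frozen=True)
class Node:
    op: str
    children: Tuple[int, ...] = ()  # node ids this node reads
    result: int = 0                 # "@n" in the dump when the node produces a value


@dataclass
class Block:
    id: int
    nodes: List[Node]
    preds: List[int] = field(default_factory=list)
    # promoted heap state at block exit: location -> node id holding its current value
    heap_out: Dict[Location, int] = field(default_factory=dict)


def build_graph() -> Dict[int, Block]:
    """The four-block graph from the commit message, as a constructed sample."""
    return {
        0: Block(0, [Node("PhantomCreateActivation", result=1),
                     Node("PhantomNewFunction", result=2),
                     Node("PutHint", (2, 1)),          # PutHint(@2, @1, LOC)
                     Node("Branch")]),
        1: Block(1, [Node("MaterializeCreateActivation", result=3),
                     Node("PutHint", (2, 3)),          # PutHint(@2, @3, LOC)
                     Node("Upsilon", (3,)),
                     Node("Jump")], preds=[0]),
        2: Block(2, [Node("MaterializeCreateActivation", result=4),
                     Node("PutHint", (2, 4)),          # PutHint(@2, @4, LOC)
                     Node("Upsilon", (4,)),
                     Node("Jump")], preds=[0]),
        3: Block(3, [Node("Phi", result=5), Node("ExitOK")], preds=[1, 2]),
    }


def run_block(block: Block, heap_in: Dict[Location, int]) -> None:
    """Forward-propagate the promoted heap state through one block's PutHints."""
    heap = dict(heap_in)
    for node in block.nodes:
        if node.op == "PutHint":
            base, value = node.children
            heap[(base, LOC)] = value
    block.heap_out = heap


def base_is_live(graph: Dict[int, Block], base: int) -> bool:
    """The old check: does any real (non-hint) node still point at @base?"""
    return any(base in node.children
               for block in graph.values()
               for node in block.nodes if node.op != "PutHint")


def location_is_live(graph: Dict[int, Block], block: Block, loc: Location) -> bool:
    """The fixed check: does every predecessor still carry a value for loc?"""
    return all(loc in graph[p].heap_out for p in block.preds)


def sink_merge(check_location: bool) -> List[Hint]:
    """Run the toy phase and return the PutHints emitted after the Phi in block #3."""
    graph = build_graph()
    run_block(graph[0], {})
    run_block(graph[1], graph[0].heap_out)
    run_block(graph[2], graph[0].heap_out)

    merge = graph[3]
    phi = next(n for n in merge.nodes if n.op == "Phi")
    hints: List[Hint] = []
    # A location whose incoming values disagree is what the Phi merges; the question
    # in the bug is whether that Phi also gets a PutHint so OSR exit sees the merged value.
    locations = set().union(*(graph[p].heap_out.keys() for p in merge.preds))
    for loc in sorted(locations):
        incoming = {graph[p].heap_out.get(loc) for p in merge.preds}
        if len(incoming) < 2:
            continue
        if check_location:
            live = location_is_live(graph, merge, loc)
        else:
            live = base_is_live(graph, loc[0])   # @2 has no non-hint users: "dead"
        if live:
            hints.append((loc[0], phi.result, loc[1]))
    return hints
```

With the old check the Phi is skipped and nothing is hinted, so an exit at ExitOK would have no record of the merged activation; with the fixed check PutHint(@2, @5, FunctionActivationPLoc) is emitted.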
| |
| 2020-01-16 Robin Morisset <rmorisset@apple.com> |
| |
| Try to simplify the template deduction used by callOperation in DFGSpeculativeJIT |
| https://bugs.webkit.org/show_bug.cgi?id=206329 |
| |
| Reviewed by Keith Miller. |
| |
| The change is very simple: stop using NoResultTag in callOperation, since it is redundant with !FunctionTraits<OperationType>::hasResult. |
| |
| * dfg/DFGSlowPathGenerator.h: |
| (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compilePutAccessorById): |
| (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById): |
| (JSC::DFG::SpeculativeJIT::compilePutDynamicVar): |
| (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal): |
| (JSC::DFG::SpeculativeJIT::compileDefineDataProperty): |
| (JSC::DFG::SpeculativeJIT::compileDefineAccessorProperty): |
| (JSC::DFG::SpeculativeJIT::compilePutByIdWithThis): |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::callOperation): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| |
| 2020-01-16 Robin Morisset <rmorisset@apple.com> |
| |
| Teach the bytecode that arithmetic operations can return bigints |
| https://bugs.webkit.org/show_bug.cgi?id=205416 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add already has the correct ResultType, but previously Sub/Mult/Div/Mod/Pow/Negate were always claimed to return Number, |
| and when BigInt is enabled they can also return BigInt. |
| UnaryPlus is left unchanged as it is invalid on a BigInt (to keep asm.js working as intended). |
| |
| * parser/NodeConstructors.h: |
| (JSC::NegateNode::NegateNode): |
| (JSC::PowNode::PowNode): |
| (JSC::MultNode::MultNode): |
| (JSC::DivNode::DivNode): |
| (JSC::ModNode::ModNode): |
| (JSC::SubNode::SubNode): |
| * parser/ResultType.h: |
| (JSC::ResultType::bigIntOrNumberType): Added. |
| (JSC::ResultType::forNonAddArith): |
| (JSC::ResultType::forUnaryArith): |
| |
| 2020-01-16 Robin Morisset <rmorisset@apple.com> |
| |
| Use dataLogIf more regularly |
| https://bugs.webkit.org/show_bug.cgi?id=206332 |
| |
| Reviewed by Keith Miller. |
| |
| There is a lot of code that reads |
| if (Options::foobar()) |
| dataLogLn("...") |
| |
| There are a couple of benefits to replacing those by dataLogLnIf(Options::foobar(), "..."): |
| - Readability, by reducing the number of lines taken by logging |
| - Fewer lines wrongly appearing as not-taken in test coverage (wrongly because we probably don't care about the coverage of logging code) |
| - Possibly a tiny perf benefit, since dataLogIf correctly uses UNLIKELY. |
| |
| This patch is a fairly trivial refactoring where I looked for that pattern and replaced it everywhere it appeared in JSC. |
| |
| * bytecode/BytecodeGeneratorification.cpp: |
| (JSC::performGeneratorification): |
| * bytecode/BytecodeLivenessAnalysis.cpp: |
| (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis): |
| * bytecode/CallLinkInfo.cpp: |
| (JSC::CallLinkInfo::visitWeak): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finalizeLLIntInlineCaches): |
| (JSC::CodeBlock::noticeIncomingCall): |
| (JSC::CodeBlock::optimizationThresholdScalingFactor): |
| (JSC::CodeBlock::optimizeNextInvocation): |
| (JSC::CodeBlock::dontOptimizeAnytimeSoon): |
| (JSC::CodeBlock::optimizeAfterWarmUp): |
| (JSC::CodeBlock::optimizeAfterLongWarmUp): |
| (JSC::CodeBlock::optimizeSoon): |
| (JSC::CodeBlock::forceOptimizationSlowPathConcurrently): |
| (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): |
| (JSC::CodeBlock::shouldOptimizeNow): |
| * bytecode/DFGExitProfile.cpp: |
| (JSC::DFG::ExitProfile::add): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseCodeBlock): |
| * dfg/DFGCFAPhase.cpp: |
| * dfg/DFGJITCode.cpp: |
| (JSC::DFG::JITCode::optimizeNextInvocation): |
| (JSC::DFG::JITCode::dontOptimizeAnytimeSoon): |
| (JSC::DFG::JITCode::optimizeAfterWarmUp): |
| (JSC::DFG::JITCode::optimizeSoon): |
| (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently): |
| (JSC::DFG::JITCode::setOSREntryBlock): |
| * dfg/DFGJumpReplacement.cpp: |
| (JSC::DFG::JumpReplacement::fire): |
| * dfg/DFGOSREntry.cpp: |
| (JSC::DFG::prepareOSREntry): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::compileExit): |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::compileInThreadImpl): |
| * dfg/DFGToFTLDeferredCompilationCallback.cpp: |
| (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously): |
| (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete): |
| * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: |
| (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously): |
| (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete): |
| * dfg/DFGWorklist.cpp: |
| (JSC::DFG::Worklist::completeAllReadyPlansForVM): |
| * ftl/FTLOSREntry.cpp: |
| (JSC::FTL::prepareOSREntry): |
| * heap/Heap.cpp: |
| (JSC::Heap::lastChanceToFinalize): |
| (JSC::Heap::sweepSynchronously): |
| (JSC::Heap::collectNow): |
| (JSC::Heap::runBeginPhase): |
| (JSC::Heap::runFixpointPhase): |
| (JSC::Heap::runReloopPhase): |
| (JSC::Heap::runEndPhase): |
| (JSC::Heap::finalize): |
| (JSC::Heap::willStartCollection): |
| (JSC::Heap::updateAllocationLimits): |
| (JSC::Heap::notifyIsSafeToCollect): |
| * heap/MarkStackMergingConstraint.cpp: |
| (JSC::MarkStackMergingConstraint::prepareToExecuteImpl): |
| * heap/MarkedSpace.cpp: |
| * heap/MarkingConstraint.cpp: |
| (JSC::MarkingConstraint::prepareToExecute): |
| * heap/MarkingConstraintSet.cpp: |
| (JSC::MarkingConstraintSet::executeConvergence): |
| (JSC::MarkingConstraintSet::executeConvergenceImpl): |
| (JSC::MarkingConstraintSet::executeAll): |
| * heap/MarkingConstraintSolver.cpp: |
| (JSC::MarkingConstraintSolver::execute): |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::appendToMarkStack): |
| (JSC::SlotVisitor::visitChildren): |
| (JSC::SlotVisitor::didRace): |
| * heap/StochasticSpaceTimeMutatorScheduler.cpp: |
| (JSC::StochasticSpaceTimeMutatorScheduler::beginCollection): |
| (JSC::StochasticSpaceTimeMutatorScheduler::didExecuteConstraints): |
| * jit/JIT.cpp: |
| (JSC::JIT::link): |
| * jit/JITExceptions.cpp: |
| (JSC::genericUnwind): |
| * jit/JITOperations.cpp: |
| * jit/JITToDFGDeferredCompilationCallback.cpp: |
| (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously): |
| (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete): |
| * jit/JITWorklist.cpp: |
| (JSC::JITWorklist::Plan::finalize): |
| * jit/PolymorphicCallStubRoutine.cpp: |
| (JSC::PolymorphicCallNode::unlink): |
| * jit/Repatch.cpp: |
| (JSC::unlinkFor): |
| (JSC::linkVirtualFor): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::jitCompileAndSetHeuristics): |
| (JSC::LLInt::entryOSR): |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * parser/ModuleAnalyzer.cpp: |
| (JSC::ModuleAnalyzer::analyze): |
| * runtime/JSModuleLoader.cpp: |
| (JSC::JSModuleLoader::importModule): |
| (JSC::JSModuleLoader::resolveSync): |
| (JSC::JSModuleLoader::fetch): |
| (JSC::JSModuleLoader::evaluate): |
| (JSC::moduleLoaderModuleDeclarationInstantiation): |
| * runtime/ScriptExecutable.cpp: |
| (JSC::ScriptExecutable::installCode): |
| * runtime/VM.cpp: |
| (JSC::VM::throwException): |
| * tools/CompilerTimingScope.cpp: |
| (JSC::CompilerTimingScope::CompilerTimingScope): |
| (JSC::CompilerTimingScope::~CompilerTimingScope): |
| * wasm/WasmMemory.cpp: |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::resolve): |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::jitCompile): |
| * yarr/YarrPattern.cpp: |
| (JSC::Yarr::YarrPattern::compile): |
| |
| 2020-01-16 Robin Morisset <rmorisset@apple.com> |
| |
| Reduce the code generated by DFGSlowPathGenerator.h |
| https://bugs.webkit.org/show_bug.cgi?id=206330 |
| |
| Reviewed by Mark Lam. |
| |
| The FunctionType parameter is only needed by CallResultAndArgumentsSlowPathGenerator, not by its base class CallSlowPathGenerator. |
| Moving it allows saving about 200kB from JavaScriptCore (in Release mode), by reducing the number of instantiations of the methods of CallSlowPathGenerator. |
| |
| * dfg/DFGSlowPathGenerator.h: |
| (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator): |
| (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator): |
| |
| 2020-01-16 Don Olmstead <don.olmstead@sony.com> |
| |
| Non-unified build fixes mid January 2020 edition |
| https://bugs.webkit.org/show_bug.cgi?id=206363 |
| |
| Unreviewed build fix. |
| |
| * interpreter/StackVisitor.cpp: |
| |
| 2020-01-16 Jonathan Bedard <jbedard@apple.com> |
| |
| Pass JSToken by const reference |
| https://bugs.webkit.org/show_bug.cgi?id=206321 |
| |
| Reviewed by Saam Barati. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::createBindingPattern): Pass JSToken by const reference. |
| * parser/Parser.h: Ditto. |
| |
| 2020-01-16 Mark Lam <mark.lam@apple.com> |
| |
| operationToObject() should check for a null errorMessage. |
| https://bugs.webkit.org/show_bug.cgi?id=206339 |
| <rdar://problem/58449666> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| r224280 introduced operationToObject() with an option to specify a custom error |
| message. r254252 added a scenario where the passed in error message is null but |
| did not update operationToObject() to allow for this. This patch adds the |
| missing null check. |
| |
| * dfg/DFGOperations.cpp: |
| |
| 2020-01-16 Per Arne Vollan <pvollan@apple.com> |
| |
| [Win] Fix AppleWin build |
| https://bugs.webkit.org/show_bug.cgi?id=206299 |
| |
| Reviewed by Brent Fulgham. |
| |
| Include required target. Build internal builds with VS2019. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.vcxproj/JavaScriptCore.proj: |
| |
| 2020-01-16 Caio Lima <ticaiolima@gmail.com> |
| |
| [JSC] 32-bit platforms should use a PC base register |
| https://bugs.webkit.org/show_bug.cgi?id=203563 |
| |
| Reviewed by Keith Miller. |
| |
| We are moving the 32-bit LLInt implementation to follow the model used by |
| 64-bit architectures. It means that we now use PC and PB registers to |
| represent the current Instruction. This patch will reduce the changes |
| we have from those architectures and mainly allow the usage of the new |
| version of BytecodeIndex::m_packedBits. This also allows us to remove |
| divergences on CallSiteIndex. |
| The change required the inclusion of a new callee-save register on |
| ARMv7 (r10), MIPS ($s1) and CLOOP. Further changes necessary for |
| Baseline and DFG will come in a following patch. |
| |
| * assembler/MIPSRegisters.h: |
| * interpreter/CallFrame.cpp: |
| * jit/GPRInfo.h: |
| (JSC::GPRInfo::toRegister): |
| (JSC::GPRInfo::toIndex): |
| * jit/RegisterSet.cpp: |
| (JSC::RegisterSet::vmCalleeSaveRegisters): |
| (JSC::RegisterSet::llintBaselineCalleeSaveRegisters): |
| * llint/LLIntData.h: |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter.cpp: |
| (JSC::CLoop::execute): |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * offlineasm/arm.rb: |
| * offlineasm/mips.rb: |
| |
| 2020-01-15 Caitlin Potter <caitp@igalia.com> |
| |
| [JSC] Add support for public class fields |
| https://bugs.webkit.org/show_bug.cgi?id=174212 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Implements the instance class fields proposal (https://tc39.es/proposal-class-fields/), |
| minus support for private fields (split into a separate patch). |
| |
| In summary, class fields are initialized by a synthetic JSFunction. In its unlinked state, |
| the UnlinkedFunctionExecutable for the function includes an ordered list of JSTokenLocations |
| pointing to the start of each class field in the class. Each of these fields are parsed and |
| included as DefineFieldNodes, which implement the appropriate DefineField behaviour in the |
| proposal. This synthetic function is only created, and only loaded, if there are class fields |
| present. The decision to use a synthetic function was for simplicity. There are a number of |
| factors which make inlining the initialization complicated, though we may opt to do this in |
| the future. For reference, the complexities are: instance fields and constructor are |
| currently in different parsing arenas, distinct scopes between the 2 which require work to manage, |
| and complexity in doing this work for child classes, where the location of initialization can |
| depend, and in some cases occur more than once. |
| |
| Computed property fields require a new bytecode, op_to_property_key, as an implementation |
| detail. It is necessary in the proposal to convert computed properties to property keys |
| during class evaluation, rather than during field initialization. Additionally, we allocate |
| the class lexical scope when computed class fields are used (previously, only when there was |
| a class name), as a location to keep the computed property keys. They can be loaded from the |
| scope via indexed keys. |
| |
| To illustrate computed field names in action, consider the following pseudocode: |
| |
| <during class evaluation> |
| 1) fieldName = emitNode({expr}) |
| 2) fieldName = emitToPropertyKey(fieldName) |
| 3) classScope[numComputedNames++] = fieldName |
| |
| <during class field initialization> |
| 1) fieldName = emitGetFromScope(classScope, computedFieldNameIndex++) |
| 2) value = emitNode({initializer}) |
| 3) instance[fieldName] = value |
| |
| The feature is currently hidden behind the feature flag JSC::Options::useClassFields. |
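| |
| To make the ordering described in this entry observable from script, here is an added JavaScript example (not code from this patch or from JSC; the helper names key() and init() are invented for illustration). It records when computed keys are converted to property keys and when initializers run, and checks that a derived class's fields are only installed after super() returns: |

```javascript
// Added illustration of the class field semantics described in the entry above.
// Not JSC code; the helpers key() and init() are invented for this example.

// Records the order in which computed keys and field initializers are evaluated.
function classFieldOrder() {
  const log = [];
  // Computed key: evaluated and converted with ToPropertyKey during class
  // evaluation, so toString() runs before any instance exists.
  const key = (name) => ({
    toString() { log.push(`key:${name}`); return name; },
  });
  // Initializer: runs once per construction, after the keys are already fixed.
  const init = (name) => { log.push(`init:${name}`); return name.toUpperCase(); };

  class C {
    [key('a')] = init('a');
    [key('b')] = init('b');
  }
  const afterClassEvaluation = log.slice();

  const first = new C();
  const afterFirstInstance = log.slice();

  new C(); // keys are not re-evaluated; only the initializers run again
  const afterSecondInstance = log.slice();

  return {
    afterClassEvaluation,
    afterFirstInstance,
    afterSecondInstance,
    firstInstance: { a: first.a, b: first.b },
  };
}

// Fields of a derived class are defined after super() returns, so the base
// constructor cannot observe them.
function fieldsAfterSuper() {
  class Base {
    constructor() { this.baseSawX = 'x' in this; }
  }
  class Derived extends Base {
    x = 1;
  }
  const d = new Derived();
  return {
    baseSawX: d.baseSawX,
    x: d.x,
    ownProperty: Object.prototype.hasOwnProperty.call(d, 'x'),
  };
}

console.log(classFieldOrder());
console.log(fieldsAfterSuper());
```

| The first log shows only the key conversions after the class statement has run; each construction then appends one init entry per field, in declaration order, without touching the keys again. |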
| |
| 2020-01-15 Adrian Perez de Castro <aperez@igalia.com> |
| |
| Offlineasm warnings with newer Ruby versions |
| https://bugs.webkit.org/show_bug.cgi?id=206233 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Avoid a warning about using Object#=~ on Annotation instances, which |
| has been deprecated in Ruby 2.7. |
| |
| * offlineasm/parser.rb: Swap checks to prevent applying the =~ operator |
| to Annotation instances, which do not define it. |
| |
| 2020-01-15 Keith Miller <keith_miller@apple.com> |
| |
| Revert bytecode checkpoints since it breaks watch |
| https://bugs.webkit.org/show_bug.cgi?id=206301 |
| |
| Unreviewed, revert. |
| |
| 2020-01-15 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Object.preventExtensions should throw if not successful |
| https://bugs.webkit.org/show_bug.cgi?id=206131 |
| |
| Reviewed by Ross Kirsling. |
| |
| With this change, Object.preventExtensions throws TypeError if [[PreventExtensions]] |
| returns `false`. This is possible if Object.preventExtensions is called on a Proxy object. |
| (step 3 of https://tc39.es/ecma262/#sec-object.preventextensions) |
| |
| * runtime/ObjectConstructor.cpp: |
| (JSC::objectConstructorPreventExtensions): |
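| |
| The observable difference between Object.preventExtensions and Reflect.preventExtensions on a Proxy whose trap returns false, as an added JavaScript example (not code from this patch or from JSC; the proxy traps are constructed for illustration): |

```javascript
// Added illustration of the Object.preventExtensions behaviour described above.
// Not JSC code; the proxies below are constructed for this example.

// A proxy whose [[PreventExtensions]] reports failure. Returning false is
// allowed by the proxy invariants as long as the target stays extensible.
function makeRefusingProxy(target) {
  return new Proxy(target, {
    preventExtensions() { return false; },
  });
}

// Object.preventExtensions must throw a TypeError when [[PreventExtensions]]
// returns false (step 3 of the spec algorithm); Reflect.preventExtensions
// just reports the boolean and never throws for this case.
function preventExtensionsOnRefusingProxy() {
  const target = {};
  const proxy = makeRefusingProxy(target);

  let error = null;
  try {
    Object.preventExtensions(proxy);
  } catch (e) {
    error = e;
  }

  return {
    objectThrowsTypeError: error instanceof TypeError,
    reflectResult: Reflect.preventExtensions(proxy),
    targetStillExtensible: Object.isExtensible(target),
  };
}

// A cooperating trap forwards to the target; Object.preventExtensions then
// returns the proxy itself and both proxy and target report non-extensible.
function preventExtensionsOnForwardingProxy() {
  const target = {};
  const proxy = new Proxy(target, {
    preventExtensions(t) { return Reflect.preventExtensions(t); },
  });
  const result = Object.preventExtensions(proxy);
  return {
    returnedSameObject: result === proxy,
    targetExtensible: Object.isExtensible(target),
    proxyExtensible: Object.isExtensible(proxy),
  };
}

console.log(preventExtensionsOnRefusingProxy());
console.log(preventExtensionsOnForwardingProxy());
```

| Code that wants the boolean rather than the exception should call Reflect.preventExtensions directly; after this change the two are no longer interchangeable on a refusing proxy. |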
| |
| 2020-01-15 Jonathan Bedard <jbedard@apple.com> |
| |
| webkitpy: Remove self assignments |
| https://bugs.webkit.org/show_bug.cgi?id=206294 |
| |
| Reviewed by Aakash Jain. |
| |
| * inspector/scripts/codegen/generator.py: |
| (Generator.js_name_for_parameter_type): |
| |
| 2020-01-14 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r254480, r254496, and r254517. |
| https://bugs.webkit.org/show_bug.cgi?id=206278 |
| |
| "It regressed JetStream2 and Speedometer2" (Requested by |
| saamyjoon on #webkit). |
| |
| Reverted changesets: |
| |
| "Throw away baseline code if there is an optimized |
| replacement" |
| https://bugs.webkit.org/show_bug.cgi?id=202503 |
| https://trac.webkit.org/changeset/254480 |
| |
| "Unreviewed. Change useLLInt=0 to forceBaseline=1" |
| https://trac.webkit.org/changeset/254496 |
| |
| "Add an option that enables/disables throwing away baseline |
| JIT code" |
| https://bugs.webkit.org/show_bug.cgi?id=206244 |
| https://trac.webkit.org/changeset/254517 |
| |
| 2020-01-14 Keith Miller <keith_miller@apple.com> |
| |
| Fix scanSideState assertion |
| https://bugs.webkit.org/show_bug.cgi?id=206257 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/VM.cpp: |
| (JSC::VM::scanSideState const): |
| |
| 2020-01-14 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: crash in DumpRenderTree at com.apple.JavaScriptCore: WTF::RefCountedBase::hasOneRef const |
| https://bugs.webkit.org/show_bug.cgi?id=206191 |
| <rdar://problem/58415623> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * debugger/Debugger.cpp: |
| (JSC::Debugger::attach): |
| (GatherSourceProviders::GatherSourceProviders): Deleted. |
| (GatherSourceProviders::operator()): Deleted. |
| Use `RefPtr<SourceProvider>` instead of `SourceProvider*` in case the `FunctionExecutable` |
| is destroyed after the `SourceProvider*` is saved, which would destroy the `SourceProvider` |
| as well. |
| |
| 2020-01-14 Saam Barati <sbarati@apple.com> |
| |
| Add an option that enables/disables throwing away baseline JIT code |
| https://bugs.webkit.org/show_bug.cgi?id=206244 |
| |
| Reviewed by Robin Morisset. |
| |
| This option is now set to false as I investigate a perf regression with |
| the original patch. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finalizeUnconditionally): |
| * runtime/OptionsList.h: |
| |
| 2020-01-13 Darin Adler <darin@apple.com> |
| |
| Use even more "shortest form" formatting, and less "fixed precision" and "fixed width" |
| https://bugs.webkit.org/show_bug.cgi?id=198918 |
| |
| Reviewed by Sam Weinig. |
| |
| * API/tests/ExecutionTimeLimitTest.cpp: |
| (testExecutionTimeLimit): Rewrote the string creation code to use makeString instead |
| of StringBuilder and no longer use any fixed precision. |
| |
| * runtime/Options.cpp: |
| (JSC::OptionReader::Option::dump const): Dump doubles with shortest form instead of |
| fixed precision. |
| |
| 2020-01-14 David Kilzer <ddkilzer@apple.com> |
| |
| Enable -Wconditional-uninitialized in bmalloc, WTF, JavaScriptCore |
| <https://webkit.org/b/206190> |
| <rdar://problem/58540387> |
| |
| Reviewed by Mark Lam. |
| |
| Initialize stack variables to fix warnings. |
| |
| * Configurations/Base.xcconfig: |
| (WARNING_CFLAGS): Add -Wconditional-uninitialized. |
| * b3/B3LowerToAir.cpp: |
| (LowerToAir::appendCAS): |
| * b3/testb3_4.cpp: |
| (testLoadAddrShift): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty): |
| Move declaration of `notEmpty` into if block since it's not used |
| outside that scope. |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): |
| * ftl/FTLThunks.cpp: |
| (JSC::FTL::registerClobberCheck): |
| * wasm/js/WebAssemblyTablePrototype.cpp: |
| (JSC::webAssemblyTableProtoFuncSet): |
| variables. |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseBody): |
| |
| 2020-01-13 Fujii Hironori <Hironori.Fujii@sony.com> |
| |
| Unreviewed sort-Xcode-project-file |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| |
| 2020-01-13 Keith Miller <keith_miller@apple.com> |
| |
| scanSideState scans too much side state |
| https://bugs.webkit.org/show_bug.cgi?id=206166 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| The old code would scan tmps + sizeof(tmps) but sizeof(tmps) |
| is not the length of the array. Instead we should scan tmps + |
| maxNumCheckpointTmps. |
| |
| * interpreter/CheckpointOSRExitSideState.h: |
| * runtime/VM.cpp: |
| (JSC::VM::scanSideState const): |
| |
| 2020-01-13 Saam Barati <sbarati@apple.com> |
| |
| Throw away baseline code if there is an optimized replacement |
| https://bugs.webkit.org/show_bug.cgi?id=202503 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch's goal is to help us save JIT executable memory by throwing |
| away baseline code when it has an optimized replacement. To make it |
| easy to reason about, we do this when finalizing a GC, and when the |
| CodeBlock is not on the stack. When we do this, we throw away all JIT |
| data and unlink all incoming calls. |
| |
| This patch also paves the way for the LOL tier by making it so we always |
| exit to the LLInt. This allows the code in CodeBlock finalization to not |
| have to consider whether or not an OSR exit is wired to baseline |
| JIT code, since all exits are now to the LLInt. Because of this, this |
| patch removes the forceOSRExitToLLInt option. Also, this patch renames |
| the useLLInt option to forceBaseline and inverts its meaning. |
| Options::forceBaseline=true implies that code will start off executing in |
| the baseline JIT instead of the LLInt. However, it won't prevent us from |
| emitting an OSR exit which jumps to LLInt code. |
| |
| * API/tests/ExecutionTimeLimitTest.cpp: |
| (testExecutionTimeLimit): |
| * API/tests/PingPongStackOverflowTest.cpp: |
| (testPingPongStackOverflow): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| (JSC::CodeBlock::finalizeUnconditionally): |
| (JSC::CodeBlock::resetJITData): |
| (JSC::CodeBlock::optimizedReplacement): |
| (JSC::CodeBlock::hasOptimizedReplacement): |
| (JSC::CodeBlock::tallyFrequentExitSites): |
| (JSC::CodeBlock::findStubInfo): Deleted. |
| (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): Deleted. |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::setJITCode): |
| * dfg/DFGDriver.cpp: |
| (JSC::DFG::compileImpl): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::callerReturnPC): |
| (JSC::DFG::reifyInlinedCallFrames): |
| (JSC::DFG::adjustAndJumpToTarget): |
| * dfg/DFGOSRExitCompilerCommon.h: |
| * heap/CodeBlockSet.cpp: |
| (JSC::CodeBlockSet::isCurrentlyExecuting): |
| * heap/CodeBlockSet.h: |
| * heap/Heap.cpp: |
| (JSC::Heap::finalizeUnconditionalFinalizers): |
| (JSC::Heap::runEndPhase): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::dispatchToNextInstruction): |
| * runtime/Options.cpp: |
| (JSC::recomputeDependentOptions): |
| (JSC::Options::initialize): |
| (JSC::Options::ensureOptionsAreCoherent): |
| * runtime/OptionsList.h: |
| * runtime/ScriptExecutable.cpp: |
| (JSC::ScriptExecutable::prepareForExecutionImpl): |
| |
| 2020-01-13 Mark Lam <mark.lam@apple.com> |
| |
| Replace uses of Box<Identifier> with a new CacheableIdentifier class. |
| https://bugs.webkit.org/show_bug.cgi?id=205544 |
| <rdar://problem/58041800> |
| |
| Reviewed by Saam Barati. |
| |
| The introduction of the use of Box<Identifier> was to get around having to |
| ref/deref the underlying UniquedStringImpl in Identifiers from the compiler |
| and GC threads. However, it proves to be difficult to control when these |
| Box<Identifier>s get destructed, and requires that we find all the places in |
| the compiler and GC threads where this can happen, and apply keep alive tactics |
| there to defer destruction of the Box<Identifier> to the mutator thread. |
| |
| This patch fixes this by replacing uses of Box<Identifier> with |
| CacheableIdentifier, which is effectively a tagged union of a JSCell* or a |
| UniquedStringImpl*. The JSCell*, in this case, can be either a Symbol* or a |
| JSString* that is backed by an atom string. The VM runtime ensures that we'll |
| never try to cache an identifier from a JSCell that is not one of these. This |
| CacheableIdentifier can be destructed from the compiler or GC thread. Since it |
| doesn't hold a ref of the underlying UniquedStringImpl, it won't try to deref |
| it on destruction. |
| |
| Instead, we'll need to visit CacheableIdentifiers during GC scans to keep the |
| JSCell in it alive, and that JSCell will, in turn, keep the underlying |
| UniquedStringImpl alive. |
| |
| This patch also does the following: |
| |
| 1. Add a visitAggregate() method to StructureStubInfo, PolymorphicAccess, and |
| AccessCase to visit the CacheableIdentifier's JSCell identifier. This |
| visitAggregate() is called from CodeBlock::stronglyVisitStrongReferences(). |
| |
| When we write barrier a CodeBlock, it guarantees that its visitAggregate() |
| method is called. However, it does not guarantee that its propagateTransitions() |
| method will be called. Since the CacheableIdentifier's reference to a cell |
| should be a strong reference, visiting it via a StructureStubInfo::visitAggregate() |
| method is the right thing to do. |
| See https://bugs.webkit.org/show_bug.cgi?id=205544#c7 for an example of why |
| propagateTransitions() doesn't always do the job. |
| |
| StructureStubInfo::visitWeakReferences() is also inappropriate for this |
| because it is only called after all marking is done. It is also not meant |
| to keep cells alive but merely for clearing weak references to dead cells. |
| |
| 2. Also add to visitAggregate() for ModuleNamespaceData's m_identifier in |
| GetByStatus::markIfCheap(). |
| |
| 3. Remove previously applied keep alive tactics to work around Box<Identifier> |
| destruction. This also restores the allowance to destruct DFG::Plans on a |
| compiler thread. |
| |
| 4. Added a JSString::getValueImpl() helper. |
| |
| 5. Added a write barrier in DFG and FTL JITFinalizer's finalizeCommon() to ensure |
| that frozen values are scanned by the GC. |
| |
| During compilation, the frozen values were previously protected by the Plan. |
| After finalization, they should be protected by the CodeBlock. Hence, we |
| should barrier the CodeBlock since the last GC scan of the CodeBlock may have |
| happened before the frozen values were registered with the CodeBlock. |
| |
| GC considerations: |
| ================== |
| The following also addresses Yusuke's concerns in https://bugs.webkit.org/show_bug.cgi?id=205544#c10. |
| |
| CacheableIdentifier is only stored as fields in 4 classes/structs: |
| |
| 1. AccessCase::m_identifier |
| 2. GetByIdVariant::m_identifier |
| 3. ModuleNamespaceData::m_identifier |
| 4. StructureStubInfo::m_getByIdSelfIdentifier |
| |
| AccessCase::m_identifier |
| ======================== |
| While the access case is being created and added in tryCacheGetBy(), the |
| CacheableIdentifier is still on the stack and protected from the GC. At the |
| bottom of tryCacheGetBy(), StructureStubInfo::addAccessCase() is called to add |
| the access case. |
| |
| StructureStubInfo::addAccessCase() will barrier the owner CodeBlock at its end, |
| and CodeBlock::stronglyVisitStrongReferences() will visit the StructureStubInfo, |
| which in turn visits the AccessCase. StructureStubInfo::visitAggregate() has |
| been added for this purpose. |
| |
| GetByIdVariant::m_identifier |
| ============================ |
| GetByIdVariant is only stored in GetByStatus. Both GetByIdVariant and GetByStatus |
| are only created and handled in the DFG/FTL compiler threads. While the compiler |
| thread is working with them, they are safe from the GC because the GC won't collect |
| objects until the compiler thread is at a SafePoint. |
| |
| At compiler SafePoints, any GetByStatus that needs to be persisted is stored in |
| DFG::Plan::m_recordedStatuses. The Plan will visit the m_recordedStatuses in |
| Plan::checkLivenessAndVisitChildren(). |
| |
| At the end of compilation, Plan::m_recordedStatuses is transferred over to the owner |
| CodeBlock's DFG::CommonData in Plan::finalizeWithoutNotifyingCallback(). |
| Plan::finalizeWithoutNotifyingCallback() will also barrier the owner CodeBlock at |
| its end. |
| |
| Thereafter, CodeBlock::stronglyVisitStrongReferences() will visit the recordedStatuses. |
| |
| ModuleNamespaceData::m_identifier |
| ================================= |
| ModuleNamespaceData is only stored in a GetByStatus, and is therefore protected |
| similarly as the GetByIdVariant::m_identifier case above. |
| |
| StructureStubInfo::m_getByIdSelfIdentifier |
| ========================================== |
| StructureStubInfo::initGetByIdSelf() is called from inside tryCacheGetBy(). |
| StructureStubInfo::initGetByIdSelf() will barrier the owner CodeBlock. The |
| CacheableIdentifier here is protected in the same way as the AccessCase::m_identifier |
| case above. |
| |
| DesiredIdentifiers |
| ================== |
| The compiler thread may also stash a CacheableIdentifier's uid in its |
| DesiredIdentifiers. Normally, the identifiers stashed in DesiredIdentifiers are |
| from identifiers that the CodeBlock already knows about and manages (e.g. from |
| GetByIds). For uids from a cell-based CacheableIdentifier that is passed to |
| a GetByVal, we need to keep the cell alive in order to keep the uid alive. This is |
| achieved by freezing the cell with freezeStrong() in the op_get_by_val case in |
| the DFG BytecodeParser. |
| |
| Resetting a StructureStubInfo while its IC code is still executing on the stack |
| =============================================================================== |
| The concern is that IC code may call slow path / getter functions that may in turn: |
| |
| 1. reset the IC, and |
| 2. run the GC. |
| |
| This can be a problem if: |
| |
| 1. there is a scenario where we return from the slow path / getter function |
| and run IC code that uses the cell / uid from the CacheableIdentifier. |
| |
| This is because the StructureStubInfo is what visits that cell, which |
| in turn keeps its uid alive. Once the StructureStubInfo is reset, it will no |
| longer be associated with any AccessCase or the m_getByIdSelfIdentifier. |
| As such they will not be visited, and the CacheableIdentifier may be collected |
| by the GC. |
| |
| In practice, the generated IC code never uses the cell / uid after it calls |
| any slow path / getter function. I've verified this by auditing the code |
| generation in InlineAccess::generateSelfInAccess() and PolymorphicAccess::regenerate(). |
| Hence, there's no issue with using a collected cell / uid. |
| |
| 2. there is a scenario where a slow path / getter function makes use of the cell / uid |
| from the CacheableIdentifier but does not protect it. |
| |
| The only 2 slow path functions: |
| operationGetByValGeneric() |
| operationGetByValOptimize() |
| |
| operationGetByValGeneric() does not use any CacheableIdentifier from the StructureStubInfo. |
| |
| operationGetByValOptimize() modifies the StructureStubInfo in tryCacheGetBy() |
| under the protection of a GCSafeConcurrentJSLocker, and can reset the |
| StructureStubInfo. However, it does not use any CacheableIdentifier after |
| that. |
| |
| Hence, there's also no GC issue here. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::AccessCase): |
| (JSC::AccessCase::create): |
| (JSC::AccessCase::fromStructureStubInfo): |
| (JSC::AccessCase::commit): |
| (JSC::AccessCase::canReplace const): |
| (JSC::AccessCase::dump const): |
| (JSC::AccessCase::visitAggregate const): |
| (JSC::AccessCase::generateWithGuard): |
| (JSC::AccessCase::generateImpl): |
| * bytecode/AccessCase.h: |
| (JSC::AccessCase::uid const): |
| (JSC::AccessCase::identifier const): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::propagateTransitions): |
| (JSC::CodeBlock::stronglyVisitStrongReferences): |
| * bytecode/GetByIdVariant.cpp: |
| (JSC::GetByIdVariant::GetByIdVariant): |
| (JSC::GetByIdVariant::attemptToMerge): |
| (JSC::GetByIdVariant::visitAggregate): |
| (JSC::GetByIdVariant::dumpInContext const): |
| * bytecode/GetByIdVariant.h: |
| (JSC::GetByIdVariant::identifier const): |
| (JSC::GetByIdVariant::overlaps): |
| * bytecode/GetByStatus.cpp: |
| (JSC::GetByStatus::computeFromLLInt): |
| (JSC::GetByStatus::computeFor): |
| (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): |
| (JSC::GetByStatus::visitAggregate): |
| (JSC::GetByStatus::singleIdentifier const): |
| * bytecode/GetByStatus.h: |
| * bytecode/GetterSetterAccessCase.cpp: |
| (JSC::GetterSetterAccessCase::GetterSetterAccessCase): |
| (JSC::GetterSetterAccessCase::create): |
| * bytecode/GetterSetterAccessCase.h: |
| * bytecode/InstanceOfAccessCase.cpp: |
| (JSC::InstanceOfAccessCase::InstanceOfAccessCase): |
| * bytecode/IntrinsicGetterAccessCase.cpp: |
| (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase): |
| (JSC::IntrinsicGetterAccessCase::create): |
| * bytecode/IntrinsicGetterAccessCase.h: |
| * bytecode/ModuleNamespaceAccessCase.cpp: |
| (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase): |
| (JSC::ModuleNamespaceAccessCase::create): |
| * bytecode/ModuleNamespaceAccessCase.h: |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::PolymorphicAccess::visitAggregate): |
| (JSC::PolymorphicAccess::regenerate): |
| * bytecode/PolymorphicAccess.h: |
| * bytecode/ProxyableAccessCase.cpp: |
| (JSC::ProxyableAccessCase::ProxyableAccessCase): |
| (JSC::ProxyableAccessCase::create): |
| * bytecode/ProxyableAccessCase.h: |
| * bytecode/RecordedStatuses.cpp: |
| (JSC::RecordedStatuses::visitAggregate): |
| * bytecode/RecordedStatuses.h: |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::initGetByIdSelf): |
| (JSC::StructureStubInfo::addAccessCase): |
| (JSC::StructureStubInfo::visitAggregate): |
| * bytecode/StructureStubInfo.h: |
| (JSC::StructureStubInfo::getByIdSelfIdentifier): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseGetById): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGDesiredIdentifiers.cpp: |
| (JSC::DFG::DesiredIdentifiers::ensure): |
| (JSC::DFG::DesiredIdentifiers::at const): |
| (JSC::DFG::DesiredIdentifiers::reallyAdd): |
| (JSC::DFG::DesiredIdentifiers::processCodeBlockIdentifiersIfNeeded): Deleted. |
| * dfg/DFGDesiredIdentifiers.h: |
| * dfg/DFGJITFinalizer.cpp: |
| (JSC::DFG::JITFinalizer::finalizeCommon): |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::~Plan): |
| (JSC::DFG::Plan::checkLivenessAndVisitChildren): |
| (JSC::DFG::Plan::cancel): |
| * dfg/DFGPlan.h: |
| (JSC::DFG::Plan::keepAliveIdentifier): Deleted. |
| * dfg/DFGWorklist.cpp: |
| (JSC::DFG::Worklist::removeAllReadyPlansForVM): |
| (JSC::DFG::Worklist::removeDeadPlans): |
| (JSC::DFG::Worklist::removeNonCompilingPlansForVM): |
| (JSC::DFG::Worklist::deleteCancelledPlansForVM): Deleted. |
| * dfg/DFGWorklist.h: |
| * ftl/FTLJITFinalizer.cpp: |
| (JSC::FTL::JITFinalizer::finalizeCommon): |
| * jit/JITOperations.cpp: |
| * jit/Repatch.cpp: |
| (JSC::tryCacheGetBy): |
| (JSC::repatchGetBy): |
| (JSC::tryCacheArrayGetByVal): |
| (JSC::tryCacheInstanceOf): |
| * jit/Repatch.h: |
| * runtime/CacheableIdentifier.cpp: Added. |
| (JSC::CacheableIdentifier::dump const): |
| * runtime/CacheableIdentifier.h: Added. |
| (JSC::CacheableIdentifier::CacheableIdentifier): |
| (JSC::CacheableIdentifier::isUid const): |
| (JSC::CacheableIdentifier::isCell const): |
| (JSC::CacheableIdentifier::isSymbol const): |
| (JSC::CacheableIdentifier::operator bool const): |
| * runtime/CacheableIdentifierInlines.h: Added. |
| (JSC::CacheableIdentifier::CacheableIdentifier): |
| (JSC::CacheableIdentifier::cell const): |
| (JSC::CacheableIdentifier::uid const): |
| (JSC::CacheableIdentifier::isCacheableIdentifierCell): |
| (JSC::CacheableIdentifier::isSymbolCell const): |
| (JSC::CacheableIdentifier::isStringCell const): |
| (JSC::CacheableIdentifier::setCellBits): |
| (JSC::CacheableIdentifier::setUidBits): |
| (JSC::CacheableIdentifier::visitAggregate const): |
| (JSC::CacheableIdentifier::operator== const): |
| (JSC::CacheableIdentifier::operator!= const): |
| * runtime/ExceptionHelpers.cpp: |
| (JSC::functionCallBase): |
| * runtime/JSString.h: |
| (JSC::JSString::getValueImpl const): |
| * runtime/VM.cpp: |
| (JSC::VM::ensureWatchpointSetForImpureProperty): |
| (JSC::VM::addImpureProperty): |
| (JSC::VM::registerWatchpointForImpureProperty): Deleted. |
| * runtime/VM.h: |
| |
| 2020-01-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put JSProxy in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=206187 |
| |
| Reviewed by Mark Lam. |
| |
| 1. Put JSProxy in IsoSubspace. |
| 2. Make JSProxy non-destructible since the derived class JSWindowProxy has its own IsoSubspace with destructibility. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::resetPrototype): |
| (JSC::JSGlobalObject::finishCreation): |
| * runtime/JSNonDestructibleProxy.cpp: Removed. |
| * runtime/JSNonDestructibleProxy.h: Removed. |
| * runtime/JSProxy.h: |
| (JSC::JSProxy::subspaceFor): |
| * runtime/JSStringIterator.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2020-01-11 Keith Miller <keith_miller@apple.com> |
| |
| CheckNeutered needs to claim it reads JSType in clobberize. |
| https://bugs.webkit.org/show_bug.cgi?id=206136 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| CheckNeutered needs to read JSType otherwise it can get hoisted |
| past the TypedArray check guarding it. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| |
| 2020-01-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use internal object field mechanism to implement JSStringIterator |
| https://bugs.webkit.org/show_bug.cgi?id=206144 |
| |
| Reviewed by Ross Kirsling. |
| |
| This patch uses internal object field mechanism to implement JSStringIterator, |
| and we also put JSStringIterator into IsoSubspace. |
| |
| * builtins/BuiltinNames.h: |
| * builtins/StringIteratorPrototype.js: |
| (next): |
| * bytecode/BytecodeIntrinsicRegistry.cpp: |
| (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): |
| * bytecode/BytecodeIntrinsicRegistry.h: |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::emitIsStringIterator): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::stringIteratorInternalFieldIndex): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_getStringIteratorInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_putStringIteratorInternalField): |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::getInternalProperties): |
| * runtime/JSCast.h: |
| * runtime/JSStringIterator.cpp: |
| (JSC::JSStringIterator::finishCreation): |
| (JSC::JSStringIterator::clone): |
| (JSC::JSStringIterator::visitChildren): |
| (JSC::JSStringIterator::iteratedValue const): Deleted. |
| * runtime/JSStringIterator.h: |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| * runtime/StringPrototype.cpp: |
| (JSC::stringProtoFuncIterator): |
| * runtime/VM.cpp: |
| * runtime/VM.h: |
| |
| 2020-01-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove IsDone from JSArrayIterator |
| https://bugs.webkit.org/show_bug.cgi?id=206140 |
| |
| Reviewed by Keith Miller. |
| |
| We can store `-1` in Index field to represent whether the iterator is closed. |
| While this patch does not change the allocation size of JSArrayIterator, this style can |
| shrink the size of JSStringIterator when we implement it in the same style. |
| |
| We also rename iterationKindKeyValue to iterationKindEntries. |
| |
| * builtins/ArrayIteratorPrototype.js: |
| (globalPrivate.arrayIteratorNextHelper): |
| * builtins/MapIteratorPrototype.js: |
| (globalPrivate.mapIteratorNext): |
| * builtins/MapPrototype.js: |
| (entries): |
| * builtins/SetIteratorPrototype.js: |
| (globalPrivate.setIteratorNext): |
| * builtins/SetPrototype.js: |
| (entries): |
| * bytecode/BytecodeIntrinsicRegistry.cpp: |
| (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): |
| * bytecode/BytecodeIntrinsicRegistry.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::arrayIteratorInternalFieldIndex): |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::cloneArrayIteratorObject): |
| * runtime/JSArrayIterator.cpp: |
| (JSC::JSArrayIterator::finishCreation): |
| * runtime/JSArrayIterator.h: |
| |
| 2020-01-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Consistently use "var" in builtin JS |
| https://bugs.webkit.org/show_bug.cgi?id=206157 |
| |
| Reviewed by Mark Lam. |
| |
| let / const require additional bytecode to make it Empty initialized for now. |
| For builtin JS, we would like to keep it as efficient and compact as we can |
| so we should use `var` consistently. |
| |
| * builtins/ArrayPrototype.js: |
| (sort.stringComparator): |
| (sort.compactSparse): |
| (sort.compactSlow): |
| (sort.compact): |
| (sort.merge): |
| (sort.mergeSort): |
| (sort.bucketSort): |
| (sort.comparatorSort): |
| (sort.stringSort): |
| (sort): |
| (globalPrivate.concatSlowPath): |
| (concat): |
| * builtins/FunctionPrototype.js: |
| (call): |
| (overriddenName.string_appeared_here.symbolHasInstance): |
| * builtins/GlobalOperations.js: |
| (globalPrivate.copyDataProperties): |
| (globalPrivate.copyDataPropertiesNoExclusions): |
| * builtins/IteratorHelpers.js: |
| (performIteration): |
| * builtins/ModuleLoader.js: |
| (async loadModule): |
| (async loadAndEvaluateModule): |
| (async requestImportModule): |
| (dependencyKeysIfEvaluated): |
| * builtins/ObjectConstructor.js: |
| (fromEntries): |
| * builtins/PromisePrototype.js: |
| (finally): |
| (valueThunk): |
| (globalPrivate.getThenFinally): |
| (thrower): |
| (globalPrivate.getCatchFinally): |
| (const.valueThunk): Deleted. |
| (const.thrower): Deleted. |
| * builtins/RegExpPrototype.js: |
| (globalPrivate.advanceStringIndex): |
| (globalPrivate.regExpExec): |
| (globalPrivate.hasObservableSideEffectsForRegExpMatch): |
| (globalPrivate.matchSlow): |
| (overriddenName.string_appeared_here.match): |
| (overriddenName.string_appeared_here.matchAll): |
| (getSubstitution): |
| (overriddenName.string_appeared_here.replace): |
| (overriddenName.string_appeared_here.search): |
| (globalPrivate.hasObservableSideEffectsForRegExpSplit): |
| (overriddenName.string_appeared_here.split): |
| (intrinsic.RegExpTestIntrinsic.test): |
| * builtins/RegExpStringIteratorPrototype.js: |
| (next): |
| * builtins/StringPrototype.js: |
| (match): |
| (matchAll): |
| (globalPrivate.hasObservableSideEffectsForStringReplace): |
| (intrinsic.StringPrototypeReplaceIntrinsic.replace): |
| (globalPrivate.createHTML): |
| * builtins/TypedArrayConstructor.js: |
| (of): |
| (from): |
| * builtins/TypedArrayPrototype.js: |
| (globalPrivate.typedArraySpeciesConstructor): |
| (globalPrivate.typedArrayClampArgumentToStartOrEnd): |
| (fill): |
| (find): |
| (subarray): |
| |
| 2020-01-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [WebCore] Reorganize JSType in WebCore to offer more bits to JSC |
| https://bugs.webkit.org/show_bug.cgi?id=206141 |
| |
| Reviewed by Keith Miller. |
| |
| * runtime/JSType.h: |
| |
| 2020-01-11 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, suppress warnings in GCC, part 2 |
| https://bugs.webkit.org/show_bug.cgi?id=202832 |
| |
| * bytecode/ArithProfile.h: |
| |
| 2020-01-11 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, suppress warnings in GCC |
| https://bugs.webkit.org/show_bug.cgi?id=202832 |
| |
| * bytecode/ArithProfile.h: |
| |
| 2020-01-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Flush old tables in End phase |
| https://bugs.webkit.org/show_bug.cgi?id=206120 |
| <rdar://problem/58039989> |
| |
| Reviewed by Mark Lam. |
| |
| stopThePeriphery stops the compiler threads and the main thread (mutator), which means setting m_worldIsStopped = true. |
| It does not stop all heap threads, including the concurrent marker. The concurrent collector can keep working while |
| stopThePeriphery executes. This means that concurrent collectors can access the old StructureIDTable while it is being destroyed |
| in stopThePeriphery. Destroying the old StructureIDTable in the GC End phase is appropriate, because that is the phase in which we can |
| ensure that no other threads accessing the heap are working, including concurrent markers, the mutator, and compiler threads. |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::runEndPhase): |
| (JSC::Heap::stopThePeriphery): |
| |
| 2020-01-10 Caitlin Potter <caitp@igalia.com> and Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Object.keys should throw if called on module namespace object with uninitialized binding |
| https://bugs.webkit.org/show_bug.cgi?id=205983 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| If JSModuleNamespaceObject::getOwnPropertyNames method is called by |
| Object.keys or for/in loop, it should invoke [[GetOwnProperty]] on |
| every binding so a ReferenceError is thrown if the binding is uninitialized. |
| |
| Complete call stack of internal methods and abstract ops is in "info" meta of |
| JSTests/test262/test/language/module-code/namespace/internals/object-keys-binding-uninit.js |
| |
| * runtime/JSModuleNamespaceObject.cpp: |
| (JSC::JSModuleNamespaceObject::getOwnPropertyNames): |
| |
| 2020-01-10 Saam Barati <sbarati@apple.com> |
| |
| ObjectAllocationSinkingPhase doesn't model pointers to allocations in control flow properly |
| https://bugs.webkit.org/show_bug.cgi?id=204738 |
| <rdar://problem/57553238> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Allocation sinking phase conducts a points to analysis. It uses this |
| information for programs like: |
| |
| ``` |
| 1: NewObject |
| 2: NewObject |
| 3: PutByOffset(@2, @1, "x") |
| 4: GetByOffset(@2, "x") |
| ``` |
| |
| It solves the points to problem knowing @4 points to @1. |
| |
| It tracks this data in the LocalHeap data structure. This is used to track |
| the heap across blocks, and it includes a merge function to handle control |
| flow merges. However, this merge function would not always merge the pointer |
| sets together. It sometimes would merge them together, since it had a fast |
| path check inside merge, which would just copy the contents of the block to be |
| merged with itself if it were this block's first time merging. This fast path happened |
| to hide the bug in general case merge code. If we didn't take this fast path, |
| we would just never transfer pointer sets from predecessor to successor. This |
| could lead to all kinds of issues, including using the incorrect phantom node |
| in IR instead of its materialized version. It could also lead to the phase not |
| sinking objects it is capable of sinking. |
| |
| This patch makes it so that we merge together the pointer sets. We always add |
| new pointers to the set. So in pointer A->B, if the set has yet to see A, we |
| add it. If the set already contains pointer A->B, and we encounter a new |
| pointer A->C, or if we encounter a merge without any A->* pointer, we mark |
| the A pointer as top, marking it A->TOP. We do this to ensure that we fixpoint. |
| We're guaranteed that m_pointers is monotonically increasing (modulo liveness |
| pruning, which is a constant). And once something is TOP, it never becomes |
| anything else. (Instead of marking a pointer top, we used to just remove it |
| from the set, but this has issues, as it could lead to us ping-ponging in |
| our fixpoint analysis, add, remove, add, remove, etc.) |
| |
| So the merge rules are: |
| {A->B} merge {A->B} => {A->B} |
| {A->B} merge {A->C} => {A->TOP} |
| {A->B} merge {A->TOP} => {A->TOP} |
| {A->B} merge {} => {A->TOP} |
| |
| |
| Thanks to Samuel Groß of Google Project Zero for identifying this bug. |
| |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
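| The merge rules above, as an added example that is not JavaScriptCore's own code: a minimal pointer-set lattice (names such as Target, PointerSet, mergePointerSets and loopFixpoint are hypothetical) whose merge marks a pointer TOP on conflict or absence, plus a tiny loop that iterates the header state to a fixpoint to show that a sticky TOP terminates without ping-ponging. |

```cpp
// Added example, not JavaScriptCore code: a minimal model of the pointer-set
// merge rules from the ChangeLog entry above. All names here are hypothetical.
#include <cstdio>
#include <map>
#include <utility>

// What a tracked pointer may point to: one specific allocation (a node index)
// or TOP, meaning "could be anything".
struct Target {
    bool isTop;
    unsigned node; // meaningful only when !isTop

    static Target top() { return Target { true, 0 }; }
    static Target of(unsigned node) { return Target { false, node }; }
    bool operator==(const Target& other) const
    {
        return isTop == other.isTop && (isTop || node == other.node);
    }
};

// Pointer A->B, keyed by the pointer A (e.g. the node whose field holds it).
using PointerSet = std::map<unsigned, Target>;

// Merge `other` into `self`. Returns true if `self` changed, which is what a
// fixpoint loop keys on. Rules from the entry above:
//   {A->B} merge {A->B}   => {A->B}
//   {A->B} merge {A->C}   => {A->TOP}
//   {A->B} merge {A->TOP} => {A->TOP}
//   {A->B} merge {}       => {A->TOP}
// and a pointer the set has not seen yet is always added, so
//   {}     merge {A->B}   => {A->B}
bool mergePointerSets(PointerSet& self, const PointerSet& other)
{
    bool changed = false;
    for (auto& entry : self) {
        Target& target = entry.second;
        if (target.isTop)
            continue; // TOP is sticky: it never becomes anything else.
        auto it = other.find(entry.first);
        if (it == other.end() || !(it->second == target)) {
            target = Target::top();
            changed = true;
        }
    }
    for (const auto& entry : other) {
        if (self.emplace(entry.first, entry.second).second)
            changed = true; // first time this set sees pointer A: add A->B as-is
    }
    return changed;
}

// Non-mutating convenience: the merged set of `self` and `other`.
PointerSet mergedOf(PointerSet self, const PointerSet& other)
{
    mergePointerSets(self, other);
    return self;
}

// A tiny loop: the header state is the entry state merged with the back edge.
// The body rebinds pointer `rebound` to allocation `bodyNode` on every trip.
// Returns how many merges ran before the header stopped changing, and the
// final header state. Because TOP is sticky the lattice is monotone, so this
// always terminates (an add/remove scheme could ping-pong instead).
std::pair<unsigned, PointerSet> loopFixpoint(const PointerSet& entry, unsigned rebound, unsigned bodyNode)
{
    PointerSet header = entry;
    unsigned merges = 0;
    for (;;) {
        PointerSet bodyOut = header;
        bodyOut[rebound] = Target::of(bodyNode);
        ++merges;
        if (!mergePointerSets(header, bodyOut))
            return { merges, header };
    }
}

static void describe(const char* label, const PointerSet& set)
{
    std::printf("%s:", label);
    for (const auto& entry : set) {
        if (entry.second.isTop)
            std::printf(" %u->TOP", entry.first);
        else
            std::printf(" %u->%u", entry.first, entry.second.node);
    }
    std::printf("\n");
}

int main()
{
    describe("{1->2} merge {1->2}", mergedOf({ { 1, Target::of(2) } }, { { 1, Target::of(2) } }));
    describe("{1->2} merge {1->3}", mergedOf({ { 1, Target::of(2) } }, { { 1, Target::of(3) } }));
    describe("{1->2} merge {}    ", mergedOf({ { 1, Target::of(2) } }, {}));
    auto result = loopFixpoint({ { 1, Target::of(2) } }, 1, 3);
    std::printf("loop converged after %u merges\n", result.first);
    describe("loop header", result.second);
    return 0;
}
```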
| |
| 2020-01-10 Carlos Garcia Campos <cgarcia@igalia.com> |
| |
| Unreviewed. Fix GTK and WPE API docs generation |
| |
| Add index for new symbols in 2.28. |
| |
| * API/glib/docs/jsc-glib-docs.sgml: |
| |
| 2020-01-10 Carlos Garcia Campos <cgarcia@igalia.com> |
| |
| [GLIB] Add GLib specific API for JSC JSValueRef.h's JSValueMakeFromJSONString and JSValueCreateJSONString methods |
| https://bugs.webkit.org/show_bug.cgi?id=205161 |
| |
| Reviewed by Adrian Perez de Castro. |
| |
| Add jsc_value_new_from_json() and jsc_value_to_json(). |
| |
| * API/glib/JSCValue.cpp: |
| (jsc_value_new_from_json): |
| (jsc_value_to_json): |
| * API/glib/JSCValue.h: |
| * API/glib/docs/jsc-glib-4.0-sections.txt: |
| |
| 2020-01-10 Adrian Perez de Castro <aperez@igalia.com> |
| |
| Fix various non-unified build issues introduced since r253538 |
| https://bugs.webkit.org/show_bug.cgi?id=205996 |
| |
| Reviewed by Youenn Fablet. |
| |
| * bytecode/ExecutableToCodeBlockEdge.cpp: Add missing inclusion of JSObjectInlines.h and |
| StructureInlines.h |
| * dfg/DFGVariableEvent.cpp: Add missing inclusion of OperandsInlines.h |
| * runtime/NarrowingNumberPredictionFuzzerAgent.cpp: Add missing inclusion of CodeBlock.h |
| * runtime/WideningNumberPredictionFuzzerAgent.cpp: Ditto. |
| * wasm/WasmOperations.cpp: Add missing inclusion of ButterflyInlines.h |
| |
| 2020-01-09 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r254234. |
| https://bugs.webkit.org/show_bug.cgi?id=206011 |
| |
| Broke production builds (Requested by ap on #webkit). |
| |
| Reverted changeset: |
| |
| "build-jsc should invoke make instead of calling xcodebuild |
| directly" |
| https://bugs.webkit.org/show_bug.cgi?id=205960 |
| https://trac.webkit.org/changeset/254234 |
| |
| 2020-01-08 Keith Miller <keith_miller@apple.com> |
| |
| [JSC] Introduce JSArrayIterator |
| https://bugs.webkit.org/show_bug.cgi?id=204043 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch introduces JSArrayIterator that changes the iterator object |
| from a JSFinalObject to an InternalFieldsObject. This makes accessing it |
| much easier from C++ code and makes the iterator object smaller. It also |
| means that the JS code for the next function is much simpler and can *almost* |
| be inlined without shenanigans. |
| |
| As part of this patch the keys/values/entries functions have been converted to |
| C++ with intrinsics since that's slightly more efficient in the LLInt/Baseline. |
| |
| Lastly, this patch also adds a custom ISOSubspace for JSArrayIterator objects. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * builtins/ArrayIteratorPrototype.js: |
| (next): |
| (globalPrivate.arrayIteratorNextHelper): |
| (globalPrivate.arrayIteratorValueNext): Deleted. |
| (globalPrivate.arrayIteratorKeyNext): Deleted. |
| (globalPrivate.arrayIteratorKeyValueNext): Deleted. |
| * builtins/ArrayPrototype.js: |
| (globalPrivate.ArrayIterator): Deleted. |
| (values): Deleted. |
| (keys): Deleted. |
| (entries): Deleted. |
| * builtins/TypedArrayPrototype.js: |
| (values): Deleted. |
| (keys): Deleted. |
| (entries): Deleted. |
| * bytecode/BytecodeIntrinsicRegistry.cpp: |
| (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): |
| * bytecode/BytecodeIntrinsicRegistry.h: |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::emitIsArrayIterator): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::arrayIteratorInternalFieldIndex): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_getArrayIteratorInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_putArrayIteratorInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isGenerator): Deleted. |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isAsyncGenerator): Deleted. |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray): Deleted. |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise): Deleted. |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject): Deleted. |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject): Deleted. |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject): Deleted. |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray): Deleted. |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap): Deleted. |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet): Deleted. |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isUndefinedOrNull): Deleted. |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicCall): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGClobbersExitState.cpp: |
| (JSC::DFG::clobbersExitState): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| * dfg/DFGHeapLocation.cpp: |
| (WTF::printInternal): |
| * dfg/DFGHeapLocation.h: |
| * dfg/DFGMayExit.cpp: |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::convertToPhantomNewObject): |
| (JSC::DFG::Node::convertToPhantomNewArrayIterator): |
| (JSC::DFG::Node::convertToPhantomCreateActivation): |
| (JSC::DFG::Node::hasStructure): |
| (JSC::DFG::Node::hasObjectMaterializationData): |
| (JSC::DFG::Node::isPhantomAllocation): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGPromotedHeapLocation.cpp: |
| (WTF::printInternal): |
| * dfg/DFGPromotedHeapLocation.h: |
| (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization const): |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCheckNeutered): |
| (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor): |
| (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject): |
| (JSC::DFG::SpeculativeJIT::compileNewArrayIterator): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * dfg/DFGTypeCheckHoistingPhase.cpp: |
| (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): |
| (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): |
| * dfg/DFGValidate.cpp: |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCheckArray): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCheckNeutered): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayIterator): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewInternalFieldObjectImpl): |
| (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewInternalFieldObject): |
| * ftl/FTLOperations.cpp: |
| (JSC::FTL::operationPopulateObjectInOSR): |
| (JSC::FTL::operationMaterializeObjectInOSR): |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::subtype): |
| (Inspector::JSInjectedScriptHost::getInternalProperties): |
| (Inspector::cloneArrayIteratorObject): |
| (Inspector::JSInjectedScriptHost::iteratorEntries): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::ArrayPrototype::finishCreation): |
| (JSC::createArrayIteratorObject): |
| (JSC::arrayProtoFuncValues): |
| (JSC::arrayProtoFuncEntries): |
| (JSC::arrayProtoFuncKeys): |
| * runtime/CommonIdentifiers.h: |
| * runtime/Intrinsic.cpp: |
| (JSC::intrinsicName): |
| * runtime/Intrinsic.h: |
| * runtime/IterationKind.h: |
| (): Deleted. |
| * runtime/JSArrayIterator.cpp: Added. |
| (JSC::JSArrayIterator::create): |
| (JSC::JSArrayIterator::createWithInitialValues): |
| (JSC::JSArrayIterator::createStructure): |
| (JSC::JSArrayIterator::JSArrayIterator): |
| (JSC::JSArrayIterator::finishCreation): |
| (JSC::JSArrayIterator::visitChildren): |
| * runtime/JSArrayIterator.h: Added. |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::arrayIteratorPrototype const): |
| (JSC::JSGlobalObject::arrayIteratorStructure const): |
| * runtime/JSMapIterator.h: |
| * runtime/JSSetIterator.h: |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| * runtime/JSTypedArrayViewPrototype.cpp: |
| (JSC::createTypedArrayIteratorObject): |
| (JSC::typedArrayViewProtoFuncValues): |
| (JSC::typedArrayProtoViewFuncEntries): |
| (JSC::typedArrayViewProtoFuncKeys): |
| (JSC::JSTypedArrayViewPrototype::finishCreation): |
| * runtime/VM.cpp: |
| * runtime/VM.h: |
| |
| 2020-01-08 Michael Saboff <msaboff@apple.com> |
| |
| Instruction.h: Multiplication result converted to larger type |
| https://bugs.webkit.org/show_bug.cgi?id=205945 |
| |
| Reviewed by Mark Lam. |
| |
| * bytecode/Instruction.h: |
| (JSC::BaseInstruction::size const): |
| Changed the types to size_t so that the computation is computed accordingly. |
| |
| |
| 2020-01-08 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Reduce binary size by purging C++ type information in Objective-C fields and parameters |
| https://bugs.webkit.org/show_bug.cgi?id=205905 |
| |
| Reviewed by Saam Barati. |
| |
| * API/JSWrapperMap.mm: |
| (-[JSObjCClassInfo dealloc]): |
| |
| 2020-01-08 Saam Barati <sbarati@apple.com> |
| |
| build-jsc should invoke make instead of calling xcodebuild directly |
| https://bugs.webkit.org/show_bug.cgi?id=205960 |
| |
| Reviewed by Keith Miller. |
| |
| The various jsc and test* binaries can all be compiled in parallel. |
| This patch makes that happen when building with make via the CLI, |
| so that these are built in parallel. To make this work, in Xcode, I needed |
| to mark these binaries as depending on JavaScriptCore.framework. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Makefile: |
| |
| 2020-01-08 Tuomas Karkkainen <tuomas.webkit@apple.com> |
| |
| Add FuzzerAgents that narrow and widen number predictions |
| https://bugs.webkit.org/show_bug.cgi?id=203993 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add two FuzzerAgents such that for any predictions that are originally subsets of SpecFullNumber: |
| - one adds more number types to the prediction |
| - the other removes some of the number types from the prediction |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * runtime/NarrowingNumberPredictionFuzzerAgent.cpp: Added. |
| * runtime/NarrowingNumberPredictionFuzzerAgent.h: Added. |
| * runtime/NumberPredictionFuzzerAgent.cpp: Added. |
| * runtime/NumberPredictionFuzzerAgent.h: Added. |
| * runtime/OptionsList.h: |
| * runtime/VM.cpp: |
| * runtime/WideningNumberPredictionFuzzerAgent.cpp: Added. |
| * runtime/WideningNumberPredictionFuzzerAgent.h: Added. |
| |
| 2020-01-08 Michael Saboff <msaboff@apple.com> |
| |
| TypeProfiler.h: Multiplication result converted to larger type |
| https://bugs.webkit.org/show_bug.cgi?id=205947 |
| |
| Reviewed by Mark Lam. |
| |
| Added cast to keep the hash() calculation unsigned. |
| |
| * runtime/TypeProfiler.h: |
| (JSC::QueryKey::hash const): |
| |
| 2020-01-08 Michael Saboff <msaboff@apple.com> |
| |
| JSArrayBufferView.h: Multiplication result converted to larger type |
| https://bugs.webkit.org/show_bug.cgi?id=205943 |
| |
| Reviewed by Saam Barati. |
| |
| Added cast to size_t to make the whole calculation size_t. |
| |
| * runtime/JSArrayBufferView.h: |
| (JSC::JSArrayBufferView::sizeOf): |
| |
| 2020-01-08 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Proxy's [[OwnPropertyKeys]] is correct only in PropertyNameMode::StringsAndSymbols |
| https://bugs.webkit.org/show_bug.cgi?id=205772 |
| |
| Reviewed by Ross Kirsling. |
| |
| This change fixes two spec compatibility issues: |
| (steps 8-11 of https://tc39.es/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-ownpropertykeys) |
| |
| 1. If Object.getOwnPropertyNames is called on Proxy with "ownKeys" trap, |
| symbol keys of Proxy's target are ignored during invariants validation. |
| |
| 2. If Object.getOwnPropertySymbols is called on Proxy with "ownKeys" trap, |
| string keys of Proxy's target are ignored during invariants validation. |
| |
| Given that per spec `uncheckedResultKeys` contains both strings and symbols, |
| `seenKeys` and the explanation comment about it are removed. |
| |
| Specifying PrivateSymbolMode::Exclude eliminates any chance of false TypeErrors |
| during invariants validation, since user code can't possibly return a private symbol |
| from "ownKeys" trap, yet an object with private symbols can be Proxy's target. |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::performGetOwnPropertyNames): |
| |
| 2020-01-08 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| RegExp.prototype[Symbol.replace] does not support named capture groups |
| https://bugs.webkit.org/show_bug.cgi?id=205783 |
| |
| Reviewed by Ross Kirsling. |
| |
| This patch adds named capture groups support to RegExp.prototype[Symbol.replace], |
| for both functional and string pattern replacement. |
| (steps 14.j-l of https://tc39.es/ecma262/#sec-regexp.prototype-@@replace) |
| |
| This method is used in slow path of String.prototype.replace (RegExp subclass handling), |
| yet it also can be invoked directly in user code. |
| |
| * builtins/RegExpPrototype.js: |
| (getSubstitution): |
| (Symbol.replace): |
| |
| 2020-01-07 Saam Barati <sbarati@apple.com> |
| |
| AI rule for ValueMod/ValueDiv produce constants with the wrong format when the result can be an int32 |
| https://bugs.webkit.org/show_bug.cgi?id=205906 |
| <rdar://problem/56108519> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The runtime code for ValueMod and ValueDiv produces an int32 when the result |
| is of int32 value. However, the AI was saying the result is in double format. |
| This patch fixes AI to produce a JSValue in the right format. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantDivOp): |
| |
| 2020-01-07 Said Abou-Hallawa <sabouhallawa@apple.com> |
| |
| Implement css3-images image-orientation |
| https://bugs.webkit.org/show_bug.cgi?id=89052 |
| |
| Reviewed by Simon Fraser. |
| |
| Remove the ENABLE_CSS_IMAGE_ORIENTATION feature flag. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2020-01-07 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Unreviewed restabilization of non-unified build. |
| |
| * bytecode/MethodOfGettingAValueProfile.h: |
| * dfg/DFGVariableEvent.h: |
| * dfg/DFGVariableEventStream.cpp: |
| * interpreter/CheckpointOSRExitSideState.h: |
| |
| 2020-01-07 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove vm accessor in JSVirtualMachine to reduce binary size |
| https://bugs.webkit.org/show_bug.cgi?id=205880 |
| |
| Reviewed by Mark Lam. |
| |
| Objective-C has a reflection mechanism. This means that fields, methods, and their types |
| need to hold their string representations in the binary even in a release build. |
| While a typical Objective-C class does not have large type names, a C++ struct / class |
| has very large ones, and putting them in Objective-C method names, parameter types, or fields |
| makes the binary size very large. |
| |
| By analyzing the JavaScriptCore binary, I found that Objective-C method type symbols are taking ~200KB |
| of binary size. (Section __objc_methtype: 235081 (addr 0x105e9a3 offset 17164707)). And it is due to |
| the JSC::VM type included in the `[JSVirtualMachine vm]` accessor. |
| |
| This patch removes this accessor and gets 200KB binary size reduction. |
| |
| * API/JSScript.mm: |
| (-[JSScript readCache]): |
| (-[JSScript sourceCode]): |
| (-[JSScript jsSourceCode]): |
| (-[JSScript writeCache:]): |
| * API/JSVirtualMachine.mm: |
| (-[JSVirtualMachine JSContextGroupRef]): |
| (-[JSVirtualMachine isWebThreadAware]): |
| (-[JSVirtualMachine vm]): Deleted. |
| * API/JSVirtualMachineInternal.h: |
| |
| 2020-01-07 Keith Miller <keith_miller@apple.com> |
| |
| Unreviewed non-arm64e build fix. |
| |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::reifyInlinedCallFrames): |
| |
| 2020-01-07 Keith Miller <keith_miller@apple.com> |
| |
| Bytecode checkpoint fixes for arm64(e) |
| https://bugs.webkit.org/show_bug.cgi?id=205871 |
| |
| Reviewed by Michael Saboff. |
| |
| The original bytecode checkpoint patch had a couple of bugs on |
| arm64(e). For arm64 generally, when osr exiting to an inline |
| varargs frame we didn't set the return value of the callee before |
| moving the call frame register into a0 for the slow path |
| call. This meant we clobbered the return value on arm64 as a0 == r0. |
| |
| On arm64e the osr exit compiler set the tag for the return pc for |
| an inline frame to JSEntryTag but the code expected |
| NoTag. Additionally, in the stack unwinder, we were using the |
| JSEntryTag but we should have been stripping the tag from the |
| stack value. |
| |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::callerReturnPC): |
| (JSC::DFG::reifyInlinedCallFrames): |
| * dfg/DFGOSRExitCompilerCommon.h: |
| * interpreter/Interpreter.cpp: |
| (JSC::UnwindFunctor::operator() const): |
| * llint/LowLevelInterpreter.asm: |
| |
| 2020-01-07 Chris Fleizach <cfleizach@apple.com> |
| |
| AX: Enable ACCESSIBILITY_ISOLATED_TREE |
| https://bugs.webkit.org/show_bug.cgi?id=205535 |
| <rdar://problem/58131075> |
| |
| Reviewed by Zalan Bujtas. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2020-01-06 Yoshiaki Jitsukawa <yoshiaki.jitsukawa@sony.com> |
| |
| [PlayStation] Update port cmake |
| https://bugs.webkit.org/show_bug.cgi?id=205846 |
| |
| Reviewed by Don Olmstead. |
| |
| * PlatformPlayStation.cmake: |
| Workaround of compilation errors with VisualStudio generator, which gives -std=c++* options to C sources. |
| |
| 2020-01-06 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| String.prototype.replace() incorrectly handles named references on RegExp w/o named groups |
| https://bugs.webkit.org/show_bug.cgi?id=205785 |
| |
| Reviewed by Ross Kirsling. |
| |
| This patch fixes substitution of named references by ignoring "$<" sequences |
| for a RegExp without named capture groups, removing some index tweaking. |
| (step 11 of https://tc39.es/ecma262/#sec-getsubstitution) |
| |
| Also this change removes 2 obsolete FIXMEs regarding possible spec changes. |
| |
| * runtime/StringPrototype.cpp: |
| (JSC::substituteBackreferencesSlow): |
| |
| 2020-01-06 Mark Lam <mark.lam@apple.com> |
| |
| Convert ASSERT_DISABLED to ASSERT_ENABLED, and fix some tests of NDEBUG that should actually test for ASSERT_ENABLED. |
| https://bugs.webkit.org/show_bug.cgi?id=205776 |
| |
| Reviewed by Saam Barati. |
| |
| * API/tests/testapi.c: |
| * assembler/ARM64Assembler.h: |
| (JSC::ARM64Assembler::replaceWithLoad): |
| (JSC::ARM64Assembler::replaceWithAddressComputation): |
| * assembler/AssemblerBuffer.h: |
| (JSC::AssemblerBuffer::LocalWriter::LocalWriter): |
| * assembler/LinkBuffer.cpp: |
| (JSC::LinkBuffer::copyCompactAndLinkCode): |
| * assembler/ProbeStack.cpp: |
| (JSC::Probe::Stack::Stack): |
| * assembler/ProbeStack.h: |
| * b3/B3FoldPathConstants.cpp: |
| * b3/B3LowerToAir.cpp: |
| * b3/B3MemoryValue.cpp: |
| (JSC::B3::MemoryValue::MemoryValue): |
| * b3/B3Opcode.cpp: |
| * b3/B3Type.h: |
| * b3/B3TypeMap.h: |
| * b3/B3Width.h: |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: |
| (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration): |
| (JSC::B3::Air::GenerateAndAllocateRegisters::generate): |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: |
| * b3/air/AirAllocateRegistersByGraphColoring.cpp: |
| * b3/air/AirArg.cpp: |
| * b3/air/AirArg.h: |
| * b3/air/AirCode.h: |
| * b3/air/AirEmitShuffle.cpp: |
| (JSC::B3::Air::emitShuffle): |
| * builtins/BuiltinExecutables.cpp: |
| (JSC::BuiltinExecutables::createExecutable): |
| * bytecode/AccessCase.cpp: |
| * bytecode/AccessCase.h: |
| * bytecode/CallVariant.cpp: |
| (JSC::variantListWithVariant): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndex): |
| * bytecode/CodeBlockHash.cpp: |
| (JSC::CodeBlockHash::dump const): |
| * bytecode/StructureStubInfo.cpp: |
| * bytecode/StructureStubInfo.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::FunctionCallResolveNode::emitBytecode): |
| * bytecompiler/RegisterID.h: |
| (JSC::RegisterID::RegisterID): |
| (JSC::RegisterID::setIndex): |
| * debugger/Debugger.cpp: |
| (JSC::Debugger::removeBreakpoint): |
| * debugger/DebuggerEvalEnabler.h: |
| (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler): |
| (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions): |
| * dfg/DFGAbstractValue.cpp: |
| * dfg/DFGAbstractValue.h: |
| (JSC::DFG::AbstractValue::merge): |
| (JSC::DFG::AbstractValue::checkConsistency const): |
| (JSC::DFG::AbstractValue::assertIsRegistered const): |
| * dfg/DFGArithMode.h: |
| (JSC::DFG::doesOverflow): |
| * dfg/DFGBasicBlock.cpp: |
| (JSC::DFG::BasicBlock::BasicBlock): |
| * dfg/DFGBasicBlock.h: |
| (JSC::DFG::BasicBlock::didLink): |
| * dfg/DFGCFAPhase.cpp: |
| (JSC::DFG::CFAPhase::performBlockCFA): |
| * dfg/DFGCommon.h: |
| (JSC::DFG::validationEnabled): |
| * dfg/DFGCommonData.cpp: |
| (JSC::DFG::CommonData::finalizeCatchEntrypoints): |
| * dfg/DFGDesiredWatchpoints.h: |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGEdge.h: |
| (JSC::DFG::Edge::makeWord): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGJITCode.cpp: |
| (JSC::DFG::JITCode::finalizeOSREntrypoints): |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
| * dfg/DFGSSAConversionPhase.cpp: |
| (JSC::DFG::SSAConversionPhase::run): |
| * dfg/DFGScoreBoard.h: |
| (JSC::DFG::ScoreBoard::assertClear): |
| * dfg/DFGSlowPathGenerator.h: |
| (JSC::DFG::SlowPathGenerator::generate): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCurrentBlock): |
| (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse): |
| (JSC::DFG::SpeculativeJIT::emitAllocateButterfly): |
| (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): |
| (JSC::DFG::SpeculativeJIT::compileMakeRope): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::fillSpeculateCell): |
| * dfg/DFGStructureAbstractValue.cpp: |
| * dfg/DFGStructureAbstractValue.h: |
| (JSC::DFG::StructureAbstractValue::assertIsRegistered const): |
| * dfg/DFGVarargsForwardingPhase.cpp: |
| * dfg/DFGVirtualRegisterAllocationPhase.cpp: |
| (JSC::DFG::VirtualRegisterAllocationPhase::run): |
| * ftl/FTLLink.cpp: |
| (JSC::FTL::link): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::callPreflight): |
| (JSC::FTL::DFG::LowerDFGToB3::callCheck): |
| (JSC::FTL::DFG::LowerDFGToB3::crash): |
| * ftl/FTLOperations.cpp: |
| (JSC::FTL::operationMaterializeObjectInOSR): |
| * heap/BlockDirectory.cpp: |
| (JSC::BlockDirectory::assertNoUnswept): |
| * heap/GCSegmentedArray.h: |
| (JSC::GCArraySegment::GCArraySegment): |
| * heap/GCSegmentedArrayInlines.h: |
| (JSC::GCSegmentedArray<T>::clear): |
| (JSC::GCSegmentedArray<T>::expand): |
| (JSC::GCSegmentedArray<T>::validatePrevious): |
| * heap/HandleSet.cpp: |
| * heap/HandleSet.h: |
| * heap/Heap.cpp: |
| (JSC::Heap::updateAllocationLimits): |
| * heap/Heap.h: |
| * heap/MarkedBlock.cpp: |
| * heap/MarkedBlock.h: |
| (JSC::MarkedBlock::assertValidCell const): |
| (JSC::MarkedBlock::assertMarksNotStale): |
| * heap/MarkedSpace.cpp: |
| (JSC::MarkedSpace::beginMarking): |
| (JSC::MarkedSpace::endMarking): |
| (JSC::MarkedSpace::assertNoUnswept): |
| * heap/PreciseAllocation.cpp: |
| * heap/PreciseAllocation.h: |
| (JSC::PreciseAllocation::assertValidCell const): |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::SlotVisitor): |
| (JSC::SlotVisitor::appendJSCellOrAuxiliary): |
| * heap/SlotVisitor.h: |
| * inspector/InspectorProtocolTypes.h: |
| (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::assertValueHasExpectedType): |
| * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py: |
| (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): |
| (CppProtocolTypesImplementationGenerator): |
| (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum): |
| * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result: |
| * interpreter/FrameTracers.h: |
| (JSC::JITOperationPrologueCallFrameTracer::JITOperationPrologueCallFrameTracer): |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::Interpreter): |
| * interpreter/Interpreter.h: |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::prepareCallOperation): |
| * jit/BinarySwitch.cpp: |
| (JSC::BinarySwitch::BinarySwitch): |
| * jit/CCallHelpers.h: |
| (JSC::CCallHelpers::setupStubArgs): |
| * jit/CallFrameShuffler.cpp: |
| (JSC::CallFrameShuffler::emitDeltaCheck): |
| (JSC::CallFrameShuffler::prepareAny): |
| * jit/JIT.cpp: |
| (JSC::JIT::assertStackPointerOffset): |
| (JSC::JIT::compileWithoutLinking): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emitSlow_op_loop_hint): |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_get_from_scope): |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_get_from_scope): |
| * jit/Repatch.cpp: |
| (JSC::linkPolymorphicCall): |
| * jit/ThunkGenerators.cpp: |
| (JSC::emitPointerValidation): |
| * llint/LLIntData.cpp: |
| (JSC::LLInt::Data::performAssertions): |
| * llint/LLIntOfflineAsmConfig.h: |
| * parser/Lexer.cpp: |
| * parser/Lexer.h: |
| (JSC::isSafeBuiltinIdentifier): |
| (JSC::Lexer<T>::lexExpectIdentifier): |
| * runtime/ArgList.h: |
| (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck): |
| (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck): |
| * runtime/Butterfly.h: |
| (JSC::ContiguousData::ContiguousData): |
| (JSC::ContiguousData::Data::Data): |
| * runtime/HashMapImpl.h: |
| (JSC::HashMapImpl::checkConsistency const): |
| (JSC::HashMapImpl::assertBufferIsEmpty const): |
| * runtime/JSCellInlines.h: |
| (JSC::JSCell::methodTable const): |
| * runtime/JSFunction.cpp: |
| * runtime/JSFunction.h: |
| (JSC::JSFunction::assertTypeInfoFlagInvariants): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| * runtime/JSGlobalObject.h: |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::visitChildren): |
| (JSC::JSFinalObject::visitChildren): |
| * runtime/JSObjectInlines.h: |
| (JSC::JSObject::validatePutOwnDataProperty): |
| * runtime/JSSegmentedVariableObject.h: |
| (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject): |
| * runtime/LiteralParser.cpp: |
| (JSC::LiteralParser<CharType>::Lexer::lex): |
| * runtime/LiteralParser.h: |
| * runtime/Operations.h: |
| (JSC::scribbleFreeCells): |
| * runtime/OptionsList.h: |
| * runtime/VM.cpp: |
| (JSC::VM::computeCanUseJIT): |
| * runtime/VM.h: |
| (JSC::VM::canUseJIT): |
| * runtime/VarOffset.h: |
| (JSC::VarOffset::checkSanity const): |
| * runtime/WeakMapImpl.h: |
| (JSC::WeakMapImpl::checkConsistency const): |
| (JSC::WeakMapImpl::assertBufferIsEmpty const): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::validateInst): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::parseAndCompile): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser::validationFail const): |
| * wasm/WasmLLIntGenerator.cpp: |
| (JSC::Wasm::LLIntGenerator::checkConsistency): |
| * wasm/WasmPlan.cpp: |
| (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast): |
| * wasm/WasmSectionParser.h: |
| * wasm/WasmSections.h: |
| * wasm/WasmSignatureInlines.h: |
| (JSC::Wasm::SignatureInformation::get): |
| * wasm/WasmWorklist.cpp: |
| (JSC::Wasm::Worklist::enqueue): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::previousInstanceOffset const): |
| |
| 2020-01-06 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Proxy's [[OwnPropertyKeys]] is incorrect in DontEnumPropertiesMode::Exclude |
| https://bugs.webkit.org/show_bug.cgi?id=203818 |
| |
| Reviewed by Keith Miller. |
| |
| This change fixes two spec compatibility issues: |
| |
| 1. If Object.keys is called on Proxy w/o "ownKeys" trap, filtering of non-enumerable |
| properties is not observed by the "getOwnPropertyDescriptor" trap. |
| (step 4 of https://tc39.es/ecma262/#sec-enumerableownpropertynames) |
| |
| 2. If Object.keys is called on Proxy with "ownKeys" trap, non-enumerable |
| properties of Proxy's target are ignored during invariants validation. |
| (step 11 of https://tc39.es/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-ownpropertykeys) |
| |
| Instead of extracting DontEnum filtering to a lambda function, a wrapper method for |
| ProxyObject::performGetOwnPropertyNames was introduced to avoid creating & |
| filling an intermediate PropertyNameArray instance (in case of DontEnumPropertiesMode::Include) |
| and to avoid having an inner EnumerationMode in ProxyObject::performGetOwnPropertyNames. |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::performGetOwnPropertyNames): |
| (JSC::ProxyObject::performGetOwnEnumerablePropertyNames): |
| (JSC::ProxyObject::getOwnPropertyNames): |
| * runtime/ProxyObject.h: |
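
Added example, not code from the WebKit ChangeLog entry above: the two spec steps it names, written as checks a conformant engine must pass (all names are my own).

```javascript
// Added example, not code from the WebKit ChangeLog entry: the two spec steps
// named above, written as checks an ES2020-conformant engine must pass.

// Case 1 (step 4 of EnumerableOwnPropertyNames): with no "ownKeys" trap, the
// engine still has to call the "getOwnPropertyDescriptor" trap for every key
// before deciding which ones are enumerable, so the trap observes "hidden" too.
function keysObservedByDescriptorTrap() {
  const target = {};
  Object.defineProperty(target, "visible", { value: 1, enumerable: true });
  Object.defineProperty(target, "hidden", { value: 2, enumerable: false });
  const observed = [];
  const proxy = new Proxy(target, {
    getOwnPropertyDescriptor(t, key) {
      observed.push(key);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
  });
  return { keys: Object.keys(proxy), observed };
}

// Case 2 (step 11 of [[OwnPropertyKeys]]): with an "ownKeys" trap, every
// non-configurable key of the target must appear in the trap result, and the
// check applies to non-enumerable keys as well. Omitting "locked" is an
// invariant violation, so Object.keys must throw a TypeError rather than
// silently return an empty list.
function ownKeysInvariantEnforced() {
  const target = {};
  Object.defineProperty(target, "locked", { value: 1, enumerable: false, configurable: false });
  const proxy = new Proxy(target, { ownKeys() { return []; } });
  try {
    Object.keys(proxy);
    return false; // the bug this entry fixes: the invariant was skipped
  } catch (e) {
    return e instanceof TypeError;
  }
}
```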
| |
| 2020-01-05 Sam Weinig <weinig@apple.com> |
| |
| Further simplify StringBuilder usage by standardizing hex formatting to a single hex() function |
| https://bugs.webkit.org/show_bug.cgi?id=205759 |
| |
| Reviewed by Dean Jackson. |
| |
| * heap/HeapSnapshotBuilder.cpp: |
| (JSC::HeapSnapshotBuilder::json): |
| * runtime/JSGlobalObjectFunctions.cpp: |
| (JSC::encode): |
| (JSC::globalFuncEscape): |
| Replace appendUnsignedAsHex() and appendByteAsHex() with append(hex()). |
| |
| 2020-01-05 Ross Kirsling <ross.kirsling@sony.com> |
| |
| JavaScript: Invalid date parse for ISO 8601 strings when no timezone given |
| https://bugs.webkit.org/show_bug.cgi?id=89071 |
| |
| Reviewed by Darin Adler. |
| |
| Since ES2016, the specification for Date.parse has included the following statement: |
| When the UTC offset representation is absent, date-only forms are interpreted as a UTC time |
| and date-time forms are interpreted as a local time. |
| |
| This patch updates us from the old ES5 behavior, which treated offsetless date-time forms as UTC. |
| |
| * runtime/JSDateMath.cpp: |
| (JSC::parseDateFromNullTerminatedCharacters): |
| (JSC::parseES5DateFromNullTerminatedCharacters): Added. |
| (JSC::parseDate): |
| * runtime/JSDateMath.h: |
| Make a local time adjustment if necessary after calling WTF::parseES5DateFromNullTerminatedCharacters. |
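
Added example, not code from the WebKit ChangeLog entry above: a small reference implementation of the ES2016+ rule quoted there, so the engine's Date.parse can be compared against it in any timezone (all names are my own).

```javascript
// Added example, not code from the WebKit ChangeLog entry. expectedEpochMillis()
// is a reference implementation of the ES2016+ rule for ISO 8601 input.
function expectedEpochMillis(iso) {
  const m = /^(\d{4})-(\d{2})-(\d{2})(?:T(\d{2}):(\d{2})(?::(\d{2}))?(Z|[+-]\d{2}:\d{2})?)?$/.exec(iso);
  if (!m) return NaN;
  const [, y, mo, d, h = "0", mi = "0", s = "0", offset] = m;
  const fields = [Number(y), Number(mo) - 1, Number(d), Number(h), Number(mi), Number(s)];
  const dateOnly = m[4] === undefined;
  // Date-only form, or an explicit "Z": UTC.
  if (dateOnly || offset === "Z") return Date.UTC(...fields);
  // Date-time form with no offset: local time. This is the ES2016 change;
  // ES5 read it as UTC, which is what JSC did before this patch.
  if (offset === undefined) return new Date(...fields).getTime();
  // Explicit numeric offset: shift the UTC reading by that offset.
  const sign = offset[0] === "-" ? -1 : 1;
  const [oh, om] = offset.slice(1).split(":").map(Number);
  return Date.UTC(...fields) - sign * (oh * 60 + om) * 60000;
}

// Compare the engine's Date.parse against the reference for one string.
function checkDateParse(iso) {
  const engine = Date.parse(iso);
  const expected = expectedEpochMillis(iso);
  return { engine, expected, agrees: engine === expected };
}

// The visible consequence of the change: the date-only and the offsetless
// date-time form of the same midnight now differ by the host's UTC offset on
// that day (zero only when the host runs in UTC). Returns the gap in minutes.
function offsetlessMidnightGapMinutes(year, month, day) {
  const pad = (n) => String(n).padStart(2, "0");
  const date = `${year}-${pad(month)}-${pad(day)}`;
  return (Date.parse(`${date}T00:00:00`) - Date.parse(date)) / 60000;
}
```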
| |
| 2020-01-04 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| JSON.parse should initialize wrapper object with [[DefineOwnProperty]] |
| https://bugs.webkit.org/show_bug.cgi?id=205767 |
| |
| Reviewed by Darin Adler. |
| |
| This patch makes JSON.parse use [[DefineOwnProperty]] instead of [[Set]] to initialize wrapper object, |
| aligning JSC with the spec (step 7.c of https://tc39.es/ecma262/#sec-json.parse) and other engines. |
| Performing [[Set]] was observable by a setter on Object.prototype (with empty String key). |
| Also removes two extra exceptions checks. |
| |
| * runtime/JSONObject.cpp: |
| (JSC::Stringifier::stringify): |
| (JSC::Walker::walk): |
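
Added example, not code from the WebKit ChangeLog entry above: what "observable by a setter on Object.prototype (with empty String key)" means, and the [[Set]] vs [[DefineOwnProperty]] difference behind it (all names are my own).

```javascript
// Added example, not code from the WebKit ChangeLog entry.

// Installs a setter with the empty-string key on Object.prototype for the
// duration of fn(), recording every value the setter receives.
function withEmptyKeySetter(fn) {
  const seen = [];
  Object.defineProperty(Object.prototype, "", {
    set(value) { seen.push(value); },
    configurable: true,
  });
  try {
    return { result: fn(), seen };
  } finally {
    delete Object.prototype[""];
  }
}

// The two internal methods side by side on a plain object: [[Set]] walks the
// prototype chain and runs the inherited setter, creating no own property;
// [[DefineOwnProperty]] creates an own data property and never consults it.
function setVersusDefine() {
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const { result, seen } = withEmptyKeySetter(() => {
    const viaSet = {};
    viaSet[""] = "via [[Set]]";
    const viaDefine = {};
    Object.defineProperty(viaDefine, "", {
      value: "via [[DefineOwnProperty]]", writable: true, enumerable: true, configurable: true,
    });
    return { setCreatedOwn: hasOwn(viaSet, ""), defineCreatedOwn: hasOwn(viaDefine, "") };
  });
  return { ...result, seen };
}

// JSON.parse with a reviver builds a wrapper { "": parsedValue } and hands it
// to the reviver as the holder. Had the wrapper been filled with [[Set]], the
// setter above would receive the whole parsed document and the reviver would
// find no own "" property. With [[DefineOwnProperty]] (spec step 7.c) nothing
// leaks and the holder carries the real value.
function reviverWrapperIsDefined(jsonText) {
  const holderValues = [];
  const { result, seen } = withEmptyKeySetter(() =>
    JSON.parse(jsonText, function (key, value) {
      if (key === "") holderValues.push(this[""]); // the wrapper's own "" property
      return value;
    }));
  return { result, leakedToSetter: seen.length > 0, holderSawValue: holderValues[0] !== undefined };
}
```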
| |
| 2020-01-02 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] MarkedBlock::Handle and BlockDirectory should be shrunk |
| https://bugs.webkit.org/show_bug.cgi?id=205712 |
| |
| Reviewed by Mark Lam. |
| |
| This patch shrinks MarkedBlock::Handle and BlockDirectory by leveraging the fact that Vector's size and capacity is unsigned. |
| In these data structures, we use `size_t` to hold an index, but this can be converted to unsigned since we guarantee that this |
| never exceeds unsigned since these numbers are derived from Vector's size / capacity, or index inside MarkedBlock (which is up |
| to 64KB in some architectures). MarkedBlock::Handle is allocated per MarkedBlock, and in Gmail, it takes 1MB. We can save |
| some bytes just using `unsigned`. In addition, this patch removes `m_prev` and `m_next` fields in MarkedBlock::Handle since |
| they are never used. |
| |
| * heap/AtomIndices.h: |
| * heap/BlockDirectory.cpp: |
| (JSC::BlockDirectory::findBlockForAllocation): |
| (JSC::BlockDirectory::addBlock): |
| * heap/IsoCellSet.cpp: |
| (JSC::IsoCellSet::addSlow): |
| (JSC::IsoCellSet::didResizeBits): |
| (JSC::IsoCellSet::didRemoveBlock): |
| * heap/IsoCellSet.h: |
| * heap/IsoCellSetInlines.h: |
| (JSC::IsoCellSet::forEachMarkedCell): |
| (JSC::IsoCellSet::forEachMarkedCellInParallel): |
| (JSC::IsoCellSet::forEachLiveCell): |
| * heap/IsoSubspace.cpp: |
| (JSC::IsoSubspace::didResizeBits): |
| (JSC::IsoSubspace::didRemoveBlock): |
| * heap/IsoSubspace.h: |
| * heap/LocalAllocator.h: |
| * heap/MarkedBlock.cpp: |
| (JSC::MarkedBlock::Handle::didAddToDirectory): |
| (JSC::MarkedBlock::Handle::didRemoveFromDirectory): |
| * heap/MarkedBlock.h: |
| (JSC::MarkedBlock::Handle::index const): |
| * heap/Subspace.cpp: |
| (JSC::Subspace::didResizeBits): |
| (JSC::Subspace::didRemoveBlock): |
| * heap/Subspace.h: |
| |
| 2020-01-03 Simon Fraser <simon.fraser@apple.com> |
| |
| Add some shared schemes to the WebKit.xcworkspace |
| https://bugs.webkit.org/show_bug.cgi?id=205698 |
| |
| Reviewed by Tim Horton. |
| |
| Make WebKit.xcworkspace show the following schemes by default: |
| All Source |
| All Tools |
| WTF |
| JavaScriptCore |
| WebCore |
| WebKit |
| WebKitLegacy |
| DumpRenderTree |
| WebKitTestRunner |
| TestWebKitAPI |
| MiniBrowser |
| MobileMiniBrowser. |
| |
| Also remove the MobileMiniBrowserUITests scheme. |
| |
| * JavaScriptCore.xcodeproj/xcshareddata/xcschemes/JavaScriptCore.xcscheme: Copied from Tools/MobileMiniBrowser/MobileMiniBrowser.xcodeproj/xcshareddata/xcschemes/MobileMiniBrowserUITests.xcscheme. |
| |
| 2020-01-03 Saam Barati <sbarati@apple.com> |
| |
| B3::ReduceLoopStrength should not do range based iteration on a vector it's mutating |
| https://bugs.webkit.org/show_bug.cgi?id=205703 |
| <rdar://problem/56459483> |
| |
| Reviewed by Mark Lam. |
| |
| B3::ReduceLoopStrength had code that did: |
| ``` |
| for (BasicBlock* pred : loopPostfooter->predecessors()) |
| loopPostfooter->removePredecessor(pred); |
| ``` |
| |
| This is wrong, since it's doing a range based iteration over the vector it is |
| mutating. The fix is to just do: |
| ``` |
| while (loopPostfooter->predecessors().size()) |
| loopPostfooter->removePredecessor(loopPostfooter->predecessors()[0]); |
| ``` |
| |
| * b3/B3ReduceLoopStrength.cpp: |
| (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy): |
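
Added example, not code from the WebKit ChangeLog entry above: the same mistake modelled in JavaScript. In the C++ original the range-based loop holds iterators into a vector that removePredecessor() shrinks, which is undefined behaviour; in this model the symptom is that every other predecessor is skipped and the footer keeps dangling edges (the BasicBlock class and all names are my own, not B3's).

```javascript
// Added example, not code from the WebKit ChangeLog entry: a minimal model of
// predecessor/successor edges so the two loops from the entry can be compared.
class BasicBlock {
  constructor(name) {
    this.name = name;
    this.predecessors = [];
    this.successors = [];
  }
  addSuccessor(block) {
    this.successors.push(block);
    block.predecessors.push(this);
  }
  // Like B3's removePredecessor: the edge is dropped from both sides.
  removePredecessor(pred) {
    this.predecessors.splice(this.predecessors.indexOf(pred), 1);
    pred.successors.splice(pred.successors.indexOf(this), 1);
  }
}

// Constructed input: a footer block with `count` predecessors.
function makeFooterWithPredecessors(count) {
  const footer = new BasicBlock("footer");
  for (let i = 0; i < count; i++) new BasicBlock(`pred${i}`).addSuccessor(footer);
  return footer;
}

// What is left after a detach loop: predecessors still attached, and how many
// of them still list the footer as a successor (dangling edges).
function leftovers(footer) {
  return {
    remaining: footer.predecessors.length,
    danglingEdges: footer.predecessors.filter((p) => p.successors.includes(footer)).length,
  };
}

// The pattern the entry calls wrong: iterating the array while mutating it.
// Removing element 0 shifts the rest down, so the iterator skips the next one.
function detachAllBuggy(footer) {
  for (const pred of footer.predecessors) footer.removePredecessor(pred);
  return leftovers(footer);
}

// The fix: re-read the container on every pass and always remove element 0.
function detachAllFixed(footer) {
  while (footer.predecessors.length) footer.removePredecessor(footer.predecessors[0]);
  return leftovers(footer);
}
```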
| |
| 2020-01-03 Saam Barati <sbarati@apple.com> |
| |
| AI rule for PutById can only observe transitions when it watches the condition |
| https://bugs.webkit.org/show_bug.cgi?id=205697 |
| <rdar://problem/56814254> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| There was a bug in AI where we were capturing a PutByIdStatus and |
| emitting a structure transition in AI state based on the variants inside this |
| PutByIdStatus. This, in principle, is a valid static analysis to perform. |
| However, we can only do this if we ensure that the snapshot we have in the |
| PutByIdStatus holds at runtime. We can do this by watching the property conditions |
| for the various variants. AI forgot to watch these conditions. This patch fixes that. |
| In practice, this also means we need to be slightly more strict about stating to |
| AI when we transition since some object property conditions aren't watchable, and need |
| to be verified at runtime via structure checks. This is ok in practice, since |
| we'll emit the code to do that inside constant folding (constant folding was |
| already doing this), which will continue to report the precise transition in |
| the abstract state. |
| |
| * dfg/DFGAbstractInterpreter.h: |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| |
| 2020-01-02 Yusuke Suzuki <ysuzuki@apple.com> and Simon Fraser <simon.fraser@apple.com> |
| |
| Experiment: create lots of different malloc zones for easier accounting of memory use |
| https://bugs.webkit.org/show_bug.cgi?id=186422 |
| |
| Reviewed by Saam Barati. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * assembler/AssemblerBuffer.cpp: Copied from Source/JavaScriptCore/bytecode/InstructionStream.cpp. |
| * assembler/AssemblerBuffer.h: |
| (JSC::AssemblerData::AssemblerData): |
| (JSC::AssemblerData::operator=): |
| (JSC::AssemblerData::~AssemblerData): |
| (JSC::AssemblerData::grow): |
| * bytecode/AccessCase.cpp: |
| * bytecode/AccessCase.h: |
| * bytecode/BytecodeBasicBlock.cpp: |
| * bytecode/BytecodeBasicBlock.h: |
| * bytecode/CodeBlock.cpp: |
| * bytecode/CodeBlock.h: |
| * bytecode/InstructionStream.cpp: |
| * bytecode/InstructionStream.h: |
| * bytecode/PolymorphicAccess.cpp: |
| * bytecode/PolymorphicAccess.h: |
| * bytecode/UnlinkedMetadataTable.cpp: |
| (JSC::UnlinkedMetadataTable::finalize): |
| * bytecode/UnlinkedMetadataTable.h: |
| * bytecode/UnlinkedMetadataTableInlines.h: |
| (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable): |
| (JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable): |
| (JSC::UnlinkedMetadataTable::link): |
| (JSC::UnlinkedMetadataTable::unlink): |
| * bytecode/ValueProfile.h: |
| (JSC::ValueProfileAndVirtualRegisterBuffer::ValueProfileAndVirtualRegisterBuffer): |
| * bytecode/Watchpoint.cpp: |
| * bytecode/Watchpoint.h: |
| * dfg/DFGBasicBlock.cpp: |
| * dfg/DFGBasicBlock.h: |
| * dfg/DFGNode.cpp: |
| * dfg/DFGNode.h: |
| * dfg/DFGSpeculativeJIT.cpp: |
| * dfg/DFGSpeculativeJIT.h: |
| * heap/BlockDirectory.cpp: |
| * heap/BlockDirectory.h: |
| * heap/FastMallocAlignedMemoryAllocator.cpp: |
| (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator): |
| (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory): |
| (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory): |
| (JSC::FastMallocAlignedMemoryAllocator::tryAllocateMemory): |
| (JSC::FastMallocAlignedMemoryAllocator::freeMemory): |
| (JSC::FastMallocAlignedMemoryAllocator::tryReallocateMemory): |
| * heap/FastMallocAlignedMemoryAllocator.h: |
| * heap/GCSegmentedArray.cpp: Copied from Source/JavaScriptCore/parser/SourceProviderCache.cpp. |
| * heap/GCSegmentedArray.h: |
| * heap/GCSegmentedArrayInlines.h: |
| (JSC::GCArraySegment<T>::create): |
| (JSC::GCArraySegment<T>::destroy): |
| * heap/GigacageAlignedMemoryAllocator.cpp: |
| (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator): |
| (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory): |
| (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory): |
| (JSC::GigacageAlignedMemoryAllocator::tryAllocateMemory): |
| (JSC::GigacageAlignedMemoryAllocator::freeMemory): |
| (JSC::GigacageAlignedMemoryAllocator::tryReallocateMemory): |
| * heap/GigacageAlignedMemoryAllocator.h: |
| * heap/IsoAlignedMemoryAllocator.cpp: |
| (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator): |
| (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator): |
| (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory): |
| (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory): |
| (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory): |
| (JSC::IsoAlignedMemoryAllocator::freeMemory): |
| * heap/IsoAlignedMemoryAllocator.h: |
| * heap/IsoSubspace.cpp: |
| (JSC::IsoSubspace::IsoSubspace): |
| * heap/MarkedBlock.cpp: |
| * heap/MarkedBlock.h: |
| * heap/WeakBlock.cpp: |
| (JSC::WeakBlock::create): |
| (JSC::WeakBlock::destroy): |
| * heap/WeakBlock.h: |
| * jit/JITCode.cpp: |
| * jit/JITCode.h: |
| * jit/RegisterAtOffsetList.cpp: |
| * jit/RegisterAtOffsetList.h: |
| * parser/Nodes.cpp: |
| * parser/Nodes.h: |
| * parser/ParserArena.cpp: |
| (JSC::ParserArena::deallocateObjects): |
| (JSC::ParserArena::allocateFreeablePool): |
| * parser/ParserArena.h: |
| * parser/SourceProvider.cpp: |
| * parser/SourceProvider.h: |
| * parser/SourceProviderCache.cpp: |
| * parser/SourceProviderCache.h: |
| * parser/SourceProviderCacheItem.h: |
| (JSC::SourceProviderCacheItem::create): |
| * runtime/CachePayload.cpp: |
| (JSC::CachePayload::makeMallocPayload): |
| * runtime/CachePayload.h: |
| * runtime/CachedBytecode.h: |
| (JSC::CachedBytecode::create): |
| * runtime/CachedTypes.cpp: |
| (JSC::Encoder::release): |
| (JSC::Encoder::Page::Page): |
| (JSC::CachedVector::encode): |
| (JSC::CachedVector::decode const): |
| (JSC::CachedInstructionStream::decode const): |
| * runtime/PropertyMapHashTable.h: |
| (JSC::PropertyTable::rehash): |
| * runtime/PropertyTable.cpp: |
| (JSC::PropertyTable::PropertyTable): |
| (JSC::PropertyTable::~PropertyTable): |
| * runtime/SymbolTable.cpp: |
| * runtime/SymbolTable.h: |
| * runtime/VM.cpp: |
| (JSC::VM::~VM): |
| * runtime/VM.h: |
| (JSC::ScratchBuffer::create): |
| (JSC::VM::exceptionFuzzingBuffer): |
| * wasm/WasmInstance.cpp: |
| (JSC::Wasm::Instance::Instance): |
| * wasm/WasmInstance.h: |
| * wasm/WasmTable.cpp: |
| (JSC::Wasm::Table::Table): |
| (JSC::Wasm::FuncRefTable::FuncRefTable): |
| * wasm/WasmTable.h: |
| |
| 2020-01-02 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| REGRESSION (r253867): Six test262 tests broken |
| https://bugs.webkit.org/show_bug.cgi?id=205583 |
| |
| Reviewed by Mark Lam. |
| |
| If a function has an empty name, a bound function should have the "bound " name. |
| But Intl prototypes' bound functions are exceptions: these JSBoundFunctions have an empty name. |
| In this patch, we pass `nullptr` for the JSBoundFunction::create's nameMayBeNull parameter of Intl prototypes' bound functions, |
| to generate an empty string name for these bound functions instead of "bound "[1]. |
| This fixes test262 failures. |
| |
| [1]: https://tc39.es/ecma402/#sec-collator-compare-functions |
| |
| * runtime/IntlCollatorPrototype.cpp: |
| (JSC::IntlCollatorPrototypeGetterCompare): |
| * runtime/IntlDateTimeFormatPrototype.cpp: |
| (JSC::IntlDateTimeFormatPrototypeGetterFormat): |
| * runtime/IntlNumberFormatPrototype.cpp: |
| (JSC::IntlNumberFormatPrototypeGetterFormat): |
| * runtime/JSBoundFunction.cpp: |
| (JSC::JSBoundFunction::create): |
| (JSC::JSBoundFunction::JSBoundFunction): |
| (JSC::JSBoundFunction::visitChildren): |
| * runtime/JSBoundFunction.h: |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::reifyLazyBoundNameIfNeeded): |
| * runtime/SmallStrings.cpp: |
| (JSC::SmallStrings::initializeCommonStrings): |
| * runtime/SmallStrings.h: |
| (JSC::SmallStrings::boundPrefixString const): |
| |
| 2020-01-02 Sam Weinig <weinig@apple.com> |
| |
| Simplify StringBuilder API/align with makeString by removing appendFixed* functions and using FormatNumber struct instead |
| https://bugs.webkit.org/show_bug.cgi?id=205671 |
| |
| Reviewed by Alex Christensen. |
| |
| * API/tests/ExecutionTimeLimitTest.cpp: |
| (testExecutionTimeLimit): |
| * runtime/Options.cpp: |
| (JSC::OptionReader::Option::dump const): |
| Replace all uses of builder.appendFixedPrecisionNumber(...) with builder.append(FormattedNumber::fixedPrecision(...)). |
| |
| 2020-01-01 Mark Lam <mark.lam@apple.com> |
| |
| Declare some classes as final. |
| https://bugs.webkit.org/show_bug.cgi?id=205670 |
| |
| Reviewed by Sam Weinig. |
| |
| There are a few "Status" classes, all of which have static computeFor() methods. |
| None of these classes has derived classes, and they are independent of each |
| other in terms of inheritance relationships. By explicitly declaring them as |
| final, we can make it clear that a call to any unqualified computeFor() method |
| within one of these classes must be from the self class, and that any external call |
| to a given computeFor() method qualified with a class name refers to one defined in that |
| class (and not inherited from another class). |
| |
| This detail may already be known to folks who are familiar with these classes. |
| Declaring them as final helps surface this independence for readers of the code |
| who are not already in the know. |
| |
| * bytecode/CallLinkStatus.h: |
| * bytecode/ComplexGetStatus.h: |
| * bytecode/GetByStatus.h: |
| * bytecode/InByIdStatus.h: |
| * bytecode/InstanceOfStatus.h: |
| * bytecode/PutByIdStatus.h: |
| |
| 2019-12-22 Jeff Miller <jeffm@apple.com> |
| |
| Update user-visible copyright strings to include 2020 |
| https://bugs.webkit.org/show_bug.cgi?id=205552 |
| |
| Reviewed by Darin Adler. |
| |
| * Info.plist: |
| |
| 2019-12-20 Darin Adler <darin@apple.com> |
| |
| Tidy a bit of StringBuilder usage |
| https://bugs.webkit.org/show_bug.cgi?id=205509 |
| |
| Reviewed by Sam Weinig. |
| |
| * dfg/DFGStrengthReductionPhase.cpp: |
| (JSC::DFG::StrengthReductionPhase::handleNode): Remove unneeded check that |
| duplicates range checking that StringBuilder::appendSubstring does. |
| |
| 2019-12-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, build fix after r253904 |
| https://bugs.webkit.org/show_bug.cgi?id=205553 |
| |
| * bytecompiler/BytecodeGeneratorBaseInlines.h: |
| (JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode16): |
| (JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode32): |
| |
| 2019-12-30 Carlos Alberto Lopez Perez <clopez@igalia.com> |
| |
| REGRESSION(r253896): [GTK][WPE] Broke the build with GCC-7 |
| https://bugs.webkit.org/show_bug.cgi?id=205649 |
| |
| Reviewed by Mark Lam. |
| |
| Add WTF_INTERNAL macro to explicitly adjust the symbol visibility. |
| |
| * llint/LLIntSlowPaths.h: |
| |
| 2019-12-29 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove WTF::loadLoadFence from JSFunction::rareData() |
| https://bugs.webkit.org/show_bug.cgi?id=205625 |
| |
| Reviewed by Mark Lam. |
| |
| WTF::loadLoadFence() is not necessary when loading FunctionRareData from JSFunction since we ensured that stored FunctionRareData |
| is already baked by emitting WTF::storeStoreFence(). |
| |
| * runtime/JSFunction.h: |
| (JSC::JSFunction::rareData const): |
| (JSC::JSFunction::rareData): Deleted. |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::hasReifiedLength const): |
| (JSC::JSFunction::hasReifiedName const): |
| (JSC::JSFunction::areNameAndLengthOriginal): |
| (JSC::JSFunction::ensureRareDataAndAllocationProfile): |
| |
| 2019-12-28 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, rename `.executable` to `.isExecutable` |
| https://bugs.webkit.org/show_bug.cgi?id=205554 |
| |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| |
| 2019-12-28 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] JSFunction's m_executable / m_rareData should be merged |
| https://bugs.webkit.org/show_bug.cgi?id=205554 |
| |
| Reviewed by Mark Lam. |
| |
| This patch merges JSFunction::m_executable and JSFunction::m_rareData fields into one JSFunction::m_executableOrRareData field. |
| JSFunction is one of the most frequently allocated objects (e.g. it is common that an anonymous JSFunction expression is used as a scope). |
| If we can save sizeof(JSFunction), we can get great savings in memory usage. |
| |
| JSFunction::m_scope field is touched every time we execute this function. (op_get_scope, or obtaining JSGlobalObject for host functions). |
| On the other hand, m_executable field can be skipped if JSFunction call is cached by CallLinkInfo. So compared to JSFunction::m_scope, |
| this field is less frequently touched. So, we merge m_executable and m_rareData fields into one, m_executableOrRareData. When it holds |
| ExecutableBase*, we do nothing. But when we create FunctionRareData, we put ExecutableBase in FunctionRareData and store FunctionRareData |
| to JSFunction::m_executableOrRareData field with `0x1` flag. |
| |
| This patch reduces sizeof(JSFunction) from 48 to 32. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| (JSC::DFG::SpeculativeJIT::compileGetExecutable): |
| (JSC::DFG::SpeculativeJIT::compileCreateThis): |
| (JSC::DFG::SpeculativeJIT::compileCreatePromise): |
| (JSC::DFG::SpeculativeJIT::compileCreateInternalFieldObject): |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_create_this): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_create_this): |
| * jit/Repatch.cpp: |
| (JSC::linkPolymorphicCall): |
| * jit/ThunkGenerators.cpp: |
| (JSC::virtualThunkFor): |
| (JSC::nativeForGenerator): |
| (JSC::boundFunctionCallGenerator): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/FunctionRareData.cpp: |
| (JSC::FunctionRareData::create): |
| (JSC::FunctionRareData::visitChildren): |
| (JSC::FunctionRareData::FunctionRareData): |
| * runtime/FunctionRareData.h: |
| * runtime/JSBoundFunction.cpp: |
| (JSC::JSBoundFunction::create): |
| (JSC::JSBoundFunction::JSBoundFunction): |
| * runtime/JSBoundFunction.h: |
| * runtime/JSCustomGetterSetterFunction.cpp: |
| (JSC::JSCustomGetterSetterFunction::JSCustomGetterSetterFunction): |
| (JSC::JSCustomGetterSetterFunction::create): |
| * runtime/JSCustomGetterSetterFunction.h: |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::create): |
| (JSC::JSFunction::createFunctionThatMasqueradesAsUndefined): |
| (JSC::JSFunction::JSFunction): |
| (JSC::JSFunction::finishCreation): |
| (JSC::JSFunction::allocateRareData): |
| (JSC::JSFunction::allocateAndInitializeRareData): |
| (JSC::JSFunction::initializeRareData): |
| (JSC::JSFunction::visitChildren): |
| (JSC::JSFunction::put): |
| (JSC::JSFunction::defineOwnProperty): |
| * runtime/JSFunction.h: |
| (JSC::JSFunction::executable const): |
| (JSC::JSFunction::offsetOfExecutableOrRareData): |
| (JSC::JSFunction::rareData): |
| (JSC::JSFunction::offsetOfExecutable): Deleted. |
| (JSC::JSFunction::offsetOfRareData): Deleted. |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::JSFunction): |
| (JSC::JSFunction::jsExecutable const): |
| (JSC::JSFunction::isHostFunction const): |
| (JSC::JSFunction::nativeFunction): |
| (JSC::JSFunction::nativeConstructor): |
| (JSC::JSFunction::hasReifiedLength const): |
| (JSC::JSFunction::hasReifiedName const): |
| (JSC::JSFunction::areNameAndLengthOriginal): |
| (JSC::JSFunction::ensureRareDataAndAllocationProfile): |
| * runtime/JSNativeStdFunction.cpp: |
| (JSC::JSNativeStdFunction::JSNativeStdFunction): |
| (JSC::JSNativeStdFunction::create): |
| * runtime/JSNativeStdFunction.h: |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::create): |
| (JSC::WebAssemblyFunction::WebAssemblyFunction): |
| * wasm/js/WebAssemblyFunction.h: |
| * wasm/js/WebAssemblyFunctionBase.cpp: |
| (JSC::WebAssemblyFunctionBase::WebAssemblyFunctionBase): |
| * wasm/js/WebAssemblyFunctionBase.h: |
| * wasm/js/WebAssemblyWrapperFunction.cpp: |
| (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction): |
| (JSC::WebAssemblyWrapperFunction::create): |
| * wasm/js/WebAssemblyWrapperFunction.h: |
| |
| 2019-12-28 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] StructureChain should hold vector of StructureID |
| https://bugs.webkit.org/show_bug.cgi?id=205592 |
| |
| Reviewed by Mark Lam. |
| |
| StructureChain should keep a vector of StructureID instead of Structure* to minimize the size of the vector. |
| |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/JSPropertyNameEnumerator.h: |
| (JSC::propertyNameEnumerator): |
| * runtime/ProxyObject.h: |
| * runtime/Structure.cpp: |
| (JSC::Structure::canCachePropertyNameEnumerator const): |
| * runtime/Structure.h: |
| * runtime/StructureChain.cpp: |
| (JSC::StructureChain::StructureChain): |
| (JSC::StructureChain::create): |
| (JSC::StructureChain::finishCreation): |
| (JSC::StructureChain::visitChildren): |
| * runtime/StructureChain.h: |
| * runtime/StructureInlines.h: |
| (JSC::Structure::isValid const): |
| |
| 2019-12-25 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Compact Bytecodes more by emitting 1-byte Opcode |
| https://bugs.webkit.org/show_bug.cgi?id=205553 |
| |
| Reviewed by Keith Miller. |
| |
| When emitting 16bit / 32bit bytecodes, we also emit 16bit / 32bit Opcode. |
| So the layout is the following. |
| |
| 8bit 16bit 16bit 16bit |
| - [op_wide16][ Opcode ][ Operand0 ][ Operand1 ] |
| |
| But this is unnecessary since Opcode must fit in 8bit. We should emit Opcode in 8bit in all cases. |
| |
| 8bit 8bit 16bit 16bit |
| - [op_wide16][Opcode][ Operand0 ][ Operand1 ] |
| |
| * bytecode/Instruction.h: |
| (JSC::BaseInstruction::size const): |
| * bytecompiler/BytecodeGeneratorBaseInlines.h: |
| (JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode16): |
| (JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode32): |
| * generator/Argument.rb: |
| * generator/Opcode.rb: |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * llint/WebAssembly.asm: |
| |
| 2019-12-24 Keith Miller <keith_miller@apple.com> |
| |
| Fix ARM64E by adding missing pointer tag. |
| |
| * llint/LowLevelInterpreter.asm: |
| |
| 2019-12-23 Keith Miller <keith_miller@apple.com> |
| |
| DFG/FTL should be able to exit to the middle of a bytecode |
| https://bugs.webkit.org/show_bug.cgi?id=205232 |
| |
| Reviewed by Saam Barati. |
| |
| It can be valuable to exit to the middle of a bytecode for a couple of reasons. |
| 1) It can be used to combine bytecodes that share a majority of their operands, reducing bytecode stream size. |
| 2) It enables creating bytecodes that are easier to reconstruct useful optimization information from. |
| |
| To make exiting to the middle of a bytecode possible this patch |
| introduces the concept of a temporary operand. A temporary operand |
| is one that contains the result of effectful operations during the |
| process of executing a bytecode. tmp operands have no meaning when |
| executing in the LLInt or Baseline and are only used in the DFG to |
| preserve information for OSR exit. We use the term checkpoint to |
| refer to any point where an effectful component of a bytecode executes. |
| For example, in op_call_varargs there are two checkpoints: the first is |
| before we have determined the number of variable arguments and the second |
| is the actual call. |
| |
| When the DFG OSR exits, if there are any active checkpoints in the inline |
| call stack we will emit a jit probe that allocates a side state |
| object keyed off the frame pointer of the bytecode whose |
| checkpoint needs to be finished. We need side state because we may |
| recursively inline several copies of the same |
| function. Alternatively, we could call back into ourselves after |
| OSR and exit again from optimized code before finishing the |
| checkpoint of our caller. |
| |
| Another thing we need to be careful of is making sure we remove |
| side state as we unwind for an exception. To make sure we do this |
| correctly I've added an assertion to JSLock that there are no |
| pending checkpoint side states on the vm when releasing the lock. |
| |
| A large amount of this patch is trying to remove as much code that |
| refers to virtual registers as an int as possible. Instead, this |
| patch replaces them with the VirtualRegister class. There are also |
| a couple of new classes/enums added to JSC: |
| |
| 1) There is now a class, Operand, that represents the combination |
| of a VirtualRegister and a temporary. This is handy in the DFG to |
| model OSR exit values all together. Additionally, Operands<T> has |
| been updated to work with respect to Operand values. |
| |
| 2) CallFrameSlot is now an enum class instead of a struct of |
| constexpr values. This lets us implicitly convert CallFrameSlots |
| to VirtualRegisters without allowing all ints to implicitly |
| convert. |
| |
| 3) FTL::SelectPredictability is a new enum that describes to the |
| FTL whether or not we think a select is going to be |
| predictable. SelectPredictability has four options: Unpredictable, |
| Predictable, LeftLikely, and RightLikely. Unpredictable means we |
| think a branch predictor won't do a good job guessing this value |
| so we should compile the select to a cmov. The other options mean |
| we either think we are going to pick the same value every time or |
| there's a reasonable chance the branch predictor will be able to |
| guess the value. |
| |
| In order to validate the correctness of this patch the various |
| varargs call opcodes have been reworked to use checkpoints. This |
| also fixed a long-standing issue where we could call length |
| getters twice if we OSR exit during LoadVarargs but before the |
| actual call. |
| |
| Lastly, we have not enabled the probe-based OSR exit for a long |
| time in production, thus this patch removes that code since it |
| would be a non-trivial amount of work to get checkpoints working |
| with probe OSR. |
| |
| * CMakeLists.txt: |
| * DerivedSources-input.xcfilelist: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * assembler/MacroAssemblerCodeRef.h: |
| * assembler/ProbeFrame.h: |
| (JSC::Probe::Frame::operand): |
| (JSC::Probe::Frame::setOperand): |
| * b3/testb3.h: |
| (populateWithInterestingValues): |
| (floatingPointOperands): |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateImpl): |
| * bytecode/AccessCaseSnippetParams.cpp: |
| (JSC::SlowPathCallGeneratorWithArguments::generateImpl): |
| * bytecode/BytecodeDumper.cpp: |
| (JSC::BytecodeDumperBase::dumpValue): |
| (JSC::BytecodeDumper<Block>::registerName const): |
| (JSC::BytecodeDumper<Block>::constantName const): |
| (JSC::Wasm::BytecodeDumper::constantName const): |
| * bytecode/BytecodeDumper.h: |
| * bytecode/BytecodeIndex.cpp: |
| (JSC::BytecodeIndex::dump const): |
| * bytecode/BytecodeIndex.h: |
| (JSC::BytecodeIndex::BytecodeIndex): |
| (JSC::BytecodeIndex::offset const): |
| (JSC::BytecodeIndex::checkpoint const): |
| (JSC::BytecodeIndex::asBits const): |
| (JSC::BytecodeIndex::hash const): |
| (JSC::BytecodeIndex::operator bool const): |
| (JSC::BytecodeIndex::pack): |
| (JSC::BytecodeIndex::fromBits): |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeLivenessAnalysis.cpp: |
| (JSC::enumValuesEqualAsIntegral): |
| (JSC::tmpLivenessForCheckpoint): |
| * bytecode/BytecodeLivenessAnalysis.h: |
| * bytecode/BytecodeLivenessAnalysisInlines.h: |
| (JSC::virtualRegisterIsAlwaysLive): |
| (JSC::virtualRegisterThatIsNotAlwaysLiveIsLive): |
| (JSC::virtualRegisterIsLive): |
| (JSC::operandIsAlwaysLive): Deleted. |
| (JSC::operandThatIsNotAlwaysLiveIsLive): Deleted. |
| (JSC::operandIsLive): Deleted. |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| (JSC::CodeBlock::bytecodeIndexForExit const): |
| (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow): |
| (JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::numTmps const): |
| (JSC::CodeBlock::isKnownNotImmediate): |
| (JSC::CodeBlock::isTemporaryRegister): |
| (JSC::CodeBlock::constantRegister): |
| (JSC::CodeBlock::getConstant const): |
| (JSC::CodeBlock::constantSourceCodeRepresentation const): |
| (JSC::CodeBlock::replaceConstant): |
| (JSC::CodeBlock::isTemporaryRegisterIndex): Deleted. |
| (JSC::CodeBlock::isConstantRegisterIndex): Deleted. |
| * bytecode/CodeOrigin.h: |
| * bytecode/FullBytecodeLiveness.h: |
| (JSC::FullBytecodeLiveness::virtualRegisterIsLive const): |
| (JSC::FullBytecodeLiveness::operandIsLive const): Deleted. |
| * bytecode/InlineCallFrame.h: |
| (JSC::InlineCallFrame::InlineCallFrame): |
| (JSC::InlineCallFrame::setTmpOffset): |
| (JSC::CodeOrigin::walkUpInlineStack const): |
| (JSC::CodeOrigin::inlineStackContainsActiveCheckpoint const): |
| (JSC::remapOperand): |
| (JSC::unmapOperand): |
| (JSC::CodeOrigin::walkUpInlineStack): Deleted. |
| * bytecode/LazyOperandValueProfile.h: |
| (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey): |
| (JSC::LazyOperandValueProfileKey::hash const): |
| (JSC::LazyOperandValueProfileKey::operand const): |
| * bytecode/MethodOfGettingAValueProfile.cpp: |
| (JSC::MethodOfGettingAValueProfile::fromLazyOperand): |
| (JSC::MethodOfGettingAValueProfile::emitReportValue const): |
| (JSC::MethodOfGettingAValueProfile::reportValue): |
| * bytecode/MethodOfGettingAValueProfile.h: |
| * bytecode/Operands.h: |
| (JSC::Operand::Operand): |
| (JSC::Operand::tmp): |
| (JSC::Operand::kind const): |
| (JSC::Operand::value const): |
| (JSC::Operand::virtualRegister const): |
| (JSC::Operand::asBits const): |
| (JSC::Operand::isTmp const): |
| (JSC::Operand::isArgument const): |
| (JSC::Operand::isLocal const): |
| (JSC::Operand::isHeader const): |
| (JSC::Operand::isConstant const): |
| (JSC::Operand::toArgument const): |
| (JSC::Operand::toLocal const): |
| (JSC::Operand::operator== const): |
| (JSC::Operand::isValid const): |
| (JSC::Operand::fromBits): |
| (JSC::Operands::Operands): |
| (JSC::Operands::numberOfLocals const): |
| (JSC::Operands::numberOfTmps const): |
| (JSC::Operands::tmpIndex const): |
| (JSC::Operands::argumentIndex const): |
| (JSC::Operands::localIndex const): |
| (JSC::Operands::tmp): |
| (JSC::Operands::tmp const): |
| (JSC::Operands::argument): |
| (JSC::Operands::argument const): |
| (JSC::Operands::local): |
| (JSC::Operands::local const): |
| (JSC::Operands::sizeFor const): |
| (JSC::Operands::atFor): |
| (JSC::Operands::atFor const): |
| (JSC::Operands::ensureLocals): |
| (JSC::Operands::ensureTmps): |
| (JSC::Operands::getForOperandIndex): |
| (JSC::Operands::getForOperandIndex const): |
| (JSC::Operands::operandIndex const): |
| (JSC::Operands::operand): |
| (JSC::Operands::operand const): |
| (JSC::Operands::hasOperand const): |
| (JSC::Operands::setOperand): |
| (JSC::Operands::at const): |
| (JSC::Operands::at): |
| (JSC::Operands::operator[] const): |
| (JSC::Operands::operator[]): |
| (JSC::Operands::operandForIndex const): |
| (JSC::Operands::operator== const): |
| (JSC::Operands::isArgument const): Deleted. |
| (JSC::Operands::isLocal const): Deleted. |
| (JSC::Operands::virtualRegisterForIndex const): Deleted. |
| (JSC::Operands::setOperandFirstTime): Deleted. |
| * bytecode/OperandsInlines.h: |
| (JSC::Operand::dump const): |
| (JSC::Operands<T>::dumpInContext const): |
| (JSC::Operands<T>::dump const): |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::hasCheckpoints const): |
| (JSC::UnlinkedCodeBlock::setHasCheckpoints): |
| (JSC::UnlinkedCodeBlock::constantRegister const): |
| (JSC::UnlinkedCodeBlock::getConstant const): |
| (JSC::UnlinkedCodeBlock::isConstantRegisterIndex const): Deleted. |
| * bytecode/ValueProfile.h: |
| (JSC::ValueProfileAndVirtualRegisterBuffer::ValueProfileAndVirtualRegisterBuffer): |
| (JSC::ValueProfileAndVirtualRegisterBuffer::~ValueProfileAndVirtualRegisterBuffer): |
| (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer): Deleted. |
| (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer): Deleted. |
| (JSC::ValueProfileAndOperandBuffer::forEach): Deleted. |
| * bytecode/ValueRecovery.cpp: |
| (JSC::ValueRecovery::recover const): |
| * bytecode/ValueRecovery.h: |
| * bytecode/VirtualRegister.h: |
| (JSC::virtualRegisterIsLocal): |
| (JSC::virtualRegisterIsArgument): |
| (JSC::VirtualRegister::VirtualRegister): |
| (JSC::VirtualRegister::isValid const): |
| (JSC::VirtualRegister::isLocal const): |
| (JSC::VirtualRegister::isArgument const): |
| (JSC::VirtualRegister::isConstant const): |
| (JSC::VirtualRegister::toConstantIndex const): |
| (JSC::operandIsLocal): Deleted. |
| (JSC::operandIsArgument): Deleted. |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::initializeNextParameter): |
| (JSC::BytecodeGenerator::initializeParameters): |
| (JSC::BytecodeGenerator::emitEqualityOpImpl): |
| (JSC::BytecodeGenerator::emitCallVarargs): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::setUsesCheckpoints): |
| * bytecompiler/RegisterID.h: |
| (JSC::RegisterID::setIndex): |
| * dfg/DFGAbstractHeap.cpp: |
| (JSC::DFG::AbstractHeap::Payload::dumpAsOperand const): |
| (JSC::DFG::AbstractHeap::dump const): |
| * dfg/DFGAbstractHeap.h: |
| (JSC::DFG::AbstractHeap::Payload::Payload): |
| (JSC::DFG::AbstractHeap::AbstractHeap): |
| (JSC::DFG::AbstractHeap::operand const): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGArgumentPosition.h: |
| (JSC::DFG::ArgumentPosition::dump): |
| * dfg/DFGArgumentsEliminationPhase.cpp: |
| * dfg/DFGArgumentsUtilities.cpp: |
| (JSC::DFG::argumentsInvolveStackSlot): |
| (JSC::DFG::emitCodeToGetArgumentsArrayLength): |
| * dfg/DFGArgumentsUtilities.h: |
| * dfg/DFGAtTailAbstractState.h: |
| (JSC::DFG::AtTailAbstractState::operand): |
| * dfg/DFGAvailabilityMap.cpp: |
| (JSC::DFG::AvailabilityMap::pruneByLiveness): |
| * dfg/DFGAvailabilityMap.h: |
| (JSC::DFG::AvailabilityMap::closeStartingWithLocal): |
| * dfg/DFGBasicBlock.cpp: |
| (JSC::DFG::BasicBlock::BasicBlock): |
| (JSC::DFG::BasicBlock::ensureTmps): |
| * dfg/DFGBasicBlock.h: |
| * dfg/DFGBlockInsertionSet.cpp: |
| (JSC::DFG::BlockInsertionSet::insert): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::ByteCodeParser): |
| (JSC::DFG::ByteCodeParser::ensureTmps): |
| (JSC::DFG::ByteCodeParser::progressToNextCheckpoint): |
| (JSC::DFG::ByteCodeParser::newVariableAccessData): |
| (JSC::DFG::ByteCodeParser::getDirect): |
| (JSC::DFG::ByteCodeParser::get): |
| (JSC::DFG::ByteCodeParser::setDirect): |
| (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation): |
| (JSC::DFG::ByteCodeParser::getLocalOrTmp): |
| (JSC::DFG::ByteCodeParser::setLocalOrTmp): |
| (JSC::DFG::ByteCodeParser::setArgument): |
| (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal): |
| (JSC::DFG::ByteCodeParser::findArgumentPosition): |
| (JSC::DFG::ByteCodeParser::flushImpl): |
| (JSC::DFG::ByteCodeParser::flushForTerminalImpl): |
| (JSC::DFG::ByteCodeParser::flush): |
| (JSC::DFG::ByteCodeParser::flushDirect): |
| (JSC::DFG::ByteCodeParser::addFlushOrPhantomLocal): |
| (JSC::DFG::ByteCodeParser::phantomLocalDirect): |
| (JSC::DFG::ByteCodeParser::flushForTerminal): |
| (JSC::DFG::ByteCodeParser::addToGraph): |
| (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand const): |
| (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): |
| (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute): |
| (JSC::DFG::ByteCodeParser::allocateTargetableBlock): |
| (JSC::DFG::ByteCodeParser::allocateUntargetableBlock): |
| (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): |
| (JSC::DFG::ByteCodeParser::inlineCall): |
| (JSC::DFG::ByteCodeParser::handleVarargsInlining): |
| (JSC::DFG::ByteCodeParser::handleInlining): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): |
| (JSC::DFG::ByteCodeParser::parse): |
| (JSC::DFG::ByteCodeParser::getLocal): Deleted. |
| (JSC::DFG::ByteCodeParser::setLocal): Deleted. |
| * dfg/DFGCFAPhase.cpp: |
| (JSC::DFG::CFAPhase::injectOSR): |
| * dfg/DFGCPSRethreadingPhase.cpp: |
| (JSC::DFG::CPSRethreadingPhase::run): |
| (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal): |
| (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor): |
| (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal): |
| (JSC::DFG::CPSRethreadingPhase::canonicalizeSet): |
| (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock): |
| (JSC::DFG::CPSRethreadingPhase::propagatePhis): |
| (JSC::DFG::CPSRethreadingPhase::phiStackFor): |
| * dfg/DFGCSEPhase.cpp: |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGCombinedLiveness.cpp: |
| (JSC::DFG::addBytecodeLiveness): |
| * dfg/DFGCommonData.cpp: |
| (JSC::DFG::CommonData::addCodeOrigin): |
| (JSC::DFG::CommonData::addUniqueCallSiteIndex): |
| (JSC::DFG::CommonData::lastCallSite const): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGDriver.cpp: |
| (JSC::DFG::compileImpl): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGForAllKills.h: |
| (JSC::DFG::forAllKilledOperands): |
| (JSC::DFG::forAllKilledNodesAtNodeIndex): |
| (JSC::DFG::forAllKillsInBlock): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| (JSC::DFG::Graph::dumpBlockHeader): |
| (JSC::DFG::Graph::substituteGetLocal): |
| (JSC::DFG::Graph::isLiveInBytecode): |
| (JSC::DFG::Graph::localsAndTmpsLiveInBytecode): |
| (JSC::DFG::Graph::methodOfGettingAValueProfileFor): |
| (JSC::DFG::Graph::localsLiveInBytecode): Deleted. |
| * dfg/DFGGraph.h: |
| (JSC::DFG::Graph::forAllLocalsAndTmpsLiveInBytecode): |
| (JSC::DFG::Graph::forAllLiveInBytecode): |
| (JSC::DFG::Graph::forAllLocalsLiveInBytecode): Deleted. |
| * dfg/DFGInPlaceAbstractState.cpp: |
| (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState): |
| * dfg/DFGInPlaceAbstractState.h: |
| (JSC::DFG::InPlaceAbstractState::operand): |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::linkOSRExits): |
| (JSC::DFG::JITCompiler::noticeOSREntry): |
| * dfg/DFGJITCompiler.h: |
| (JSC::DFG::JITCompiler::emitStoreCallSiteIndex): |
| * dfg/DFGLiveCatchVariablePreservationPhase.cpp: |
| (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation): |
| (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch): |
| (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData): |
| * dfg/DFGMovHintRemovalPhase.cpp: |
| * dfg/DFGNode.h: |
| (JSC::DFG::StackAccessData::StackAccessData): |
| (JSC::DFG::Node::hasArgumentsChild): |
| (JSC::DFG::Node::argumentsChild): |
| (JSC::DFG::Node::operand): |
| (JSC::DFG::Node::hasUnlinkedOperand): |
| (JSC::DFG::Node::unlinkedOperand): |
| (JSC::DFG::Node::hasLoadVarargsData): |
| (JSC::DFG::Node::local): Deleted. |
| (JSC::DFG::Node::hasUnlinkedLocal): Deleted. |
| (JSC::DFG::Node::unlinkedLocal): Deleted. |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: |
| (JSC::DFG::OSRAvailabilityAnalysisPhase::run): |
| (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode): |
| * dfg/DFGOSREntry.cpp: |
| (JSC::DFG::prepareOSREntry): |
| (JSC::DFG::prepareCatchOSREntry): |
| * dfg/DFGOSREntrypointCreationPhase.cpp: |
| (JSC::DFG::OSREntrypointCreationPhase::run): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::emitRestoreArguments): |
| (JSC::DFG::OSRExit::compileExit): |
| (JSC::DFG::jsValueFor): Deleted. |
| (JSC::DFG::restoreCalleeSavesFor): Deleted. |
| (JSC::DFG::saveCalleeSavesFor): Deleted. |
| (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted. |
| (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted. |
| (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted. |
| (JSC::DFG::createDirectArgumentsDuringExit): Deleted. |
| (JSC::DFG::createClonedArgumentsDuringExit): Deleted. |
| (JSC::DFG::emitRestoreArguments): Deleted. |
| (JSC::DFG::OSRExit::executeOSRExit): Deleted. |
| (JSC::DFG::reifyInlinedCallFrames): Deleted. |
| (JSC::DFG::adjustAndJumpToTarget): Deleted. |
| (JSC::DFG::printOSRExit): Deleted. |
| * dfg/DFGOSRExit.h: |
| * dfg/DFGOSRExitBase.h: |
| (JSC::DFG::OSRExitBase::isExitingToCheckpointHandler const): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::callerReturnPC): |
| (JSC::DFG::reifyInlinedCallFrames): |
| (JSC::DFG::adjustAndJumpToTarget): |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
| * dfg/DFGOpInfo.h: |
| (JSC::DFG::OpInfo::OpInfo): |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGPhantomInsertionPhase.cpp: |
| * dfg/DFGPreciseLocalClobberize.h: |
| (JSC::DFG::PreciseLocalClobberizeAdaptor::read): |
| (JSC::DFG::PreciseLocalClobberizeAdaptor::write): |
| (JSC::DFG::PreciseLocalClobberizeAdaptor::def): |
| (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate): |
| * dfg/DFGPredictionInjectionPhase.cpp: |
| (JSC::DFG::PredictionInjectionPhase::run): |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGPutStackSinkingPhase.cpp: |
| * dfg/DFGSSAConversionPhase.cpp: |
| (JSC::DFG::SSAConversionPhase::run): |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileMovHint): |
| (JSC::DFG::SpeculativeJIT::compileCurrentBlock): |
| (JSC::DFG::SpeculativeJIT::checkArgumentTypes): |
| (JSC::DFG::SpeculativeJIT::compileVarargsLength): |
| (JSC::DFG::SpeculativeJIT::compileLoadVarargs): |
| (JSC::DFG::SpeculativeJIT::compileForwardVarargs): |
| (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): |
| (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis): |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::recordSetLocal): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStackLayoutPhase.cpp: |
| (JSC::DFG::StackLayoutPhase::run): |
| (JSC::DFG::StackLayoutPhase::assign): |
| * dfg/DFGStrengthReductionPhase.cpp: |
| (JSC::DFG::StrengthReductionPhase::handleNode): |
| * dfg/DFGThunks.cpp: |
| (JSC::DFG::osrExitThunkGenerator): Deleted. |
| * dfg/DFGThunks.h: |
| * dfg/DFGTypeCheckHoistingPhase.cpp: |
| (JSC::DFG::TypeCheckHoistingPhase::run): |
| (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries): |
| * dfg/DFGValidate.cpp: |
| * dfg/DFGVarargsForwardingPhase.cpp: |
| * dfg/DFGVariableAccessData.cpp: |
| (JSC::DFG::VariableAccessData::VariableAccessData): |
| (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): |
| (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): |
| (JSC::DFG::VariableAccessData::couldRepresentInt52Impl): |
| * dfg/DFGVariableAccessData.h: |
| (JSC::DFG::VariableAccessData::operand): |
| (JSC::DFG::VariableAccessData::local): Deleted. |
| * dfg/DFGVariableEvent.cpp: |
| (JSC::DFG::VariableEvent::dump const): |
| * dfg/DFGVariableEvent.h: |
| (JSC::DFG::VariableEvent::spill): |
| (JSC::DFG::VariableEvent::setLocal): |
| (JSC::DFG::VariableEvent::movHint): |
| (JSC::DFG::VariableEvent::spillRegister const): |
| (JSC::DFG::VariableEvent::operand const): |
| (JSC::DFG::VariableEvent::bytecodeRegister const): Deleted. |
| * dfg/DFGVariableEventStream.cpp: |
| (JSC::DFG::VariableEventStream::logEvent): |
| (JSC::DFG::VariableEventStream::reconstruct const): |
| * dfg/DFGVariableEventStream.h: |
| (JSC::DFG::VariableEventStream::appendAndLog): |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLForOSREntryJITCode.cpp: |
| (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::lower): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileExtractOSREntryLocal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetStack): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetCallee): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileVarargsLength): |
| (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::getSpreadLengthFromInlineCallFrame): |
| (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue): |
| (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength): |
| (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee): |
| (JSC::FTL::DFG::LowerDFGToB3::callPreflight): |
| (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor): |
| (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments): |
| (JSC::FTL::DFG::LowerDFGToB3::addressFor): |
| (JSC::FTL::DFG::LowerDFGToB3::payloadFor): |
| (JSC::FTL::DFG::LowerDFGToB3::tagFor): |
| * ftl/FTLOSREntry.cpp: |
| (JSC::FTL::prepareOSREntry): |
| * ftl/FTLOSRExit.cpp: |
| (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor): |
| * ftl/FTLOSRExit.h: |
| * ftl/FTLOSRExitCompiler.cpp: |
| (JSC::FTL::compileStub): |
| * ftl/FTLOperations.cpp: |
| (JSC::FTL::operationMaterializeObjectInOSR): |
| * ftl/FTLOutput.cpp: |
| (JSC::FTL::Output::select): |
| * ftl/FTLOutput.h: |
| * ftl/FTLSelectPredictability.h: Copied from Source/JavaScriptCore/ftl/FTLForOSREntryJITCode.cpp. |
| * ftl/FTLSlowPathCall.h: |
| (JSC::FTL::callOperation): |
| * generator/Checkpoints.rb: Added. |
| * generator/Opcode.rb: |
| * generator/Section.rb: |
| * heap/Heap.cpp: |
| (JSC::Heap::gatherStackRoots): |
| * interpreter/CallFrame.cpp: |
| (JSC::CallFrame::callSiteAsRawBits const): |
| (JSC::CallFrame::unsafeCallSiteAsRawBits const): |
| (JSC::CallFrame::callSiteIndex const): |
| (JSC::CallFrame::unsafeCallSiteIndex const): |
| (JSC::CallFrame::setCurrentVPC): |
| (JSC::CallFrame::bytecodeIndex): |
| (JSC::CallFrame::codeOrigin): |
| * interpreter/CallFrame.h: |
| (JSC::CallSiteIndex::CallSiteIndex): |
| (JSC::CallSiteIndex::operator bool const): |
| (JSC::CallSiteIndex::operator== const): |
| (JSC::CallSiteIndex::bits const): |
| (JSC::CallSiteIndex::fromBits): |
| (JSC::CallSiteIndex::bytecodeIndex const): |
| (JSC::DisposableCallSiteIndex::DisposableCallSiteIndex): |
| (JSC::CallFrame::callee const): |
| (JSC::CallFrame::unsafeCallee const): |
| (JSC::CallFrame::addressOfCodeBlock const): |
| (JSC::CallFrame::argumentCountIncludingThis const): |
| (JSC::CallFrame::offsetFor): |
| (JSC::CallFrame::setArgumentCountIncludingThis): |
| (JSC::CallFrame::setReturnPC): |
| * interpreter/CallFrameInlines.h: |
| (JSC::CallFrame::r): |
| (JSC::CallFrame::uncheckedR): |
| (JSC::CallFrame::guaranteedJSValueCallee const): |
| (JSC::CallFrame::jsCallee const): |
| (JSC::CallFrame::codeBlock const): |
| (JSC::CallFrame::unsafeCodeBlock const): |
| (JSC::CallFrame::setCallee): |
| (JSC::CallFrame::setCodeBlock): |
| * interpreter/CheckpointOSRExitSideState.h: Copied from Source/JavaScriptCore/dfg/DFGThunks.h. |
| * interpreter/Interpreter.cpp: |
| (JSC::eval): |
| (JSC::sizeOfVarargs): |
| (JSC::loadVarargs): |
| (JSC::setupVarargsFrame): |
| (JSC::UnwindFunctor::operator() const): |
| (JSC::Interpreter::executeCall): |
| (JSC::Interpreter::executeConstruct): |
| * interpreter/Interpreter.h: |
| * interpreter/StackVisitor.cpp: |
| (JSC::StackVisitor::readInlinedFrame): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr): |
| (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32): |
| (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64): |
| (JSC::AssemblyHelpers::emitPutToCallFrameHeader): |
| (JSC::AssemblyHelpers::emitPutToCallFrameHeaderBeforePrologue): |
| (JSC::AssemblyHelpers::emitPutPayloadToCallFrameHeaderBeforePrologue): |
| (JSC::AssemblyHelpers::emitPutTagToCallFrameHeaderBeforePrologue): |
| (JSC::AssemblyHelpers::addressFor): |
| (JSC::AssemblyHelpers::tagFor): |
| (JSC::AssemblyHelpers::payloadFor): |
| (JSC::AssemblyHelpers::calleeFrameSlot): |
| (JSC::AssemblyHelpers::calleeArgumentSlot): |
| (JSC::AssemblyHelpers::calleeFrameTagSlot): |
| (JSC::AssemblyHelpers::calleeFramePayloadSlot): |
| (JSC::AssemblyHelpers::calleeFrameCallerFrame): |
| (JSC::AssemblyHelpers::argumentCount): |
| * jit/CallFrameShuffler.cpp: |
| (JSC::CallFrameShuffler::CallFrameShuffler): |
| * jit/CallFrameShuffler.h: |
| (JSC::CallFrameShuffler::setCalleeJSValueRegs): |
| (JSC::CallFrameShuffler::assumeCalleeIsCell): |
| * jit/JIT.h: |
| * jit/JITArithmetic.cpp: |
| (JSC::JIT::emit_op_unsigned): |
| (JSC::JIT::emit_compareAndJump): |
| (JSC::JIT::emit_compareAndJumpImpl): |
| (JSC::JIT::emit_compareUnsignedAndJump): |
| (JSC::JIT::emit_compareUnsignedAndJumpImpl): |
| (JSC::JIT::emit_compareUnsigned): |
| (JSC::JIT::emit_compareUnsignedImpl): |
| (JSC::JIT::emit_compareAndJumpSlow): |
| (JSC::JIT::emit_compareAndJumpSlowImpl): |
| (JSC::JIT::emit_op_inc): |
| (JSC::JIT::emit_op_dec): |
| (JSC::JIT::emit_op_mod): |
| (JSC::JIT::emitBitBinaryOpFastPath): |
| (JSC::JIT::emit_op_bitnot): |
| (JSC::JIT::emitRightShiftFastPath): |
| (JSC::JIT::emitMathICFast): |
| (JSC::JIT::emitMathICSlow): |
| (JSC::JIT::emit_op_div): |
| * jit/JITCall.cpp: |
| (JSC::JIT::emitPutCallResult): |
| (JSC::JIT::compileSetupFrame): |
| (JSC::JIT::compileOpCall): |
| * jit/JITExceptions.cpp: |
| (JSC::genericUnwind): |
| * jit/JITInlines.h: |
| (JSC::JIT::isOperandConstantDouble): |
| (JSC::JIT::getConstantOperand): |
| (JSC::JIT::emitPutIntToCallFrameHeader): |
| (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult): |
| (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile): |
| (JSC::JIT::linkSlowCaseIfNotJSCell): |
| (JSC::JIT::isOperandConstantChar): |
| (JSC::JIT::getOperandConstantInt): |
| (JSC::JIT::getOperandConstantDouble): |
| (JSC::JIT::emitInitRegister): |
| (JSC::JIT::emitLoadTag): |
| (JSC::JIT::emitLoadPayload): |
| (JSC::JIT::emitGet): |
| (JSC::JIT::emitPutVirtualRegister): |
| (JSC::JIT::emitLoad): |
| (JSC::JIT::emitLoad2): |
| (JSC::JIT::emitLoadDouble): |
| (JSC::JIT::emitLoadInt32ToDouble): |
| (JSC::JIT::emitStore): |
| (JSC::JIT::emitStoreInt32): |
| (JSC::JIT::emitStoreCell): |
| (JSC::JIT::emitStoreBool): |
| (JSC::JIT::emitStoreDouble): |
| (JSC::JIT::emitJumpSlowCaseIfNotJSCell): |
| (JSC::JIT::isOperandConstantInt): |
| (JSC::JIT::emitGetVirtualRegister): |
| (JSC::JIT::emitGetVirtualRegisters): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_mov): |
| (JSC::JIT::emit_op_end): |
| (JSC::JIT::emit_op_new_object): |
| (JSC::JIT::emitSlow_op_new_object): |
| (JSC::JIT::emit_op_overrides_has_instance): |
| (JSC::JIT::emit_op_instanceof): |
| (JSC::JIT::emitSlow_op_instanceof): |
| (JSC::JIT::emit_op_is_empty): |
| (JSC::JIT::emit_op_is_undefined): |
| (JSC::JIT::emit_op_is_undefined_or_null): |
| (JSC::JIT::emit_op_is_boolean): |
| (JSC::JIT::emit_op_is_number): |
| (JSC::JIT::emit_op_is_cell_with_type): |
| (JSC::JIT::emit_op_is_object): |
| (JSC::JIT::emit_op_ret): |
| (JSC::JIT::emit_op_to_primitive): |
| (JSC::JIT::emit_op_set_function_name): |
| (JSC::JIT::emit_op_not): |
| (JSC::JIT::emit_op_jfalse): |
| (JSC::JIT::emit_op_jeq_null): |
| (JSC::JIT::emit_op_jneq_null): |
| (JSC::JIT::emit_op_jundefined_or_null): |
| (JSC::JIT::emit_op_jnundefined_or_null): |
| (JSC::JIT::emit_op_jneq_ptr): |
| (JSC::JIT::emit_op_eq): |
| (JSC::JIT::emit_op_jeq): |
| (JSC::JIT::emit_op_jtrue): |
| (JSC::JIT::emit_op_neq): |
| (JSC::JIT::emit_op_jneq): |
| (JSC::JIT::emit_op_throw): |
| (JSC::JIT::compileOpStrictEq): |
| (JSC::JIT::compileOpStrictEqJump): |
| (JSC::JIT::emit_op_to_number): |
| (JSC::JIT::emit_op_to_numeric): |
| (JSC::JIT::emit_op_to_string): |
| (JSC::JIT::emit_op_to_object): |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_get_parent_scope): |
| (JSC::JIT::emit_op_switch_imm): |
| (JSC::JIT::emit_op_switch_char): |
| (JSC::JIT::emit_op_switch_string): |
| (JSC::JIT::emit_op_eq_null): |
| (JSC::JIT::emit_op_neq_null): |
| (JSC::JIT::emit_op_enter): |
| (JSC::JIT::emit_op_get_scope): |
| (JSC::JIT::emit_op_to_this): |
| (JSC::JIT::emit_op_create_this): |
| (JSC::JIT::emit_op_check_tdz): |
| (JSC::JIT::emitSlow_op_eq): |
| (JSC::JIT::emitSlow_op_neq): |
| (JSC::JIT::emitSlow_op_instanceof_custom): |
| (JSC::JIT::emit_op_new_regexp): |
| (JSC::JIT::emitNewFuncCommon): |
| (JSC::JIT::emitNewFuncExprCommon): |
| (JSC::JIT::emit_op_new_array): |
| (JSC::JIT::emit_op_new_array_with_size): |
| (JSC::JIT::emit_op_has_structure_property): |
| (JSC::JIT::emit_op_has_indexed_property): |
| (JSC::JIT::emitSlow_op_has_indexed_property): |
| (JSC::JIT::emit_op_get_direct_pname): |
| (JSC::JIT::emit_op_enumerator_structure_pname): |
| (JSC::JIT::emit_op_enumerator_generic_pname): |
| (JSC::JIT::emit_op_profile_type): |
| (JSC::JIT::emit_op_log_shadow_chicken_prologue): |
| (JSC::JIT::emit_op_log_shadow_chicken_tail): |
| (JSC::JIT::emit_op_argument_count): |
| (JSC::JIT::emit_op_get_rest_length): |
| (JSC::JIT::emit_op_get_argument): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_catch): |
| * jit/JITOperations.cpp: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_get_by_val): |
| (JSC::JIT::emitSlow_op_get_by_val): |
| (JSC::JIT::emit_op_put_by_val): |
| (JSC::JIT::emitGenericContiguousPutByVal): |
| (JSC::JIT::emitArrayStoragePutByVal): |
| (JSC::JIT::emitPutByValWithCachedId): |
| (JSC::JIT::emitSlow_op_put_by_val): |
| (JSC::JIT::emit_op_put_getter_by_id): |
| (JSC::JIT::emit_op_put_setter_by_id): |
| (JSC::JIT::emit_op_put_getter_setter_by_id): |
| (JSC::JIT::emit_op_put_getter_by_val): |
| (JSC::JIT::emit_op_put_setter_by_val): |
| (JSC::JIT::emit_op_del_by_id): |
| (JSC::JIT::emit_op_del_by_val): |
| (JSC::JIT::emit_op_try_get_by_id): |
| (JSC::JIT::emitSlow_op_try_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_direct): |
| (JSC::JIT::emitSlow_op_get_by_id_direct): |
| (JSC::JIT::emit_op_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_with_this): |
| (JSC::JIT::emitSlow_op_get_by_id): |
| (JSC::JIT::emitSlow_op_get_by_id_with_this): |
| (JSC::JIT::emit_op_put_by_id): |
| (JSC::JIT::emit_op_in_by_id): |
| (JSC::JIT::emitSlow_op_in_by_id): |
| (JSC::JIT::emitResolveClosure): |
| (JSC::JIT::emit_op_resolve_scope): |
| (JSC::JIT::emitLoadWithStructureCheck): |
| (JSC::JIT::emitGetClosureVar): |
| (JSC::JIT::emit_op_get_from_scope): |
| (JSC::JIT::emitSlow_op_get_from_scope): |
| (JSC::JIT::emitPutGlobalVariable): |
| (JSC::JIT::emitPutGlobalVariableIndirect): |
| (JSC::JIT::emitPutClosureVar): |
| (JSC::JIT::emit_op_put_to_scope): |
| (JSC::JIT::emit_op_get_from_arguments): |
| (JSC::JIT::emit_op_put_to_arguments): |
| (JSC::JIT::emitWriteBarrier): |
| (JSC::JIT::emit_op_get_internal_field): |
| (JSC::JIT::emit_op_put_internal_field): |
| (JSC::JIT::emitIntTypedArrayPutByVal): |
| (JSC::JIT::emitFloatTypedArrayPutByVal): |
| * jit/JSInterfaceJIT.h: |
| (JSC::JSInterfaceJIT::emitLoadJSCell): |
| (JSC::JSInterfaceJIT::emitJumpIfNotJSCell): |
| (JSC::JSInterfaceJIT::emitLoadInt32): |
| (JSC::JSInterfaceJIT::emitLoadDouble): |
| (JSC::JSInterfaceJIT::emitGetFromCallFrameHeaderPtr): |
| (JSC::JSInterfaceJIT::emitPutToCallFrameHeader): |
| (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader): |
| * jit/SetupVarargsFrame.cpp: |
| (JSC::emitSetupVarargsFrameFastCase): |
| * jit/SpecializedThunkJIT.h: |
| (JSC::SpecializedThunkJIT::loadDoubleArgument): |
| (JSC::SpecializedThunkJIT::loadCellArgument): |
| (JSC::SpecializedThunkJIT::loadInt32Argument): |
| * jit/ThunkGenerators.cpp: |
| (JSC::absThunkGenerator): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::getNonConstantOperand): |
| (JSC::LLInt::getOperand): |
| (JSC::LLInt::genericCall): |
| (JSC::LLInt::varargsSetup): |
| (JSC::LLInt::commonCallEval): |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| (JSC::LLInt::handleVarargsCheckpoint): |
| (JSC::LLInt::dispatchToNextInstruction): |
| (JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call): |
| (JSC::LLInt::slow_path_checkpoint_osr_exit): |
| (JSC::LLInt::llint_throw_stack_overflow_error): |
| * llint/LLIntSlowPaths.h: |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/ArgList.h: |
| (JSC::MarkedArgumentBuffer::fill): |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedCodeBlock::hasCheckpoints const): |
| (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): |
| (JSC::CachedCodeBlock<CodeBlockType>::encode): |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/ConstructData.cpp: |
| (JSC::construct): |
| * runtime/ConstructData.h: |
| * runtime/DirectArguments.cpp: |
| (JSC::DirectArguments::copyToArguments): |
| * runtime/DirectArguments.h: |
| * runtime/GenericArguments.h: |
| * runtime/GenericArgumentsInlines.h: |
| (JSC::GenericArguments<Type>::copyToArguments): |
| * runtime/JSArray.cpp: |
| (JSC::JSArray::copyToArguments): |
| * runtime/JSArray.h: |
| * runtime/JSImmutableButterfly.cpp: |
| (JSC::JSImmutableButterfly::copyToArguments): |
| * runtime/JSImmutableButterfly.h: |
| * runtime/JSLock.cpp: |
| (JSC::JSLock::willReleaseLock): |
| * runtime/ModuleProgramExecutable.cpp: |
| (JSC::ModuleProgramExecutable::create): |
| * runtime/Options.cpp: |
| (JSC::recomputeDependentOptions): |
| * runtime/ScopedArguments.cpp: |
| (JSC::ScopedArguments::copyToArguments): |
| * runtime/ScopedArguments.h: |
| * runtime/VM.cpp: |
| (JSC::VM::addCheckpointOSRSideState): |
| (JSC::VM::findCheckpointOSRSideState): |
| (JSC::VM::scanSideState const): |
| * runtime/VM.h: |
| (JSC::VM::hasCheckpointOSRSideState const): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::dumpRegisters): |
| * wasm/WasmFunctionCodeBlock.h: |
| (JSC::Wasm::FunctionCodeBlock::getConstant const): |
| (JSC::Wasm::FunctionCodeBlock::getConstantType const): |
| * wasm/WasmLLIntGenerator.cpp: |
| (JSC::Wasm::LLIntGenerator::setUsesCheckpoints const): |
| * wasm/WasmOperations.cpp: |
| (JSC::Wasm::operationWasmToJSException): |
| * wasm/WasmSlowPaths.cpp: |
| |
| 2019-12-23 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Wasm OSR entry should capture top-most enclosing-stack |
| https://bugs.webkit.org/show_bug.cgi?id=205571 |
| |
| Reviewed by Keith Miller. |
| |
| OSR entry should capture the top-most enclosing-stack too. |
| Otherwise the def-node can be unreachable (since it is defined in a BB which is unreachable from the OSR entry point), |
| and eliminated. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::AirIRGenerator::addLoop): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::B3IRGenerator::addLoop): |
| * wasm/WasmLLIntGenerator.cpp: |
| (JSC::Wasm::LLIntGenerator::addLoop): |
| |
| 2019-12-23 Carlos Garcia Campos <cgarcia@igalia.com> |
| |
| WebDriver: fix handling of session timeouts for values higher than MAX_INT |
| https://bugs.webkit.org/show_bug.cgi?id=204114 |
| |
| Reviewed by Brian Burg. |
| |
| Fix generation of code with optional number in stack variable. |
| |
| * inspector/scripts/codegen/cpp_generator.py: |
| (CppGenerator.cpp_type_for_stack_in_parameter): Do not use Optional for numbers either. |
| * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: |
| |
| 2019-12-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix incorrect merging |
| https://bugs.webkit.org/show_bug.cgi?id=205327 |
| |
| r253862 and r253867 cause incorrect merging. This patch fixes it. |
| |
| * jit/ThunkGenerators.cpp: |
| (JSC::boundFunctionCallGenerator): |
| |
| 2019-12-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix debug failures due to missing exception checks |
| https://bugs.webkit.org/show_bug.cgi?id=205327 |
| |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::getOwnNonIndexPropertyNames): |
| (JSC::JSFunction::put): |
| (JSC::JSFunction::defineOwnProperty): |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::defineOwnNonIndexProperty): |
| |
| 2019-12-21 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Improve our bound function implementation |
| https://bugs.webkit.org/show_bug.cgi?id=205327 |
| |
| Reviewed by Keith Miller. |
| |
| This patch improves Function#bind, and calling bound function with bound arguments. |
| |
| 1. Rename CallFrameSlot::argumentCount to CallFrameSlot::argumentCountIncludingThis. |
| 2. Do not include name in NativeExecutable for JSBoundFunction. Putting name in NativeExecutable assumes that the function + name pair is almost identical. |
| This is true in host functions except for JSBoundFunction. JSBoundFunction should hold its name in JSBoundFunction. |
| 3. Cache NativeExecutable for JSBoundFunction in the VM. We use a hash-map in JITThunk for NativeExecutables because we assume that host-function creation cannot be |
| done by the user program: each executable is pre-defined to exactly one object by the environment, and there is no way to create host-functions repeatedly from |
| the user-program. The only exception to this is JSBoundFunction so caching it on the VM avoids the hash-map lookup. This is not true for JSBoundFunction. |
| 4. ThunkGenerator should support JSBoundFunction call with bound arguments. It turns out that Speedometer2/React-Redux-TodoMVC is using bound function with |
| bound arguments. Additionally, it is used. This is really bad: when dispatching an event, we first call this function from C++, entering JS world, |
| going back to C++ world again, and entering JS world to call bound function again. By using ThunkGenerator, we can eliminate this back and forth by directly |
| calling the bound JS Executable from the thunk. Previously, bound arguments were stored in a JSArray. But it is difficult to access them from the thunk since we need to consider the |
| have-a-bad-time case. Instead, we use JSImmutableButterfly to save bound arguments so that JIT thunk can quickly access arguments. To capture arguments as |
| JSImmutableButterfly in JS world, we introduce op_create_arguments_butterfly, and handle it in all tiers. |
| 5. It turns out that eager materialization of "length" in JSBoundFunction takes a long time while it is rarely used. This patch makes length lazily reified for JSBoundFunction. |
| 6. To make Function.prototype.bind faster, we track whether the "name" and "length" properties of JSFunction are modified or not. This skips the has-own-length-property check, which |
| makes Function.prototype.bind ~11% faster. |
| |
| Combining the things above, creation of JSBoundFunction is ~80% faster. And calling a bound function with bound arguments is ~3x faster. |
| This improves Speedometer2/React-TodoMVC by ~3%. |
| |
| * builtins/FunctionPrototype.js: |
| (bind): |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateImpl): |
| * bytecode/AccessCaseSnippetParams.cpp: |
| (JSC::SlowPathCallGeneratorWithArguments::generateImpl): |
| * bytecode/BytecodeIntrinsicRegistry.h: |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.cpp: |
| (JSC::computeUsesForBytecodeIndexImpl): |
| (JSC::computeDefsForBytecodeIndexImpl): |
| * bytecode/VirtualRegister.cpp: |
| (JSC::VirtualRegister::dump const): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::emitCreateArgumentsButterfly): |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_createArgumentsButterfly): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGArgumentsEliminationPhase.cpp: |
| * dfg/DFGArgumentsUtilities.cpp: |
| (JSC::DFG::argumentsInvolveStackSlot): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::flushImpl): |
| (JSC::DFG::ByteCodeParser::handleVarargsInlining): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::isLiveInBytecode): |
| * dfg/DFGGraph.h: |
| (JSC::DFG::Graph::forAllLocalsLiveInBytecode): |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::compileFunction): |
| * dfg/DFGJITCompiler.h: |
| (JSC::DFG::JITCompiler::emitStoreCallSiteIndex): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: |
| (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::emitRestoreArguments): |
| (JSC::DFG::reifyInlinedCallFrames): |
| (JSC::DFG::OSRExit::emitRestoreArguments): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::reifyInlinedCallFrames): |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPreciseLocalClobberize.h: |
| (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCreateArgumentsButterfly): |
| (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis): |
| (JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStackLayoutPhase.cpp: |
| (JSC::DFG::StackLayoutPhase::run): |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLink.cpp: |
| (JSC::FTL::link): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::lower): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateArgumentsButterfly): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): |
| (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): |
| (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength): |
| (JSC::FTL::DFG::LowerDFGToB3::callPreflight): |
| * ftl/FTLSlowPathCall.h: |
| (JSC::FTL::callOperation): |
| * interpreter/CallFrame.cpp: |
| (JSC::CallFrame::callSiteAsRawBits const): |
| (JSC::CallFrame::unsafeCallSiteAsRawBits const): |
| (JSC::CallFrame::setCurrentVPC): |
| * interpreter/CallFrame.h: |
| (JSC::CallFrame::argumentCountIncludingThis const): |
| (JSC::CallFrame::setArgumentCountIncludingThis): |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::jitAssertArgumentCountSane): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::argumentCount): |
| * jit/CCallHelpers.h: |
| (JSC::CCallHelpers::prepareForTailCallSlow): |
| * jit/CallFrameShuffler.cpp: |
| (JSC::CallFrameShuffler::dump const): |
| (JSC::CallFrameShuffler::prepareForTailCall): |
| (JSC::CallFrameShuffler::prepareAny): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::compileWithoutLinking): |
| * jit/JITCall.cpp: |
| (JSC::JIT::compileSetupFrame): |
| (JSC::JIT::compileOpCall): |
| * jit/JITCall32_64.cpp: |
| (JSC::JIT::compileSetupFrame): |
| (JSC::JIT::compileOpCall): |
| * jit/JITInlines.h: |
| (JSC::JIT::updateTopCallFrame): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_argument_count): |
| (JSC::JIT::emit_op_get_rest_length): |
| (JSC::JIT::emit_op_get_argument): |
| * jit/SetupVarargsFrame.cpp: |
| (JSC::emitSetupVarargsFrameFastCase): |
| * jit/SpecializedThunkJIT.h: |
| (JSC::SpecializedThunkJIT::SpecializedThunkJIT): |
| * jit/ThunkGenerators.cpp: |
| (JSC::arityFixupGenerator): |
| (JSC::boundFunctionCallGenerator): |
| (JSC::boundThisNoArgsFunctionCallGenerator): Deleted. |
| * jit/ThunkGenerators.h: |
| * jsc.cpp: |
| * llint/LLIntData.cpp: |
| (JSC::LLInt::Data::performAssertions): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * llint/WebAssembly.asm: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/CommonSlowPaths.h: |
| * runtime/ExecutableBase.h: |
| * runtime/FunctionRareData.cpp: |
| (JSC::FunctionRareData::FunctionRareData): |
| * runtime/FunctionRareData.h: |
| * runtime/IntlCollatorPrototype.cpp: |
| (JSC::IntlCollatorPrototypeGetterCompare): |
| * runtime/IntlDateTimeFormatPrototype.cpp: |
| (JSC::IntlDateTimeFormatPrototypeGetterFormat): |
| * runtime/IntlNumberFormatPrototype.cpp: |
| (JSC::IntlNumberFormatPrototypeGetterFormat): |
| * runtime/Intrinsic.cpp: |
| (JSC::intrinsicName): |
| * runtime/Intrinsic.h: |
| * runtime/JSBoundFunction.cpp: |
| (JSC::boundThisNoArgsFunctionCall): |
| (JSC::boundFunctionCall): |
| (JSC::boundThisNoArgsFunctionConstruct): |
| (JSC::boundFunctionConstruct): |
| (JSC::JSBoundFunction::create): |
| (JSC::JSBoundFunction::JSBoundFunction): |
| (JSC::JSBoundFunction::boundArgsCopy): |
| (JSC::JSBoundFunction::visitChildren): |
| * runtime/JSBoundFunction.h: |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::finishCreation): |
| (JSC::JSFunction::name): |
| (JSC::JSFunction::getOwnPropertySlot): |
| (JSC::JSFunction::getOwnNonIndexPropertyNames): |
| (JSC::JSFunction::put): |
| (JSC::JSFunction::deleteProperty): |
| (JSC::JSFunction::defineOwnProperty): |
| (JSC::JSFunction::reifyLength): |
| (JSC::JSFunction::reifyLazyPropertyIfNeeded): |
| (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded): |
| (JSC::JSFunction::reifyLazyBoundNameIfNeeded): |
| * runtime/JSFunction.h: |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::areNameAndLengthOriginal): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::makeBoundFunction): |
| (JSC::hasOwnLengthProperty): |
| * runtime/JSObject.h: |
| (JSC::getJSFunction): |
| (JSC::getCallData): Deleted. |
| (JSC::getConstructData): Deleted. |
| * runtime/JSObjectInlines.h: |
| (JSC::getCallData): |
| (JSC::getConstructData): |
| * runtime/VM.cpp: |
| (JSC::thunkGeneratorForIntrinsic): |
| (JSC::VM::getBoundFunction): |
| * runtime/VM.h: |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::wasmToJS): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| |
| 2019-12-20 Darin Adler <darin@apple.com> |
| |
| Make JSString values from literals in a single consistent style |
| https://bugs.webkit.org/show_bug.cgi?id=205517 |
| |
| Reviewed by Saam Barati. |
| |
| Some call sites did it like this: |
| |
| jsNontrivialString(vm, "literal"_s) |
| |
| Others did it one of these: |
| |
| jsString(vm, "literal") |
| jsNontrivialString(vm, "literal") |
| |
| Changed all the call sites to do it the first, *slightly* more efficient, way. |
| |
| * runtime/ArrayIteratorPrototype.cpp: |
| (JSC::ArrayIteratorPrototype::finishCreation): |
| * runtime/AsyncFunctionPrototype.cpp: |
| (JSC::AsyncFunctionPrototype::finishCreation): |
| * runtime/AsyncGeneratorFunctionPrototype.cpp: |
| (JSC::AsyncGeneratorFunctionPrototype::finishCreation): |
| * runtime/AsyncGeneratorPrototype.cpp: |
| (JSC::AsyncGeneratorPrototype::finishCreation): |
| * runtime/BigIntPrototype.cpp: |
| (JSC::BigIntPrototype::finishCreation): |
| * runtime/GeneratorFunctionPrototype.cpp: |
| (JSC::GeneratorFunctionPrototype::finishCreation): |
| * runtime/GeneratorPrototype.cpp: |
| (JSC::GeneratorPrototype::finishCreation): |
| * runtime/IntlCollatorPrototype.cpp: |
| (JSC::IntlCollatorPrototype::finishCreation): |
| * runtime/IntlDateTimeFormat.cpp: |
| (JSC::IntlDateTimeFormat::formatToParts): |
| * runtime/IntlDateTimeFormatPrototype.cpp: |
| (JSC::IntlDateTimeFormatPrototype::finishCreation): |
| * runtime/IntlNumberFormat.cpp: |
| (JSC::IntlNumberFormat::formatToParts): |
| * runtime/IntlNumberFormatPrototype.cpp: |
| (JSC::IntlNumberFormatPrototype::finishCreation): |
| * runtime/IntlPluralRulesPrototype.cpp: |
| (JSC::IntlPluralRulesPrototype::finishCreation): |
| * runtime/JSDataViewPrototype.cpp: |
| (JSC::JSDataViewPrototype::finishCreation): |
| * runtime/JSModuleNamespaceObject.cpp: |
| (JSC::JSModuleNamespaceObject::finishCreation): |
| * runtime/JSONObject.cpp: |
| (JSC::JSONObject::finishCreation): |
| * runtime/JSPromisePrototype.cpp: |
| (JSC::JSPromisePrototype::finishCreation): |
| * runtime/JSTypedArrayViewPrototype.cpp: |
| (JSC::typedArrayViewProtoGetterFuncToStringTag): |
| * runtime/MapIteratorPrototype.cpp: |
| (JSC::MapIteratorPrototype::finishCreation): |
| * runtime/MapPrototype.cpp: |
| (JSC::MapPrototype::finishCreation): |
| * runtime/MathObject.cpp: |
| (JSC::MathObject::finishCreation): |
| * runtime/RegExpPrototype.cpp: |
| (JSC::regExpProtoGetterSource): |
| * runtime/RegExpStringIteratorPrototype.cpp: |
| (JSC::RegExpStringIteratorPrototype::finishCreation): |
| * runtime/SetIteratorPrototype.cpp: |
| (JSC::SetIteratorPrototype::finishCreation): |
| * runtime/SetPrototype.cpp: |
| (JSC::SetPrototype::finishCreation): |
| * runtime/StringIteratorPrototype.cpp: |
| (JSC::StringIteratorPrototype::finishCreation): |
| * runtime/SymbolPrototype.cpp: |
| (JSC::SymbolPrototype::finishCreation): |
| * runtime/WeakMapPrototype.cpp: |
| (JSC::WeakMapPrototype::finishCreation): |
| * runtime/WeakObjectRefPrototype.cpp: |
| (JSC::WeakObjectRefPrototype::finishCreation): |
| * runtime/WeakSetPrototype.cpp: |
| (JSC::WeakSetPrototype::finishCreation): |
| Call jsNontrivialString instead of jsString and use the _s suffix. |
| |
| 2019-12-21 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove m_globalObject field from JSFunction |
| https://bugs.webkit.org/show_bug.cgi?id=205533 |
| |
| Reviewed by Mark Lam. |
| |
| JSFunction::m_globalObject is used only when it is using NativeExecutable. |
| And when using NativeExecutable, JSCallee::m_scope always points to the JSGlobalObject. |
| This patch removes JSFunction::m_globalObject field. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| * jit/ThunkGenerators.cpp: |
| (JSC::nativeForGenerator): |
| (JSC::boundThisNoArgsFunctionCallGenerator): |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::JSFunction): |
| * runtime/JSFunction.h: |
| (JSC::JSFunction::offsetOfGlobalObject): Deleted. |
| (JSC::JSFunction::globalObject const): Deleted. |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::JSFunction): |
| |
| 2019-12-20 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Memory usage statistics should be attainable without WebCore |
| https://bugs.webkit.org/show_bug.cgi?id=205366 |
| |
| Reviewed by Keith Miller. |
| |
| * API/JSBase.cpp: |
| (JSGetMemoryUsageStatistics): |
| * API/JSBasePrivate.h: |
| Add a private JSC API exposing the same Heap stats as WebCore's PerformanceLogging::memoryUsageStatistics. |
| |
| 2019-12-19 Saam Barati <sbarati@apple.com> |
| |
| Don't cache self customs on dictionaries |
| https://bugs.webkit.org/show_bug.cgi?id=205466 |
| <rdar://problem/58075545> |
| |
| Reviewed by Mark Lam. |
| |
| We had a bug where we would cache a custom value/accessor on a self property |
| of a cacheable dictionary object. This turns out to be wrong because the |
| inline cache won't fail (because we won't transition structures) if that |
| property is replaced with something else. We would do the right thing when |
| the custom was on the prototype chain, but when it was a self property, we |
| didn't. The reason customs are different from values/normal accessors is that |
| we dynamically load values/getters/setters from the object itself. For |
| customs, we cache the actual pointer value of the C function. This patch makes |
| it so we don't cache customs on dictionaries. |
| |
| * bytecode/ObjectPropertyConditionSet.cpp: |
| (JSC::prepareChainForCaching): |
| (JSC::preparePrototypeChainForCaching): Deleted. |
| * bytecode/ObjectPropertyConditionSet.h: |
| * jit/Repatch.cpp: |
| (JSC::tryCacheGetBy): |
| (JSC::tryCachePutByID): |
| (JSC::tryCacheInByID): |
| (JSC::tryCacheInstanceOf): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::setupGetByIdPrototypeCache): |
| * runtime/StructureRareData.cpp: |
| (JSC::StructureRareData::setObjectToStringValue): |
| |
| 2019-12-19 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: TypeError: InjectedScriptHost.isPromiseRejectedWithNativeGetterTypeError first argument must be a Promise |
| https://bugs.webkit.org/show_bug.cgi?id=205439 |
| |
| Reviewed by Brian Burg. |
| |
| Before r244312, we noticed that when Web Inspector would preview native getters that return |
| a `Promise`, Web Inspector would prevent `rejectionhandled` events from being fired since it |
| would always add a `.catch(() => {})` to any `Promise` that it was about to instrument in the |
| Console to avoid errors being added to the Console while expanding/collapsing value previews. |
| In order to prevent this, logic was added so that the `.catch(() => {})` was only added if |
| the `Promise` was returned from a native getter, such as from a `PromiseRejectionEvent`. |
| |
| In r244312, we made it such that this logic _required_ the `Promise` to already be rejected, |
| which is unnecessarily restrictive and not always the case nowadays. Instead, just check to |
| see if the result of the `Promise` is a native getter type error. |
| |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::isPromiseRejectedWithNativeGetterTypeError): |
| |
| 2019-12-18 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Elements: restrict showing paint flashing and compositing borders to the Web Inspector session |
| https://bugs.webkit.org/show_bug.cgi?id=205201 |
| |
| Reviewed by Timothy Hatcher. |
| |
| We often get bugs from users who turn on paint flashing or compositing borders, close Web |
| Inspector, reopen Web Inspector, and are then surprised when the page flashes red or these |
| borders exist all over the page. |
| |
| Given that the dark mode and print styles toggles are limited to the Web Inspector session, |
| we should make these have the same behavior. |
| |
| * inspector/protocol/Page.json: |
| Allow Web Inspector to override the `showDebugBorders` and `showRepaintCounter` settings via |
| the `inspectorOverride` key, rather than setting them manually via a special `Page` command. |
| |
| 2019-12-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] 8Bit JSRopeString can contain 16Bit string in its rope |
| https://bugs.webkit.org/show_bug.cgi?id=205323 |
| |
| Reviewed by Mark Lam. |
| |
| When resolving a JSRopeString, it is possible that an 8Bit JSRopeString becomes a 16Bit resolved JSString. |
| This happens when we attempt to resolve it to produce an AtomicStringImpl, and a 16Bit version of the |
| resolved content is already in the AtomicStringTable. This means that the 16Bit flag never changes after resolving a |
| JSString, but that of a JSRopeString is some sort of hint, which can be changed. |
| |
| This means that an 8Bit JSRopeString can include 16Bit JSStrings, since some of the children can be changed from |
| 8Bit JSRopeString to resolved 16Bit JSString. Even in that case, we can still ensure that the resolved string |
| can be represented as 8Bit. Let's look at an example. |
| |
| A => B + C, 8Bit Rope |
| B => D + E, 8Bit Rope |
| C => 8Bit String |
| |
| And when we convert B to a 16Bit String since the content of `D + E` is already registered as a 16Bit String in the AtomicStringTable: |
| |
| A => B + C, 8Bit Rope |
| B => 16Bit String |
| C => 8Bit String |
| |
| When resolving A, creating an 8Bit string buffer is totally OK since we know that the whole A string can be represented in 8Bit. |
| When copying the content of B into the 8Bit buffer, we should ignore the upper 8 bits since they must be zero. |
| |
| In this patch, we completely share the implementation of resolveRopeInternalNoSubstring and resolveRopeSlowCase in 8Bit and |
| 16Bit case: we take result buffer CharacterType, but the underlying code must check `is8Bit()` for each fiber. |
| |
| * runtime/JSCJSValue.cpp: |
| (JSC::JSValue::dumpInContextAssumingStructure const): |
| * runtime/JSString.cpp: |
| (JSC::JSRopeString::resolveRopeInternal8 const): |
| (JSC::JSRopeString::resolveRopeInternal16 const): |
| (JSC::JSRopeString::resolveRopeInternalNoSubstring const): |
| (JSC::JSRopeString::resolveRopeWithFunction const): |
| (JSC::JSRopeString::resolveRopeSlowCase const): |
| (JSC::JSRopeString::resolveRopeInternal8NoSubstring const): Deleted. |
| (JSC::JSRopeString::resolveRopeInternal16NoSubstring const): Deleted. |
| (JSC::JSRopeString::resolveRopeSlowCase8 const): Deleted. |
| * runtime/JSString.h: |
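
The mixed-width rope case described in this entry, as an added illustration that is not JSC's code: a toy rope in which the 8-bit flag is a hard fact on resolved strings but only a hint on ropes, a rope child that gets resolved in place as a 16-bit string while its parent keeps the 8-bit hint, and a resolver that checks the width of every fiber instead of trusting the root. The names (Fiber, makeRope, resolveInto, resolveAs16BitInPlace, buildMixedExample) are hypothetical, and the assertion on the upper byte stands in for the invariant the ChangeLog states, that such a fiber only ever holds Latin-1 content.

```cpp
// Added example, not JSC's code: a minimal rope where is8Bit is the storage
// width for resolved strings and merely a hint for ropes. All names here
// are hypothetical and chosen for this illustration.
#include <cassert>
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

struct Fiber;
using FiberPtr = std::shared_ptr<Fiber>;

struct Fiber {
    bool isRope = false;
    // Resolved string: storage width, never changes after resolution.
    // Rope: a hint computed at construction, "all content fits in 8 bits".
    bool is8Bit = true;
    std::vector<uint8_t> chars8;     // valid when !isRope && is8Bit
    std::vector<uint16_t> chars16;   // valid when !isRope && !is8Bit
    std::vector<FiberPtr> children;  // valid when isRope
};

FiberPtr makeString8(const std::string& s) {
    auto f = std::make_shared<Fiber>();
    f->chars8.assign(s.begin(), s.end());
    return f;
}

FiberPtr makeRope(std::vector<FiberPtr> children) {
    auto f = std::make_shared<Fiber>();
    f->isRope = true;
    f->is8Bit = true;
    for (const auto& c : children)
        f->is8Bit = f->is8Bit && c->is8Bit;  // hint derived from the children at build time
    f->children = std::move(children);
    return f;
}

// Append the fiber's content to a buffer of CharType. Each fiber's own width
// is checked; the root rope's hint is never used to pick the copy loop.
template<typename CharType>
void resolveInto(const Fiber& fiber, std::vector<CharType>& out) {
    if (fiber.isRope) {
        for (const auto& child : fiber.children)
            resolveInto<CharType>(*child, out);
        return;
    }
    if (fiber.is8Bit) {
        for (uint8_t c : fiber.chars8)
            out.push_back(static_cast<CharType>(c));
        return;
    }
    for (uint16_t c : fiber.chars16) {
        // A 16-bit fiber under an 8-bit rope holds Latin-1 only, so the upper
        // byte is zero and narrowing it to 8 bits loses nothing.
        if (sizeof(CharType) == 1)
            assert((c >> 8) == 0);
        out.push_back(static_cast<CharType>(c));
    }
}

// Resolve a rope in place as a 16-bit string, as happens when an equal 16-bit
// string already lives in the atom table. The parent's hint is left untouched.
void resolveAs16BitInPlace(Fiber& rope) {
    std::vector<uint16_t> buf;
    resolveInto<uint16_t>(rope, buf);
    rope.children.clear();
    rope.isRope = false;
    rope.is8Bit = false;
    rope.chars16 = std::move(buf);
}

std::string resolveTo8Bit(const Fiber& rope) {
    std::vector<uint8_t> buf;
    resolveInto<uint8_t>(rope, buf);
    return std::string(buf.begin(), buf.end());
}

// The scenario from the ChangeLog: A => B + C, B => D + E, all 8-bit, then B
// becomes a resolved 16-bit string while A still carries the 8-bit hint.
struct MixedExample { FiberPtr a, b; };

MixedExample buildMixedExample() {
    FiberPtr d = makeString8("ab"), e = makeString8("cd"), c = makeString8("ef");
    FiberPtr b = makeRope({d, e});
    FiberPtr a = makeRope({b, c});
    resolveAs16BitInPlace(*b);
    return {a, b};
}

std::string resolveMixedExample() {
    return resolveTo8Bit(*buildMixedExample().a);
}

bool mixedExampleHintsAsDescribed() {
    MixedExample ex = buildMixedExample();
    return ex.a->is8Bit && !ex.b->is8Bit;
}

int main() {
    assert(resolveMixedExample() == "abcdef");
    assert(mixedExampleHintsAsDescribed());
    return 0;
}
```

The point of the per-fiber check is the one the entry makes: once a child has been resolved to 16-bit storage, a resolver that dispatches on the root's hint would read 8-bit bytes out of a 16-bit buffer; dispatching on each fiber's own flag keeps the 8-bit result buffer valid because the content is still Latin-1.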
| |
| 2019-12-17 Carlos Garcia Campos <cgarcia@igalia.com> |
| |
| [GLIB] jsc_context_evaluate_in_object should take the API lock before calling setGlobalScopeExtension |
| https://bugs.webkit.org/show_bug.cgi?id=205331 |
| |
| Reviewed by Žan Doberšek. |
| |
| We are now getting a crash due to an assert because the API lock is not held. |
| |
| * API/glib/JSCContext.cpp: |
| (jsc_context_evaluate_in_object): |
| |
| 2019-12-16 Mark Lam <mark.lam@apple.com> |
| |
| Relanding r253581: Changed jsc shell timeout mechanism to leverage the VMTraps and use CPUTime. |
| https://bugs.webkit.org/show_bug.cgi?id=205279 |
| <rdar://problem/57971874> |
| |
| Reviewed by Saam Barati. |
| |
| This fixes all the timeouts that occur due to CPU time starvation when |
| running JSC tests on a debug build. |
| |
| What this means is that the timeout mechanism may trigger asynchronous |
| OSR exits. If a test requires no OSR exits, that test should |
| requireOption("--usePollingTraps=true") so that the VMTraps will use its |
| polling implementation instead. |
| |
| I've tested this with a full run of the JSC stress tests with a debug |
| build and saw 0 timeouts. I've also tested it with a contrived test that |
| loops forever, and saw the expected timeout crash. |
| |
| Will look into re-tuning needed timeout value (and other JSC tests timeout |
| cleanup) in https://bugs.webkit.org/show_bug.cgi?id=205298. |
| |
| Update: in the previously landed patch, I did a last minute sort of the cases |
| in the switch statement in VMTraps::handleTraps() before posting my patch. |
| This is incorrect to do since one of the cases needs to fall through to another |
| case. This patch undoes the sorting to the order I originally had the cases |
| in during development and testing. |
| |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::executeProgram): |
| (JSC::Interpreter::executeCall): |
| (JSC::Interpreter::executeConstruct): |
| (JSC::Interpreter::execute): |
| (JSC::Interpreter::executeModuleProgram): |
| * interpreter/InterpreterInlines.h: |
| (JSC::Interpreter::execute): |
| * jsc.cpp: |
| (startTimeoutTimer): |
| (timeoutCheckCallback): |
| (initializeTimeoutIfNeeded): |
| (startTimeoutThreadIfNeeded): |
| (runJSC): |
| (jscmain): |
| * runtime/JSCConfig.h: |
| * runtime/VM.h: |
| (JSC::VM::notifyNeedShellTimeoutCheck): |
| * runtime/VMTraps.cpp: |
| (JSC::VMTraps::handleTraps): |
| * runtime/VMTraps.h: |
| (JSC::VMTraps::Mask::Mask): |
| (JSC::VMTraps::Mask::allEventTypes): |
| (JSC::VMTraps::Mask::init): |
| (JSC::VMTraps::interruptingTraps): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::forEachVM): |
| * tools/VMInspector.h: |
| |
| 2019-12-16 Mark Lam <mark.lam@apple.com> |
| |
| Rolling out: r253581 is failing tests on a release build. |
| https://bugs.webkit.org/show_bug.cgi?id=205279 |
| <rdar://problem/57971874> |
| |
| Not reviewed. |
| |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::executeProgram): |
| (JSC::Interpreter::executeCall): |
| (JSC::Interpreter::executeConstruct): |
| (JSC::Interpreter::execute): |
| (JSC::Interpreter::executeModuleProgram): |
| * interpreter/InterpreterInlines.h: |
| (JSC::Interpreter::execute): |
| * jsc.cpp: |
| (startTimeoutThreadIfNeeded): |
| (runJSC): |
| (jscmain): |
| (startTimeoutTimer): Deleted. |
| (timeoutCheckCallback): Deleted. |
| (initializeTimeoutIfNeeded): Deleted. |
| * runtime/JSCConfig.h: |
| * runtime/VM.h: |
| (JSC::VM::notifyNeedDebuggerBreak): |
| (JSC::VM::notifyNeedShellTimeoutCheck): Deleted. |
| * runtime/VMTraps.cpp: |
| (JSC::VMTraps::handleTraps): |
| * runtime/VMTraps.h: |
| (JSC::VMTraps::Mask::Mask): |
| (JSC::VMTraps::Mask::allEventTypes): |
| (JSC::VMTraps::Mask::init): |
| (JSC::VMTraps::interruptingTraps): Deleted. |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::forEachVM): Deleted. |
| * tools/VMInspector.h: |
| |
| 2019-12-16 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| ASSERTION FAILED: length <= maximumLength in js-fixed-array-out-of-memory.js |
| https://bugs.webkit.org/show_bug.cgi?id=205259 |
| <rdar://problem/57978411> |
| |
| Reviewed by Mark Lam. |
| |
| JSImmutableButterfly has a moderate size limit on its length, while JSFixedArray does not. |
| We should check this maximumLength when creating it in Spread, and if it is exceeded, we should |
| throw an OOM error. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileSpread): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileSpread): |
| * runtime/ArrayConventions.h: |
| * runtime/IndexingHeader.h: |
| * runtime/JSImmutableButterfly.h: |
| (JSC::JSImmutableButterfly::tryCreate): |
| (JSC::JSImmutableButterfly::allocationSize): |
| |
| 2019-12-16 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put non-dynamic scope cells in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=205311 |
| |
| Reviewed by Mark Lam. |
| |
| Put non-dynamic scope cells in IsoSubspace. |
| |
| - JSWithScope |
| - StrictEvalActivation |
| |
| * runtime/JSScope.h: |
| (JSC::JSScope::subspaceFor): |
| * runtime/JSSymbolTableObject.h: |
| * runtime/JSWithScope.h: |
| * runtime/StrictEvalActivation.h: |
| * runtime/VM.cpp: |
| * runtime/VM.h: |
| |
| 2019-12-16 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put DebuggerScope in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=205303 |
| |
| Reviewed by Mark Lam. |
| |
| Put DebuggerScope in IsoSubspace, and refine empty `subspaceFor` implementations. |
| |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::subspaceFor): |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::subspaceFor): |
| * debugger/DebuggerScope.h: |
| * runtime/AbstractModuleRecord.h: |
| (JSC::AbstractModuleRecord::subspaceFor): |
| * runtime/JSArrayBufferView.h: |
| (JSC::JSArrayBufferView::subspaceFor): |
| * runtime/JSInternalFieldObjectImpl.h: |
| (JSC::JSInternalFieldObjectImpl::subspaceFor): |
| * runtime/JSWrapperObject.h: |
| (JSC::JSWrapperObject::subspaceFor): |
| * runtime/VM.cpp: |
| * runtime/VM.h: |
| |
| 2019-12-16 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Move JSCell::subspaceFor to JSObject::subspaceFor, removing destructibleCellSpace |
| https://bugs.webkit.org/show_bug.cgi?id=205300 |
| |
| Reviewed by Mark Lam. |
| |
| All non-JSObject JSCells have their own IsoSubspace / CompleteSubspace. We remove JSCell::subspaceFor function, |
| and move it to JSObject::subspaceFor. And we remove destructibleCellSpace since nobody uses it. |
| |
| * runtime/JSCell.h: |
| * runtime/JSCellInlines.h: |
| (JSC::JSCell::subspaceFor): Deleted. |
| * runtime/JSObject.h: |
| * runtime/JSObjectInlines.h: |
| (JSC::JSObject::subspaceFor): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-12-16 Mark Lam <mark.lam@apple.com> |
| |
| Changed jsc shell timeout mechanism to leverage the VMTraps and use CPUTime. |
| https://bugs.webkit.org/show_bug.cgi?id=205279 |
| <rdar://problem/57971874> |
| |
| Reviewed by Saam Barati. |
| |
| This fixes all the timeouts that occur due to CPU time starvation when |
| running JSC tests on a debug build. |
| |
| What this means is that the timeout mechanism may trigger asynchronous |
| OSR exits. If a test requires no OSR exits, that test should |
| requireOption("--usePollingTraps=true") so that VMTraps will use its |
| polling implementation instead. |
| |
| I've tested this with a full run of the JSC stress tests with a debug |
| build and saw 0 timeouts. I've also tested it with a contrived test that |
| loops forever, and saw the expected timeout crash. |
| |
| Will look into re-tuning the needed timeout value (and other JSC test timeout |
| cleanup) in https://bugs.webkit.org/show_bug.cgi?id=205298. |
| |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::executeProgram): |
| (JSC::Interpreter::executeCall): |
| (JSC::Interpreter::executeConstruct): |
| (JSC::Interpreter::execute): |
| (JSC::Interpreter::executeModuleProgram): |
| * interpreter/InterpreterInlines.h: |
| (JSC::Interpreter::execute): |
| * jsc.cpp: |
| (timeoutCheckCallback): |
| (initializeTimeoutIfNeeded): |
| (startTimeoutThreadIfNeeded): |
| (runJSC): |
| (jscmain): |
| * runtime/JSCConfig.h: |
| * runtime/VM.h: |
| (JSC::VM::notifyNeedShellTimeoutCheck): |
| * runtime/VMTraps.cpp: |
| (JSC::VMTraps::handleTraps): |
| * runtime/VMTraps.h: |
| (JSC::VMTraps::Mask::Mask): |
| (JSC::VMTraps::Mask::allEventTypes): |
| (JSC::VMTraps::Mask::init): |
| (JSC::VMTraps::interruptingTraps): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::forEachVM): |
| * tools/VMInspector.h: |
| |
| 2019-12-16 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove ArrayBufferNeuteringWatchpointSet |
| https://bugs.webkit.org/show_bug.cgi?id=205194 |
| |
| Reviewed by Saam Barati. |
| |
| This patch removes ArrayBufferNeuteringWatchpointSet and instead puts InlineWatchpointSet directly into ArrayBuffer, since this is much simpler. |
| The main reason why we were using ArrayBufferNeuteringWatchpointSet is not to increase sizeof(ArrayBuffer). But this complicates the implementation. |
| So, not to increase sizeof(ArrayBuffer), we use PackedRefPtr in ArrayBuffer, which is a RefPtr whose pointer is packed. This gives us 8 bytes, which is |
| suitable for placing InlineWatchpointSet without increasing sizeof(ArrayBuffer). We also convert Function<> in ArrayBuffer to PackedRefPtr<SharedTask<>>, |
| and share the Gigacage::free destructor among multiple ArrayBuffers. This is memory efficient since this is the common case, and we can pack this field easily. |
| |
| * API/JSTypedArray.cpp: |
| (JSObjectMakeTypedArrayWithBytesNoCopy): |
| (JSObjectMakeArrayBufferWithBytesNoCopy): |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * dfg/DFGDesiredWatchpoints.cpp: |
| (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::tryGetFoldableView): |
| * runtime/ArrayBuffer.cpp: |
| (JSC::ArrayBuffer::primitiveGigacageDestructor): |
| (JSC::SharedArrayBufferContents::~SharedArrayBufferContents): |
| (JSC::ArrayBufferContents::destroy): |
| (JSC::ArrayBufferContents::reset): |
| (JSC::ArrayBufferContents::tryAllocate): |
| (JSC::ArrayBufferContents::makeShared): |
| (JSC::ArrayBufferContents::shareWith): |
| (JSC::ArrayBuffer::createAdopted): |
| (JSC::ArrayBuffer::transferTo): |
| (JSC::ArrayBuffer::neuter): |
| (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer): |
| * runtime/ArrayBuffer.h: |
| (JSC::ArrayBuffer::neuteringWatchpointSet): |
| * runtime/ArrayBufferNeuteringWatchpointSet.cpp: Removed. |
| * runtime/FileBasedFuzzerAgent.cpp: |
| (JSC::FileBasedFuzzerAgent::getPredictionInternal): |
| * runtime/FileBasedFuzzerAgentBase.cpp: |
| (JSC::FileBasedFuzzerAgentBase::createLookupKey): |
| * runtime/PredictionFileCreatingFuzzerAgent.cpp: |
| (JSC::PredictionFileCreatingFuzzerAgent::getPredictionInternal): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * wasm/js/JSWebAssemblyMemory.cpp: |
| (JSC::JSWebAssemblyMemory::buffer): |
| |
| 2019-12-14 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [GTK][WPE] Fix various non-unified build issues introduced since r251698 |
| https://bugs.webkit.org/show_bug.cgi?id=204891 |
| |
| Reviewed by Alex Christensen. |
| |
| * API/JSCallbackConstructor.h: Add missing inclusion of JSObject.h |
| * bytecompiler/BytecodeGeneratorBaseInlines.h: Add missing "#pragma once", which |
| caused build breakage when the same unified source would result in multiple inclusions of |
| the header. |
| * bytecompiler/NodesCodegen.cpp: Add missing inclusion of BytecodeGeneratorBaseInlines.h |
| * dfg/DFGDesiredIdentifiers.h: Add missing inclusion of Identifier.h |
| * heap/IsoSubspacePerVM.cpp: Add missing inclusion of MarkedSpaceInlines.h |
| * jit/GCAwareJITStubRoutine.h: Add missing forward declaration for CallLinkInfo. |
| * runtime/PredictionFileCreatingFuzzerAgent.cpp: Add missing inclusion of wtf/DataLog.h |
| * runtime/ScopedArgumentsTable.h: Add missing inclusion of VM.h |
| * wasm/WasmCallee.cpp: Add missing inclusion of WasmCallingConvention.h |
| * wasm/WasmLLIntTierUpCounter.h: Add missing inclusion of InstructionStream.h |
| * wasm/WasmSlowPaths.cpp: Add missing inclusion of WasmSignatureInlines.h |
| |
| 2019-12-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove JSFixedArray, and use JSImmutableButterfly instead |
| https://bugs.webkit.org/show_bug.cgi?id=204402 |
| |
| Reviewed by Mark Lam. |
| |
| This patch removes JSFixedArray and uses JSImmutableButterfly instead. JSFixedArray can be replaced by |
| JSImmutableButterfly with Contiguous shape. And further, we can create an array from the JSImmutableButterfly |
| generated by the Spread node in NewArrayBufferWithSpread. |
| |
| Currently, we are always creating a contiguous JSImmutableButterfly from Spread. If it takes a contiguous CoW |
| array, we can reuse the JSImmutableButterfly of the input. But if it is CoW and not contiguous shape (like |
| CopyOnWriteArrayWithInt32), we create a JSImmutableButterfly and copy it to this new butterfly. We can |
| extend it to accept non-contiguous JSImmutableButterfly in the future. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * bytecompiler/BytecodeGenerator.cpp: |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileSpread): |
| (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread): |
| (JSC::DFG::SpeculativeJIT::compileObjectKeys): |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::toButterfly): |
| * ftl/FTLOperations.cpp: |
| (JSC::FTL::operationMaterializeObjectInOSR): |
| * interpreter/Interpreter.cpp: |
| (JSC::sizeOfVarargs): |
| (JSC::loadVarargs): |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/JSCast.h: |
| * runtime/JSFixedArray.cpp: Removed. |
| * runtime/JSFixedArray.h: Removed. |
| * runtime/JSImmutableButterfly.h: |
| (JSC::JSImmutableButterfly::createFromArray): |
| (JSC::JSImmutableButterfly::offsetOfPublicLength): |
| (JSC::JSImmutableButterfly::offsetOfVectorLength): |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-12-13 Saam Barati <sbarati@apple.com> |
| |
| Structure should have a bloom filter of seen identifiers |
| https://bugs.webkit.org/show_bug.cgi?id=205182 |
| |
| Reviewed by Yusuke Suzuki and Tadeu Zagallo. |
| |
| This patch adds a bloom filter of seen identifiers to Structure. This usually allows |
| us to quickly determine if a Structure *has not* seen a particular property. Based |
| on some logging I added in JetStream2 and Speedometer2, 70% of calls to Structure::get |
| result in us returning invalidOffset (e.g., the property does not exist). This patch |
| allows that path to be even faster. This bloom filter is just modeling what goes inside |
| Structure's property table. For that reason, we don't need to consider things inside |
| the static property table. We reason about the static property table inside JSObject's |
| property lookup. |
| |
| This patch appears to be a 0.5% progression on Speedometer2. |
| |
| * runtime/Structure.cpp: |
| (JSC::Structure::Structure): |
| * runtime/Structure.h: |
| * runtime/StructureInlines.h: |
| (JSC::Structure::get): |
| (JSC::Structure::add): |
| |
| 2019-12-13 Mark Lam <mark.lam@apple.com> |
| |
| Fix bad exception assertion in ExceptionHelpers.cpp's createError(). |
| https://bugs.webkit.org/show_bug.cgi?id=205230 |
| <rdar://problem/57875688> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The code in createError() was doing the following: |
| |
| String valueDescription = errorDescriptionForValue(globalObject, value); |
| EXCEPTION_ASSERT(scope.exception() || !!valueDescription); |
| if (!valueDescription) { |
|     scope.clearException(); |
|     return createOutOfMemoryError(globalObject); |
| } |
| |
| If errorDescriptionForValue() throws an exception, then we expect the |
| valueDescription string to be null so that we can throw an OutOfMemoryError. |
| However, errorDescriptionForValue() can detect an imminent overflow in String |
| length and just return a null string without throwing an exception which fails |
| the above assertion. |
| |
| The fix is to simply do an explicit exception check in addition to the null string |
| check and remove the assertion. |
| |
| * runtime/ExceptionHelpers.cpp: |
| (JSC::createError): |
| |
| 2019-12-13 Saam Barati <sbarati@apple.com> |
| |
| Add a Heap::finalize function that takes WTF::Function<void()> |
| https://bugs.webkit.org/show_bug.cgi?id=205211 |
| |
| Reviewed by Geoffrey Garen. |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::addFinalizer): |
| (JSC::Heap::FinalizerOwner::finalize): |
| * heap/Heap.h: |
| |
| 2019-12-13 Jim Mason <jmason@ibinx.com> |
| |
| [GTK] WebKitGTK build hangs on g-ir-scanner |
| https://bugs.webkit.org/show_bug.cgi?id=204715 |
| |
| This patch fixes the static initialization order problem |
| introduced by Bug 204503. |
| |
| The patch replaces the static data members with statics that |
| are constructed only upon first access (i.e., the 'construct |
| on first use' idiom). |
| |
| Reviewed by Carlos Garcia Campos. |
| |
| * inspector/remote/RemoteInspector.h: |
| * inspector/remote/glib/RemoteInspectorGlib.cpp: |
| (Inspector::RemoteInspector::start): |
| (Inspector::RemoteInspector::messageHandlers): |
| * inspector/remote/glib/RemoteInspectorServer.cpp: |
| (Inspector::RemoteInspectorServer::messageHandlers): |
| (Inspector::RemoteInspectorServer::incomingConnectionCallback): |
| * inspector/remote/glib/RemoteInspectorServer.h: |
| |
| 2019-12-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Puts fixed-sized cells into IsoSubspace more |
| https://bugs.webkit.org/show_bug.cgi?id=205183 |
| |
| Reviewed by Saam Barati. |
| |
| This patch puts many fixed-sized cells into IsoSubspace. |
| |
| - Exception |
| - JSPropertyNameEnumerator |
| - RegExp |
| - StructureChain |
| - MapBucket |
| - JSMapIterator |
| - ScopedArgumentsTable |
| - SetBucket |
| - JSSetIterator |
| - JSScriptFetchParameters |
| - JSScriptFetcher |
| - JSSourceCode |
| - JSTemplateObjectDescriptor |
| |
| * runtime/Exception.h: |
| * runtime/HashMapImpl.h: |
| (JSC::HashMapBucket::selectStructure): Deleted. |
| (JSC::HashMapBucket::info): Deleted. |
| (JSC::HashMapBucket::createStructure): Deleted. |
| (JSC::HashMapBucket::create): Deleted. |
| (JSC::HashMapBucket::createSentinel): Deleted. |
| (JSC::HashMapBucket::HashMapBucket): Deleted. |
| (JSC::HashMapBucket::setNext): Deleted. |
| (JSC::HashMapBucket::setPrev): Deleted. |
| (JSC::HashMapBucket::setKey): Deleted. |
| (JSC::HashMapBucket::setValue): Deleted. |
| (JSC::HashMapBucket::key const): Deleted. |
| (JSC::HashMapBucket::value const): Deleted. |
| (JSC::HashMapBucket::next const): Deleted. |
| (JSC::HashMapBucket::prev const): Deleted. |
| (JSC::HashMapBucket::deleted const): Deleted. |
| (JSC::HashMapBucket::makeDeleted): Deleted. |
| (JSC::HashMapBucket::offsetOfKey): Deleted. |
| (JSC::HashMapBucket::offsetOfValue): Deleted. |
| (JSC::HashMapBucket::offsetOfNext): Deleted. |
| (JSC::HashMapBucket::extractValue): Deleted. |
| * runtime/JSMapIterator.h: |
| * runtime/JSPropertyNameEnumerator.h: |
| * runtime/JSScriptFetchParameters.h: |
| * runtime/JSScriptFetcher.h: |
| * runtime/JSSetIterator.h: |
| * runtime/JSSourceCode.h: |
| * runtime/JSTemplateObjectDescriptor.h: |
| * runtime/RegExp.h: |
| * runtime/ScopedArgumentsTable.h: |
| * runtime/StructureChain.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-12-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Wasm init-expr should reject mutable globals |
| https://bugs.webkit.org/show_bug.cgi?id=205191 |
| |
| Reviewed by Mark Lam. |
| |
| For init-expr, the expr must be a constant[1]. A constant expr, as defined in the Wasm spec, requires that, if the expr is GetGlobal, the |
| global's mutability is immutable. Previously our imported globals were always immutable, so we were using an ASSERT instead of checking |
| mutability in WasmSectionParser. But now we have the ability to import mutable globals. We should check mutability when parsing init-expr. |
| We did not have this check previously, which leads to a spec-correctness issue: we can initialize globals/elements/data-segments |
| with snapshot values of mutable globals (this is safe, but it is not spec-compliant, and it is not reasonable semantics), while |
| such an attempt should be rejected when compiling Wasm modules. |
| |
| This patch adds necessary checks. |
| |
| [1]: https://webassembly.github.io/spec/core/valid/instructions.html#valid-constant |
| |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseInitExpr): |
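The mutability check this entry describes, as an added example that is not WebKit's code and does not reproduce JSC::Wasm::SectionParser::parseInitExpr: a stand-alone validator for one init-expr over the MVP constant instructions (i32/i64/f32/f64 const and global.get), whose global.get branch rejects mutable globals. GlobalType, InitExprResult and the sample bytes are constructed assumptions.

```cpp
// Added example, not WebKit code: a minimal validator for one Wasm init-expr applying the rule
// from the entry above (a constant expression may read a global only if that global is immutable).
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

struct GlobalType { bool isMutable; };                 // hypothetical; only mutability matters here
struct InitExprResult { bool ok; std::string error; }; // hypothetical; error is empty when ok

// Unsigned LEB128 that must fit in u32 (at most 5 bytes); false on truncation or overflow.
static bool decodeULEB128(const std::vector<uint8_t>& bytes, size_t& offset, uint32_t& out)
{
    uint64_t result = 0;
    for (unsigned shift = 0; shift < 35; shift += 7) {
        if (offset >= bytes.size()) return false;
        uint8_t byte = bytes[offset++];
        result |= static_cast<uint64_t>(byte & 0x7F) << shift;
        if (!(byte & 0x80)) {
            out = static_cast<uint32_t>(result);
            return result <= UINT32_MAX; // false when the value overflowed u32
        }
    }
    return false;
}

// Signed LEB128 of at most maxBytes bytes (5 for i32, 10 for i64); false on truncation.
static bool decodeSLEB128(const std::vector<uint8_t>& bytes, size_t& offset, unsigned maxBytes, int64_t& out)
{
    uint64_t result = 0; unsigned shift = 0;
    for (unsigned i = 0; i < maxBytes; ++i) {
        if (offset >= bytes.size()) return false;
        uint8_t byte = bytes[offset++];
        result |= static_cast<uint64_t>(byte & 0x7F) << shift;
        shift += 7;
        if (!(byte & 0x80)) {
            if (shift < 64 && (byte & 0x40)) // sign bit of the last group set: extend
                result |= ~uint64_t(0) << shift;
            out = static_cast<int64_t>(result);
            return true;
        }
    }
    return false;
}

// An init-expr is exactly one constant instruction followed by `end` (0x0B).
InitExprResult validateInitExpr(const std::vector<uint8_t>& bytes, const std::vector<GlobalType>& globals)
{
    if (bytes.empty())
        return { false, "empty init-expr" };
    size_t offset = 0;
    uint8_t opcode = bytes[offset++];
    switch (opcode) {
    case 0x41:   // i32.const (up to 5 LEB128 bytes)
    case 0x42: { // i64.const (up to 10 LEB128 bytes)
        int64_t value;
        if (!decodeSLEB128(bytes, offset, opcode == 0x41 ? 5 : 10, value))
            return { false, "malformed integer constant" };
        break;
    }
    case 0x43:   // f32.const: 4 raw bytes
    case 0x44: { // f64.const: 8 raw bytes
        size_t width = opcode == 0x43 ? 4 : 8;
        if (bytes.size() - offset < width)
            return { false, "truncated float constant" };
        offset += width;
        break;
    }
    case 0x23: { // global.get
        uint32_t index;
        if (!decodeULEB128(bytes, offset, index))
            return { false, "malformed global index" };
        if (index >= globals.size())
            return { false, "global index out of range" };
        // The check the entry adds: a snapshot of a mutable global is not a constant.
        if (globals[index].isMutable)
            return { false, "global.get of a mutable global is not a constant expression" };
        break;
    }
    default:
        return { false, "opcode is not allowed in a constant expression" };
    }
    if (offset >= bytes.size() || bytes[offset] != 0x0B)
        return { false, "init-expr must be terminated by end" };
    if (offset + 1 != bytes.size())
        return { false, "trailing bytes after init-expr" };
    return { true, "" };
}

// Constructed sample context: global 0 is immutable, global 1 is mutable.
static const std::vector<GlobalType> kConstructedGlobals = { GlobalType { false }, GlobalType { true } };

int main()
{
    // Constructed init-expr `global.get 1; end`: it reads the mutable global and is rejected.
    InitExprResult result = validateInitExpr({ 0x23, 0x01, 0x0B }, kConstructedGlobals);
    std::printf("%s %s\n", result.ok ? "accepted" : "rejected:", result.error.c_str());
    return 0;
}
```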
| |
| 2019-12-12 Mark Lam <mark.lam@apple.com> |
| |
| Fix missing exception in JSValue::toWTFStringSlowCase(). |
| https://bugs.webkit.org/show_bug.cgi?id=205176 |
| <rdar://problem/57871899> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Also fix all the new exception check failures that fall out of this change. |
| Also replaced some ASSERTs with EXCEPTION_ASSERT so that we can run the exception |
| check validation on a release build. |
| |
| * dfg/DFGOperations.cpp: |
| * jsc.cpp: |
| (dumpException): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::arrayProtoFuncPush): |
| * runtime/ExceptionHelpers.cpp: |
| (JSC::createError): |
| * runtime/JSCJSValue.cpp: |
| (JSC::JSValue::toWTFStringSlowCase const): |
| |
| 2019-12-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Lock-down JSGlobalObject and derived classes in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=205108 |
| |
| Reviewed by Mark Lam. |
| |
| This patch puts JSGlobalLexicalEnvironment and JSGlobalObject (and its derived classes including JSDOMWindow etc.) in IsoSubspace. |
| We were using the `addFinalizer` feature to call destructors for these objects since they do not inherit JSDestructibleObject. But now |
| each derived class has its own IsoSubspace. So we do not need to use the finalizer feature: just setting a specialized HeapCellType works. |
| |
| * API/JSAPIGlobalObject.h: |
| * API/JSCallbackObject.cpp: |
| * API/glib/JSAPIWrapperGlobalObject.cpp: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * bytecode/SuperSampler.h: |
| * heap/CellAttributes.h: |
| * heap/FreeList.h: |
| * heap/IsoHeapCellType.cpp: |
| (JSC::IsoHeapCellType::IsoHeapCellType): |
| * heap/IsoHeapCellType.h: |
| * heap/MarkedBlock.cpp: |
| (JSC::MarkedBlock::Handle::setIsFreeListed): Deleted. |
| * heap/MarkedBlockInlines.h: |
| (JSC::MarkedBlock::Handle::setIsFreeListed): |
| * jsc.cpp: |
| (GlobalObject::create): Deleted. |
| (GlobalObject::createStructure): Deleted. |
| (GlobalObject::javaScriptRuntimeFlags): Deleted. |
| (GlobalObject::finishCreation): Deleted. |
| (GlobalObject::addFunction): Deleted. |
| * runtime/JSGlobalLexicalEnvironment.h: |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::subspaceFor): |
| * runtime/JSSegmentedVariableObject.cpp: |
| (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject): |
| (JSC::JSSegmentedVariableObject::finishCreation): |
| (JSC::JSSegmentedVariableObject::destroy): Deleted. |
| * runtime/JSSegmentedVariableObject.h: |
| (JSC::JSSegmentedVariableObject::subspaceFor): |
| (JSC::JSSegmentedVariableObject::classInfo const): Deleted. |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * testRegExp.cpp: |
| (GlobalObject::create): Deleted. |
| (GlobalObject::createStructure): Deleted. |
| (GlobalObject::finishCreation): Deleted. |
| |
| 2019-12-12 Mark Lam <mark.lam@apple.com> |
| |
| Fix missing exception check in JSON Stringifier's gap function. |
| https://bugs.webkit.org/show_bug.cgi?id=205171 |
| <rdar://problem/57871842> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/JSONObject.cpp: |
| (JSC::gap): |
| |
| 2019-12-12 Mark Lam <mark.lam@apple.com> |
| |
| DFG and FTL expects String.prototype to not qualify for StringObjectUse. |
| https://bugs.webkit.org/show_bug.cgi?id=205147 |
| <rdar://problem/57748888> |
| |
| Reviewed by Saam Barati. |
| |
| Currently, String.prototype's JSType is StringObjectType. |
| |
| However, in the compiler, there are a few places that expect the |
| String.prototype value not to qualify as StringObjectUse. These places are: |
| 1. SpeculatedType.cpp's speculationFromClassInfo() will speculate SpecObjectOther |
| for the StringPrototype object. |
| 2. DFGFixupPhase.cpp's addCheckStructureForOriginalStringObjectUse() only emits a |
| CheckStructure against globalObject->stringObjectStructure(). It does not |
| check against String.prototype's structure. |
| |
| To resolve this discrepancy, we can either do: |
| a. change String.prototype's JSType to something else. |
| b. fix the places in the compiler to accept String.prototype as StringObjectUse. |
| |
| (a) is trivial and cheap to do. (b) is doable but will result in less optimal |
| compiled code. Since passing String.prototype as a StringObject is expected to |
| be a rare thing in JS code, it's not worth incurring the cost for (b). In this |
| patch, we apply (a) to fix the discrepancy. |
| |
| Also added a specialization case to FOR_EACH_JS_DYNAMIC_CAST_JS_TYPE_OVERLOAD |
| for jsDynamicCast<StringObject> for completeness. |
| |
| * runtime/JSCast.h: |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| * runtime/StringPrototype.h: |
| |
| 2019-12-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] IsoHeapCellType should have destroy function member instead of specializing template function |
| https://bugs.webkit.org/show_bug.cgi?id=205152 |
| |
| Reviewed by Saam Barati. |
| |
| We were specializing MarkedBlock::Handle::specializedSweep in 5 different ways, for each IsoSubspace-ed cell. |
| This bloats the binary. Instead of specializing it with CellType, we specialize it with one functor, which invokes |
| the function pointer held by IsoHeapCellType. This requires one indirect function call per cell. But this is OK since, |
| |
| 1. We were using JSDestructibleObject's cell->classInfo->methodTable.destroy function call to dispatch destruction |
| before IsoSubspace replaced them with IsoHeapCellType-based destruction. Compared to that, the new one still |
| saves one pointer chase basically (the classInfo dereference; we assume the cell dereference is no cost since it will |
| be done anyway). |
| 2. We still keep JSString's destroy function inlining by using IsoInlinedHeapCellType. This is important since |
| it is critical to performance, and we had JSStringHeapCellType before we replaced it with IsoHeapCellType. |
| But the IsoInlinedHeapCellType specialization is for only one class, so the generated binary size is the same as the |
| old code using JSStringHeapCellType. |
| |
| This saves 480KB of binary size in JavaScriptCore. And more importantly, after this patch, adding IsoSubspace |
| will not bloat code, so we can simply put things into IsoSubspace. |
| |
| This patch also removes `using namespace JSC;` in global code in JavaScriptCore except for API code, since |
| it started causing build failures due to unified builds: the API defines a JSType enum in the global scope, which is |
| different from our JSC::JSType. If we do `using namespace JSC;` in the global scope, it can lead to ambiguity in |
| lookup. |
| |
| * API/JSHeapFinalizerPrivate.cpp: |
| (JSContextGroupAddHeapFinalizer): |
| (JSContextGroupRemoveHeapFinalizer): |
| * API/JSHeapFinalizerPrivate.h: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * assembler/AbstractMacroAssembler.cpp: |
| * bindings/ScriptFunctionCall.cpp: |
| * bindings/ScriptObject.cpp: |
| * bindings/ScriptValue.cpp: |
| * heap/IsoHeapCellType.cpp: Copied from Source/JavaScriptCore/assembler/AbstractMacroAssembler.cpp. |
| (JSC::IsoHeapCellType::finishSweep): |
| (JSC::IsoHeapCellType::destroy): |
| * heap/IsoHeapCellType.h: |
| * heap/IsoInlinedHeapCellType.h: Copied from Source/JavaScriptCore/heap/IsoHeapCellType.h. |
| * heap/MutatorState.cpp: |
| * heap/Synchronousness.cpp: |
| * inspector/InjectedScriptHost.cpp: |
| * inspector/InjectedScriptManager.cpp: |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| * inspector/JSGlobalObjectInspectorController.cpp: |
| * inspector/JSGlobalObjectScriptDebugServer.cpp: |
| * inspector/JSInjectedScriptHost.cpp: |
| * inspector/JSInjectedScriptHostPrototype.cpp: |
| * inspector/JSJavaScriptCallFrame.cpp: |
| * inspector/JSJavaScriptCallFramePrototype.cpp: |
| * inspector/JavaScriptCallFrame.cpp: |
| * inspector/PerGlobalObjectWrapperWorld.cpp: |
| * inspector/ScriptCallStackFactory.cpp: |
| * inspector/ScriptDebugServer.cpp: |
| * inspector/agents/InspectorHeapAgent.cpp: |
| * inspector/agents/InspectorScriptProfilerAgent.cpp: |
| * inspector/agents/JSGlobalObjectAuditAgent.cpp: |
| * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: |
| * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-12-11 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put all API related JS cells into IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=205097 |
| |
| Reviewed by Mark Lam. |
| |
| This patch puts API related JS cells into IsoSubspace. |
| |
| * API/JSAPIGlobalObject.h: |
| (JSC::JSAPIGlobalObject::create): Deleted. |
| (JSC::JSAPIGlobalObject::createStructure): Deleted. |
| (JSC::JSAPIGlobalObject::JSAPIGlobalObject): Deleted. |
| * API/JSAPIValueWrapper.h: |
| * API/JSAPIWrapperObject.h: |
| (JSC::JSAPIWrapperObject::subspaceFor): |
| * API/JSAPIWrapperObject.mm: |
| (JSC::JSCallbackObject<JSAPIWrapperObject>::subspaceForImpl): |
| * API/JSCallbackConstructor.cpp: |
| (JSC::JSCallbackConstructor::JSCallbackConstructor): |
| * API/JSCallbackConstructor.h: |
| * API/JSCallbackObject.cpp: |
| (JSC::JSCallbackObject<JSNonFinalObject>::createStructure): |
| (JSC::JSCallbackObject<JSNonFinalObject>::subspaceForImpl): |
| (JSC::JSCallbackObject<JSGlobalObject>::subspaceForImpl): |
| (JSC::JSCallbackObject<JSDestructibleObject>::createStructure): Deleted. |
| * API/JSCallbackObject.h: |
| * API/JSCallbackObjectFunctions.h: |
| (JSC::JSCallbackObject<Parent>::init): |
| * API/JSClassRef.cpp: |
| (OpaqueJSClass::prototype): |
| * API/JSObjectRef.cpp: |
| (JSObjectMake): |
| (JSObjectGetPrivate): |
| (JSObjectSetPrivate): |
| (JSObjectGetPrivateProperty): |
| (JSObjectSetPrivateProperty): |
| (JSObjectDeletePrivateProperty): |
| * API/JSValueRef.cpp: |
| (JSValueIsObjectOfClass): |
| * API/JSWeakObjectMapRefPrivate.cpp: |
| * API/glib/JSAPIWrapperGlobalObject.cpp: |
| (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::subspaceForImpl): |
| * API/glib/JSAPIWrapperGlobalObject.h: |
| (JSC::JSAPIWrapperGlobalObject::subspaceFor): |
| * API/glib/JSAPIWrapperObjectGLib.cpp: |
| (JSC::JSCallbackObject<JSAPIWrapperObject>::subspaceForImpl): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| * runtime/JSSegmentedVariableObject.cpp: |
| (JSC::JSSegmentedVariableObject::finishCreation): |
| * runtime/JSSegmentedVariableObject.h: |
| (JSC::JSSegmentedVariableObject::classInfo const): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-12-10 Saam Barati <sbarati@apple.com> |
| |
| BytecodeDumper should print out of line jump targets |
| https://bugs.webkit.org/show_bug.cgi?id=205091 |
| |
| Reviewed by Tadeu Zagallo and Yusuke Suzuki. |
| |
| * bytecode/BytecodeDumper.cpp: |
| (JSC::BytecodeDumperBase::dumpValue): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::outOfLineJumpOffset): |
| |
| 2019-12-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Adhocly created CallLinkInfo in GetterSetterAccess should be owned by GCAwareJITStubRoutine |
| https://bugs.webkit.org/show_bug.cgi?id=204876 |
| |
| Reviewed by Saam Barati. |
| |
| When emitting GetterSetterAccessCase code in the IC, we dynamically create a CallLinkInfo which is owned by the GetterSetterAccessCase, |
| and we use this pointer for GetterSetter calls (like operationLinkCall etc.). The problem is that IC code is not destroyed |
| so long as it is live on the stack. For example, the GetterSetterAccessCase might be destroyed when the StructureStubInfo is reset, |
| while the emitted code is executing. So, the code is still pointing to an already-destroyed CallLinkInfo. |
| |
| In this patch, the CallLinkInfo used for GetterSetterAccessCase code is owned by the emitted code, which means owned by |
| MarkingGCAwareJITStubRoutine. So it is kept so long as the code is live. We use Bag<CallLinkInfo> to create a CallLinkInfo, |
| and MarkingGCAwareJITStubRoutine owns it. |
| |
| The important question is whether we should call CallLinkInfo::visitWeak when the associated GetterSetterAccessCase is already |
| destroyed. We do not need to call it since (1) it is just clearing the CallLinkInfo, and (2) this information will not be used |
| by anyone since the associated GetterSetterAccessCase is already destroyed. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateImpl): |
| * bytecode/GetterSetterAccessCase.h: |
| (JSC::GetterSetterAccessCase::callLinkInfo const): |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::PolymorphicAccess::regenerate): |
| * bytecode/PolymorphicAccess.h: |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::emitDumbVirtualCall): |
| * jit/GCAwareJITStubRoutine.cpp: |
| (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine): |
| (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler): |
| (JSC::createJITStubRoutine): |
| * jit/GCAwareJITStubRoutine.h: |
| (JSC::GCAwareJITStubRoutine::create): |
| (JSC::createJITStubRoutine): Deleted. |
| * jit/Repatch.cpp: |
| (JSC::linkSlowFor): |
| (JSC::linkVirtualFor): |
| |
| 2019-12-10 Mark Lam <mark.lam@apple.com> |
| |
| Worklist::deleteCancelledPlansForVM() should not assume that a cancelled plan is ready for deletion. |
| https://bugs.webkit.org/show_bug.cgi?id=205086 |
| <rdar://problem/57795002> |
| |
| Reviewed by Saam Barati. |
| |
| Consider this race scenario: |
| 1. The DFG thread finds a plan and starts compiling, and it's holding a ref to |
| the plan while it's compiling. |
| 2. The GC thread discovers that we no longer need the plan and cancels it. |
| 3. After the plan is cancelled but while the DFG thread is still compiling, the |
| mutator thread calls Worklist::deleteCancelledPlansForVM(). |
| |
| Worklist::deleteCancelledPlansForVM() was assuming that by the time it is |
| called, Worklist::m_cancelledPlansPendingDestruction will contain the last ref |
| to the cancelled plan. However, this is an incorrect assumption, and the |
| assertion there that asserts refCount == 1 will fail. |
| |
| This patch fixes Worklist::deleteCancelledPlansForVM() to append the cancelled |
| plan back into m_cancelledPlansPendingDestruction if its refCount is not 1 |
| (implying that the compiler thread still has a ref to it), and defer deletion of |
| the plan to a subsequent call to deleteCancelledPlansForVM(). |
| |
| This patch also adds a WTFMove to Worklist::removeDeadPlans() when we append the |
| cancelled plan to m_cancelledPlansPendingDestruction there. This saves us one |
| unnecessary ref and deref of the plan. |
| |
| * dfg/DFGWorklist.cpp: |
| (JSC::DFG::Worklist::deleteCancelledPlansForVM): |
| (JSC::DFG::Worklist::removeDeadPlans): |
| |
| 2019-12-10 Saam Barati <sbarati@apple.com> |
| |
| methodOfGettingAValueProfileFor should return argument value profiles even when node and operandNode are the same origin |
| https://bugs.webkit.org/show_bug.cgi?id=205083 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Inside methodOfGettingAValueProfileFor, we only grab profiles when the child |
| node and the parent node were from different code origins. This policy doesn't |
| make sense when the child node is the load of an argument value. In that case, |
| we can always just grab the argument profile. |
| |
| We might want to reconsider this policy in general, since it's common for a |
| node to emit a GetLocal to grab its incoming arguments (this is frequently |
| done in the DFG when reloading locals across basic blocks). |
| |
| This fixes an OSR exit compile loop inside Speedometer 2's React-Redux-TodoMVC |
| benchmark. That benchmark would repeatedly exit inside CompareStrictEq by |
| repeatedly speculating Object. That node would run with 95% incoming Objects, |
| and 5% incoming strings, and because we didn't grab the argument value profile |
| during exit, we never updated the profile with the String type information. |
| |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::methodOfGettingAValueProfileFor): |
| |
| 2019-12-10 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r253321. |
| https://bugs.webkit.org/show_bug.cgi?id=205084 |
| |
| 1% regression in RAMification (Requested by yusukesuzuki on #webkit). |
| |
| Reverted changeset: |
| |
| "[JSC] Put JSArray in IsoSubspace" |
| https://bugs.webkit.org/show_bug.cgi?id=205049 |
| https://trac.webkit.org/changeset/253321 |
| |
| 2019-12-10 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Reduce JSC's binary size |
| https://bugs.webkit.org/show_bug.cgi?id=204549 |
| |
| Reviewed by Saam Barati. |
| |
| The Wasm interpreter landed in r251886 and significantly increased JSC's binary size. To try and |
| offset that, here are some easy fixes that get us ~200kb back: |
| - We were generating 2 instances of dumpBytecode, at 30kb each. I changed the generator to emit a cpp |
| file instead, avoiding the duplication. |
| - We had 3 instances of computeUsesForBytecodeIndex at 11kb each. I kept the work that depended on the |
| template type in the template function and moved the massive switch into computeUsesForBytecodeIndexImpl. |
| I also did the same for computeDefsForBytecodeIndex. |
| - We had 8 instances of emit_compareAndJump(Slow) at 8kb (7kb for Slow) each. I kept the code |
| that extracts the data from the bytecode in the template, but moved the bulk of the function |
| into emit_compareAndJump(Slow)Impl. |
| |
| * CMakeLists.txt: |
| * DerivedSources-output.xcfilelist: |
| * DerivedSources.make: |
| * Sources.txt: |
| * bytecode/BytecodeDumper.cpp: |
| (JSC::BytecodeDumperBase::printLocationAndOp): |
| (JSC::BytecodeDumperBase::dumpValue): |
| * bytecode/BytecodeDumper.h: |
| (JSC::BytecodeDumperBase::~BytecodeDumperBase): |
| (JSC::BytecodeDumperBase::dumpValue): |
| (JSC::BytecodeDumperBase::BytecodeDumperBase): |
| (JSC::BytecodeDumper::BytecodeDumper): |
| * bytecode/BytecodeUseDef.cpp: Copied from Source/JavaScriptCore/bytecode/BytecodeUseDef.h. |
| (JSC::computeUsesForBytecodeIndexImpl): |
| (JSC::computeDefsForBytecodeIndexImpl): |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeIndex): |
| (JSC::computeDefsForBytecodeIndex): |
| * generator/DSL.rb: |
| * generator/Opcode.rb: |
| * generator/Options.rb: |
| * jit/JIT.h: |
| * jit/JITArithmetic.cpp: |
| (JSC::JIT::emit_compareAndJump): |
| (JSC::JIT::emit_compareAndJumpImpl): |
| (JSC::JIT::emit_compareUnsignedAndJump): |
| (JSC::JIT::emit_compareUnsignedAndJumpImpl): |
| (JSC::JIT::emit_compareUnsigned): |
| (JSC::JIT::emit_compareUnsignedImpl): |
| (JSC::JIT::emit_compareAndJumpSlow): |
| (JSC::JIT::emit_compareAndJumpSlowImpl): |
| |
| 2019-12-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put JSArray in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=205049 |
| |
| Reviewed by Mark Lam. |
| |
| Put JSArray in IsoSubspace. |
| |
| * runtime/ArrayPrototype.h: |
| * runtime/JSArray.h: |
| (JSC::JSArray::subspaceFor): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * tools/JSDollarVM.cpp: |
| |
| 2019-12-09 Mark Lam <mark.lam@apple.com> |
| |
| Fix the x86_64 probe so that we can get a full stack trace with libunwind and lldb. |
| https://bugs.webkit.org/show_bug.cgi?id=205050 |
| |
| Reviewed by Michael Saboff. |
| |
| Before this patch, the stack trace from inside a probe function is cut off at ctiMasmProbeTrampoline: |
| |
| (lldb) bt |
| * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) |
| ... |
| frame #4: 0x0000000100824607 JavaScriptCore`WTF::Function<void (JSC::Probe::Context&)>::operator(this=0x000000010b88bd00, in=0x00007ffeefbfd400)(JSC::Probe::Context&) const at Function.h:79:35 |
| frame #5: 0x0000000100823996 JavaScriptCore`JSC::stdFunctionCallback(context=0x00007ffeefbfd400) at MacroAssembler.cpp:53:5 |
| frame #6: 0x000000010082701e JavaScriptCore`JSC::Probe::executeProbe(state=0x00007ffeefbfd480) at ProbeContext.cpp:51:5 |
| frame #7: 0x000000010082614b JavaScriptCore`ctiMasmProbeTrampoline + 299 |
| (lldb) |
| |
| After this patch, we'll now get the full stack trace from inside the probe function: |
| |
| (lldb) bt |
| * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) |
| ... |
| frame #4: 0x0000000100826d17 JavaScriptCore`WTF::Function<void (JSC::Probe::Context&)>::operator(this=0x0000000106b878f8, in=0x00007ffeefbfd400)(JSC::Probe::Context&) const at Function.h:79:35 |
| frame #5: 0x0000000100826106 JavaScriptCore`JSC::stdFunctionCallback(context=0x00007ffeefbfd400) at MacroAssembler.cpp:53:5 |
| frame #6: 0x000000010082986e JavaScriptCore`JSC::Probe::executeProbe(state=0x00007ffeefbfd480) at ProbeContext.cpp:51:5 |
| frame #7: 0x00000001008289a2 JavaScriptCore`ctiMasmProbeTrampoline + 338 |
| frame #8: 0x0000466db28025be |
| frame #9: 0x0000000100754ffc JavaScriptCore`llint_entry at LowLevelInterpreter.asm:994 |
| frame #10: 0x0000000100738173 JavaScriptCore`vmEntryToJavaScript at LowLevelInterpreter64.asm:307 |
| frame #11: 0x0000000101489307 JavaScriptCore`JSC::JITCode::execute(this=0x0000000106ba1520, vm=0x0000000106d00000, protoCallFrame=0x00007ffeefbfd9b8) at JITCodeInlines.h:38:38 |
| frame #12: 0x0000000101488982 JavaScriptCore`JSC::Interpreter::executeProgram(this=0x0000000106bfd1f8, source=0x00007ffeefbff090, (null)=0x000000010d0e0000, thisObj=0x000000010d0e8020) at Interpreter.cpp:847:51 |
| frame #13: 0x00000001017d1f9c JavaScriptCore`JSC::evaluate(globalObject=0x000000010d0e0000, source=0x00007ffeefbff090, thisValue=JSValue @ 0x00007ffeefbfef60, returnedException=0x00007ffeefbff0b0) at Completion.cpp:146:38 |
| frame #14: 0x000000010005838f jsc`runWithOptions(globalObject=0x000000010d0e0000, options=0x00007ffeefbff620, success=0x00007ffeefbff48b) at jsc.cpp:2670:35 |
| frame #15: 0x000000010002a0da jsc`jscmain(this=0x00007ffeefbff5a0, vm=0x0000000106d00000, globalObject=0x000000010d0e0000, success=0x00007ffeefbff48b)::$_6::operator()(JSC::VM&, GlobalObject*, bool&) const at jsc.cpp:3157:13 |
| frame #16: 0x0000000100006eff jsc`int runJSC<jscmain(int, char**)::$_6>(options=0x00007ffeefbff620, isWorker=false, func=0x00007ffeefbff5a0)::$_6 const&) at jsc.cpp:3003:9 |
| frame #17: 0x0000000100005988 jsc`jscmain(argc=10, argv=0x00007ffeefbff6c8) at jsc.cpp:3150:18 |
| frame #18: 0x000000010000575e jsc`main(argc=10, argv=0x00007ffeefbff6c8) at jsc.cpp:2498:15 |
| frame #19: 0x00007fff6cfc4da9 libdyld.dylib`start + 1 |
| frame #20: 0x00007fff6cfc4da9 libdyld.dylib`start + 1 |
| (lldb) |
| |
| The difference is that the x86_64 ctiMasmProbeTrampoline now uses the standard |
| function prologue, and keeps %rbp pointing to trampoline function's semblance of |
| a frame that libunwind can understand while it calls the probe function. |
| |
| * assembler/MacroAssemblerX86Common.cpp: |
| |
| 2019-12-09 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put CustomGetterSetter and DOMAttributeGetterSetter in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=205044 |
| |
| Reviewed by Sam Weinig. |
| |
| Put CustomGetterSetter and DOMAttributeGetterSetter in IsoSubspace. |
| |
| * runtime/CustomGetterSetter.h: |
| (JSC::CustomGetterSetter::subspaceFor): |
| * runtime/DOMAttributeGetterSetter.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-12-09 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove NativeStdFunctionCell |
| https://bugs.webkit.org/show_bug.cgi?id=205045 |
| |
| Reviewed by Sam Weinig. |
| |
| NativeStdFunctionCell was introduced because we were not able to make derived classes of JSFunction destructible. |
| But now we can do that by using IsoSubspace. And we already have IsoSubspace for JSNativeStdFunction. So we do |
| not need to have the NativeStdFunctionCell cell. This patch removes it and makes JSNativeStdFunction destructible. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * inspector/InjectedScriptBase.cpp: |
| (Inspector::InjectedScriptBase::makeAsyncCall): |
| * runtime/JSNativeStdFunction.cpp: |
| (JSC::JSNativeStdFunction::JSNativeStdFunction): |
| (JSC::JSNativeStdFunction::visitChildren): |
| (JSC::JSNativeStdFunction::finishCreation): |
| (JSC::runStdFunction): |
| (JSC::JSNativeStdFunction::create): |
| * runtime/JSNativeStdFunction.h: |
| * runtime/NativeStdFunctionCell.cpp: Removed. |
| * runtime/NativeStdFunctionCell.h: Removed. |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-12-09 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [WebAssembly] Remove WasmValidate |
| https://bugs.webkit.org/show_bug.cgi?id=205037 |
| |
| Reviewed by Saam Barati. |
| |
| It's currently only used when JSC_useWasmLLInt is false and it creates an additional instantiation |
| of Wasm::FunctionParser, which adds about 100kb to the binary size. This does not introduce any |
| behavior changes with the default options, but it means that we'll generate bytecode when calling |
| WebAssembly.validate/new WebAssembly.Module even when the WasmLLInt is disabled. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::didReceiveFunctionData): |
| * wasm/WasmEntryPlan.cpp: |
| * wasm/WasmLLIntPlan.cpp: |
| * wasm/WasmModule.cpp: |
| (JSC::Wasm::makeValidationResult): |
| (JSC::Wasm::makeValidationCallback): |
| (JSC::Wasm::Module::validateSync): |
| (JSC::Wasm::Module::validateAsync): |
| * wasm/WasmModule.h: |
| * wasm/WasmOMGForOSREntryPlan.cpp: |
| (JSC::Wasm::OMGForOSREntryPlan::work): |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| * wasm/WasmPlan.cpp: |
| * wasm/WasmValidate.cpp: Removed. |
| * wasm/WasmValidate.h: Removed. |
| |
| 2019-12-09 Tadeu Zagallo <tzagallo@apple.com> |
| |
| REGRESSION(r253140): WebAssembly validation should check for unmatched else before calling addElse/addElseToUnreachable |
| https://bugs.webkit.org/show_bug.cgi?id=205022 |
| <rdar://problem/57748159> |
| |
| Reviewed by Saam Barati. |
| |
| When moving the validation code into the parser in r253140, I missed the validation check of whether |
| an if block was at the top of the control stack before calling addElse/addElseToUnreachable. |
| |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression): |
| |
| 2019-12-09 Mark Lam <mark.lam@apple.com> |
| |
| GetByIdVariant::dumpInContext() should not ref UniqueStringImpls. |
| https://bugs.webkit.org/show_bug.cgi?id=205023 |
| <rdar://problem/57747265> |
| |
| Reviewed by Saam Barati. |
| |
| This is because GetByIdVariant::dumpInContext() may be called from the compiler |
| thread. GetByIdVariant::dumpInContext() was inadvertently invoking the String copy |
| constructor on an Identifier, which in turn, refs the underlying UniqueStringImpl. |
| This results in a race against the mutator to adjust the refCount. |
| |
| The fix is to have GetByIdVariant::dumpInContext() print the underlying |
| StringImpl instead of the Identifier itself. |
| |
| * bytecode/GetByIdVariant.cpp: |
| (JSC::GetByIdVariant::dumpInContext const): |
| |
| 2019-12-08 Yousuke Kimoto <yousuke.kimoto@sony.com> |
| |
| [WinCairo] Refine initialization and error handling in RemoteInspectorSocket |
| https://bugs.webkit.org/show_bug.cgi?id=204338 |
| |
| Reviewed by Fujii Hironori. |
| |
| RemoteInspectorSocket's socket error handling is insufficient, |
| and should be refined to avoid error cases. |
| |
| * inspector/remote/socket/RemoteInspectorSocket.h: Modified return value checks to handle error cases. |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: Refined error handling checks. |
| (Inspector::RemoteInspectorSocketEndpoint::createListener): |
| * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: Ditto |
| (Inspector::Socket::connect): |
| (Inspector::Socket::listen): |
| (Inspector::Socket::setup): |
| (Inspector::Socket::isListening): |
| (Inspector::Socket::getPort): |
| (Inspector::Socket::preparePolling): |
| * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp: Ditto |
| (Inspector::Socket::Socket::create): |
| (Inspector::Socket::setOpt): |
| (Inspector::Socket::bindAndListen): |
| (Inspector::Socket::connect): |
| (Inspector::Socket::accept): |
| (Inspector::Socket::createPair): |
| (Inspector::Socket::setup): |
| (Inspector::Socket::isListening): |
| (Inspector::Socket::getPort): |
| (Inspector::Socket::read): |
| (Inspector::Socket::write): |
| (Inspector::Socket::preparePolling): Initialized 'poll' with zero |
| |
| 2019-12-08 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [WebAssembly] Fix LLIntGenerator's checkConsistency contract |
| https://bugs.webkit.org/show_bug.cgi?id=204998 |
| <rdar://problem/57733405> |
| |
| Reviewed by Mark Lam. |
| |
| We check the consistency of the WebAssembly parser's expression stack every time the LLIntGenerator calls |
| push to allocate a new stack value. However, if we call push more than once (e.g. in a loop), the stack |
| is no longer consistent, since those values have not yet been placed in the parser's expression stack, so |
| the generator and parser's stacks are out of sync. Instead, whenever we need to push multiple values, we |
| should first manually call checkConsistency before any pushes, and all pushes after that should be replaced |
| with push(NoConsistencyCheck). |
| |
| * wasm/WasmLLIntGenerator.cpp: |
| (JSC::Wasm::LLIntGenerator::callInformationForCaller): |
| (JSC::Wasm::LLIntGenerator::addArguments): |
| (JSC::Wasm::LLIntGenerator::addLocal): |
| |
| 2019-12-07 Mark Lam <mark.lam@apple.com> |
| |
| Object.prototype.isPrototypeOf() should check if the passed in value is a non-object first. |
| https://bugs.webkit.org/show_bug.cgi?id=204971 |
| <rdar://problem/57730080> |
| |
| Reviewed by Saam Barati. |
| |
| The spec says Object.prototype.isPrototypeOf() should do checks in the following |
| order: |
| 1. If Type(V) is not Object, return false. |
| 2. Let O be ? ToObject(this value). |
| ... |
| We were previously checking (2) before (1). This patch fixes this order. |
| |
| Ref: http://www.ecma-international.org/ecma-262/10.0/index.html#sec-object.prototype.isprototypeof |
| |
| * runtime/ObjectPrototype.cpp: |
| (JSC::objectProtoFuncIsPrototypeOf): |
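The check order described in this entry, as an added example that is not WebKit code: a JavaScript model of the spec algorithm next to the pre-fix order (ToObject before the non-object check), so the observable difference for a null/undefined `this` with a primitive argument can be seen.

```javascript
// Added example (not WebKit code): Object.prototype.isPrototypeOf modelled
// in JavaScript. Function names are hypothetical stand-ins for the C++ code.

function isObject(v) {
  return (typeof v === "object" && v !== null) || typeof v === "function";
}

// ToObject(value) per spec: throws TypeError for undefined and null
// (unlike Object(undefined), which silently yields an empty object).
function toObject(value) {
  if (value === null || value === undefined) {
    throw new TypeError("Cannot convert undefined or null to object");
  }
  return Object(value);
}

// Walks V's prototype chain looking for O (the shared tail of both variants).
function chainContains(V, O) {
  let p = Object.getPrototypeOf(V);
  while (p !== null) {
    if (p === O) return true;
    p = Object.getPrototypeOf(p);
  }
  return false;
}

// Spec order:
//   1. If Type(V) is not Object, return false.
//   2. Let O be ? ToObject(this value).
function isPrototypeOfSpec(thisValue, V) {
  if (!isObject(V)) return false;   // step 1 first
  const O = toObject(thisValue);    // step 2 second
  return chainContains(V, O);
}

// Pre-fix order: (2) before (1). For a non-object V and a null/undefined
// this value this throws where the spec says to return false.
function isPrototypeOfPreFix(thisValue, V) {
  const O = toObject(thisValue);    // step 2 first
  if (!isObject(V)) return false;   // step 1 second
  return chainContains(V, O);
}

// Reports the observable outcome as a string: "true", "false" or "TypeError".
function observe(fn, thisValue, V) {
  try {
    return String(fn(thisValue, V));
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}
```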
| |
| 2019-12-07 Saam Barati <sbarati@apple.com> |
| |
| Unreviewed. Roll out r253201. It was not a progression on any benchmarks, and was 8% slower on JetStream 2 ML. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * bytecode/BytecodeList.rb: |
| * bytecode/GetByValHistory.h: Added. |
| (JSC::GetByValHistory::observeNonUID): |
| (JSC::GetByValHistory::observe): |
| (JSC::GetByValHistory::count const): |
| (JSC::GetByValHistory::filter const): |
| (JSC::GetByValHistory::update): |
| * bytecode/PointerHistory.h: Removed. |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseGetById): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGGraph.h: |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileGetById): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): |
| * generator/DSL.rb: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_try_get_by_id): |
| (JSC::JIT::emitSlow_op_try_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_direct): |
| (JSC::JIT::emitSlow_op_get_by_id_direct): |
| (JSC::JIT::emit_op_get_by_id): |
| (JSC::JIT::emitSlow_op_get_by_id): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * runtime/OptionsList.h: |
| |
| 2019-12-07 Mark Lam <mark.lam@apple.com> |
| |
| Remove invalid assertion in FTL's allocateJSArray(). |
| https://bugs.webkit.org/show_bug.cgi?id=204987 |
| <rdar://problem/57280725> |
| |
| Reviewed by Saam Barati. |
| |
| The assertion (in the compiler thread) does not take into account that the mutator |
| may be in the process of transiting to HavingABadTime. As a result, the assertion |
| may fail intermittently. This patch fixes this issue by removing this bad |
| assertion. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray): |
| |
| 2019-12-07 Mark Lam <mark.lam@apple.com> |
| |
| Build fix for: The compiler thread should not adjust Identifier refCounts. |
| https://bugs.webkit.org/show_bug.cgi?id=204919 |
| <rdar://problem/57426861> |
| |
| Not reviewed. |
| |
| * bytecode/GetByStatus.cpp: |
| (JSC::GetByStatus::computeFor): |
| |
| 2019-12-07 Joonghun Park <jh718.park@samsung.com> |
| |
| Unreviewed. Remove the build warning below since r250009. |
| warning: comparison between signed and unsigned integer expressions [-Wsign-compare] |
| |
| This patch typecasts the "maybe signed" one as unsigned, which is the |
| same as what the compilers would do, but makes the typecast explicit |
| so that the warning goes away. |
| |
| * b3/air/testair.cpp: |
| |
| 2019-12-07 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put JSWrapperObject derived classes in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=204976 |
| |
| Reviewed by Mark Lam. |
| |
| Put JSWrapperObject derived classes in IsoSubspace. |
| |
| 1. StringObject |
| 2. NumberObject |
| 3. SymbolObject |
| 4. BigIntObject |
| 5. BooleanObject |
| |
| * runtime/BigIntObject.h: |
| * runtime/BooleanObject.h: |
| (JSC::BooleanObject::subspaceFor): |
| * runtime/BooleanPrototype.h: |
| * runtime/JSWrapperObject.h: |
| (JSC::JSWrapperObject::subspaceFor): |
| * runtime/NumberObject.h: |
| (JSC::NumberObject::subspaceFor): |
| * runtime/NumberPrototype.h: |
| * runtime/StringObject.h: |
| (JSC::StringObject::subspaceFor): |
| * runtime/StringPrototype.h: |
| * runtime/SymbolObject.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-12-07 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: non-regex Local Overrides and Script Blackboxing shouldn't apply to scripts that just contain the URL |
| https://bugs.webkit.org/show_bug.cgi?id=204954 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| If `isRegex` is false, add `^` and `$` to the beginning and end of the search string to |
| ensure that the search string is exactly matched, not just contained within the potentially |
| intercepted URL. |
| |
| This doesn't actually change functionality because the Web Inspector frontend wouldn't |
| replace the network response for these containing matches, as the frontend JavaScript |
| already correctly performed this logic, and would therefore `Network.interceptContinue`. |
| |
| * inspector/ContentSearchUtilities.h: |
| * inspector/ContentSearchUtilities.cpp: |
| (Inspector::ContentSearchUtilities::escapeStringForRegularExpressionSource): Added. |
| (Inspector::ContentSearchUtilities::createRegularExpressionForSearchString): Added. |
| (Inspector::ContentSearchUtilities::searchInTextByLines): |
| (Inspector::ContentSearchUtilities::createSearchRegexSource): Deleted. |
| (Inspector::ContentSearchUtilities::createSearchRegex): Deleted. |
| Rename functions for clarity. |
| |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::shouldBlackboxURL const): |
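The anchoring described in this entry, as an added JavaScript example that is not WebKit code: the search string is escaped so it matches literally, wrapped in `^` and `$` when `isRegex` is false, and compared against URLs both ways so the difference between "contains" and exact matching is visible. The function names mirror the entry's C++ helpers but the implementations here are assumptions.

```javascript
// Added example (not WebKit code). Names follow the ChangeLog entry; the
// bodies are this example's own.

// Escape every character that has meaning in a regular expression so a
// plain search string is matched character for character.
function escapeStringForRegularExpressionSource(text) {
  return text.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&");
}

// Non-regex searches are anchored with ^ and $ so the whole URL must match;
// regex searches are used as written.
function createRegularExpressionForSearchString(searchString, caseSensitive, isRegex) {
  const source = isRegex
    ? searchString
    : "^" + escapeStringForRegularExpressionSource(searchString) + "$";
  return new RegExp(source, caseSensitive ? "" : "i");
}

// The decision a blackboxing / local-override check makes after the change:
// does this script URL match the configured search string?
function urlMatches(url, searchString, caseSensitive, isRegex) {
  return createRegularExpressionForSearchString(searchString, caseSensitive, isRegex).test(url);
}

// The "contains" behaviour the entry is moving away from, kept for comparison:
// the same escaped pattern without anchors matches any URL that embeds it.
function urlContains(url, searchString, caseSensitive) {
  const re = new RegExp(escapeStringForRegularExpressionSource(searchString),
                        caseSensitive ? "" : "i");
  return re.test(url);
}
```

Constructed URLs such as `https://example.com/vendor/app.js?v=2` contain the configured `https://example.com/vendor/app.js` but are no longer treated as the same script once the pattern is anchored.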
| |
| 2019-12-06 Zan Dobersek <zdobersek@igalia.com> |
| |
| [GTK][WPE] Use bmalloc's memory footprint API for JSC heap growth management |
| https://bugs.webkit.org/show_bug.cgi?id=204576 |
| |
| Reviewed by Saam Barati. |
| |
| Use the new USE(BMALLOC_MEMORY_FOOTPRINT_API) build guard to enable |
| bmalloc-based JSC heap growth management on iOS family ports as well |
| as additionally the Linux-based ports, if the configuration allows it |
| (i.e. system malloc enforcement kept disabled). |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::overCriticalMemoryThreshold): |
| (JSC::Heap::updateAllocationLimits): |
| (JSC::Heap::collectIfNecessaryOrDefer): |
| * heap/Heap.h: |
| Initialize the two member variables and fix a typo in one of them. |
| * runtime/Options.cpp: |
| (JSC::overrideDefaults): |
| Also guard two default overrides with the new flag. |
| |
| 2019-12-06 Mark Lam <mark.lam@apple.com> |
| |
| The compiler thread should not adjust Identifier refCounts. |
| https://bugs.webkit.org/show_bug.cgi?id=204919 |
| <rdar://problem/57426861> |
| |
| Reviewed by Saam Barati. |
| |
| 1. Previously, in the compiler thread, we would get a Symbol uid via |
| Symbol::privateName().uid(). Symbol::privateName() returns a copy of its |
| PrivateName, which in turn results in ref'ing the underlying SymbolImpl. |
| This results in a race between the mutator and compiler threads to adjust the |
| SymbolImpl's refCount, which may result in corruption. |
| |
| This patch fixes this by adding Symbol::uid() which returns the underlying |
| SymbolImpl without ref'ing it. |
| |
| 2. Previously, in the compiler thread, we also created Box<Identifier> via its |
| copy constructor. The original Box<Identifier> is instantiated in the mutator. |
| The Box<Identifier> refs its internal Data, which is ThreadSafeRefCounted and |
| shared by all Box<Identifier> for the same underlying Identifier. |
| This ensures that the compiler thread does not ref the underlying Identifier. |
| |
| However, when the Box<Identifier> is destructed, it will also check if it holds |
| the last ref to its internal Data. If so, it will destruct its Data, and the |
| Identifier that it embeds. This results in the compiler thread trying to deref |
| the StringImpl referenced by the Identifier in a race against the mutator. |
| |
| This patch fixes this by ensuring that for any Box<Identifier> instance used |
| by the compiler thread, we will register another instance in the DFG::Plan |
| m_identifiersKeptAliveForCleanUp list, and let the mutator destruct that |
| Box<Identifier> later in the mutator. This ensures that the compiler thread |
| will never see the last reference to a Box<Identifier>'s internal Data and |
| avoid the race. |
| |
| 3. This patch also fixes the DFG::Worklist code to ensure that a DFG::Plan is |
| always destructed in the mutator, even if the Plan was cancelled. |
| |
| This, in turn, enables us to assert that the Plan is never destructed in the |
| compiler thread. |
| |
| * bytecode/GetByStatus.cpp: |
| (JSC::GetByStatus::computeFor): |
| (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): |
| * bytecode/GetByStatus.h: |
| * debugger/Debugger.cpp: |
| (JSC::Debugger::detach): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseGetById): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::~Plan): |
| (JSC::DFG::Plan::computeCompileTimes const): |
| (JSC::DFG::Plan::cancel): |
| * dfg/DFGPlan.h: |
| (JSC::DFG::Plan::unnukedVM const): |
| (JSC::DFG::Plan::keepAliveIdentifier): |
| (JSC::DFG::Plan::nuke): |
| (JSC::DFG::Plan::unnuke): |
| * dfg/DFGSafepoint.cpp: |
| (JSC::DFG::Safepoint::cancel): |
| * dfg/DFGWorklist.cpp: |
| (JSC::DFG::Worklist::deleteCancelledPlansForVM): |
| (JSC::DFG::Worklist::removeAllReadyPlansForVM): |
| (JSC::DFG::Worklist::removeDeadPlans): |
| (JSC::DFG::Worklist::removeNonCompilingPlansForVM): |
| * dfg/DFGWorklist.h: |
| * runtime/Symbol.h: |
| |
| 2019-12-06 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put JSModuleNamespaceObject in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=204973 |
| |
| Reviewed by Mark Lam. |
| |
| We found that we do not need to embed AbstractModuleRecord vector inside JSModuleNamespaceObject: we can just put it |
| in ExportEntry. So we can make it a non-variable-sized cell. Further, this patch puts it in IsoSubspace. |
| |
| * runtime/CellSize.h: |
| (JSC::isDynamicallySizedType): |
| (JSC::cellSize): |
| * runtime/JSModuleNamespaceObject.cpp: |
| (JSC::JSModuleNamespaceObject::finishCreation): |
| (JSC::JSModuleNamespaceObject::visitChildren): |
| (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon): |
| * runtime/JSModuleNamespaceObject.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-12-06 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put ModuleRecords in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=204972 |
| |
| Reviewed by Mark Lam. |
| |
| This patch puts JSModuleRecord and WebAssemblyModuleRecord in IsoSubspace. |
| |
| * runtime/AbstractModuleRecord.cpp: |
| (JSC::AbstractModuleRecord::destroy): Deleted. |
| * runtime/AbstractModuleRecord.h: |
| (JSC::AbstractModuleRecord::subspaceFor): |
| * runtime/JSModuleRecord.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * wasm/js/WebAssemblyModuleRecord.h: |
| |
| 2019-12-06 Per Arne Vollan <pvollan@apple.com> |
| |
| Unreviewed build fix. Initialize local variable. |
| |
| * API/tests/testapi.cpp: |
| (TestAPI::promiseUnhandledRejection): |
| |
| 2019-12-06 Joonghun Park <jh718.park@samsung.com> |
| |
| Unreviewed. Make the format string portable by using "%" PRIx64 |
| instead of "%llx" for the uint64_t argument. |
| |
| This patch removes the build warning below since r252978. |
| |
| warning: format ‘%llx’ expects argument of type ‘long long unsigned int’, |
| but argument 3 has type ‘JSC::SpeculatedType {aka long unsigned int}’ [-Wformat=] |
| |
| * runtime/PredictionFileCreatingFuzzerAgent.cpp: |
| (JSC::PredictionFileCreatingFuzzerAgent::getPredictionInternal): |
| |
| 2019-12-06 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r253218. |
| https://bugs.webkit.org/show_bug.cgi?id=204968 |
| |
| Broke the build (Requested by ap on #webkit). |
| |
| Reverted changeset: |
| |
| "Remove various .order files." |
| https://bugs.webkit.org/show_bug.cgi?id=204959 |
| https://trac.webkit.org/changeset/253218 |
| |
| 2019-12-06 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] JSCallee should be in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=204961 |
| |
| Reviewed by Mark Lam. |
| |
| We should put JSCallee in IsoSubspace. Currently, we are also putting JSToWasmICCallee in IsoSubspace |
| since it is a derived class of JSCallee, but I think we can remove this class completely. We are tracking |
| it in [1]. |
| |
| [1]: https://bugs.webkit.org/show_bug.cgi?id=204960 |
| |
| * debugger/DebuggerScope.h: |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::executeProgram): |
| (JSC::Interpreter::execute): |
| * runtime/JSCallee.h: |
| (JSC::JSCallee::subspaceFor): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::globalCallee): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * wasm/js/JSToWasmICCallee.h: |
| (JSC::JSToWasmICCallee::function): Deleted. |
| (JSC::JSToWasmICCallee::JSToWasmICCallee): Deleted. |
| |
| 2019-12-06 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: add compiler UNLIKELY hints when checking if developer extras are enabled |
| https://bugs.webkit.org/show_bug.cgi?id=204875 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Move the check for whether developer extras are enabled from the agent to the client so that |
| when inspecting a webpage, we don't check for it twice, since `InspectorInstrumentation` |
| already checks for it too. |
| |
| * inspector/agents/InspectorConsoleAgent.h: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| (Inspector::InspectorConsoleAgent::developerExtrasEnabled const): Added. |
| (Inspector::InspectorConsoleAgent::addMessageToConsole): |
| (Inspector::InspectorConsoleAgent::startTiming): |
| (Inspector::InspectorConsoleAgent::logTiming): |
| (Inspector::InspectorConsoleAgent::stopTiming): |
| (Inspector::InspectorConsoleAgent::takeHeapSnapshot): |
| (Inspector::InspectorConsoleAgent::count): |
| (Inspector::InspectorConsoleAgent::countReset): |
| (Inspector::InspectorConsoleAgent::addConsoleMessage): |
| |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel): |
| (Inspector::JSGlobalObjectConsoleClient::count): |
| (Inspector::JSGlobalObjectConsoleClient::countReset): |
| (Inspector::JSGlobalObjectConsoleClient::profile): |
| (Inspector::JSGlobalObjectConsoleClient::profileEnd): |
| (Inspector::JSGlobalObjectConsoleClient::takeHeapSnapshot): |
| (Inspector::JSGlobalObjectConsoleClient::time): |
| (Inspector::JSGlobalObjectConsoleClient::timeLog): |
| (Inspector::JSGlobalObjectConsoleClient::timeEnd): |
| (Inspector::JSGlobalObjectConsoleClient::timeStamp): |
| (Inspector::JSGlobalObjectConsoleClient::record): |
| (Inspector::JSGlobalObjectConsoleClient::recordEnd): |
| (Inspector::JSGlobalObjectConsoleClient::screenshot): |
| |
| 2019-12-06 Keith Miller <keith_miller@apple.com> |
| |
| Remove various .order files. |
| https://bugs.webkit.org/show_bug.cgi?id=204959 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| These files are all super out of date and likely don't do anything anymore. |
| The signatures of the functions have changed, so the mangled names have changed. |
| |
| * JavaScriptCore.order: Removed. |
| |
| 2019-12-06 Joonghun Park <jh718.park@samsung.com> |
| |
| Unreviewed. Revert r253207 because it causes a compile error in the Mac and iOS builds. |
| |
| * runtime/PredictionFileCreatingFuzzerAgent.cpp: |
| (JSC::PredictionFileCreatingFuzzerAgent::getPredictionInternal): |
| |
| 2019-12-06 Joonghun Park <jh718.park@samsung.com> |
| |
| Unreviewed. Remove build warning below since r252978. |
| |
| warning: format ‘%llx’ expects argument of type ‘long long unsigned int’, |
| but argument 3 has type ‘JSC::SpeculatedType {aka long unsigned int}’ [-Wformat=] |
| |
| * runtime/PredictionFileCreatingFuzzerAgent.cpp: |
| (JSC::PredictionFileCreatingFuzzerAgent::getPredictionInternal): |
| |
| 2019-12-05 Saam Barati <sbarati@apple.com> |
| |
| get_by_id ICs should have a structure history used to indicate when we should skip generating an IC |
| https://bugs.webkit.org/show_bug.cgi?id=204904 |
| <rdar://problem/57631437> |
| |
| Reviewed by Yusuke Suzuki and Tadeu Zagallo. |
| |
| I implemented a similar policy for get_by_val for the number of unique seen |
| identifiers. This allows us to create a heuristic to directly call the slow |
| path when profiling information tells us if inline caching might not be |
| profitable. This patch implements a similar policy for get_by_id where we |
| profile the seen base value structures. If the LLInt observes enough |
| unique structures, we omit emitting the inline cache in the upper |
| tiers. |
| |
| The goal here was to try to speed up Speedometer2. Local testing showed |
| this patch to repeatedly be 0.5% faster, but all the P values I got were |
| insignificant. So it appears it's either neutral or slightly faster. |
| |
| This patch also adjusts the policy of seeing a non-identifier inside |
| the PointerHistory data structure. Instead of increasing it to reach the |
| limit when we see a non-identifier, we just treat each execution with |
| a non-identifier to increment the count by 1. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * bytecode/BytecodeList.rb: |
| * bytecode/GetByValHistory.h: Removed. |
| * bytecode/PointerHistory.h: Copied from Source/JavaScriptCore/bytecode/GetByValHistory.h. |
| (JSC::PointerHistory::observe): |
| (JSC::PointerHistory::observeNull): |
| (JSC::GetByValHistory::observeNonUID): Deleted. |
| (JSC::GetByValHistory::observe): Deleted. |
| (JSC::GetByValHistory::count const): Deleted. |
| (JSC::GetByValHistory::filter const): Deleted. |
| (JSC::GetByValHistory::update): Deleted. |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseGetById): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGGraph.h: |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileGetById): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): |
| * generator/DSL.rb: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_try_get_by_id): |
| (JSC::JIT::emitSlow_op_try_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_direct): |
| (JSC::JIT::emitSlow_op_get_by_id_direct): |
| (JSC::JIT::emit_op_get_by_id): |
| (JSC::JIT::emitSlow_op_get_by_id): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * runtime/OptionsList.h: |
| |
| 2019-12-05 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [WebAssembly] Fix LLIntCallee's ownership |
| https://bugs.webkit.org/show_bug.cgi?id=204929 |
| |
| Reviewed by Saam Barati. |
| |
| Currently, after the LLIntPlan finished generating bytecode, the Module takes ownership of the Vector |
| of LLIntCallee's and passes a pointer to the Vector's storage to the CodeBlock. However, while we're |
| tiering up, the module might be destroyed and we'll try to access the LLIntCallee after we finish |
| compiling through the pointer held by the CodeBlock, which is now stale, since the Vector was owned |
| by the Module. In order to fix this, we move the Vector into a reference counted wrapper class, LLIntCallees, |
| and both the Module and the CodeBlock hold references to the wrapper. |
| |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::work): |
| * wasm/WasmCallee.h: |
| (JSC::Wasm::LLIntCallees::create): |
| (JSC::Wasm::LLIntCallees::at const): |
| (JSC::Wasm::LLIntCallees::data const): |
| (JSC::Wasm::LLIntCallees::LLIntCallees): |
| * wasm/WasmCodeBlock.cpp: |
| (JSC::Wasm::CodeBlock::create): |
| (JSC::Wasm::CodeBlock::CodeBlock): |
| * wasm/WasmCodeBlock.h: |
| (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace): |
| * wasm/WasmModule.cpp: |
| (JSC::Wasm::Module::Module): |
| (JSC::Wasm::Module::getOrCreateCodeBlock): |
| * wasm/WasmModule.h: |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| |
| 2019-12-05 Tadeu Zagallo <tzagallo@apple.com> |
| |
| REGRESSION(r253140): Wasm::FunctionParser needs to bounds check in SetLocal/TeeLocal |
| https://bugs.webkit.org/show_bug.cgi?id=204909 |
| |
| Reviewed by Keith Miller. |
| |
| When moving the code from WasmValidate.cpp to WasmFunctionParser.h, I missed that SetLocal and |
| TeeLocal used to call Wasm::Validate::getLocal, which would perform the bounds check. I just |
| added back the checks to the parser before accessing the local's type from m_locals. |
| |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
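| |
The missing check described in this entry, as an added example that is not JavaScriptCore code: a minimal validator for a WebAssembly function body that bounds-checks the local index of local.get / local.set / local.tee before indexing the locals table. The class and function names (MiniFunctionValidator, readLEB128, validateSample) are hypothetical, and the sample bodies are constructed bytes.

```cpp
// Added example, not JavaScriptCore code: a minimal validator for the
// local.get / local.set / local.tee opcodes of a WebAssembly function body.
// Names (MiniFunctionValidator, readLEB128) are hypothetical; the point is
// that the local index is bounds-checked before the locals table is indexed.
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

enum class ValType : uint8_t { I32 = 0x7f, I64 = 0x7e, F32 = 0x7d, F64 = 0x7c };

struct ValidationResult {
    bool ok;
    std::string message; // empty on success
};

class MiniFunctionValidator {
public:
    explicit MiniFunctionValidator(std::vector<ValType> locals)
        : m_locals(std::move(locals)) { }

    // Walks the body until the function's closing `end` (0x0b).
    ValidationResult validate(const std::vector<uint8_t>& body) const
    {
        std::vector<ValType> stack; // operand type stack
        size_t offset = 0;
        while (offset < body.size()) {
            uint8_t op = body[offset++];
            switch (op) {
            case 0x20: { // local.get
                uint32_t index;
                if (!readLEB128(body, offset, index))
                    return fail("truncated or malformed local index");
                if (index >= m_locals.size())
                    return fail("local.get: index out of bounds");
                stack.push_back(m_locals[index]);
                break;
            }
            case 0x21:   // local.set
            case 0x22: { // local.tee
                uint32_t index;
                if (!readLEB128(body, offset, index))
                    return fail("truncated or malformed local index");
                // This is the check the regression dropped: without it an
                // out-of-range index from an untrusted module reads past m_locals.
                if (index >= m_locals.size())
                    return fail(op == 0x21 ? "local.set: index out of bounds"
                                           : "local.tee: index out of bounds");
                if (stack.empty())
                    return fail("operand stack underflow");
                if (stack.back() != m_locals[index])
                    return fail("operand type does not match local type");
                if (op == 0x21)
                    stack.pop_back(); // local.tee leaves the value on the stack
                break;
            }
            case 0x0b: // end of function body
                return { true, "" };
            default:
                return fail("opcode not supported by this mini validator");
            }
        }
        return fail("function body has no end opcode");
    }

private:
    // Unsigned LEB128 decoder for a u32; rejects truncated or over-long encodings.
    static bool readLEB128(const std::vector<uint8_t>& body, size_t& offset, uint32_t& out)
    {
        out = 0;
        for (unsigned shift = 0; shift < 35; shift += 7) {
            if (offset >= body.size())
                return false;
            uint8_t byte = body[offset++];
            out |= uint32_t(byte & 0x7f) << shift;
            if (!(byte & 0x80))
                return true;
        }
        return false; // more than five bytes is not a valid u32
    }

    static ValidationResult fail(const char* message) { return { false, message }; }

    std::vector<ValType> m_locals;
};

// Convenience wrapper for constructed sample bodies (not bytes from any real module).
ValidationResult validateSample(std::vector<ValType> locals, const std::vector<uint8_t>& body)
{
    return MiniFunctionValidator(std::move(locals)).validate(body);
}
```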
| |
| 2019-12-05 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [WebAssembly] Fix bad assertion in LLIntPlan |
| https://bugs.webkit.org/show_bug.cgi?id=204893 |
| |
| Reviewed by Mark Lam. |
| |
| Before landing r253140 I introduced an assertion in Wasm::LLIntPlan that the pointer to previously |
| compiled callees must be non-null. However, it's perfectly valid for the pointer to be null when the |
| module has no functions. |
| |
| * wasm/WasmLLIntPlan.cpp: |
| (JSC::Wasm::LLIntPlan::LLIntPlan): |
| |
| 2019-12-05 Mark Lam <mark.lam@apple.com> |
| |
| computeIfUsingFuzzerAgent() is called before parsing command line arguments. |
| https://bugs.webkit.org/show_bug.cgi?id=204886 |
| |
| Reviewed by Saam Barati. |
| |
| Rolling out r253015 which introduced computeIfUsingFuzzerAgent(). |
| |
| * runtime/Options.cpp: |
| (JSC::Options::initialize): |
| (JSC::computeIfUsingFuzzerAgent): Deleted. |
| * runtime/Options.h: |
| (JSC::Options::isUsingFuzzerAgent): Deleted. |
| * runtime/OptionsList.h: |
| (JSC::OptionRange::operator bool const): Deleted. |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| |
| 2019-12-05 Simon Fraser <simon.fraser@apple.com> |
| |
| Fix inspector/css test assertions after r253158 |
| https://bugs.webkit.org/show_bug.cgi?id=204924 |
| |
| Reviewed by Devin Rousso. |
| |
| Teach the inspector protocol about the ::highlight pseudoelement. |
| |
| * inspector/protocol/CSS.json: |
| |
| 2019-12-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] AI should convert IsCellWithType to constant when Structure set is finite |
| https://bugs.webkit.org/show_bug.cgi?id=204141 |
| |
| Reviewed by Mark Lam. |
| |
| We should fold IsCellWithType if the Structure set is finite, since we have a chance to know what the JSType is. |
| The difference from the last patch is that we have the `if (!(child.m_type & ~SpecCell))` check. Even if the |
| structures meet the requirement, these structures do not guarantee that non-cell types never come. We |
| should ensure it by using the proven type. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| |
| 2019-12-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put TypedArrays in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=204867 |
| |
| Reviewed by Mark Lam. |
| |
| This patch puts TypedArrays in IsoSubspace. |
| |
| - JSArrayBuffer |
| - JSDataView |
| - JSInt8Array |
| - JSInt16Array |
| - JSInt32Array |
| - JSUint8Array |
| - JSUint8ClampedArray |
| - JSUint16Array |
| - JSUint32Array |
| - JSFloat32Array |
| - JSFloat64Array |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): |
| * runtime/JSArrayBuffer.h: |
| * runtime/JSArrayBufferView.h: |
| (JSC::JSArrayBufferView::subspaceFor): |
| * runtime/JSDataView.h: |
| * runtime/JSGenericTypedArrayView.h: |
| * runtime/JSTypedArrays.h: |
| * runtime/TypedArrayAdaptors.h: |
| * runtime/VM.cpp: |
| * runtime/VM.h: |
| |
| 2019-12-04 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [WebAssembly] Validate and generate bytecode in one pass |
| https://bugs.webkit.org/show_bug.cgi?id=204474 |
| |
| Reviewed by Saam Barati. |
| |
| Currently, we traverse the WebAssembly code twice: |
| - a first serial pass that validates all functions |
| - a second concurrent pass that compiles all functions. |
| In this patch, we move the validation into the parser and update the LLIntPlan so that we no longer have |
| the first pass. Instead, we now validate concurrently at the same time we generate bytecode. |
| |
| As a result, when we call WebAssembly.validate, we'll still generate bytecode for the module, but it will |
| be thrown away. If the module is constructed with new WebAssembly.Module, we'll also eagerly generate |
| bytecode, but in this case the bytecode is kept and shared across all instantiations of this module. |
| |
| This is a 1.5x speedup when compiling the ZenGarden demo. |
| |
| * DerivedSources.make: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::ControlData::ControlData): |
| (JSC::Wasm::AirIRGenerator::ControlData::isIf): |
| (JSC::Wasm::AirIRGenerator::ControlData::isTopLevel): |
| (JSC::Wasm::AirIRGenerator::ControlData::branchTargetArity const): |
| (JSC::Wasm::AirIRGenerator::ControlData::branchTargetType const): |
| (JSC::Wasm::AirIRGenerator::emptyExpression): |
| (JSC::Wasm::AirIRGenerator::emitCallPatchpoint): |
| (JSC::Wasm::AirIRGenerator::tmpsForSignature): |
| (JSC::Wasm::AirIRGenerator::emitPatchpoint): |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::addRefIsNull): |
| (JSC::Wasm::AirIRGenerator::addTableGet): |
| (JSC::Wasm::AirIRGenerator::addTableSet): |
| (JSC::Wasm::AirIRGenerator::addTableGrow): |
| (JSC::Wasm::AirIRGenerator::addTableFill): |
| (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::AirIRGenerator::addLoop): |
| (JSC::Wasm::AirIRGenerator::addBlock): |
| (JSC::Wasm::AirIRGenerator::addIf): |
| (JSC::Wasm::AirIRGenerator::addReturn): |
| (JSC::Wasm::AirIRGenerator::addEndToUnreachable): |
| (JSC::Wasm::AirIRGenerator::addCall): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| (JSC::Wasm::AirIRGenerator::unify): |
| (JSC::Wasm::dumpExpressionStack): |
| (JSC::Wasm::AirIRGenerator::dump): |
| (JSC::Wasm::parseAndCompileAir): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>): |
| * wasm/WasmAirIRGenerator.h: |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::ControlData::ControlData): |
| (JSC::Wasm::B3IRGenerator::ControlData::isIf): |
| (JSC::Wasm::B3IRGenerator::ControlData::isTopLevel): |
| (JSC::Wasm::B3IRGenerator::ControlData::signature const): |
| (JSC::Wasm::B3IRGenerator::ControlData::hasNonVoidresult const): |
| (JSC::Wasm::B3IRGenerator::ControlData::branchTargetArity const): |
| (JSC::Wasm::B3IRGenerator::ControlData::branchTargetType const): |
| (JSC::Wasm::B3IRGenerator::emptyExpression): |
| (JSC::Wasm::B3IRGenerator::B3IRGenerator): |
| (JSC::Wasm::B3IRGenerator::addRefIsNull): |
| (JSC::Wasm::B3IRGenerator::addTableGet): |
| (JSC::Wasm::B3IRGenerator::addTableSet): |
| (JSC::Wasm::B3IRGenerator::addTableGrow): |
| (JSC::Wasm::B3IRGenerator::addTableFill): |
| (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::B3IRGenerator::addLoop): |
| (JSC::Wasm::B3IRGenerator::addBlock): |
| (JSC::Wasm::B3IRGenerator::addIf): |
| (JSC::Wasm::B3IRGenerator::addReturn): |
| (JSC::Wasm::B3IRGenerator::endBlock): |
| (JSC::Wasm::B3IRGenerator::addEndToUnreachable): |
| (JSC::Wasm::dumpExpressionStack): |
| (JSC::Wasm::B3IRGenerator::dump): |
| (JSC::Wasm::parseAndCompile): |
| * wasm/WasmB3IRGenerator.h: |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::BBQPlan): |
| (JSC::Wasm::BBQPlan::work): |
| (JSC::Wasm::BBQPlan::compileFunction): |
| (JSC::Wasm::BBQPlan::initializeCallees): |
| (JSC::Wasm::BBQPlan::didReceiveFunctionData): |
| * wasm/WasmBBQPlan.h: |
| * wasm/WasmCodeBlock.cpp: |
| (JSC::Wasm::CodeBlock::create): |
| (JSC::Wasm::CodeBlock::CodeBlock): |
| * wasm/WasmCodeBlock.h: |
| (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace): |
| * wasm/WasmEntryPlan.cpp: |
| (JSC::Wasm::EntryPlan::EntryPlan): |
| (JSC::Wasm::EntryPlan::parseAndValidateModule): |
| (JSC::Wasm::EntryPlan::prepare): |
| (JSC::Wasm::EntryPlan::compileFunctions): |
| (JSC::Wasm::EntryPlan::complete): |
| * wasm/WasmEntryPlan.h: |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::splitStack): |
| (JSC::Wasm::FunctionParser::TypedExpression::TypedExpression): |
| (JSC::Wasm::FunctionParser::TypedExpression::type const): |
| (JSC::Wasm::FunctionParser::TypedExpression::value const): |
| (JSC::Wasm::FunctionParser::TypedExpression::operator ExpressionType const): |
| (JSC::Wasm::FunctionParser::TypedExpression::operator-> const): |
| (JSC::Wasm::FunctionParser::controlStack): |
| (JSC::Wasm::FunctionParser::validationFail const): |
| (JSC::Wasm::FunctionParser<Context>::parse): |
| (JSC::Wasm::FunctionParser<Context>::binaryCase): |
| (JSC::Wasm::FunctionParser<Context>::unaryCase): |
| (JSC::Wasm::FunctionParser<Context>::load): |
| (JSC::Wasm::FunctionParser<Context>::store): |
| (JSC::Wasm::FunctionParser<Context>::checkBranchTarget): |
| (JSC::Wasm::FunctionParser<Context>::unify): |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression): |
| * wasm/WasmLLIntGenerator.cpp: |
| (JSC::Wasm::LLIntGenerator::ControlType::topLevel): |
| (JSC::Wasm::LLIntGenerator::ControlType::loop): |
| (JSC::Wasm::LLIntGenerator::ControlType::isIf): |
| (JSC::Wasm::LLIntGenerator::ControlType::isTopLevel): |
| (JSC::Wasm::LLIntGenerator::ControlType::stackSize const): |
| (JSC::Wasm::LLIntGenerator::ControlType::signature const): |
| (JSC::Wasm::LLIntGenerator::ControlType::branchTargetArity const): |
| (JSC::Wasm::LLIntGenerator::ControlType::branchTargetType const): |
| (JSC::Wasm::LLIntGenerator::emptyExpression): |
| (JSC::Wasm::LLIntGenerator::dump): |
| (JSC::Wasm::LLIntGenerator::getDropKeepCount): |
| (JSC::Wasm::LLIntGenerator::materializeConstantsAndLocals): |
| (JSC::Wasm::LLIntGenerator::splitStack): |
| (JSC::Wasm::parseAndCompileBytecode): |
| (JSC::Wasm::LLIntGenerator::LLIntGenerator): |
| (JSC::Wasm::LLIntGenerator::callInformationForCaller): |
| (JSC::Wasm::LLIntGenerator::addLocal): |
| (JSC::Wasm::LLIntGenerator::setLocal): |
| (JSC::Wasm::LLIntGenerator::addLoop): |
| (JSC::Wasm::LLIntGenerator::addBlock): |
| (JSC::Wasm::LLIntGenerator::addIf): |
| (JSC::Wasm::LLIntGenerator::addEndToUnreachable): |
| (JSC::Wasm::LLIntGenerator::addCall): |
| (JSC::Wasm::LLIntGenerator::addCallIndirect): |
| * wasm/WasmLLIntGenerator.h: |
| * wasm/WasmLLIntPlan.cpp: |
| (JSC::Wasm::LLIntPlan::LLIntPlan): |
| (JSC::Wasm::LLIntPlan::compileFunction): |
| (JSC::Wasm::LLIntPlan::didCompleteCompilation): |
| (JSC::Wasm::LLIntPlan::work): |
| (JSC::Wasm::LLIntPlan::didReceiveFunctionData): |
| * wasm/WasmLLIntPlan.h: |
| * wasm/WasmModule.cpp: |
| (JSC::Wasm::Module::Module): |
| (JSC::Wasm::makeValidationResult): |
| (JSC::Wasm::makeValidationCallback): |
| (JSC::Wasm::Module::validateSync): |
| (JSC::Wasm::Module::validateAsync): |
| (JSC::Wasm::Module::getOrCreateCodeBlock): |
| (JSC::Wasm::Module::compileSync): |
| (JSC::Wasm::Module::compileAsync): |
| * wasm/WasmModule.h: |
| (JSC::Wasm::Module::create): |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| * wasm/WasmPlan.cpp: |
| (JSC::Wasm::Plan::Plan): |
| * wasm/WasmPlan.h: |
| (JSC::Wasm::Plan::dontFinalize): |
| * wasm/WasmSlowPaths.cpp: |
| (JSC::LLInt::slow_path_wasm_throw_exception): |
| * wasm/WasmThunks.cpp: |
| (JSC::Wasm::throwExceptionFromWasmThunkGenerator): |
| * wasm/WasmThunks.h: |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::ControlData::isIf): |
| (JSC::Wasm::Validate::ControlData::isTopLevel): |
| (JSC::Wasm::Validate::ControlData::blockType const): |
| (JSC::Wasm::Validate::ControlData::signature const): |
| (JSC::Wasm::Validate::ControlData::branchTargetArity const): |
| (JSC::Wasm::Validate::ControlData::branchTargetType const): |
| (JSC::Wasm::Validate::emptyExpression): |
| (JSC::Wasm::Validate::addConstant): |
| (JSC::Wasm::Validate::Validate): |
| (JSC::Wasm::Validate::addArguments): |
| (JSC::Wasm::Validate::addTableGet): |
| (JSC::Wasm::Validate::addTableSet): |
| (JSC::Wasm::Validate::addTableSize): |
| (JSC::Wasm::Validate::addTableGrow): |
| (JSC::Wasm::Validate::addTableFill): |
| (JSC::Wasm::Validate::addRefIsNull): |
| (JSC::Wasm::Validate::addRefFunc): |
| (JSC::Wasm::Validate::addLocal): |
| (JSC::Wasm::Validate::getLocal): |
| (JSC::Wasm::Validate::setLocal): |
| (JSC::Wasm::Validate::getGlobal): |
| (JSC::Wasm::Validate::setGlobal): |
| (JSC::Wasm::Validate::addBlock): |
| (JSC::Wasm::Validate::addLoop): |
| (JSC::Wasm::Validate::addSelect): |
| (JSC::Wasm::Validate::addIf): |
| (JSC::Wasm::Validate::addElse): |
| (JSC::Wasm::Validate::addElseToUnreachable): |
| (JSC::Wasm::Validate::addReturn): |
| (JSC::Wasm::Validate::addBranch): |
| (JSC::Wasm::Validate::addSwitch): |
| (JSC::Wasm::Validate::addGrowMemory): |
| (JSC::Wasm::Validate::addCurrentMemory): |
| (JSC::Wasm::Validate::endBlock): |
| (JSC::Wasm::Validate::addEndToUnreachable): |
| (JSC::Wasm::Validate::addCall): |
| (JSC::Wasm::Validate::addCallIndirect): |
| (JSC::Wasm::Validate::load): |
| (JSC::Wasm::Validate::store): |
| (JSC::Wasm::Validate::addOp): |
| (JSC::Wasm::dumpExpressionStack): |
| (JSC::Wasm::Validate::dump): |
| (JSC::Wasm::validateFunction): |
| * wasm/WasmWorklist.cpp: |
| (JSC::Wasm::Worklist::enqueue): |
| * wasm/generateWasmOpsHeader.py: |
| (cppType): |
| (cppMacro): |
| (opcodeMacroizer): |
| (opcodeWithTypesMacroizer): |
| (opcodeWithTypesMacroizer.modifier): |
| (memoryLoadMacroizer): |
| (memoryLoadMacroizer.modifier): |
| (memoryStoreMacroizer): |
| (memoryStoreMacroizer.modifier): |
| * wasm/generateWasmValidateInlinesHeader.py: Removed. |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::instantiate): |
| (JSC::webAssemblyValidateFunc): |
| * wasm/js/WebAssemblyInstanceConstructor.cpp: |
| (JSC::constructJSWebAssemblyInstance): |
| |
| 2019-12-04 Mark Lam <mark.lam@apple.com> |
| |
| Fix missing exception check in ArrayPrototype's fastJoin(). |
| https://bugs.webkit.org/show_bug.cgi?id=204868 |
| <rdar://problem/57516684> |
| |
| Reviewed by Saam Barati. |
| |
| * runtime/ArrayPrototype.cpp: |
| (JSC::fastJoin): |
| |
| 2019-12-04 Mark Lam <mark.lam@apple.com> |
| |
| Fix a broken assertion in GetByStatus::computeForStubInfoWithoutExitSiteFeedback(). |
| https://bugs.webkit.org/show_bug.cgi?id=204866 |
| |
| Reviewed by Saam Barati. |
| |
| The assertion wrongly assumes that access.offset() cannot be invalid unless the |
| access.type() is a Miss. However, if the AccessCase is a Custom value or accessor, |
| the offset is always invalid. This patch fixes this assertion. |
| |
| * bytecode/AccessCase.h: |
| (JSC::AccessCase::isCustom const): |
| * bytecode/GetByStatus.cpp: |
| (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): |
| |
| 2019-12-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, rolling out r252416, vimeo does not work |
| https://bugs.webkit.org/show_bug.cgi?id=204141 |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| |
| 2019-12-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] JSWebAssemblyGlobal creation should have exception check |
| https://bugs.webkit.org/show_bug.cgi?id=204857 |
| <rdar://problem/57618579> |
| |
| Reviewed by Mark Lam. |
| |
| Each WebAssembly cell has a path that throws an exception if WebAssembly is disabled. We lack an exception check after calling JSWebAssemblyGlobal::create |
| in the WebAssemblyModuleRecord linking phase. While an exception is never thrown in this place, since this happens only when WebAssembly is enabled, we should put |
| `scope.assertNoException()` to satisfy the exception verifier requirement. We also rename the factory function of Wasm cells from "create" to "tryCreate" since it |
| can potentially fail. |
| |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::instantiate): |
| * wasm/js/JSWebAssemblyGlobal.cpp: |
| (JSC::JSWebAssemblyGlobal::tryCreate): |
| (JSC::JSWebAssemblyGlobal::create): Deleted. |
| * wasm/js/JSWebAssemblyGlobal.h: |
| * wasm/js/JSWebAssemblyInstance.cpp: |
| (JSC::JSWebAssemblyInstance::tryCreate): |
| (JSC::JSWebAssemblyInstance::create): Deleted. |
| * wasm/js/JSWebAssemblyInstance.h: |
| * wasm/js/JSWebAssemblyMemory.cpp: |
| (JSC::JSWebAssemblyMemory::tryCreate): |
| (JSC::JSWebAssemblyMemory::create): Deleted. |
| * wasm/js/JSWebAssemblyMemory.h: |
| * wasm/js/JSWebAssemblyTable.cpp: |
| (JSC::JSWebAssemblyTable::tryCreate): |
| (JSC::JSWebAssemblyTable::create): Deleted. |
| * wasm/js/JSWebAssemblyTable.h: |
| * wasm/js/WebAssemblyGlobalConstructor.cpp: |
| (JSC::constructJSWebAssemblyGlobal): |
| * wasm/js/WebAssemblyInstanceConstructor.cpp: |
| (JSC::constructJSWebAssemblyInstance): |
| * wasm/js/WebAssemblyMemoryConstructor.cpp: |
| (JSC::constructJSWebAssemblyMemory): |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| |
| 2019-12-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put more cells into IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=204845 |
| |
| Reviewed by Saam Barati. |
| |
| This patch puts the following cells in IsoSubspace. |
| |
| - ClonedArguments |
| - JSMap |
| - JSSet |
| - RegExpObject |
| |
| * runtime/ClonedArguments.h: |
| * runtime/JSMap.h: |
| * runtime/JSSet.h: |
| * runtime/RegExpObject.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * runtime/WeakMapImpl.h: |
| (JSC::WeakMapImpl::subspaceFor): |
| |
| 2019-12-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove m_sharingMode field from JSArrayBufferPrototype and make it plain object |
| https://bugs.webkit.org/show_bug.cgi?id=204832 |
| |
| Reviewed by Saam Barati. |
| |
| The m_sharingMode field is not necessary. Just remove it and make JSArrayBufferPrototype a plain object. |
| |
| * runtime/JSArrayBufferPrototype.cpp: |
| (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype): |
| (JSC::JSArrayBufferPrototype::finishCreation): |
| (JSC::JSArrayBufferPrototype::create): |
| * runtime/JSArrayBufferPrototype.h: |
| |
| 2019-12-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Place Wasm cells in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=204829 |
| |
| Reviewed by Saam Barati. |
| |
| This patch places Wasm cells in IsoSubspace. We remove the JSDestructibleObject inheritance in wasm cells since we |
| can call the destructor through HeapCellType's specialization. We do not need to rely on m_classInfo->methodTable->destroy. |
| This patch does not include JSToWasmICCallee since I'm now exploring a way to remove it completely. |
| |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * wasm/js/JSWebAssemblyInstance.h: |
| * wasm/js/JSWebAssemblyMemory.cpp: |
| (JSC::JSWebAssemblyMemory::destroy): |
| * wasm/js/JSWebAssemblyMemory.h: |
| * wasm/js/JSWebAssemblyModule.h: |
| * wasm/js/JSWebAssemblyTable.h: |
| * wasm/js/WebAssemblyGlobalConstructor.h: |
| |
| 2019-12-04 Tim Horton <timothy_horton@apple.com> |
| |
| Introduce a GPU process |
| https://bugs.webkit.org/show_bug.cgi?id=204343 |
| |
| Reviewed by Simon Fraser. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| Add ENABLE(GPU_PROCESS). |
| |
| 2019-12-04 Yury Semikhatsky <yurys@chromium.org> |
| |
| Web Inspector: allow inspector to pause provisional page load and restore its state |
| https://bugs.webkit.org/show_bug.cgi?id=204170 |
| |
| Reviewed by Devin Rousso. |
| |
| Added an option to the Target domain to pause all new targets on start, waiting for an |
| explicit 'resume' command from the inspector front-end. This allows configuring the |
| inspector backend (including user agent overrides, breakpoints and instrumentation) |
| before navigation starts. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * inspector/InspectorTarget.cpp: Added. |
| (Inspector::InspectorTarget::pause): |
| (Inspector::InspectorTarget::resume): |
| (Inspector::InspectorTarget::setResumeCallback): |
| * inspector/InspectorTarget.h: |
| * inspector/agents/InspectorTargetAgent.cpp: |
| (Inspector::InspectorTargetAgent::willDestroyFrontendAndBackend): |
| (Inspector::InspectorTargetAgent::setPauseOnStart): |
| (Inspector::InspectorTargetAgent::resume): |
| (Inspector::buildTargetInfoObject): |
| (Inspector::InspectorTargetAgent::targetCreated): |
| (Inspector::InspectorTargetAgent::targetDestroyed): |
| * inspector/agents/InspectorTargetAgent.h: |
| * inspector/protocol/Target.json: |
| |
| 2019-12-03 Saam Barati <sbarati@apple.com> |
| |
| Remove "patch" struct from StructureStubInfo because it adds unnecessary padding |
| https://bugs.webkit.org/show_bug.cgi?id=204392 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| By doing this, we reduce the size of StructureStubInfo from 120 bytes to 112 |
| bytes. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateWithGuard): |
| (JSC::AccessCase::generateImpl): |
| * bytecode/GetterSetterAccessCase.cpp: |
| (JSC::GetterSetterAccessCase::emitDOMJITGetter): |
| * bytecode/InlineAccess.cpp: |
| (JSC::linkCodeInline): |
| (JSC::InlineAccess::generateSelfPropertyAccess): |
| (JSC::getScratchRegister): |
| (JSC::InlineAccess::generateSelfPropertyReplace): |
| (JSC::InlineAccess::generateArrayLength): |
| (JSC::InlineAccess::generateStringLength): |
| (JSC::InlineAccess::generateSelfInAccess): |
| (JSC::InlineAccess::rewireStubAsJump): |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::PolymorphicAccess::regenerate): |
| * bytecode/StructureStubInfo.h: |
| (JSC::StructureStubInfo::inlineSize const): |
| (JSC::StructureStubInfo::patchableJump): |
| (JSC::StructureStubInfo::valueRegs const): |
| (JSC::StructureStubInfo::propertyRegs const): |
| (JSC::StructureStubInfo::baseRegs const): |
| (JSC::StructureStubInfo::baseGPR const): Deleted. |
| (JSC::StructureStubInfo::slowPathCallLocation): Deleted. |
| (JSC::StructureStubInfo::doneLocation): Deleted. |
| (JSC::StructureStubInfo::slowPathStartLocation): Deleted. |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::callerReturnPC): |
| * jit/JITInlineCacheGenerator.cpp: |
| (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator): |
| (JSC::JITInlineCacheGenerator::finalize): |
| (JSC::JITByIdGenerator::JITByIdGenerator): |
| (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator): |
| (JSC::JITPutByIdGenerator::JITPutByIdGenerator): |
| (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator): |
| (JSC::JITGetByValGenerator::JITGetByValGenerator): |
| * jit/Repatch.cpp: |
| (JSC::tryCacheGetBy): |
| (JSC::repatchGetBy): |
| (JSC::repatchArrayGetByVal): |
| (JSC::tryCachePutByID): |
| (JSC::repatchPutByID): |
| (JSC::tryCacheInByID): |
| (JSC::repatchInByID): |
| (JSC::repatchInstanceOf): |
| (JSC::resetGetBy): |
| (JSC::resetPutByID): |
| (JSC::resetPatchableJump): |
| (JSC::resetInByID): |
| |
| 2019-12-03 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix build failure |
| https://bugs.webkit.org/show_bug.cgi?id=186552 |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::getGlobal): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::setGlobal): |
| |
| 2019-12-03 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove WebAssemblyToJSCallee |
| https://bugs.webkit.org/show_bug.cgi?id=204808 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| This patch drops WebAssemblyToJSCallee. It was originally required to put a small cell to retrieve the VM from the callee. |
| But now this limitation is removed. We can just put JSWebAssemblyModule in the callee place instead. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * interpreter/CallFrame.cpp: |
| (JSC::CallFrame::isAnyWasmCallee): |
| * interpreter/StackVisitor.cpp: |
| (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding): |
| * jit/Repatch.cpp: |
| (JSC::webAssemblyOwner): |
| (JSC::linkFor): |
| (JSC::linkPolymorphicCall): |
| * runtime/JSCast.h: |
| * runtime/JSCell.cpp: |
| * runtime/JSCellInlines.h: |
| (JSC::isWebAssemblyModule): |
| (JSC::isWebAssemblyToJSCallee): Deleted. |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::webAssemblyWrapperFunctionStructure const): |
| (JSC::JSGlobalObject::webAssemblyToJSCalleeStructure const): Deleted. |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| * wasm/WasmOperations.cpp: |
| (JSC::Wasm::operationWasmToJSException): |
| * wasm/js/JSWebAssemblyInstance.cpp: |
| (JSC::JSWebAssemblyInstance::finishCreation): |
| (JSC::JSWebAssemblyInstance::visitChildren): |
| * wasm/js/JSWebAssemblyInstance.h: |
| * wasm/js/JSWebAssemblyModule.cpp: |
| (JSC::JSWebAssemblyModule::createStructure): |
| (JSC::JSWebAssemblyModule::finishCreation): |
| (JSC::JSWebAssemblyModule::visitChildren): |
| (JSC::JSWebAssemblyModule::callee const): Deleted. |
| * wasm/js/JSWebAssemblyModule.h: |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::handleBadI64Use): |
| (JSC::Wasm::wasmToJS): |
| * wasm/js/WebAssemblyToJSCallee.cpp: Removed. |
| * wasm/js/WebAssemblyToJSCallee.h: Removed. |
| |
| 2019-12-03 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Adopt the new WebAssembly.Global system |
| https://bugs.webkit.org/show_bug.cgi?id=186552 |
| |
| Reviewed by Keith Miller. |
| |
| This patch adds the WebAssembly.Global implementation. It is already included in the Wasm spec (this means it is not in |
| staging right now: it was stage 4, and is included in the spec). WebAssembly.Global is a wrapper object around a |
| "global" binding. This object can hold "immutable" and "mutable" global bindings, and we can access Wasm globals through |
| this object. Furthermore, we can share mutable global bindings through this object across WebAssembly modules. |
| |
| To implement it efficiently, this patch introduces BindingMode to Wasm globals. If the mode is EmbeddedInInstance, |
| we continue using the current existing mechanism. If the mode is Portable, we store a pointer to the actual value in the |
| Wasm globals array in Wasm::Instance, so that we can access it through one additional dereference. |
| And we mark all immutable globals as EmbeddedInInstance. If the binding is immutable, internally we do not need to |
| have one binding. We can just continue using the current mechanism since users cannot observe whether immutable bindings' |
| storage is shared or not. If the global is mutable, and it is exported outside of the module, we use Portable mode. |
| So, all the previously used wasm global bindings are EmbeddedInInstance. Only newly added "mutable" "exported" bindings |
| are Portable and require one additional dereference. |
| |
| To access portable bindings efficiently, we add new Wasm bytecodes, `get_global_portable_binding`, `set_global_portable_binding`, |
| and `set_global_ref_portable_binding`. |
| |
| This patch improves WPT wasm coverage significantly. |
| |
| * CMakeLists.txt: |
| * DerivedSources-input.xcfilelist: |
| * DerivedSources-output.xcfilelist: |
| * DerivedSources.make: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * bytecode/BytecodeList.rb: |
| * heap/HeapCell.cpp: |
| (JSC::keepAlive): |
| (JSC::HeapCell::use const): Deleted. |
| * heap/HeapCell.h: |
| (JSC::keepAlive): |
| (JSC::HeapCell::use const): |
| * llint/WebAssembly.asm: |
| * runtime/JSGlobalObject.cpp: |
| * runtime/JSGlobalObject.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::getGlobal): |
| (JSC::Wasm::AirIRGenerator::setGlobal): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::getGlobal): |
| (JSC::Wasm::B3IRGenerator::setGlobal): |
| * wasm/WasmFormat.h: |
| * wasm/WasmGlobal.cpp: Added. |
| (JSC::Wasm::Global::get const): |
| (JSC::Wasm::Global::set): |
| (JSC::Wasm::Global::visitAggregate): |
| * wasm/WasmGlobal.h: Added. |
| * wasm/WasmInstance.cpp: |
| (JSC::Wasm::Instance::Instance): |
| (JSC::Wasm::Instance::setGlobal): |
| (JSC::Wasm::Instance::linkGlobal): |
| * wasm/WasmInstance.h: |
| (JSC::Wasm::Instance::loadI32Global const): |
| (JSC::Wasm::Instance::loadI64Global const): |
| (JSC::Wasm::Instance::setGlobal): |
| (JSC::Wasm::Instance::globalsToBinding): |
| (JSC::Wasm::Instance::getGlobalBinding): |
| * wasm/WasmLLIntGenerator.cpp: |
| (JSC::Wasm::LLIntGenerator::getGlobal): |
| (JSC::Wasm::LLIntGenerator::setGlobal): |
| * wasm/WasmModuleInformation.h: |
| * wasm/WasmOperations.cpp: |
| (JSC::Wasm::operationWasmWriteBarrierSlowPath): |
| * wasm/WasmOperations.h: |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseImport): |
| (JSC::Wasm::SectionParser::parseGlobal): |
| (JSC::Wasm::SectionParser::parseExport): |
| (JSC::Wasm::SectionParser::parseInitExpr): |
| (JSC::Wasm::SectionParser::parseGlobalType): |
| * wasm/WasmSectionParser.h: |
| * wasm/WasmSlowPaths.cpp: |
| (JSC::LLInt::WASM_SLOW_PATH_DECL): |
| * wasm/WasmSlowPaths.h: |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::setGlobal): |
| * wasm/js/JSWebAssembly.cpp: |
| * wasm/js/JSWebAssemblyGlobal.cpp: Added. |
| (JSC::JSWebAssemblyGlobal::create): |
| (JSC::JSWebAssemblyGlobal::createStructure): |
| (JSC::JSWebAssemblyGlobal::JSWebAssemblyGlobal): |
| (JSC::JSWebAssemblyGlobal::finishCreation): |
| (JSC::JSWebAssemblyGlobal::destroy): |
| (JSC::JSWebAssemblyGlobal::visitChildren): |
| * wasm/js/JSWebAssemblyGlobal.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h. |
| * wasm/js/JSWebAssemblyInstance.cpp: |
| (JSC::JSWebAssemblyInstance::visitChildren): |
| * wasm/js/JSWebAssemblyInstance.h: |
| * wasm/js/JSWebAssemblyMemory.cpp: |
| (JSC::JSWebAssemblyMemory::destroy): |
| * wasm/js/JSWebAssemblyMemory.h: |
| * wasm/js/JSWebAssemblyModule.h: |
| * wasm/js/JSWebAssemblyTable.h: |
| * wasm/js/WebAssemblyGlobalConstructor.cpp: Added. |
| (JSC::constructJSWebAssemblyGlobal): |
| (JSC::callJSWebAssemblyGlobal): |
| (JSC::WebAssemblyGlobalConstructor::create): |
| (JSC::WebAssemblyGlobalConstructor::createStructure): |
| (JSC::WebAssemblyGlobalConstructor::finishCreation): |
| (JSC::WebAssemblyGlobalConstructor::WebAssemblyGlobalConstructor): |
| * wasm/js/WebAssemblyGlobalConstructor.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h. |
| * wasm/js/WebAssemblyGlobalPrototype.cpp: Added. |
| (JSC::getGlobal): |
| (JSC::webAssemblyGlobalProtoFuncValueOf): |
| (JSC::webAssemblyGlobalProtoGetterFuncValue): |
| (JSC::webAssemblyGlobalProtoSetterFuncValue): |
| (JSC::WebAssemblyGlobalPrototype::create): |
| (JSC::WebAssemblyGlobalPrototype::createStructure): |
| (JSC::WebAssemblyGlobalPrototype::finishCreation): |
| (JSC::WebAssemblyGlobalPrototype::WebAssemblyGlobalPrototype): |
| * wasm/js/WebAssemblyGlobalPrototype.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h. |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| |
| 2019-12-02 Saam Barati <sbarati@apple.com> |
| |
| PropertySlot should not have Customs have a PropertyOffset of zero |
| https://bugs.webkit.org/show_bug.cgi?id=204566 |
| <rdar://problem/57466781> |
| |
| Reviewed by Keith Miller. |
| |
| We used to say that the PropertyOffset of a cacheable custom was always zero. We |
| did this because we were using "invalidOffset" to indicate things aren't |
| cacheable. This patch refactors PropertySlot to not look at PropertyOffset |
| for cacheability, but instead just uses the cacheability bit. With that |
| change, we now say that customs always have the invalid PropertyOffset. This |
| fixes a bug where we used to watch for property changes at the offset inside |
| an AccessCase. We were doing this for the zero property offset for all |
| customs. This could trigger a crash inside startWatchingPropertyForReplacements |
| because the prototype Structure was a dictionary. We allow dictionaries to |
| be property holders of customs as long as the property is a custom and has the |
| DontDelete property attribute, since DontDelete proves the custom will never |
| change. |
| |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * runtime/PropertySlot.h: |
| (JSC::PropertySlot::PropertySlot): |
| (JSC::PropertySlot::isCacheable const): |
| (JSC::PropertySlot::setValue): |
| (JSC::PropertySlot::setCustom): |
| (JSC::PropertySlot::setCacheableCustom): |
| (JSC::PropertySlot::setCustomGetterSetter): |
| (JSC::PropertySlot::setGetterSlot): |
| (JSC::PropertySlot::setCacheableGetterSlot): |
| (JSC::PropertySlot::setUndefined): |
| |
| 2019-12-02 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put some destructible objects to IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=204771 |
| |
| Reviewed by Mark Lam. |
| |
| This patch puts DateInstance, ErrorInstance, and Intl objects in IsoSubspace. |
| By using specific IsoHeapCellType, we can use JSNonFinalObject as base-classes of |
| them instead of using JSDestructibleObject. We also introduce STATIC_ASSERT_ISO_SUBSPACE_SHARABLE |
| to ensure that derived class of some IsoSubspace'ed one is intentional and safe. |
| |
| * runtime/ArrayConstructor.h: |
| * runtime/AsyncFunctionConstructor.h: |
| * runtime/AsyncGeneratorFunctionConstructor.h: |
| * runtime/BigIntConstructor.h: |
| * runtime/BooleanConstructor.h: |
| * runtime/DateConstructor.h: |
| * runtime/DateInstance.cpp: |
| (JSC::DateInstance::destroy): Deleted. |
| * runtime/DateInstance.h: |
| * runtime/ErrorConstructor.h: |
| * runtime/ErrorInstance.cpp: |
| (JSC::ErrorInstance::destroy): Deleted. |
| * runtime/ErrorInstance.h: |
| (JSC::ErrorInstance::destroy): |
| (JSC::ErrorInstance::subspaceFor): |
| * runtime/FunctionConstructor.h: |
| * runtime/FunctionPrototype.h: |
| * runtime/GeneratorFunctionConstructor.h: |
| * runtime/IntlCollator.cpp: |
| (JSC::IntlCollator::IntlCollator): |
| (JSC::IntlCollator::destroy): Deleted. |
| * runtime/IntlCollator.h: |
| * runtime/IntlCollatorConstructor.h: |
| * runtime/IntlDateTimeFormat.cpp: |
| (JSC::IntlDateTimeFormat::IntlDateTimeFormat): |
| (JSC::IntlDateTimeFormat::destroy): Deleted. |
| * runtime/IntlDateTimeFormat.h: |
| * runtime/IntlDateTimeFormatConstructor.h: |
| * runtime/IntlNumberFormat.cpp: |
| (JSC::IntlNumberFormat::IntlNumberFormat): |
| (JSC::IntlNumberFormat::destroy): Deleted. |
| * runtime/IntlNumberFormat.h: |
| * runtime/IntlNumberFormatConstructor.h: |
| * runtime/IntlPluralRules.cpp: |
| (JSC::IntlPluralRules::IntlPluralRules): |
| (JSC::IntlPluralRules::destroy): Deleted. |
| * runtime/IntlPluralRules.h: |
| * runtime/IntlPluralRulesConstructor.h: |
| * runtime/JSArrayBufferConstructor.h: |
| * runtime/JSCell.h: |
| * runtime/JSObject.h: |
| * runtime/JSTypedArrayConstructors.h: |
| * runtime/JSTypedArrayViewConstructor.h: |
| * runtime/MapConstructor.h: |
| * runtime/NativeErrorConstructor.h: |
| * runtime/NullGetterFunction.h: |
| * runtime/NullSetterFunction.h: |
| * runtime/NumberConstructor.h: |
| * runtime/ObjectConstructor.h: |
| * runtime/ProxyConstructor.h: |
| * runtime/RegExpConstructor.h: |
| * runtime/SetConstructor.h: |
| * runtime/StringConstructor.h: |
| * runtime/SymbolConstructor.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * runtime/WeakMapConstructor.h: |
| * runtime/WeakObjectRefConstructor.h: |
| * runtime/WeakSetConstructor.h: |
| * tools/JSDollarVM.cpp: |
| * wasm/js/JSWebAssemblyCompileError.h: |
| * wasm/js/JSWebAssemblyLinkError.h: |
| * wasm/js/JSWebAssemblyRuntimeError.h: |
| * wasm/js/WebAssemblyCompileErrorConstructor.h: |
| * wasm/js/WebAssemblyInstanceConstructor.h: |
| * wasm/js/WebAssemblyLinkErrorConstructor.h: |
| * wasm/js/WebAssemblyMemoryConstructor.h: |
| * wasm/js/WebAssemblyModuleConstructor.h: |
| * wasm/js/WebAssemblyRuntimeErrorConstructor.h: |
| * wasm/js/WebAssemblyTableConstructor.h: |
| |
| 2019-12-02 Mark Lam <mark.lam@apple.com> |
| |
| Only check each use...FuzzerAgent() option in VM constructor if any of the options are enabled. |
| https://bugs.webkit.org/show_bug.cgi?id=204763 |
| |
| Reviewed by Keith Miller. |
| |
| We know that we'll never use fuzzer agents in deployment. Hence, we shouldn't |
| spend time checking for them in the normal use case. This probably doesn't matter |
| much for Web processes, but for clients of JSC that repeatedly spawn and kill VMs, |
| it might matter more. We might want to eventually widen this idiom to include |
| other debugging / development options, but for now, I'm only covering the fuzzer |
| agent options. |
| |
| * runtime/Options.cpp: |
| (JSC::computeIfUsingFuzzerAgent): |
| (JSC::Options::initialize): |
| * runtime/Options.h: |
| (JSC::Options::isUsingFuzzerAgent): |
| * runtime/OptionsList.h: |
| (JSC::OptionRange::operator bool const): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| |
| 2019-12-02 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [JSC] Remove BytecodeCacheVersion.h |
| https://bugs.webkit.org/show_bug.cgi?id=204760 |
| |
| Reviewed by Mark Lam. |
| |
| Having that as a phony make target causes a lot of unnecessary rebuilds. That was a workaround for |
| the fact that we only need a new cache version when we rebuild CachedTypes.cpp, but there was |
| no straightforward way to get the current timestamp as an integer at that point. Instead, we now |
| just use a constexpr function that hashes __TIMESTAMP__. |
| |
| * CMakeLists.txt: |
| * DerivedSources-output.xcfilelist: |
| * DerivedSources.make: |
| * runtime/CachedTypes.cpp: |
| (JSC::jscBytecodeCacheVersion): |
| (JSC::GenericCacheEntry::isUpToDate const): |
| |
| 2019-12-02 Mark Lam <mark.lam@apple.com> |
| |
| mozilla-tests.yaml/js1_5/Array/regress-101964.js is frequently failing on JSC EWS bots. |
| https://bugs.webkit.org/show_bug.cgi?id=200789 |
| <rdar://problem/54361916> |
| |
| Reviewed by Keith Miller. |
| |
| * tools/JSDollarVM.cpp: |
| (JSC::functionCurrentCPUTime): |
| (JSC::JSDollarVM::finishCreation): |
| |
| 2019-12-02 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put JSGenerator, JSAsyncGenerator, and JSPromise in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=204764 |
| |
| Reviewed by Mark Lam. |
| |
| Put more things in IsoSubspace. They are defined by using JSInternalObjectImpl mechanism. |
| |
| - JSGenerator |
| - JSAsyncGenerator |
| - JSPromise |
| |
| * runtime/JSAsyncGenerator.h: |
| * runtime/JSGenerator.h: |
| * runtime/JSPromise.h: |
| (JSC::JSPromise::subspaceFor): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-12-01 Tuomas Karkkainen <tuomas.webkit@apple.com> |
| |
| Add FuzzerAgent that reads predictions from a file |
| https://bugs.webkit.org/show_bug.cgi?id=203898 |
| |
| Reviewed by Mark Lam. |
| |
| This patch adds a FuzzerAgent that reads predictions from a file. The predictions in the file are |
| correlated with the prediction sites using the name of the JavaScript source file, the opcode, and |
| start and end offsets in the source. There is also a separate FuzzerAgent that can be used to create |
| the prediction files. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * runtime/FileBasedFuzzerAgent.cpp: Added. |
| * runtime/FileBasedFuzzerAgent.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp. |
| * runtime/FileBasedFuzzerAgentBase.cpp: Added. |
| * runtime/FileBasedFuzzerAgentBase.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp. |
| * runtime/FuzzerPredictions.cpp: Added. |
| * runtime/FuzzerPredictions.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp. |
| * runtime/Options.cpp: |
| * runtime/OptionsList.h: |
| * runtime/PredictionFileCreatingFuzzerAgent.cpp: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp. |
| * runtime/PredictionFileCreatingFuzzerAgent.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp. |
| * runtime/RandomizingFuzzerAgent.cpp: |
| * runtime/VM.cpp: |
| |
| 2019-12-01 Caio Lima <ticaiolima@gmail.com> |
| |
| [JSC][MIPS] CallFrame is being clobbered on InternalFunction execution |
| https://bugs.webkit.org/show_bug.cgi?id=203739 |
| |
| Reviewed by Saam Barati. |
| |
| MIPS calling conventions require that we have stack space reserved |
| for 4 (16-byte) arguments ($a0-$a3). The caller doesn't use |
| this space, but the callee can still use it in case they need to save |
| arguments or even reuse it for another allocation. Since we were not |
| allocating it during `makeHostFunctionCall`, the caller frame slot |
| was being clobbered by `callGenericTypedArrayView` execution, |
| resulting in a corrupted call frame stack. This patch is adjusting |
| this convention in ThunkGenerator and in `makeHostFunctionCall`. |
| |
| * jit/ThunkGenerators.cpp: |
| (JSC::nativeForGenerator): |
| * llint/LowLevelInterpreter32_64.asm: |
| |
| 2019-12-01 Caio Lima <ticaiolima@gmail.com> |
| |
| Implement GetByVal inline caching for 32-bit JITs |
| https://bugs.webkit.org/show_bug.cgi?id=204082 |
| |
| Reviewed by Saam Barati. |
| |
| We are adding 32-bit support for GetByVal cases added on r252684. |
| This requires changes on some of the IC code generated to properly |
| support JSVALUE32_64. The major difference from JSVALUE64 is the |
| usage of tagGPR to inspect value types and store results. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateWithGuard): |
| (JSC::AccessCase::generateImpl): |
| * bytecode/GetterSetterAccessCase.cpp: |
| (JSC::GetterSetterAccessCase::emitDOMJITGetter): |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::PolymorphicAccess::regenerate): |
| * bytecode/StructureStubInfo.h: |
| |
| Since a generator can't have `thisGPR` and `propertyGPR` at the same time, |
| we created a new `union` to share `thisTagGPR` and `propertyTagGPR`, |
| matching the approach we have for `JITInlineCacheGenerator::patch.u`. |
| |
| (JSC::StructureStubInfo::propertyRegs const): |
| (JSC::StructureStubInfo::baseRegs const): |
| |
| To simplify scratch register allocation, we added `baseRegs()` and |
| `propertyRegs()` to `StructureStubInfo`, so we can easily retrieve |
| payload and tag GPRs for those operands, keeping them locked. |
| |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * jit/JITInlineCacheGenerator.cpp: |
| (JSC::JITByIdGenerator::JITByIdGenerator): |
| (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator): |
| (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator): |
| (JSC::JITGetByValGenerator::JITGetByValGenerator): |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_get_by_val): |
| (JSC::JIT::emitSlow_op_get_by_val): |
| |
| 2019-11-29 Eike Rathke <erack@redhat.com> |
| |
| Use default implementation for JSVALUE64 with GCC on unknown platform. |
| https://bugs.webkit.org/show_bug.cgi?id=204701 |
| |
| Building on ppc64le and s390x failed with |
| #error "Unknown architecture." |
| Use the default implementation as fallback in these cases. |
| |
| Reviewed by Saam Barati. |
| |
| * heap/GCMemoryOperations.h: |
| (JSC::gcSafeMemcpy): |
| (JSC::gcSafeMemmove): |
| (JSC::gcSafeZeroMemory): |
| |
| 2019-11-28 Fujii Hironori <Hironori.Fujii@sony.com> |
| |
| Remove ENABLE_KEYBOARD_CODE_ATTRIBUTE and ENABLE_KEYBOARD_KEY_ATTRIBUTE macros |
| https://bugs.webkit.org/show_bug.cgi?id=204666 |
| |
| Reviewed by Ross Kirsling and Don Olmstead. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-11-26 Tuomas Karkkainen <tuomas.webkit@apple.com> |
| |
| Attempting to enable more than one FuzzerAgent should result in an error |
| https://bugs.webkit.org/show_bug.cgi?id=204607 |
| |
| Reviewed by Antti Koivisto. |
| |
| * runtime/VM.cpp: |
| * runtime/VM.h: |
| |
| 2019-11-26 Carlos Garcia Campos <cgarcia@igalia.com> |
| |
| [GLIB] The API lock should be held before calling JSC::createTypeError |
| https://bugs.webkit.org/show_bug.cgi?id=204573 |
| |
| Reviewed by Mark Lam. |
| |
| We are missing it in several places. This is causing a crash in test /jsc/object after r252298. |
| |
| * API/glib/JSCContext.cpp: |
| (jscContextGArrayToJSArray): |
| (jscContextJSArrayToGArray): |
| (jscContextGValueToJSValue): |
| (jscContextJSValueToGValue): |
| * API/glib/JSCValue.cpp: |
| (jsc_value_new_array): |
| (jscValueCallFunction): |
| |
| 2019-11-25 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] InternalFunction should be non-destructible |
| https://bugs.webkit.org/show_bug.cgi?id=204556 |
| |
| Reviewed by Mark Lam. |
| |
| InternalFunction and most of its subclasses should be non-destructible since they can be trivially |
| destructed and don't use a destroy function. For the few subclasses that do need a destroy function, |
| these should have different IsoSubspaces of their own. For each of these subclasses, we annotate |
| needsDestruction = true, define a specific HeapCellType for them, and pass the HeapCellType to their |
| IsoSubspace so that their destructors can be invoked. |
| |
| * API/ObjCCallbackFunction.h: |
| * API/glib/JSCCallbackFunction.cpp: |
| (JSC::JSCCallbackFunction::subspaceForImpl): Deleted. |
| * API/glib/JSCCallbackFunction.h: |
| (JSC::JSCCallbackFunction::subspaceFor): Deleted. |
| (JSC::JSCCallbackFunction::createStructure): Deleted. |
| (JSC::JSCCallbackFunction::functionCallback): Deleted. |
| (JSC::JSCCallbackFunction::constructCallback): Deleted. |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor): |
| (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): |
| * runtime/InternalFunction.cpp: |
| (JSC::InternalFunction::InternalFunction): |
| * runtime/InternalFunction.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-11-25 Saam Barati <sbarati@apple.com> |
| |
| Unreviewed. Fix 32-bit build. |
| |
| * bytecode/GetByValHistory.h: |
| (JSC::GetByValHistory::observeNonUID): |
| (JSC::GetByValHistory::observe): |
| (JSC::GetByValHistory::count const): |
| (JSC::GetByValHistory::filter const): |
| |
| 2019-11-24 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Introduce IsoHeapCellType |
| https://bugs.webkit.org/show_bug.cgi?id=204555 |
| |
| Reviewed by Mark Lam. |
| |
| We introduce IsoHeapCellType<CellType>, which destroys cells based on CellType information, which should be in IsoSubspace. |
| By using this, we can avoid inheriting JSDestructibleObject. For each IsoSubspace, we know how to destroy cells if we use |
| IsoHeapCellType<CellType> without using methodTable. We start using it for JSString, JSWeakMap, JSWeakSet, WebAssemblyFunction, |
| and JSWebAssemblyCodeBlock. And we use JSNonFinalObject for the base of JSWeakMap and JSWeakSet, which shrinks their size |
| from 48 to 32. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * heap/IsoHeapCellType.h: Renamed from Source/JavaScriptCore/wasm/js/WebAssemblyFunctionHeapCellType.h. |
| * runtime/JSString.cpp: |
| (JSC::JSString::destroy): Deleted. |
| * runtime/JSString.h: |
| (JSC::JSString::destroy): |
| * runtime/JSStringHeapCellType.cpp: Removed. |
| * runtime/JSStringHeapCellType.h: Removed. |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * runtime/WeakMapImpl.h: |
| * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Removed. |
| * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Removed. |
| * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Removed. |
| |
| 2019-11-23 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] GetSubstitution is performed incorrectly via RegExp.prototype[@@replace] |
| https://bugs.webkit.org/show_bug.cgi?id=204490 |
| |
| Reviewed by Mark Lam. |
| |
| String.prototype.replace and RegExp.prototype[Symbol.replace] are meant to perform the same substitution |
| of $-backreferences (called GetSubstitution in the spec: https://tc39.es/ecma262/#sec-getsubstitution). |
| |
| The implementation of this in StringPrototype.cpp is correct but the one in RegExpPrototype.js is not. |
| In particular, the latter *removes* backreferences with out-of-range indices, instead of leaving them as-is. |
| |
| One thing that is *not* broken in either implementation and thus maintained here is the fact $10 is interpreted |
| as $1 followed by a 0 when we have 1 <= n < 10 captures (and analogously for other invalid $nn backreferences). |
| This behavior is consistent across all engines but currently described incorrectly in the spec; this patch thus |
| aligns with the spec PR currently open to correct this (https://github.com/tc39/ecma262/pull/1732). |
| |
| * builtins/RegExpPrototype.js: |
| (getSubstitution): Ensure that invalid backreferences remain untouched in the output string. |
| (replace): Fix off-by-one error when populating captures list. We shouldn't be reserving a slot for the full match. |
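
As an added illustration (not JSC's builtin code and not part of this ChangeLog), the following JavaScript implements the GetSubstitution algorithm the entry above describes: a two-digit $nn is tried first, then $n with the second digit kept literal, and any backreference that is still out of range stays in the output untouched. The names `getSubstitution`, `replaceOnce` and `agreesWithEngine` are chosen here, and the input strings are constructed for the example.

```javascript
'use strict';

// Added example: a from-scratch GetSubstitution in plain JavaScript. It is not
// JSC's RegExpPrototype.js builtin, only a model of the behaviour described above.
// `captures` holds only the capture groups (no slot for the full match), which is
// exactly the off-by-one the entry fixes in replace().
function getSubstitution(matched, str, position, captures, namedCaptures, replacement) {
  const m = captures.length;              // number of capture groups
  const tailPos = position + matched.length;
  const capText = (cap) => (cap === undefined ? '' : String(cap));
  let result = '';
  let i = 0;
  while (i < replacement.length) {
    const ch = replacement[i];
    if (ch !== '$' || i + 1 >= replacement.length) {
      result += ch;
      i += 1;
      continue;
    }
    const next = replacement[i + 1];
    if (next === '$') { result += '$'; i += 2; continue; }
    if (next === '&') { result += matched; i += 2; continue; }
    if (next === '`') { result += str.slice(0, position); i += 2; continue; }
    if (next === "'") { result += str.slice(tailPos); i += 2; continue; }
    if (next >= '0' && next <= '9') {
      const d1 = next.charCodeAt(0) - 48;
      const two = replacement[i + 2];
      // Try $nn first: only valid when 1 <= nn <= m.
      if (two !== undefined && two >= '0' && two <= '9') {
        const nn = d1 * 10 + (two.charCodeAt(0) - 48);
        if (nn >= 1 && nn <= m) { result += capText(captures[nn - 1]); i += 3; continue; }
      }
      // Fall back to $n; the second digit (if any) is then emitted literally.
      if (d1 >= 1 && d1 <= m) { result += capText(captures[d1 - 1]); i += 2; continue; }
      // Invalid backreference: keep "$" and the digit as-is instead of dropping them.
      result += '$' + next;
      i += 2;
      continue;
    }
    if (next === '<') {
      // Without named groups, "$<" is literal text.
      const close = namedCaptures === undefined ? -1 : replacement.indexOf('>', i + 2);
      if (close === -1) { result += '$<'; i += 2; continue; }
      result += capText(namedCaptures[replacement.slice(i + 2, close)]);
      i = close + 1;
      continue;
    }
    result += '$';                         // "$" followed by anything else is literal
    i += 1;
  }
  return result;
}

// Drive getSubstitution with a real match, the way a single (non-global)
// RegExp.prototype[Symbol.replace] call would. Returns the replaced string.
function replaceOnce(str, re, replacement) {
  const match = re.exec(str);
  if (match === null) return str;
  const captures = match.slice(1);        // groups only; match[0] is NOT a capture
  return str.slice(0, match.index)
    + getSubstitution(match[0], str, match.index, captures, match.groups, replacement)
    + str.slice(match.index + match[0].length);
}

// Cross-check against the host engine's own String.prototype.replace.
function agreesWithEngine(str, re, replacement) {
  return replaceOnce(str, re, replacement) === str.replace(re, replacement);
}
```

With one capture group, `'[$10]'` yields `[b0]` (the $1 fallback plus a literal 0) and `'[$2]'` is left as `[$2]`; with eleven groups, `'$11'` resolves to the eleventh capture. `agreesWithEngine` makes it easy to confirm that the engine running the snippet follows the same rules.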
| |
| 2019-11-22 Saam Barati <sbarati@apple.com> |
| |
| Use LLInt profiling to rule out generating an IC for get_by_val |
| https://bugs.webkit.org/show_bug.cgi?id=204536 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| When I landed the get_by_val polymorphic inline caching patch, the prepack |
| benchmark in JetStream2 slowed down by 10%. Through some analysis, I found |
| out that we were slowing down because of the time we spent in the JITs |
| actually generating inline caches. This patch skips generating an inline |
| cache when it seems like it won't be profitable. The heuristic for doing this |
| is simple: |
| - If we see more than 4 identifiers in the LLInt, we won't generate an IC |
| in the upper tiers. |
| - If we see a non-identifier JSString in the LLInt, we won't generate an IC |
| in the upper tiers. |
| |
| This patch recovers the regression on prepack. |
| |
| * bytecode/BytecodeList.rb: |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * generator/main.rb: |
| * heap/TinyBloomFilter.h: |
| (JSC::TinyBloomFilter::bits const): |
| (JSC::TinyBloomFilter::TinyBloomFilter): |
| * jit/JIT.h: |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_get_by_val): |
| (JSC::JIT::emitSlow_op_get_by_val): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * runtime/Operations.h: |
| (JSC::getByValWithIndex): |
| * runtime/OptionsList.h: |
| |
| 2019-11-22 Per Arne Vollan <pvollan@apple.com> |
| |
| Fix compile error in release mode |
| https://bugs.webkit.org/show_bug.cgi?id=204534 |
| |
| Reviewed by Mark Lam. |
| |
| A compiler error is thrown in release mode when compiling FullBytecodeLiveness::getLiveness, |
| since not all paths are returning a value. |
| |
| * bytecode/FullBytecodeLiveness.h: |
| (JSC::FullBytecodeLiveness::getLiveness const): |
| |
| 2019-11-22 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [WebAssembly] Improve Wasm::LLIntGenerator |
| https://bugs.webkit.org/show_bug.cgi?id=204092 |
| |
| Reviewed by Saam Barati. |
| |
| This improves the Wasm::LLIntGenerator by: |
| - Changing LLIntGenerator::ExpressionType from RefPtr<RegisterID> to VirtualRegister: Instead of allocating and retaining |
| RegisterIDs we use VirtualRegisters directly and ensure that they match the WebAssembly stack, i.e. the parser's expression |
| stack should match the virtual registers. |
| - Removing redundant moves when materializing constants and performing local.get: instead of creating a new temporary |
| for each constant and local.get, we return the VirtualRegister for the constant/local slot directly. In order for this |
| to work, we still allocate the stack slot for the temporaries, since we have to materialize them before loops and branches. |
| - Adding a constructor to ControlType that takes the results ExpressionList as an rvalue instead of copying it |
| - Optimizing callInformationFor, which is now split into two functions. The callee does not care about arguments, and should |
| never allocate temporaries, and the caller case was optimized by avoiding unnecessary calls to newTemporary |
| - Delay holding the lock in LLintPlan::compileFunction, since we do not need to hold it while compiling the js-to-wasm entrypoint |
| |
| * bytecode/BytecodeList.rb: |
| * bytecompiler/Label.h: |
| (JSC::GenericLabel::location const): |
| (JSC::GenericLabel::unresolvedJumps const): |
| * generator/Wasm.rb: |
| * llint/WebAssembly.asm: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::endTopLevel): |
| (JSC::Wasm::AirIRGenerator::didPopValueFromStack): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::endTopLevel): |
| (JSC::Wasm::B3IRGenerator::didPopValueFromStack): |
| * wasm/WasmFunctionCodeBlock.cpp: |
| (JSC::Wasm::FunctionCodeBlock::addJumpTable): |
| * wasm/WasmFunctionCodeBlock.h: |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser::expressionStack): |
| (JSC::Wasm::FunctionParser<Context>::parseBody): |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| * wasm/WasmLLIntGenerator.cpp: |
| (JSC::Wasm::LLIntGenerator::ControlType::loop): |
| (JSC::Wasm::LLIntGenerator::ControlType::topLevel): |
| (JSC::Wasm::LLIntGenerator::ControlType::block): |
| (JSC::Wasm::LLIntGenerator::ControlType::if_): |
| (JSC::Wasm::LLIntGenerator::ControlType::targetArity const): |
| (JSC::Wasm::LLIntGenerator::ControlType::stackSize const): |
| (JSC::Wasm::LLIntGenerator::ControlType::ControlType): |
| (JSC::Wasm::LLIntGenerator::unifyValuesWithBlock): |
| (JSC::Wasm::LLIntGenerator::push): |
| (JSC::Wasm::LLIntGenerator::didPopValueFromStack): |
| (JSC::Wasm::LLIntGenerator::emptyExpression): |
| (JSC::Wasm::LLIntGenerator::addEndToUnreachable): |
| (JSC::Wasm::LLIntGenerator::dump): |
| (JSC::Wasm::LLIntGenerator::virtualRegisterForWasmLocal): |
| (JSC::Wasm::LLIntGenerator::jsNullConstant): |
| (JSC::Wasm::LLIntGenerator::zeroConstant): |
| (JSC::Wasm::LLIntGenerator::getDropKeepCount): |
| (JSC::Wasm::LLIntGenerator::dropKeep): |
| (JSC::Wasm::LLIntGenerator::walkExpressionStack): |
| (JSC::Wasm::LLIntGenerator::checkConsistency): |
| (JSC::Wasm::LLIntGenerator::materializeConstantsAndLocals): |
| (JSC::Wasm::LLIntGenerator::materializeLocals): |
| (JSC::Wasm::LLIntGenerator::ConstantMapHashTraits::constructDeletedValue): |
| (JSC::Wasm::LLIntGenerator::ConstantMapHashTraits::isDeletedValue): |
| (JSC::Wasm::LLIntGenerator::LLIntGenerator): |
| (JSC::Wasm::LLIntGenerator::finalize): |
| (JSC::Wasm::LLIntGenerator::callInformationForCaller): |
| (JSC::Wasm::LLIntGenerator::callInformationForCallee): |
| (JSC::Wasm::LLIntGenerator::addArguments): |
| (JSC::Wasm::LLIntGenerator::addLocal): |
| (JSC::Wasm::LLIntGenerator::didFinishParsingLocals): |
| (JSC::Wasm::LLIntGenerator::addConstant): |
| (JSC::Wasm::LLIntGenerator::getLocal): |
| (JSC::Wasm::LLIntGenerator::setLocal): |
| (JSC::Wasm::LLIntGenerator::getGlobal): |
| (JSC::Wasm::LLIntGenerator::addLoop): |
| (JSC::Wasm::LLIntGenerator::addTopLevel): |
| (JSC::Wasm::LLIntGenerator::addBlock): |
| (JSC::Wasm::LLIntGenerator::addIf): |
| (JSC::Wasm::LLIntGenerator::addElse): |
| (JSC::Wasm::LLIntGenerator::addElseToUnreachable): |
| (JSC::Wasm::LLIntGenerator::addReturn): |
| (JSC::Wasm::LLIntGenerator::addBranch): |
| (JSC::Wasm::LLIntGenerator::addSwitch): |
| (JSC::Wasm::LLIntGenerator::endBlock): |
| (JSC::Wasm::LLIntGenerator::endTopLevel): |
| (JSC::Wasm::LLIntGenerator::addCall): |
| (JSC::Wasm::LLIntGenerator::addCallIndirect): |
| (JSC::Wasm::LLIntGenerator::addRefIsNull): |
| (JSC::Wasm::LLIntGenerator::addRefFunc): |
| (JSC::Wasm::LLIntGenerator::addTableGet): |
| (JSC::Wasm::LLIntGenerator::addTableSize): |
| (JSC::Wasm::LLIntGenerator::addTableGrow): |
| (JSC::Wasm::LLIntGenerator::addCurrentMemory): |
| (JSC::Wasm::LLIntGenerator::addGrowMemory): |
| (JSC::Wasm::LLIntGenerator::addSelect): |
| (JSC::Wasm::LLIntGenerator::load): |
| (JSC::GenericLabel<Wasm::GeneratorTraits>::setLocation): |
| * wasm/WasmLLIntPlan.cpp: |
| (JSC::Wasm::LLIntPlan::compileFunction): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::endTopLevel): |
| (JSC::Wasm::Validate::didPopValueFromStack): |
| |
| 2019-11-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG terminal's liveness should respect caller's opcodeID |
| https://bugs.webkit.org/show_bug.cgi?id=204317 |
| |
| Reviewed by Saam Barati. |
| |
| Let's consider the following example, which is frequently seen in Speedometer2/EmberJS-Debug. |
| |
| "use strict"; |
| |
| function assertImpl(cond) |
| { |
| if (!cond) |
| throw new Error(); |
| } |
| |
| function assert() |
| { |
| assertImpl.apply(undefined, arguments); |
| } |
| noInline(assert); |
| |
| When compiling `throw`, we emit a terminal node and put Phantom/PhantomLocal based on the bytecode liveness. |
| When collecting liveness for each frame, we use the liveness information of the bytecode `op_call_varargs` in assert function. |
| This means that op_call_varargs's uses are considered as live (like, `arguments` in this example). |
| But it is not necessary to mark it "live": if we are in assertImpl, `arguments` is already loaded into the stack, and we no longer |
| use `arguments` when exiting, and the execution after the exit. Marking this `arguments` live makes this `arguments` allocated |
| in DFG, but this is wasteful. |
| |
| In this patch, we introduce BeforeUse and AfterUse concept into bytecode liveness information. And use AfterUse information when |
| collecting liveness in the caller's frame in DFG. We only enable this for varargs for now since (1) applying this to the other ones |
| is not profitable, and (2) we need to be careful to make stack arguments live to allow materialization of arguments objects. |
| In op_call_varargs / op_tail_call_varargs / op_construct_varargs cases, uses happen only for |callee|, |this|, and |arguments|. |
| And these are no longer necessary after calling. |
| |
| We don't use liveness information in the next bytecode since it misses uses marked by exception handlers. |
| |
| * bytecode/BytecodeLivenessAnalysis.cpp: |
| (JSC::BytecodeLivenessAnalysis::computeFullLiveness): |
| * bytecode/BytecodeLivenessAnalysis.h: |
| (JSC::BytecodeLivenessAnalysis::graph): |
| * bytecode/BytecodeLivenessAnalysisInlines.h: |
| (JSC::BytecodeLivenessPropagation::stepOverInstructionDef): |
| (JSC::BytecodeLivenessPropagation::stepOverInstructionUse): |
| (JSC::BytecodeLivenessPropagation::stepOverInstructionUseInExceptionHandler): |
| (JSC::BytecodeLivenessPropagation::stepOverInstruction): |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeIndex): |
| (JSC::computeDefsForBytecodeIndex): |
| * bytecode/FullBytecodeLiveness.h: |
| (JSC::FullBytecodeLiveness::getLiveness const): |
| (JSC::FullBytecodeLiveness::operandIsLive const): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::ForInContext::finalize): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::flushForTerminalImpl): |
| * dfg/DFGForAllKills.h: |
| (JSC::DFG::forAllKilledOperands): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::isLiveInBytecode): |
| * dfg/DFGGraph.h: |
| (JSC::DFG::Graph::forAllLocalsLiveInBytecode): |
| (JSC::DFG::Graph::appropriateLivenessCalculationPoint): |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| |
| 2019-11-22 Carlos Garcia Campos <cgarcia@igalia.com> |
| |
| Unreviewed. Fix GTK/WPE debug build after r252770 |
| |
| Just remove the ASSERT instead, since it now always receives a newly created Ref. |
| |
| * inspector/remote/glib/RemoteInspectorGlib.cpp: |
| (Inspector::RemoteInspector::setupConnection): |
| |
| 2019-11-22 Carlos Garcia Campos <cgarcia@igalia.com> |
| |
| Unreviewed. Fix GTK/WPE debug build after r252770 |
| |
| * inspector/remote/glib/RemoteInspectorGlib.cpp: |
| (Inspector::RemoteInspector::setupConnection): |
| |
| 2019-11-22 Carlos Garcia Campos <cgarcia@igalia.com> |
| |
| [GTK][WPE] RemoteInspector: use sockets instead of DBus |
| https://bugs.webkit.org/show_bug.cgi?id=204503 |
| |
| Reviewed by Žan Doberšek. |
| |
| It turns out DBus is even slower than expected. Using GSockets API we can simplify the code and make it a lot |
| more efficient. This will drastically reduce the time to run WebDriver tests in the bots. |
| |
| * inspector/remote/RemoteInspector.h: |
| * inspector/remote/glib/RemoteInspectorGlib.cpp: |
| (Inspector::RemoteInspector::start): |
| (Inspector::RemoteInspector::stopInternal): |
| (Inspector::RemoteInspector::setupConnection): |
| (Inspector::RemoteInspector::pushListingsNow): |
| (Inspector::RemoteInspector::pushListingsSoon): |
| (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): |
| (Inspector::RemoteInspector::sendMessageToRemote): |
| * inspector/remote/glib/RemoteInspectorServer.cpp: |
| (Inspector::RemoteInspectorServer::~RemoteInspectorServer): |
| (Inspector::RemoteInspectorServer::start): |
| (Inspector::RemoteInspectorServer::incomingConnectionCallback): |
| (Inspector::RemoteInspectorServer::incomingConnection): |
| (Inspector::RemoteInspectorServer::setTargetList): |
| (Inspector::RemoteInspectorServer::setupInspectorClient): |
| (Inspector::RemoteInspectorServer::setup): |
| (Inspector::RemoteInspectorServer::close): |
| (Inspector::RemoteInspectorServer::connectionDidClose): |
| (Inspector::RemoteInspectorServer::sendMessageToBackend): |
| (Inspector::RemoteInspectorServer::sendMessageToFrontend): |
| (Inspector::RemoteInspectorServer::startAutomationSession): |
| * inspector/remote/glib/RemoteInspectorServer.h: |
| (Inspector::RemoteInspectorServer::isRunning const): |
| |
| 2019-11-22 Mark Lam <mark.lam@apple.com> |
| |
| Fix missing exception check in replaceUsingStringSearch(). |
| https://bugs.webkit.org/show_bug.cgi?id=204496 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The CachedCall constructor can throw OutOfMemory or StackOverflow errors. |
| This was caught by existing JSC stress tests when we run with a debug build. |
| |
| Also placate the exception check validator in $vm's functionCallWithStackSize(). |
| |
| * runtime/StringPrototype.cpp: |
| (JSC::replaceUsingStringSearch): |
| * tools/JSDollarVM.cpp: |
| (JSC::functionCallWithStackSize): |
| |
| 2019-11-21 Mark Lam <mark.lam@apple.com> |
| |
| replaceUsingStringSearch() should not use CachedCall with host functions. |
| https://bugs.webkit.org/show_bug.cgi?id=204494 |
| <rdar://problem/57421078> |
| |
| Reviewed by Ross Kirsling. |
| |
| The CachedCall mechanism does not support calling host functions. |
| |
| * runtime/StringPrototype.cpp: |
| (JSC::replaceUsingStringSearch): |
| |
| 2019-11-21 Saam Barati <sbarati@apple.com> |
| |
| GetByStatus should not say it took the slow path for multiple identifiers and should have a way to indicate if the StructureStubInfo it saw took the slow path |
| https://bugs.webkit.org/show_bug.cgi?id=204435 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| I discovered some issues with get by val ICs when re-running the microbenchmarks |
| I wrote. I noticed that we were faster when not running with the DFG. The reason |
| for this is that we were only emitting a get by val IC in the DFG/FTL when we |
| observe the GetByStatus says it didn't "go to the slow path". The logic in GetByStatus |
| for building up a variant list was wrong for ICs with multiple identifiers. We have |
| a consistency check when building up the list to ensure that no two variants have |
| structure sets which overlap, because we wouldn't know which one to choose. However, |
| we were accidentally saying two GetByIdVariants overlap when they had different identifiers. |
| This patch fixes that bug by also doing an identifier comparison check. Two GetByIdVariants |
| with different identifiers do not overlap. |
| |
| We also used to say a GetByStatus "goes to the slow path" if any of the cases were an |
| array-like load. I wrote that code thinking that ArrayProfile would just handle it. |
| However, sometimes we have a get by val IC that both has string properties and int32 properties. |
| In these kinds of scenarios, an IC is super profitable. This patch now distinguishes |
| between a GetByStatus saying "we're a slow path" and if we actually observed the StructureStubInfo |
| go to the slow path. In the DFG/FTL, we only forgo emitting a get by val IC when observing a |
| prior StructureStubInfo that went to the slow path. |
| |
| I also realized our call to StructureStubInfo::considerCaching was wrong for get by val ICs. |
| We were only considering the Structure in isolation, not the { Structure, Identifier } |
| pair. For get by val, we need to consider the pair together, since {s1, "a"} |
| and {s1, "b"} will be two different access cases. |
| |
| This patch demonstrates that on these microbenchmarks, get by val ICs can |
| be between 50-200% faster. |
| |
| * bytecode/GetByIdVariant.cpp: |
| (JSC::GetByIdVariant::dumpInContext const): |
| * bytecode/GetByIdVariant.h: |
| (JSC::GetByIdVariant::overlaps): |
| * bytecode/GetByStatus.cpp: |
| (JSC::GetByStatus::GetByStatus): |
| (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): |
| (JSC::GetByStatus::makesCalls const): |
| (JSC::GetByStatus::slowVersion const): |
| (JSC::GetByStatus::merge): |
| (JSC::GetByStatus::dump const): |
| * bytecode/GetByStatus.h: |
| (JSC::GetByStatus::GetByStatus): |
| (JSC::GetByStatus::takesSlowPath const): |
| (JSC::GetByStatus::observedStructureStubInfoSlowPath const): |
| * bytecode/ICStatusUtils.h: |
| (JSC::appendICStatusVariant): |
| * bytecode/InByIdVariant.h: |
| (JSC::InByIdVariant::overlaps): |
| * bytecode/InstanceOfVariant.h: |
| (JSC::InstanceOfVariant::overlaps): |
| * bytecode/PutByIdVariant.h: |
| (JSC::PutByIdVariant::overlaps): |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::visitWeakReferences): |
| * bytecode/StructureStubInfo.h: |
| (JSC::StructureStubInfo::considerCaching): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * jit/JITOperations.cpp: |
| |
| 2019-11-21 Mark Lam <mark.lam@apple.com> |
| |
| Fix broken String.prototype.replace() and replaceAll(). |
| https://bugs.webkit.org/show_bug.cgi?id=204479 |
| <rdar://problem/57354854> |
| |
| Reviewed by Ross Kirsling and Yusuke Suzuki. |
| |
| String.prototype.replace() regressed due to r252683: <https://trac.webkit.org/r252683> |
| for webkit.org/b/202471. The patch failed to handle InternalFunctions. |
| |
| This patch also fixed a spec compliance bug for String.prototype.replace() i.e. |
| the replaceValue needs to be evaluated before we check if there's a match in the |
| source string. |
| Ref: 21.1.3.16-6 at https://www.ecma-international.org/ecma-262/10.0/#sec-string.prototype.replace |
| |
| For String.prototype.replaceAll(), make sure it "behaves just like |
| String.prototype.replace if searchValue is a global regular expression". |
| Ref: https://github.com/tc39/proposal-string-replaceall |
| |
| r252683 also made replaceUsingStringSearch() work the same way as |
| replaceUsingRegExpSearch(). I think this is the wrong trade off to make. |
| replaceUsingRegExpSearch() expects each search leg to do a RegExp search, which |
| is inherently expensive. We shouldn't make string searches slower just because |
| the RegExp search does it that way. |
| |
| However, at https://bugs.webkit.org/show_bug.cgi?id=202471#c22, Ross pointed out |
| that JetStream 2 results appeared to be neutral. I think we should double check |
| with a micro-benchmark as well. I'll leave this for a later patch. For now, the |
| goal of this patch is simply to achieve correctness. |
| Ref: https://bugs.webkit.org/show_bug.cgi?id=204481 |
| |
| * runtime/StringPrototype.cpp: |
| (JSC::replaceUsingRegExpSearch): |
| (JSC::replaceUsingStringSearch): |
| |
| 2019-11-21 Per Arne Vollan <pvollan@apple.com> |
| |
| Fix Win64 compile errors |
| https://bugs.webkit.org/show_bug.cgi?id=204471 |
| |
| Reviewed by Brent Fulgham. |
| |
| Fix warnings being treated as errors. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::requiresIdentifierNameMatch const): |
| (JSC::AccessCase::requiresInt32PropertyCheck const): |
| (JSC::AccessCase::needsScratchFPR const): |
| (JSC::AccessCase::doesCalls const): |
| (JSC::AccessCase::canReplace const): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::executeOSRExit): |
| * jit/JITOperations.cpp: |
| (JSC::profiledAdd): |
| * jit/Repatch.cpp: |
| (JSC::appropriateOptimizingGetByFunction): |
| (JSC::appropriateGetByFunction): |
| * tools/JSDollarVM.cpp: |
| (JSC::functionCallWithStackSize): |
| |
| 2019-11-21 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, rolling in again, regression is not caused by it |
| https://bugs.webkit.org/show_bug.cgi?id=202471 |
| |
| * builtins/BuiltinNames.h: |
| * builtins/StringPrototype.js: |
| (replaceAll): |
| * runtime/StringPrototype.cpp: |
| (JSC::StringPrototype::finishCreation): |
| (JSC::jsSpliceSubstringsWithSeparators): |
| (JSC::replaceUsingStringSearch): |
| (JSC::replace): |
| (JSC::stringProtoFuncReplaceUsingStringSearch): |
| (JSC::stringProtoFuncReplaceAllUsingStringSearch): |
| |
| 2019-11-21 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r252683 and r252721. |
| https://bugs.webkit.org/show_bug.cgi?id=204475 |
| |
| 13% regression in JetStream2/prepack-wtb (Requested by |
| yusukesuzuki on #webkit). |
| |
| Reverted changesets: |
| |
| "Implement String.prototype.replaceAll" |
| https://bugs.webkit.org/show_bug.cgi?id=202471 |
| https://trac.webkit.org/changeset/252683 |
| |
| "Unreviewed, address Darin's feedback on r252683." |
| https://trac.webkit.org/changeset/252721 |
| |
| 2019-11-21 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: removing the blackbox for a specific script doesn't actually remove the blackbox |
| https://bugs.webkit.org/show_bug.cgi?id=204428 |
| |
| Reviewed by Timothy Hatcher. |
| |
| Previously, when updating the blackbox state of each existing script, we would only tell the |
| `Debugger` about when scripts should be blackboxed, not when they shouldn't. This means that |
| when a given script is un-blackboxed, the `Debugger` would never get told about it and would |
| therefore still defer pauses as if it was blackboxed. |
| |
| The solution to this is simple; update the blackboxed state of every script, not just those |
| that should be blackboxed, and tell the `Debugger` about each. |
| |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): |
| |
| 2019-11-20 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Extend MacroAssemblerARM64::load/store for datasize = 16 |
| https://bugs.webkit.org/show_bug.cgi?id=204442 |
| <rdar://problem/57366761> |
| |
| Reviewed by Mark Lam. |
| |
| Our `void load16(const void* address, RegisterID dest)` and `void store16(RegisterID src, const void* address)` are not aware of |
| the condition that the passed register can be memoryTempRegister, while `MacroAssemblerARM64::{load,store}` handles it correctly, e.g. |
| `load` invalidates `cachedMemoryTempRegister` if destination register is memoryTempRegister. As a result, when we are emitting |
| `or16(TrustedImm32 imm, AbsoluteAddress address)` with address where the address's value does not fit in imm, the generated code |
| is reusing memoryTempRegister incorrectly. |
| |
| 0xedf8d4fb4: mov x17, #0x7af0 |
| 0xedf8d4fb8: movk x17, #0xd5a, lsl #16 |
| 0xedf8d4fbc: movk x17, #0x1, lsl #32 // Construct imm register on x17. |
| 0xedf8d4fc0: ldrh w17, [x17] // Load half word from x17 to w17 (we should invalidate x17 memoryTempRegister here). |
| 0xedf8d4fc4: mov w16, #0x1b |
| 0xedf8d4fc8: orr w16, w17, w16 |
| 0xedf8d4fcc: strh w16, [x17] // x17 memoryTempRegister is reused while its content is invalid. |
| |
| The problem is that the `load` and `store` functions do not support the datasize = 16 case. This patch extends `MacroAssemblerARM64::{load,store}` |
| to support 16 so that the `or16` implementation looks similar to `or32` etc. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::load16): |
| (JSC::MacroAssemblerARM64::store16): |
| (JSC::MacroAssemblerARM64::load): |
| (JSC::MacroAssemblerARM64::store): |
| * assembler/testmasm.cpp: |
| (JSC::testOrImmMem): |
| |
| 2019-11-20 Saam Barati <sbarati@apple.com> |
| |
| Baseline JIT should fill in StructureStubInfo's propertyIsInt32 and the slow path should update the array profile more frequently |
| https://bugs.webkit.org/show_bug.cgi?id=204432 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| When I added inline caching for get by val, I removed code which updated the |
| ArrayProfile with some frequency. This patch adds code that does that back, |
| which recovers some of the JetStream2 regressions we are seeing. |
| |
| * jit/JITOperations.cpp: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_get_by_val): |
| |
| 2019-11-20 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Unreviewed, address Darin's feedback on r252683. |
| |
| * runtime/StringPrototype.cpp: |
| (JSC::replaceUsingStringSearch): |
| (JSC::replace): |
| (JSC::stringProtoFuncReplaceUsingStringSearch): |
| (JSC::stringProtoFuncReplaceAllUsingStringSearch): |
| |
| 2019-11-20 Caio Lima <ticaiolima@gmail.com> |
| |
| [JSC] OSR exit to LLInt is broken on MIPS |
| https://bugs.webkit.org/show_bug.cgi?id=203737 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch is adjusting the OSR to LLInt mechanism to MIPS. When we |
| use PIC on this architecture, we need to properly configure `$gp` |
| at some places to be able to access global variables. This is required |
| on LLInt to access the Global Offset Table (GOT). According to the MIPS ABI, |
| the `$gp` can be recalculated during the function prologue using caller |
| register `$t9`. We also emit such instructions (we can see this as |
| `OFFLINE_ASM_CPLOAD` macro) immediately after a non-local label on |
| LLInt. With the introduction of OSR to LLInt mechanism, we now have |
| return location labels that are reached from `ret` LLInt instructions. |
| Such return locations are used to properly return to LLInt execution |
| whenever an OSR exits from inlined call on DFG or FTL to LLInt. When |
| OSR is materializing LLInt stack frames for inlined functions (or |
| accessors), it sets return address to its return location label. |
| This means that for such labels, we need to adjust `$gp` |
| using `$ra` instead of `$t9`, given that LLInt `ret` operation uses |
| `jr $ra` to jump execution there. |
| To implement this, we changed `mipsAddPICCode` to emit code |
| using the correct register required to recalculate `$gp`. |
| We also changed `callTargetFunction` to use the stubs as return |
| location points, since the declaration of global labels will emit |
| `OFFLINE_ASM_CPLOAD($ra)` and we don't want to execute it during |
| normal LLInt execution. |
| |
| * llint/LowLevelInterpreter.asm: |
| * offlineasm/mips.rb: |
| |
| 2019-11-20 Robin Morisset <rmorisset@apple.com> |
| |
| Fix load<16> on ARM64 |
| https://bugs.webkit.org/show_bug.cgi?id=204326 |
| |
| Reviewed by Mark Lam. |
| |
| On ARM64 I used load<16> in https://bugs.webkit.org/show_bug.cgi?id=202832. |
| Unfortunately it turns out to call ldr<16>, and ldr<n> asserts that n is either 32 or 64. |
| This fix simply calls ldrh/strh directly. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::load16): |
| (JSC::MacroAssemblerARM64::store16): |
| |
| 2019-11-20 Mark Lam <mark.lam@apple.com> |
| |
| Flaky JSC test: stress/stack-overflow-in-yarr-byteCompile.js.dfg-eager. |
| https://bugs.webkit.org/show_bug.cgi?id=204405 |
| |
| Reviewed by Alexey Proskuryakov. |
| |
| $vm.callWithStackSize() manipulates the stack in ways that will freak out ASan. |
| So, add SUPPRESS_ASAN to functionCallWithStackSize() to tell ASan to ignore it. |
| |
| * tools/JSDollarVM.cpp: |
| |
| 2019-11-20 Caio Lima <ticaiolima@gmail.com> |
| |
| Regression (r252680): JSCOnly build broken: no matching function for call to JSC::DFG::SpeculativeJIT::jsValueResult |
| https://bugs.webkit.org/show_bug.cgi?id=204404 |
| |
| Reviewed by Saam Barati. |
| |
| Adjusting build after changes from r252684 and r252680. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateWithGuard): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileIncOrDec): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_to_numeric): |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_get_by_val): |
| (JSC::JIT::emitSlow_op_get_by_val): |
| |
| 2019-11-19 Saam Barati <sbarati@apple.com> |
| |
| GetByVal should use polymorphic access and hook into a status object |
| https://bugs.webkit.org/show_bug.cgi?id=202767 |
| |
| Reviewed by Keith Miller. |
| |
| This patch puts get_by_val in our normal IC caching infrastructure. This means |
| building it on top of StructureStubInfo and PolymorphicAccess. For this to |
| work, AccessCase now supports all the array load variants that we used to have |
| fast paths for. For identifier based variants, we just fall back to the |
| code we've already implemented, but only after doing a runtime check that |
| the identifier matches the expected identifier. This allows us to reuse all |
| the IC infrastructure we have for get_by_id. |
| |
| Our compilation strategy is that the baseline JIT always emits a get_by_val |
| IC. If that IC goes to the slow path, the DFG/FTL won't also emit the same IC, |
| since it's probable that we're seeing a megamorphic switch over strings. This |
| was needed to keep this patch neutral on Speedometer 2. It's likely there is |
| room to improve this heuristic: https://bugs.webkit.org/show_bug.cgi?id=204336 |
| |
| This now allows us to have inline caches which contain array loads, and uses |
| of different identifiers. They just show up as different access cases inside |
| polymorphic access. |
| |
| This patch is a progression on various microbenchmarks, especially those with |
| uses of a fixed set of multiple identifiers. It's neutral on JetStream 2 and |
| Speedometer 2. |
| |
| This patch also hooks in get_by_val ICs to our ICStatus infrastructure. This |
| is going to pave the way to allow us to eagerly throw away baseline code, since |
| when we go for an FTL compile, we will be able to use the IC status from the |
| prior compile without relying on baseline specific data structures. |
| |
| There are a few interesting tidbits in this patch that are worth |
| highlighting. |
| - Unlike get_by_id, when we take an IC snapshot for a get_by_val |
| IC, we're not guaranteed the various identifiers in question will outlive |
| the compile (get_by_id ensures this since they're in the constant pool of |
| CodeBlock). For get_by_val, the Identifiers in question are dynamic fields |
| of AccessCase, and AccessCase may get destroyed as we're compiling concurrently. |
| Also, String's reference counting isn't thread safe, so we can't just ref it. |
| Instead, we use a Box<Identifier> inside AccessCase. This allows us to safely |
| ref the Box without refing the underlying String. We're not worried about the |
| Box being destroyed while we're doing this, since we're holding a lock while |
| taking an IC snapshot inside GetByStatus. |
| - We no longer hold onto the actual JS symbol object in the inline cache. |
| This is what we used to do for inlining by val infos. Instead, this patch |
| extends the CheckStringIdent node to be able to handle symbols as well. This |
| patch also renames CheckStringIdent to CheckIdent. |
| |
| This patch also renames various IC related helpers from GetById* to GetBy*, |
| since they can both be used by get_by_val and get_by_id. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::AccessCase): |
| (JSC::AccessCase::create): |
| (JSC::AccessCase::fromStructureStubInfo): |
| (JSC::AccessCase::commit): |
| (JSC::AccessCase::guardedByStructureCheck const): |
| (JSC::AccessCase::guardedByStructureCheckSkippingConstantIdentifierCheck const): |
| (JSC::AccessCase::requiresIdentifierNameMatch const): |
| (JSC::AccessCase::requiresInt32PropertyCheck const): |
| (JSC::AccessCase::needsScratchFPR const): |
| (JSC::AccessCase::forEachDependentCell const): |
| (JSC::AccessCase::doesCalls const): |
| (JSC::AccessCase::canReplace const): |
| (JSC::AccessCase::dump const): |
| (JSC::AccessCase::generateWithGuard): |
| (JSC::AccessCase::generate): |
| (JSC::AccessCase::generateImpl): |
| (JSC::AccessCase::toTypedArrayType): |
| (JSC::AccessCase::checkConsistency): |
| * bytecode/AccessCase.h: |
| (JSC::AccessCase::uid const): |
| (JSC::AccessCase::identifier const): |
| (JSC::AccessCase::checkConsistency): |
| (JSC::AccessCase::AccessCase): |
| * bytecode/GetByIdStatus.cpp: Removed. |
| * bytecode/GetByIdStatus.h: Removed. |
| * bytecode/GetByIdVariant.cpp: |
| (JSC::GetByIdVariant::GetByIdVariant): |
| (JSC::GetByIdVariant::operator=): |
| (JSC::GetByIdVariant::attemptToMerge): |
| * bytecode/GetByIdVariant.h: |
| (JSC::GetByIdVariant::domAttribute const): |
| (JSC::GetByIdVariant::identifier const): |
| * bytecode/GetByStatus.cpp: Copied from Source/JavaScriptCore/bytecode/GetByIdStatus.cpp. |
| (JSC::GetByStatus::appendVariant): |
| (JSC::GetByStatus::computeFromLLInt): |
| (JSC::GetByStatus::computeFor): |
| (JSC::GetByStatus::GetByStatus): |
| (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): |
| (JSC::GetByStatus::makesCalls const): |
| (JSC::GetByStatus::slowVersion const): |
| (JSC::GetByStatus::merge): |
| (JSC::GetByStatus::filter): |
| (JSC::GetByStatus::markIfCheap): |
| (JSC::GetByStatus::finalize): |
| (JSC::GetByStatus::singleIdentifier const): |
| (JSC::GetByStatus::dump const): |
| (JSC::GetByIdStatus::appendVariant): Deleted. |
| (JSC::GetByIdStatus::computeFromLLInt): Deleted. |
| (JSC::GetByIdStatus::computeFor): Deleted. |
| (JSC::GetByIdStatus::computeForStubInfo): Deleted. |
| (JSC::GetByIdStatus::GetByIdStatus): Deleted. |
| (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): Deleted. |
| (JSC::GetByIdStatus::makesCalls const): Deleted. |
| (JSC::GetByIdStatus::slowVersion const): Deleted. |
| (JSC::GetByIdStatus::merge): Deleted. |
| (JSC::GetByIdStatus::filter): Deleted. |
| (JSC::GetByIdStatus::markIfCheap): Deleted. |
| (JSC::GetByIdStatus::finalize): Deleted. |
| (JSC::GetByIdStatus::dump const): Deleted. |
| * bytecode/GetByStatus.h: Copied from Source/JavaScriptCore/bytecode/GetByIdStatus.h. |
| (JSC::GetByStatus::GetByStatus): |
| (JSC::GetByStatus::moduleNamespaceObject const): |
| (JSC::GetByStatus::moduleEnvironment const): |
| (JSC::GetByStatus::scopeOffset const): |
| (JSC::GetByIdStatus::GetByIdStatus): Deleted. |
| (JSC::GetByIdStatus::state const): Deleted. |
| (JSC::GetByIdStatus::isSet const): Deleted. |
| (JSC::GetByIdStatus::operator bool const): Deleted. |
| (JSC::GetByIdStatus::isSimple const): Deleted. |
| (JSC::GetByIdStatus::isCustom const): Deleted. |
| (JSC::GetByIdStatus::isModuleNamespace const): Deleted. |
| (JSC::GetByIdStatus::numVariants const): Deleted. |
| (JSC::GetByIdStatus::variants const): Deleted. |
| (JSC::GetByIdStatus::at const): Deleted. |
| (JSC::GetByIdStatus::operator[] const): Deleted. |
| (JSC::GetByIdStatus::takesSlowPath const): Deleted. |
| (JSC::GetByIdStatus::wasSeenInJIT const): Deleted. |
| (JSC::GetByIdStatus::moduleNamespaceObject const): Deleted. |
| (JSC::GetByIdStatus::moduleEnvironment const): Deleted. |
| (JSC::GetByIdStatus::scopeOffset const): Deleted. |
| * bytecode/GetterSetterAccessCase.cpp: |
| (JSC::GetterSetterAccessCase::GetterSetterAccessCase): |
| (JSC::GetterSetterAccessCase::create): |
| * bytecode/GetterSetterAccessCase.h: |
| * bytecode/ICStatusMap.h: |
| * bytecode/InByIdStatus.cpp: |
| (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback): |
| * bytecode/InlineAccess.cpp: |
| (JSC::InlineAccess::generateSelfPropertyAccess): |
| (JSC::InlineAccess::canGenerateSelfPropertyReplace): |
| (JSC::InlineAccess::generateSelfPropertyReplace): |
| (JSC::InlineAccess::isCacheableArrayLength): |
| (JSC::InlineAccess::generateArrayLength): |
| (JSC::InlineAccess::isCacheableStringLength): |
| (JSC::InlineAccess::generateStringLength): |
| (JSC::InlineAccess::generateSelfInAccess): |
| * bytecode/InstanceOfAccessCase.cpp: |
| (JSC::InstanceOfAccessCase::InstanceOfAccessCase): |
| * bytecode/InstanceOfStatus.cpp: |
| (JSC::InstanceOfStatus::computeForStubInfo): |
| * bytecode/IntrinsicGetterAccessCase.cpp: |
| (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase): |
| (JSC::IntrinsicGetterAccessCase::create): |
| * bytecode/IntrinsicGetterAccessCase.h: |
| * bytecode/ModuleNamespaceAccessCase.cpp: |
| (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase): |
| (JSC::ModuleNamespaceAccessCase::create): |
| * bytecode/ModuleNamespaceAccessCase.h: |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall): |
| (JSC::PolymorphicAccess::addCases): |
| (JSC::PolymorphicAccess::addCase): |
| (JSC::PolymorphicAccess::commit): |
| (JSC::PolymorphicAccess::regenerate): |
| (WTF::printInternal): |
| * bytecode/PolymorphicAccess.h: |
| * bytecode/ProxyableAccessCase.cpp: |
| (JSC::ProxyableAccessCase::ProxyableAccessCase): |
| (JSC::ProxyableAccessCase::create): |
| * bytecode/ProxyableAccessCase.h: |
| * bytecode/PutByIdStatus.cpp: |
| (JSC::PutByIdStatus::computeForStubInfo): |
| * bytecode/RecordedStatuses.cpp: |
| (JSC::RecordedStatuses::addGetByStatus): |
| (JSC::RecordedStatuses::addGetByIdStatus): Deleted. |
| * bytecode/RecordedStatuses.h: |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::StructureStubInfo): |
| (JSC::StructureStubInfo::initGetByIdSelf): |
| (JSC::StructureStubInfo::initArrayLength): |
| (JSC::StructureStubInfo::initStringLength): |
| (JSC::StructureStubInfo::initPutByIdReplace): |
| (JSC::StructureStubInfo::initInByIdSelf): |
| (JSC::StructureStubInfo::deref): |
| (JSC::StructureStubInfo::aboutToDie): |
| (JSC::StructureStubInfo::addAccessCase): |
| (JSC::StructureStubInfo::reset): |
| (JSC::StructureStubInfo::visitWeakReferences): |
| (JSC::StructureStubInfo::propagateTransitions): |
| (JSC::StructureStubInfo::summary const): |
| (JSC::StructureStubInfo::containsPC const): |
| (JSC::StructureStubInfo::setCacheType): |
| (JSC::StructureStubInfo::checkConsistency): |
| * bytecode/StructureStubInfo.h: |
| (JSC::StructureStubInfo::getByIdSelfIdentifier): |
| (JSC::StructureStubInfo::thisValueIsInThisGPR const): |
| (JSC::StructureStubInfo::checkConsistency): |
| (JSC::StructureStubInfo::cacheType const): |
| (JSC::appropriateOptimizingGetByIdFunction): |
| (JSC::appropriateGenericGetByIdFunction): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus): |
| * dfg/DFGArgumentsEliminationPhase.cpp: |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleDOMJITGetter): |
| (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad): |
| (JSC::DFG::ByteCodeParser::load): |
| (JSC::DFG::ByteCodeParser::handleGetById): |
| (JSC::DFG::ByteCodeParser::parseGetById): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| (JSC::DFG::ByteCodeParser::handlePutByVal): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGClobbersExitState.cpp: |
| (JSC::DFG::clobbersExitState): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGDesiredIdentifiers.cpp: |
| (JSC::DFG::DesiredIdentifiers::processCodeBlockIdentifiersIfNeeded): |
| (JSC::DFG::DesiredIdentifiers::ensure): |
| (JSC::DFG::DesiredIdentifiers::at const): |
| (JSC::DFG::DesiredIdentifiers::reallyAdd): |
| * dfg/DFGDesiredIdentifiers.h: |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| * dfg/DFGGraph.h: |
| * dfg/DFGInPlaceAbstractState.cpp: |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::link): |
| * dfg/DFGJITCompiler.h: |
| (JSC::DFG::JITCompiler::addGetByVal): |
| * dfg/DFGMayExit.cpp: |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::hasUidOperand): |
| (JSC::DFG::Node::hasGetByStatus): |
| (JSC::DFG::Node::getByStatus): |
| (JSC::DFG::Node::hasGetByIdStatus): Deleted. |
| (JSC::DFG::Node::getByIdStatus): Deleted. |
| * dfg/DFGNodeType.h: |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileGetById): |
| (JSC::DFG::SpeculativeJIT::compileCheckIdent): |
| (JSC::DFG::SpeculativeJIT::compileCheckStringIdent): Deleted. |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGVarargsForwardingPhase.cpp: |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent): Deleted. |
| * jit/ICStats.h: |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileSlowCases): |
| (JSC::JIT::link): |
| * jit/JIT.h: |
| * jit/JITInlineCacheGenerator.cpp: |
| (JSC::garbageStubInfo): |
| (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator): |
| (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator): |
| (JSC::JITGetByValGenerator::JITGetByValGenerator): |
| (JSC::JITGetByValGenerator::generateFastPath): |
| (JSC::JITGetByValGenerator::finalize): |
| * jit/JITInlineCacheGenerator.h: |
| (JSC::JITGetByValGenerator::JITGetByValGenerator): |
| (JSC::JITGetByValGenerator::slowPathJump const): |
| * jit/JITInlines.h: |
| (JSC::JIT::emitDoubleGetByVal): Deleted. |
| (JSC::JIT::emitContiguousGetByVal): Deleted. |
| (JSC::JIT::emitArrayStorageGetByVal): Deleted. |
| * jit/JITOperations.cpp: |
| (JSC::getByVal): |
| (JSC::tryGetByValOptimize): Deleted. |
| * jit/JITOperations.h: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_get_by_val): |
| (JSC::JIT::emitSlow_op_get_by_val): |
| (JSC::JIT::emit_op_try_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_direct): |
| (JSC::JIT::emit_op_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_with_this): |
| (JSC::JIT::emitGetByValWithCachedId): Deleted. |
| (JSC::JIT::privateCompileGetByVal): Deleted. |
| (JSC::JIT::privateCompileGetByValWithCachedId): Deleted. |
| (JSC::JIT::emitDirectArgumentsGetByVal): Deleted. |
| (JSC::JIT::emitScopedArgumentsGetByVal): Deleted. |
| (JSC::JIT::emitIntTypedArrayGetByVal): Deleted. |
| (JSC::JIT::emitFloatTypedArrayGetByVal): Deleted. |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_get_by_val): |
| (JSC::JIT::emit_op_try_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_direct): |
| (JSC::JIT::emit_op_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_with_this): |
| (JSC::JIT::emitGetByValWithCachedId): Deleted. |
| * jit/Repatch.cpp: |
| (JSC::appropriateOptimizingGetByFunction): |
| (JSC::appropriateGetByFunction): |
| (JSC::tryCacheGetBy): |
| (JSC::repatchGetBy): |
| (JSC::tryCacheArrayGetByVal): |
| (JSC::repatchArrayGetByVal): |
| (JSC::tryCachePutByID): |
| (JSC::tryCacheInByID): |
| (JSC::tryCacheInstanceOf): |
| (JSC::resetGetBy): |
| (JSC::appropriateOptimizingGetByIdFunction): Deleted. |
| (JSC::appropriateGetByIdFunction): Deleted. |
| (JSC::tryCacheGetByID): Deleted. |
| (JSC::repatchGetByID): Deleted. |
| (JSC::resetGetByID): Deleted. |
| * jit/Repatch.h: |
| * llint/LowLevelInterpreter.h: |
| * runtime/DOMAnnotation.h: |
| * runtime/JSCJSValue.cpp: |
| (JSC::JSValue::dumpInContextAssumingStructure const): |
| * runtime/Structure.h: |
| |
| 2019-11-19 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Implement String.prototype.replaceAll |
| https://bugs.webkit.org/show_bug.cgi?id=202471 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Implement the stage 3 proposal here: |
| https://github.com/tc39/proposal-string-replaceall |
| |
| String.prototype.replaceAll is the same as String.prototype.replace, except: |
| 1. When the first argument is a string, all instances of the search string are replaced. |
| 2. When the first argument is a non-global regular expression, a TypeError is thrown. |
| |
| * builtins/BuiltinNames.h: |
| * builtins/StringPrototype.js: |
| (replaceAll): Added. |
| * runtime/StringPrototype.cpp: |
| (JSC::StringPrototype::finishCreation): |
| (JSC::jsSpliceSubstringsWithSeparators): Add early out for single-replacement case. |
| (JSC::replaceUsingStringSearch): Add global replacement logic, following replaceUsingRegExpSearch. |
| (JSC::replace): |
| (JSC::stringProtoFuncReplaceUsingStringSearch): |
| (JSC::stringProtoFuncReplaceAllUsingStringSearch): Added. |
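| |
| The behaviour this entry and Mark Lam's follow-up fix above (webkit.org/b/204479) describe, as an added example that is not part of WebKit or of this ChangeLog: the script below checks the string-vs-RegExp rules of replaceAll, the spec-mandated conversion of replaceValue before the search (ES2019 21.1.3.16 step 6 precedes the search in step 7), and the replacer-function calling convention. The function names and the spying replacement object are this example's own, not names from JSC. |
| |

```javascript
// Added example, not JSC code: observable String.prototype.replace /
// String.prototype.replaceAll behaviour, runnable on any engine that ships
// the stage 3 replaceAll proposal (e.g. Node 15+). All inputs are constructed.

// 1. With a string searchValue, replace rewrites only the first occurrence
//    while replaceAll rewrites every non-overlapping occurrence.
function compareReplaceAndReplaceAll(subject, searchString, replacement) {
  return {
    replace: subject.replace(searchString, replacement),
    replaceAll: subject.replaceAll(searchString, replacement),
  };
}

// 2. A non-global RegExp searchValue makes replaceAll throw a TypeError;
//    a global RegExp makes it behave exactly like replace.
function replaceAllWithRegExp(subject, re, replacement) {
  try {
    const result = subject.replaceAll(re, replacement);
    return { ok: true, result, sameAsReplace: result === subject.replace(re, replacement) };
  } catch (error) {
    return { ok: false, errorName: error.constructor.name };
  }
}

// 3. Evaluation order: a non-callable replaceValue is converted with ToString
//    before the search runs, so its side effects are observable even when the
//    search string does not occur. The spying object counts toString() calls.
function observeReplaceValueEvaluation(subject, searchString) {
  let toStringCalls = 0;
  const replacement = {
    toString() {
      toStringCalls += 1;
      return "#"; // no "$" patterns, so GetSubstitution inserts it verbatim
    },
  };
  const result = subject.replace(searchString, replacement);
  return { result, toStringCalls };
}

// 4. replaceAll with a replacer function calls it once per match with
//    (matched, position, string), the same convention replace uses.
function collectReplaceAllCallbacks(subject, searchString) {
  const calls = [];
  const result = subject.replaceAll(searchString, (match, offset, whole) => {
    calls.push({ match, offset, whole });
    return match.toUpperCase();
  });
  return { result, calls };
}

// Stand-alone usage: print each probe's result.
console.log(compareReplaceAndReplaceAll("a.b.c", ".", "-"));
console.log(replaceAllWithRegExp("foo boo", /o/, "0"));
console.log(replaceAllWithRegExp("foo boo", /o/g, "0"));
console.log(observeReplaceValueEvaluation("abc", "zzz"));
console.log(collectReplaceAllCallbacks("ab ab", "ab"));
```

| An engine that searches first and converts replaceValue only on a match would report toStringCalls of 0 for the no-match probe ("abc" searched for "zzz"); a conforming engine reports 1 in both the match and no-match cases. |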
| |
| 2019-11-19 Robin Morisset <rmorisset@apple.com> |
| |
| [ESNext][BigInt] Add support for op_inc |
| https://bugs.webkit.org/show_bug.cgi?id=193240 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch adds support for both ++ and -- on BigInts. |
| |
| It required the following secondary changes: |
| - teaching FixupPhase how to replace it by ArithAdd/ArithSub/ValueAdd/ValueSub when the type is Int32/Double/BigInt |
| - pulling ObservedResults out of UnaryArithProfile/BinaryArithProfile, so that it can be used by ArithAdd regardless of whether it comes from an Inc or from an Add |
| - adding the constant 1n to the VM object so that it can be used by FixupPhase since it cannot allocate a new JSValue. |
| - adding an UnaryArithProfile to op_inc and op_dec, and teaching the llint to update them. |
| - adding ToNumeric (identity on bigints, same as toNumber on everything else) to all tiers |
| |
| * bytecode/ArithProfile.cpp: |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetDouble const): |
| (JSC::ArithProfile<BitfieldType>::emitSetDouble const): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetNonNumeric const): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetBigInt const): |
| (JSC::ArithProfile<BitfieldType>::emitSetNonNumeric const): |
| (JSC::ArithProfile<BitfieldType>::emitSetBigInt const): |
| * bytecode/ArithProfile.h: |
| (JSC::ObservedResults::ObservedResults): |
| (JSC::ObservedResults::didObserveNonInt32): |
| (JSC::ObservedResults::didObserveDouble): |
| (JSC::ObservedResults::didObserveNonNegZeroDouble): |
| (JSC::ObservedResults::didObserveNegZeroDouble): |
| (JSC::ObservedResults::didObserveNonNumeric): |
| (JSC::ObservedResults::didObserveBigInt): |
| (JSC::ObservedResults::didObserveInt32Overflow): |
| (JSC::ObservedResults::didObserveInt52Overflow): |
| (JSC::ArithProfile::observedResults const): |
| (JSC::ArithProfile::didObserveNonInt32 const): |
| (JSC::ArithProfile::didObserveDouble const): |
| (JSC::ArithProfile::didObserveNonNegZeroDouble const): |
| (JSC::ArithProfile::didObserveNegZeroDouble const): |
| (JSC::ArithProfile::didObserveNonNumeric const): |
| (JSC::ArithProfile::didObserveBigInt const): |
| (JSC::ArithProfile::didObserveInt32Overflow const): |
| (JSC::ArithProfile::didObserveInt52Overflow const): |
| (JSC::ArithProfile::setObservedNonNegZeroDouble): |
| (JSC::ArithProfile::setObservedNegZeroDouble): |
| (JSC::ArithProfile::setObservedNonNumeric): |
| (JSC::ArithProfile::setObservedBigInt): |
| (JSC::ArithProfile::setObservedInt32Overflow): |
| (JSC::ArithProfile::setObservedInt52Overflow): |
| (JSC::ArithProfile::observeResult): |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeIndex): |
| (JSC::computeDefsForBytecodeIndex): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::unaryArithProfileForPC): |
| * bytecode/ExitKind.h: |
| * bytecode/SpeculatedType.h: |
| (JSC::isInt32SpeculationForArithmetic): |
| (JSC::isInt32OrBooleanSpeculationForArithmetic): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::emitUnaryOp): |
| (JSC::BytecodeGenerator::emitToNumeric): |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::emitPostIncOrDec): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGBackwardsPropagationPhase.cpp: |
| (JSC::DFG::BackwardsPropagationPhase::propagate): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::makeSafe): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| (JSC::DFG::FixupPhase::fixupToNumeric): |
| * dfg/DFGMayExit.cpp: |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::hasHeapPrediction): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileIncOrDec): |
| (JSC::DFG::SpeculativeJIT::compileToPrimitive): |
| (JSC::DFG::SpeculativeJIT::compileToNumeric): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileIncOrDec): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| * jit/JIT.h: |
| * jit/JITMathIC.h: |
| (JSC::JITMathIC::generateInline): |
| * jit/JITMulGenerator.cpp: |
| (JSC::JITMulGenerator::generateFastPath): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_to_numeric): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_to_numeric): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/CommonSlowPaths.h: |
| * runtime/JSBigInt.cpp: |
| (JSC::JSBigInt::inc): |
| (JSC::JSBigInt::dec): |
| * runtime/JSBigInt.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-11-19 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] MetadataTable::sizeInBytes should not touch m_rawBuffer in UnlinkedMetadataTable unless MetadataTable is linked to that UnlinkedMetadataTable |
| https://bugs.webkit.org/show_bug.cgi?id=204390 |
| |
| Reviewed by Mark Lam. |
| |
| We have a race issue here. When calling MetadataTable::sizeInBytes, we call UnlinkedMetadataTable::sizeInBytes since we change the result based on |
| whether this MetadataTable is linked to this UnlinkedMetadataTable or not. The problem is that we are calling `UnlinkedMetadataTable::totalSize` |
| unconditionally in UnlinkedMetadataTable::sizeInBytes, and this is touching m_rawBuffer unconditionally. This is not correct since it is possible |
| that this m_rawBuffer is realloced while we are calling MetadataTable::sizeInBytes in the GC thread. |
| |
| 1. The GC thread is calling MetadataTable::sizeInBytes for MetadataTable "A". |
| 2. The main thread is destroying MetadataTable "B". |
| 3. MetadataTable "B" is linked to UnlinkedMetadataTable "C". |
| 4. MetadataTable "A" is pointing to UnlinkedMetadataTable "C". |
| 5. "A" is touching UnlinkedMetadataTable::m_rawBuffer in "C", called from MetadataTable::sizeInBytes. |
| 6. (2) destroys MetadataTable "B", and reallocs UnlinkedMetadataTable::m_rawBuffer in "C". |
| 7. (5) can touch an already freed buffer. |
| |
| This patch fixes UnlinkedMetadataTable::sizeInBytes so that it does not touch m_rawBuffer unless it is owned by the caller's MetadataTable. We need to call |
| UnlinkedMetadataTable::sizeInBytes anyway since we need to adjust the result based on whether the caller MetadataTable is linked to this UnlinkedMetadataTable. |
| |
| * bytecode/UnlinkedMetadataTableInlines.h: |
| (JSC::UnlinkedMetadataTable::sizeInBytes): |
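The seven-step race above, replayed single-threaded as an added illustration (this is not WebKit's code; `UnlinkedTable`, `LinkedTable`, the header-word buffer layout and the `rawBufferTouches` counter are this model's own inventions). The buggy shape reads the shared raw buffer for every caller; the fixed shape reads it only when the caller actually shares it, so a table holding a private copy never dereferences memory that `unlink()` on another thread may be reallocating:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

struct UnlinkedTable;

// Stand-in for MetadataTable: it either shares the UnlinkedTable's raw buffer
// (the "linked" case) or owns a private copy of it.
struct LinkedTable {
    UnlinkedTable* unlinked = nullptr;
    uint32_t* buffer = nullptr; // header word [0] holds the total size in bytes
    size_t sizeInBytes();       // defined after UnlinkedTable
};

// Stand-in for UnlinkedMetadataTable. Names and buffer layout are this model's
// own; only the ownership rule mirrors the fix described in the entry.
struct UnlinkedTable {
    uint32_t* rawBuffer = nullptr;
    uint32_t totalBytes;
    bool isLinked = false;
    int rawBufferTouches = 0; // instrumentation only: counts reads of rawBuffer

    explicit UnlinkedTable(uint32_t bytes)
        : rawBuffer(static_cast<uint32_t*>(std::malloc(bytes))), totalBytes(bytes)
    {
        std::memset(rawBuffer, 0, totalBytes);
        rawBuffer[0] = totalBytes;
    }
    ~UnlinkedTable() { std::free(rawBuffer); }

    size_t totalSize()
    {
        ++rawBufferTouches;
        return rawBuffer[0];
    }

    // The first link shares rawBuffer; any further link gets a private copy.
    LinkedTable link()
    {
        LinkedTable t;
        t.unlinked = this;
        if (!isLinked) {
            rawBuffer = static_cast<uint32_t*>(std::realloc(rawBuffer, totalBytes));
            rawBuffer[0] = totalBytes;
            isLinked = true;
            t.buffer = rawBuffer;
        } else {
            t.buffer = static_cast<uint32_t*>(std::malloc(totalBytes));
            std::memcpy(t.buffer, rawBuffer, totalBytes);
        }
        return t;
    }

    // Destroying the sharing table shrinks rawBuffer with realloc, which may
    // move it: this is the step that races with a reader on another thread.
    void unlink(LinkedTable& t)
    {
        if (t.buffer == rawBuffer) {
            rawBuffer = static_cast<uint32_t*>(std::realloc(rawBuffer, sizeof(uint32_t)));
            isLinked = false;
        } else {
            std::free(t.buffer);
        }
        t.buffer = nullptr;
    }

    // Buggy shape: reads rawBuffer for every caller, including one that holds
    // a private copy and whose read may overlap unlink() on the main thread.
    size_t sizeInBytesBuggy(const LinkedTable& t)
    {
        size_t total = totalSize();
        return t.buffer == rawBuffer ? 0 : total;
    }

    // Fixed shape: rawBuffer is only consulted when the caller shares it, so a
    // caller with a private copy never reads memory it does not own.
    size_t sizeInBytes(const LinkedTable& t)
    {
        if (t.buffer == rawBuffer)
            return 0; // charged to the UnlinkedTable, which owns the shared buffer
        return t.buffer[0];
    }
};

size_t LinkedTable::sizeInBytes() { return unlinked->sizeInBytes(*this); }

// Replays the entry's scenario: "B" shares "C"'s buffer, "A" has a copy, and A is
// measured while B is unlinked. Returns how many times the fixed path read
// rawBuffer on A's behalf (0), or -1 if a size came out wrong.
int replayScenario()
{
    UnlinkedTable c(64);
    LinkedTable b = c.link();
    LinkedTable a = c.link();
    int before = c.rawBufferTouches;
    size_t sizeBefore = a.sizeInBytes();
    c.unlink(b); // reallocates c.rawBuffer
    size_t sizeAfter = a.sizeInBytes();
    c.unlink(a);
    if (sizeBefore != 64 || sizeAfter != 64)
        return -1;
    return c.rawBufferTouches - before;
}
```

Running the same sequence through `sizeInBytesBuggy` instead increments `rawBufferTouches` for the unlinked caller; with a real second thread that read would be the use-after-free the entry describes, which is why a test counts accesses rather than waiting for a crash.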
| |
| 2019-11-19 Fujii Hironori <Hironori.Fujii@sony.com> |
| |
| [JSC] DisallowVMReentry and DeferGC should use WTF::ThreadSpecific instead of using WTF::threadSpecificKeyCreate directly |
| https://bugs.webkit.org/show_bug.cgi?id=204350 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| WTF provides two thread specific storages, ThreadSpecific and |
| threadSpecificKeyCreate. Only DisallowVMReentry and DeferGC were |
| using the latter. They should use WTF::ThreadSpecific because it |
| is a useful type-safe wrapper class. |
| |
| * heap/DeferGC.cpp: |
| * heap/DeferGC.h: |
| (JSC::DisallowGC::initialize): |
| (JSC::DisallowGC::scopeReentryCount): |
| (JSC::DisallowGC::setScopeReentryCount): |
| * runtime/DisallowVMReentry.cpp: |
| * runtime/DisallowVMReentry.h: |
| (JSC::DisallowVMReentry::initialize): |
| (JSC::DisallowVMReentry::scopeReentryCount): |
| (JSC::DisallowVMReentry::setScopeReentryCount): |
| |
| 2019-11-19 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Work-around Leaks' false-positive report about memory leaking |
| https://bugs.webkit.org/show_bug.cgi?id=204384 |
| <rdar://problem/56950932> |
| |
| Reviewed by Mark Lam. |
| |
| According to the radar, Leaks started reporting false-positive memory leaks about ExecutableAllocator and FixedVMPoolExecutableAllocator, |
| while they are per-process singletons and reachable through g_jscConfig. I'm guessing this is because Leaks started skipping scans of |
| read-only memory regions. (g_jscConfig is now mprotected to readonly). |
| |
| To work around this, we anchor these heap allocated things to global variables to help Leaks scan. Once it is fixed, we should remove it. |
| |
| * jit/ExecutableAllocator.cpp: |
| (JSC::ExecutableAllocator::initializeUnderlyingAllocator): |
| (JSC::ExecutableAllocator::initialize): |
| |
| 2019-11-18 Mark Lam <mark.lam@apple.com> |
| |
| Always enable Optional<OptionsStorage::Size> parse(const char* string) for OS(DARWIN). |
| https://bugs.webkit.org/show_bug.cgi?id=204333 |
| <rdar://problem/57303785> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| On OS(DARWIN), the compiler does not consider size_t and unsigned to be the same |
| type, even for 32-bit targets. Hence, we need the size_t version of the function |
| in addition to the unsigned version. |
| |
| * runtime/Options.cpp: |
| (JSC::parse): |
| |
| 2019-11-18 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Local Resource Overrides: allow substitution based on a url pattern |
| https://bugs.webkit.org/show_bug.cgi?id=202375 |
| |
| Reviewed by Brian Burg. |
| |
| Often, websites will load content with a timestamp-based URL query parameter for |
| cache-busting or logging purposes. If a developer is trying to override these resources (or |
| is trying to have an existing override also match these resources), they'd need to edit the |
| local override's URL to match in addition to editing the resource that loads it (e.g. change |
| the <script> in an HTML file), which can sometimes be tricky if the content is dynamically |
| loaded (e.g. an XHR with a non-hardcoded URL). |
| |
| Allowing for local overrides to be set using a regular expression pattern would help resolve |
| this limitation. |
| |
| * inspector/protocol/Network.json: |
| Add `isRegex` parameter to `Network.addInterception` and `Network.removeInterception`. |
| |
| 2019-11-18 Keith Rollin <krollin@apple.com> |
| |
| Move jsc from Resources to Helpers |
| https://bugs.webkit.org/show_bug.cgi?id=203970 |
| <rdar://problem/55917748> |
| |
| Reviewed by Keith Miller. |
| |
| 'jsc' is a supporting application or tool, not a resource. As such, it |
| should go into Helpers, per |
| <https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG201> |
| |
| * Configurations/Base.xcconfig: |
| * Configurations/JSC.xcconfig: |
| * Configurations/ToolExecutable.xcconfig: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| |
| 2019-11-18 Keith Miller <keith_miller@apple.com> |
| |
| Enable Nullish operators by default |
| https://bugs.webkit.org/show_bug.cgi?id=204308 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The nullish operators `??` and `?.` are likely going to stage 4 at |
| the December TC-39 meeting so we should probably just enable them |
| by default. |
| |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::lexWithoutClearingLineTerminator): |
| * runtime/OptionsList.h: |
| |
| 2019-11-18 Mark Lam <mark.lam@apple.com> |
| |
| Clarify that OptionRange::operator=() is only used for initializing to 0 (i.e. state Uninitialized). |
| https://bugs.webkit.org/show_bug.cgi?id=204309 |
| |
| Reviewed by Saam Barati. |
| |
| Added a RELEASE_ASSERT in OptionRange::operator=() to enforce that it should |
| never be called with any value other than 0. |
| |
| * runtime/OptionsList.h: |
| (JSC::OptionRange::operator= ): |
| |
| 2019-11-18 Mark Lam <mark.lam@apple.com> |
| |
| Reduce the amount of memory needed to store Options. |
| https://bugs.webkit.org/show_bug.cgi?id=202105 |
| <rdar://problem/55641041> |
| |
| Reviewed by Robin Morisset. |
| |
| Options used to be stored as an array of unions of all option types, where the |
| size of the array is around 349 elements. We also needed a second array for the |
| default option value. We now store each option (and its default value) as a type |
| specific field in an OptionsStorage struct. This reduces the size of storage for |
| Options from 16752 to 2192 bytes. This, in turn, allows JSC::Config to fit in a |
| single page. |
| |
| The reason we previously stored options in an array of unions is to allow us to |
| randomly access each option by its id. We now store the offset of the option |
| field in the Options::s_constMetaData array (previously called s_optionsInfo). |
| With this offset, we can compute the address of the option value field in |
| the OptionsStorage struct in the JSC::Config. |
| |
| In this patch, we also: |
| |
| 1. Renamed Options::s_optionsInfo to Options::s_constMetaData. |
| |
| 2. Refactor the Option class into the OptionReader::Option class. |
| |
| Previously, the Option class provided another way to access option values, |
| specifically when we need to access them by id. It also provided a means to |
| change that option value. However, in practice, we can do without this, and |
| remove a lot of the code. This class now exists as OptionReader::Option which |
| only provides a means to read information about options, but not change them. |
| The only client for this class is the dumpOption() function. |
| |
| 3. Removed the OptionEntry class. It previously served 2 purposes: |
| a. Define the option types. The types are now defined in OptionsStorage. |
| b. Define a union abstract type large enough to store any option value. |
| This is now expressed as a union member in OptionReader::Option. |
| |
| OptionEntry.h also defines the OptionRange class. OptionRange is now moved |
| to OptionsList.h. |
| |
| 4. Changed the implementation of the option value parse functions to return |
| Optional values instead of taking a reference to the value. This makes the |
| code cleaner and easier to read on the client side. |
| |
| 5. Fixed scaleJITPolicy() to not rely on the Option class (see 2 above), and use |
| the canonical way to read and write option values instead i.e. via the |
| Options::<optionName>() accessors. |
| |
| 6. Fixed recomputeDependentOptions() to rely on the Option class (see 2 above). |
| We can compare the option against its default value using the canonical |
| accessors. |
| |
| 7. Fixed Options::initialize() to only compute the default option value once. |
| The "default" value may actually be a function call. Though current uses do |
| not have side effects if called more than once, it is best to not assume this. |
| |
| 8. Moved the definition of MAXIMUM_NUMBER_OF_FTL_COMPILER_THREADS and |
| enableWebAssemblyStreamingApi from Options.h to OptionsList.h because they are |
| used there first. |
| |
| 9. Reduced the size of the JSC::Config to 1 PageSize. |
| |
| * API/glib/JSCOptions.cpp: |
| (jscOptionsSetValue): |
| (jscOptionsGetValue): |
| (jsc_options_foreach): |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * runtime/JSCConfig.h: |
| * runtime/OptionEntry.h: Removed. |
| * runtime/Options.cpp: |
| (JSC::parse): |
| (JSC::scaleJITPolicy): |
| (JSC::recomputeDependentOptions): |
| (JSC::Options::addressOfOption): |
| (JSC::Options::addressOfOptionDefault): |
| (JSC::Options::initialize): |
| (JSC::Options::setOptionWithoutAlias): |
| (JSC::invertBoolOptionValue): |
| (JSC::Options::setAliasedOption): |
| (JSC::Options::dumpAllOptions): |
| (JSC::OptionReader::Option::operator!= const): |
| (JSC::OptionReader::Option::name const): |
| (JSC::OptionReader::Option::description const): |
| (JSC::OptionReader::Option::type const): |
| (JSC::OptionReader::Option::availability const): |
| (JSC::OptionReader::Option::isOverridden const): |
| (JSC::OptionReader::Option::Option): |
| (JSC::Options::dumpOption): |
| (JSC::OptionReader::optionFor): |
| (JSC::OptionReader::defaultFor): |
| (JSC::OptionReader::Option::initValue): |
| (JSC::OptionReader::Option::dump const): |
| (JSC::OptionReader::Option::operator== const): |
| (JSC::Option::dump const): Deleted. |
| (JSC::Option::operator== const): Deleted. |
| * runtime/Options.h: |
| (JSC::Option::Option): Deleted. |
| (JSC::Option::operator!= const): Deleted. |
| (JSC::Option::id const): Deleted. |
| (JSC::Option::name const): Deleted. |
| (JSC::Option::description const): Deleted. |
| (JSC::Option::type const): Deleted. |
| (JSC::Option::availability const): Deleted. |
| (JSC::Option::isOverridden const): Deleted. |
| (JSC::Option::defaultOption const): Deleted. |
| (JSC::Option::boolVal): Deleted. |
| (JSC::Option::unsignedVal): Deleted. |
| (JSC::Option::doubleVal): Deleted. |
| (JSC::Option::int32Val): Deleted. |
| (JSC::Option::optionRangeVal): Deleted. |
| (JSC::Option::optionStringVal): Deleted. |
| (JSC::Option::gcLogLevelVal): Deleted. |
| * runtime/OptionsList.h: |
| (JSC::OptionRange::operator= ): |
| (JSC::OptionRange::rangeString const): |
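An added example of the storage scheme the entry describes: typed fields in a struct, a constant metadata table that records each field's byte offset for random access by id, parsers that return `std::optional`, and an "overridden" check that compares the live value against its default through the same offset. This is not WebKit's code; the three options, `kMetaData`, `Config`, `setOption` and `isOverridden` are constructed stand-ins for `OptionsStorage`, `Options::s_constMetaData`, `JSC::Config` and the accessors named above.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <optional>

// Stand-in for OptionsStorage: one typed field per option (three constructed
// options here) instead of one slot in an array of unions.
struct OptionsStorage {
    bool useJIT;
    unsigned maxInlineDepth;
    double jitPolicyScale;
};

enum class OptionType : uint8_t { Bool, Unsigned, Double };

// Stand-in for Options::s_constMetaData: immutable per-option metadata whose
// byte offset is what makes random access by option id possible.
struct OptionMetaData {
    const char* name;
    OptionType type;
    size_t offset;
};

constexpr OptionMetaData kMetaData[] = {
    { "useJIT", OptionType::Bool, offsetof(OptionsStorage, useJIT) },
    { "maxInlineDepth", OptionType::Unsigned, offsetof(OptionsStorage, maxInlineDepth) },
    { "jitPolicyScale", OptionType::Double, offsetof(OptionsStorage, jitPolicyScale) },
};
constexpr size_t kNumOptions = sizeof(kMetaData) / sizeof(kMetaData[0]);

// Stand-in for the part of JSC::Config that holds live values and their defaults.
struct Config {
    OptionsStorage options { true, 5, 1.0 };
    OptionsStorage defaults { true, 5, 1.0 };
};

// The previous layout: one union slot per option, once for values and once for defaults.
union LegacyOptionValue { bool b; unsigned u; double d; };
constexpr size_t legacyStorageBytes() { return 2 * kNumOptions * sizeof(LegacyOptionValue); }
constexpr size_t compactStorageBytes() { return sizeof(Config); }

// Random access by id: base address of the storage plus the recorded offset.
void* addressOfOption(OptionsStorage& storage, size_t id)
{
    return reinterpret_cast<char*>(&storage) + kMetaData[id].offset;
}

std::optional<size_t> optionIdFor(const char* name)
{
    for (size_t id = 0; id < kNumOptions; ++id)
        if (!std::strcmp(kMetaData[id].name, name)) return id;
    return std::nullopt;
}

// Parsers return std::optional rather than writing through an out-reference.
std::optional<bool> parseBool(const char* s)
{
    if (!std::strcmp(s, "true")) return true;
    if (!std::strcmp(s, "false")) return false;
    return std::nullopt;
}

std::optional<unsigned> parseUnsigned(const char* s)
{
    if (*s == '-') return std::nullopt; // strtoul would silently wrap a negative value
    char* end = nullptr;
    unsigned long v = std::strtoul(s, &end, 10);
    if (end == s || *end || v > UINT_MAX) return std::nullopt;
    return static_cast<unsigned>(v);
}

std::optional<double> parseDouble(const char* s)
{
    char* end = nullptr;
    double v = std::strtod(s, &end);
    if (end == s || *end) return std::nullopt;
    return v;
}

// Sets option `name` from its textual form. Returns false on an unknown name or an
// unparsable value, in which case the stored value is left untouched.
bool setOption(Config& config, const char* name, const char* text)
{
    std::optional<size_t> id = optionIdFor(name);
    if (!id) return false;
    void* addr = addressOfOption(config.options, *id);
    switch (kMetaData[*id].type) {
    case OptionType::Bool: {
        std::optional<bool> v = parseBool(text);
        if (!v) return false;
        *static_cast<bool*>(addr) = *v;
        return true;
    }
    case OptionType::Unsigned: {
        std::optional<unsigned> v = parseUnsigned(text);
        if (!v) return false;
        *static_cast<unsigned*>(addr) = *v;
        return true;
    }
    case OptionType::Double: {
        std::optional<double> v = parseDouble(text);
        if (!v) return false;
        *static_cast<double*>(addr) = *v;
        return true;
    }
    }
    return false;
}

// An option is overridden when its live value differs from its default; both are
// reached through the same offset, so no per-option accessor is needed here.
bool isOverridden(Config& config, size_t id)
{
    void* live = addressOfOption(config.options, id);
    void* def = addressOfOption(config.defaults, id);
    switch (kMetaData[id].type) {
    case OptionType::Bool: return *static_cast<bool*>(live) != *static_cast<bool*>(def);
    case OptionType::Unsigned: return *static_cast<unsigned*>(live) != *static_cast<unsigned*>(def);
    case OptionType::Double: return *static_cast<double*>(live) != *static_cast<double*>(def);
    }
    return false;
}
```

With three options the union-array layout costs 48 bytes while the struct-based `Config` costs 32; the saving grows with the number of options because each union slot is as wide as the widest option type, which is the effect the entry reports at 349 options.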
| |
| 2019-11-18 Chris Polcyn <cpolcyn@apple.com> |
| |
| Publish JavaScriptCore as Clang module |
| https://bugs.webkit.org/show_bug.cgi?id=204207 |
| |
| Reviewed by Keith Miller. |
| |
| * Configurations/JavaScriptCore.xcconfig: |
| |
| 2019-11-18 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Unreviewed, address Darin's feedback on r252520. |
| |
| * runtime/FunctionRareData.h: |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::hasReifiedLength const): |
| (JSC::JSFunction::hasReifiedName const): |
| |
| 2019-11-18 Keith Miller <keith_miller@apple.com> and Yusuke Suzuki <ysuzuki@apple.com> |
| |
| BigInt should store its data in the primitive gigacage. |
| https://bugs.webkit.org/show_bug.cgi?id=194888 |
| |
| Reviewed by Mark Lam. |
| |
| We should put these bits in the primitive gigacage to reduce the |
| value of type confusing a BigInt as a different cell and using the |
| digits as a way to create an arbitrary pointer. I didn't worry |
| about length/sign as they are not possible to forge a pointer with. |
| |
| We also put JSBigInt in IsoSubspace. |
| |
| * runtime/CellSize.h: |
| (JSC::isDynamicallySizedType): |
| (JSC::cellSize): |
| * runtime/JSBigInt.cpp: |
| (JSC::JSBigInt::JSBigInt): |
| (JSC::JSBigInt::destroy): |
| (JSC::JSBigInt::createWithLengthUnchecked): |
| * runtime/JSBigInt.h: |
| (JSC::JSBigInt::allocationSize): Deleted. |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-11-15 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove index-masking on ScopedArguments and put it in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=204269 |
| |
| Reviewed by Saam Barati. |
| |
| We should remove index-masking for ScopedArguments. This patch reverts it. |
| We still use AuxiliaryBuffer, and avoid using variable sized cell. Then, |
| this patch also puts ScopedArguments in IsoSubspace. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateWithGuard): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments): |
| (JSC::DFG::SpeculativeJIT::compileGetArrayLength): |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask64): Deleted. |
| (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask32): Deleted. |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::emitPreparePreciseIndexMask32): Deleted. |
| * jit/AssemblyHelpers.h: |
| * jit/JIT.cpp: |
| (JSC::JIT::JIT): |
| * jit/JIT.h: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitScopedArgumentsGetByVal): |
| * runtime/ScopedArguments.cpp: |
| (JSC::ScopedArguments::ScopedArguments): |
| (JSC::ScopedArguments::createUninitialized): |
| (JSC::ScopedArguments::create): |
| (JSC::ScopedArguments::createByCopyingFrom): |
| (JSC::ScopedArguments::visitChildren): |
| (JSC::ScopedArguments::overrideThings): |
| (JSC::ScopedArguments::overrideThingsIfNecessary): |
| (JSC::ScopedArguments::unmapArgument): |
| * runtime/ScopedArguments.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-11-15 Eric Carlson <eric.carlson@apple.com> |
| |
| Don't use AVCapture on watchOS and tvOS |
| https://bugs.webkit.org/show_bug.cgi?id=204254 |
| <rdar://problem/45508044> |
| |
| Reviewed by Youenn Fablet. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-11-15 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Anonymous built-in functions should have empty string for a name |
| https://bugs.webkit.org/show_bug.cgi?id=204214 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Ensure that Function.prototype.name (exists and) is an empty string for various anonymous built-in functions, |
| following https://github.com/tc39/ecma262/pull/1490. |
| |
| Specifically: |
| 1. for promises, resolve / reject / executor elements are lacking a name property |
| 2. for proxies, the revocation function is lacking a name property |
| 3. for certain Intl objects, function getters return a bound function named "bound <name>" instead of "" |
| |
| This change also means that we no longer need the NameVisibility enum or isAnonymousBuiltinFunction logic. |
| |
| * builtins/PromiseConstructor.js: |
| * builtins/PromiseOperations.js: |
| Ensure resolve / reject / executor elements have a name property. |
| (They were @-named, which resulted in no name property at all.) |
| |
| * runtime/ProxyRevoke.cpp: |
| (JSC::ProxyRevoke::create): |
| (JSC::ProxyRevoke::finishCreation): |
| * runtime/ProxyRevoke.h: |
| Ensure revocation functions have a name property. |
| (NameVisibility existed solely to ensure this *wasn't* the case.) |
| |
| * runtime/IntlCollatorPrototype.cpp: |
| (JSC::IntlCollatorPrototypeGetterCompare): |
| * runtime/IntlDateTimeFormatPrototype.cpp: |
| (JSC::IntlDateTimeFormatPrototypeGetterFormat): |
| * runtime/IntlNumberFormatPrototype.cpp: |
| (JSC::IntlNumberFormatPrototypeGetterFormat): |
| Give these bound functions an empty name. |
| |
| * bytecode/UnlinkedFunctionExecutable.h: |
| * runtime/FunctionExecutable.h: |
| * runtime/FunctionRareData.cpp: |
| (JSC::FunctionRareData::create): |
| (JSC::FunctionRareData::FunctionRareData): |
| * runtime/FunctionRareData.h: |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::allocateRareData): |
| (JSC::JSFunction::allocateAndInitializeRareData): |
| (JSC::JSFunction::reifyLazyBoundNameIfNeeded): |
| * runtime/JSFunction.h: |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::hasReifiedName const): Ensure bound anonymous built-in functions can have an empty name. |
| (JSC::JSFunction::isAnonymousBuiltinFunction const): Deleted. |
| Get rid of isAnonymousBuiltinFunction logic. |
| |
| * runtime/ArrayConstructor.cpp: |
| (JSC::ArrayConstructor::finishCreation): |
| * runtime/AsyncFunctionConstructor.cpp: |
| (JSC::AsyncFunctionConstructor::finishCreation): |
| * runtime/AsyncGeneratorFunctionConstructor.cpp: |
| (JSC::AsyncGeneratorFunctionConstructor::finishCreation): |
| * runtime/BigIntConstructor.cpp: |
| (JSC::BigIntConstructor::finishCreation): |
| * runtime/BooleanConstructor.cpp: |
| (JSC::BooleanConstructor::finishCreation): |
| * runtime/DateConstructor.cpp: |
| (JSC::DateConstructor::finishCreation): |
| * runtime/ErrorConstructor.cpp: |
| (JSC::ErrorConstructor::finishCreation): |
| * runtime/FunctionConstructor.cpp: |
| (JSC::FunctionConstructor::finishCreation): |
| * runtime/FunctionPrototype.cpp: |
| (JSC::FunctionPrototype::finishCreation): |
| * runtime/GeneratorFunctionConstructor.cpp: |
| (JSC::GeneratorFunctionConstructor::finishCreation): |
| * runtime/InternalFunction.cpp: |
| (JSC::InternalFunction::finishCreation): |
| * runtime/InternalFunction.h: |
| * runtime/IntlCollatorConstructor.cpp: |
| (JSC::IntlCollatorConstructor::finishCreation): |
| * runtime/IntlDateTimeFormatConstructor.cpp: |
| (JSC::IntlDateTimeFormatConstructor::finishCreation): |
| * runtime/IntlNumberFormatConstructor.cpp: |
| (JSC::IntlNumberFormatConstructor::finishCreation): |
| * runtime/IntlPluralRulesConstructor.cpp: |
| (JSC::IntlPluralRulesConstructor::finishCreation): |
| * runtime/JSArrayBufferConstructor.cpp: |
| (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation): |
| * runtime/JSGenericTypedArrayViewConstructorInlines.h: |
| (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation): |
| * runtime/JSTypedArrayViewConstructor.cpp: |
| (JSC::JSTypedArrayViewConstructor::finishCreation): |
| * runtime/MapConstructor.cpp: |
| (JSC::MapConstructor::finishCreation): |
| * runtime/NativeErrorConstructor.cpp: |
| (JSC::NativeErrorConstructorBase::finishCreation): |
| * runtime/NullGetterFunction.h: |
| * runtime/NullSetterFunction.h: |
| * runtime/NumberConstructor.cpp: |
| (JSC::NumberConstructor::finishCreation): |
| * runtime/ObjectConstructor.cpp: |
| (JSC::ObjectConstructor::finishCreation): |
| * runtime/ProxyConstructor.cpp: |
| (JSC::ProxyConstructor::finishCreation): |
| * runtime/RegExpConstructor.cpp: |
| (JSC::RegExpConstructor::finishCreation): |
| * runtime/SetConstructor.cpp: |
| (JSC::SetConstructor::finishCreation): |
| * runtime/StringConstructor.cpp: |
| (JSC::StringConstructor::finishCreation): |
| * runtime/SymbolConstructor.cpp: |
| (JSC::SymbolConstructor::finishCreation): |
| * runtime/WeakMapConstructor.cpp: |
| (JSC::WeakMapConstructor::finishCreation): |
| * runtime/WeakObjectRefConstructor.cpp: |
| (JSC::WeakObjectRefConstructor::finishCreation): |
| * runtime/WeakSetConstructor.cpp: |
| (JSC::WeakSetConstructor::finishCreation): |
| * wasm/js/WebAssemblyCompileErrorConstructor.cpp: |
| (JSC::WebAssemblyCompileErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyInstanceConstructor.cpp: |
| (JSC::WebAssemblyInstanceConstructor::finishCreation): |
| * wasm/js/WebAssemblyLinkErrorConstructor.cpp: |
| (JSC::WebAssemblyLinkErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyMemoryConstructor.cpp: |
| (JSC::WebAssemblyMemoryConstructor::finishCreation): |
| * wasm/js/WebAssemblyModuleConstructor.cpp: |
| (JSC::WebAssemblyModuleConstructor::finishCreation): |
| * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: |
| (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::WebAssemblyTableConstructor::finishCreation): |
| Get rid of NameVisibility enum. |
| |
| 2019-11-15 Myles C. Maxfield <mmaxfield@apple.com> |
| |
| [Apple] Enable variation fonts on all Apple platforms |
| https://bugs.webkit.org/show_bug.cgi?id=198100 |
| |
| Reviewed by Simon Fraser. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-11-15 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG strength reduction should define "groups" for RegExp constant-folded result |
| https://bugs.webkit.org/show_bug.cgi?id=204264 |
| |
| Reviewed by Michael Saboff. |
| |
| We always define "groups" property in the result of RegExp matching. |
| But we do not define it when DFG performs strength-reduction for the RegExp matching node. |
| This patch adds "groups" field correctly. |
| |
| * dfg/DFGStrengthReductionPhase.cpp: |
| (JSC::DFG::StrengthReductionPhase::handleNode): |
| * runtime/RegExpMatchesArray.cpp: |
| (JSC::createEmptyRegExpMatchesArray): |
| |
| 2019-11-15 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Wasm error message should be cross-thread-copied |
| https://bugs.webkit.org/show_bug.cgi?id=204143 |
| |
| Reviewed by Mark Lam. |
| |
| It is shared by multiple threads, so we should copy it via crossThreadCopy. |
| |
| * wasm/WasmCodeBlock.h: |
| (JSC::Wasm::CodeBlock::errorMessage): |
| * wasm/WasmEntryPlan.cpp: |
| (JSC::Wasm::EntryPlan::parseAndValidateModule): |
| * wasm/WasmPlan.h: |
| (JSC::Wasm::Plan::errorMessage const): |
| (JSC::Wasm::Plan::failed const): |
| * wasm/WasmStreamingParser.h: |
| (JSC::Wasm::StreamingParser::errorMessage const): |
| |
| 2019-11-15 Mark Lam <mark.lam@apple.com> |
| |
| Rename InPlaceAbstractState's m_foundConstant to m_shouldTryConstantFolding. |
| https://bugs.webkit.org/show_bug.cgi?id=204244 |
| |
| Reviewed by Saam Barati. |
| |
| m_shouldTryConstantFolding is a more accurate description of what this flag really |
| means i.e. that the AbstractInterpreter thinks that we may benefit from constant |
| folding, and therefore, should attempt it. It doesn't always mean that it found |
| constants to be folded. It also doesn't guarantee that the constant folding phase |
| will succeed in folding any constants. |
| |
| * dfg/DFGAbstractInterpreter.h: |
| (JSC::DFG::AbstractInterpreter::setConstant): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGAtTailAbstractState.h: |
| (JSC::DFG::AtTailAbstractState::setShouldTryConstantFolding): |
| (JSC::DFG::AtTailAbstractState::setFoundConstants): Deleted. |
| * dfg/DFGBasicBlock.cpp: |
| (JSC::DFG::BasicBlock::BasicBlock): |
| * dfg/DFGBasicBlock.h: |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::run): |
| * dfg/DFGInPlaceAbstractState.cpp: |
| (JSC::DFG::InPlaceAbstractState::beginBasicBlock): |
| (JSC::DFG::InPlaceAbstractState::initialize): |
| (JSC::DFG::InPlaceAbstractState::endBasicBlock): |
| * dfg/DFGInPlaceAbstractState.h: |
| (JSC::DFG::InPlaceAbstractState::setShouldTryConstantFolding): |
| (JSC::DFG::InPlaceAbstractState::setFoundConstants): Deleted. |
| |
| 2019-11-14 Saam Barati <sbarati@apple.com> |
| |
| Make gcSafeMemcpy/gcSafeMemmove/gcSafeZeroMemory work properly on arm64_32 |
| https://bugs.webkit.org/show_bug.cgi?id=204217 |
| |
| Reviewed by Mark Lam. |
| |
| We need to be explicit in the code about using 64-bit types and pointer types. |
| |
| * heap/GCMemoryOperations.h: |
| (JSC::gcSafeMemcpy): |
| (JSC::gcSafeMemmove): |
| (JSC::gcSafeZeroMemory): |
| |
| 2019-11-14 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Use toLength() and getIndexQuickly() in JSON.stringify |
| https://bugs.webkit.org/show_bug.cgi?id=204122 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Using toLength() is semantically equivalent and performance-neutral, while adding |
| JSObject::getIndexQuickly() advances microbenchmarks/json-stringify-array-replacer.js |
| by 34%. |
| |
| * runtime/JSONObject.cpp: |
| (JSC::Stringifier::Stringifier): |
| (JSC::Stringifier::Holder::appendNextProperty): |
| |
| 2019-11-14 Caio Lima <ticaiolima@gmail.com> |
| |
| Support or16(TrustedImm32, AbsoluteAddress) in the MIPS MacroAssembler |
| https://bugs.webkit.org/show_bug.cgi?id=204126 |
| |
| Reviewed by Mark Lam. |
| |
| This is adjusting the implementation of `or16` for MIPS. This required |
| the addition of `load16` and `store16` for this macro assembler as |
| well. This also fixes a build issue in the ARMv7 `or16` implementation. |
| |
| * assembler/MacroAssemblerARMv7.h: |
| (JSC::MacroAssemblerARMv7::or16): |
| * assembler/MacroAssemblerMIPS.h: |
| (JSC::MacroAssemblerMIPS::or16): |
| (JSC::MacroAssemblerMIPS::load16): |
| (JSC::MacroAssemblerMIPS::store16): |
| |
| 2019-11-14 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] BlockDirectory's bits should be compact |
| https://bugs.webkit.org/show_bug.cgi?id=204149 |
| |
| Reviewed by Robin Morisset. |
| |
| We start applying IsoSubspace to all JSCells. This means that IsoSubspace should be small enough, |
| so that we can hold many IsoSubspaces without worrying about memory regression. |
| |
| In this patch, we introduce several things to shrink sizeof(IsoSubspace) from 528 to 384. |
| |
| 1. Adjusting members to remove some paddings. |
| 2. Remove m_heap field since this can be got from the caller easily. |
| 3. Make MarkedSpace::heap() efficient: just doing pointer arithmetic. |
| 4. Remove m_size field from IsoSubspace since BlockDirectory knows cellSize. |
| 5. Introduce BlockDirectoryBits, which replaces the 9 FastBitVectors in BlockDirectory with this one class. |
| Since all FastBitVectors have the same size, we should not have a size field for each FastBitVector. |
| We reuse FastBitVector's View mechanism to keep the same ergonomics while making BlockDirectoryBits |
| much smaller. We put 9 uint32_t as Segment, and manage Vector<Segment> in this data structure. Since |
| we touch several bits at the same time for the same block-index, this data structure is compact and |
| efficient. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * heap/AlignedMemoryAllocator.cpp: |
| (JSC::AlignedMemoryAllocator::registerDirectory): |
| * heap/AlignedMemoryAllocator.h: |
| * heap/Allocator.h: |
| * heap/AllocatorInlines.h: |
| (JSC::Allocator::allocate const): |
| * heap/BlockDirectory.cpp: |
| (JSC::BlockDirectory::BlockDirectory): |
| (JSC::BlockDirectory::findEmptyBlockToSteal): |
| (JSC::BlockDirectory::findBlockForAllocation): |
| (JSC::BlockDirectory::tryAllocateBlock): |
| (JSC::BlockDirectory::addBlock): |
| (JSC::BlockDirectory::removeBlock): |
| (JSC::BlockDirectory::prepareForAllocation): |
| (JSC::BlockDirectory::beginMarkingForFullCollection): |
| (JSC::BlockDirectory::endMarking): |
| (JSC::BlockDirectory::snapshotUnsweptForEdenCollection): |
| (JSC::BlockDirectory::snapshotUnsweptForFullCollection): |
| (JSC::BlockDirectory::findBlockToSweep): |
| (JSC::BlockDirectory::sweep): |
| (JSC::BlockDirectory::shrink): |
| (JSC::BlockDirectory::assertNoUnswept): |
| (JSC::BlockDirectory::parallelNotEmptyBlockSource): |
| (JSC::BlockDirectory::dumpBits): |
| * heap/BlockDirectory.h: |
| (JSC::BlockDirectory::cellKind const): |
| (JSC::BlockDirectory::forEachBitVector): |
| (JSC::BlockDirectory::forEachBitVectorWithName): |
| (JSC::BlockDirectory::heap): Deleted. |
| * heap/BlockDirectoryBits.h: Added. |
| (JSC::BlockDirectoryBits::BlockDirectoryBitVectorWordView::BlockDirectoryBitVectorWordView): |
| (JSC::BlockDirectoryBits::BlockDirectoryBitVectorWordView::numBits const): |
| (JSC::BlockDirectoryBits::BlockDirectoryBitVectorWordView::word const): |
| (JSC::BlockDirectoryBits::BlockDirectoryBitVectorWordView::word): |
| (JSC::BlockDirectoryBits::BlockDirectoryBitVectorWordView::clearAll): |
| (JSC::BlockDirectoryBits::BlockDirectoryBitVectorWordView::view const): |
| (JSC::BlockDirectoryBits::numBits const): |
| (JSC::BlockDirectoryBits::resize): |
| (JSC::BlockDirectoryBits::forEachSegment): |
| * heap/BlockDirectoryInlines.h: |
| (JSC::BlockDirectory::forEachBlock): |
| (JSC::BlockDirectory::forEachNotEmptyBlock): |
| * heap/CompleteSubspace.cpp: |
| (JSC::CompleteSubspace::allocatorForSlow): |
| (JSC::CompleteSubspace::tryAllocateSlow): |
| * heap/CompleteSubspaceInlines.h: |
| (JSC::CompleteSubspace::allocateNonVirtual): |
| * heap/IsoCellSet.cpp: |
| (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource): |
| * heap/IsoCellSetInlines.h: |
| (JSC::IsoCellSet::forEachMarkedCell): |
| * heap/IsoSubspace.cpp: |
| (JSC::IsoSubspace::IsoSubspace): |
| (JSC::IsoSubspace::tryAllocateFromLowerTier): |
| * heap/IsoSubspace.h: |
| (JSC::IsoSubspace::cellSize): |
| (JSC::IsoSubspace::allocatorForNonVirtual): |
| (JSC::IsoSubspace::size const): Deleted. |
| (): Deleted. |
| * heap/IsoSubspaceInlines.h: |
| (JSC::IsoSubspace::allocateNonVirtual): |
| * heap/IsoSubspacePerVM.cpp: |
| (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace): |
| * heap/LocalAllocator.cpp: |
| (JSC::LocalAllocator::allocateSlowCase): |
| (JSC::LocalAllocator::doTestCollectionsIfNeeded): |
| * heap/LocalAllocator.h: |
| * heap/LocalAllocatorInlines.h: |
| (JSC::LocalAllocator::allocate): |
| * heap/MarkedBlock.cpp: |
| (JSC::MarkedBlock::Handle::dumpState): |
| * heap/MarkedSpace.cpp: |
| (JSC::MarkedSpace::MarkedSpace): |
| (JSC::MarkedSpace::sweepBlocks): |
| (JSC::MarkedSpace::prepareForAllocation): |
| (JSC::MarkedSpace::visitWeakSets): |
| (JSC::MarkedSpace::reapWeakSets): |
| (JSC::MarkedSpace::prepareForMarking): |
| (JSC::MarkedSpace::beginMarking): |
| (JSC::MarkedSpace::snapshotUnswept): |
| * heap/MarkedSpace.h: |
| (JSC::MarkedSpace::heap const): Deleted. |
| * heap/MarkedSpaceInlines.h: |
| (JSC::MarkedSpace::heap const): |
| * heap/Subspace.cpp: |
| (JSC::Subspace::initialize): |
| * heap/Subspace.h: |
| |
| 2019-11-13 Robin Morisset <rmorisset@apple.com> |
| |
| Split ArithProfile into a Unary and a Binary version |
| https://bugs.webkit.org/show_bug.cgi?id=202832 |
| <rdar://problem/56266847> |
| |
| Reviewed by Keith Miller. |
| |
| ArithProfile was for a long time only used for add/sub/mul/div, but recently it started being used for negate. And it will soon also have to be used for inc and dec due to BigInt. |
| So in this patch I make a separate version that only has the data for a single argument, and thus takes half as much memory. |
| |
| After discussing this change with Phil I realized that the ResultType(s) that were taking space in ArithProfile are not needed: they never change and a copy is already in the bytecode instruction itself. |
| Removing them allowed shrinking both kinds of ArithProfile to fit in 16 bits (9 and 13 respectively). |
| I kept the two kinds separate because they may shrink or grow independently in the future. |
| |
| This also required adding the "orh" instruction to the offline assembler, to set bits in the ArithProfile. |
| This in turn motivated the addition of "storeh", as on RISC platforms "orh" on a memory location is actually loadh -> orh -> storeh. |
| |
| Finally it required adding support for or16(TrustedImm32, AbsoluteAddress) in the MacroAssembler for the ICs. |
| Instead of directly calling it (like we used to do with or32), I introduced ArithProfile::emitUnconditionalSet, so that if either ArithProfile ever changes in size again we'll have fewer places to change. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::or16): |
| * assembler/MacroAssemblerARMv7.h: |
| (JSC::MacroAssemblerARMv7::or16): |
| * assembler/MacroAssemblerMIPS.h: |
| (JSC::MacroAssemblerMIPS::or16): |
| * assembler/MacroAssemblerX86.h: |
| (JSC::MacroAssemblerX86::or16): |
| * assembler/MacroAssemblerX86_64.h: |
| (JSC::MacroAssemblerX86_64::or16): |
| * assembler/testmasm.cpp: |
| (JSC::testOrImmMem): |
| (JSC::run): |
| * bytecode/ArithProfile.cpp: |
| (JSC::ArithProfile<BitfieldType>::emitObserveResult): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetDouble const): |
| (JSC::ArithProfile<BitfieldType>::emitSetDouble const): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetNonNumeric const): |
| (JSC::ArithProfile<BitfieldType>::emitSetNonNumeric const): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetBigInt const): |
| (JSC::ArithProfile<BitfieldType>::emitSetBigInt const): |
| (JSC::ArithProfile<BitfieldType>::emitUnconditionalSet const): |
| (WTF::printInternal): |
| * bytecode/ArithProfile.h: |
| (JSC::ArithProfile::didObserveNonInt32 const): |
| (JSC::ArithProfile::didObserveDouble const): |
| (JSC::ArithProfile::didObserveNonNegZeroDouble const): |
| (JSC::ArithProfile::didObserveNegZeroDouble const): |
| (JSC::ArithProfile::didObserveNonNumeric const): |
| (JSC::ArithProfile::didObserveBigInt const): |
| (JSC::ArithProfile::didObserveInt32Overflow const): |
| (JSC::ArithProfile::didObserveInt52Overflow const): |
| (JSC::ArithProfile::setObservedNonNegZeroDouble): |
| (JSC::ArithProfile::setObservedNegZeroDouble): |
| (JSC::ArithProfile::setObservedNonNumeric): |
| (JSC::ArithProfile::setObservedBigInt): |
| (JSC::ArithProfile::setObservedInt32Overflow): |
| (JSC::ArithProfile::setObservedInt52Overflow): |
| (JSC::ArithProfile::observeResult): |
| (JSC::ArithProfile::addressOfBits const): |
| (JSC::ArithProfile::bits const): |
| (JSC::ArithProfile::ArithProfile): |
| (JSC::ArithProfile::hasBits const): |
| (JSC::ArithProfile::setBit): |
| (JSC::UnaryArithProfile::UnaryArithProfile): |
| (JSC::UnaryArithProfile::observedIntBits): |
| (JSC::UnaryArithProfile::observedNumberBits): |
| (JSC::UnaryArithProfile::argObservedType const): |
| (JSC::UnaryArithProfile::setArgObservedType): |
| (JSC::UnaryArithProfile::argSawInt32): |
| (JSC::UnaryArithProfile::argSawNumber): |
| (JSC::UnaryArithProfile::argSawNonNumber): |
| (JSC::UnaryArithProfile::observeArg): |
| (JSC::UnaryArithProfile::isObservedTypeEmpty): |
| (JSC::BinaryArithProfile::BinaryArithProfile): |
| (JSC::BinaryArithProfile::observedIntIntBits): |
| (JSC::BinaryArithProfile::observedNumberIntBits): |
| (JSC::BinaryArithProfile::observedIntNumberBits): |
| (JSC::BinaryArithProfile::observedNumberNumberBits): |
| (JSC::BinaryArithProfile::setLhsObservedType): |
| (JSC::BinaryArithProfile::setRhsObservedType): |
| (JSC::BinaryArithProfile::observeLHS): |
| (JSC::BinaryArithProfile::observeLHSAndRHS): |
| (JSC::BinaryArithProfile::isObservedTypeEmpty): |
| * bytecode/BytecodeList.rb: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::addJITAddIC): |
| (JSC::CodeBlock::addJITMulIC): |
| (JSC::CodeBlock::addJITSubIC): |
| (JSC::CodeBlock::addJITNegIC): |
| (JSC::CodeBlock::binaryArithProfileForBytecodeIndex): |
| (JSC::CodeBlock::unaryArithProfileForBytecodeIndex): |
| (JSC::CodeBlock::binaryArithProfileForPC): |
| (JSC::CodeBlock::unaryArithProfileForPC): |
| (JSC::CodeBlock::couldTakeSpecialArithFastCase): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::addMathIC): |
| * bytecode/Fits.h: |
| * bytecode/MethodOfGettingAValueProfile.cpp: |
| (JSC::MethodOfGettingAValueProfile::emitReportValue const): |
| (JSC::MethodOfGettingAValueProfile::reportValue): |
| * bytecode/MethodOfGettingAValueProfile.h: |
| (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::emitUnaryOp): |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::UnaryOpNode::emitBytecode): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::makeSafe): |
| (JSC::DFG::ByteCodeParser::makeDivSafe): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::methodOfGettingAValueProfileFor): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileValueAdd): |
| (JSC::DFG::SpeculativeJIT::compileValueSub): |
| (JSC::DFG::SpeculativeJIT::compileValueNegate): |
| (JSC::DFG::SpeculativeJIT::compileValueMul): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): |
| (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate): |
| * jit/JIT.h: |
| * jit/JITAddGenerator.cpp: |
| (JSC::JITAddGenerator::generateInline): |
| (JSC::JITAddGenerator::generateFastPath): |
| * jit/JITAddGenerator.h: |
| * jit/JITArithmetic.cpp: |
| (JSC::JIT::emit_op_negate): |
| (JSC::JIT::emit_op_add): |
| (JSC::JIT::emitMathICFast): |
| (JSC::JIT::emitMathICSlow): |
| (JSC::JIT::emit_op_div): |
| (JSC::JIT::emit_op_mul): |
| (JSC::JIT::emit_op_sub): |
| * jit/JITDivGenerator.cpp: |
| (JSC::JITDivGenerator::generateFastPath): |
| * jit/JITDivGenerator.h: |
| (JSC::JITDivGenerator::JITDivGenerator): |
| * jit/JITInlines.h: |
| (JSC::JIT::copiedArithProfile): |
| * jit/JITMathIC.h: |
| (JSC::JITMathIC::JITMathIC): |
| (JSC::JITMathIC::generateInline): |
| (JSC::JITMathIC::arithProfile const): |
| (JSC::JITBinaryMathIC::JITBinaryMathIC): |
| (JSC::JITUnaryMathIC::JITUnaryMathIC): |
| * jit/JITMulGenerator.cpp: |
| (JSC::JITMulGenerator::generateInline): |
| (JSC::JITMulGenerator::generateFastPath): |
| * jit/JITMulGenerator.h: |
| * jit/JITNegGenerator.cpp: |
| (JSC::JITNegGenerator::generateInline): |
| (JSC::JITNegGenerator::generateFastPath): |
| * jit/JITNegGenerator.h: |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/JITSubGenerator.cpp: |
| (JSC::JITSubGenerator::generateInline): |
| (JSC::JITSubGenerator::generateFastPath): |
| * jit/JITSubGenerator.h: |
| * llint/LLIntData.cpp: |
| (JSC::LLInt::Data::performAssertions): |
| * llint/LLIntOffsetsExtractor.cpp: |
| (JSC::LLIntOffsetsExtractor::dummy): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * offlineasm/arm.rb: |
| * offlineasm/arm64.rb: |
| * offlineasm/cloop.rb: |
| * offlineasm/instructions.rb: |
| * offlineasm/mips.rb: |
| * offlineasm/risc.rb: |
| * offlineasm/x86.rb: |
| * parser/ResultType.h: |
| (JSC::ResultType::ResultType): |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::updateArithProfileForUnaryArithOp): |
| (JSC::updateArithProfileForBinaryArithOp): |
| (JSC::SLOW_PATH_DECL): |
| |
| 2019-11-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put more into IsoSubspace part 2 |
| https://bugs.webkit.org/show_bug.cgi?id=204144 |
| |
| Reviewed by Mark Lam. |
| |
| We are doing this step by step to carefully watch the bot status. |
| This patch puts the following things into IsoSubspace. |
| |
| 1. FunctionRareData |
| 2. ProxyObject |
| 3. SparseArrayValueMap |
| |
| * runtime/FunctionRareData.h: |
| * runtime/ProxyObject.h: |
| * runtime/SparseArrayValueMap.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-11-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] AI should convert IsCellWithType to constant when Structure set is finite |
| https://bugs.webkit.org/show_bug.cgi?id=204141 |
| |
| Reviewed by Saam Barati. |
| |
| We should fold IsCellWithType if the Structure set is finite, since we then have a chance to know what the JSType is. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| |
| 2019-11-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Put more things in IsoSubspace |
| https://bugs.webkit.org/show_bug.cgi?id=204039 |
| |
| Reviewed by Keith Miller and Saam Barati. |
| |
| This patch puts the following things into IsoSubspace. |
| |
| 1. UnlinkedEvalCodeBlock |
| 2. UnlinkedFunctionCodeBlock |
| 3. UnlinkedModuleProgramCodeBlock |
| 4. UnlinkedModuleProgramCodeBlock |
| 5. Symbol |
| 6. JSString |
| 7. JSRopeString |
| 8. GetterSetter |
| |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::subspaceFor): |
| * bytecode/UnlinkedEvalCodeBlock.h: |
| * bytecode/UnlinkedFunctionCodeBlock.h: |
| * bytecode/UnlinkedModuleProgramCodeBlock.h: |
| * bytecode/UnlinkedProgramCodeBlock.h: |
| * runtime/GetterSetter.h: |
| * runtime/JSString.h: |
| (JSC::JSString::subspaceFor): |
| * runtime/Symbol.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-11-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] JSC GC relies on CodeBlock is not PreciseAllocation |
| https://bugs.webkit.org/show_bug.cgi?id=204124 |
| |
| Reviewed by Saam Barati. |
| |
| This is a follow-up patch after r252298. This patch fixes several GC issues. |
| |
| 1. We found that CodeBlock heavily relies on the fact that it is never a PreciseAllocation. |
| For example, in our GC, we scan conservative roots to collect currently-executing CodeBlocks. |
| But if this is done in an Eden cycle, this can only find PreciseAllocation CodeBlocks allocated |
| in the current Eden cycle, since we only use the Eden PreciseAllocation vector to find these cells. |
| This means some CodeBlocks that are PreciseAllocations and were allocated in a past Eden cycle can |
| be missed in this currently-executing set. But we do not want to sort the whole PreciseAllocation |
| vector every time an Eden cycle happens. So, for now, we make the number of lower-tier cells for CodeBlocks 0 |
| so that CodeBlocks are always allocated as non-PreciseAllocations. |
| |
| 2. We had a pre-existing PreciseAllocation bug: when a Weak<> is pointing at a PreciseAllocation, we keep |
| the PreciseAllocation in the m_preciseAllocations vector while the cell inside it is destroyed. This is OK. |
| But HeapUtil::findGCObjectPointersForMarking can populate this PreciseAllocation when performing |
| conservative root scanning. This means that HeapUtil::findGCObjectPointersForMarking can populate |
| destroyed cells. We insert a hasValidCell check to avoid this issue. |
| |
| 3. Subspace::sweep only sweeps non-PreciseAllocation blocks despite its name. This is a problem |
| since we are explicitly calling Subspace::sweep to sweep ScriptExecutables, CodeBlocks, and JIT |
| stubs in a defined order. We rename Subspace::sweep to Subspace::sweepBlocks, and introduce |
| IsoSubspace::sweep, which also sweeps PreciseAllocations for lower-tier cells correctly. |
| We are calling PreciseAllocation::sweep, but we still leave the PreciseAllocation in m_preciseAllocations. |
| This is OK since PreciseAllocation::sweep can be called multiple times. Destroying / reusing PreciseAllocations |
| is done by MarkedSpace::sweepPreciseAllocations. |
| |
| 4. We clear IsoCellSet's bit as soon as a PreciseAllocation's cell is destroyed. This is aligned with the |
| behavior of MarkedBlocks. |
| |
| * bytecode/CodeBlock.h: |
| * heap/CodeBlockSetInlines.h: |
| (JSC::CodeBlockSet::mark): |
| * heap/Heap.cpp: |
| (JSC::Heap::sweepSynchronously): |
| (JSC::Heap::sweepInFinalize): |
| * heap/HeapUtil.h: |
| (JSC::HeapUtil::findGCObjectPointersForMarking): |
| * heap/IsoCellSet.h: |
| * heap/IsoCellSetInlines.h: |
| (JSC::IsoCellSet::clearLowerTierCell): |
| (JSC::IsoCellSet::sweepLowerTierCell): Deleted. |
| * heap/IsoSubspace.cpp: |
| (JSC::IsoSubspace::IsoSubspace): |
| (JSC::IsoSubspace::tryAllocateFromLowerTier): |
| (JSC::IsoSubspace::sweepLowerTierCell): |
| * heap/IsoSubspace.h: |
| * heap/IsoSubspaceInlines.h: |
| (JSC::IsoSubspace::clearIsoCellSetBit): |
| (JSC::IsoSubspace::sweep): |
| * heap/IsoSubspacePerVM.cpp: |
| (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace): |
| * heap/MarkedBlock.h: |
| * heap/MarkedSpace.cpp: |
| (JSC::MarkedSpace::sweepBlocks): |
| (JSC::MarkedSpace::sweep): Deleted. |
| * heap/MarkedSpace.h: |
| * heap/PreciseAllocation.cpp: |
| (JSC::PreciseAllocation::PreciseAllocation): |
| (JSC::PreciseAllocation::sweep): |
| * heap/Subspace.cpp: |
| (JSC::Subspace::sweepBlocks): |
| (JSC::Subspace::sweep): Deleted. |
| * heap/Subspace.h: |
| * runtime/JSCell.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * wasm/js/JSWebAssemblyMemory.h: |
| |
| 2019-11-12 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| RegExpBuiltinExec should create "groups" property unconditionally |
| https://bugs.webkit.org/show_bug.cgi?id=204067 |
| |
| Reviewed by Ross Kirsling. |
| |
| After RegExp named capture groups were initially implemented in JSC, the spec was changed |
| to unconditionally create the "groups" property. |
| (https://github.com/tc39/proposal-regexp-named-groups/issues/34) |
| |
| This patch implements the change (which was shipped by V8), reducing the number of structures |
| we use for RegExpMatchesArray, and also sets the [[Prototype]] of the "groups" object to `null`. |
| (step 24 of https://tc39.es/ecma262/#sec-regexpbuiltinexec) |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGStrengthReductionPhase.cpp: |
| (JSC::DFG::StrengthReductionPhase::handleNode): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::regExpMatchesArrayStructure const): |
| (JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const): Deleted. |
| * runtime/RegExpMatchesArray.cpp: |
| (JSC::createStructureImpl): |
| (JSC::createRegExpMatchesArrayWithGroupsStructure): Deleted. |
| (JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure): Deleted. |
| * runtime/RegExpMatchesArray.h: |
| (JSC::createRegExpMatchesArray): |
| * runtime/StringPrototype.cpp: |
| (JSC::replaceUsingRegExpSearch): |
| |
| 2019-11-11 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix incorrect assertion |
| https://bugs.webkit.org/show_bug.cgi?id=201908 |
| |
| * heap/PreciseAllocation.cpp: |
| (JSC::PreciseAllocation::reuseForLowerTier): |
| |
| 2019-11-11 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix alignment adjustment when reusing PreciseAllocation |
| https://bugs.webkit.org/show_bug.cgi?id=201908 |
| |
| * heap/PreciseAllocation.cpp: |
| (JSC::PreciseAllocation::reuseForLowerTier): |
| |
| 2019-11-11 Tuomas Karkkainen <tuomas.webkit@apple.com> |
| |
| Typo in assertion in validateCPS in DFGValidate.cpp ("Unexecpted") |
| https://bugs.webkit.org/show_bug.cgi?id=204066 |
| |
| Reviewed by Antti Koivisto. |
| |
| * dfg/DFGValidate.cpp: |
| |
| 2019-11-11 Carlos Garcia Campos <cgarcia@igalia.com> |
| |
| WebDriver: implement proxy support |
| https://bugs.webkit.org/show_bug.cgi?id=180408 |
| |
| Reviewed by Carlos Alberto Lopez Perez. |
| |
| Add optional Proxy struct to session capabilities. |
| |
| * inspector/remote/RemoteInspector.h: |
| * inspector/remote/glib/RemoteInspectorServer.cpp: |
| (Inspector::processSessionCapabilities): |
| |
| 2019-11-09 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [WebAssembly] Improve bytecode dumping |
| https://bugs.webkit.org/show_bug.cgi?id=204051 |
| |
| Reviewed by Keith Miller. |
| |
| This patch improves the bytecode dumping for Wasm by: |
| - Adding a new option that dumps only the Wasm bytecode. It can be quite hard to find |
| the Wasm bytecode in the middle of a ton of JS bytecode dumps. |
| - Adding a header with name of the function and stats, similar to the JS dump. |
| - Using Wasm types to properly print constants, and including the type in constants |
| table at the end of the dump. |
| |
| Here's an example of the updated bytecode dump: |
| |
| <?>.wasm-function[26] : (I32) -> [I32] |
| wasm size: 4 bytes |
| bytecode: 6 instructions (0 16-bit instructions, 0 32-bit instructions); 14 bytes; 1 parameter(s); 18 local(s); 22 callee register(s) |
| [ 0] enter |
| [ 1] mov loc18, null(const0) |
| [ 4] mov loc20, loc4 |
| [ 7] mov loc19, loc20 |
| [ 10] mov loc4, loc19 |
| [ 13] ret |
| |
| Constants: |
| const0 : Anyref = null |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * bytecode/BytecodeDumper.cpp: |
| (JSC::Wasm::BytecodeDumper::dumpBlock): |
| (JSC::Wasm::BytecodeDumper::dumpConstants): |
| (JSC::Wasm::BytecodeDumper::constantName const): |
| (JSC::Wasm::BytecodeDumper::formatConstant const): |
| * bytecode/BytecodeDumper.h: |
| (JSC::BytecodeDumper::~BytecodeDumper): |
| * runtime/OptionsList.h: |
| * wasm/WasmFunctionCodeBlock.cpp: |
| * wasm/WasmFunctionCodeBlock.h: |
| (JSC::Wasm::FunctionCodeBlock::functionIndex const): |
| (JSC::Wasm::FunctionCodeBlock::numVars const): |
| (JSC::Wasm::FunctionCodeBlock::numCalleeLocals const): |
| (JSC::Wasm::FunctionCodeBlock::numArguments const): |
| (JSC::Wasm::FunctionCodeBlock::constantTypes const): |
| (JSC::Wasm::FunctionCodeBlock::constants const): |
| (JSC::Wasm::FunctionCodeBlock::instructions const): |
| (JSC::Wasm::FunctionCodeBlock::getConstantType const): |
| * wasm/WasmGeneratorTraits.h: Added. |
| * wasm/WasmLLIntGenerator.cpp: |
| (JSC::Wasm::LLIntGenerator::addConstant): |
| * wasm/WasmLLIntPlan.cpp: |
| (JSC::Wasm::LLIntPlan::didCompleteCompilation): |
| |
| 2019-11-08 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [WebAssembly] LLIntGenerator should not retain VirtualRegisters used for constants |
| https://bugs.webkit.org/show_bug.cgi?id=204028 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The LLIntGenerator was keeping track of which RegisterIDs contained constants in order to materialize |
| the OSR entry data, since constants were not included in the OSR entry buffer. This was originally done |
| by adding the registers that contained constants to a vector and never reusing them. This is bad because |
| the bytecode generator reclaims registers by popping unused registers from the end of the vector and |
| stops as soon as it finds a used register. As it turns out, constants *should* be included in the buffer, |
| so we don't need to worry about whether registers contain constants and we can just stop retaining the |
| registers. An assertion was added to doOSREntry to ensure that the size of the scratch buffer matches the |
| size of the values to be written, which was not true before. |
| Additionally, add m_constantMap to LLIntGenerator to avoid adding duplicate constants to code blocks. |
| |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/BytecodeGeneratorBase.h: |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::addLoop): |
| * wasm/WasmLLIntGenerator.cpp: |
| (JSC::Wasm::LLIntGenerator::addConstant): |
| (JSC::Wasm::LLIntGenerator::addLoop): |
| * wasm/WasmOperations.cpp: |
| (JSC::Wasm::doOSREntry): |
| |
| 2019-11-08 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix debug JSC tests failures due to missing exception check |
| https://bugs.webkit.org/show_bug.cgi?id=203936 |
| |
| * tools/JSDollarVM.cpp: |
| (JSC::functionCallWithStackSize): |
| |
| 2019-11-08 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Rename LargeAllocation to PreciseAllocation |
| https://bugs.webkit.org/show_bug.cgi?id=204040 |
| |
| Reviewed by Keith Miller. |
| |
| After r252298, LargeAllocation is also used for small allocations. |
| This patch renames LargeAllocation to PreciseAllocation since that better reflects the behavior. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * heap/CellContainer.cpp: |
| (JSC::CellContainer::isNewlyAllocated const): |
| * heap/CellContainer.h: |
| (JSC::CellContainer::CellContainer): |
| (JSC::CellContainer::isMarkedBlock const): |
| (JSC::CellContainer::isPreciseAllocation const): |
| (JSC::CellContainer::preciseAllocation const): |
| (JSC::CellContainer::isLargeAllocation const): Deleted. |
| (JSC::CellContainer::largeAllocation const): Deleted. |
| * heap/CellContainerInlines.h: |
| (JSC::CellContainer::vm const): |
| (JSC::CellContainer::isMarked const): |
| (JSC::CellContainer::noteMarked): |
| (JSC::CellContainer::assertValidCell const): |
| (JSC::CellContainer::cellSize const): |
| (JSC::CellContainer::weakSet const): |
| (JSC::CellContainer::aboutToMark): |
| (JSC::CellContainer::areMarksStale const): |
| * heap/CompleteSubspace.cpp: |
| (JSC::CompleteSubspace::tryAllocateSlow): |
| (JSC::CompleteSubspace::reallocatePreciseAllocationNonVirtual): |
| (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual): Deleted. |
| * heap/CompleteSubspace.h: |
| * heap/Heap.cpp: |
| (JSC::Heap::sweepInFinalize): |
| * heap/HeapCell.cpp: |
| (JSC::HeapCell::isLive): |
| * heap/HeapCell.h: |
| * heap/HeapCellInlines.h: |
| (JSC::HeapCell::isPreciseAllocation const): |
| (JSC::HeapCell::cellContainer const): |
| (JSC::HeapCell::preciseAllocation const): |
| (JSC::HeapCell::vm const): |
| (JSC::HeapCell::cellSize const): |
| (JSC::HeapCell::cellAttributes const): |
| (JSC::HeapCell::subspace const): |
| (JSC::HeapCell::isLargeAllocation const): Deleted. |
| (JSC::HeapCell::largeAllocation const): Deleted. |
| * heap/HeapInlines.h: |
| (JSC::Heap::isMarked): |
| (JSC::Heap::testAndSetMarked): |
| * heap/HeapUtil.h: |
| (JSC::HeapUtil::findGCObjectPointersForMarking): |
| (JSC::HeapUtil::isPointerGCObjectJSCell): |
| (JSC::HeapUtil::isValueGCObject): |
| * heap/IsoAlignedMemoryAllocator.cpp: |
| (JSC::IsoAlignedMemoryAllocator::tryReallocateMemory): |
| * heap/IsoCellSetInlines.h: |
| (JSC::IsoCellSet::add): |
| (JSC::IsoCellSet::remove): |
| (JSC::IsoCellSet::contains const): |
| (JSC::IsoCellSet::forEachMarkedCell): |
| (JSC::IsoCellSet::forEachMarkedCellInParallel): |
| (JSC::IsoCellSet::forEachLiveCell): |
| * heap/IsoSubspace.cpp: |
| (JSC::IsoSubspace::tryAllocateFromLowerTier): |
| (JSC::IsoSubspace::sweepLowerTierCell): |
| (JSC::IsoSubspace::destroyLowerTierFreeList): |
| * heap/IsoSubspace.h: |
| * heap/MarkedSpace.cpp: |
| (JSC::MarkedSpace::freeMemory): |
| (JSC::MarkedSpace::lastChanceToFinalize): |
| (JSC::MarkedSpace::sweepPreciseAllocations): |
| (JSC::MarkedSpace::prepareForAllocation): |
| (JSC::MarkedSpace::enablePreciseAllocationTracking): |
| (JSC::MarkedSpace::prepareForConservativeScan): |
| (JSC::MarkedSpace::prepareForMarking): |
| (JSC::MarkedSpace::resumeAllocating): |
| (JSC::MarkedSpace::isPagedOut): |
| (JSC::MarkedSpace::beginMarking): |
| (JSC::MarkedSpace::endMarking): |
| (JSC::MarkedSpace::objectCount): |
| (JSC::MarkedSpace::size): |
| (JSC::MarkedSpace::sweepLargeAllocations): Deleted. |
| (JSC::MarkedSpace::enableLargeAllocationTracking): Deleted. |
| * heap/MarkedSpace.h: |
| (JSC::MarkedSpace:: const): |
| (JSC::MarkedSpace::preciseAllocationsNurseryOffset const): |
| (JSC::MarkedSpace::preciseAllocationsOffsetForThisCollection const): |
| (JSC::MarkedSpace::preciseAllocationsForThisCollectionBegin const): |
| (JSC::MarkedSpace::preciseAllocationsForThisCollectionEnd const): |
| (JSC::MarkedSpace::preciseAllocationsForThisCollectionSize const): |
| (JSC::MarkedSpace::largeAllocationsNurseryOffset const): Deleted. |
| (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection const): Deleted. |
| (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin const): Deleted. |
| (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd const): Deleted. |
| (JSC::MarkedSpace::largeAllocationsForThisCollectionSize const): Deleted. |
| * heap/MarkedSpaceInlines.h: |
| (JSC::MarkedSpace::forEachLiveCell): |
| (JSC::MarkedSpace::forEachDeadCell): |
| * heap/PreciseAllocation.cpp: Renamed from Source/JavaScriptCore/heap/LargeAllocation.cpp. |
| (JSC::isAlignedForPreciseAllocation): |
| (JSC::PreciseAllocation::tryCreate): |
| (JSC::PreciseAllocation::tryReallocate): |
| (JSC::PreciseAllocation::createForLowerTier): |
| (JSC::PreciseAllocation::reuseForLowerTier): |
| (JSC::PreciseAllocation::PreciseAllocation): |
| (JSC::PreciseAllocation::~PreciseAllocation): |
| (JSC::PreciseAllocation::lastChanceToFinalize): |
| (JSC::PreciseAllocation::shrink): |
| (JSC::PreciseAllocation::visitWeakSet): |
| (JSC::PreciseAllocation::reapWeakSet): |
| (JSC::PreciseAllocation::flip): |
| (JSC::PreciseAllocation::isEmpty): |
| (JSC::PreciseAllocation::sweep): |
| (JSC::PreciseAllocation::destroy): |
| (JSC::PreciseAllocation::dump const): |
| (JSC::PreciseAllocation::assertValidCell const): |
| * heap/PreciseAllocation.h: Renamed from Source/JavaScriptCore/heap/LargeAllocation.h. |
| (JSC::PreciseAllocation::fromCell): |
| (JSC::PreciseAllocation::isPreciseAllocation): |
| (JSC::PreciseAllocation::headerSize): |
| (JSC::PreciseAllocation::basePointer const): |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::appendHiddenSlowImpl): |
| (JSC::SlotVisitor::appendToMarkStack): |
| * heap/SlotVisitorInlines.h: |
| (JSC::SlotVisitor::appendUnbarriered): |
| (JSC::SlotVisitor::appendHiddenUnbarriered): |
| * heap/Subspace.h: |
| * heap/SubspaceInlines.h: |
| (JSC::Subspace::forEachPreciseAllocation): |
| (JSC::Subspace::forEachMarkedCell): |
| (JSC::Subspace::forEachMarkedCellInParallel): |
| (JSC::Subspace::forEachLiveCell): |
| (JSC::Subspace::forEachLargeAllocation): Deleted. |
| * heap/WeakBlock.cpp: |
| (JSC::WeakBlock::visit): |
| * heap/WeakSet.cpp: |
| (JSC::WeakSet::sweep): |
| * llint/LowLevelInterpreter.asm: |
| * runtime/ButterflyInlines.h: |
| (JSC::Butterfly::reallocArrayRightIfPossible): |
| * runtime/OptionsList.h: |
| * runtime/SamplingProfiler.cpp: |
| (JSC::SamplingProfiler::SamplingProfiler): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::isInHeap): |
| * tools/VMInspectorInlines.h: |
| (JSC::VMInspector::verifyCell): |
| |
| 2019-11-08 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make IsoSubspace scalable |
| https://bugs.webkit.org/show_bug.cgi?id=201908 |
| |
| Reviewed by Keith Miller. |
| |
| This patch introduces a lower tier into IsoSubspace so that we can avoid allocating a MarkedBlock |
| if not so many objects of a certain type are allocated. This optimization allows us to apply IsoSubspace |
| more aggressively to various types of objects without introducing a memory regression even if such a |
| type of object is allocated so frequently. |
| |
| We use LargeAllocation for these lower-tier objects. Each IsoSubspace holds up to 8 lower-tier objects |
| allocated via LargeAllocation. We use this special LargeAllocation when we tend to allocate a small number of cells |
| for this type. Specifically, what we are doing right now is: (1) first, try to allocate in an existing |
| MarkedBlock (there won't be one to start); (2) then, try to allocate in a LargeAllocation; and if we cannot |
| allocate lower-tier objects, (3) finally we allocate a new MarkedBlock. Once this LargeAllocation is allocated |
| to a certain type, we do not deallocate it until the VM is destroyed, so that we can keep IsoSubspace's |
| characteristic: once an address is assigned to a certain type, we continue using this address only for this type. |
| |
| To introduce this optimization, we need to remove a restriction that no callee cells can be a LargeAllocation. |
| It also turns out that SamplingProfiler's isValueGCObject heavily relies on all callees being small-sized. |
| isValueGCObject relies on MarkedSpace::m_largeAllocations being sorted. But this is not true since |
| this vector is sorted only when a conservative scan happens. And further, this vector is only partially sorted: we |
| sort only the eden part of this vector. So we cannot use this vector to implement isValueGCObject in the sampling |
| profiler. Instead we register HeapCell addresses into a hash-set in MarkedSpace. Since we do not need to find a pointer |
| that is pointing at the middle of a JSCell in the sampling profiler, just registering the cell address is enough. And we |
| maintain this hash-set only when the sampling profiler is enabled to save memory in the common case. |
| |
| We also fix the code that relies on JSString always being allocated in a MarkedBlock. And we also fix PackedCellPtr's |
| assumption that CodeBlock is always allocated in a MarkedBlock. |
| |
| We also make sizeof(LargeAllocation) small since it is now used for non-large allocations. |
| |
| JetStream2 and Speedometer2 are neutral. RAMification shows a 0.6% progression on iOS devices. |
| |
| * heap/BlockDirectory.cpp: |
| (JSC::BlockDirectory::BlockDirectory): |
| * heap/BlockDirectory.h: |
| * heap/BlockDirectoryInlines.h: |
| (JSC::BlockDirectory::tryAllocateFromLowerTier): |
| * heap/CompleteSubspace.cpp: |
| (JSC::CompleteSubspace::allocatorForSlow): |
| (JSC::CompleteSubspace::tryAllocateSlow): |
| (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual): |
| * heap/Heap.cpp: |
| (JSC::Heap::dumpHeapStatisticsAtVMDestruction): |
| (JSC::Heap::addCoreConstraints): |
| * heap/HeapUtil.h: |
| (JSC::HeapUtil::isPointerGCObjectJSCell): |
| (JSC::HeapUtil::isValueGCObject): |
| * heap/IsoAlignedMemoryAllocator.cpp: |
| (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory): |
| (JSC::IsoAlignedMemoryAllocator::freeMemory): |
| (JSC::IsoAlignedMemoryAllocator::tryReallocateMemory): |
| * heap/IsoCellSet.cpp: |
| (JSC::IsoCellSet::~IsoCellSet): |
| * heap/IsoCellSet.h: |
| * heap/IsoCellSetInlines.h: |
| (JSC::IsoCellSet::add): |
| (JSC::IsoCellSet::remove): |
| (JSC::IsoCellSet::contains const): |
| (JSC::IsoCellSet::forEachMarkedCell): |
| (JSC::IsoCellSet::forEachMarkedCellInParallel): |
| (JSC::IsoCellSet::forEachLiveCell): |
| (JSC::IsoCellSet::sweepLowerTierCell): |
| * heap/IsoSubspace.cpp: |
| (JSC::IsoSubspace::IsoSubspace): |
| (JSC::IsoSubspace::tryAllocateFromLowerTier): |
| (JSC::IsoSubspace::sweepLowerTierCell): |
| * heap/IsoSubspace.h: |
| * heap/LargeAllocation.cpp: |
| (JSC::LargeAllocation::tryReallocate): |
| (JSC::LargeAllocation::createForLowerTier): |
| (JSC::LargeAllocation::reuseForLowerTier): |
| (JSC::LargeAllocation::LargeAllocation): |
| * heap/LargeAllocation.h: |
| (JSC::LargeAllocation::lowerTierIndex const): |
| (JSC::LargeAllocation::isLowerTier const): |
| * heap/LocalAllocator.cpp: |
| (JSC::LocalAllocator::allocateSlowCase): |
| * heap/MarkedBlock.cpp: |
| (JSC::MarkedBlock::Handle::Handle): |
| (JSC::MarkedBlock::Handle::stopAllocating): |
| * heap/MarkedBlock.h: |
| (JSC::MarkedBlock::Handle::forEachCell): |
| * heap/MarkedSpace.cpp: |
| (JSC::MarkedSpace::freeMemory): |
| (JSC::MarkedSpace::lastChanceToFinalize): |
| (JSC::MarkedSpace::sweepLargeAllocations): |
| (JSC::MarkedSpace::enableLargeAllocationTracking): |
| * heap/MarkedSpace.h: |
| (JSC::MarkedSpace:: const): |
| * heap/PackedCellPtr.h: |
| (JSC::PackedCellPtr::PackedCellPtr): |
| * heap/Subspace.h: |
| * heap/WeakSet.cpp: |
| (JSC::WeakSet::~WeakSet): |
| (JSC::WeakSet::findAllocator): |
| (JSC::WeakSet::addAllocator): |
| * heap/WeakSet.h: |
| (JSC::WeakSet::WeakSet): |
| (JSC::WeakSet::resetAllocator): |
| (JSC::WeakSet::container const): Deleted. |
| (JSC::WeakSet::setContainer): Deleted. |
| * heap/WeakSetInlines.h: |
| (JSC::WeakSet::allocate): |
| * runtime/InternalFunction.cpp: |
| (JSC::InternalFunction::InternalFunction): |
| * runtime/JSCallee.cpp: |
| (JSC::JSCallee::JSCallee): |
| * runtime/JSString.h: |
| * runtime/SamplingProfiler.cpp: |
| (JSC::SamplingProfiler::SamplingProfiler): |
| (JSC::SamplingProfiler::processUnverifiedStackTraces): |
| (JSC::SamplingProfiler::releaseStackTraces): |
| (JSC::SamplingProfiler::stackTracesAsJSON): |
| (JSC::SamplingProfiler::reportTopFunctions): |
| (JSC::SamplingProfiler::reportTopBytecodes): |
| * runtime/SamplingProfiler.h: |
| |
| 2019-11-08 Matt Lewis <jlewis3@apple.com> |
| |
| Unreviewed, rolling out r252229. |
| |
| This caused internal failures. |
| |
| Reverted changeset: |
| |
| "Split ArithProfile into a Unary and a Binary version" |
| https://bugs.webkit.org/show_bug.cgi?id=202832 |
| https://trac.webkit.org/changeset/252229 |
| |
| 2019-11-08 Chris Dumez <cdumez@apple.com> |
| |
| Make DeferredPromise behave nicely with regards to the back/forward cache |
| https://bugs.webkit.org/show_bug.cgi?id=203976 |
| |
| Reviewed by Ryosuke Niwa. |
| |
| Add template parameter to JSC::Strong to indicate that the destructor should grab the JS lock. |
| Normally, the callers are in charge of grabbing the lock but this is not always feasible. |
| In particular, in this patch, I capture a JSC::Strong in a lambda. If the document gets destroyed |
| before the lambda has run, the lambda will get destroyed and it will destroy the captured JSC::Strong |
| as a result. |
| |
| * heap/Handle.h: |
| * heap/Strong.h: |
| (JSC::Strong::clear): |
| * heap/StrongInlines.h: |
| (JSC::shouldStrongDestructorGrabLock>::Strong): |
| (JSC::shouldStrongDestructorGrabLock>::set): |
| |
| 2019-11-08 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use LinkTimeConstants and make some properties lazy |
| https://bugs.webkit.org/show_bug.cgi?id=203795 |
| |
| Reviewed by Keith Miller. |
| |
| This patch makes Map and Set lazily initialized in JSGlobalObject by leveraging link-time-constants. @Set was accessed from |
| builtin JS, so we could not make it lazily-allocated. But now we have the link-time-constant mechanism, which makes such accesses |
| lazily-initialized. We use this to make Set lazily-allocated. |
| |
| And, instead of JSGlobalObject's last sequence of initialization, we initialize the watchpoint in MapPrototype::finishCreation |
| and SetPrototype::finishCreation. This allows us to make Map and Set lazily-allocated. We also refactor NumberPrototype to |
| align with this model. |
| |
| * runtime/ArrayPrototype.cpp: |
| (JSC::speciesWatchpointIsValid): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::setupAdaptiveWatchpoint): |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint): |
| (JSC::JSGlobalObject::installNumberPrototypeWatchpoint): |
| (JSC::JSGlobalObject::installMapPrototypeWatchpoint): |
| (JSC::JSGlobalObject::installSetPrototypeWatchpoint): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::numberProtoToStringFunction const): |
| (JSC::JSGlobalObject::mapPrototype const): |
| (JSC::JSGlobalObject::jsSetPrototype const): |
| (JSC::JSGlobalObject::numberObjectStructure const): |
| (JSC::JSGlobalObject::mapStructure const): Deleted. |
| * runtime/MapPrototype.cpp: |
| (JSC::MapPrototype::finishCreation): |
| * runtime/NumberPrototype.cpp: |
| (JSC::NumberPrototype::finishCreation): |
| * runtime/NumberPrototype.h: |
| * runtime/SetPrototype.cpp: |
| (JSC::SetPrototype::finishCreation): |
| |
| 2019-11-08 Mark Lam <mark.lam@apple.com> |
| |
| Remove invalid assertion in DFG's compileNewArray(). |
| https://bugs.webkit.org/show_bug.cgi?id=204002 |
| <rdar://problem/56973531> |
| |
| Reviewed by Robin Morisset. |
| |
| The assertion is in an if clause conditional on !globalObject->isHavingABadTime(). |
| The assertion tests the IndexingType of a structure returned by |
| arrayStructureForIndexingTypeDuringAllocation(). |
| |
| However, the structures returned by arrayStructureForIndexingTypeDuringAllocation() |
| may have started transitioning to their SlowPut variant because the mutator will |
| be imminently firing the HavingABadTime watchpoint, but hasn't done so yet. |
| In a race, the DFG may see the SlowPut variants of the structures before |
| isHavingABadTime() returns true. Hence, the assertion is invalid. |
| |
| Note that the FTL does not have this assertion. |
| |
| This issue is already tested by stress/racy-slow-put-cloned-arguments-when-having-a-bad-time.js. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewArray): |
| |
| 2019-11-08 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [PlayStation][JSC] Unreviewed build fix. |
| |
| * shell/playstation/TestShell.cpp: |
| |
| 2019-11-07 Mark Lam <mark.lam@apple.com> |
| |
| Add a stack overflow check in Yarr::ByteCompiler::emitDisjunction(). |
| https://bugs.webkit.org/show_bug.cgi?id=203936 |
| <rdar://problem/56624724> |
| |
| Reviewed by Saam Barati. |
| |
| Basically, any function below Yarr::ByteCompiler::compile() that recurses needs |
| to check if it's safe to recurse before doing so. This patch adds the stack |
| checks in Yarr::ByteCompiler::compile() because it is the entry point to this |
| sub-system, and Yarr::ByteCompiler::emitDisjunction() because it is the only |
| function that recurses. All other functions called below compile() are either |
| leaf functions or have shallow stack usage. Hence, their stack needs are covered |
| by the DefaultReservedZone, and they do not need stack checks. |
| |
| This patch also does the following: |
| 1. Added $vm.callWithStackSize() which can be used to call a test function near |
| the end of the physical stack. This enables us to simulate the smaller stack |
| size of more resource constrained devices. |
| |
| $vm.callWithStackSize() uses inline asm to adjust the stack pointer and |
| does the callback via the JIT probe trampoline. |
| |
| 2. Added the --disableOptionsFreezingForTesting option to the jsc shell to make it |
| possible to disable freezing of JSC options. $vm.callWithStackSize() relies |
| on this to modify the VM's stack limits. |
| |
| 3. Removed the inline modifier on VM::updateStackLimits() so that we can call it |
| from $vm.callWithStackSize() as well. It is not a performance critical |
| function and is rarely called. |
| |
| 4. Added a JSDollarVMHelper class that other parts of the system can declare as |
| a friend. This gives $vm a backdoor into the private functions and fields of |
| classes for its debugging work. In this patch, we're only using it to access |
| VM::updateVMStackLimits(). |
| |
| * jsc.cpp: |
| (CommandLine::parseArguments): |
| * runtime/VM.cpp: |
| (JSC::VM::updateStackLimits): |
| * runtime/VM.h: |
| * tools/JSDollarVM.cpp: |
| (JSC::JSDollarVMHelper::JSDollarVMHelper): |
| (JSC::JSDollarVMHelper::vmStackStart): |
| (JSC::JSDollarVMHelper::vmStackLimit): |
| (JSC::JSDollarVMHelper::vmSoftStackLimit): |
| (JSC::JSDollarVMHelper::updateVMStackLimits): |
| (JSC::callWithStackSizeProbeFunction): |
| (JSC::functionCallWithStackSize): |
| (JSC::JSDollarVM::finishCreation): |
| (IGNORE_WARNINGS_BEGIN): Deleted. |
| * yarr/YarrInterpreter.cpp: |
| (JSC::Yarr::ByteCompiler::compile): |
| (JSC::Yarr::ByteCompiler::emitDisjunction): |
| (JSC::Yarr::ByteCompiler::isSafeToRecurse): |
| |
| 2019-11-07 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Use fewer virtual registers in Wasm LLInt |
| https://bugs.webkit.org/show_bug.cgi?id=203861 |
| |
| Reviewed by Saam Barati. |
| |
| Reduce the number of virtual registers in two ways: |
| - Re-use arguments for result values (e.g. the result of add lhs, rhs should go in lhs, not a new virtual register) |
| - Re-use the argument register space for return values that should be placed in registers |
| |
| * bytecode/BytecodeList.rb: |
| * generator/Wasm.rb: |
| * llint/WebAssembly.asm: |
| * wasm/WasmLLIntGenerator.cpp: |
| (JSC::Wasm::LLIntGenerator::callInformationFor): |
| (JSC::Wasm::LLIntGenerator::addReturn): |
| (JSC::Wasm::LLIntGenerator::addRefIsNull): |
| (JSC::Wasm::LLIntGenerator::addTableGet): |
| (JSC::Wasm::LLIntGenerator::addTableGrow): |
| (JSC::Wasm::LLIntGenerator::addGrowMemory): |
| (JSC::Wasm::LLIntGenerator::addSelect): |
| (JSC::Wasm::LLIntGenerator::load): |
| |
| 2019-11-07 Robin Morisset <rmorisset@apple.com> |
| |
| Split ArithProfile into a Unary and a Binary version |
| https://bugs.webkit.org/show_bug.cgi?id=202832 |
| <rdar://problem/56266847> |
| |
| Reviewed by Keith Miller. |
| |
| ArithProfile was for a long time only used for add/sub/mul/div, but recently it started being used for negate. And it will soon also have to be used for inc and dec due to BigInt. |
| So in this patch I make a separate version that only has the data for a single argument, and thus takes half as much memory. |
| |
| After discussing this change with Phil I realized that the ResultType(s) that were taking space in ArithProfile are not needed: they never change and a copy is already in the bytecode instruction itself. |
| Removing them allowed shrinking both kinds of ArithProfile to fit in 16 bits (9 and 13 respectively). |
| I kept the two kinds separate because they may shrink or grow independently in the future. |
| |
| This also required adding the "orh" instruction to the offline assembler, to set bits in the ArithProfile. |
| This in turn motivated the addition of "storeh", as on RISC platforms "orh" on a memory location is actually loadh -> orh -> storeh. |
| |
| * bytecode/ArithProfile.cpp: |
| (JSC::ArithProfile<BitfieldType>::emitObserveResult): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetDouble const): |
| (JSC::ArithProfile<BitfieldType>::emitSetDouble const): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetNonNumeric const): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetBigInt const): |
| (JSC::ArithProfile<BitfieldType>::emitSetNonNumeric const): |
| (JSC::ArithProfile<BitfieldType>::emitSetBigInt const): |
| (WTF::printInternal): |
| * bytecode/ArithProfile.h: |
| (JSC::ArithProfile::didObserveNonInt32 const): |
| (JSC::ArithProfile::didObserveDouble const): |
| (JSC::ArithProfile::didObserveNonNegZeroDouble const): |
| (JSC::ArithProfile::didObserveNegZeroDouble const): |
| (JSC::ArithProfile::didObserveNonNumeric const): |
| (JSC::ArithProfile::didObserveBigInt const): |
| (JSC::ArithProfile::didObserveInt32Overflow const): |
| (JSC::ArithProfile::didObserveInt52Overflow const): |
| (JSC::ArithProfile::setObservedNonNegZeroDouble): |
| (JSC::ArithProfile::setObservedNegZeroDouble): |
| (JSC::ArithProfile::setObservedNonNumeric): |
| (JSC::ArithProfile::setObservedBigInt): |
| (JSC::ArithProfile::setObservedInt32Overflow): |
| (JSC::ArithProfile::setObservedInt52Overflow): |
| (JSC::ArithProfile::observeResult): |
| (JSC::ArithProfile::addressOfBits const): |
| (JSC::ArithProfile::bits const): |
| (JSC::ArithProfile::ArithProfile): |
| (JSC::ArithProfile::hasBits const): |
| (JSC::ArithProfile::setBit): |
| (JSC::UnaryArithProfile::UnaryArithProfile): |
| (JSC::UnaryArithProfile::observedIntBits): |
| (JSC::UnaryArithProfile::observedNumberBits): |
| (JSC::UnaryArithProfile::argObservedType const): |
| (JSC::UnaryArithProfile::setArgObservedType): |
| (JSC::UnaryArithProfile::argSawInt32): |
| (JSC::UnaryArithProfile::argSawNumber): |
| (JSC::UnaryArithProfile::argSawNonNumber): |
| (JSC::UnaryArithProfile::observeArg): |
| (JSC::UnaryArithProfile::isObservedTypeEmpty): |
| (JSC::BinaryArithProfile::BinaryArithProfile): |
| (JSC::BinaryArithProfile::observedIntIntBits): |
| (JSC::BinaryArithProfile::observedNumberIntBits): |
| (JSC::BinaryArithProfile::observedIntNumberBits): |
| (JSC::BinaryArithProfile::observedNumberNumberBits): |
| (JSC::BinaryArithProfile::setLhsObservedType): |
| (JSC::BinaryArithProfile::setRhsObservedType): |
| (JSC::BinaryArithProfile::observeLHS): |
| (JSC::BinaryArithProfile::observeLHSAndRHS): |
| (JSC::BinaryArithProfile::isObservedTypeEmpty): |
| * bytecode/BytecodeList.rb: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::addJITAddIC): |
| (JSC::CodeBlock::addJITMulIC): |
| (JSC::CodeBlock::addJITSubIC): |
| (JSC::CodeBlock::addJITNegIC): |
| (JSC::CodeBlock::binaryArithProfileForBytecodeOffset): |
| (JSC::CodeBlock::unaryArithProfileForBytecodeOffset): |
| (JSC::CodeBlock::binaryArithProfileForPC): |
| (JSC::CodeBlock::unaryArithProfileForPC): |
| (JSC::CodeBlock::couldTakeSpecialFastCase): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::addMathIC): |
| * bytecode/Fits.h: |
| * bytecode/MethodOfGettingAValueProfile.cpp: |
| (JSC::MethodOfGettingAValueProfile::emitReportValue const): |
| (JSC::MethodOfGettingAValueProfile::reportValue): |
| * bytecode/MethodOfGettingAValueProfile.h: |
| (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::emitUnaryOp): |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::UnaryOpNode::emitBytecode): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::makeSafe): |
| (JSC::DFG::ByteCodeParser::makeDivSafe): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::methodOfGettingAValueProfileFor): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileValueAdd): |
| (JSC::DFG::SpeculativeJIT::compileValueSub): |
| (JSC::DFG::SpeculativeJIT::compileValueNegate): |
| (JSC::DFG::SpeculativeJIT::compileValueMul): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): |
| (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate): |
| * jit/JIT.h: |
| * jit/JITAddGenerator.cpp: |
| (JSC::JITAddGenerator::generateInline): |
| (JSC::JITAddGenerator::generateFastPath): |
| * jit/JITAddGenerator.h: |
| * jit/JITArithmetic.cpp: |
| (JSC::JIT::emit_op_negate): |
| (JSC::JIT::emit_op_add): |
| (JSC::JIT::emitMathICFast): |
| (JSC::JIT::emitMathICSlow): |
| (JSC::JIT::emit_op_div): |
| (JSC::JIT::emit_op_mul): |
| (JSC::JIT::emit_op_sub): |
| * jit/JITDivGenerator.cpp: |
| (JSC::JITDivGenerator::generateFastPath): |
| * jit/JITDivGenerator.h: |
| (JSC::JITDivGenerator::JITDivGenerator): |
| * jit/JITInlines.h: |
| (JSC::JIT::copiedArithProfile): |
| * jit/JITMathIC.h: |
| (JSC::JITMathIC::JITMathIC): |
| (JSC::JITMathIC::generateInline): |
| (JSC::JITMathIC::arithProfile const): |
| (JSC::isBinaryProfileEmpty): |
| (JSC::JITBinaryMathIC::JITBinaryMathIC): |
| (JSC::isUnaryProfileEmpty): |
| (JSC::JITUnaryMathIC::JITUnaryMathIC): |
| * jit/JITMulGenerator.cpp: |
| (JSC::JITMulGenerator::generateInline): |
| (JSC::JITMulGenerator::generateFastPath): |
| * jit/JITMulGenerator.h: |
| * jit/JITNegGenerator.cpp: |
| (JSC::JITNegGenerator::generateInline): |
| (JSC::JITNegGenerator::generateFastPath): |
| * jit/JITNegGenerator.h: |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/JITSubGenerator.cpp: |
| (JSC::JITSubGenerator::generateInline): |
| (JSC::JITSubGenerator::generateFastPath): |
| * jit/JITSubGenerator.h: |
| * llint/LLIntData.cpp: |
| (JSC::LLInt::Data::performAssertions): |
| * llint/LLIntOffsetsExtractor.cpp: |
| (JSC::LLIntOffsetsExtractor::dummy): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * parser/ResultType.h: |
| (JSC::ResultType::ResultType): |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::updateArithProfileForUnaryArithOp): |
| (JSC::updateArithProfileForBinaryArithOp): |
| (JSC::SLOW_PATH_DECL): |
| |
| 2019-11-07 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [WebAssembly] Inspector's DebuggerCallFrame should be aware of Wasm frames |
| https://bugs.webkit.org/show_bug.cgi?id=203925 |
| |
| Reviewed by Mark Lam. |
| |
| The DebuggerCallFrame checks for CallFrame::codeBlock to determine if the current frame is a |
| valid JS frame, but since the Wasm interpreter stores the Wasm::FunctionCodeBlock to this slot, |
| that check is not sufficient. Add an extra check for CalleeBits::isWasm. |
| |
| * debugger/DebuggerCallFrame.cpp: |
| (JSC::DebuggerCallFrame::sourceIDForCallFrame): |
| |
| 2019-11-07 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: REGRESSION(r250087): inspector/model/remote-object.html is timing out |
| https://bugs.webkit.org/show_bug.cgi?id=202934 |
| <rdar://problem/56270900> |
| |
| Reviewed by Timothy Hatcher. |
| |
| In r250087, the inspector injected script was changed so that remote objects actually |
| iterate the keys of an array and generate a property descriptor for each. While this worked |
| fine (and was performant) for fetching remote objects, this was not efficient when creating |
| object previews, as that path wouldn't be limited by any sort of `fetchCount`, meaning that |
| a descriptor for every index would be created even though only the first 10 would be used. |
| |
| Refactor the inspector injected script code so that both the fetch and preview paths only |
| examine exactly the number of properties desired instead of considering all of them and then |
| slicing to fit. |
| |
| * inspector/InjectedScriptSource.js: |
| (InjectedScript.prototype._getProperties): |
| (InjectedScript.prototype._forEachPropertyDescriptor): Added. |
| (InjectedScript.prototype._forEachPropertyDescriptor.createFakeValueDescriptor): Added. |
| (InjectedScript.prototype._forEachPropertyDescriptor.processDescriptor): Added. |
| (InjectedScript.prototype._forEachPropertyDescriptor.processProperty): Added. |
| (RemoteObject.prototype._generatePreview): |
| (RemoteObject.prototype._appendPropertyPreview): Added. |
| (RemoteObject.prototype._appendPropertyPreview.appendPreview): Added. |
| (InjectedScript.prototype._propertyDescriptors): Deleted. |
| (InjectedScript.prototype._propertyDescriptors.processProperties): Deleted. |
| (InjectedScript.prototype._propertyDescriptors.arrayIndexPropertyNames): Deleted. |
| (RemoteObject.prototype._appendPropertyPreviews): Deleted. |
| |
| 2019-11-07 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| [[HasProperty]] result of Proxy in prototype chain is ignored |
| https://bugs.webkit.org/show_bug.cgi?id=203560 |
| |
| Reviewed by Ross Kirsling. |
| |
| Before this change, when [[HasProperty]] was called on an ordinary object with a Proxy in its prototype chain, |
| a falsy result of the Proxy's "has" trap was ignored and the prototype chain was inspected further. |
| |
| According to the spec, OrdinaryHasProperty unconditionally returns the result of the parent's [[HasProperty]] call. |
| (step 5.a of https://tc39.es/ecma262/#sec-ordinaryhasproperty) |
| |
| * runtime/JSObjectInlines.h: |
| (JSC::JSObject::getPropertySlot): |
| (JSC::JSObject::getNonIndexPropertySlot): |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::performHasProperty): Walk the prototype chain in performDefaultHasProperty. |
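As an added illustration of the [[HasProperty]] semantics this entry describes (example code, not part of the WebKit patch): a reference OrdinaryHasProperty following step 5.a beside a model of the old walk-past-the-Proxy behaviour, both checked against the host engine's `in` operator on a constructed fixture.

```javascript
// Added example (not code from the WebKit patch): a reference [[HasProperty]]
// written to the shape of ECMA-262 OrdinaryHasProperty, next to a model of the
// pre-fix behaviour the entry describes, in which a falsy answer from a Proxy
// "has" trap was ignored and the prototype chain was inspected further.

// Spec-shaped OrdinaryHasProperty: an own property answers immediately;
// otherwise the parent's [[HasProperty]] result is returned unconditionally
// (step 5.a). Reflect.has on a Proxy runs its "has" trap, so a Proxy anywhere
// in the chain is authoritative for everything above it.
function specHasProperty(obj, key) {
  if (Object.prototype.hasOwnProperty.call(obj, key)) return true;
  const parent = Object.getPrototypeOf(obj);
  if (parent === null) return false;
  return Reflect.has(parent, key);
}

// Model of the old behaviour: a truthy parent answer is honoured, but a falsy
// one is not treated as final; the walk moves on to the parent's prototype.
// For a Proxy without a getPrototypeOf trap, Object.getPrototypeOf forwards to
// the target's prototype, so objects the trap meant to hide become visible.
function buggyHasProperty(obj, key) {
  let current = obj;
  while (current !== null) {
    if (Object.prototype.hasOwnProperty.call(current, key)) return true;
    const parent = Object.getPrototypeOf(current);
    if (parent === null) return false;
    if (Reflect.has(parent, key)) return true;
    current = parent; // the bug: keep walking after a falsy [[HasProperty]]
  }
  return false;
}

// Constructed fixture: "foo" lives above a Proxy whose "has" trap admits only
// "allowed" and denies everything else. The trap never hides an own property
// of its target, so no Proxy invariant is violated and no TypeError is thrown.
const grandparent = { foo: 1 };
const target = Object.create(grandparent);
const proxy = new Proxy(target, {
  has(_target, key) { return key === 'allowed'; },
});
const obj = Object.create(proxy);
Object.defineProperty(obj, 'own', { value: 2, enumerable: true });

// Compare both models with the host engine's own `in` operator for one key.
function compare(key) {
  return {
    key,
    spec: specHasProperty(obj, key),
    buggy: buggyHasProperty(obj, key),
    engine: key in obj,
  };
}

// One row per interesting case: own property, trap says yes, trap says no
// while the property exists further up, and a key that exists nowhere.
function report() {
  return ['own', 'allowed', 'foo', 'missing'].map(compare);
}

// "foo" is the telling row: spec and engine say false, the old model says true.
console.table(report());
```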
| |
| 2019-11-06 Mark Lam <mark.lam@apple.com> |
| |
| Remove remnants of support code for an upwards growing stack. |
| https://bugs.webkit.org/show_bug.cgi?id=203942 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/VM.cpp: |
| (JSC::VM::updateStackLimits): |
| (JSC::VM::committedStackByteCount): |
| * runtime/VM.h: |
| (JSC::VM::isSafeToRecurse const): |
| * runtime/VMEntryScope.cpp: |
| (JSC::VMEntryScope::VMEntryScope): |
| * runtime/VMInlines.h: |
| (JSC::VM::ensureStackCapacityFor): |
| * yarr/YarrPattern.cpp: |
| (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const): |
| |
| 2019-11-06 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [WebAssembly] BBQPlan should retain Wasm::CodeBlock when compiling a single function |
| https://bugs.webkit.org/show_bug.cgi?id=203924 |
| |
| Reviewed by Filip Pizlo. |
| |
| * wasm/WasmBBQPlan.h: |
| |
| 2019-11-06 Mark Lam <mark.lam@apple.com> |
| |
| JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut() should fire its watchpoint as the last step. |
| https://bugs.webkit.org/show_bug.cgi?id=203867 |
| <rdar://problem/56813514> |
| |
| Reviewed by Saam Barati. |
| |
| JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut() should make all |
| the array structures SlowPut before firing the watchpoint. Otherwise, the |
| concurrent JIT may think it's grabbing the slow put version of the structure, but |
| is actually grabbing the non-SlowPut version because it happened to beat the |
| mutator in a race to read the structure before the mutator makes it SlowPut. |
| |
| Also removed some assertions in DFGSpeculativeJIT.cpp that are vulnerable to races |
| between when the mutator makes all array structures SlowPut and when it fires the |
| HavingABadTime watchpoint. The FTL equivalent did not have these assertions. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCreateRest): |
| (JSC::DFG::SpeculativeJIT::compileNewArray): |
| (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut): |
| |
| 2019-11-06 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r251940. |
| https://bugs.webkit.org/show_bug.cgi?id=203920 |
| |
| "it introduced test262 failures" (Requested by rkirsling on |
| #webkit). |
| |
| Reverted changeset: |
| |
| "[[HasProperty]] result of Proxy in prototype chain is |
| ignored" |
| https://bugs.webkit.org/show_bug.cgi?id=203560 |
| https://trac.webkit.org/changeset/251940 |
| |
| 2019-11-05 Mark Lam <mark.lam@apple.com> |
| |
| WTF::RunLoop should not depend on isMainThread() idiom. |
| https://bugs.webkit.org/show_bug.cgi?id=203873 |
| <rdar://problem/56524251> |
| |
| Reviewed by Saam Barati, Ryosuke Niwa, and Devin Rousso. |
| |
| * inspector/JSGlobalObjectScriptDebugServer.cpp: |
| (Inspector::JSGlobalObjectScriptDebugServer::runLoopMode): |
| * inspector/JSGlobalObjectScriptDebugServer.h: |
| * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: |
| (Inspector::RemoteTargetInitializeGlobalQueue): |
| (Inspector::RemoteConnectionToTarget::setupRunLoop): |
| (Inspector::RemoteConnectionToTarget::teardownRunLoop): |
| |
| 2019-11-05 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [WebAssembly] Allow tiering up from LLInt to BBQ |
| https://bugs.webkit.org/show_bug.cgi?id=203793 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Even though the interpreter was overall neutral on throughput, it's still a regression in pathological |
| cases where massive functions spend too long in the LLInt while compiling the function with OMG. This |
| patch makes it so that the LLInt can tier up to BBQ from the prologue, while still tiering up to OMG from |
| loops. This is a huge speed up on the tsf-wasm subtest of JS2: |
| |
| # BBQ -> OMG |
| Startup: 100.680 |
| Runtime: 1.852 |
| Score: 13.654 |
| |
| # LLInt -> OMG |
| Startup: 378.205 |
| Runtime: 1.291 |
| Score: 22.082 |
| |
| # LLInt -> BBQ -> OMG |
| Startup: 405.983 |
| Runtime: 2.311 |
| Score: 30.623 |
| |
| * runtime/Options.cpp: |
| (JSC::overrideDefaults): |
| * runtime/OptionsList.h: |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::BBQPlan): |
| (JSC::Wasm::BBQPlan::work): |
| (JSC::Wasm::BBQPlan::compileFunction): |
| * wasm/WasmEntryPlan.cpp: |
| (JSC::Wasm::EntryPlan::EntryPlan): |
| * wasm/WasmEntryPlan.h: |
| * wasm/WasmLLIntTierUpCounter.h: |
| (JSC::Wasm::LLIntTierUpCounter::optimizeAfterWarmUp): |
| (JSC::Wasm::LLIntTierUpCounter::optimizeSoon): |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| * wasm/WasmSlowPaths.cpp: |
| (JSC::LLInt::jitCompileAndSetHeuristics): |
| |
| 2019-11-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Introduce LinkTimeConstant mechanism |
| https://bugs.webkit.org/show_bug.cgi?id=153792 |
| |
| Reviewed by Saam Barati. |
| |
| We are using private-name-variables of JSGlobalObject as a way to access constants that are materialized per JSGlobalObject. |
| And we also have special-pointers and old link-time-constants to access per-JSGlobalObject constants. |
| We have bytecode intrinsic constants, but they are only available for per-VM values. |
| |
| However, these have multiple problems. |
| |
| 1. private-name-variables are too costly. We need to have an entry in JSGlobalObject's variables, which makes the SymbolTable of JSGlobalObject large. |
| It also requires a WatchpointSet to make it constant-fold in the DFG. And accessing these variables from builtin JS takes op_resolve_scope and op_get_from_scope, |
| enlarging the bytecode and making it slow in the interpreter and baseline compared to just getting them as a constant register. |
| 2. special-pointers are tailored to the op_jne_ptr opcode, and are not usable in other bytecodes since they are completely separate from VirtualRegister. |
| 3. The old link-time-constants implementation puts an array of all link-time-constants on each UnlinkedCodeBlock, even if they are not used. If you increase the number of |
| link-time-constants, it increases sizeof(UnlinkedCodeBlock). |
| |
| In this patch, we introduce a new link-time-constant mechanism and mostly remove the old ones above. (private-name-variables still exist for WebCore and @assert). |
| We manage link-time-constants in BytecodeIntrinsicRegistry, and emit an Int32:LinkTimeConstantID constant when generating an UnlinkedCodeBlock. Later, this constant |
| is replaced with the actual value when we link the UnlinkedCodeBlock to a CodeBlock with a specific JSGlobalObject. private-name-variables accesses are now converted to |
| constant registers so that they are accessed very efficiently, and this reduces the memory used for SymbolTable and WatchpointSet. op_jne_ptr takes link-time-constant |
| VirtualRegisters instead of special-pointers, so that we can remove the special-pointers mechanism. We also replace the old link-time-constants with the new ones, which reduces |
| sizeof(UnlinkedCodeBlock). |
| |
| Furthermore, the new link-time-constant mechanism supports lazy initialization by using LazyProperty in JSGlobalObject. This allows us to lazily generate many internal functions |
| that were previously initialized eagerly. This reduces the number of allocated JSFunctions significantly when initializing JSGlobalObject. |
| |
| This patch also manually adds 256 to MarkedSpace's size-classes. We empirically know that adding 256 here makes the sequence of size-classes better for memory consumption. |
| But this was achieved by adding `sizeof(UnlinkedFunctionCodeBlock)`. Now sizeof(UnlinkedFunctionCodeBlock) is changed by this patch, and this patch unintentionally |
| breaks that sequence. We should explicitly add 256 instead of adding sizeof(UnlinkedFunctionCodeBlock) ad hoc. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Scripts/wkbuiltins/builtins_generate_combined_header.py: |
| (generate_section_for_global_private_code_name_macro): |
| * Sources.txt: |
| * builtins/BuiltinNames.h: |
| * builtins/PromiseConstructor.js: |
| (nakedConstructor.Promise): |
| (nakedConstructor.InternalPromise): |
| (nakedConstructor.Promise.reject): Deleted. |
| (nakedConstructor.InternalPromise.reject): Deleted. |
| * bytecode/BytecodeDumper.cpp: |
| (JSC::CodeBlockBytecodeDumper<Block>::dumpConstants): |
| * bytecode/BytecodeIntrinsicRegistry.cpp: |
| (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): |
| (JSC::BytecodeIntrinsicRegistry::lookup const): |
| * bytecode/BytecodeIntrinsicRegistry.h: |
| (JSC::BytecodeIntrinsicRegistry::Entry::Entry): |
| (JSC::BytecodeIntrinsicRegistry::Entry::type const): |
| (JSC::BytecodeIntrinsicRegistry::Entry::linkTimeConstant const): |
| (JSC::BytecodeIntrinsicRegistry::Entry::emitter const): |
| * bytecode/BytecodeList.rb: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| (JSC::CodeBlock::setConstantRegisters): |
| * bytecode/Fits.h: |
| * bytecode/LinkTimeConstant.cpp: Renamed from Source/JavaScriptCore/bytecode/SpecialPointer.h. |
| (WTF::printInternal): |
| * bytecode/LinkTimeConstant.h: Added. |
| * bytecode/SpecialPointer.cpp: Removed. |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::addConstant): |
| (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted. |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall): |
| (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply): |
| (JSC::BytecodeGenerator::emitExpectedFunctionSnippet): |
| (JSC::BytecodeGenerator::emitCallDefineProperty): |
| (JSC::BytecodeGenerator::emitGetAsyncIterator): |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::ImportNode::emitBytecode): |
| (JSC::BytecodeIntrinsicNode::emitBytecode): |
| (JSC::promiseInternalFieldIndex): |
| (JSC::generatorInternalFieldIndex): |
| (JSC::asyncGeneratorInternalFieldIndex): |
| (JSC::FunctionNode::emitBytecode): |
| (JSC::ObjectPatternNode::bindValue const): |
| (JSC::ObjectSpreadExpressionNode::emitBytecode): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * heap/MarkedSpace.cpp: |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_jneq_ptr): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_jneq_ptr): |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * parser/ASTBuilder.h: |
| (JSC::ASTBuilder::createResolve): |
| (JSC::ASTBuilder::makeFunctionCallNode): |
| * parser/NodeConstructors.h: |
| (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode): |
| * parser/Nodes.h: |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedCodeBlock<CodeBlockType>::decode const): |
| (JSC::CachedCodeBlock<CodeBlockType>::encode): |
| * runtime/JSCJSValue.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::JSGlobalObject): |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::linkTimeConstant const): |
| (JSC::JSGlobalObject::callFunction const): Deleted. |
| (JSC::JSGlobalObject::applyFunction const): Deleted. |
| (JSC::JSGlobalObject::throwTypeErrorFunction const): Deleted. |
| (JSC::JSGlobalObject::newPromiseCapabilityFunction const): Deleted. |
| (JSC::JSGlobalObject::resolvePromiseFunction const): Deleted. |
| (JSC::JSGlobalObject::rejectPromiseFunction const): Deleted. |
| (JSC::JSGlobalObject::promiseProtoThenFunction const): Deleted. |
| (JSC::JSGlobalObject::regExpProtoExecFunction const): Deleted. |
| (JSC::JSGlobalObject::regExpProtoGlobalGetter const): Deleted. |
| (JSC::JSGlobalObject::regExpProtoUnicodeGetter const): Deleted. |
| (JSC::JSGlobalObject::actualPointerFor): Deleted. |
| (JSC::JSGlobalObject::jsCellForLinkTimeConstant): Deleted. |
| * runtime/JSGlobalObjectInlines.h: |
| (JSC::JSGlobalObject::throwTypeErrorFunction const): |
| (JSC::JSGlobalObject::newPromiseCapabilityFunction const): |
| (JSC::JSGlobalObject::resolvePromiseFunction const): |
| (JSC::JSGlobalObject::rejectPromiseFunction const): |
| (JSC::JSGlobalObject::promiseProtoThenFunction const): |
| (JSC::JSGlobalObject::regExpProtoExecFunction const): |
| (JSC::JSGlobalObject::regExpProtoGlobalGetter const): |
| (JSC::JSGlobalObject::regExpProtoUnicodeGetter const): |
| |
| 2019-11-04 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Unreviewed fix for non-unified build. |
| |
| * jit/JITOperations.cpp: |
| * runtime/CommonSlowPaths.cpp: |
| Add missing includes. |
| |
| 2019-11-04 Saam Barati <sbarati@apple.com> |
| |
| Don't use memmove/memcpy/memset for memory that can be scanned concurrently |
| https://bugs.webkit.org/show_bug.cgi?id=203228 |
| <rdar://problem/56401852> |
| |
| Reviewed by Robin Morisset. |
| |
| We had code inside various places of the runtime which would call into system |
| memcpy/memmove/memset when updating a live butterfly. This means that the |
| concurrent collector could be scanning such butterflies while a memcpy/memmove/memset |
| was running. Those functions don't guarantee anything about the minimum |
| alignment of the stores they do. And implementations for them frequently have |
| byte copy loops for low byte copy counts. This led to us seeing torn JSValues |
| inside the concurrent collector during Array.prototype.splice. This patch |
| introduces new functions for doing memcpy/memmove/memset for data structures |
| which may be concurrently scanned. The loops are written using inline assembly |
| for gcc compatible compilers on 64 bit platforms. The inline assembly |
| ensures we never write to memory using instructions that store fewer |
| than 8 bytes. On other platforms, we just use a volatile pointer to |
| ensure the compiler doesn't turn the loop into a function call or a |
| series of stores which may be smaller than 8 bytes. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * heap/GCMemoryOperations.h: Added. |
| (JSC::gcSafeMemcpy): |
| (JSC::gcSafeMemmove): |
| (JSC::gcSafeZeroMemory): |
| * heap/Heap.h: |
| * runtime/ArrayConventions.cpp: |
| (JSC::clearArrayMemset): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::copyElements): |
| * runtime/ButterflyInlines.h: |
| (JSC::Butterfly::tryCreate): |
| (JSC::Butterfly::createOrGrowPropertyStorage): |
| (JSC::Butterfly::growArrayRight): |
| (JSC::Butterfly::reallocArrayRightIfPossible): |
| (JSC::Butterfly::resizeArray): |
| (JSC::Butterfly::unshift): |
| (JSC::Butterfly::shift): |
| * runtime/JSArray.cpp: |
| (JSC::JSArray::unshiftCountSlowCase): |
| (JSC::JSArray::appendMemcpy): |
| (JSC::JSArray::fastSlice): |
| (JSC::JSArray::shiftCountWithArrayStorage): |
| (JSC::JSArray::shiftCountWithAnyIndexingType): |
| (JSC::JSArray::unshiftCountWithArrayStorage): |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements): |
| (JSC::JSObject::convertFromCopyOnWrite): |
| (JSC::JSObject::shiftButterflyAfterFlattening): |
| * runtime/JSObject.h: |
| * runtime/RegExpMatchesArray.h: |
| (JSC::createRegExpMatchesArray): |
| * runtime/Structure.cpp: |
| (JSC::Structure::flattenDictionaryStructure): |
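As an added illustration of the approach this entry describes (not JavaScriptCore's own gcSafeMemcpy/gcSafeMemmove/gcSafeZeroMemory), the block below copies, moves and zeroes memory one 64-bit word at a time through volatile pointers, so the compiler cannot replace the loop with a libc call or split it into sub-8-byte stores that a concurrent scanner could observe half-written. The `gcsafe::` names and the self-check function are hypothetical; the inline-assembly variant from the patch is not reproduced.

```cpp
// Added example, not JavaScriptCore's code. Word-granular copy/move/zero in the
// spirit of the gcSafeMemcpy/gcSafeMemmove/gcSafeZeroMemory described above:
// every store is a single 8-byte write through a volatile pointer, so the
// compiler cannot lower the loop to memcpy() or to byte-sized stores.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>

namespace gcsafe {

// A JSValue-sized cell is 64 bits; regions must be 8-byte aligned and sized.
using Word = uint64_t;

static inline bool wordAligned(const void* p, size_t bytes)
{
    return (reinterpret_cast<uintptr_t>(p) % sizeof(Word)) == 0
        && (bytes % sizeof(Word)) == 0;
}

// Forward copy, one 64-bit word per store. Non-overlapping regions only.
inline void memcpyWords(void* dst, const void* src, size_t bytes)
{
    assert(wordAligned(dst, bytes) && wordAligned(src, bytes));
    volatile Word* d = static_cast<volatile Word*>(dst);
    const volatile Word* s = static_cast<const volatile Word*>(src);
    for (size_t i = 0; i < bytes / sizeof(Word); ++i)
        d[i] = s[i]; // exactly one 8-byte load and one 8-byte store per cell
}

// Overlap-safe move: copy backwards when dst lies inside [src, src + bytes).
inline void memmoveWords(void* dst, const void* src, size_t bytes)
{
    assert(wordAligned(dst, bytes) && wordAligned(src, bytes));
    volatile Word* d = static_cast<volatile Word*>(dst);
    const volatile Word* s = static_cast<const volatile Word*>(src);
    size_t n = bytes / sizeof(Word);
    uintptr_t dstAddr = reinterpret_cast<uintptr_t>(dst);
    uintptr_t srcAddr = reinterpret_cast<uintptr_t>(src);
    if (dstAddr > srcAddr && dstAddr < srcAddr + bytes) {
        for (size_t i = n; i-- > 0;)
            d[i] = s[i];
    } else {
        for (size_t i = 0; i < n; ++i)
            d[i] = s[i];
    }
}

// Zero fill, again one whole word per store.
inline void zeroWords(void* dst, size_t bytes)
{
    assert(wordAligned(dst, bytes));
    volatile Word* d = static_cast<volatile Word*>(dst);
    for (size_t i = 0; i < bytes / sizeof(Word); ++i)
        d[i] = 0;
}

} // namespace gcsafe

// Self-check on a constructed buffer: the word-granular routines must be
// byte-identical to the libc versions for non-overlapping copies, forward and
// backward overlapping moves (the splice/unshift cases), and zeroing.
bool gcSafeOpsMatchLibc()
{
    constexpr size_t n = 16;
    alignas(8) uint64_t a[n], b[n];
    for (size_t i = 0; i < n; ++i)
        a[i] = b[i] = 0x0100000000000000ull * i + 0x4242; // constructed cells

    // Non-overlapping copy of the first 8 cells onto the last 8.
    gcsafe::memcpyWords(a + 8, a, 8 * sizeof(uint64_t));
    std::memcpy(b + 8, b, 8 * sizeof(uint64_t));
    if (std::memcmp(a, b, sizeof(a)) != 0) return false;

    // Forward-overlapping move (elements shifted toward the front).
    gcsafe::memmoveWords(a, a + 3, 10 * sizeof(uint64_t));
    std::memmove(b, b + 3, 10 * sizeof(uint64_t));
    if (std::memcmp(a, b, sizeof(a)) != 0) return false;

    // Backward-overlapping move (a hole opened at the front).
    gcsafe::memmoveWords(a + 5, a, 9 * sizeof(uint64_t));
    std::memmove(b + 5, b, 9 * sizeof(uint64_t));
    if (std::memcmp(a, b, sizeof(a)) != 0) return false;

    gcsafe::zeroWords(a + 2, 4 * sizeof(uint64_t));
    std::memset(b + 2, 0, 4 * sizeof(uint64_t));
    return std::memcmp(a, b, sizeof(a)) == 0;
}
```

The self-check only verifies the results; the point of the volatile word loop is the store granularity, which is visible when inspecting the generated assembly for the loop rather than in the data.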
| |
| 2019-11-04 Truitt Savell <tsavell@apple.com> |
| |
| Unreviewed, rolling out r252015. |
| |
| Broke the Windows build |
| |
| Reverted changeset: |
| |
| "Split ArithProfile into a Unary and a Binary version" |
| https://bugs.webkit.org/show_bug.cgi?id=202832 |
| https://trac.webkit.org/changeset/252015 |
| |
| 2019-11-04 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| [[Set]] isn't correct with respect to the spec and Proxy |
| https://bugs.webkit.org/show_bug.cgi?id=155012 |
| |
| Reviewed by Saam Barati. |
| |
| This patch merely removes a FIXME comment, as JavaScriptCore already has a correct |
| implementation of ordinary [[Set]]. In step 2.b of https://tc39.es/ecma262/#sec-ordinarysetwithowndescriptor, |
| if `parent` is a Proxy, the algorithm returns the result of the Proxy's [[Set]] method call. |
| It is up to the author of the "set" trap (if any) to consult the prototype chain. |
| |
| All browsers pass https://test262.report/browse/built-ins/Proxy/set/call-parameters-prototype.js, |
| which asserts that no traps besides "set" are invoked on Proxies in prototype chain during [[Set]]. |
| |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::putInlineSlow): |
| |
| 2019-11-04 Robin Morisset <rmorisset@apple.com> |
| |
| Split ArithProfile into a Unary and a Binary version |
| https://bugs.webkit.org/show_bug.cgi?id=202832 |
| <rdar://problem/56266847> |
| |
| Reviewed by Keith Miller. |
| |
| ArithProfile was for a long time only used for add/sub/mul/div, but recently it started being used for negate. And it will soon also have to be used for inc and dec due to BigInt. |
| So in this patch I make a separate version that only has the data for a single argument, and thus takes half as much memory. |
| |
| After discussing this change with Phil I realized that the ResultType(s) that were taking space in ArithProfile are not needed: they never change and a copy is already in the bytecode instruction itself. |
| Removing them allowed shrinking both kinds of ArithProfile to fit in 16 bits (9 and 13 respectively). |
| I kept the two kinds separate because they may shrink or grow independently in the future. |
| |
| This also required adding the "orh" instruction to the offline assembler, to set bits in the ArithProfile. |
| This in turn motivated the addition of "storeh", as on RISC platforms "orh" on a memory location is actually loadh -> orh -> storeh. |
| |
| * bytecode/ArithProfile.cpp: |
| (JSC::ArithProfile<BitfieldType>::emitObserveResult): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetDouble const): |
| (JSC::ArithProfile<BitfieldType>::emitSetDouble const): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetNonNumeric const): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetBigInt const): |
| (JSC::ArithProfile<BitfieldType>::emitSetNonNumeric const): |
| (JSC::ArithProfile<BitfieldType>::emitSetBigInt const): |
| (WTF::printInternal): |
| * bytecode/ArithProfile.h: |
| (JSC::ArithProfile::didObserveNonInt32 const): |
| (JSC::ArithProfile::didObserveDouble const): |
| (JSC::ArithProfile::didObserveNonNegZeroDouble const): |
| (JSC::ArithProfile::didObserveNegZeroDouble const): |
| (JSC::ArithProfile::didObserveNonNumeric const): |
| (JSC::ArithProfile::didObserveBigInt const): |
| (JSC::ArithProfile::didObserveInt32Overflow const): |
| (JSC::ArithProfile::didObserveInt52Overflow const): |
| (JSC::ArithProfile::setObservedNonNegZeroDouble): |
| (JSC::ArithProfile::setObservedNegZeroDouble): |
| (JSC::ArithProfile::setObservedNonNumeric): |
| (JSC::ArithProfile::setObservedBigInt): |
| (JSC::ArithProfile::setObservedInt32Overflow): |
| (JSC::ArithProfile::setObservedInt52Overflow): |
| (JSC::ArithProfile::observeResult): |
| (JSC::ArithProfile::addressOfBits const): |
| (JSC::ArithProfile::bits const): |
| (JSC::ArithProfile::ArithProfile): |
| (JSC::ArithProfile::hasBits const): |
| (JSC::ArithProfile::setBit): |
| (JSC::UnaryArithProfile::UnaryArithProfile): |
| (JSC::UnaryArithProfile::observedIntBits): |
| (JSC::UnaryArithProfile::observedNumberBits): |
| (JSC::UnaryArithProfile::argObservedType const): |
| (JSC::UnaryArithProfile::setArgObservedType): |
| (JSC::UnaryArithProfile::argSawInt32): |
| (JSC::UnaryArithProfile::argSawNumber): |
| (JSC::UnaryArithProfile::argSawNonNumber): |
| (JSC::UnaryArithProfile::observeArg): |
| (JSC::UnaryArithProfile::isObservedTypeEmpty): |
| (JSC::BinaryArithProfile::BinaryArithProfile): |
| (JSC::BinaryArithProfile::observedIntIntBits): |
| (JSC::BinaryArithProfile::observedNumberIntBits): |
| (JSC::BinaryArithProfile::observedIntNumberBits): |
| (JSC::BinaryArithProfile::observedNumberNumberBits): |
| (JSC::BinaryArithProfile::setLhsObservedType): |
| (JSC::BinaryArithProfile::setRhsObservedType): |
| (JSC::BinaryArithProfile::observeLHS): |
| (JSC::BinaryArithProfile::observeLHSAndRHS): |
| (JSC::BinaryArithProfile::isObservedTypeEmpty): |
| * bytecode/BytecodeList.rb: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::addJITAddIC): |
| (JSC::CodeBlock::addJITMulIC): |
| (JSC::CodeBlock::addJITSubIC): |
| (JSC::CodeBlock::addJITNegIC): |
| (JSC::CodeBlock::binaryArithProfileForBytecodeOffset): |
| (JSC::CodeBlock::unaryArithProfileForBytecodeOffset): |
| (JSC::CodeBlock::binaryArithProfileForPC): |
| (JSC::CodeBlock::unaryArithProfileForPC): |
| (JSC::CodeBlock::couldTakeSpecialFastCase): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::addMathIC): |
| * bytecode/Fits.h: |
| * bytecode/MethodOfGettingAValueProfile.cpp: |
| (JSC::MethodOfGettingAValueProfile::emitReportValue const): |
| (JSC::MethodOfGettingAValueProfile::reportValue): |
| * bytecode/MethodOfGettingAValueProfile.h: |
| (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::emitUnaryOp): |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::UnaryOpNode::emitBytecode): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::makeSafe): |
| (JSC::DFG::ByteCodeParser::makeDivSafe): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::methodOfGettingAValueProfileFor): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileValueAdd): |
| (JSC::DFG::SpeculativeJIT::compileValueSub): |
| (JSC::DFG::SpeculativeJIT::compileValueNegate): |
| (JSC::DFG::SpeculativeJIT::compileValueMul): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): |
| (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate): |
| * jit/JIT.h: |
| * jit/JITAddGenerator.cpp: |
| (JSC::JITAddGenerator::generateInline): |
| (JSC::JITAddGenerator::generateFastPath): |
| * jit/JITAddGenerator.h: |
| * jit/JITArithmetic.cpp: |
| (JSC::JIT::emit_op_negate): |
| (JSC::JIT::emit_op_add): |
| (JSC::JIT::emitMathICFast): |
| (JSC::JIT::emitMathICSlow): |
| (JSC::JIT::emit_op_div): |
| (JSC::JIT::emit_op_mul): |
| (JSC::JIT::emit_op_sub): |
| * jit/JITDivGenerator.cpp: |
| (JSC::JITDivGenerator::generateFastPath): |
| * jit/JITDivGenerator.h: |
| (JSC::JITDivGenerator::JITDivGenerator): |
| * jit/JITInlines.h: |
| (JSC::JIT::copiedArithProfile): |
| * jit/JITMathIC.h: |
| (JSC::JITMathIC::JITMathIC): |
| (JSC::JITMathIC::generateInline): |
| (JSC::JITMathIC::arithProfile const): |
| (JSC::isBinaryProfileEmpty): |
| (JSC::JITBinaryMathIC::JITBinaryMathIC): |
| (JSC::isUnaryProfileEmpty): |
| (JSC::JITUnaryMathIC::JITUnaryMathIC): |
| * jit/JITMulGenerator.cpp: |
| (JSC::JITMulGenerator::generateInline): |
| (JSC::JITMulGenerator::generateFastPath): |
| * jit/JITMulGenerator.h: |
| * jit/JITNegGenerator.cpp: |
| (JSC::JITNegGenerator::generateInline): |
| (JSC::JITNegGenerator::generateFastPath): |
| * jit/JITNegGenerator.h: |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/JITSubGenerator.cpp: |
| (JSC::JITSubGenerator::generateInline): |
| (JSC::JITSubGenerator::generateFastPath): |
| * jit/JITSubGenerator.h: |
| * llint/LLIntData.cpp: |
| (JSC::LLInt::Data::performAssertions): |
| * llint/LLIntOffsetsExtractor.cpp: |
| (JSC::LLIntOffsetsExtractor::dummy): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * parser/ResultType.h: |
| (JSC::ResultType::ResultType): |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::updateArithProfileForUnaryArithOp): |
| (JSC::updateArithProfileForBinaryArithOp): |
| (JSC::SLOW_PATH_DECL): |
| |
| 2019-11-04 Mark Lam <mark.lam@apple.com> |
| |
| Suppress ASAN in SamplingProfiler's FrameWalker::resetAtMachineFrame(). |
| https://bugs.webkit.org/show_bug.cgi?id=203819 |
| <rdar://problem/56840002> |
| |
| Reviewed by Saam Barati. |
| |
| * runtime/SamplingProfiler.cpp: |
| (JSC::FrameWalker::resetAtMachineFrame): |
| |
| 2019-11-03 Tadeu Zagallo <tzagallo@apple.com> |
| |
| LLIntGenerator should not allocate temporaries in between variables |
| https://bugs.webkit.org/show_bug.cgi?id=203787 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The BytecodeGenerator requires that all variables must be allocated contiguously, before any |
| temporaries are allocated. Currently, we might end up allocating a temporary to materialize |
| the null constant to initialize locals of type Anyref/Funcref. Fix it by keeping track of the |
| locals that need to be initialized and adding a new callback to notify when we have finished |
| parsing locals. Only then do we perform the delayed initialization of local refs. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::didFinishParsingLocals): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::didFinishParsingLocals): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parse): |
| * wasm/WasmLLIntGenerator.cpp: |
| (JSC::Wasm::LLIntGenerator::addLocal): |
| (JSC::Wasm::LLIntGenerator::didFinishParsingLocals): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::didFinishParsingLocals): |
| |
| 2019-11-02 Alexey Proskuryakov <ap@apple.com> |
| |
| Revert http://trac.webkit.org/r251875 |
| Don't use memmove/memcpy/memset for memory that can be scanned concurrently |
| |
| This is suspected to have broken performance tests on iOS. |
| |
| Also reverted http://trac.webkit.org/r251909, because that was necessary for a clean revert. |
| gcSafeMemmove references undefined slowPathBackwardsMemmove on non-gcc compatible compilers |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * heap/GCMemoryOperations.h: Removed. |
| * heap/Heap.h: |
| * runtime/ArrayConventions.cpp: |
| (JSC::clearArrayMemset): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::copyElements): |
| * runtime/ButterflyInlines.h: |
| (JSC::Butterfly::tryCreate): |
| (JSC::Butterfly::createOrGrowPropertyStorage): |
| (JSC::Butterfly::growArrayRight): |
| (JSC::Butterfly::reallocArrayRightIfPossible): |
| (JSC::Butterfly::resizeArray): |
| (JSC::Butterfly::unshift): |
| (JSC::Butterfly::shift): |
| * runtime/JSArray.cpp: |
| (JSC::JSArray::unshiftCountSlowCase): |
| (JSC::JSArray::appendMemcpy): |
| (JSC::JSArray::fastSlice): |
| (JSC::JSArray::shiftCountWithArrayStorage): |
| (JSC::JSArray::shiftCountWithAnyIndexingType): |
| (JSC::JSArray::unshiftCountWithArrayStorage): |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements): |
| (JSC::JSObject::convertFromCopyOnWrite): |
| (JSC::JSObject::shiftButterflyAfterFlattening): |
| * runtime/JSObject.h: |
| * runtime/RegExpMatchesArray.h: |
| (JSC::createRegExpMatchesArray): |
| * runtime/Structure.cpp: |
| (JSC::Structure::flattenDictionaryStructure): |
| |
| 2019-11-02 Robin Morisset <rmorisset@apple.com> |
| |
| The offline assembler is wrong about which immediates are supported by and/or/xor on ARM64 |
| https://bugs.webkit.org/show_bug.cgi?id=203752 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| See https://dinfuehr.github.io/blog/encoding-of-immediate-values-on-aarch64/ for the details of which immediates are supported. |
| This patch is a minimal fix; ideally we should refactor all of the code dealing with immediates in risc.rb, but considering that I don't know Ruby and this code is poorly tested or not tested at all, I went for the simplest possible fix. |
| |
| * offlineasm/arm64.rb: |
| * offlineasm/mips.rb: |
| * offlineasm/risc.rb: |
| |
| 2019-11-02 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Add diagnostic logging for frontend feature usage |
| https://bugs.webkit.org/show_bug.cgi?id=203579 |
| <rdar://problem/56717410> |
| |
| Reviewed by Brian Burg. |
| |
| Original patch by Matt Baker <mattbaker@apple.com>. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| Add `ENABLE_INSPECTOR_TELEMETRY`, which is only enabled for macOS. |
| |
| 2019-11-01 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Timelines: add a timeline that shows information about any recorded CSS animation/transition |
| https://bugs.webkit.org/show_bug.cgi?id=203651 |
| <rdar://problem/56128726> |
| |
| Reviewed by Brian Burg. |
| |
| Unlike all other forms of Web Animations, CSS animations/transitions are _not_ created by |
| JavaScript, and therefore can seemingly appear out of nowhere. This patch expands the Media |
| timeline to be the Media & Animations timeline, which tracks when CSS animations/transitions |
| are created, started, delayed, iterated, canceled, or finished. |
| |
| * CMakeLists.txt: |
| * DerivedSources-input.xcfilelist: |
| * DerivedSources.make: |
| * inspector/protocol/Animation.json: Added. |
| * inspector/protocol/Timeline.json: |
| Add an Animation domain for handling the tracking of CSS Web Animations. |
| |
| 2019-11-01 Saam Barati <sbarati@apple.com> |
| |
| Refactor uses of StructureStubInfo 'thisGPR' to a union for thisGPR and prototypeGPR |
| https://bugs.webkit.org/show_bug.cgi?id=203693 |
| |
| Reviewed by Mark Lam and Yusuke Suzuki. |
| |
| I'm going to be adding a third overload for this field when making |
| GetByVal inline caching part of StructureStubInfo. It's nicer for |
| each use case of this field to use it by the proper name. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateWithGuard): |
| (JSC::AccessCase::generateImpl): |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::PolymorphicAccess::regenerate): |
| * bytecode/PolymorphicAccess.h: |
| (JSC::AccessGenerationState::AccessGenerationState): |
| * bytecode/StructureStubInfo.h: |
| * jit/JITInlineCacheGenerator.cpp: |
| (JSC::JITByIdGenerator::JITByIdGenerator): |
| (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator): |
| (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator): |
| |
| 2019-11-01 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| [[HasProperty]] result of Proxy in prototype chain is ignored |
| https://bugs.webkit.org/show_bug.cgi?id=203560 |
| |
| Reviewed by Ross Kirsling. |
| |
| Before this change, when [[HasProperty]] was called on an ordinary object with a Proxy in its prototype chain, |
| a falsy result of the Proxy's "has" trap was ignored and the prototype chain was inspected further. |
| |
| According to the spec, OrdinaryHasProperty unconditionally returns the result of the parent's [[HasProperty]] call |
| (step 5.a of https://tc39.es/ecma262/#sec-ordinaryhasproperty). |
| |
| * runtime/JSObjectInlines.h: |
| (JSC::JSObject::getPropertySlot): |
| (JSC::JSObject::getNonIndexPropertySlot): |
| |
| 2019-10-31 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, speculative GTK build fix r251886 |
| https://bugs.webkit.org/show_bug.cgi?id=203703 |
| |
| * wasm/WasmSlowPaths.h: |
| |
| 2019-10-31 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Fix GTK build after r251886 |
| https://bugs.webkit.org/show_bug.cgi?id=203703 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| slow_path_wasm_throw_exception was missing `extern "C"` in the implementation file. |
| |
| * wasm/WasmSlowPaths.cpp: |
| (JSC::LLInt::slow_path_wasm_throw_exception): |
| |
| 2019-10-31 Tadeu Zagallo <tzagallo@apple.com> |
| |
| gcSafeMemmove references undefined slowPathBackwardsMemmove on non-gcc compatible compilers |
| https://bugs.webkit.org/show_bug.cgi?id=203721 |
| |
| Reviewed by Fujii Hironori. |
| |
| * heap/GCMemoryOperations.h: |
| (JSC::gcSafeMemmove): |
| |
| 2019-10-31 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Fix build when WTF_CPU_NEEDS_ALIGNED_ACCESS=1 after r251886 |
| https://bugs.webkit.org/show_bug.cgi?id=203718 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * bytecompiler/BytecodeGeneratorBaseInlines.h: |
| (JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode16): |
| (JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode32): |
| |
| 2019-10-31 Tadeu Zagallo <tzagallo@apple.com> |
| |
| offlineasm should emit the suffixes for floating point instructions on Windows x86 |
| https://bugs.webkit.org/show_bug.cgi?id=203720 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * offlineasm/x86.rb: |
| |
| 2019-10-31 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Disable Wasm interpreter on WinCairo |
| https://bugs.webkit.org/show_bug.cgi?id=203705 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The interpreter does not build on WinCairo. |
| |
| * llint/LowLevelInterpreter.asm: |
| |
| 2019-10-31 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove metadata(CallFrame*) accessor |
| https://bugs.webkit.org/show_bug.cgi?id=203712 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| We should pass CodeBlock* explicitly to remove unnecessary use of CallFrame*, which is very error-prone. |
| |
| * dfg/DFGOSREntry.cpp: |
| (JSC::DFG::prepareCatchOSREntry): |
| * dfg/DFGOSREntry.h: |
| * generator/Metadata.rb: |
| * jit/JITOperations.cpp: |
| |
| 2019-10-31 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Unreviewed, fix LowLevelInterpreter32_64.asm after r251886 |
| https://bugs.webkit.org/show_bug.cgi?id=194257 |
| |
| ci2d was renamed to ci2ds and I also missed LowLevelInterpreter32_64.asm |
| |
| * llint/LowLevelInterpreter32_64.asm: |
| |
| 2019-10-31 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Unreviewed, fix cloop builds after r251886 |
| https://bugs.webkit.org/show_bug.cgi?id=194257 |
| |
| ci2d was renamed to ci2ds, but I missed cloop.rb, arm.rb and mips.rb |
| |
| * offlineasm/arm.rb: |
| * offlineasm/cloop.rb: |
| * offlineasm/mips.rb: |
| |
| 2019-10-31 Tadeu Zagallo <tzagallo@apple.com> |
| |
| [WebAssembly] Create a Wasm interpreter |
| https://bugs.webkit.org/show_bug.cgi?id=194257 |
| <rdar://problem/44186794> |
| |
| Reviewed by Saam Barati. |
| |
| Add an interpreter tier to WebAssembly which reuses the LLInt infrastructure. The interpreter |
| currently tiers up straight to OMG and can OSR enter at the prologue and from loops. The initial |
| implementation of the interpreter is very naive, but despite the lack of optimizations it still |
| shows a 2x improvement on the WebAssembly subtests in JetStream2 and 2x improvement on the |
| PSPDFKit benchmark. It reduces "compilation" times by ~3x and it's neutral on throughput. |
| |
| The interpreter follows the same calling conventions as BBQ/OMG, which means that: |
| - We have to allocate locals for all argument registers and write all arguments registers to the |
| stack in the prologue. |
| - Calls have to allocate space for at least as many arguments as the number of argument registers. |
| Before each call, all argument registers must be loaded from the stack, and after we return from |
| the call, all registers must be stored back to the stack, in case they contain return values. We |
| carefully lay out the stack so that the arguments that would already have to be passed in the stack |
| end up in the right place. The stack layout for calls is: |
| [ gprs ][ fprs ][ optional stack arguments ][ callee frame ] |
| ^ sp |
| - The return opcode has to load all registers from the stack, since they might need to contain |
| results of the function. |
| - The calling convention requires that the callee should store itself in the callee slot of the call |
| frame, which is impossible in the interpreter, since the code we execute is the same for all callees. |
| In order to work around that, we generate an entry thunk to the wasm interpreter for each function. |
| All this thunk does is store the callee in the call frame and tail call the interpreter. |
| |
| * CMakeLists.txt: |
| * DerivedSources-input.xcfilelist: |
| * DerivedSources-output.xcfilelist: |
| * DerivedSources.make: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * bytecode/BytecodeDumper.cpp: |
| (JSC::BytecodeDumper<Block>::constantName const): |
| (JSC::BytecodeDumper<Block>::dumpValue): |
| (JSC::BytecodeDumper<Block>::dumpBytecode): |
| (JSC::CodeBlockBytecodeDumper<Block>::vm const): |
| (JSC::CodeBlockBytecodeDumper<Block>::identifier const): |
| (JSC::CodeBlockBytecodeDumper<Block>::dumpIdentifiers): |
| (JSC::CodeBlockBytecodeDumper<Block>::dumpConstants): |
| (JSC::CodeBlockBytecodeDumper<Block>::dumpExceptionHandlers): |
| (JSC::CodeBlockBytecodeDumper<Block>::dumpSwitchJumpTables): |
| (JSC::CodeBlockBytecodeDumper<Block>::dumpStringSwitchJumpTables): |
| (JSC::CodeBlockBytecodeDumper<Block>::dumpBlock): |
| * bytecode/BytecodeDumper.h: |
| (JSC::BytecodeDumper::dumpValue): |
| (JSC::BytecodeDumper::BytecodeDumper): |
| * bytecode/BytecodeGeneratorification.cpp: |
| (JSC::performGeneratorification): |
| * bytecode/BytecodeList.rb: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::dumpBytecode): |
| * bytecode/Fits.h: |
| * bytecode/Instruction.h: |
| (JSC::BaseInstruction::BaseInstruction): |
| (JSC::BaseInstruction::Impl::opcodeID const): |
| (JSC::BaseInstruction::opcodeID const): |
| (JSC::BaseInstruction::name const): |
| (JSC::BaseInstruction::isWide16 const): |
| (JSC::BaseInstruction::isWide32 const): |
| (JSC::BaseInstruction::hasMetadata const): |
| (JSC::BaseInstruction::sizeShiftAmount const): |
| (JSC::BaseInstruction::size const): |
| (JSC::BaseInstruction::is const): |
| (JSC::BaseInstruction::as const): |
| (JSC::BaseInstruction::cast): |
| (JSC::BaseInstruction::cast const): |
| (JSC::BaseInstruction::wide16 const): |
| (JSC::BaseInstruction::wide32 const): |
| * bytecode/InstructionStream.h: |
| (JSC::InstructionStream::iterator::operator+=): |
| (JSC::InstructionStream::iterator::operator++): |
| (JSC::InstructionStreamWriter::iterator::operator+=): |
| (JSC::InstructionStreamWriter::iterator::operator++): |
| * bytecode/Opcode.cpp: |
| * bytecode/Opcode.h: |
| * bytecode/PreciseJumpTargetsInlines.h: |
| * bytecode/UnlinkedCodeBlock.h: |
| * bytecode/VirtualRegister.cpp: |
| (JSC::VirtualRegister::VirtualRegister): |
| * bytecode/VirtualRegister.h: |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::GenericLabel<JSGeneratorTraits>::setLocation): |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/BytecodeGeneratorBase.h: Added. |
| * bytecompiler/BytecodeGeneratorBaseInlines.h: Added. |
| (JSC::shrinkToFit): |
| (JSC::BytecodeGeneratorBase<Traits>::BytecodeGeneratorBase): |
| (JSC::BytecodeGeneratorBase<Traits>::newLabel): |
| (JSC::BytecodeGeneratorBase<Traits>::newEmittedLabel): |
| (JSC::BytecodeGeneratorBase<Traits>::reclaimFreeRegisters): |
| (JSC::BytecodeGeneratorBase<Traits>::emitLabel): |
| (JSC::BytecodeGeneratorBase<Traits>::recordOpcode): |
| (JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode16): |
| (JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode32): |
| (JSC::BytecodeGeneratorBase<Traits>::write): |
| (JSC::BytecodeGeneratorBase<Traits>::newRegister): |
| (JSC::BytecodeGeneratorBase<Traits>::newTemporary): |
| (JSC::BytecodeGeneratorBase<Traits>::addVar): |
| (JSC::BytecodeGeneratorBase<Traits>::allocateCalleeSaveSpace): |
| * bytecompiler/Label.h: |
| (JSC::GenericBoundLabel::GenericBoundLabel): |
| (JSC::GenericBoundLabel::target): |
| (JSC::GenericBoundLabel::saveTarget): |
| (JSC::GenericBoundLabel::commitTarget): |
| * dfg/DFGByteCodeParser.cpp: |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGOperations.cpp: |
| * generator/Argument.rb: |
| * generator/DSL.rb: |
| * generator/GeneratedFile.rb: |
| * generator/Opcode.rb: |
| * generator/Options.rb: |
| * generator/Section.rb: |
| * generator/Wasm.rb: Added. |
| * interpreter/Register.h: |
| * interpreter/RegisterInlines.h: |
| (JSC::Register::operator=): |
| * jit/JITArithmetic.cpp: |
| * jit/JITOpcodes.cpp: |
| * llint/LLIntData.cpp: |
| (JSC::LLInt::initialize): |
| * llint/LLIntData.h: |
| (JSC::LLInt::wasmExceptionInstructions): |
| * llint/LLIntOfflineAsmConfig.h: |
| * llint/LLIntOffsetsExtractor.cpp: |
| * llint/LLIntSlowPaths.cpp: |
| * llint/LLIntThunks.cpp: |
| (JSC::LLInt::generateThunkWithJumpTo): |
| (JSC::LLInt::wasmFunctionEntryThunk): |
| * llint/LLIntThunks.h: |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * llint/WebAssembly.asm: Added. |
| * offlineasm/arm64.rb: |
| * offlineasm/instructions.rb: |
| * offlineasm/parser.rb: |
| * offlineasm/registers.rb: |
| * offlineasm/transform.rb: |
| * offlineasm/x86.rb: |
| * parser/Nodes.h: |
| * runtime/Error.cpp: |
| (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator() const): |
| * runtime/ErrorInstance.cpp: |
| (JSC::ErrorInstance::finishCreation): |
| * runtime/Options.cpp: |
| (JSC::overrideDefaults): |
| * runtime/OptionsList.h: |
| * runtime/SamplingProfiler.cpp: |
| (JSC::FrameWalker::recordJITFrame): |
| (JSC::FrameWalker::resetAtMachineFrame): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::isControlTypeIf): |
| (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::isControlTypeIf): |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::prepareImpl): |
| (JSC::Wasm::BBQPlan::work): |
| (JSC::Wasm::BBQPlan::compileFunction): |
| (JSC::Wasm::BBQPlan::didCompleteCompilation): |
| (JSC::Wasm::BBQPlan::initializeCallees): |
| * wasm/WasmBBQPlan.h: |
| * wasm/WasmBBQPlanInlines.h: Removed. |
| * wasm/WasmCallee.cpp: |
| (JSC::Wasm::Callee::Callee): |
| (JSC::Wasm::Callee::dump const): |
| (JSC::Wasm::JITCallee::JITCallee): |
| (JSC::Wasm::LLIntCallee::setEntrypoint): |
| (JSC::Wasm::LLIntCallee::entrypoint const): |
| (JSC::Wasm::LLIntCallee::calleeSaveRegisters): |
| (JSC::Wasm:: const): |
| * wasm/WasmCallee.h: |
| (JSC::Wasm::Callee::setOSREntryCallee): |
| (JSC::Wasm::JITCallee::wasmToWasmCallsites): |
| (JSC::Wasm::JITCallee:: const): |
| * wasm/WasmCallingConvention.h: |
| * wasm/WasmCodeBlock.cpp: |
| (JSC::Wasm::CodeBlock::CodeBlock): |
| * wasm/WasmCodeBlock.h: |
| (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace): |
| (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace): |
| (JSC::Wasm::CodeBlock::wasmToWasmExitStub): |
| * wasm/WasmCompilationMode.cpp: |
| (JSC::Wasm::makeString): |
| * wasm/WasmCompilationMode.h: |
| * wasm/WasmEmbedder.h: |
| * wasm/WasmEntryPlan.cpp: Added. |
| (JSC::Wasm::EntryPlan::EntryPlan): |
| (JSC::Wasm::EntryPlan::stateString): |
| (JSC::Wasm::EntryPlan::moveToState): |
| (JSC::Wasm::EntryPlan::didReceiveFunctionData): |
| (JSC::Wasm::EntryPlan::parseAndValidateModule): |
| (JSC::Wasm::EntryPlan::prepare): |
| (JSC::Wasm::EntryPlan::ThreadCountHolder::ThreadCountHolder): |
| (JSC::Wasm::EntryPlan::ThreadCountHolder::~ThreadCountHolder): |
| (JSC::Wasm::EntryPlan::complete): |
| (JSC::Wasm::EntryPlan::compileFunctions): |
| (JSC::Wasm::EntryPlan::work): |
| * wasm/WasmEntryPlan.h: Copied from Source/JavaScriptCore/wasm/WasmBBQPlan.h. |
| (JSC::Wasm::EntryPlan::parseAndValidateModule): |
| (JSC::Wasm::EntryPlan::exports const): |
| (JSC::Wasm::EntryPlan::internalFunctionCount const): |
| (JSC::Wasm::EntryPlan::takeModuleInformation): |
| (JSC::Wasm::EntryPlan::takeWasmToWasmExitStubs): |
| (JSC::Wasm::EntryPlan::takeWasmToWasmCallsites): |
| (JSC::Wasm::EntryPlan::hasBeenPrepared const): |
| (JSC::Wasm::EntryPlan::tryReserveCapacity): |
| * wasm/WasmFunctionCodeBlock.cpp: Added. |
| (JSC::Wasm::FunctionCodeBlock::setInstructions): |
| (JSC::Wasm::FunctionCodeBlock::dumpBytecode): |
| (JSC::Wasm::FunctionCodeBlock::addOutOfLineJumpTarget): |
| (JSC::Wasm::FunctionCodeBlock::outOfLineJumpOffset): |
| (JSC::Wasm::FunctionCodeBlock::outOfLineJumpTarget): |
| (JSC::Wasm::FunctionCodeBlock::addSignature): |
| (JSC::Wasm::FunctionCodeBlock::signature const): |
| (JSC::Wasm::FunctionCodeBlock::addJumpTable): |
| (JSC::Wasm::FunctionCodeBlock::jumpTable const const): |
| (JSC::Wasm::FunctionCodeBlock::numberOfJumpTables const): |
| * wasm/WasmFunctionCodeBlock.h: Added. |
| (JSC::Wasm::FunctionCodeBlock::FunctionCodeBlock): |
| (JSC::Wasm::FunctionCodeBlock::getConstant const): |
| (JSC::Wasm::FunctionCodeBlock::functionIndex const): |
| (JSC::Wasm::FunctionCodeBlock::addJumpTarget): |
| (JSC::Wasm::FunctionCodeBlock::numberOfJumpTargets): |
| (JSC::Wasm::FunctionCodeBlock::lastJumpTarget): |
| (JSC::Wasm::FunctionCodeBlock::outOfLineJumpOffset): |
| (JSC::Wasm::FunctionCodeBlock::bytecodeOffset): |
| (JSC::Wasm::FunctionCodeBlock::tierUpCounter): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression): |
| * wasm/WasmInstance.h: |
| * wasm/WasmLLIntGenerator.cpp: Added. |
| (JSC::Wasm::LLIntGenerator::ControlType::ControlType): |
| (JSC::Wasm::LLIntGenerator::ControlType::loop): |
| (JSC::Wasm::LLIntGenerator::ControlType::topLevel): |
| (JSC::Wasm::LLIntGenerator::ControlType::block): |
| (JSC::Wasm::LLIntGenerator::ControlType::if_): |
| (JSC::Wasm::LLIntGenerator::ControlType::targetLabelForBranch const): |
| (JSC::Wasm::LLIntGenerator::fail const): |
| (JSC::Wasm::LLIntGenerator::unifyValuesWithBlock): |
| (JSC::Wasm::LLIntGenerator::emptyExpression): |
| (JSC::Wasm::LLIntGenerator::createStack): |
| (JSC::Wasm::LLIntGenerator::isControlTypeIf): |
| (JSC::Wasm::LLIntGenerator::addEndToUnreachable): |
| (JSC::Wasm::LLIntGenerator::setParser): |
| (JSC::Wasm::LLIntGenerator::dump): |
| (JSC::Wasm::LLIntGenerator::virtualRegisterForLocal): |
| (JSC::Wasm::LLIntGenerator::tmpsForSignature): |
| (JSC::Wasm::LLIntGenerator::jsNullConstant): |
| (JSC::Wasm::LLIntGenerator::isConstant): |
| (JSC::Wasm::parseAndCompileBytecode): |
| (JSC::Wasm::LLIntGenerator::LLIntGenerator): |
| (JSC::Wasm::LLIntGenerator::finalize): |
| (JSC::Wasm::LLIntGenerator::callInformationFor): |
| (JSC::Wasm::LLIntGenerator::addArguments): |
| (JSC::Wasm::LLIntGenerator::addLocal): |
| (JSC::Wasm::LLIntGenerator::addConstant): |
| (JSC::Wasm::LLIntGenerator::getLocal): |
| (JSC::Wasm::LLIntGenerator::setLocal): |
| (JSC::Wasm::LLIntGenerator::getGlobal): |
| (JSC::Wasm::LLIntGenerator::setGlobal): |
| (JSC::Wasm::LLIntGenerator::addLoop): |
| (JSC::Wasm::LLIntGenerator::addTopLevel): |
| (JSC::Wasm::LLIntGenerator::addBlock): |
| (JSC::Wasm::LLIntGenerator::addIf): |
| (JSC::Wasm::LLIntGenerator::addElse): |
| (JSC::Wasm::LLIntGenerator::addElseToUnreachable): |
| (JSC::Wasm::LLIntGenerator::addReturn): |
| (JSC::Wasm::LLIntGenerator::addBranch): |
| (JSC::Wasm::LLIntGenerator::addSwitch): |
| (JSC::Wasm::LLIntGenerator::endBlock): |
| (JSC::Wasm::LLIntGenerator::addCall): |
| (JSC::Wasm::LLIntGenerator::addCallIndirect): |
| (JSC::Wasm::LLIntGenerator::addRefIsNull): |
| (JSC::Wasm::LLIntGenerator::addRefFunc): |
| (JSC::Wasm::LLIntGenerator::addTableGet): |
| (JSC::Wasm::LLIntGenerator::addTableSet): |
| (JSC::Wasm::LLIntGenerator::addTableSize): |
| (JSC::Wasm::LLIntGenerator::addTableGrow): |
| (JSC::Wasm::LLIntGenerator::addTableFill): |
| (JSC::Wasm::LLIntGenerator::addUnreachable): |
| (JSC::Wasm::LLIntGenerator::addCurrentMemory): |
| (JSC::Wasm::LLIntGenerator::addGrowMemory): |
| (JSC::Wasm::LLIntGenerator::addSelect): |
| (JSC::Wasm::LLIntGenerator::load): |
| (JSC::Wasm::LLIntGenerator::store): |
| (JSC::GenericLabel<Wasm::GeneratorTraits>::setLocation): |
| * wasm/WasmLLIntGenerator.h: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.h. |
| * wasm/WasmLLIntPlan.cpp: Added. |
| (JSC::Wasm::LLIntPlan::prepareImpl): |
| (JSC::Wasm::LLIntPlan::compileFunction): |
| (JSC::Wasm::LLIntPlan::didCompleteCompilation): |
| (JSC::Wasm::LLIntPlan::initializeCallees): |
| * wasm/WasmLLIntPlan.h: Copied from Source/JavaScriptCore/wasm/WasmOMGForOSREntryPlan.h. |
| * wasm/WasmLLIntTierUpCounter.cpp: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.cpp. |
| (JSC::Wasm::LLIntTierUpCounter::addOSREntryDataForLoop): |
| (JSC::Wasm::LLIntTierUpCounter::osrEntryDataForLoop const const): |
| * wasm/WasmLLIntTierUpCounter.h: Copied from Source/JavaScriptCore/wasm/WasmOMGForOSREntryPlan.h. |
| (JSC::Wasm::LLIntTierUpCounter::LLIntTierUpCounter): |
| (JSC::Wasm::LLIntTierUpCounter::optimizeAfterWarmUp): |
| (JSC::Wasm::LLIntTierUpCounter::checkIfOptimizationThresholdReached): |
| (JSC::Wasm::LLIntTierUpCounter::optimizeSoon): |
| * wasm/WasmMemoryInformation.cpp: |
| (JSC::Wasm::PinnedRegisterInfo::get): |
| * wasm/WasmModule.cpp: |
| (JSC::Wasm::makeValidationResult): |
| (JSC::Wasm::makeValidationCallback): |
| (JSC::Wasm::Module::validateSync): |
| (JSC::Wasm::Module::validateAsync): |
| * wasm/WasmOMGForOSREntryPlan.cpp: |
| (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan): |
| (JSC::Wasm::OMGForOSREntryPlan::work): |
| * wasm/WasmOMGForOSREntryPlan.h: |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| * wasm/WasmSlowPaths.cpp: Added. |
| (JSC::LLInt::jitCompileAndSetHeuristics): |
| (JSC::LLInt::WASM_SLOW_PATH_DECL): |
| (JSC::LLInt::doWasmCall): |
| (JSC::LLInt::doWasmCallIndirect): |
| (JSC::LLInt::slow_path_wasm_throw_exception): |
| (JSC::LLInt::slow_path_wasm_popcount): |
| (JSC::LLInt::slow_path_wasm_popcountll): |
| * wasm/WasmSlowPaths.h: Added. |
| * wasm/WasmTable.cpp: |
| (JSC::Wasm::FuncRefTable::function const): |
| (JSC::Wasm::FuncRefTable::instance const): |
| * wasm/WasmTable.h: |
| * wasm/WasmTierUpCount.h: |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::isControlTypeIf): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/JSToWasm.h: |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::calleeSaves const): |
| |
| 2019-10-31 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make String#localeCompare faster by inlining JSGlobalObject::defaultCollator |
| https://bugs.webkit.org/show_bug.cgi?id=203696 |
| |
| Reviewed by Mark Lam. |
| |
| We found that JSGlobalObject::defaultCollator is not inlined and that it takes some time in JetStream2/cdjs. |
| We use the LazyProperty mechanism here and make JSGlobalObject::defaultCollator a simple, inlinable function. |
| This patch improves JetStream2/cdjs by 2%. |
| |
| * runtime/IntlCollator.cpp: |
| (JSC::IntlCollator::initializeCollator): |
| * runtime/IntlObject.cpp: |
| (JSC::intlBooleanOption): |
| (JSC::intlStringOption): |
| (JSC::intlNumberOption): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| (JSC::JSGlobalObject::defaultCollator): Deleted. |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::defaultCollator const): |
| * runtime/StringPrototype.cpp: |
| (JSC::stringProtoFuncLocaleCompare): |
| |
| 2019-10-31 Saam Barati <sbarati@apple.com> |
| |
| Don't use memmove/memcpy/memset for memory that can be scanned concurrently |
| https://bugs.webkit.org/show_bug.cgi?id=203228 |
| <rdar://problem/56401852> |
| |
| Reviewed by Robin Morisset. |
| |
| We had code inside various places of the runtime which would call into system |
| memcpy/memmove/memset when updating a live butterfly. This means that the |
| concurrent collector could be scanning such butterflies while a memcpy/memmove/memset |
| was running. Those functions don't guarantee anything about the minimum |
| alignment of the stores they do. And implementations for them frequently have |
| byte copy loops for low byte copy counts. This led to us seeing torn JSValues |
| inside the concurrent collector during Array.prototype.splice. This patch |
| introduces new functions for doing memcpy/memmove/memset for data structures |
| which may be concurrently scanned. The loops are written using inline assembly |
| for gcc compatible compilers on 64 bit platforms. The inline assembly |
| ensures we never write to memory using instructions that store fewer |
| than 8 bytes. On other platforms, we just use a volatile pointer to |
| ensure the compiler doesn't turn the loop into a function call or a |
| series of stores which may be smaller than 8 bytes. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * heap/GCMemoryOperations.h: Added. |
| (JSC::gcSafeMemcpy): |
| (JSC::gcSafeMemmove): |
| (JSC::gcSafeZeroMemory): |
| * heap/Heap.h: |
| * runtime/ArrayConventions.cpp: |
| (JSC::clearArrayMemset): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::copyElements): |
| * runtime/ButterflyInlines.h: |
| (JSC::Butterfly::tryCreate): |
| (JSC::Butterfly::createOrGrowPropertyStorage): |
| (JSC::Butterfly::growArrayRight): |
| (JSC::Butterfly::reallocArrayRightIfPossible): |
| (JSC::Butterfly::resizeArray): |
| (JSC::Butterfly::unshift): |
| (JSC::Butterfly::shift): |
| * runtime/JSArray.cpp: |
| (JSC::JSArray::unshiftCountSlowCase): |
| (JSC::JSArray::appendMemcpy): |
| (JSC::JSArray::fastSlice): |
| (JSC::JSArray::shiftCountWithArrayStorage): |
| (JSC::JSArray::shiftCountWithAnyIndexingType): |
| (JSC::JSArray::unshiftCountWithArrayStorage): |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements): |
| (JSC::JSObject::convertFromCopyOnWrite): |
| (JSC::JSObject::shiftButterflyAfterFlattening): |
| * runtime/JSObject.h: |
| * runtime/RegExpMatchesArray.h: |
| (JSC::createRegExpMatchesArray): |
| * runtime/Structure.cpp: |
| (JSC::Structure::flattenDictionaryStructure): |
| |
| 2019-10-31 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Debugger: make sure the blackbox config is removed before iterating all existing scripts |
| https://bugs.webkit.org/show_bug.cgi?id=203666 |
| |
| Reviewed by Matt Baker. |
| |
| * inspector/agents/InspectorDebuggerAgent.h: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): |
| |
| 2019-10-31 Alex Christensen <achristensen@webkit.org> |
| |
| CMake build should make WebKit framework able to be used by Safari |
| https://bugs.webkit.org/show_bug.cgi?id=203685 |
| |
| Rubber-stamped by Tim Horton. |
| |
| * PlatformMac.cmake: |
| |
| 2019-10-31 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DateMath should have TimeClipped version |
| https://bugs.webkit.org/show_bug.cgi?id=203550 |
| |
| Reviewed by Saam Barati. |
| |
| Removing `using namespace WTF;` in Date related files in JSC. |
| |
| * runtime/DateConstructor.cpp: |
| * runtime/DateConversion.cpp: |
| (JSC::formatDateTime): |
| * runtime/DateInstance.cpp: |
| * runtime/DatePrototype.cpp: |
| * runtime/JSDateMath.cpp: |
| (JSC::localTimeOffset): |
| (JSC::timeToMS): |
| (JSC::gregorianDateTimeToMS): |
| (JSC::msToGregorianDateTime): |
| (JSC::parseDate): |
| (JSC::msToSeconds): Deleted. |
| (JSC::msToWeekDay): Deleted. |
| |
| 2019-10-30 Peng Liu <peng.liu6@apple.com> |
| |
| [Picture-in-Picture Web API] Enable the support for iOS |
| https://bugs.webkit.org/show_bug.cgi?id=202618 |
| |
| Reviewed by Jer Noble. |
| |
| Enable the Picture-in-Picture API support for iOS (iPad only). |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-10-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Date functions should have intrinsic |
| https://bugs.webkit.org/show_bug.cgi?id=202187 |
| |
| Reviewed by Keith Miller. |
| |
| This patch adds intrinsics to Date object getter functions to make them inlined in DFG and FTL. |
| We add two DFG nodes, DateGetInt32OrNaN and DateGetTime. DateGetTime is used when we know |
| that the result is always a machine double. On the other hand, DateGetInt32OrNaN is used when the result is Int32 or NaN. |
| |
| Running SunSpider 100 times shows a solid improvement in Date related benchmarks. |
| |
| ToT Patched |
| |
| date-format-tofte 5.3511+-0.0260 ^ 5.2747+-0.0273 ^ definitely 1.0145x faster |
| date-format-xparb 4.9196+-0.0265 ^ 4.7067+-0.0200 ^ definitely 1.0452x faster |
| |
| * bytecode/SpeculatedType.cpp: |
| (JSC::dumpSpeculation): |
| (JSC::speculationFromClassInfo): |
| (JSC::speculationFromJSType): |
| (JSC::speculationFromString): |
| * bytecode/SpeculatedType.h: |
| * dfg/DFGAbstractHeap.h: |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicCall): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| * dfg/DFGHeapLocation.cpp: |
| (WTF::printInternal): |
| * dfg/DFGHeapLocation.h: |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::hasIntrinsic): |
| (JSC::DFG::Node::intrinsic): |
| (JSC::DFG::Node::hasHeapPrediction): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::SafeToExecuteEdge::operator()): |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::speculateDateObject): |
| (JSC::DFG::SpeculativeJIT::speculate): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| (JSC::DFG::SpeculativeJIT::compileDateGet): |
| * dfg/DFGUseKind.cpp: |
| (WTF::printInternal): |
| * dfg/DFGUseKind.h: |
| (JSC::DFG::typeFilterFor): |
| (JSC::DFG::isCell): |
| * ftl/FTLAbstractHeapRepository.cpp: |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDateGet): |
| (JSC::FTL::DFG::LowerDFGToB3::lowDateObject): |
| (JSC::FTL::DFG::LowerDFGToB3::speculate): |
| (JSC::FTL::DFG::LowerDFGToB3::speculateDateObject): |
| * runtime/DateConversion.cpp: |
| (JSC::formatDateTime): |
| * runtime/DateInstance.cpp: |
| (JSC::DateInstance::calculateGregorianDateTime const): |
| (JSC::DateInstance::calculateGregorianDateTimeUTC const): |
| * runtime/DateInstance.h: |
| * runtime/DateInstanceCache.h: |
| (JSC::DateInstanceData::offsetOfGregorianDateTimeCachedForMS): |
| (JSC::DateInstanceData::offsetOfCachedGregorianDateTime): |
| (JSC::DateInstanceData::offsetOfGregorianDateTimeUTCCachedForMS): |
| (JSC::DateInstanceData::offsetOfCachedGregorianDateTimeUTC): |
| (JSC::DateInstanceData::DateInstanceData): Deleted. |
| * runtime/DatePrototype.cpp: |
| (JSC::formatLocaleDate): |
| (JSC::formateDateInstance): |
| (JSC::dateProtoFuncToISOString): |
| (JSC::dateProtoFuncGetFullYear): |
| (JSC::dateProtoFuncGetUTCFullYear): |
| (JSC::dateProtoFuncGetMonth): |
| (JSC::dateProtoFuncGetUTCMonth): |
| (JSC::dateProtoFuncGetDate): |
| (JSC::dateProtoFuncGetUTCDate): |
| (JSC::dateProtoFuncGetDay): |
| (JSC::dateProtoFuncGetUTCDay): |
| (JSC::dateProtoFuncGetHours): |
| (JSC::dateProtoFuncGetUTCHours): |
| (JSC::dateProtoFuncGetMinutes): |
| (JSC::dateProtoFuncGetUTCMinutes): |
| (JSC::dateProtoFuncGetSeconds): |
| (JSC::dateProtoFuncGetUTCSeconds): |
| (JSC::dateProtoFuncGetMilliSeconds): |
| (JSC::dateProtoFuncGetUTCMilliseconds): |
| (JSC::dateProtoFuncGetTimezoneOffset): |
| (JSC::setNewValueFromTimeArgs): |
| (JSC::setNewValueFromDateArgs): |
| (JSC::dateProtoFuncSetYear): |
| (JSC::dateProtoFuncGetYear): |
| * runtime/Intrinsic.cpp: |
| (JSC::intrinsicName): |
| * runtime/Intrinsic.h: |
| * runtime/JSDateMath.cpp: |
| (JSC::msToGregorianDateTime): |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| |
| 2019-10-30 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Intl.DateTimeFormat returns resolvedOptions in the wrong order |
| https://bugs.webkit.org/show_bug.cgi?id=203297 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| See table here: |
| https://tc39.es/ecma402/#table-datetimeformat-resolvedoptions-properties |
| |
| * runtime/IntlDateTimeFormat.cpp: |
| (JSC::IntlDateTimeFormat::resolvedOptions): |
| |
| 2019-10-30 Tadeu Zagallo <tzagallo@apple.com> |
| |
| tryCachePutToScopeGlobal should hold the lock to update metadata.m_getPutInfo |
| https://bugs.webkit.org/show_bug.cgi?id=203628 |
| <rdar://problem/56705353> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We hold the lock to update m_watchpointSet and m_operand, but at that point we have already |
| updated m_getPutInfo. This can lead to inconsistent state observable from the compiler thread |
| where the getPutInfo does not match the watchpointSet. |
| |
| * runtime/CommonSlowPaths.h: |
| (JSC::CommonSlowPaths::tryCachePutToScopeGlobal): |
| |
| 2019-10-07 Jer Noble <jer.noble@apple.com> |
| |
| Implement the Remote Playback API. |
| https://bugs.webkit.org/show_bug.cgi?id=162971 |
| |
| Reviewed by Youenn Fablet. |
| |
| Add RemotePlayback as a common identifier, needed for bindings due to "EnabledAtRuntime=RemotePlayback". |
| |
| * runtime/CommonIdentifiers.h: |
| |
| 2019-10-29 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Add fast path for String#localeCompare |
| https://bugs.webkit.org/show_bug.cgi?id=202676 |
| |
| Reviewed by Mark Lam. |
| |
| When String#localeCompare is invoked, we are setting up a UCharIterator to iterate code points. |
| But this is too slow since its implementation invokes a function pointer for each code point |
| to get the next code point. Strings typically have many code points. Invoking a function pointer so many times |
| takes too much time just for a locale-aware comparison. |
| |
| This patch revises the implementation by adding 2 fast paths and 1 slow path. The slow path requires extra memory, |
| but it is soon released (not GC-managed). |
| |
| 1. If both strings are ASCII (not Latin1), we use ucol_strcollUTF8. |
| 2. If both strings are 16-bit, we use ucol_strcoll. |
| 3. Otherwise, we convert strings to 16-bit strings, and then we use ucol_strcoll. |
| |
| JetStream2/cdjs is improved from 56 to 85 on iMac Pro (50%). |
| |
| * runtime/IntlCollator.cpp: |
| (JSC::IntlCollator::compareStrings): |
| * tools/JSDollarVM.cpp: |
| (JSC::functionMake16BitStringIfPossible): |
| (JSC::JSDollarVM::finishCreation): |
| |
| 2019-10-28 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove JSPromiseDeferred |
| https://bugs.webkit.org/show_bug.cgi?id=203400 |
| |
| Reviewed by Keith Miller. |
| |
| This patch optimizes the existing Promise usage in C++. We remove JSPromiseDeferred and JSInternalPromiseDeferred, and use JSPromise and JSInternalPromise directly. |
| JSC now offers `resolve` and `reject` operations on `JSPromise` directly, without separating the `resolve` and `reject` functions from `JSPromise`. Then we do not need |
| to have a tuple of these functions and the promise, and we can just use `JSPromise::resolve` and `JSPromise::reject`. This removes unnecessary function allocations |
| and the cell allocation for JSPromiseDeferred and makes the API simple. |
| |
| * API/JSAPIGlobalObject.mm: |
| (JSC::JSAPIGlobalObject::moduleLoaderImportModule): |
| (JSC::JSAPIGlobalObject::moduleLoaderFetch): |
| (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule): |
| * API/JSObjectRef.cpp: |
| (JSObjectMakeDeferredPromise): |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * jsc.cpp: |
| (GlobalObject::moduleLoaderImportModule): |
| (GlobalObject::moduleLoaderFetch): |
| (runJSC): |
| * runtime/Completion.cpp: |
| (JSC::rejectPromise): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::newPromiseCapabilityFunction const): |
| (JSC::JSGlobalObject::resolvePromiseFunction const): |
| (JSC::JSGlobalObject::rejectPromiseFunction const): |
| (JSC::JSGlobalObject::numberProtoToStringFunction const): |
| * runtime/JSGlobalObjectFunctions.cpp: |
| (JSC::globalFuncImportModule): |
| * runtime/JSInternalPromise.h: |
| * runtime/JSInternalPromiseDeferred.cpp: Removed. |
| * runtime/JSInternalPromiseDeferred.h: Removed. |
| * runtime/JSModuleLoader.cpp: |
| (JSC::JSModuleLoader::importModule): |
| (JSC::JSModuleLoader::resolve): |
| (JSC::JSModuleLoader::fetch): |
| (JSC::moduleLoaderParseModule): |
| * runtime/JSPromise.cpp: |
| (JSC::JSPromise::flags const): |
| (JSC::JSPromise::isHandled const): |
| (JSC::JSPromise::createDeferredData): |
| (JSC::JSPromise::resolvedPromise): |
| (JSC::callFunction): |
| (JSC::JSPromise::resolve): |
| (JSC::JSPromise::reject): |
| * runtime/JSPromise.h: |
| * runtime/JSPromiseDeferred.cpp: Removed. |
| * runtime/JSPromiseDeferred.h: Removed. |
| * runtime/PromiseTimer.cpp: Renamed from Source/JavaScriptCore/runtime/PromiseDeferredTimer.cpp. |
| (JSC::PromiseTimer::PromiseTimer): |
| (JSC::PromiseTimer::doWork): |
| (JSC::PromiseTimer::runRunLoop): |
| (JSC::PromiseTimer::addPendingPromise): |
| (JSC::PromiseTimer::hasPendingPromise): |
| (JSC::PromiseTimer::hasDependancyInPendingPromise): |
| (JSC::PromiseTimer::cancelPendingPromise): |
| (JSC::PromiseTimer::scheduleWorkSoon): |
| * runtime/PromiseTimer.h: Renamed from Source/JavaScriptCore/runtime/PromiseDeferredTimer.h. |
| (JSC::PromiseTimer::create): |
| * runtime/StringRecursionChecker.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| (JSC::VM::~VM): |
| * runtime/VM.h: |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::reject): |
| (JSC::webAssemblyModuleValidateAsyncInternal): |
| (JSC::webAssemblyCompileFunc): |
| (JSC::resolve): |
| (JSC::JSWebAssembly::webAssemblyModuleValidateAsync): |
| (JSC::instantiate): |
| (JSC::compileAndInstantiate): |
| (JSC::JSWebAssembly::instantiate): |
| (JSC::webAssemblyModuleInstantinateAsyncInternal): |
| (JSC::JSWebAssembly::webAssemblyModuleInstantinateAsync): |
| (JSC::webAssemblyInstantiateFunc): |
| (JSC::webAssemblyCompileStreamingInternal): |
| (JSC::webAssemblyInstantiateStreamingInternal): |
| * wasm/js/JSWebAssembly.h: |
| * wasm/js/JSWebAssemblyCodeBlock.h: |
| |
| 2019-10-28 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [GTK][WPE] Fix various non-unified build issues introduced since r251436 |
| https://bugs.webkit.org/show_bug.cgi?id=203492 |
| |
| Reviewed by Alex Christensen and Mark Lam. |
| |
| * bytecode/BytecodeIndex.cpp: Add missing inclusion of wtf/PrintStream.h |
| * bytecode/ICStatusUtils.h: Add missing inclusion of BytecodeIndex.h |
| * bytecode/InstructionStream.h: Ditto. |
| * debugger/DebuggerLocation.cpp: Add missing inclusion of JSCellInlines.h |
| * dfg/DFGLazyJSValue.h: Add missing inclusion of GPRInfo.h |
| * ftl/FTLOSREntry.h: Add missing inclusion of BytecodeIndex.h |
| * heap/CompleteSubspaceInlines.h: Add missing inclusions of CompleteSubspace.h and VM.h |
| * inspector/JavaScriptCallFrame.h: |
| (Inspector::JavaScriptCallFrame::thisValue const): Prepend namespace to the JSC::VM type. |
| * jit/JITDisassembler.h: Add missing inclusion of BytecodeIndex.h |
| * jit/JITWorklist.h: Ditto. |
| * runtime/JSImmutableButterfly.cpp: Add missing inclusion of ButterflyInlines.h |
| * runtime/ObjectInitializationScope.h: Add missing inclusion of VM.h |
| * runtime/StringRecursionChecker.h: Add missing inclusion of GetVM.h |
| * runtime/VMTraps.cpp: Add missing inclusion of CallFrameInlines.h |
| * tools/Integrity.cpp: Add missing inclusion of Integrity.h, HeapCellInlines.h, and |
| JSCellInlines.h |
| * wasm/WasmOperations.cpp: Add missing inclusion of JSCJSValueInlines.h and |
| JSGlobalObjectInlines.h |
| * wasm/WasmOperations.h: Add missing inclusion of IndexingType.h, JSCJSValue.h, and |
| WasmExceptionType.h; add forward declarations for JSArray and Wasm::Signature. |
| * wasm/js/JSWebAssembly.cpp: Add missing inclusion of WasmOperations.h |
| * wasm/js/JSWebAssemblyHelpers.h: Add missing inclusion of Error.h and JSArrayBufferView.h |
| |
| 2019-10-28 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Lexer flags should be an OptionSet |
| https://bugs.webkit.org/show_bug.cgi?id=203032 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| LexerFlags has an annoyingly misspelled value LexexFlagsDontBuildKeywords; |
| let's use this as an opportunity to modernize this enum. |
| |
| * parser/ASTBuilder.h: |
| * parser/Lexer.cpp: |
| (JSC::Lexer<LChar>::parseIdentifier): |
| (JSC::Lexer<UChar>::parseIdentifier): |
| (JSC::Lexer<CharacterType>::parseIdentifierSlowCase): |
| (JSC::Lexer<T>::lexWithoutClearingLineTerminator): |
| * parser/Lexer.h: |
| (JSC::Lexer<T>::lexExpectIdentifier): |
| (JSC::Lexer<T>::lex): |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseProperty): |
| (JSC::Parser<LexerType>::parseMemberExpression): |
| * parser/Parser.h: |
| (JSC::Parser::next): |
| (JSC::Parser::nextWithoutClearingLineTerminator): |
| (JSC::Parser::nextExpectIdentifier): |
| (JSC::Parser::consume): |
| * parser/SyntaxChecker.h: |
| |
| 2019-10-28 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Optimize Promise runtime functions |
| https://bugs.webkit.org/show_bug.cgi?id=203454 |
| |
| Reviewed by Keith Miller. |
| |
| This patch optimizes Promise runtime functions a bit. |
| |
| 1. Add fast paths to Promise.resolve / Promise.reject. |
| 2. Remove the state check in async-functions. Unlike generators, an async-function's next function is not exposed to users. |
| It is called by the runtime, so we can control the state perfectly. |
| 3. Add the "enqueueJob" name to make the sampling profiler work for this function. |
| 4. Make the Promise/InternalPromise constructors an inlinable size. |
| |
| ToT Patched |
| |
| promise-creation-many 25.5794+-0.3681 ^ 22.5410+-0.3229 ^ definitely 1.1348x faster |
| promise-resolve 32.3793+-0.4252 ^ 9.4219+-0.1114 ^ definitely 3.4366x faster |
| promise-reject 108.5968+-0.7741 ^ 36.9383+-0.3770 ^ definitely 2.9400x faster |
| |
| * builtins/AsyncFunctionPrototype.js: |
| (globalPrivate.asyncFunctionResume): |
| * builtins/PromiseConstructor.js: |
| (reject): |
| (resolve): |
| (nakedConstructor.Promise.reject): |
| (nakedConstructor.Promise): |
| (nakedConstructor.InternalPromise.reject): |
| (nakedConstructor.InternalPromise): |
| (nakedConstructor.Promise.resolve): Deleted. |
| (nakedConstructor.InternalPromise.resolve): Deleted. |
| * builtins/PromiseOperations.js: |
| (globalPrivate.newPromiseCapability.resolve): |
| (globalPrivate.newPromiseCapability.reject): |
| (globalPrivate.newPromiseCapability): |
| (globalPrivate.promiseResolveSlow): |
| (globalPrivate.promiseRejectSlow): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| |
| 2019-10-28 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use FTLOutput::callWithoutSideEffects if operation does not have side effects |
| https://bugs.webkit.org/show_bug.cgi?id=203485 |
| |
| Reviewed by Mark Lam. |
| |
| This makes Call's Effect none, and encourages optimizations around it. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32): |
| (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32): |
| (JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52): |
| |
| 2019-10-28 Tuomas Karkkainen <tuomas.webkit@apple.com> |
| |
| dumpSpeculation in SpeculatedType.cpp prints to the wrong stream and has wrong capitalization for NaN |
| https://bugs.webkit.org/show_bug.cgi?id=203486 |
| |
| Reviewed by Antti Koivisto. |
| |
| * bytecode/SpeculatedType.cpp: |
| (JSC::dumpSpeculation): |
| |
| 2019-10-28 Fujii Hironori <Hironori.Fujii@sony.com> |
| |
| [Windows][Clang] error LNK2001: unresolved external symbol "void * __cdecl JSC::allocateCell<class JSC::JSGenericTypedArrayView<struct JSC::Float32Adaptor> >(class JSC::Heap &,unsigned __int64)" |
| https://bugs.webkit.org/show_bug.cgi?id=203483 |
| |
| Unreviewed build fix for clang-cl builds. |
| |
| * runtime/JSGenericTypedArrayViewInlines.h: Added #include "JSCellInlines.h". |
| |
| 2019-10-26 Chris Lord <clord@igalia.com> |
| |
| Put OffscreenCanvas behind a build flag |
| https://bugs.webkit.org/show_bug.cgi?id=203146 |
| |
| Reviewed by Ryosuke Niwa. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-10-25 Yury Semikhatsky <yurys@chromium.org> |
| |
| Web Inspector: support emulateUserGesture parameter in Runtime.callFunctionOn |
| https://bugs.webkit.org/show_bug.cgi?id=200262 |
| |
| Reviewed by Devin Rousso. |
| |
| * inspector/agents/InspectorRuntimeAgent.cpp: |
| (Inspector::InspectorRuntimeAgent::callFunctionOn): |
| * inspector/agents/InspectorRuntimeAgent.h: |
| * inspector/protocol/Runtime.json: |
| |
| 2019-10-24 Mark Lam <mark.lam@apple.com> |
| |
| Move JSC::Register inline methods into RegisterInlines.h. |
| https://bugs.webkit.org/show_bug.cgi?id=203391 |
| |
| Reviewed by Yusuke Suzuki and Keith Miller. |
| |
| We're doing this because: |
| 1. RegisterInlines.h is the canonical place to put inline Register methods. |
| 2. It helps reduce build time. |
| e.g. build-jsc went from 208.02 to 196.81 seconds (about a 5% reduction). |
| 3. This enables experimental work to box JSCells in JSValue. |
| |
| This patch also handles the fallout of this change, which necessitates more |
| inline methods being moved from <file>.h to their respective <file>Inlines.h. |
| |
| JSArray.h used to include ButterflyInlines.h and JSCellInlines.h. This is a |
| violation of inclusion ordering (.h should not #include Inlines.h). This |
| violation has been removed. |
| |
| * API/JSAPIGlobalObject.mm: |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * bytecode/CodeBlock.h: |
| (JSC::CallFrame::r): Deleted. |
| (JSC::CallFrame::uncheckedR): Deleted. |
| * bytecode/MetadataTable.cpp: |
| * ftl/FTLLowerDFGToB3.cpp: |
| * interpreter/CallFrame.h: |
| (JSC::CallFrame::guaranteedJSValueCallee const): Deleted. |
| (JSC::CallFrame::jsCallee const): Deleted. |
| (JSC::CallFrame::codeBlock const): Deleted. |
| (JSC::CallFrame::unsafeCodeBlock const): Deleted. |
| (JSC::CallFrame::scope const): Deleted. |
| (JSC::CallFrame::topOfFrame): Deleted. |
| (JSC::CallFrame::setScope): Deleted. |
| (JSC::CallFrame::setCallee): Deleted. |
| (JSC::CallFrame::setCodeBlock): Deleted. |
| * interpreter/CallFrameInlines.h: |
| (JSC::CallFrame::r): |
| (JSC::CallFrame::uncheckedR): |
| (JSC::CallFrame::guaranteedJSValueCallee const): |
| (JSC::CallFrame::jsCallee const): |
| (JSC::CallFrame::codeBlock const): |
| (JSC::CallFrame::unsafeCodeBlock const): |
| (JSC::CallFrame::lexicalGlobalObject const): |
| (JSC::CallFrame::setCallee): |
| (JSC::CallFrame::setCodeBlock): |
| (JSC::CallFrame::setScope): |
| (JSC::CallFrame::scope const): |
| (JSC::CallFrame::topOfFrame): |
| * interpreter/Interpreter.cpp: |
| * interpreter/ProtoCallFrame.h: |
| (JSC::ProtoCallFrame::init): Deleted. |
| * interpreter/ProtoCallFrameInlines.h: Added. |
| (JSC::ProtoCallFrame::init): |
| (JSC::ProtoCallFrame::callee const): |
| (JSC::ProtoCallFrame::setCallee): |
| (JSC::ProtoCallFrame::codeBlock const): |
| (JSC::ProtoCallFrame::setCodeBlock): |
| * interpreter/Register.h: |
| (JSC::Register::callFrame const): Deleted. |
| (JSC::Register::codeBlock const): Deleted. |
| (JSC::Register::asanUnsafeCodeBlock const): Deleted. |
| * interpreter/RegisterInlines.h: Added. |
| (JSC::Register::callFrame const): |
| (JSC::Register::codeBlock const): |
| (JSC::Register::asanUnsafeCodeBlock const): |
| (JSC::Register::object const): |
| (JSC::Register::operator=): |
| (JSC::Register::scope const): |
| * interpreter/StackVisitor.cpp: |
| * jit/AssemblyHelpers.h: |
| * llint/LLIntSlowPaths.cpp: |
| * runtime/ArrayStorage.h: |
| (JSC::ArrayStorage::optimalVectorLength): Deleted. |
| * runtime/ArrayStorageInlines.h: Added. |
| (JSC::ArrayStorage::availableVectorLength): |
| (JSC::ArrayStorage::optimalVectorLength): |
| (JSC::ArrayStorage::totalSize const): |
| * runtime/ButterflyInlines.h: |
| * runtime/ClassInfo.h: |
| * runtime/GetVM.h: Added. |
| * runtime/JSArray.h: |
| * runtime/JSArrayInlines.h: |
| * runtime/JSCellInlines.h: |
| * runtime/JSGlobalObject.h: |
| * runtime/JSObject.h: |
| (JSC::Register::object const): Deleted. |
| (JSC::Register::operator=): Deleted. |
| * runtime/JSObjectInlines.h: |
| * runtime/JSScope.h: |
| (JSC::Register::operator=): Deleted. |
| (JSC::Register::scope const): Deleted. |
| (JSC::CallFrame::lexicalGlobalObject const): Deleted. |
| * runtime/JSString.h: |
| * runtime/PropertyNameArray.h: |
| * runtime/PropertySlot.h: |
| * runtime/VMInlines.h: |
| * tools/HeapVerifier.cpp: |
| * wasm/js/WebAssemblyFunction.cpp: |
| |
| 2019-10-24 Zan Dobersek <zdobersek@igalia.com> |
| |
| REGRESSION(r251468): Build, test failures in 32-bit JSC after BytecodeIndex refactoring |
| https://bugs.webkit.org/show_bug.cgi?id=203290 |
| |
| Reviewed by Keith Miller. |
| |
| * bytecode/BytecodeIndex.h: |
| (JSC::BytecodeIndex::BytecodeIndex): |
| Add a BytecodeIndex(WTF::HashTableDeletedValueType) constructor. |
| * bytecode/CodeOrigin.h: |
| (JSC::CodeOrigin::CodeOrigin): |
| Have the CodeOrigin(WTF::HashTableDeletedValueType) constructor |
| initialize the BytecodeIndex object accordingly, as a deleted value. |
| (JSC::CodeOrigin::isHashTableDeletedValue const): |
| Test BytecodeIndex object's deleted-value condition through the |
| corresponding BytecodeIndex::isHashTableDeletedValue() method. |
| * profiler/ProfilerOrigin.h: |
| (JSC::Profiler::Origin::Origin): |
| Simplify the m_bytecodeIndex member initialization for a deleted value. |
| (JSC::Profiler::Origin::operator! const): |
| Fix the negation operator, returning true if the m_bytecodeIndex is |
| either empty or deleted. |
| |
| 2019-10-24 Sihui Liu <sihui_liu@apple.com> |
| |
| [ Mac WK1 ] REGRESSION (r251261): Layout Test inspector/console/webcore-logging.html is consistently Failing |
| https://bugs.webkit.org/show_bug.cgi?id=203173 |
| <rdar://problem/56424721> |
| |
| Hold a strong reference to JSGlobalObject in ConsoleMessage so that the object is not garbage collected before |
| WebConsoleAgent::frameWindowDiscarded. |
| |
| Covered by existing test: inspector/console/webcore-logging.html. |
| |
| Reviewed by Geoffrey Garen. |
| |
| * inspector/ConsoleMessage.cpp: |
| (Inspector::ConsoleMessage::ConsoleMessage): |
| (Inspector::ConsoleMessage::clear): |
| * inspector/ConsoleMessage.h: |
| |
| 2019-10-24 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Properly organize wasm operations |
| https://bugs.webkit.org/show_bug.cgi?id=203360 |
| |
| Reviewed by Keith Miller. |
| |
| This patch cleans up operation functions called from Wasm. |
| |
| 1. Properly name these operations with the prefix "operation". |
| 2. Do not use lambdas. Define functions with JIT_OPERATION. |
| 3. Consolidate them in WasmOperations.cpp. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::addRefFunc): |
| (JSC::Wasm::AirIRGenerator::addTableGet): |
| (JSC::Wasm::AirIRGenerator::addTableSet): |
| (JSC::Wasm::AirIRGenerator::addTableSize): |
| (JSC::Wasm::AirIRGenerator::addTableGrow): |
| (JSC::Wasm::AirIRGenerator::addTableFill): |
| (JSC::Wasm::AirIRGenerator::addGrowMemory): |
| (JSC::Wasm::AirIRGenerator::emitWriteBarrierForJSWrapper): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::addTableGet): |
| (JSC::Wasm::B3IRGenerator::addTableSet): |
| (JSC::Wasm::B3IRGenerator::addRefFunc): |
| (JSC::Wasm::B3IRGenerator::addTableSize): |
| (JSC::Wasm::B3IRGenerator::addTableGrow): |
| (JSC::Wasm::B3IRGenerator::addTableFill): |
| (JSC::Wasm::B3IRGenerator::addGrowMemory): |
| (JSC::Wasm::B3IRGenerator::emitWriteBarrierForJSWrapper): |
| (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>): |
| (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>): |
| * wasm/WasmInstance.cpp: |
| (JSC::Wasm::getWasmTableElement): Deleted. |
| (JSC::Wasm::setWasmTableElement): Deleted. |
| (JSC::Wasm::doWasmTableGrow): Deleted. |
| (JSC::Wasm::doWasmTableFill): Deleted. |
| (JSC::Wasm::doWasmRefFunc): Deleted. |
| * wasm/WasmInstance.h: |
| * wasm/WasmOperations.cpp: |
| (JSC::Wasm::operationWasmUnwind): |
| (JSC::Wasm::operationConvertToF64): |
| (JSC::Wasm::operationConvertToI32): |
| (JSC::Wasm::operationConvertToF32): |
| (JSC::Wasm::operationIterateResults): |
| (JSC::Wasm::operationAllocateResultsArray): |
| (JSC::Wasm::operationWasmWriteBarrierSlowPath): |
| (JSC::Wasm::operationPopcount32): |
| (JSC::Wasm::operationPopcount64): |
| (JSC::Wasm::operationGrowMemory): |
| (JSC::Wasm::operationGetWasmTableElement): |
| (JSC::Wasm::setWasmTableElement): |
| (JSC::Wasm::operationSetWasmTableElement): |
| (JSC::Wasm::operationWasmTableGrow): |
| (JSC::Wasm::operationWasmTableFill): |
| (JSC::Wasm::operationWasmRefFunc): |
| (JSC::Wasm::operationGetWasmTableSize): |
| (JSC::Wasm::operationWasmToJSException): |
| * wasm/WasmOperations.h: |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::marshallJSResult): |
| (JSC::Wasm::allocateResultsArray): Deleted. |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::wasmToJS): |
| (JSC::Wasm::operationWasmToJSException): Deleted. |
| * wasm/js/WasmToJS.h: |
| * wasm/js/WebAssemblyInstanceConstructor.cpp: |
| |
| 2019-10-24 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove LLInt's Callee size assumption |
| https://bugs.webkit.org/show_bug.cgi?id=203282 |
| |
| Reviewed by Mark Lam. |
| |
| LLInt code still assumes that Callee is always allocated in a non-LargeAllocation. |
| This patch removes this assumption with the following three changes. |
| |
| 1. If we can get a CodeBlock, we get VM& from the CodeBlock. |
| 2. In nativeCallTrampoline and internalFunctionCallTrampoline, we get VM& from JSGlobalObject. It involves one more pointer chase, but it is OK |
| since this JSGlobalObject's VM* field will be touched in the called native functions anyway. And this code is only used when we are not using the JIT. |
| 3. In the exception handling code in LLInt, we get VM& from the callee by checking the LargeAllocation possibility. This is OK since it is only executed when |
| exception unwinding happens, which is an expensive operation anyway. |
| |
| * heap/LargeAllocation.h: |
| (JSC::LargeAllocation::headerSize): |
| * heap/WeakSet.h: |
| (JSC::WeakSet::WeakSet): |
| (JSC::WeakSet::vm const): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::JSGlobalObject): |
| (JSC::JSGlobalObject::init): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::vm const): |
| (JSC::JSGlobalObject::defaultCodeGenerationMode const): |
| * runtime/VM.h: |
| (JSC::WeakSet::heap const): |
| |
| 2019-10-24 Zan Dobersek <zdobersek@igalia.com> |
| |
| [JSC] Get 32-bit ports back into building order |
| https://bugs.webkit.org/show_bug.cgi?id=203358 |
| |
| Reviewed by Carlos Garcia Campos. |
| |
| Get JSC building again on 32-bit architectures after changes in r251468. |
| Some 32-bit code in LLInt and JIT is brought back, and additional casts |
| around BytecodeIndex construction are added as necessary. |
| |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::reifyInlinedCallFrames): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::reifyInlinedCallFrames): |
| * interpreter/CallFrame.cpp: |
| (JSC::CallFrame::setCurrentVPC): |
| * jit/JITCall32_64.cpp: |
| (JSC::JIT::compileCallEvalSlowCase): |
| (JSC::JIT::compileOpCall): |
| * jit/JITInlines.h: |
| (JSC::JIT::updateTopCallFrame): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_log_shadow_chicken_tail): |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_get_by_val): |
| (JSC::JIT::emitGetByValWithCachedId): |
| (JSC::JIT::emit_op_put_by_val): |
| (JSC::JIT::emitPutByValWithCachedId): |
| (JSC::JIT::emit_op_try_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_direct): |
| (JSC::JIT::emit_op_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_with_this): |
| (JSC::JIT::emit_op_put_by_id): |
| (JSC::JIT::emit_op_in_by_id): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| |
| 2019-10-24 Paulo Matos <pmatos@igalia.com> |
| |
| Disable pichdr generation on MIPS for return location labels |
| https://bugs.webkit.org/show_bug.cgi?id=203040 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Disable generation of pichdr for return location labels generated in |
| defineOSRExitReturnLabel. Since r250806 (Allow OSR exit to the LLInt), |
| MIPS was segfaulting because the pichdr after an OSR exit was corrupting |
| the gp register. |
| |
| * offlineasm/mips.rb: |
| |
| 2019-10-23 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: provide a way to inject "bootstrap" JavaScript into the page as the first script executed |
| https://bugs.webkit.org/show_bug.cgi?id=195847 |
| <rdar://problem/48950551> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| When debugging webpages, it's often useful to be able to swizzle various functions in order |
| to add extra logs for when they're called (e.g. `Event.prototype.preventDefault`). Sometimes |
| this can be difficult, such as if the page saves a copy of the function and references that |
| instead, in which case it would be helpful to have a way to guarantee that the swizzled code |
| is the first thing evaluated after the context is created. |
| |
| This change adds support for that concept, which has been named Inspector Bootstrap Script. |
| Once created, it will be injected as the first user script to every new global object that |
| is created afterwards. Modifications to the Inspector Bootstrap Script take effect for all |
| new global objects created _after_ the modification happened. |
| |
| * inspector/protocol/Page.json: |
| Add `setBootstrapScript` command. |
| |
| 2019-10-23 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove wasmAwareLexicalGlobalObject |
| https://bugs.webkit.org/show_bug.cgi?id=203351 |
| |
| Reviewed by Mark Lam. |
| |
| CallFrame::lexicalGlobalObject() is no longer called frequently. We can just turn the current wasmAwareLexicalGlobalObject into CallFrame::lexicalGlobalObject, |
| and remove the wasmAwareLexicalGlobalObject function. |
| |
| * debugger/Debugger.cpp: |
| (JSC::Debugger::hasBreakpoint): |
| (JSC::Debugger::breakProgram): |
| (JSC::lexicalGlobalObjectForCallFrame): |
| * debugger/DebuggerCallFrame.cpp: |
| (JSC::DebuggerCallFrame::deprecatedVMEntryGlobalObject const): |
| (JSC::DebuggerCallFrame::scope): |
| (JSC::DebuggerCallFrame::thisValue const): |
| (JSC::DebuggerCallFrame::evaluateWithScopeExtension): |
| * debugger/DebuggerCallFrame.h: |
| * inspector/JSJavaScriptCallFrame.cpp: |
| (Inspector::JSJavaScriptCallFrame::thisObject const): |
| * inspector/JavaScriptCallFrame.h: |
| (Inspector::JavaScriptCallFrame::thisValue const): |
| * interpreter/CallFrame.cpp: |
| (JSC::CallFrame::lexicalGlobalObjectFromWasmCallee const): |
| (JSC::CallFrame::wasmAwareLexicalGlobalObject): Deleted. |
| * interpreter/CallFrame.h: |
| * interpreter/Interpreter.cpp: |
| (JSC::notifyDebuggerOfUnwinding): |
| (JSC::Interpreter::debug): |
| * interpreter/StackVisitor.cpp: |
| (JSC::StackVisitor::Frame::createArguments): |
| * interpreter/StackVisitor.h: |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::llint_throw_stack_overflow_error): |
| * runtime/JSFunction.cpp: |
| (JSC::RetrieveArgumentsFunctor::RetrieveArgumentsFunctor): |
| (JSC::RetrieveArgumentsFunctor::operator() const): |
| (JSC::retrieveArguments): |
| * runtime/JSScope.h: |
| (JSC::CallFrame::lexicalGlobalObject const): |
| * runtime/RegExpInlines.h: |
| (JSC::RegExp::matchInline): |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::wasmToJS): |
| |
| 2019-10-23 Keith Miller <keith_miller@apple.com> |
| |
| Undo incidental change from BytecodeIndex class patch |
| https://bugs.webkit.org/show_bug.cgi?id=203339 |
| |
| Reviewed by Mark Lam. |
| |
| It's not totally clear why we need to claim our bytecode index is |
| 0 when we can't figure out what the true index is. I'd rather unbreak |
| our build for now, however, and fix the underlying issue in |
| https://bugs.webkit.org/show_bug.cgi?id=203340 |
| |
| * runtime/Error.cpp: |
| (JSC::getBytecodeIndex): |
| |
| 2019-10-23 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Figure out missing prepareCallOperation |
| https://bugs.webkit.org/show_bug.cgi?id=203285 |
| |
| Reviewed by Mark Lam. |
| |
| We started using __builtin_frame_address to get the CallFrame* in JIT operations. For platforms that do not support this API (MSVC), |
| we put the frame pointer into vm.topCallFrame on the caller side. The problem is that all Apple platforms are now using __builtin_frame_address, |
| and we are not testing the vm.topCallFrame version at all. |
| |
| To find missing prepareCallOperation calls, we introduce JITOperationPrologueCallFrameTracer. When USE(BUILTIN_FRAME_ADDRESS) is enabled and |
| it is a debug build, we put the frame pointer into vm.topCallFrame anyway. After that, we ensure that vm.topCallFrame is the same as the |
| CallFrame* obtained by __builtin_frame_address. By doing this, we can find places missing this call in debug builds of Apple ports. |
| |
| We also found that FTL's custom getter calling is putting the wrong value into vm.topCallFrame. This patch fixes it too. |
| |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::emitRestoreArguments): |
| (JSC::DFG::operationCompileOSRExit): |
| (JSC::DFG::OSRExit::compileExit): |
| (JSC::DFG::operationDebugPrintSpeculationFailure): |
| (JSC::DFG::OSRExit::compileOSRExit): Deleted. |
| (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted. |
| * dfg/DFGOSRExit.h: |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::handleExitCounts): |
| (JSC::DFG::osrWriteBarrier): |
| * dfg/DFGOSRExitCompilerCommon.h: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGThunks.cpp: |
| (JSC::DFG::osrExitThunkGenerator): |
| (JSC::DFG::osrExitGenerationThunkGenerator): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): |
| (JSC::FTL::DFG::LowerDFGToB3::callPreflight): |
| (JSC::FTL::DFG::LowerDFGToB3::callCheck): |
| * ftl/FTLOSRExitCompiler.cpp: |
| (JSC::FTL::compileStub): |
| (JSC::FTL::operationCompileFTLOSRExit): |
| (JSC::FTL::compileFTLOSRExit): Deleted. |
| * ftl/FTLOSRExitCompiler.h: |
| * ftl/FTLOperations.cpp: |
| (JSC::FTL::operationPopulateObjectInOSR): |
| (JSC::FTL::operationMaterializeObjectInOSR): |
| (JSC::FTL::operationCompileFTLLazySlowPath): |
| (JSC::FTL::compileFTLLazySlowPath): Deleted. |
| * ftl/FTLOperations.h: |
| * ftl/FTLSlowPathCall.cpp: |
| (JSC::FTL::SlowPathCallContext::makeCall): |
| * ftl/FTLThunks.cpp: |
| (JSC::FTL::genericGenerationThunkGenerator): |
| (JSC::FTL::osrExitGenerationThunkGenerator): |
| (JSC::FTL::lazySlowPathGenerationThunkGenerator): |
| (JSC::FTL::slowPathCallThunkGenerator): |
| * ftl/FTLThunks.h: |
| (JSC::FTL::generateIfNecessary): |
| (JSC::FTL::Thunks::getSlowPathCallThunk): |
| * interpreter/FrameTracers.h: |
| (JSC::SlowPathFrameTracer::SlowPathFrameTracer): |
| (JSC::JITOperationPrologueCallFrameTracer::JITOperationPrologueCallFrameTracer): |
| (JSC::JITOperationPrologueCallFrameTracer::~JITOperationPrologueCallFrameTracer): |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::callExceptionFuzz): |
| (JSC::AssemblyHelpers::debugCall): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::prepareCallOperation): |
| * jit/CCallHelpers.cpp: |
| (JSC::CCallHelpers::ensureShadowChickenPacket): |
| * jit/CCallHelpers.h: |
| (JSC::CCallHelpers::prepareCallOperation): Deleted. |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/Repatch.cpp: |
| (JSC::ftlThunkAwareRepatchCall): |
| * jit/ThunkGenerators.cpp: |
| (JSC::boundThisNoArgsFunctionCallGenerator): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| (JSC::LLInt::handleHostCall): |
| * runtime/AtomicsObject.cpp: |
| (JSC::operationAtomicsAdd): |
| (JSC::operationAtomicsAnd): |
| (JSC::operationAtomicsCompareExchange): |
| (JSC::operationAtomicsExchange): |
| (JSC::operationAtomicsIsLockFree): |
| (JSC::operationAtomicsLoad): |
| (JSC::operationAtomicsOr): |
| (JSC::operationAtomicsStore): |
| (JSC::operationAtomicsSub): |
| (JSC::operationAtomicsXor): |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/StringPrototype.cpp: |
| (JSC::operationStringProtoFuncReplaceRegExpEmptyStr): |
| (JSC::operationStringProtoFuncReplaceRegExpString): |
| (JSC::operationStringProtoFuncReplaceGeneric): |
| * tools/JSDollarVM.cpp: |
| (IGNORE_WARNINGS_BEGIN): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck): |
| * wasm/WasmOperations.cpp: |
| (JSC::Wasm::operationWasmThrowBadI64): |
| (JSC::Wasm::operationWasmTriggerOSREntryNow): |
| (JSC::Wasm::operationWasmTriggerTierUpNow): |
| (JSC::Wasm::operationThrowBadI64): Deleted. |
| (JSC::Wasm::triggerOSREntryNow): Deleted. |
| (JSC::Wasm::triggerTierUpNow): Deleted. |
| * wasm/WasmOperations.h: |
| * wasm/WasmThunks.cpp: |
| (JSC::Wasm::triggerOMGEntryTierUpThunkGenerator): |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::instantiate): |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::handleBadI64Use): |
| (JSC::Wasm::operationWasmToJSException): |
| (JSC::Wasm::emitThrowWasmToJSException): |
| (JSC::Wasm::wasmToJSException): Deleted. |
| * wasm/js/WasmToJS.h: |
| * wasm/js/WebAssemblyInstanceConstructor.cpp: |
| (JSC::constructJSWebAssemblyInstance): |
| |
| 2019-10-23 Truitt Savell <tsavell@apple.com> |
| |
| Unreviewed, rolling out r251482. |
| |
| r251261 broke multiple tests, reverting this as part of that |
| rollout. |
| |
| Reverted changeset: |
| |
| "[ Mac WK1 ] REGRESSION (r251261): Layout Test |
| inspector/console/webcore-logging.html is consistently |
| Failing" |
| https://bugs.webkit.org/show_bug.cgi?id=203173 |
| https://trac.webkit.org/changeset/251482 |
| |
| 2019-10-23 Yury Semikhatsky <yurys@chromium.org> |
| |
| Web Inspector: notify inspector when provisional page is created, committed and destroyed |
| https://bugs.webkit.org/show_bug.cgi?id=202704 |
| |
| Reviewed by Devin Rousso. |
| |
| * inspector/InspectorTarget.h: changed InspectorTarget to not require FrontendChannel as |
| all messages are routed by means of the owning InspectorTargetAgent. |
| * inspector/agents/InspectorTargetAgent.cpp: |
| (Inspector::InspectorTargetAgent::InspectorTargetAgent): |
| (Inspector::buildTargetInfoObject): |
| (Inspector::InspectorTargetAgent::targetCreated): |
| (Inspector::InspectorTargetAgent::targetDestroyed): |
| (Inspector::InspectorTargetAgent::didCommitProvisionalTarget): this method is used to |
| notify the frontend that the corresponding provisional target has committed and replaced the previous |
| target. |
| (Inspector::InspectorTargetAgent::connectionType const): |
| (Inspector::InspectorTargetAgent::connectToTargets): |
| (Inspector::InspectorTargetAgent::disconnectFromTargets): |
| * inspector/agents/InspectorTargetAgent.h: |
| * inspector/protocol/Target.json: extended TargetInfo with provisional page details and |
| added an event which is fired when the provisional page gets committed. If the provisional |
| load fails, there will be a targetDestroyed event without a corresponding commit. |
| |
| 2019-10-23 Ross Kirsling <ross.kirsling@sony.com> |
| |
| String.prototype.matchAll should throw on non-global regex |
| https://bugs.webkit.org/show_bug.cgi?id=202838 |
| |
| Reviewed by Keith Miller. |
| |
| * builtins/StringPrototype.js: |
| (matchAll): |
| Implement normative change from https://github.com/tc39/ecma262/pull/1716. |
| |
| * builtins/BuiltinNames.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| * runtime/RegExpConstructor.cpp: |
| (JSC::esSpecIsRegExp): Added. |
| * runtime/RegExpConstructor.h: |
| Expose isRegExp to builtins. (This differs from @isRegExpObject by first checking for Symbol.match.) |
| |
| 2019-10-23 Sihui Liu <sihui_liu@apple.com> |
| |
| [ Mac WK1 ] REGRESSION (r251261): Layout Test inspector/console/webcore-logging.html is consistently Failing |
| https://bugs.webkit.org/show_bug.cgi?id=203173 |
| <rdar://problem/56424721> |
| |
| Hold a strong reference to JSGlobalObject in ConsoleMessage so that the object is not garbage collected before |
| WebConsoleAgent::frameWindowDiscarded. |
| |
| Covered by existing test: inspector/console/webcore-logging.html. |
| |
| Reviewed by Geoffrey Garen. |
| |
| * inspector/ConsoleMessage.cpp: |
| (Inspector::ConsoleMessage::ConsoleMessage): |
| (Inspector::ConsoleMessage::clear): |
| * inspector/ConsoleMessage.h: |
| |
| 2019-10-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Make `JSGlobalObject*` threading change more stabilized by adding tests and assertions |
| https://bugs.webkit.org/show_bug.cgi?id=203274 |
| |
| Reviewed by Saam Barati. |
| |
| This patch does some follow-up changes after r251425. |
| |
| 1. Add tests that test vm.topCallFrame from the C++ world to ensure that `vm.topCallFrame` is kept nullptr if it is accessed from the C++ world even after executing some scripts. |
| 2. Add an assertion to ensure that `DECLARE_CALL_FRAME` is only called in a JIT operation's prologue. |
| 3. Remove some ExecState::deprecatedVM calls. |
| 4. Define `USE(BUILTIN_FRAME_ADDRESS)` when using __builtin_frame_address to get the CallFrame. |
| |
| * API/tests/testapi.cpp: |
| (TestAPI::topCallFrameAccess): |
| (testCAPIViaCpp): |
| * interpreter/CallFrame.cpp: |
| (JSC::isFromJSCode): |
| * interpreter/CallFrame.h: |
| * jit/CCallHelpers.h: |
| (JSC::CCallHelpers::prepareCallOperation): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::dumpRegisters): |
| |
| 2019-10-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, WinCairo build fix after r251468 |
| https://bugs.webkit.org/show_bug.cgi?id=203276 |
| |
| * jit/JIT.h: |
| |
| 2019-10-22 Keith Miller <keith_miller@apple.com> |
| |
| BytecodeIndex should be a proper C++ class |
| https://bugs.webkit.org/show_bug.cgi?id=203276 |
| |
| Reviewed by Mark Lam. |
| |
| This patch makes a change to how we refer to the bytecode index in |
| a bytecode stream. Previously we just used an unsigned number to |
| represent the index; this patch changes most of the code to use a |
| BytecodeIndex class instead. The only places where this patch does |
| not change this are jump and switch targets / deltas. |
| |
| Additionally, this patch attempts to canonicalize the terminology |
| around how we refer to bytecode indices. Now we use the word index |
| to refer to the bytecode index class and offset to refer to the |
| unsigned byte offset into the instruction stream. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * bytecode/ByValInfo.h: |
| (JSC::ByValInfo::ByValInfo): |
| (JSC::getByValInfoBytecodeIndex): |
| * bytecode/BytecodeBasicBlock.cpp: |
| (JSC::BytecodeBasicBlock::computeImpl): |
| * bytecode/BytecodeGeneratorification.cpp: |
| (JSC::GeneratorLivenessAnalysis::run): |
| * bytecode/BytecodeIndex.cpp: Added. |
| (JSC::BytecodeIndex::dump const): |
| * bytecode/BytecodeIndex.h: Added. |
| (JSC::BytecodeIndex::BytecodeIndex): |
| (JSC::BytecodeIndex::offset const): |
| (JSC::BytecodeIndex::asBits const): |
| (JSC::BytecodeIndex::hash const): |
| (JSC::BytecodeIndex::deletedValue): |
| (JSC::BytecodeIndex::isHashTableDeletedValue const): |
| (JSC::BytecodeIndex::operator bool const): |
| (JSC::BytecodeIndex::operator == const): |
| (JSC::BytecodeIndex::operator != const): |
| (JSC::BytecodeIndex::operator < const): |
| (JSC::BytecodeIndex::operator > const): |
| (JSC::BytecodeIndex::operator <= const): |
| (JSC::BytecodeIndex::operator >= const): |
| (JSC::BytecodeIndex::fromBits): |
| (JSC::BytecodeIndexHash::hash): |
| (JSC::BytecodeIndexHash::equal): |
| * bytecode/BytecodeLivenessAnalysis.cpp: |
| (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeIndex): |
| (JSC::BytecodeLivenessAnalysis::computeFullLiveness): |
| (JSC::BytecodeLivenessAnalysis::computeKills): |
| (JSC::BytecodeLivenessAnalysis::dumpResults): |
| (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset): Deleted. |
| * bytecode/BytecodeLivenessAnalysis.h: |
| * bytecode/BytecodeLivenessAnalysisInlines.h: |
| (JSC::BytecodeLivenessPropagation::stepOverInstruction): |
| (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeIndex): |
| (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock): |
| (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeIndex): |
| (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset): Deleted. |
| (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset): Deleted. |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeIndex): |
| (JSC::computeDefsForBytecodeIndex): |
| (JSC::computeUsesForBytecodeOffset): Deleted. |
| (JSC::computeDefsForBytecodeOffset): Deleted. |
| * bytecode/CallLinkStatus.cpp: |
| (JSC::CallLinkStatus::computeFromLLInt): |
| (JSC::CallLinkStatus::computeFor): |
| (JSC::CallLinkStatus::computeExitSiteData): |
| * bytecode/CallLinkStatus.h: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): |
| (JSC::CodeBlock::addRareCaseProfile): |
| (JSC::CodeBlock::rareCaseProfileForBytecodeIndex): |
| (JSC::CodeBlock::rareCaseProfileCountForBytecodeIndex): |
| (JSC::CodeBlock::handlerForBytecodeIndex): |
| (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndex): |
| (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow): |
| (JSC::CodeBlock::lineNumberForBytecodeIndex): |
| (JSC::CodeBlock::columnNumberForBytecodeIndex): |
| (JSC::CodeBlock::expressionRangeForBytecodeIndex const): |
| (JSC::CodeBlock::hasOpDebugForLineAndColumn): |
| (JSC::CodeBlock::getArrayProfile): |
| (JSC::CodeBlock::tryGetValueProfileForBytecodeIndex): |
| (JSC::CodeBlock::valueProfilePredictionForBytecodeIndex): |
| (JSC::CodeBlock::valueProfileForBytecodeIndex): |
| (JSC::CodeBlock::validate): |
| (JSC::CodeBlock::arithProfileForBytecodeIndex): |
| (JSC::CodeBlock::couldTakeSpecialArithFastCase): |
| (JSC::CodeBlock::bytecodeIndexFromCallSiteIndex): |
| (JSC::CodeBlock::rareCaseProfileForBytecodeOffset): Deleted. |
| (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset): Deleted. |
| (JSC::CodeBlock::handlerForBytecodeOffset): Deleted. |
| (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset): Deleted. |
| (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow): Deleted. |
| (JSC::CodeBlock::lineNumberForBytecodeOffset): Deleted. |
| (JSC::CodeBlock::columnNumberForBytecodeOffset): Deleted. |
| (JSC::CodeBlock::expressionRangeForBytecodeOffset const): Deleted. |
| (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset): Deleted. |
| (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): Deleted. |
| (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted. |
| (JSC::CodeBlock::arithProfileForBytecodeOffset): Deleted. |
| (JSC::CodeBlock::couldTakeSpecialFastCase): Deleted. |
| (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex): Deleted. |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::likelyToTakeSlowCase): |
| (JSC::CodeBlock::couldTakeSlowCase): |
| (JSC::CodeBlock::bytecodeIndex): |
| * bytecode/CodeOrigin.cpp: |
| (JSC::CodeOrigin::approximateHash const): |
| (JSC::CodeOrigin::dump const): |
| * bytecode/CodeOrigin.h: |
| (JSC::CodeOrigin::CodeOrigin): |
| (JSC::CodeOrigin::isSet const): |
| (JSC::CodeOrigin::isHashTableDeletedValue const): |
| (JSC::CodeOrigin::bytecodeIndex const): |
| (JSC::CodeOrigin::OutOfLineCodeOrigin::OutOfLineCodeOrigin): |
| (JSC::CodeOrigin::buildCompositeValue): |
| (JSC::CodeOrigin::hash const): |
| * bytecode/DFGExitProfile.cpp: |
| (JSC::DFG::FrequentExitSite::dump const): |
| (JSC::DFG::ExitProfile::exitSitesFor): |
| * bytecode/DFGExitProfile.h: |
| (JSC::DFG::FrequentExitSite::FrequentExitSite): |
| (JSC::DFG::FrequentExitSite::operator== const): |
| (JSC::DFG::FrequentExitSite::subsumes const): |
| (JSC::DFG::FrequentExitSite::hash const): |
| (JSC::DFG::FrequentExitSite::bytecodeIndex const): |
| (JSC::DFG::FrequentExitSite::isHashTableDeletedValue const): |
| (JSC::DFG::QueryableExitProfile::hasExitSite const): |
| (JSC::DFG::FrequentExitSite::bytecodeOffset const): Deleted. |
| * bytecode/DeferredSourceDump.cpp: |
| (JSC::DeferredSourceDump::DeferredSourceDump): |
| (JSC::DeferredSourceDump::dump): |
| * bytecode/DeferredSourceDump.h: |
| (): Deleted. |
| * bytecode/FullBytecodeLiveness.h: |
| (JSC::FullBytecodeLiveness::getLiveness const): |
| (JSC::FullBytecodeLiveness::operandIsLive const): |
| * bytecode/GetByIdStatus.cpp: |
| (JSC::GetByIdStatus::computeFromLLInt): |
| (JSC::GetByIdStatus::computeFor): |
| (JSC::GetByIdStatus::computeForStubInfo): |
| * bytecode/GetByIdStatus.h: |
| * bytecode/ICStatusUtils.cpp: |
| (JSC::hasBadCacheExitSite): |
| * bytecode/ICStatusUtils.h: |
| * bytecode/InByIdStatus.cpp: |
| (JSC::InByIdStatus::computeFor): |
| * bytecode/InByIdStatus.h: |
| * bytecode/InlineCallFrame.cpp: |
| (JSC::InlineCallFrame::dumpInContext const): |
| * bytecode/InstanceOfStatus.cpp: |
| (JSC::InstanceOfStatus::computeFor): |
| * bytecode/InstanceOfStatus.h: |
| * bytecode/InstructionStream.h: |
| (JSC::InstructionStream::BaseRef::offset const): |
| (JSC::InstructionStream::BaseRef::index const): |
| (JSC::InstructionStream::at const): |
| * bytecode/LazyOperandValueProfile.h: |
| (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey): |
| (JSC::LazyOperandValueProfileKey::operator== const): |
| (JSC::LazyOperandValueProfileKey::hash const): |
| (JSC::LazyOperandValueProfileKey::bytecodeIndex const): |
| (JSC::LazyOperandValueProfileKey::isHashTableDeletedValue const): |
| (JSC::LazyOperandValueProfileKey::bytecodeOffset const): Deleted. |
| * bytecode/MethodOfGettingAValueProfile.cpp: |
| (JSC::MethodOfGettingAValueProfile::fromLazyOperand): |
| * bytecode/MethodOfGettingAValueProfile.h: |
| * bytecode/PutByIdStatus.cpp: |
| (JSC::PutByIdStatus::computeFromLLInt): |
| (JSC::PutByIdStatus::computeFor): |
| * bytecode/PutByIdStatus.h: |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::StructureStubInfo): |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::lineNumberForBytecodeIndex): |
| (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeIndex const): |
| (JSC::UnlinkedCodeBlock::handlerForBytecodeIndex): |
| (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted. |
| (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset const): Deleted. |
| (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted. |
| * bytecode/UnlinkedCodeBlock.h: |
| * bytecode/ValueProfile.h: |
| (JSC::RareCaseProfile::RareCaseProfile): |
| (JSC::getRareCaseProfileBytecodeIndex): |
| (JSC::getRareCaseProfileBytecodeOffset): Deleted. |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::ForInContext::finalize): |
| * debugger/DebuggerCallFrame.cpp: |
| (JSC::DebuggerCallFrame::currentPosition): |
| * dfg/DFGBasicBlock.cpp: |
| (JSC::DFG::BasicBlock::BasicBlock): |
| * dfg/DFGBasicBlock.h: |
| (JSC::DFG::getBytecodeBeginForBlock): |
| (JSC::DFG::blockForBytecodeIndex): |
| (JSC::DFG::blockForBytecodeOffset): Deleted. |
| * dfg/DFGBlockInsertionSet.cpp: |
| (JSC::DFG::BlockInsertionSet::insert): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::flushForTerminalImpl): |
| (JSC::DFG::ByteCodeParser::flushIfTerminal): |
| (JSC::DFG::ByteCodeParser::branchData): |
| (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit): |
| (JSC::DFG::ByteCodeParser::getPrediction): |
| (JSC::DFG::ByteCodeParser::getArrayMode): |
| (JSC::DFG::ByteCodeParser::makeSafe): |
| (JSC::DFG::ByteCodeParser::makeDivSafe): |
| (JSC::DFG::ByteCodeParser::allocateTargetableBlock): |
| (JSC::DFG::ByteCodeParser::allocateUntargetableBlock): |
| (JSC::DFG::ByteCodeParser::makeBlockTargetable): |
| (JSC::DFG::ByteCodeParser::handleCall): |
| (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): |
| (JSC::DFG::ByteCodeParser::inlineCall): |
| (JSC::DFG::ByteCodeParser::handleCallVariant): |
| (JSC::DFG::ByteCodeParser::handleInlining): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| (JSC::DFG::ByteCodeParser::linkBlock): |
| (JSC::DFG::ByteCodeParser::parseCodeBlock): |
| (JSC::DFG::ByteCodeParser::parse): |
| * dfg/DFGCommonData.cpp: |
| (JSC::DFG::CommonData::addCodeOrigin): |
| (JSC::DFG::CommonData::addUniqueCallSiteIndex): |
| (JSC::DFG::CommonData::lastCallSite const): |
| * dfg/DFGCommonData.h: |
| (JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex): |
| (JSC::DFG::CommonData::appendCatchEntrypoint): |
| * dfg/DFGDriver.cpp: |
| (JSC::DFG::compileImpl): |
| (JSC::DFG::compile): |
| * dfg/DFGDriver.h: |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| (JSC::DFG::Graph::methodOfGettingAValueProfileFor): |
| (JSC::DFG::Graph::willCatchExceptionInMachineFrame): |
| * dfg/DFGGraph.h: |
| * dfg/DFGJITCode.cpp: |
| (JSC::DFG::JITCode::clearOSREntryBlockAndResetThresholds): |
| * dfg/DFGJITCode.h: |
| (JSC::DFG::JITCode::appendOSREntryData): |
| (JSC::DFG::JITCode::osrEntryDataForBytecodeIndex): |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::JITCompiler): |
| (JSC::DFG::JITCompiler::compile): |
| (JSC::DFG::JITCompiler::compileFunction): |
| * dfg/DFGJITCompiler.h: |
| (JSC::DFG::JITCompiler::setStartOfCode): |
| * dfg/DFGLiveCatchVariablePreservationPhase.cpp: |
| (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch): |
| * dfg/DFGOSREntry.cpp: |
| (JSC::DFG::OSREntryData::dumpInContext const): |
| (JSC::DFG::prepareOSREntry): |
| (JSC::DFG::prepareCatchOSREntry): |
| * dfg/DFGOSREntry.h: |
| (JSC::DFG::getOSREntryDataBytecodeIndex): |
| (JSC::DFG::prepareOSREntry): |
| * dfg/DFGOSREntrypointCreationPhase.cpp: |
| (JSC::DFG::OSREntrypointCreationPhase::run): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::executeOSRExit): |
| (JSC::DFG::reifyInlinedCallFrames): |
| (JSC::DFG::adjustAndJumpToTarget): |
| (JSC::DFG::printOSRExit): |
| (JSC::DFG::OSRExit::compileExit): |
| (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): |
| * dfg/DFGOSRExit.h: |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::callerReturnPC): |
| (JSC::DFG::reifyInlinedCallFrames): |
| (JSC::DFG::adjustAndJumpToTarget): |
| * dfg/DFGOSRExitCompilerCommon.h: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::Plan): |
| (JSC::DFG::Plan::compileInThreadImpl): |
| (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary): |
| * dfg/DFGPlan.h: |
| (JSC::DFG::Plan::osrEntryBytecodeIndex const): |
| (JSC::DFG::Plan::tierUpInLoopHierarchy): |
| (JSC::DFG::Plan::tierUpAndOSREnterBytecodes): |
| * dfg/DFGSSAConversionPhase.cpp: |
| (JSC::DFG::SSAConversionPhase::run): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCurrentBlock): |
| (JSC::DFG::SpeculativeJIT::checkArgumentTypes): |
| (JSC::DFG::SpeculativeJIT::compileValueAdd): |
| (JSC::DFG::SpeculativeJIT::compileValueSub): |
| (JSC::DFG::SpeculativeJIT::compileValueNegate): |
| (JSC::DFG::SpeculativeJIT::compileValueMul): |
| (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGTierUpCheckInjectionPhase.cpp: |
| (JSC::DFG::TierUpCheckInjectionPhase::run): |
| (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap): |
| * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: |
| (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete): |
| * dfg/DFGValidate.cpp: |
| * ftl/FTLCompile.cpp: |
| (JSC::FTL::compile): |
| * ftl/FTLForOSREntryJITCode.h: |
| (JSC::FTL::ForOSREntryJITCode::setBytecodeIndex): |
| (JSC::FTL::ForOSREntryJITCode::bytecodeIndex const): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::lower): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate): |
| * ftl/FTLOSREntry.cpp: |
| (JSC::FTL::prepareOSREntry): |
| * ftl/FTLOSREntry.h: |
| * interpreter/CallFrame.cpp: |
| (JSC::CallFrame::callSiteIndex const): |
| (JSC::CallFrame::unsafeCallSiteIndex const): |
| (JSC::CallFrame::setCurrentVPC): |
| (JSC::CallFrame::bytecodeIndex): |
| (JSC::CallFrame::codeOrigin): |
| (JSC::CallFrame::dump): |
| (JSC::CallFrame::bytecodeOffset): Deleted. |
| * interpreter/CallFrame.h: |
| (JSC::CallSiteIndex::CallSiteIndex): |
| (JSC::CallSiteIndex::operator bool const): |
| (JSC::CallSiteIndex::operator== const): |
| (JSC::CallSiteIndex::bits const): |
| (JSC::CallSiteIndex::bytecodeIndex const): |
| (JSC::DisposableCallSiteIndex::DisposableCallSiteIndex): |
| (): Deleted. |
| * interpreter/Interpreter.cpp: |
| (JSC::GetStackTraceFunctor::operator() const): |
| (JSC::findExceptionHandler): |
| * interpreter/ShadowChicken.cpp: |
| (JSC::ShadowChicken::update): |
| * interpreter/StackVisitor.cpp: |
| (JSC::StackVisitor::readNonInlinedFrame): |
| (JSC::StackVisitor::readInlinedFrame): |
| (JSC::StackVisitor::Frame::retrieveExpressionInfo const): |
| (JSC::StackVisitor::Frame::dump const): |
| * interpreter/StackVisitor.h: |
| (JSC::StackVisitor::Frame::bytecodeIndex const): |
| (JSC::StackVisitor::Frame::bytecodeOffset const): Deleted. |
| * jit/JIT.cpp: |
| (JSC::JIT::JIT): |
| (JSC::JIT::emitEnterOptimizationCheck): |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| (JSC::JIT::compileWithoutLinking): |
| (JSC::JIT::link): |
| (JSC::JIT::privateCompileExceptionHandlers): |
| * jit/JIT.h: |
| (JSC::CallRecord::CallRecord): |
| (JSC::SlowCaseEntry::SlowCaseEntry): |
| (JSC::SwitchRecord::SwitchRecord): |
| (JSC::ByValCompilationInfo::ByValCompilationInfo): |
| * jit/JITCall.cpp: |
| (JSC::JIT::compileCallEvalSlowCase): |
| (JSC::JIT::compileOpCall): |
| * jit/JITCodeMap.h: |
| (JSC::JITCodeMap::Entry::Entry): |
| (JSC::JITCodeMap::Entry::bytecodeIndex const): |
| (JSC::JITCodeMap::append): |
| (JSC::JITCodeMap::find const): |
| * jit/JITDisassembler.cpp: |
| (JSC::JITDisassembler::dumpVectorForInstructions): |
| (JSC::JITDisassembler::reportInstructions): |
| * jit/JITDisassembler.h: |
| * jit/JITInlines.h: |
| (JSC::JIT::emitNakedCall): |
| (JSC::JIT::emitNakedTailCall): |
| (JSC::JIT::updateTopCallFrame): |
| (JSC::JIT::linkAllSlowCasesForBytecodeIndex): |
| (JSC::JIT::addSlowCase): |
| (JSC::JIT::addJump): |
| (JSC::JIT::emitJumpSlowToHot): |
| (JSC::JIT::emitGetVirtualRegister): |
| (JSC::JIT::linkAllSlowCasesForBytecodeOffset): Deleted. |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_instanceof): |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_switch_imm): |
| (JSC::JIT::emit_op_switch_char): |
| (JSC::JIT::emit_op_switch_string): |
| (JSC::JIT::emitSlow_op_loop_hint): |
| (JSC::JIT::emit_op_has_indexed_property): |
| (JSC::JIT::emit_op_log_shadow_chicken_tail): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_instanceof): |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_switch_imm): |
| (JSC::JIT::emit_op_switch_char): |
| (JSC::JIT::emit_op_switch_string): |
| (JSC::JIT::emit_op_has_indexed_property): |
| * jit/JITOperations.cpp: |
| (JSC::getByVal): |
| (JSC::tryGetByValOptimize): |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_get_by_val): |
| (JSC::JIT::emitGetByValWithCachedId): |
| (JSC::JIT::emit_op_put_by_val): |
| (JSC::JIT::emitPutByValWithCachedId): |
| (JSC::JIT::emit_op_try_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_direct): |
| (JSC::JIT::emit_op_get_by_id): |
| (JSC::JIT::emit_op_get_by_id_with_this): |
| (JSC::JIT::emit_op_put_by_id): |
| (JSC::JIT::emit_op_in_by_id): |
| * jit/JITWorklist.cpp: |
| (JSC::JITWorklist::Plan::Plan): |
| (JSC::JITWorklist::Plan::compileNow): |
| (JSC::JITWorklist::compileLater): |
| (JSC::JITWorklist::compileNow): |
| * jit/JITWorklist.h: |
| * jit/PCToCodeOriginMap.cpp: |
| (JSC::PCToCodeOriginMap::PCToCodeOriginMap): |
| (JSC::PCToCodeOriginMap::findPC const): |
| * jit/PCToCodeOriginMap.h: |
| (JSC::PCToCodeOriginMapBuilder::defaultCodeOrigin): |
| * jit/SlowPathCall.h: |
| (JSC::JITSlowPathCall::call): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::jitCompileAndSetHeuristics): |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * profiler/ProfilerOrigin.cpp: |
| (JSC::Profiler::Origin::Origin): |
| (JSC::Profiler::Origin::dump const): |
| (JSC::Profiler::Origin::toJS const): |
| * profiler/ProfilerOrigin.h: |
| (JSC::Profiler::Origin::Origin): |
| (JSC::Profiler::Origin::operator! const): |
| (JSC::Profiler::Origin::bytecodeIndex const): |
| (JSC::Profiler::Origin::hash const): |
| (JSC::Profiler::Origin::isHashTableDeletedValue const): |
| * runtime/Error.cpp: |
| (JSC::getBytecodeIndex): |
| (JSC::getBytecodeOffset): Deleted. |
| * runtime/Error.h: |
| * runtime/ErrorInstance.cpp: |
| (JSC::appendSourceToError): |
| (JSC::ErrorInstance::finishCreation): |
| * runtime/SamplingProfiler.cpp: |
| (JSC::tryGetBytecodeIndex): |
| (JSC::SamplingProfiler::processUnverifiedStackTraces): |
| (JSC::SamplingProfiler::reportTopBytecodes): |
| * runtime/SamplingProfiler.h: |
| (JSC::SamplingProfiler::StackFrame::CodeLocation::hasBytecodeIndex const): |
| * runtime/StackFrame.cpp: |
| (JSC::StackFrame::StackFrame): |
| (JSC::StackFrame::computeLineAndColumn const): |
| * runtime/StackFrame.h: |
| (JSC::StackFrame::hasBytecodeIndex const): |
| (JSC::StackFrame::bytecodeIndex): |
| (JSC::StackFrame::hasBytecodeOffset const): Deleted. |
| (JSC::StackFrame::bytecodeOffset): Deleted. |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::dumpRegisters): |
| |
| 2019-10-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, make 32bit JIT built |
| https://bugs.webkit.org/show_bug.cgi?id=202392 |
| |
| This patch makes the 32bit JIT build, at least. |
| |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_throw): |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emitGetByValWithCachedId): |
| (JSC::JIT::emitSlow_op_get_by_id_direct): |
| (JSC::JIT::emitSlow_op_get_by_id): |
| (JSC::JIT::emitSlow_op_get_by_id_with_this): |
| (JSC::JIT::emitSlow_op_get_from_scope): |
| |
| 2019-10-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove non-LargeAllocation restriction for JSCallee |
| https://bugs.webkit.org/show_bug.cgi?id=203260 |
| |
| Reviewed by Saam Barati. |
| |
| We now pass JSGlobalObject* instead of ExecState*, and we get VM& from JSGlobalObject*. |
| Because accessing ExecState::vm() now becomes less frequent, we can remove the restriction that |
| the callee is only allocated in non-LargeAllocation, a restriction that made ExecState::vm fast. |
| |
| This patch renames `CallFrame::vm` to `CallFrame::deprecatedVM`, and we avoid using it as much as possible. |
| We also remove the restriction that the callee needs to be in non-LargeAllocation. |
| |
| * API/JSContextRef.cpp: |
| (JSContextCreateBacktrace): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::noticeIncomingCall): |
| * debugger/DebuggerCallFrame.cpp: |
| (JSC::DebuggerCallFrame::deprecatedVMEntryGlobalObject const): |
| (JSC::DebuggerCallFrame::functionName const): |
| (JSC::DebuggerCallFrame::scope): |
| (JSC::DebuggerCallFrame::type const): |
| (JSC::DebuggerCallFrame::evaluateWithScopeExtension): |
| (JSC::DebuggerCallFrame::positionForCallFrame): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::executeOSRExit): |
| (JSC::DFG::OSRExit::compileOSRExit): |
| (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): |
| * dfg/DFGOperations.cpp: |
| * ftl/FTLOSRExitCompiler.cpp: |
| (JSC::FTL::compileFTLOSRExit): |
| * ftl/FTLOperations.cpp: |
| (JSC::FTL::compileFTLLazySlowPath): |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension): |
| * inspector/ScriptCallStackFactory.cpp: |
| (Inspector::createScriptCallStack): |
| (Inspector::createScriptCallStackForConsole): |
| * interpreter/CallFrame.cpp: |
| (JSC::CallFrame::callerSourceOrigin): |
| (JSC::CallFrame::friendlyFunctionName): |
| * interpreter/CallFrame.h: |
| (JSC::CallFrame::iterate): |
| * interpreter/Interpreter.cpp: |
| (JSC::sizeOfVarargs): |
| (JSC::sizeFrameForVarargs): |
| (JSC::Interpreter::getStackTrace): |
| (JSC::Interpreter::unwind): |
| (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown): |
| (JSC::Interpreter::debug): |
| * interpreter/Interpreter.h: |
| * interpreter/ShadowChicken.cpp: |
| (JSC::ShadowChicken::update): |
| * interpreter/StackVisitor.cpp: |
| (JSC::StackVisitor::StackVisitor): |
| (JSC::StackVisitor::Frame::functionName const): |
| * interpreter/StackVisitor.h: |
| (JSC::StackVisitor::visit): |
| * jit/HostCallReturnValue.cpp: |
| (JSC::getHostCallReturnValueWithExecState): |
| * jit/JITOperations.cpp: |
| * jit/Repatch.cpp: |
| (JSC::linkFor): |
| (JSC::linkPolymorphicCall): |
| * jit/Repatch.h: |
| * jsc.cpp: |
| (functionJSCStack): |
| (functionRunString): |
| (functionLoadString): |
| (functionCallerSourceOrigin): |
| (functionCallerIsOMGCompiled): |
| (functionDollarEvalScript): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * runtime/Error.cpp: |
| (JSC::getBytecodeOffset): |
| * runtime/FunctionConstructor.cpp: |
| (JSC::constructFunction): |
| * runtime/JSCellInlines.h: |
| (JSC::CallFrame::deprecatedVM const): |
| (JSC::CallFrame::vm const): Deleted. |
| * runtime/JSFunction.cpp: |
| (JSC::retrieveArguments): |
| (JSC::JSFunction::argumentsGetter): |
| (JSC::retrieveCallerFunction): |
| (JSC::JSFunction::callerGetter): |
| (JSC::JSFunction::defineOwnProperty): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::assertCall): |
| * runtime/JSGlobalObjectFunctions.cpp: |
| (JSC::globalFuncEval): |
| (JSC::globalFuncImportModule): |
| * runtime/NullSetterFunction.cpp: |
| (JSC::callerIsStrict): |
| (JSC::NullSetterFunctionInternal::callReturnUndefined): |
| * tools/JSDollarVM.cpp: |
| (IGNORE_WARNINGS_BEGIN): |
| (JSC::functionLLintTrue): |
| (JSC::functionJITTrue): |
| (JSC::functionDumpRegisters): |
| (JSC::functionShadowChickenFunctionsOnStack): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::codeBlockForFrame): |
| (JSC::VMInspector::dumpCallFrame): |
| (JSC::VMInspector::dumpRegisters): |
| (JSC::VMInspector::dumpStack): |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::wasmToJS): |
| |
| 2019-10-22 Mark Lam <mark.lam@apple.com> |
| |
| Clients of JSArray::tryCreateUninitializedRestricted() should invoke the mutatorFence(). |
| https://bugs.webkit.org/show_bug.cgi?id=203231 |
| <rdar://problem/56486552> |
| |
| Reviewed by Saam Barati. |
| |
| Clients of JSArray::tryCreateUninitializedRestricted() create a partially |
| initialized JSArray butterfly, with the contract that they (the clients) will take |
| care of filling in all the missing indexed properties before setting the newly |
| created array loose in the world. We intentionally do not unconditionally write |
| barrier the newly created array but, instead, rely on an owner object (or GC root) |
| that it gets put into to scan it. |
| |
| That said, we do need to ensure that all the stores are completed before this |
| array is put in an owner object (or GC root) which makes it scannable by the GC. |
| This ensures that the GC will not be scanning a partially initialized array |
| butterfly. To achieve this, we should invoke the mutatorFence after the clients |
| of JSArray::tryCreateUninitializedRestricted() finish initializing the array. |
| |
| By design, all clients of tryCreateUninitializedRestricted() must instantiate an |
| ObjectInitializationScope RAII object. This patch makes use of the |
| ObjectInitializationScope destructor to invoke the mutatorFence. |
| |
| Note: we technically only need to invoke the fence if we succeeded in allocating |
| the array. However, we just invoke the fence unconditionally because we expect |
| that in the common path, we will succeed in allocating the array. The release |
| build version of ObjectInitializationScope does not keep a record of whether we |
| succeed in allocating the array anyway. To keep the behavior consistent, the |
| debug build version of ObjectInitializationScope will also unconditionally |
| invoke the fence even if we failed to allocate the array. |
| |
| This patch also does the following: |
| |
| 1. Replaced the setting of the public length in arrayProtoPrivateFuncConcatMemcpy() |
| with an assertion. The public length was already set by |
| tryCreateUninitializedRestricted() earlier. |
| |
| Ditto for JSArray::fastSlice(). |
| |
| 2. Removed a redundant instance of ObjectInitializationScope in |
| createEmptyRegExpMatchesArray(). |
| |
| * runtime/ArrayPrototype.cpp: |
| (JSC::arrayProtoPrivateFuncConcatMemcpy): |
| * runtime/JSArray.cpp: |
| (JSC::JSArray::fastSlice): |
| * runtime/ObjectInitializationScope.cpp: |
| (JSC::ObjectInitializationScope::~ObjectInitializationScope): |
| * runtime/ObjectInitializationScope.h: |
| (JSC::ObjectInitializationScope::~ObjectInitializationScope): |
| * runtime/RegExpMatchesArray.cpp: |
| (JSC::createEmptyRegExpMatchesArray): |
| |
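The ordering contract this entry describes, as an added example that is not JSC's code: a hypothetical C++ model in which the scope's destructor issues the fence unconditionally (even when allocation failed) and the array is published to its owner only afterwards, where an acquire load on the scanning side pairs with the release fence. ModelArray, ModelInitializationScope, tryCreateUninitialized, createAndPublishSlice, scanOwnerSum, releaseOwner and kSampleSource are all constructed names.

```cpp
#include <atomic>
#include <cassert>
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical model (not JSC code) of a JSArray whose element storage, the
// "butterfly", is handed to the client before its elements are initialized.
struct ModelArray {
    size_t publicLength = 0;   // already set at allocation, like tryCreateUninitializedRestricted()
    std::vector<int> storage;  // elements; the model treats them as garbage until filled
};

// Hypothetical stand-in for the owner object / GC root the array gets put into.
static std::atomic<ModelArray*> g_owner { nullptr };

// Number of fences issued, so the contract can be observed without a real GC.
static int g_fenceCount = 0;

// Hypothetical stand-in for mutatorFence(): a release fence ordering every
// preceding store (the element writes) before any later publication.
static void modelMutatorFence()
{
    std::atomic_thread_fence(std::memory_order_release);
    ++g_fenceCount;
}

int fenceCount() { return g_fenceCount; }

// Model of ObjectInitializationScope after this patch: the destructor issues
// the fence unconditionally, whether or not the allocation succeeded.
class ModelInitializationScope {
public:
    ~ModelInitializationScope() { modelMutatorFence(); }
};

// Model of tryCreateUninitializedRestricted(): returns nullptr on "allocation
// failure" (modelled as a request above an arbitrary limit); otherwise the
// public length is already set but the elements are not initialized.
static std::unique_ptr<ModelArray> tryCreateUninitialized(ModelInitializationScope&, size_t length)
{
    constexpr size_t kModelAllocationLimit = 1024; // constructed limit
    if (length > kModelAllocationLimit)
        return nullptr;
    auto array = std::make_unique<ModelArray>();
    array->publicLength = length;
    array->storage.resize(length);
    return array;
}

// Client written in the style of JSArray::fastSlice(): fill every slot inside
// the scope, let the scope's destructor fence, then publish into the owner.
// Returns the published array, or nullptr if allocation failed.
ModelArray* createAndPublishSlice(const std::vector<int>& source, size_t begin, size_t count)
{
    std::unique_ptr<ModelArray> array;
    {
        ModelInitializationScope scope;
        array = tryCreateUninitialized(scope, count);
        if (!array)
            return nullptr; // the destructor still runs, so the fence is still issued
        // The public length was set by tryCreateUninitialized(); assert rather than re-set it.
        assert(array->publicLength == count);
        for (size_t i = 0; i < count; ++i)
            array->storage[i] = source[begin + i];
    } // ~ModelInitializationScope(): all element stores are complete before what follows
    ModelArray* raw = array.release();
    g_owner.store(raw, std::memory_order_release); // only now reachable by the scanner
    return raw;
}

// Model of the collector scanning the owner: the acquire load pairs with the
// release fence, so every element it reads was fully stored by the mutator.
long scanOwnerSum()
{
    ModelArray* array = g_owner.load(std::memory_order_acquire);
    if (!array)
        return -1;
    long sum = 0;
    for (size_t i = 0; i < array->publicLength; ++i)
        sum += array->storage[i];
    return sum;
}

// Frees whatever the owner currently holds (the real GC would do this).
void releaseOwner()
{
    delete g_owner.exchange(nullptr, std::memory_order_acq_rel);
}

// Constructed sample input for the checks: slicing [1, 3) yields 2, 3, 4.
const std::vector<int> kSampleSource { 1, 2, 3, 4, 5 };
```

A failed allocation leaves the owner untouched but still counts a fence, which is the unconditional behaviour the entry chose for both release and debug builds.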
| 2019-10-22 Mark Lam <mark.lam@apple.com> |
| |
| Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky(). |
| https://bugs.webkit.org/show_bug.cgi?id=203230 |
| <rdar://problem/56460749> |
| |
| Reviewed by Robin Morisset. |
| |
| operationRegExpExecNonGlobalOrSticky() was asserting no exception when |
| createRegExpMatchesArray() returns null. createRegExpMatchesArray() only returns |
| null when RegExp::matchInline() returns -1. RegExp::matchInline() can return -1 |
| either when there's an error, or if the match fails. When there's an error, |
| RegExp::matchInline() also throws an exception via a throwError() helper. |
| |
| This patch fixes operationRegExpExecNonGlobalOrSticky() to check for an exception |
| being thrown, or createRegExpMatchesArray() returning a null array due to a failed |
| match. |
| |
| * dfg/DFGOperations.cpp: |
| |
| 2019-10-22 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [GTK][WPE] Fix non-unified builds after r251326 |
| https://bugs.webkit.org/show_bug.cgi?id=203244 |
| |
| Reviewed by Youenn Fablet. |
| |
| * ftl/FTLOSREntry.h: Add missing forward declaration of JSC::VM. |
| * inspector/ScriptCallStackFactory.h: Add missing forward declaration of JSC::JSGlobalObject. |
| * llint/LLIntExceptions.h: Add missing forward declaration of JSC::VM. |
| * runtime/ExceptionFuzz.h: Add missing forward declaration of JSC::JSGlobalObject. |
| * runtime/JSDateMath.h: Ditto. |
| * runtime/JSStringJoiner.h: Add missing inclusion of the JSGlobalObject.h header. |
| * runtime/Watchdog.h: Add missing forward declaration of JSC::JSGlobalObject. |
| * wasm/WasmOperations.h: Add missing forward declaration of JSC::JSWebAssemblyInstance. |
| |
| 2019-10-21 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Thread JSGlobalObject* instead of ExecState* |
| https://bugs.webkit.org/show_bug.cgi?id=202392 |
| |
| Reviewed by Geoffrey Garen. |
| |
| This patch replaces JSC's convention entirely: instead of passing ExecState*, we pass lexical JSGlobalObject*. |
| Historically, we have had many issues. |
| |
| 1. We have a hack like global-exec, since many runtime functions take ExecState* while a valid ExecState* is populated only after executing some JS function. |
| 2. We pass ExecState* without considering whether it is the correct one when inlining a function. If the inlined function has a different realm, `exec->lexicalGlobalObject()` just returns the wrong JSGlobalObject*. |
| |
| This patch attempts to remove these issues entirely by passing JSGlobalObject* instead of ExecState*. |
| |
| 1. We change ExecState* to JSGlobalObject*. |
| 2. JIT operations should take JSGlobalObject* instead of ExecState* to reflect the inlinee's JSGlobalObject* correctly. |
| 3. We get CallFrame* by using `__builtin_frame_address(1)` in JIT operations. When it is not available, we put CallFrame* into `vm.topCallFrame` on the caller side and load it from VM. |
| 4. We remove ExecState*. The actual call frame is called `CallFrame*`. CallFrame* is passed only when CallFrame* is actually needed: accessing arguments, OSR etc. |
| 5. LLInt and Baseline slow paths just get CallFrame*. They get CodeBlock from CallFrame* and get VM& and JSGlobalObject* from it, since they do not have inlining. |
| 6. We basically removed `VM::vmEntryGlobalObject`. It returns JSGlobalObject* from VMEntryScope. APIs and Completion.cpp use this, but they are wrong. And by using lexical JSGlobalObject*, we fixed WPT issues. |
| 7. This patch does not fix complicated JSGlobalObject* issues. But we put FIXMEs where it seems wrong and needs to be revisited. |
| 8. FunctionConstructor, ArrayConstructor etc. are exposed from JSGlobalObject to use it for InternalFunction::createStructure() without using `CallFrame*`. |
| |
| * API/APICallbackFunction.h: |
| (JSC::APICallbackFunction::call): |
| (JSC::APICallbackFunction::construct): |
| * API/APICast.h: |
| (toJS): |
| (toJSGlobalObject): |
| (toJSForGC): |
| (toRef): |
| (toGlobalRef): |
| * API/APIUtils.h: |
| (handleExceptionIfNeeded): |
| (setException): |
| * API/JSAPIGlobalObject.h: |
| * API/JSAPIGlobalObject.mm: |
| (JSC::JSAPIGlobalObject::moduleLoaderResolve): |
| (JSC::JSAPIGlobalObject::moduleLoaderImportModule): |
| (JSC::JSAPIGlobalObject::moduleLoaderFetch): |
| (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties): |
| (JSC::JSAPIGlobalObject::moduleLoaderEvaluate): |
| (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule): |
| * API/JSAPIValueWrapper.h: |
| * API/JSBase.cpp: |
| (JSEvaluateScriptInternal): |
| (JSEvaluateScript): |
| (JSCheckScriptSyntax): |
| (JSGarbageCollect): |
| (JSReportExtraMemoryCost): |
| (JSSynchronousGarbageCollectForDebugging): |
| (JSSynchronousEdenCollectForDebugging): |
| * API/JSBaseInternal.h: |
| * API/JSCTestRunnerUtils.cpp: |
| (JSC::failNextNewCodeBlock): |
| (JSC::numberOfDFGCompiles): |
| (JSC::setNeverInline): |
| (JSC::setNeverOptimize): |
| * API/JSCallbackConstructor.h: |
| * API/JSCallbackObject.h: |
| * API/JSCallbackObjectFunctions.h: |
| (JSC::JSCallbackObject<Parent>::JSCallbackObject): |
| (JSC::JSCallbackObject<Parent>::finishCreation): |
| (JSC::JSCallbackObject<Parent>::init): |
| (JSC::JSCallbackObject<Parent>::toStringName): |
| (JSC::JSCallbackObject<Parent>::getOwnPropertySlot): |
| (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex): |
| (JSC::JSCallbackObject<Parent>::defaultValue): |
| (JSC::JSCallbackObject<Parent>::put): |
| (JSC::JSCallbackObject<Parent>::putByIndex): |
| (JSC::JSCallbackObject<Parent>::deleteProperty): |
| (JSC::JSCallbackObject<Parent>::deletePropertyByIndex): |
| (JSC::JSCallbackObject<Parent>::construct): |
| (JSC::JSCallbackObject<Parent>::customHasInstance): |
| (JSC::JSCallbackObject<Parent>::call): |
| (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames): |
| (JSC::JSCallbackObject<Parent>::getStaticValue): |
| (JSC::JSCallbackObject<Parent>::staticFunctionGetter): |
| (JSC::JSCallbackObject<Parent>::callbackGetter): |
| * API/JSClassRef.cpp: |
| (OpaqueJSClass::contextData): |
| (OpaqueJSClass::staticValues): |
| (OpaqueJSClass::staticFunctions): |
| (OpaqueJSClass::prototype): |
| * API/JSClassRef.h: |
| * API/JSContext.mm: |
| (-[JSContext ensureWrapperMap]): |
| (-[JSContext evaluateJSScript:]): |
| (-[JSContext dependencyIdentifiersForModuleJSScript:]): |
| (-[JSContext setException:]): |
| (-[JSContext initWithGlobalContextRef:]): |
| (-[JSContext wrapperMap]): |
| * API/JSContextRef.cpp: |
| (internalScriptTimeoutCallback): |
| (JSGlobalContextCreateInGroup): |
| (JSGlobalContextRetain): |
| (JSGlobalContextRelease): |
| (JSContextGetGlobalObject): |
| (JSContextGetGroup): |
| (JSContextGetGlobalContext): |
| (JSGlobalContextCopyName): |
| (JSGlobalContextSetName): |
| (JSGlobalContextSetUnhandledRejectionCallback): |
| (JSContextCreateBacktrace): |
| (JSGlobalContextGetRemoteInspectionEnabled): |
| (JSGlobalContextSetRemoteInspectionEnabled): |
| (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions): |
| (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions): |
| (JSGlobalContextGetDebuggerRunLoop): |
| (JSGlobalContextSetDebuggerRunLoop): |
| (JSGlobalContextGetAugmentableInspectorController): |
| * API/JSManagedValue.mm: |
| (-[JSManagedValue initWithValue:]): |
| (-[JSManagedValue value]): |
| * API/JSObjectRef.cpp: |
| (JSObjectMake): |
| (JSObjectMakeFunctionWithCallback): |
| (JSObjectMakeConstructor): |
| (JSObjectMakeFunction): |
| (JSObjectMakeArray): |
| (JSObjectMakeDate): |
| (JSObjectMakeError): |
| (JSObjectMakeRegExp): |
| (JSObjectMakeDeferredPromise): |
| (JSObjectGetPrototype): |
| (JSObjectSetPrototype): |
| (JSObjectHasProperty): |
| (JSObjectGetProperty): |
| (JSObjectSetProperty): |
| (JSObjectHasPropertyForKey): |
| (JSObjectGetPropertyForKey): |
| (JSObjectSetPropertyForKey): |
| (JSObjectDeletePropertyForKey): |
| (JSObjectGetPropertyAtIndex): |
| (JSObjectSetPropertyAtIndex): |
| (JSObjectDeleteProperty): |
| (JSObjectGetPrivateProperty): |
| (JSObjectSetPrivateProperty): |
| (JSObjectDeletePrivateProperty): |
| (JSObjectIsFunction): |
| (JSObjectCallAsFunction): |
| (JSObjectIsConstructor): |
| (JSObjectCallAsConstructor): |
| (JSObjectCopyPropertyNames): |
| (JSObjectGetGlobalContext): |
| * API/JSScriptRef.cpp: |
| * API/JSTypedArray.cpp: |
| (createTypedArray): |
| (JSValueGetTypedArrayType): |
| (JSObjectMakeTypedArray): |
| (JSObjectMakeTypedArrayWithBytesNoCopy): |
| (JSObjectMakeTypedArrayWithArrayBuffer): |
| (JSObjectMakeTypedArrayWithArrayBufferAndOffset): |
| (JSObjectGetTypedArrayBytesPtr): |
| (JSObjectGetTypedArrayLength): |
| (JSObjectGetTypedArrayByteLength): |
| (JSObjectGetTypedArrayByteOffset): |
| (JSObjectGetTypedArrayBuffer): |
| (JSObjectMakeArrayBufferWithBytesNoCopy): |
| (JSObjectGetArrayBufferBytesPtr): |
| (JSObjectGetArrayBufferByteLength): |
| * API/JSValue.mm: |
| (JSContainerConvertor::add): |
| (reportExceptionToInspector): |
| (valueToObjectWithoutCopy): |
| (ObjcContainerConvertor::add): |
| * API/JSValueRef.cpp: |
| (JSValueGetType): |
| (JSValueIsUndefined): |
| (JSValueIsNull): |
| (JSValueIsBoolean): |
| (JSValueIsNumber): |
| (JSValueIsString): |
| (JSValueIsObject): |
| (JSValueIsSymbol): |
| (JSValueIsArray): |
| (JSValueIsDate): |
| (JSValueIsObjectOfClass): |
| (JSValueIsEqual): |
| (JSValueIsStrictEqual): |
| (JSValueIsInstanceOfConstructor): |
| (JSValueMakeUndefined): |
| (JSValueMakeNull): |
| (JSValueMakeBoolean): |
| (JSValueMakeNumber): |
| (JSValueMakeSymbol): |
| (JSValueMakeString): |
| (JSValueMakeFromJSONString): |
| (JSValueCreateJSONString): |
| (JSValueToBoolean): |
| (JSValueToNumber): |
| (JSValueToStringCopy): |
| (JSValueToObject): |
| (JSValueProtect): |
| (JSValueUnprotect): |
| * API/JSWeakObjectMapRefPrivate.cpp: |
| * API/JSWrapperMap.mm: |
| (constructorHasInstance): |
| (makeWrapper): |
| (putNonEnumerable): |
| (copyMethodsToObject): |
| (-[JSObjCClassInfo wrapperForObject:inContext:]): |
| (-[JSObjCClassInfo structureInContext:]): |
| * API/ObjCCallbackFunction.mm: |
| (JSC::objCCallbackFunctionCallAsFunction): |
| (JSC::objCCallbackFunctionCallAsConstructor): |
| (objCCallbackFunctionForInvocation): |
| * API/glib/JSCCallbackFunction.cpp: |
| (JSC::JSCCallbackFunction::call): |
| (JSC::JSCCallbackFunction::construct): |
| * API/glib/JSCClass.cpp: |
| (isWrappedObject): |
| (jscContextForObject): |
| (jscClassCreateConstructor): |
| (jscClassAddMethod): |
| * API/glib/JSCContext.cpp: |
| (jsc_context_evaluate_in_object): |
| (jsc_context_check_syntax): |
| * API/glib/JSCException.cpp: |
| (jscExceptionCreate): |
| * API/glib/JSCValue.cpp: |
| (jsc_value_object_define_property_data): |
| (jsc_value_object_define_property_accessor): |
| (jscValueFunctionCreate): |
| * API/glib/JSCWeakValue.cpp: |
| (jscWeakValueInitialize): |
| (jsc_weak_value_get_value): |
| * API/glib/JSCWrapperMap.cpp: |
| (JSC::WrapperMap::createJSWrappper): |
| (JSC::WrapperMap::createContextWithJSWrappper): |
| * API/tests/JSONParseTest.cpp: |
| (testJSONParse): |
| * API/tests/JSObjectGetProxyTargetTest.cpp: |
| (testJSObjectGetProxyTarget): |
| * API/tests/JSWrapperMapTests.mm: |
| (+[JSWrapperMapTests testStructureIdentity]): |
| * API/tests/testapi.cpp: |
| (APIContext::APIContext): |
| (APIContext::operator JSC::JSGlobalObject*): |
| (APIContext::operator JSC::ExecState*): Deleted. |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * bindings/ScriptFunctionCall.cpp: |
| (Deprecated::ScriptCallArgumentHandler::appendArgument): |
| (Deprecated::ScriptFunctionCall::ScriptFunctionCall): |
| (Deprecated::ScriptFunctionCall::call): |
| * bindings/ScriptFunctionCall.h: |
| * bindings/ScriptObject.cpp: |
| (Deprecated::ScriptObject::ScriptObject): |
| * bindings/ScriptObject.h: |
| (Deprecated::ScriptObject::globalObject const): |
| (Deprecated::ScriptObject::scriptState const): Deleted. |
| * bindings/ScriptValue.cpp: |
| (Inspector::jsToInspectorValue): |
| (Inspector::toInspectorValue): |
| * bindings/ScriptValue.h: |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateImpl): |
| * bytecode/AccessCaseSnippetParams.cpp: |
| (JSC::SlowPathCallGeneratorWithArguments::generateImpl): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| (JSC::CodeBlock::setConstantIdentifierSetRegisters): |
| (JSC::CodeBlock::setConstantRegisters): |
| (JSC::CodeBlock::linkIncomingCall): |
| (JSC::CodeBlock::linkIncomingPolymorphicCall): |
| (JSC::CodeBlock::noticeIncomingCall): |
| * bytecode/CodeBlock.h: |
| (JSC::CallFrame::r): |
| (JSC::CallFrame::uncheckedR): |
| (JSC::ExecState::r): Deleted. |
| (JSC::ExecState::uncheckedR): Deleted. |
| * bytecode/DirectEvalCodeCache.cpp: |
| (JSC::DirectEvalCodeCache::setSlow): |
| * bytecode/DirectEvalCodeCache.h: |
| (JSC::DirectEvalCodeCache::set): |
| * bytecode/InlineCallFrame.cpp: |
| (JSC::InlineCallFrame::calleeForCallFrame const): |
| * bytecode/InlineCallFrame.h: |
| * bytecode/InternalFunctionAllocationProfile.h: |
| (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase): |
| * bytecode/ObjectPropertyConditionSet.cpp: |
| (JSC::generateConditionsForPropertyMiss): |
| (JSC::generateConditionsForPropertySetterMiss): |
| (JSC::generateConditionsForPrototypePropertyHit): |
| (JSC::generateConditionsForPrototypePropertyHitCustom): |
| (JSC::generateConditionsForInstanceOf): |
| * bytecode/ObjectPropertyConditionSet.h: |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::AccessGenerationState::emitExplicitExceptionHandler): |
| * bytecode/StructureStubInfo.h: |
| (JSC::appropriateGenericGetByIdFunction): |
| * bytecode/UnlinkedFunctionExecutable.cpp: |
| (JSC::UnlinkedFunctionExecutable::fromGlobalCode): |
| * bytecode/UnlinkedFunctionExecutable.h: |
| * bytecode/ValueRecovery.cpp: |
| (JSC::ValueRecovery::recover const): |
| * bytecode/ValueRecovery.h: |
| * debugger/Debugger.cpp: |
| (JSC::Debugger::attach): |
| (JSC::Debugger::hasBreakpoint): |
| (JSC::Debugger::breakProgram): |
| (JSC::lexicalGlobalObjectForCallFrame): |
| (JSC::Debugger::updateCallFrame): |
| (JSC::Debugger::pauseIfNeeded): |
| (JSC::Debugger::exception): |
| (JSC::Debugger::atStatement): |
| (JSC::Debugger::atExpression): |
| (JSC::Debugger::callEvent): |
| (JSC::Debugger::returnEvent): |
| (JSC::Debugger::unwindEvent): |
| (JSC::Debugger::willExecuteProgram): |
| (JSC::Debugger::didExecuteProgram): |
| (JSC::Debugger::didReachBreakpoint): |
| * debugger/Debugger.h: |
| * debugger/DebuggerCallFrame.cpp: |
| (JSC::DebuggerCallFrame::create): |
| (JSC::DebuggerCallFrame::globalObject): |
| (JSC::DebuggerCallFrame::deprecatedVMEntryGlobalObject const): |
| (JSC::DebuggerCallFrame::thisValue const): |
| (JSC::DebuggerCallFrame::evaluateWithScopeExtension): |
| (JSC::DebuggerCallFrame::sourceIDForCallFrame): |
| (JSC::DebuggerCallFrame::globalExec): Deleted. |
| (JSC::DebuggerCallFrame::vmEntryGlobalObject const): Deleted. |
| * debugger/DebuggerCallFrame.h: |
| * debugger/DebuggerEvalEnabler.h: |
| (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler): |
| (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler): |
| * debugger/DebuggerScope.cpp: |
| (JSC::DebuggerScope::toStringName): |
| (JSC::DebuggerScope::getOwnPropertySlot): |
| (JSC::DebuggerScope::put): |
| (JSC::DebuggerScope::deleteProperty): |
| (JSC::DebuggerScope::getOwnPropertyNames): |
| (JSC::DebuggerScope::defineOwnProperty): |
| (JSC::DebuggerScope::caughtValue const): |
| * debugger/DebuggerScope.h: |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult): |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGArithMode.h: |
| * dfg/DFGArrayifySlowPathGenerator.h: |
| * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: |
| (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator): |
| (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator): |
| (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator): |
| * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: |
| * dfg/DFGGraph.h: |
| (JSC::DFG::Graph::globalThisObjectFor): |
| * dfg/DFGJITCode.cpp: |
| (JSC::DFG::JITCode::reconstruct): |
| * dfg/DFGJITCode.h: |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::compileExceptionHandlers): |
| (JSC::DFG::JITCompiler::compileFunction): |
| * dfg/DFGOSREntry.cpp: |
| (JSC::DFG::prepareOSREntry): |
| (JSC::DFG::prepareCatchOSREntry): |
| * dfg/DFGOSREntry.h: |
| (JSC::DFG::prepareOSREntry): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::createClonedArgumentsDuringExit): |
| (JSC::DFG::OSRExit::executeOSRExit): |
| (JSC::DFG::adjustAndJumpToTarget): |
| (JSC::DFG::printOSRExit): |
| (JSC::DFG::OSRExit::emitRestoreArguments): |
| (JSC::DFG::OSRExit::compileOSRExit): |
| (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): |
| * dfg/DFGOSRExit.h: |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::osrWriteBarrier): |
| (JSC::DFG::adjustAndJumpToTarget): |
| * dfg/DFGOperations.cpp: |
| (JSC::DFG::putByVal): |
| (JSC::DFG::putByValInternal): |
| (JSC::DFG::putByValCellInternal): |
| (JSC::DFG::putByValCellStringInternal): |
| (JSC::DFG::newTypedArrayWithSize): |
| (JSC::DFG::putWithThis): |
| (JSC::DFG::binaryOp): |
| (JSC::DFG::bitwiseBinaryOp): |
| (JSC::DFG::getByValObject): |
| * dfg/DFGOperations.h: |
| * dfg/DFGSaneStringGetByValSlowPathGenerator.h: |
| (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileInById): |
| (JSC::DFG::SpeculativeJIT::compileInByVal): |
| (JSC::DFG::SpeculativeJIT::compileDeleteById): |
| (JSC::DFG::SpeculativeJIT::compileDeleteByVal): |
| (JSC::DFG::SpeculativeJIT::compilePushWithScope): |
| (JSC::DFG::SpeculativeJIT::compileStringSlice): |
| (JSC::DFG::SpeculativeJIT::compileToLowerCase): |
| (JSC::DFG::SpeculativeJIT::compileCheckTraps): |
| (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): |
| (JSC::DFG::SpeculativeJIT::compileGetByValOnString): |
| (JSC::DFG::SpeculativeJIT::compileFromCharCode): |
| (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): |
| (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString): |
| (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol): |
| (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString): |
| (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol): |
| (JSC::DFG::SpeculativeJIT::compileGetByValWithThis): |
| (JSC::DFG::SpeculativeJIT::compileParseInt): |
| (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells): |
| (JSC::DFG::SpeculativeJIT::compileValueBitNot): |
| (JSC::DFG::SpeculativeJIT::emitUntypedBitOp): |
| (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp): |
| (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp): |
| (JSC::DFG::SpeculativeJIT::compileValueLShiftOp): |
| (JSC::DFG::SpeculativeJIT::compileValueBitRShift): |
| (JSC::DFG::SpeculativeJIT::compileValueAdd): |
| (JSC::DFG::SpeculativeJIT::compileValueSub): |
| (JSC::DFG::SpeculativeJIT::compileMathIC): |
| (JSC::DFG::SpeculativeJIT::compileInstanceOfCustom): |
| (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor): |
| (JSC::DFG::SpeculativeJIT::compileArithAbs): |
| (JSC::DFG::SpeculativeJIT::compileArithClz32): |
| (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp): |
| (JSC::DFG::SpeculativeJIT::compileValueMul): |
| (JSC::DFG::SpeculativeJIT::compileValueDiv): |
| (JSC::DFG::SpeculativeJIT::compileArithFRound): |
| (JSC::DFG::SpeculativeJIT::compileValueMod): |
| (JSC::DFG::SpeculativeJIT::compileArithRounding): |
| (JSC::DFG::SpeculativeJIT::compileArithSqrt): |
| (JSC::DFG::SpeculativeJIT::compileValuePow): |
| (JSC::DFG::SpeculativeJIT::compileStringEquality): |
| (JSC::DFG::SpeculativeJIT::compileStringCompare): |
| (JSC::DFG::SpeculativeJIT::compileSameValue): |
| (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): |
| (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments): |
| (JSC::DFG::SpeculativeJIT::compileNewFunction): |
| (JSC::DFG::SpeculativeJIT::compileSetFunctionName): |
| (JSC::DFG::SpeculativeJIT::compileLoadVarargs): |
| (JSC::DFG::SpeculativeJIT::compileCreateActivation): |
| (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): |
| (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments): |
| (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments): |
| (JSC::DFG::SpeculativeJIT::compileCreateRest): |
| (JSC::DFG::SpeculativeJIT::compileSpread): |
| (JSC::DFG::SpeculativeJIT::compileNewArray): |
| (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread): |
| (JSC::DFG::SpeculativeJIT::compileArraySlice): |
| (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): |
| (JSC::DFG::SpeculativeJIT::compileArrayPush): |
| (JSC::DFG::SpeculativeJIT::compileNotifyWrite): |
| (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): |
| (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): |
| (JSC::DFG::SpeculativeJIT::compileCallDOM): |
| (JSC::DFG::SpeculativeJIT::compileCallDOMGetter): |
| (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf): |
| (JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant): |
| (JSC::DFG::SpeculativeJIT::compileNumberToStringWithRadix): |
| (JSC::DFG::SpeculativeJIT::compileNewStringObject): |
| (JSC::DFG::SpeculativeJIT::compileNewSymbol): |
| (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): |
| (JSC::DFG::SpeculativeJIT::compileNewRegexp): |
| (JSC::DFG::SpeculativeJIT::emitSwitchImm): |
| (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump): |
| (JSC::DFG::SpeculativeJIT::emitSwitchChar): |
| (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString): |
| (JSC::DFG::SpeculativeJIT::emitSwitchString): |
| (JSC::DFG::SpeculativeJIT::compileStoreBarrier): |
| (JSC::DFG::SpeculativeJIT::compilePutAccessorById): |
| (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById): |
| (JSC::DFG::SpeculativeJIT::compileResolveScope): |
| (JSC::DFG::SpeculativeJIT::compileResolveScopeForHoistingFuncDeclInEval): |
| (JSC::DFG::SpeculativeJIT::compileGetDynamicVar): |
| (JSC::DFG::SpeculativeJIT::compilePutDynamicVar): |
| (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal): |
| (JSC::DFG::SpeculativeJIT::compileStringReplace): |
| (JSC::DFG::SpeculativeJIT::compileDefineDataProperty): |
| (JSC::DFG::SpeculativeJIT::compileDefineAccessorProperty): |
| (JSC::DFG::SpeculativeJIT::compileThrow): |
| (JSC::DFG::SpeculativeJIT::compileThrowStaticError): |
| (JSC::DFG::SpeculativeJIT::compileHasGenericProperty): |
| (JSC::DFG::SpeculativeJIT::compileToIndexString): |
| (JSC::DFG::SpeculativeJIT::compilePutByIdWithThis): |
| (JSC::DFG::SpeculativeJIT::compileHasStructureProperty): |
| (JSC::DFG::SpeculativeJIT::compileGetPropertyEnumerator): |
| (JSC::DFG::SpeculativeJIT::compileStrCat): |
| (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer): |
| (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize): |
| (JSC::DFG::SpeculativeJIT::compileNewTypedArray): |
| (JSC::DFG::SpeculativeJIT::compileToThis): |
| (JSC::DFG::SpeculativeJIT::compileObjectKeys): |
| (JSC::DFG::SpeculativeJIT::compileObjectCreate): |
| (JSC::DFG::SpeculativeJIT::compileCreateThis): |
| (JSC::DFG::SpeculativeJIT::compileCreatePromise): |
| (JSC::DFG::SpeculativeJIT::compileCreateInternalFieldObject): |
| (JSC::DFG::SpeculativeJIT::compileNewObject): |
| (JSC::DFG::SpeculativeJIT::compileNewPromise): |
| (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject): |
| (JSC::DFG::SpeculativeJIT::compileToPrimitive): |
| (JSC::DFG::SpeculativeJIT::compileSetAdd): |
| (JSC::DFG::SpeculativeJIT::compileMapSet): |
| (JSC::DFG::SpeculativeJIT::compileWeakSetAdd): |
| (JSC::DFG::SpeculativeJIT::compileWeakMapSet): |
| (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf): |
| (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): |
| (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty): |
| (JSC::DFG::SpeculativeJIT::compileGetDirectPname): |
| (JSC::DFG::SpeculativeJIT::compileProfileType): |
| (JSC::DFG::SpeculativeJIT::cachedPutById): |
| (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): |
| (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): |
| (JSC::DFG::SpeculativeJIT::compileBigIntEquality): |
| (JSC::DFG::SpeculativeJIT::compileMakeRope): |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException): |
| (JSC::DFG::SpeculativeJIT::prepareForExternalCall): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::cachedGetById): |
| (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): |
| (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): |
| (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal): |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::cachedGetById): |
| (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): |
| (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): |
| (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dynbench.cpp: |
| (main): |
| * ftl/FTLCompile.cpp: |
| (JSC::FTL::compile): |
| * ftl/FTLGeneratedFunction.h: |
| * ftl/FTLLink.cpp: |
| (JSC::FTL::link): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::lower): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): |
| (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStrCat): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueMod): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValuePow): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithRound): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayify): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): |
| (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest): |
| (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys): |
| (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArray): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToNumber): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive): |
| (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNotifyWrite): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSameValue): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): |
| (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): |
| (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSwitch): |
| (JSC::FTL::DFG::LowerDFGToB3::compileThrow): |
| (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError): |
| (JSC::FTL::DFG::LowerDFGToB3::mapHashString): |
| (JSC::FTL::DFG::LowerDFGToB3::compileMapHash): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileMapSet): |
| (JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileParseInt): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString): |
| (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFast): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace): |
| (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl): |
| (JSC::FTL::DFG::LowerDFGToB3::getById): |
| (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compare): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant): |
| (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval): |
| (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): |
| (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare): |
| (JSC::FTL::DFG::LowerDFGToB3::stringsEqual): |
| (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::allocateObject): |
| (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray): |
| (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket): |
| (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds): |
| (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow): |
| (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier): |
| (JSC::FTL::DFG::LowerDFGToB3::callCheck): |
| * ftl/FTLOSREntry.cpp: |
| (JSC::FTL::prepareOSREntry): |
| * ftl/FTLOSREntry.h: |
| * ftl/FTLOSRExitCompiler.cpp: |
| (JSC::FTL::compileStub): |
| (JSC::FTL::compileFTLOSRExit): |
| * ftl/FTLOSRExitCompiler.h: |
| * ftl/FTLOperations.cpp: |
| (JSC::FTL::operationPopulateObjectInOSR): |
| (JSC::FTL::operationMaterializeObjectInOSR): |
| (JSC::FTL::compileFTLLazySlowPath): |
| * ftl/FTLOperations.h: |
| * ftl/FTLSlowPathCall.h: |
| (JSC::FTL::callOperation): |
| * generator/Metadata.rb: |
| * heap/Handle.h: |
| * heap/HeapCell.h: |
| * heap/HeapSnapshotBuilder.cpp: |
| (JSC::HeapSnapshotBuilder::json): |
| * inspector/ConsoleMessage.cpp: |
| (Inspector::ConsoleMessage::ConsoleMessage): |
| (Inspector::ConsoleMessage::autogenerateMetadata): |
| (Inspector::ConsoleMessage::addToFrontend): |
| (Inspector::ConsoleMessage::globalObject const): |
| (Inspector::ConsoleMessage::scriptState const): Deleted. |
| * inspector/ConsoleMessage.h: |
| * inspector/InjectedScript.cpp: |
| (Inspector::InjectedScript::wrapCallFrames const): |
| (Inspector::InjectedScript::wrapObject const): |
| (Inspector::InjectedScript::wrapJSONString const): |
| (Inspector::InjectedScript::wrapTable const): |
| (Inspector::InjectedScript::previewValue const): |
| (Inspector::InjectedScript::arrayFromVector): |
| * inspector/InjectedScriptBase.cpp: |
| (Inspector::InjectedScriptBase::hasAccessToInspectedScriptState const): |
| (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled const): |
| (Inspector::InjectedScriptBase::makeCall): |
| (Inspector::InjectedScriptBase::makeAsyncCall): |
| * inspector/InjectedScriptBase.h: |
| * inspector/InjectedScriptHost.cpp: |
| (Inspector::InjectedScriptHost::wrapper): |
| * inspector/InjectedScriptHost.h: |
| * inspector/InjectedScriptManager.cpp: |
| (Inspector::InjectedScriptManager::injectedScriptIdFor): |
| (Inspector::InjectedScriptManager::createInjectedScript): |
| (Inspector::InjectedScriptManager::injectedScriptFor): |
| * inspector/InjectedScriptManager.h: |
| * inspector/InjectedScriptModule.cpp: |
| (Inspector::InjectedScriptModule::ensureInjected): |
| * inspector/InjectedScriptModule.h: |
| * inspector/InspectorEnvironment.h: |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel): |
| (Inspector::JSGlobalObjectConsoleClient::count): |
| (Inspector::JSGlobalObjectConsoleClient::countReset): |
| (Inspector::JSGlobalObjectConsoleClient::profile): |
| (Inspector::JSGlobalObjectConsoleClient::profileEnd): |
| (Inspector::JSGlobalObjectConsoleClient::takeHeapSnapshot): |
| (Inspector::JSGlobalObjectConsoleClient::time): |
| (Inspector::JSGlobalObjectConsoleClient::timeLog): |
| (Inspector::JSGlobalObjectConsoleClient::timeEnd): |
| (Inspector::JSGlobalObjectConsoleClient::timeStamp): |
| (Inspector::JSGlobalObjectConsoleClient::record): |
| (Inspector::JSGlobalObjectConsoleClient::recordEnd): |
| (Inspector::JSGlobalObjectConsoleClient::screenshot): |
| * inspector/JSGlobalObjectConsoleClient.h: |
| * inspector/JSGlobalObjectInspectorController.cpp: |
| (Inspector::JSGlobalObjectInspectorController::reportAPIException): |
| * inspector/JSGlobalObjectInspectorController.h: |
| * inspector/JSGlobalObjectScriptDebugServer.h: |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::evaluate const): |
| (Inspector::JSInjectedScriptHost::savedResultAlias const): |
| (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension): |
| (Inspector::JSInjectedScriptHost::internalConstructorName): |
| (Inspector::JSInjectedScriptHost::isHTMLAllCollection): |
| (Inspector::JSInjectedScriptHost::isPromiseRejectedWithNativeGetterTypeError): |
| (Inspector::JSInjectedScriptHost::subtype): |
| (Inspector::JSInjectedScriptHost::functionDetails): |
| (Inspector::constructInternalProperty): |
| (Inspector::JSInjectedScriptHost::getInternalProperties): |
| (Inspector::JSInjectedScriptHost::proxyTargetValue): |
| (Inspector::JSInjectedScriptHost::weakMapSize): |
| (Inspector::JSInjectedScriptHost::weakMapEntries): |
| (Inspector::JSInjectedScriptHost::weakSetSize): |
| (Inspector::JSInjectedScriptHost::weakSetEntries): |
| (Inspector::cloneArrayIteratorObject): |
| (Inspector::cloneMapIteratorObject): |
| (Inspector::cloneSetIteratorObject): |
| (Inspector::JSInjectedScriptHost::iteratorEntries): |
| (Inspector::checkForbiddenPrototype): |
| (Inspector::JSInjectedScriptHost::queryInstances): |
| (Inspector::JSInjectedScriptHost::queryHolders): |
| * inspector/JSInjectedScriptHost.h: |
| * inspector/JSInjectedScriptHostPrototype.cpp: |
| (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate): |
| (Inspector::jsInjectedScriptHostPrototypeAttributeSavedResultAlias): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionIsPromiseRejectedWithNativeGetterTypeError): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionProxyTargetValue): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionQueryInstances): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionQueryHolders): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties): |
| * inspector/JSJavaScriptCallFrame.cpp: |
| (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension): |
| (Inspector::valueForScopeLocation): |
| (Inspector::JSJavaScriptCallFrame::scopeDescriptions): |
| (Inspector::JSJavaScriptCallFrame::caller const): |
| (Inspector::JSJavaScriptCallFrame::sourceID const): |
| (Inspector::JSJavaScriptCallFrame::line const): |
| (Inspector::JSJavaScriptCallFrame::column const): |
| (Inspector::JSJavaScriptCallFrame::functionName const): |
| (Inspector::JSJavaScriptCallFrame::scopeChain const): |
| (Inspector::JSJavaScriptCallFrame::thisObject const): |
| (Inspector::JSJavaScriptCallFrame::isTailDeleted const): |
| (Inspector::JSJavaScriptCallFrame::type const): |
| (Inspector::toJS): |
| * inspector/JSJavaScriptCallFrame.h: |
| * inspector/JSJavaScriptCallFramePrototype.cpp: |
| (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension): |
| (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions): |
| (Inspector::jsJavaScriptCallFrameAttributeCaller): |
| (Inspector::jsJavaScriptCallFrameAttributeSourceID): |
| (Inspector::jsJavaScriptCallFrameAttributeLine): |
| (Inspector::jsJavaScriptCallFrameAttributeColumn): |
| (Inspector::jsJavaScriptCallFrameAttributeFunctionName): |
| (Inspector::jsJavaScriptCallFrameAttributeScopeChain): |
| (Inspector::jsJavaScriptCallFrameAttributeThisObject): |
| (Inspector::jsJavaScriptCallFrameAttributeType): |
| (Inspector::jsJavaScriptCallFrameIsTailDeleted): |
| * inspector/JavaScriptCallFrame.h: |
| (Inspector::JavaScriptCallFrame::deprecatedVMEntryGlobalObject const): |
| (Inspector::JavaScriptCallFrame::vmEntryGlobalObject const): Deleted. |
| * inspector/ScriptArguments.cpp: |
| (Inspector::ScriptArguments::create): |
| (Inspector::ScriptArguments::ScriptArguments): |
| (Inspector::ScriptArguments::globalObject const): |
| (Inspector::ScriptArguments::getFirstArgumentAsString const): |
| (Inspector::ScriptArguments::isEqual const): |
| (Inspector::ScriptArguments::globalState const): Deleted. |
| * inspector/ScriptArguments.h: |
| * inspector/ScriptCallStackFactory.cpp: |
| (Inspector::createScriptCallStack): |
| (Inspector::createScriptCallStackForConsole): |
| (Inspector::extractSourceInformationFromException): |
| (Inspector::createScriptCallStackFromException): |
| (Inspector::createScriptArguments): |
| * inspector/ScriptCallStackFactory.h: |
| * inspector/ScriptDebugListener.h: |
| * inspector/ScriptDebugServer.cpp: |
| (Inspector::ScriptDebugServer::evaluateBreakpointAction): |
| (Inspector::ScriptDebugServer::sourceParsed): |
| (Inspector::ScriptDebugServer::handleExceptionInBreakpointCondition const): |
| (Inspector::ScriptDebugServer::handlePause): |
| (Inspector::ScriptDebugServer::exceptionOrCaughtValue): |
| * inspector/ScriptDebugServer.h: |
| * inspector/agents/InspectorAuditAgent.cpp: |
| (Inspector::InspectorAuditAgent::setup): |
| (Inspector::InspectorAuditAgent::populateAuditObject): |
| * inspector/agents/InspectorAuditAgent.h: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| (Inspector::InspectorConsoleAgent::startTiming): |
| (Inspector::InspectorConsoleAgent::logTiming): |
| (Inspector::InspectorConsoleAgent::stopTiming): |
| (Inspector::InspectorConsoleAgent::count): |
| (Inspector::InspectorConsoleAgent::countReset): |
| * inspector/agents/InspectorConsoleAgent.h: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall): |
| (Inspector::InspectorDebuggerAgent::resume): |
| (Inspector::InspectorDebuggerAgent::didPause): |
| (Inspector::InspectorDebuggerAgent::breakpointActionProbe): |
| (Inspector::InspectorDebuggerAgent::didContinue): |
| (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): |
| (Inspector::InspectorDebuggerAgent::assertPaused): |
| * inspector/agents/InspectorDebuggerAgent.h: |
| * inspector/agents/InspectorHeapAgent.cpp: |
| (Inspector::InspectorHeapAgent::snapshot): |
| (Inspector::InspectorHeapAgent::getPreview): |
| (Inspector::InspectorHeapAgent::getRemoteObject): |
| * inspector/agents/JSGlobalObjectAuditAgent.cpp: |
| (Inspector::JSGlobalObjectAuditAgent::injectedScriptForEval): |
| * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: |
| (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval): |
| (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): |
| * inspector/agents/JSGlobalObjectDebuggerAgent.h: |
| * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: |
| (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval): |
| * interpreter/AbstractPC.cpp: |
| (JSC::AbstractPC::AbstractPC): |
| * interpreter/AbstractPC.h: |
| * interpreter/CachedCall.h: |
| (JSC::CachedCall::CachedCall): |
| * interpreter/CallFrame.cpp: |
| (JSC::CallFrame::initDeprecatedCallFrameForDebugger): |
| (JSC::CallFrame::wasmAwareLexicalGlobalObject): |
| (JSC::CallFrame::convertToStackOverflowFrame): |
| (JSC::ExecState::initGlobalExec): Deleted. |
| * interpreter/CallFrame.h: |
| (JSC::CallFrame::isDeprecatedCallFrameForDebugger const): |
| (JSC::CallFrame::isGlobalExec const): Deleted. |
| * interpreter/Interpreter.cpp: |
| (JSC::eval): |
| (JSC::sizeOfVarargs): |
| (JSC::sizeFrameForForwardArguments): |
| (JSC::sizeFrameForVarargs): |
| (JSC::loadVarargs): |
| (JSC::setupVarargsFrame): |
| (JSC::setupVarargsFrameAndSetThis): |
| (JSC::setupForwardArgumentsFrame): |
| (JSC::setupForwardArgumentsFrameAndSetThis): |
| (JSC::notifyDebuggerOfUnwinding): |
| (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown): |
| (JSC::Interpreter::executeProgram): |
| (JSC::Interpreter::executeCall): |
| (JSC::Interpreter::executeConstruct): |
| (JSC::Interpreter::execute): |
| (JSC::Interpreter::executeModuleProgram): |
| (JSC::Interpreter::debug): |
| * interpreter/Interpreter.h: |
| * interpreter/InterpreterInlines.h: |
| (JSC::Interpreter::execute): |
| * interpreter/Register.h: |
| * interpreter/ShadowChicken.cpp: |
| (JSC::ShadowChicken::log): |
| (JSC::ShadowChicken::update): |
| (JSC::ShadowChicken::functionsOnStack): |
| * interpreter/ShadowChicken.h: |
| * interpreter/ShadowChickenInlines.h: |
| (JSC::ShadowChicken::iterate): |
| * interpreter/StackVisitor.cpp: |
| (JSC::StackVisitor::Frame::createArguments): |
| * interpreter/StackVisitor.h: |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::emitDumbVirtualCall): |
| * jit/AssemblyHelpers.h: |
| * jit/CCallHelpers.cpp: |
| (JSC::CCallHelpers::ensureShadowChickenPacket): |
| * jit/CCallHelpers.h: |
| (JSC::CCallHelpers::prepareCallOperation): |
| (JSC::CCallHelpers::setupArguments): |
| * jit/HostCallReturnValue.cpp: |
| (JSC::getHostCallReturnValueWithExecState): |
| * jit/HostCallReturnValue.h: |
| (JSC::initializeHostCallReturnValue): |
| * jit/JIT.cpp: |
| (JSC::JIT::emitEnterOptimizationCheck): |
| (JSC::JIT::compileWithoutLinking): |
| (JSC::JIT::privateCompileExceptionHandlers): |
| * jit/JIT.h: |
| * jit/JITArithmetic.cpp: |
| (JSC::JIT::emit_compareAndJumpSlow): |
| (JSC::JIT::emitMathICFast): |
| (JSC::JIT::emitMathICSlow): |
| * jit/JITArithmetic32_64.cpp: |
| (JSC::JIT::emit_compareAndJumpSlow): |
| * jit/JITCall.cpp: |
| (JSC::JIT::compileSetupFrame): |
| (JSC::JIT::compileCallEval): |
| (JSC::JIT::compileCallEvalSlowCase): |
| (JSC::JIT::compileOpCallSlowCase): |
| * jit/JITCall32_64.cpp: |
| (JSC::JIT::compileCallEval): |
| (JSC::JIT::compileCallEvalSlowCase): |
| (JSC::JIT::compileOpCallSlowCase): |
| * jit/JITExceptions.cpp: |
| (JSC::genericUnwind): |
| * jit/JITExceptions.h: |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emitSlow_op_new_object): |
| (JSC::JIT::emitSlow_op_instanceof): |
| (JSC::JIT::emit_op_set_function_name): |
| (JSC::JIT::emit_op_throw): |
| (JSC::JIT::emitSlow_op_jstricteq): |
| (JSC::JIT::emitSlow_op_jnstricteq): |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_switch_imm): |
| (JSC::JIT::emit_op_switch_char): |
| (JSC::JIT::emit_op_switch_string): |
| (JSC::JIT::emit_op_debug): |
| (JSC::JIT::emitSlow_op_eq): |
| (JSC::JIT::emitSlow_op_neq): |
| (JSC::JIT::emitSlow_op_jeq): |
| (JSC::JIT::emitSlow_op_jneq): |
| (JSC::JIT::emitSlow_op_instanceof_custom): |
| (JSC::JIT::emitSlow_op_loop_hint): |
| (JSC::JIT::emitSlow_op_check_traps): |
| (JSC::JIT::emit_op_new_regexp): |
| (JSC::JIT::emitNewFuncCommon): |
| (JSC::JIT::emitNewFuncExprCommon): |
| (JSC::JIT::emit_op_new_array): |
| (JSC::JIT::emit_op_new_array_with_size): |
| (JSC::JIT::emitSlow_op_has_indexed_property): |
| (JSC::JIT::emit_op_profile_type): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emitSlow_op_new_object): |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_switch_imm): |
| (JSC::JIT::emit_op_debug): |
| (JSC::JIT::emit_op_profile_type): |
| * jit/JITOperations.cpp: |
| (JSC::newFunctionCommon): |
| (JSC::getByVal): |
| (JSC::tryGetByValOptimize): |
| (JSC::operationNewFunctionCommon): Deleted. |
| * jit/JITOperations.h: |
| * jit/JITOperationsMSVC64.cpp: |
| (JSC::getHostCallReturnValueWithExecState): |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitGetByValWithCachedId): |
| (JSC::JIT::emitSlow_op_get_by_val): |
| (JSC::JIT::emitPutByValWithCachedId): |
| (JSC::JIT::emitSlow_op_put_by_val): |
| (JSC::JIT::emit_op_put_getter_by_id): |
| (JSC::JIT::emit_op_put_setter_by_id): |
| (JSC::JIT::emit_op_put_getter_setter_by_id): |
| (JSC::JIT::emit_op_put_getter_by_val): |
| (JSC::JIT::emit_op_put_setter_by_val): |
| (JSC::JIT::emit_op_del_by_id): |
| (JSC::JIT::emit_op_del_by_val): |
| (JSC::JIT::emitSlow_op_try_get_by_id): |
| (JSC::JIT::emitSlow_op_get_by_id_direct): |
| (JSC::JIT::emitSlow_op_get_by_id): |
| (JSC::JIT::emitSlow_op_get_by_id_with_this): |
| (JSC::JIT::emitSlow_op_put_by_id): |
| (JSC::JIT::emitSlow_op_in_by_id): |
| (JSC::JIT::emitSlow_op_get_from_scope): |
| (JSC::JIT::emitSlow_op_put_to_scope): |
| (JSC::JIT::emitWriteBarrier): |
| * jit/PolymorphicCallStubRoutine.cpp: |
| (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine): |
| * jit/PolymorphicCallStubRoutine.h: |
| * jit/Repatch.cpp: |
| (JSC::forceICFailure): |
| (JSC::tryCacheGetByID): |
| (JSC::repatchGetByID): |
| (JSC::tryCachePutByID): |
| (JSC::repatchPutByID): |
| (JSC::tryCacheInByID): |
| (JSC::repatchInByID): |
| (JSC::tryCacheInstanceOf): |
| (JSC::repatchInstanceOf): |
| (JSC::linkFor): |
| (JSC::linkDirectFor): |
| (JSC::linkSlowFor): |
| (JSC::linkVirtualFor): |
| (JSC::linkPolymorphicCall): |
| * jit/Repatch.h: |
| * jit/SnippetSlowPathCalls.h: |
| * jit/ThunkGenerators.cpp: |
| (JSC::throwExceptionFromCallSlowPathGenerator): |
| (JSC::slowPathFor): |
| (JSC::nativeForGenerator): |
| (JSC::boundThisNoArgsFunctionCallGenerator): |
| * jit/ThunkGenerators.h: |
| * jsc.cpp: |
| (GlobalObject::finishCreation): |
| (GlobalObject::moduleLoaderImportModule): |
| (GlobalObject::moduleLoaderResolve): |
| (GlobalObject::moduleLoaderFetch): |
| (GlobalObject::moduleLoaderCreateImportMetaProperties): |
| (cStringFromViewWithString): |
| (printInternal): |
| (functionPrintStdOut): |
| (functionPrintStdErr): |
| (functionDebug): |
| (functionSleepSeconds): |
| (functionRun): |
| (functionRunString): |
| (functionLoad): |
| (functionLoadString): |
| (functionReadFile): |
| (functionCheckSyntax): |
| (functionSetSamplingFlags): |
| (functionClearSamplingFlags): |
| (functionSetRandomSeed): |
| (functionNeverInlineFunction): |
| (functionNoDFG): |
| (functionNoOSRExitFuzzing): |
| (functionOptimizeNextInvocation): |
| (functionNumberOfDFGCompiles): |
| (functionCallerIsOMGCompiled): |
| (functionDollarEvalScript): |
| (functionDollarAgentStart): |
| (functionDollarAgentReceiveBroadcast): |
| (functionDollarAgentReport): |
| (functionDollarAgentSleep): |
| (functionDollarAgentBroadcast): |
| (functionFlashHeapAccess): |
| (functionJSCOptions): |
| (functionTransferArrayBuffer): |
| (functionCheckModuleSyntax): |
| (functionGenerateHeapSnapshot): |
| (functionSamplingProfilerStackTraces): |
| (functionAsyncTestStart): |
| (functionWebAssemblyMemoryMode): |
| (functionSetUnhandledRejectionCallback): |
| (dumpException): |
| (checkUncaughtException): |
| (checkException): |
| (runWithOptions): |
| (runInteractive): |
| * llint/LLIntExceptions.cpp: |
| (JSC::LLInt::returnToThrow): |
| (JSC::LLInt::callToThrow): |
| * llint/LLIntExceptions.h: |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::getNonConstantOperand): |
| (JSC::LLInt::getOperand): |
| (JSC::LLInt::llint_trace_operand): |
| (JSC::LLInt::llint_trace_value): |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| (JSC::LLInt::traceFunctionPrologue): |
| (JSC::LLInt::jitCompileAndSetHeuristics): |
| (JSC::LLInt::entryOSR): |
| (JSC::LLInt::setupGetByIdPrototypeCache): |
| (JSC::LLInt::getByVal): |
| (JSC::LLInt::handleHostCall): |
| (JSC::LLInt::setUpCall): |
| (JSC::LLInt::genericCall): |
| (JSC::LLInt::varargsSetup): |
| (JSC::LLInt::commonCallEval): |
| (JSC::LLInt::llint_throw_stack_overflow_error): |
| (JSC::LLInt::llint_write_barrier_slow): |
| * llint/LLIntSlowPaths.h: |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter.cpp: |
| (JSC::CLoopRegister::operator CallFrame*): |
| (JSC::CLoopRegister::operator ExecState*): Deleted. |
| * parser/ModuleAnalyzer.cpp: |
| (JSC::ModuleAnalyzer::ModuleAnalyzer): |
| * parser/ModuleAnalyzer.h: |
| * parser/ParserError.h: |
| (JSC::ParserError::toErrorObject): |
| * profiler/ProfilerBytecode.cpp: |
| (JSC::Profiler::Bytecode::toJS const): |
| * profiler/ProfilerBytecode.h: |
| * profiler/ProfilerBytecodeSequence.cpp: |
| (JSC::Profiler::BytecodeSequence::addSequenceProperties const): |
| * profiler/ProfilerBytecodeSequence.h: |
| * profiler/ProfilerBytecodes.cpp: |
| (JSC::Profiler::Bytecodes::toJS const): |
| * profiler/ProfilerBytecodes.h: |
| * profiler/ProfilerCompilation.cpp: |
| (JSC::Profiler::Compilation::toJS const): |
| * profiler/ProfilerCompilation.h: |
| * profiler/ProfilerCompiledBytecode.cpp: |
| (JSC::Profiler::CompiledBytecode::toJS const): |
| * profiler/ProfilerCompiledBytecode.h: |
| * profiler/ProfilerDatabase.cpp: |
| (JSC::Profiler::Database::toJS const): |
| (JSC::Profiler::Database::toJSON const): |
| * profiler/ProfilerDatabase.h: |
| * profiler/ProfilerEvent.cpp: |
| (JSC::Profiler::Event::toJS const): |
| * profiler/ProfilerEvent.h: |
| * profiler/ProfilerOSRExit.cpp: |
| (JSC::Profiler::OSRExit::toJS const): |
| * profiler/ProfilerOSRExit.h: |
| * profiler/ProfilerOSRExitSite.cpp: |
| (JSC::Profiler::OSRExitSite::toJS const): |
| * profiler/ProfilerOSRExitSite.h: |
| * profiler/ProfilerOrigin.cpp: |
| (JSC::Profiler::Origin::toJS const): |
| * profiler/ProfilerOrigin.h: |
| * profiler/ProfilerOriginStack.cpp: |
| (JSC::Profiler::OriginStack::toJS const): |
| * profiler/ProfilerOriginStack.h: |
| * profiler/ProfilerProfiledBytecodes.cpp: |
| (JSC::Profiler::ProfiledBytecodes::toJS const): |
| * profiler/ProfilerProfiledBytecodes.h: |
| * profiler/ProfilerUID.cpp: |
| (JSC::Profiler::UID::toJS const): |
| * profiler/ProfilerUID.h: |
| * runtime/AbstractModuleRecord.cpp: |
| (JSC::AbstractModuleRecord::finishCreation): |
| (JSC::AbstractModuleRecord::hostResolveImportedModule): |
| (JSC::AbstractModuleRecord::resolveImport): |
| (JSC::AbstractModuleRecord::resolveExportImpl): |
| (JSC::AbstractModuleRecord::resolveExport): |
| (JSC::getExportedNames): |
| (JSC::AbstractModuleRecord::getModuleNamespace): |
| (JSC::AbstractModuleRecord::link): |
| (JSC::AbstractModuleRecord::evaluate): |
| * runtime/AbstractModuleRecord.h: |
| * runtime/ArgList.h: |
| (JSC::ArgList::ArgList): |
| * runtime/ArrayBufferView.h: |
| * runtime/ArrayConstructor.cpp: |
| (JSC::constructArrayWithSizeQuirk): |
| (JSC::constructWithArrayConstructor): |
| (JSC::callArrayConstructor): |
| (JSC::isArraySlowInline): |
| (JSC::isArraySlow): |
| (JSC::arrayConstructorPrivateFuncIsArraySlow): |
| * runtime/ArrayConstructor.h: |
| (JSC::isArray): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::ArrayPrototype::finishCreation): |
| (JSC::getProperty): |
| (JSC::putLength): |
| (JSC::setLength): |
| (JSC::speciesWatchpointIsValid): |
| (JSC::arrayProtoFuncSpeciesCreate): |
| (JSC::argumentClampedIndexFromStartOrEnd): |
| (JSC::shift): |
| (JSC::unshift): |
| (JSC::fastJoin): |
| (JSC::arrayProtoFuncToString): |
| (JSC::arrayProtoFuncToLocaleString): |
| (JSC::slowJoin): |
| (JSC::arrayProtoFuncJoin): |
| (JSC::arrayProtoFuncPop): |
| (JSC::arrayProtoFuncPush): |
| (JSC::arrayProtoFuncReverse): |
| (JSC::arrayProtoFuncShift): |
| (JSC::arrayProtoFuncSlice): |
| (JSC::arrayProtoFuncSplice): |
| (JSC::arrayProtoFuncUnShift): |
| (JSC::fastIndexOf): |
| (JSC::arrayProtoFuncIndexOf): |
| (JSC::arrayProtoFuncLastIndexOf): |
| (JSC::moveElements): |
| (JSC::concatAppendOne): |
| (JSC::arrayProtoPrivateFuncConcatMemcpy): |
| (JSC::arrayProtoPrivateFuncAppendMemcpy): |
| * runtime/AsyncFunctionConstructor.cpp: |
| (JSC::callAsyncFunctionConstructor): |
| (JSC::constructAsyncFunctionConstructor): |
| * runtime/AsyncGeneratorFunctionConstructor.cpp: |
| (JSC::callAsyncGeneratorFunctionConstructor): |
| (JSC::constructAsyncGeneratorFunctionConstructor): |
| * runtime/AtomicsObject.cpp: |
| (JSC::atomicsFuncAdd): |
| (JSC::atomicsFuncAnd): |
| (JSC::atomicsFuncCompareExchange): |
| (JSC::atomicsFuncExchange): |
| (JSC::atomicsFuncIsLockFree): |
| (JSC::atomicsFuncLoad): |
| (JSC::atomicsFuncOr): |
| (JSC::atomicsFuncStore): |
| (JSC::atomicsFuncSub): |
| (JSC::atomicsFuncWait): |
| (JSC::atomicsFuncWake): |
| (JSC::atomicsFuncXor): |
| (JSC::operationAtomicsAdd): |
| (JSC::operationAtomicsAnd): |
| (JSC::operationAtomicsCompareExchange): |
| (JSC::operationAtomicsExchange): |
| (JSC::operationAtomicsIsLockFree): |
| (JSC::operationAtomicsLoad): |
| (JSC::operationAtomicsOr): |
| (JSC::operationAtomicsStore): |
| (JSC::operationAtomicsSub): |
| (JSC::operationAtomicsXor): |
| * runtime/AtomicsObject.h: |
| * runtime/BigIntConstructor.cpp: |
| (JSC::toBigInt): |
| (JSC::callBigIntConstructor): |
| * runtime/BigIntObject.cpp: |
| (JSC::BigIntObject::toStringName): |
| (JSC::BigIntObject::defaultValue): |
| * runtime/BigIntObject.h: |
| * runtime/BigIntPrototype.cpp: |
| (JSC::bigIntProtoFuncToStringImpl): |
| (JSC::bigIntProtoFuncValueOf): |
| * runtime/BooleanConstructor.cpp: |
| (JSC::callBooleanConstructor): |
| (JSC::constructWithBooleanConstructor): |
| (JSC::constructBooleanFromImmediateBoolean): |
| * runtime/BooleanConstructor.h: |
| * runtime/BooleanPrototype.cpp: |
| (JSC::booleanProtoFuncToString): |
| (JSC::booleanProtoFuncValueOf): |
| * runtime/CallData.cpp: |
| (JSC::call): |
| (JSC::profiledCall): |
| * runtime/CallData.h: |
| * runtime/ClassInfo.h: |
| * runtime/ClonedArguments.cpp: |
| (JSC::ClonedArguments::createEmpty): |
| (JSC::ClonedArguments::createWithInlineFrame): |
| (JSC::ClonedArguments::createWithMachineFrame): |
| (JSC::ClonedArguments::createByCopyingFrom): |
| (JSC::ClonedArguments::getOwnPropertySlot): |
| (JSC::ClonedArguments::getOwnPropertyNames): |
| (JSC::ClonedArguments::put): |
| (JSC::ClonedArguments::deleteProperty): |
| (JSC::ClonedArguments::defineOwnProperty): |
| (JSC::ClonedArguments::materializeSpecials): |
| (JSC::ClonedArguments::materializeSpecialsIfNecessary): |
| * runtime/ClonedArguments.h: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::throwArityCheckStackOverflowError): |
| (JSC::SLOW_PATH_DECL): |
| (JSC::createInternalFieldObject): |
| (JSC::updateArithProfileForBinaryArithOp): |
| * runtime/CommonSlowPaths.h: |
| (JSC::CommonSlowPaths::codeBlockFromCallFrameCallee): |
| (JSC::CommonSlowPaths::arityCheckFor): |
| (JSC::CommonSlowPaths::opInByVal): |
| (JSC::CommonSlowPaths::tryCachePutToScopeGlobal): |
| (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal): |
| (JSC::CommonSlowPaths::putDirectWithReify): |
| (JSC::CommonSlowPaths::putDirectAccessorWithReify): |
| * runtime/Completion.cpp: |
| (JSC::checkSyntax): |
| (JSC::checkModuleSyntax): |
| (JSC::evaluate): |
| (JSC::profiledEvaluate): |
| (JSC::evaluateWithScopeExtension): |
| (JSC::rejectPromise): |
| (JSC::loadAndEvaluateModule): |
| (JSC::loadModule): |
| (JSC::linkAndEvaluateModule): |
| (JSC::importModule): |
| * runtime/Completion.h: |
| (JSC::evaluate): |
| (JSC::profiledEvaluate): |
| * runtime/ConsoleClient.cpp: |
| (JSC::ConsoleClient::printConsoleMessageWithArguments): |
| (JSC::ConsoleClient::internalMessageWithTypeAndLevel): |
| (JSC::ConsoleClient::logWithLevel): |
| (JSC::ConsoleClient::clear): |
| (JSC::ConsoleClient::dir): |
| (JSC::ConsoleClient::dirXML): |
| (JSC::ConsoleClient::table): |
| (JSC::ConsoleClient::trace): |
| (JSC::ConsoleClient::assertion): |
| (JSC::ConsoleClient::group): |
| (JSC::ConsoleClient::groupCollapsed): |
| (JSC::ConsoleClient::groupEnd): |
| * runtime/ConsoleClient.h: |
| * runtime/ConsoleObject.cpp: |
| (JSC::valueOrDefaultLabelString): |
| (JSC::valueToStringWithUndefinedOrNullCheck): |
| (JSC::consoleLogWithLevel): |
| (JSC::consoleProtoFuncDebug): |
| (JSC::consoleProtoFuncError): |
| (JSC::consoleProtoFuncLog): |
| (JSC::consoleProtoFuncInfo): |
| (JSC::consoleProtoFuncWarn): |
| (JSC::consoleProtoFuncClear): |
| (JSC::consoleProtoFuncDir): |
| (JSC::consoleProtoFuncDirXML): |
| (JSC::consoleProtoFuncTable): |
| (JSC::consoleProtoFuncTrace): |
| (JSC::consoleProtoFuncAssert): |
| (JSC::consoleProtoFuncCount): |
| (JSC::consoleProtoFuncCountReset): |
| (JSC::consoleProtoFuncProfile): |
| (JSC::consoleProtoFuncProfileEnd): |
| (JSC::consoleProtoFuncTakeHeapSnapshot): |
| (JSC::consoleProtoFuncTime): |
| (JSC::consoleProtoFuncTimeLog): |
| (JSC::consoleProtoFuncTimeEnd): |
| (JSC::consoleProtoFuncTimeStamp): |
| (JSC::consoleProtoFuncGroup): |
| (JSC::consoleProtoFuncGroupCollapsed): |
| (JSC::consoleProtoFuncGroupEnd): |
| (JSC::consoleProtoFuncRecord): |
| (JSC::consoleProtoFuncRecordEnd): |
| (JSC::consoleProtoFuncScreenshot): |
| * runtime/ConstructData.cpp: |
| (JSC::construct): |
| (JSC::profiledConstruct): |
| * runtime/ConstructData.h: |
| (JSC::construct): |
| (JSC::profiledConstruct): |
| * runtime/CustomGetterSetter.cpp: |
| (JSC::callCustomSetter): |
| * runtime/CustomGetterSetter.h: |
| * runtime/DataView.cpp: |
| (JSC::DataView::wrap): |
| * runtime/DataView.h: |
| * runtime/DateConstructor.cpp: |
| (JSC::millisecondsFromComponents): |
| (JSC::constructDate): |
| (JSC::constructWithDateConstructor): |
| (JSC::dateParse): |
| (JSC::dateUTC): |
| * runtime/DateConstructor.h: |
| * runtime/DateInstance.cpp: |
| (JSC::DateInstance::calculateGregorianDateTime const): |
| (JSC::DateInstance::calculateGregorianDateTimeUTC const): |
| * runtime/DateInstance.h: |
| * runtime/DatePrototype.cpp: |
| (JSC::formatLocaleDate): |
| (JSC::formateDateInstance): |
| (JSC::fillStructuresUsingTimeArgs): |
| (JSC::fillStructuresUsingDateArgs): |
| (JSC::dateProtoFuncToString): |
| (JSC::dateProtoFuncToUTCString): |
| (JSC::dateProtoFuncToISOString): |
| (JSC::dateProtoFuncToDateString): |
| (JSC::dateProtoFuncToTimeString): |
| (JSC::dateProtoFuncToLocaleString): |
| (JSC::dateProtoFuncToLocaleDateString): |
| (JSC::dateProtoFuncToLocaleTimeString): |
| (JSC::dateProtoFuncToPrimitiveSymbol): |
| (JSC::dateProtoFuncGetTime): |
| (JSC::dateProtoFuncGetFullYear): |
| (JSC::dateProtoFuncGetUTCFullYear): |
| (JSC::dateProtoFuncGetMonth): |
| (JSC::dateProtoFuncGetUTCMonth): |
| (JSC::dateProtoFuncGetDate): |
| (JSC::dateProtoFuncGetUTCDate): |
| (JSC::dateProtoFuncGetDay): |
| (JSC::dateProtoFuncGetUTCDay): |
| (JSC::dateProtoFuncGetHours): |
| (JSC::dateProtoFuncGetUTCHours): |
| (JSC::dateProtoFuncGetMinutes): |
| (JSC::dateProtoFuncGetUTCMinutes): |
| (JSC::dateProtoFuncGetSeconds): |
| (JSC::dateProtoFuncGetUTCSeconds): |
| (JSC::dateProtoFuncGetMilliSeconds): |
| (JSC::dateProtoFuncGetUTCMilliseconds): |
| (JSC::dateProtoFuncGetTimezoneOffset): |
| (JSC::dateProtoFuncSetTime): |
| (JSC::setNewValueFromTimeArgs): |
| (JSC::setNewValueFromDateArgs): |
| (JSC::dateProtoFuncSetMilliSeconds): |
| (JSC::dateProtoFuncSetUTCMilliseconds): |
| (JSC::dateProtoFuncSetSeconds): |
| (JSC::dateProtoFuncSetUTCSeconds): |
| (JSC::dateProtoFuncSetMinutes): |
| (JSC::dateProtoFuncSetUTCMinutes): |
| (JSC::dateProtoFuncSetHours): |
| (JSC::dateProtoFuncSetUTCHours): |
| (JSC::dateProtoFuncSetDate): |
| (JSC::dateProtoFuncSetUTCDate): |
| (JSC::dateProtoFuncSetMonth): |
| (JSC::dateProtoFuncSetUTCMonth): |
| (JSC::dateProtoFuncSetFullYear): |
| (JSC::dateProtoFuncSetUTCFullYear): |
| (JSC::dateProtoFuncSetYear): |
| (JSC::dateProtoFuncGetYear): |
| (JSC::dateProtoFuncToJSON): |
| * runtime/DirectArguments.cpp: |
| (JSC::DirectArguments::createByCopying): |
| (JSC::DirectArguments::copyToArguments): |
| * runtime/DirectArguments.h: |
| * runtime/DirectEvalExecutable.cpp: |
| (JSC::DirectEvalExecutable::create): |
| (JSC::DirectEvalExecutable::DirectEvalExecutable): |
| * runtime/DirectEvalExecutable.h: |
| * runtime/Error.cpp: |
| (JSC::createError): |
| (JSC::createEvalError): |
| (JSC::createRangeError): |
| (JSC::createReferenceError): |
| (JSC::createSyntaxError): |
| (JSC::createTypeError): |
| (JSC::createNotEnoughArgumentsError): |
| (JSC::createURIError): |
| (JSC::createGetterTypeError): |
| (JSC::getStackTrace): |
| (JSC::getBytecodeOffset): |
| (JSC::addErrorInfo): |
| (JSC::throwConstructorCannotBeCalledAsFunctionTypeError): |
| (JSC::throwTypeError): |
| (JSC::throwSyntaxError): |
| (JSC::throwGetterTypeError): |
| (JSC::throwDOMAttributeGetterTypeError): |
| (JSC::createOutOfMemoryError): |
| * runtime/Error.h: |
| (JSC::throwRangeError): |
| (JSC::throwVMError): |
| (JSC::throwVMTypeError): |
| (JSC::throwVMRangeError): |
| (JSC::throwVMGetterTypeError): |
| (JSC::throwVMDOMAttributeGetterTypeError): |
| * runtime/ErrorConstructor.cpp: |
| (JSC::constructErrorConstructor): |
| (JSC::callErrorConstructor): |
| (JSC::ErrorConstructor::put): |
| (JSC::ErrorConstructor::deleteProperty): |
| * runtime/ErrorConstructor.h: |
| * runtime/ErrorInstance.cpp: |
| (JSC::ErrorInstance::create): |
| (JSC::appendSourceToError): |
| (JSC::ErrorInstance::finishCreation): |
| (JSC::ErrorInstance::sanitizedToString): |
| (JSC::ErrorInstance::getOwnPropertySlot): |
| (JSC::ErrorInstance::getOwnNonIndexPropertyNames): |
| (JSC::ErrorInstance::getStructurePropertyNames): |
| (JSC::ErrorInstance::defineOwnProperty): |
| (JSC::ErrorInstance::put): |
| (JSC::ErrorInstance::deleteProperty): |
| * runtime/ErrorInstance.h: |
| (JSC::ErrorInstance::create): |
| * runtime/ErrorPrototype.cpp: |
| (JSC::errorProtoFuncToString): |
| * runtime/EvalExecutable.cpp: |
| (JSC::EvalExecutable::EvalExecutable): |
| * runtime/EvalExecutable.h: |
| * runtime/ExceptionFuzz.cpp: |
| (JSC::doExceptionFuzzing): |
| * runtime/ExceptionFuzz.h: |
| (JSC::doExceptionFuzzingIfEnabled): |
| * runtime/ExceptionHelpers.cpp: |
| (JSC::TerminatedExecutionError::defaultValue): |
| (JSC::createStackOverflowError): |
| (JSC::createUndefinedVariableError): |
| (JSC::errorDescriptionForValue): |
| (JSC::createError): |
| (JSC::createInvalidFunctionApplyParameterError): |
| (JSC::createInvalidInParameterError): |
| (JSC::createInvalidInstanceofParameterErrorNotFunction): |
| (JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction): |
| (JSC::createNotAConstructorError): |
| (JSC::createNotAFunctionError): |
| (JSC::createNotAnObjectError): |
| (JSC::createErrorForInvalidGlobalAssignment): |
| (JSC::createTDZError): |
| (JSC::throwOutOfMemoryError): |
| (JSC::throwStackOverflowError): |
| (JSC::throwTerminatedExecutionException): |
| * runtime/ExceptionHelpers.h: |
| * runtime/FunctionConstructor.cpp: |
| (JSC::constructWithFunctionConstructor): |
| (JSC::callFunctionConstructor): |
| (JSC::constructFunction): |
| (JSC::constructFunctionSkippingEvalEnabledCheck): |
| * runtime/FunctionConstructor.h: |
| * runtime/FunctionExecutable.cpp: |
| (JSC::FunctionExecutable::fromGlobalCode): |
| * runtime/FunctionExecutable.h: |
| * runtime/FunctionPrototype.cpp: |
| (JSC::functionProtoFuncToString): |
| * runtime/FunctionRareData.h: |
| * runtime/GeneratorFunctionConstructor.cpp: |
| (JSC::callGeneratorFunctionConstructor): |
| (JSC::constructGeneratorFunctionConstructor): |
| * runtime/GenericArguments.h: |
| * runtime/GenericArgumentsInlines.h: |
| (JSC::GenericArguments<Type>::getOwnPropertySlot): |
| (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex): |
| (JSC::GenericArguments<Type>::getOwnPropertyNames): |
| (JSC::GenericArguments<Type>::put): |
| (JSC::GenericArguments<Type>::putByIndex): |
| (JSC::GenericArguments<Type>::deleteProperty): |
| (JSC::GenericArguments<Type>::deletePropertyByIndex): |
| (JSC::GenericArguments<Type>::defineOwnProperty): |
| (JSC::GenericArguments<Type>::copyToArguments): |
| * runtime/GenericTypedArrayView.h: |
| * runtime/GenericTypedArrayViewInlines.h: |
| (JSC::GenericTypedArrayView<Adaptor>::wrap): |
| * runtime/GetterSetter.cpp: |
| (JSC::callGetter): |
| (JSC::callSetter): |
| * runtime/GetterSetter.h: |
| * runtime/HashMapImpl.h: |
| (JSC::HashMapBuffer::create): |
| (JSC::areKeysEqual): |
| (JSC::jsMapHash): |
| (JSC::HashMapImpl::finishCreation): |
| (JSC::HashMapImpl::findBucket): |
| (JSC::HashMapImpl::get): |
| (JSC::HashMapImpl::has): |
| (JSC::HashMapImpl::add): |
| (JSC::HashMapImpl::addNormalized): |
| (JSC::HashMapImpl::remove): |
| (JSC::HashMapImpl::clear): |
| (JSC::HashMapImpl::setUpHeadAndTail): |
| (JSC::HashMapImpl::addNormalizedNonExistingForCloning): |
| (JSC::HashMapImpl::addNormalizedInternal): |
| (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized): |
| (JSC::HashMapImpl::rehash): |
| (JSC::HashMapImpl::makeAndSetNewBuffer): |
| * runtime/Identifier.h: |
| * runtime/IndirectEvalExecutable.cpp: |
| (JSC::IndirectEvalExecutable::create): |
| (JSC::IndirectEvalExecutable::IndirectEvalExecutable): |
| * runtime/IndirectEvalExecutable.h: |
| * runtime/InspectorInstrumentationObject.cpp: |
| (JSC::inspectorInstrumentationObjectLog): |
| * runtime/InternalFunction.cpp: |
| (JSC::InternalFunction::InternalFunction): |
| (JSC::InternalFunction::createSubclassStructureSlow): |
| * runtime/InternalFunction.h: |
| (JSC::InternalFunction::createSubclassStructure): |
| * runtime/IntlCollator.cpp: |
| (JSC::IntlCollator::initializeCollator): |
| (JSC::IntlCollator::createCollator): |
| (JSC::IntlCollator::compareStrings): |
| (JSC::IntlCollator::resolvedOptions): |
| * runtime/IntlCollator.h: |
| * runtime/IntlCollatorConstructor.cpp: |
| (JSC::constructIntlCollator): |
| (JSC::callIntlCollator): |
| (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): |
| * runtime/IntlCollatorPrototype.cpp: |
| (JSC::IntlCollatorFuncCompare): |
| (JSC::IntlCollatorPrototypeGetterCompare): |
| (JSC::IntlCollatorPrototypeFuncResolvedOptions): |
| * runtime/IntlDateTimeFormat.cpp: |
| (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate): |
| (JSC::IntlDateTimeFormat::initializeDateTimeFormat): |
| (JSC::IntlDateTimeFormat::resolvedOptions): |
| (JSC::IntlDateTimeFormat::format): |
| (JSC::IntlDateTimeFormat::formatToParts): |
| * runtime/IntlDateTimeFormat.h: |
| * runtime/IntlDateTimeFormatConstructor.cpp: |
| (JSC::constructIntlDateTimeFormat): |
| (JSC::callIntlDateTimeFormat): |
| (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): |
| * runtime/IntlDateTimeFormatPrototype.cpp: |
| (JSC::IntlDateTimeFormatFuncFormatDateTime): |
| (JSC::IntlDateTimeFormatPrototypeGetterFormat): |
| (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts): |
| (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions): |
| * runtime/IntlNumberFormat.cpp: |
| (JSC::IntlNumberFormat::initializeNumberFormat): |
| (JSC::IntlNumberFormat::formatNumber): |
| (JSC::IntlNumberFormat::resolvedOptions): |
| (JSC::IntlNumberFormat::formatToParts): |
| * runtime/IntlNumberFormat.h: |
| * runtime/IntlNumberFormatConstructor.cpp: |
| (JSC::constructIntlNumberFormat): |
| (JSC::callIntlNumberFormat): |
| (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): |
| * runtime/IntlNumberFormatPrototype.cpp: |
| (JSC::IntlNumberFormatFuncFormatNumber): |
| (JSC::IntlNumberFormatPrototypeGetterFormat): |
| (JSC::IntlNumberFormatPrototypeFuncFormatToParts): |
| (JSC::IntlNumberFormatPrototypeFuncResolvedOptions): |
| * runtime/IntlObject.cpp: |
| (JSC::intlBooleanOption): |
| (JSC::intlStringOption): |
| (JSC::intlNumberOption): |
| (JSC::intlDefaultNumberOption): |
| (JSC::canonicalizeLocaleList): |
| (JSC::defaultLocale): |
| (JSC::lookupMatcher): |
| (JSC::bestFitMatcher): |
| (JSC::resolveLocale): |
| (JSC::lookupSupportedLocales): |
| (JSC::bestFitSupportedLocales): |
| (JSC::supportedLocales): |
| (JSC::intlObjectFuncGetCanonicalLocales): |
| * runtime/IntlObject.h: |
| * runtime/IntlObjectInlines.h: |
| (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor): |
| * runtime/IntlPluralRules.cpp: |
| (JSC::IntlPluralRules::initializePluralRules): |
| (JSC::IntlPluralRules::resolvedOptions): |
| (JSC::IntlPluralRules::select): |
| * runtime/IntlPluralRules.h: |
| * runtime/IntlPluralRulesConstructor.cpp: |
| (JSC::constructIntlPluralRules): |
| (JSC::callIntlPluralRules): |
| (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf): |
| * runtime/IntlPluralRulesPrototype.cpp: |
| (JSC::IntlPluralRulesPrototypeFuncSelect): |
| (JSC::IntlPluralRulesPrototypeFuncResolvedOptions): |
| * runtime/IteratorOperations.cpp: |
| (JSC::iteratorNext): |
| (JSC::iteratorValue): |
| (JSC::iteratorComplete): |
| (JSC::iteratorStep): |
| (JSC::iteratorClose): |
| (JSC::createIteratorResultObject): |
| (JSC::hasIteratorMethod): |
| (JSC::iteratorMethod): |
| (JSC::iteratorForIterable): |
| * runtime/IteratorOperations.h: |
| (JSC::forEachInIterable): |
| * runtime/JSArray.cpp: |
| (JSC::JSArray::setLengthWritable): |
| (JSC::JSArray::defineOwnProperty): |
| (JSC::JSArray::getOwnPropertySlot): |
| (JSC::JSArray::put): |
| (JSC::JSArray::deleteProperty): |
| (JSC::JSArray::getOwnNonIndexPropertyNames): |
| (JSC::JSArray::setLengthWithArrayStorage): |
| (JSC::JSArray::appendMemcpy): |
| (JSC::JSArray::setLength): |
| (JSC::JSArray::pop): |
| (JSC::JSArray::push): |
| (JSC::JSArray::fastSlice): |
| (JSC::JSArray::shiftCountWithAnyIndexingType): |
| (JSC::JSArray::unshiftCountWithArrayStorage): |
| (JSC::JSArray::unshiftCountWithAnyIndexingType): |
| (JSC::JSArray::fillArgList): |
| (JSC::JSArray::copyToArguments): |
| (JSC::constructArray): |
| (JSC::constructArrayNegativeIndexed): |
| * runtime/JSArray.h: |
| (JSC::JSArray::shiftCountForShift): |
| (JSC::JSArray::shiftCountForSplice): |
| (JSC::JSArray::shiftCount): |
| (JSC::JSArray::unshiftCountForShift): |
| (JSC::JSArray::unshiftCountForSplice): |
| (JSC::JSArray::unshiftCount): |
| * runtime/JSArrayBufferConstructor.cpp: |
| (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer): |
| (JSC::callArrayBuffer): |
| * runtime/JSArrayBufferPrototype.cpp: |
| (JSC::arrayBufferProtoFuncSlice): |
| (JSC::arrayBufferProtoGetterFuncByteLength): |
| (JSC::sharedArrayBufferProtoGetterFuncByteLength): |
| * runtime/JSArrayBufferView.cpp: |
| (JSC::JSArrayBufferView::toStringName): |
| (JSC::JSArrayBufferView::put): |
| (JSC::JSArrayBufferView::unsharedJSBuffer): |
| (JSC::JSArrayBufferView::possiblySharedJSBuffer): |
| (JSC::JSArrayBufferView::slowDownAndWasteMemory): |
| * runtime/JSArrayBufferView.h: |
| * runtime/JSArrayInlines.h: |
| (JSC::toLength): |
| (JSC::JSArray::pushInline): |
| * runtime/JSBigInt.cpp: |
| (JSC::JSBigInt::tryCreateWithLength): |
| (JSC::JSBigInt::toPrimitive const): |
| (JSC::JSBigInt::parseInt): |
| (JSC::JSBigInt::stringToBigInt): |
| (JSC::JSBigInt::toString): |
| (JSC::JSBigInt::exponentiate): |
| (JSC::JSBigInt::multiply): |
| (JSC::JSBigInt::divide): |
| (JSC::JSBigInt::remainder): |
| (JSC::JSBigInt::add): |
| (JSC::JSBigInt::sub): |
| (JSC::JSBigInt::bitwiseAnd): |
| (JSC::JSBigInt::bitwiseOr): |
| (JSC::JSBigInt::bitwiseXor): |
| (JSC::JSBigInt::leftShift): |
| (JSC::JSBigInt::signedRightShift): |
| (JSC::JSBigInt::bitwiseNot): |
| (JSC::JSBigInt::absoluteAdd): |
| (JSC::JSBigInt::absoluteDivWithBigIntDivisor): |
| (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy): |
| (JSC::JSBigInt::absoluteAddOne): |
| (JSC::JSBigInt::absoluteSubOne): |
| (JSC::JSBigInt::leftShiftByAbsolute): |
| (JSC::JSBigInt::rightShiftByAbsolute): |
| (JSC::JSBigInt::toStringBasePowerOfTwo): |
| (JSC::JSBigInt::toStringGeneric): |
| (JSC::JSBigInt::allocateFor): |
| (JSC::JSBigInt::toNumber const): |
| (JSC::JSBigInt::getPrimitiveNumber const): |
| (JSC::JSBigInt::toObject const): |
| * runtime/JSBigInt.h: |
| * runtime/JSBoundFunction.cpp: |
| (JSC::boundThisNoArgsFunctionCall): |
| (JSC::boundFunctionCall): |
| (JSC::boundThisNoArgsFunctionConstruct): |
| (JSC::boundFunctionConstruct): |
| (JSC::hasInstanceBoundFunction): |
| (JSC::getBoundFunctionStructure): |
| (JSC::JSBoundFunction::create): |
| (JSC::JSBoundFunction::customHasInstance): |
| (JSC::JSBoundFunction::boundArgsCopy): |
| * runtime/JSBoundFunction.h: |
| * runtime/JSCJSValue.cpp: |
| (JSC::JSValue::toInteger const): |
| (JSC::JSValue::toIntegerPreserveNaN const): |
| (JSC::JSValue::toLength const): |
| (JSC::JSValue::toNumberSlowCase const): |
| (JSC::JSValue::toObjectSlowCase const): |
| (JSC::JSValue::toThisSlowCase const): |
| (JSC::JSValue::synthesizePrototype const): |
| (JSC::JSValue::putToPrimitive): |
| (JSC::JSValue::putToPrimitiveByIndex): |
| (JSC::JSValue::toStringSlowCase const): |
| (JSC::JSValue::toWTFStringSlowCase const): |
| * runtime/JSCJSValue.h: |
| (JSC::JSValue::toFloat const): |
| * runtime/JSCJSValueInlines.h: |
| (JSC::JSValue::toInt32 const): |
| (JSC::JSValue::toUInt32 const): |
| (JSC::JSValue::toIndex const): |
| (JSC::JSValue::getString const): |
| (JSC::Unknown>::getString const): |
| (JSC::JSValue::toPropertyKey const): |
| (JSC::JSValue::toPrimitive const): |
| (JSC::toPreferredPrimitiveType): |
| (JSC::JSValue::getPrimitiveNumber): |
| (JSC::JSValue::toNumber const): |
| (JSC::JSValue::toNumeric const): |
| (JSC::JSValue::toBigIntOrInt32 const): |
| (JSC::JSValue::toObject const): |
| (JSC::JSValue::toThis const): |
| (JSC::JSValue::get const): |
| (JSC::JSValue::getPropertySlot const): |
| (JSC::JSValue::getOwnPropertySlot const): |
| (JSC::JSValue::put): |
| (JSC::JSValue::putInline): |
| (JSC::JSValue::putByIndex): |
| (JSC::JSValue::equal): |
| (JSC::JSValue::equalSlowCaseInline): |
| (JSC::JSValue::strictEqualSlowCaseInline): |
| (JSC::JSValue::strictEqual): |
| (JSC::JSValue::requireObjectCoercible const): |
| (JSC::sameValue): |
| * runtime/JSCell.cpp: |
| (JSC::JSCell::getString const): |
| (JSC::JSCell::put): |
| (JSC::JSCell::putByIndex): |
| (JSC::JSCell::deleteProperty): |
| (JSC::JSCell::deletePropertyByIndex): |
| (JSC::JSCell::toThis): |
| (JSC::JSCell::toPrimitive const): |
| (JSC::JSCell::getPrimitiveNumber const): |
| (JSC::JSCell::toNumber const): |
| (JSC::JSCell::toObjectSlow const): |
| (JSC::JSCell::defaultValue): |
| (JSC::JSCell::getOwnPropertySlot): |
| (JSC::JSCell::getOwnPropertySlotByIndex): |
| (JSC::JSCell::doPutPropertySecurityCheck): |
| (JSC::JSCell::getOwnPropertyNames): |
| (JSC::JSCell::getOwnNonIndexPropertyNames): |
| (JSC::JSCell::toStringName): |
| (JSC::JSCell::getPropertyNames): |
| (JSC::JSCell::customHasInstance): |
| (JSC::JSCell::defineOwnProperty): |
| (JSC::JSCell::getEnumerableLength): |
| (JSC::JSCell::getStructurePropertyNames): |
| (JSC::JSCell::getGenericPropertyNames): |
| (JSC::JSCell::preventExtensions): |
| (JSC::JSCell::isExtensible): |
| (JSC::JSCell::setPrototype): |
| (JSC::JSCell::getPrototype): |
| * runtime/JSCell.h: |
| * runtime/JSCellInlines.h: |
| (JSC::CallFrame::vm const): |
| (JSC::JSCell::toBoolean const): |
| (JSC::JSCell::toObject const): |
| (JSC::JSCell::putInline): |
| (JSC::ExecState::vm const): Deleted. |
| * runtime/JSCustomGetterSetterFunction.cpp: |
| (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall): |
| * runtime/JSDataView.cpp: |
| (JSC::JSDataView::create): |
| (JSC::JSDataView::createUninitialized): |
| (JSC::JSDataView::set): |
| (JSC::JSDataView::setIndex): |
| (JSC::JSDataView::getOwnPropertySlot): |
| (JSC::JSDataView::put): |
| (JSC::JSDataView::defineOwnProperty): |
| (JSC::JSDataView::deleteProperty): |
| (JSC::JSDataView::getOwnNonIndexPropertyNames): |
| * runtime/JSDataView.h: |
| * runtime/JSDataViewPrototype.cpp: |
| (JSC::getData): |
| (JSC::setData): |
| (JSC::dataViewProtoGetterBuffer): |
| (JSC::dataViewProtoGetterByteLength): |
| (JSC::dataViewProtoGetterByteOffset): |
| * runtime/JSDateMath.cpp: |
| (JSC::parseDate): |
| * runtime/JSDateMath.h: |
| * runtime/JSFixedArray.cpp: |
| (JSC::JSFixedArray::copyToArguments): |
| * runtime/JSFixedArray.h: |
| * runtime/JSFunction.cpp: |
| (JSC::callHostFunctionAsConstructor): |
| (JSC::JSFunction::prototypeForConstruction): |
| (JSC::JSFunction::allocateAndInitializeRareData): |
| (JSC::JSFunction::initializeRareData): |
| (JSC::retrieveArguments): |
| (JSC::JSFunction::argumentsGetter): |
| (JSC::retrieveCallerFunction): |
| (JSC::JSFunction::callerGetter): |
| (JSC::JSFunction::getOwnPropertySlot): |
| (JSC::JSFunction::getOwnNonIndexPropertyNames): |
| (JSC::JSFunction::put): |
| (JSC::JSFunction::deleteProperty): |
| (JSC::JSFunction::defineOwnProperty): |
| (JSC::JSFunction::setFunctionName): |
| (JSC::JSFunction::reifyName): |
| (JSC::JSFunction::reifyLazyPropertyIfNeeded): |
| (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded): |
| (JSC::JSFunction::reifyLazyLengthIfNeeded): |
| (JSC::JSFunction::reifyLazyNameIfNeeded): |
| (JSC::JSFunction::reifyLazyBoundNameIfNeeded): |
| * runtime/JSFunction.h: |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::ensureRareDataAndAllocationProfile): |
| * runtime/JSGenericTypedArrayView.h: |
| * runtime/JSGenericTypedArrayViewConstructorInlines.h: |
| (JSC::constructGenericTypedArrayViewFromIterator): |
| (JSC::constructGenericTypedArrayViewWithArguments): |
| (JSC::constructGenericTypedArrayView): |
| (JSC::callGenericTypedArrayView): |
| * runtime/JSGenericTypedArrayViewInlines.h: |
| (JSC::JSGenericTypedArrayView<Adaptor>::create): |
| (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector): |
| (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized): |
| (JSC::JSGenericTypedArrayView<Adaptor>::validateRange): |
| (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType): |
| (JSC::JSGenericTypedArrayView<Adaptor>::set): |
| (JSC::JSGenericTypedArrayView<Adaptor>::throwNeuteredTypedArrayTypeError): |
| (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot): |
| (JSC::JSGenericTypedArrayView<Adaptor>::put): |
| (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): |
| (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty): |
| (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex): |
| (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex): |
| (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex): |
| (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames): |
| * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: |
| (JSC::speciesConstruct): |
| (JSC::argumentClampedIndexFromStartOrEnd): |
| (JSC::genericTypedArrayViewProtoFuncSet): |
| (JSC::genericTypedArrayViewProtoFuncCopyWithin): |
| (JSC::genericTypedArrayViewProtoFuncIncludes): |
| (JSC::genericTypedArrayViewProtoFuncIndexOf): |
| (JSC::genericTypedArrayViewProtoFuncJoin): |
| (JSC::genericTypedArrayViewProtoFuncLastIndexOf): |
| (JSC::genericTypedArrayViewProtoGetterFuncBuffer): |
| (JSC::genericTypedArrayViewProtoGetterFuncLength): |
| (JSC::genericTypedArrayViewProtoGetterFuncByteLength): |
| (JSC::genericTypedArrayViewProtoGetterFuncByteOffset): |
| (JSC::genericTypedArrayViewProtoFuncReverse): |
| (JSC::genericTypedArrayViewPrivateFuncSort): |
| (JSC::genericTypedArrayViewProtoFuncSlice): |
| (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate): |
| * runtime/JSGlobalLexicalEnvironment.cpp: |
| (JSC::JSGlobalLexicalEnvironment::getOwnPropertySlot): |
| (JSC::JSGlobalLexicalEnvironment::put): |
| * runtime/JSGlobalLexicalEnvironment.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::createConsoleProperty): |
| (JSC::makeBoundFunction): |
| (JSC::hasOwnLengthProperty): |
| (JSC::getGetterById): |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::put): |
| (JSC::JSGlobalObject::defineOwnProperty): |
| (JSC::JSGlobalObject::addFunction): |
| (JSC::JSGlobalObject::visitChildren): |
| (JSC::JSGlobalObject::deprecatedCallFrameForDebugger): |
| (JSC::JSGlobalObject::exposeDollarVM): |
| (JSC::JSGlobalObject::getOwnPropertySlot): |
| (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint): |
| (JSC::JSGlobalObject::defaultCollator): |
| (JSC::JSGlobalObject::globalExec): Deleted. |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::addVar): |
| (JSC::JSGlobalObject::regExpConstructor const): |
| (JSC::JSGlobalObject::functionConstructor const): |
| (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation const): |
| (JSC::JSGlobalObject::supportsRichSourceInfo): |
| (JSC::JSGlobalObject::globalObjectAtDebuggerEntry const): |
| (JSC::JSGlobalObject::setGlobalObjectAtDebuggerEntry): |
| (JSC::constructEmptyArray): |
| (JSC::constructArray): |
| (JSC::constructArrayNegativeIndexed): |
| (JSC::JSGlobalObject::callFrameAtDebuggerEntry const): Deleted. |
| (JSC::JSGlobalObject::setCallFrameAtDebuggerEntry): Deleted. |
| (JSC::ExecState::globalThisValue const): Deleted. |
| * runtime/JSGlobalObjectFunctions.cpp: |
| (JSC::encode): |
| (JSC::decode): |
| (JSC::globalFuncEval): |
| (JSC::globalFuncParseInt): |
| (JSC::globalFuncParseFloat): |
| (JSC::globalFuncDecodeURI): |
| (JSC::globalFuncDecodeURIComponent): |
| (JSC::globalFuncEncodeURI): |
| (JSC::globalFuncEncodeURIComponent): |
| (JSC::globalFuncEscape): |
| (JSC::globalFuncUnescape): |
| (JSC::globalFuncThrowTypeError): |
| (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller): |
| (JSC::globalFuncMakeTypeError): |
| (JSC::globalFuncProtoGetter): |
| (JSC::globalFuncProtoSetter): |
| (JSC::globalFuncHostPromiseRejectionTracker): |
| (JSC::globalFuncBuiltinLog): |
| (JSC::globalFuncImportModule): |
| (JSC::globalFuncPropertyIsEnumerable): |
| (JSC::globalFuncOwnKeys): |
| (JSC::globalFuncDateTimeFormat): |
| * runtime/JSGlobalObjectFunctions.h: |
| * runtime/JSGlobalObjectInlines.h: |
| (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const): |
| (JSC::getVM): |
| * runtime/JSImmutableButterfly.cpp: |
| (JSC::JSImmutableButterfly::copyToArguments): |
| * runtime/JSImmutableButterfly.h: |
| * runtime/JSInternalPromise.cpp: |
| (JSC::JSInternalPromise::then): |
| * runtime/JSInternalPromise.h: |
| * runtime/JSInternalPromiseDeferred.cpp: |
| (JSC::JSInternalPromiseDeferred::tryCreate): |
| (JSC::JSInternalPromiseDeferred::resolve): |
| (JSC::JSInternalPromiseDeferred::reject): |
| * runtime/JSInternalPromiseDeferred.h: |
| * runtime/JSLexicalEnvironment.cpp: |
| (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames): |
| (JSC::JSLexicalEnvironment::getOwnPropertySlot): |
| (JSC::JSLexicalEnvironment::put): |
| (JSC::JSLexicalEnvironment::deleteProperty): |
| * runtime/JSLexicalEnvironment.h: |
| * runtime/JSLock.cpp: |
| (JSC::JSLockHolder::JSLockHolder): |
| (JSC::JSLock::lock): |
| (JSC::JSLock::unlock): |
| (JSC::JSLock::DropAllLocks::DropAllLocks): |
| * runtime/JSLock.h: |
| * runtime/JSMap.cpp: |
| (JSC::JSMap::toStringName): |
| (JSC::JSMap::clone): |
| * runtime/JSMap.h: |
| * runtime/JSMapIterator.cpp: |
| (JSC::JSMapIterator::createPair): |
| * runtime/JSMapIterator.h: |
| * runtime/JSMicrotask.cpp: |
| (JSC::JSMicrotask::run): |
| * runtime/JSModuleEnvironment.cpp: |
| (JSC::JSModuleEnvironment::getOwnPropertySlot): |
| (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames): |
| (JSC::JSModuleEnvironment::put): |
| (JSC::JSModuleEnvironment::deleteProperty): |
| * runtime/JSModuleEnvironment.h: |
| * runtime/JSModuleLoader.cpp: |
| (JSC::JSModuleLoader::finishCreation): |
| (JSC::printableModuleKey): |
| (JSC::JSModuleLoader::dependencyKeysIfEvaluated): |
| (JSC::JSModuleLoader::provideFetch): |
| (JSC::JSModuleLoader::loadAndEvaluateModule): |
| (JSC::JSModuleLoader::loadModule): |
| (JSC::JSModuleLoader::linkAndEvaluateModule): |
| (JSC::JSModuleLoader::requestImportModule): |
| (JSC::JSModuleLoader::importModule): |
| (JSC::JSModuleLoader::resolveSync): |
| (JSC::JSModuleLoader::resolve): |
| (JSC::JSModuleLoader::fetch): |
| (JSC::JSModuleLoader::createImportMetaProperties): |
| (JSC::JSModuleLoader::evaluate): |
| (JSC::JSModuleLoader::evaluateNonVirtual): |
| (JSC::JSModuleLoader::getModuleNamespaceObject): |
| (JSC::moduleLoaderParseModule): |
| (JSC::moduleLoaderRequestedModules): |
| (JSC::moduleLoaderModuleDeclarationInstantiation): |
| (JSC::moduleLoaderResolve): |
| (JSC::moduleLoaderResolveSync): |
| (JSC::moduleLoaderFetch): |
| (JSC::moduleLoaderGetModuleNamespaceObject): |
| (JSC::moduleLoaderEvaluate): |
| * runtime/JSModuleLoader.h: |
| * runtime/JSModuleNamespaceObject.cpp: |
| (JSC::JSModuleNamespaceObject::finishCreation): |
| (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon): |
| (JSC::JSModuleNamespaceObject::getOwnPropertySlot): |
| (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex): |
| (JSC::JSModuleNamespaceObject::put): |
| (JSC::JSModuleNamespaceObject::putByIndex): |
| (JSC::JSModuleNamespaceObject::deleteProperty): |
| (JSC::JSModuleNamespaceObject::getOwnPropertyNames): |
| (JSC::JSModuleNamespaceObject::defineOwnProperty): |
| * runtime/JSModuleNamespaceObject.h: |
| * runtime/JSModuleRecord.cpp: |
| (JSC::JSModuleRecord::create): |
| (JSC::JSModuleRecord::finishCreation): |
| (JSC::JSModuleRecord::link): |
| (JSC::JSModuleRecord::instantiateDeclarations): |
| (JSC::JSModuleRecord::evaluate): |
| * runtime/JSModuleRecord.h: |
| * runtime/JSONObject.cpp: |
| (JSC::unwrapBoxedPrimitive): |
| (JSC::gap): |
| (JSC::PropertyNameForFunctionCall::value const): |
| (JSC::Stringifier::Stringifier): |
| (JSC::Stringifier::stringify): |
| (JSC::Stringifier::toJSON): |
| (JSC::Stringifier::toJSONImpl): |
| (JSC::Stringifier::appendStringifiedValue): |
| (JSC::Stringifier::Holder::Holder): |
| (JSC::Stringifier::Holder::appendNextProperty): |
| (JSC::Walker::Walker): |
| (JSC::Walker::callReviver): |
| (JSC::Walker::walk): |
| (JSC::JSONProtoFuncParse): |
| (JSC::JSONProtoFuncStringify): |
| (JSC::JSONParse): |
| (JSC::JSONStringify): |
| * runtime/JSONObject.h: |
| * runtime/JSObject.cpp: |
| (JSC::getClassPropertyNames): |
| (JSC::JSObject::toStringName): |
| (JSC::JSObject::calculatedClassName): |
| (JSC::JSObject::getOwnPropertySlotByIndex): |
| (JSC::ordinarySetSlow): |
| (JSC::JSObject::put): |
| (JSC::JSObject::putInlineSlow): |
| (JSC::JSObject::putByIndex): |
| (JSC::JSObject::setPrototypeWithCycleCheck): |
| (JSC::JSObject::setPrototype): |
| (JSC::JSObject::getPrototype): |
| (JSC::JSObject::putGetter): |
| (JSC::JSObject::putSetter): |
| (JSC::JSObject::putDirectAccessor): |
| (JSC::JSObject::hasProperty const): |
| (JSC::JSObject::hasPropertyGeneric const): |
| (JSC::JSObject::deleteProperty): |
| (JSC::JSObject::deletePropertyByIndex): |
| (JSC::callToPrimitiveFunction): |
| (JSC::JSObject::ordinaryToPrimitive const): |
| (JSC::JSObject::defaultValue): |
| (JSC::JSObject::toPrimitive const): |
| (JSC::JSObject::getPrimitiveNumber const): |
| (JSC::JSObject::hasInstance): |
| (JSC::JSObject::defaultHasInstance): |
| (JSC::objectPrivateFuncInstanceOf): |
| (JSC::JSObject::getPropertyNames): |
| (JSC::JSObject::getOwnPropertyNames): |
| (JSC::JSObject::getOwnNonIndexPropertyNames): |
| (JSC::JSObject::toNumber const): |
| (JSC::JSObject::toString const): |
| (JSC::JSObject::toThis): |
| (JSC::JSObject::preventExtensions): |
| (JSC::JSObject::isExtensible): |
| (JSC::JSObject::reifyAllStaticProperties): |
| (JSC::putIndexedDescriptor): |
| (JSC::JSObject::defineOwnIndexedProperty): |
| (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype): |
| (JSC::JSObject::attemptToInterceptPutByIndexOnHole): |
| (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): |
| (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage): |
| (JSC::JSObject::putByIndexBeyondVectorLength): |
| (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): |
| (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength): |
| (JSC::getCustomGetterSetterFunctionForGetterSetter): |
| (JSC::JSObject::getOwnPropertyDescriptor): |
| (JSC::putDescriptor): |
| (JSC::JSObject::putDirectMayBeIndex): |
| (JSC::validateAndApplyPropertyDescriptor): |
| (JSC::JSObject::defineOwnNonIndexProperty): |
| (JSC::JSObject::defineOwnProperty): |
| (JSC::JSObject::getEnumerableLength): |
| (JSC::JSObject::getStructurePropertyNames): |
| (JSC::JSObject::getGenericPropertyNames): |
| (JSC::JSObject::getMethod): |
| * runtime/JSObject.h: |
| (JSC::JSObject::putByIndexInline): |
| (JSC::JSObject::putDirectIndex): |
| (JSC::JSObject::getDirectIndex): |
| (JSC::JSObject::getIndex const): |
| (JSC::JSObject::createRawObject): |
| (JSC::JSFinalObject::create): |
| (JSC::JSObject::getPrototype): |
| (JSC::JSObject::getOwnPropertySlot): |
| (JSC::JSObject::doPutPropertySecurityCheck): |
| (JSC::JSObject::getPropertySlot): |
| (JSC::JSObject::get const): |
| * runtime/JSObjectInlines.h: |
| (JSC::createListFromArrayLike): |
| (JSC::JSObject::getPropertySlot const): |
| (JSC::JSObject::getPropertySlot): |
| (JSC::JSObject::getNonIndexPropertySlot): |
| (JSC::JSObject::getOwnPropertySlotInline): |
| (JSC::JSObject::putInlineForJSObject): |
| (JSC::JSObject::hasOwnProperty const): |
| (JSC::JSObject::putOwnDataPropertyMayBeIndex): |
| * runtime/JSPromise.cpp: |
| (JSC::JSPromise::resolve): |
| * runtime/JSPromise.h: |
| * runtime/JSPromiseDeferred.cpp: |
| (JSC::JSPromiseDeferred::createDeferredData): |
| (JSC::JSPromiseDeferred::tryCreate): |
| (JSC::callFunction): |
| (JSC::JSPromiseDeferred::resolve): |
| (JSC::JSPromiseDeferred::reject): |
| * runtime/JSPromiseDeferred.h: |
| * runtime/JSPropertyNameEnumerator.h: |
| (JSC::propertyNameEnumerator): |
| * runtime/JSProxy.cpp: |
| (JSC::JSProxy::toStringName): |
| (JSC::JSProxy::getOwnPropertySlot): |
| (JSC::JSProxy::getOwnPropertySlotByIndex): |
| (JSC::JSProxy::put): |
| (JSC::JSProxy::putByIndex): |
| (JSC::JSProxy::defineOwnProperty): |
| (JSC::JSProxy::deleteProperty): |
| (JSC::JSProxy::isExtensible): |
| (JSC::JSProxy::preventExtensions): |
| (JSC::JSProxy::deletePropertyByIndex): |
| (JSC::JSProxy::getPropertyNames): |
| (JSC::JSProxy::getEnumerableLength): |
| (JSC::JSProxy::getStructurePropertyNames): |
| (JSC::JSProxy::getGenericPropertyNames): |
| (JSC::JSProxy::getOwnPropertyNames): |
| (JSC::JSProxy::setPrototype): |
| (JSC::JSProxy::getPrototype): |
| * runtime/JSProxy.h: |
| * runtime/JSScope.cpp: |
| (JSC::abstractAccess): |
| (JSC::isUnscopable): |
| (JSC::JSScope::resolve): |
| (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval): |
| (JSC::JSScope::abstractResolve): |
| (JSC::JSScope::toThis): |
| * runtime/JSScope.h: |
| (JSC::CallFrame::lexicalGlobalObject const): |
| (JSC::ExecState::lexicalGlobalObject const): Deleted. |
| * runtime/JSSet.cpp: |
| (JSC::JSSet::toStringName): |
| (JSC::JSSet::clone): |
| * runtime/JSSet.h: |
| * runtime/JSSetIterator.cpp: |
| (JSC::JSSetIterator::createPair): |
| * runtime/JSSetIterator.h: |
| * runtime/JSString.cpp: |
| (JSC::JSString::equalSlowCase const): |
| (JSC::JSRopeString::resolveRopeToAtomString const): |
| (JSC::JSRopeString::resolveRopeToExistingAtomString const): |
| (JSC::JSRopeString::resolveRopeWithFunction const): |
| (JSC::JSRopeString::resolveRope const): |
| (JSC::JSRopeString::outOfMemory const): |
| (JSC::JSString::toPrimitive const): |
| (JSC::JSString::getPrimitiveNumber const): |
| (JSC::JSString::toNumber const): |
| (JSC::JSString::toObject const): |
| (JSC::JSString::toThis): |
| (JSC::JSString::getStringPropertyDescriptor): |
| * runtime/JSString.h: |
| (JSC::JSString::toIdentifier const): |
| (JSC::JSString::toAtomString const): |
| (JSC::JSString::toExistingAtomString const): |
| (JSC::JSString::value const): |
| (JSC::JSString::tryGetValue const): |
| (JSC::JSString::getIndex): |
| (JSC::jsSubstring): |
| (JSC::jsStringWithCache): |
| (JSC::JSString::getStringPropertySlot): |
| (JSC::JSRopeString::unsafeView const): |
| (JSC::JSRopeString::viewWithUnderlyingString const): |
| (JSC::JSString::unsafeView const): |
| (JSC::JSString::viewWithUnderlyingString const): |
| (JSC::JSValue::toBoolean const): |
| (JSC::JSValue::toString const): |
| (JSC::JSValue::toStringOrNull const): |
| (JSC::JSValue::toWTFString const): |
| * runtime/JSStringInlines.h: |
| (JSC::JSString::equal const): |
| (JSC::jsMakeNontrivialString): |
| (JSC::repeatCharacter): |
| * runtime/JSStringIterator.cpp: |
| (JSC::JSStringIterator::iteratedValue const): |
| (JSC::JSStringIterator::clone): |
| * runtime/JSStringIterator.h: |
| * runtime/JSStringJoiner.cpp: |
| (JSC::JSStringJoiner::joinedLength const): |
| (JSC::JSStringJoiner::join): |
| * runtime/JSStringJoiner.h: |
| (JSC::JSStringJoiner::JSStringJoiner): |
| (JSC::JSStringJoiner::appendWithoutSideEffects): |
| (JSC::JSStringJoiner::append): |
| * runtime/JSSymbolTableObject.cpp: |
| (JSC::JSSymbolTableObject::deleteProperty): |
| (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames): |
| * runtime/JSSymbolTableObject.h: |
| (JSC::symbolTablePut): |
| (JSC::symbolTablePutTouchWatchpointSet): |
| (JSC::symbolTablePutInvalidateWatchpointSet): |
| * runtime/JSTemplateObjectDescriptor.cpp: |
| (JSC::JSTemplateObjectDescriptor::createTemplateObject): |
| * runtime/JSTemplateObjectDescriptor.h: |
| * runtime/JSTypedArrayViewConstructor.cpp: |
| (JSC::constructTypedArrayView): |
| * runtime/JSTypedArrayViewPrototype.cpp: |
| (JSC::typedArrayViewPrivateFuncLength): |
| (JSC::typedArrayViewProtoFuncSet): |
| (JSC::typedArrayViewProtoFuncCopyWithin): |
| (JSC::typedArrayViewProtoFuncIncludes): |
| (JSC::typedArrayViewProtoFuncLastIndexOf): |
| (JSC::typedArrayViewProtoFuncIndexOf): |
| (JSC::typedArrayViewProtoFuncJoin): |
| (JSC::typedArrayViewProtoGetterFuncBuffer): |
| (JSC::typedArrayViewProtoGetterFuncLength): |
| (JSC::typedArrayViewProtoGetterFuncByteLength): |
| (JSC::typedArrayViewProtoGetterFuncByteOffset): |
| (JSC::typedArrayViewProtoFuncReverse): |
| (JSC::typedArrayViewPrivateFuncSubarrayCreate): |
| (JSC::typedArrayViewProtoFuncSlice): |
| * runtime/JSTypedArrays.cpp: |
| (JSC::createUint8TypedArray): |
| * runtime/JSTypedArrays.h: |
| * runtime/JSWeakMap.cpp: |
| (JSC::JSWeakMap::toStringName): |
| * runtime/JSWeakMap.h: |
| * runtime/JSWeakObjectRef.cpp: |
| (JSC::JSWeakObjectRef::toStringName): |
| * runtime/JSWeakObjectRef.h: |
| * runtime/JSWeakSet.cpp: |
| (JSC::JSWeakSet::toStringName): |
| * runtime/JSWeakSet.h: |
| * runtime/LiteralParser.cpp: |
| (JSC::LiteralParser<CharType>::tryJSONPParse): |
| (JSC::LiteralParser<CharType>::makeIdentifier): |
| (JSC::LiteralParser<CharType>::parse): |
| * runtime/LiteralParser.h: |
| (JSC::LiteralParser::LiteralParser): |
| * runtime/Lookup.h: |
| (JSC::putEntry): |
| (JSC::lookupPut): |
| (JSC::nonCachingStaticFunctionGetter): |
| * runtime/MapConstructor.cpp: |
| (JSC::callMap): |
| (JSC::constructMap): |
| * runtime/MapPrototype.cpp: |
| (JSC::getMap): |
| (JSC::mapProtoFuncClear): |
| (JSC::mapProtoFuncDelete): |
| (JSC::mapProtoFuncGet): |
| (JSC::mapProtoFuncHas): |
| (JSC::mapProtoFuncSet): |
| (JSC::mapProtoFuncSize): |
| * runtime/MathObject.cpp: |
| (JSC::mathProtoFuncAbs): |
| (JSC::mathProtoFuncACos): |
| (JSC::mathProtoFuncASin): |
| (JSC::mathProtoFuncATan): |
| (JSC::mathProtoFuncATan2): |
| (JSC::mathProtoFuncCeil): |
| (JSC::mathProtoFuncClz32): |
| (JSC::mathProtoFuncCos): |
| (JSC::mathProtoFuncExp): |
| (JSC::mathProtoFuncFloor): |
| (JSC::mathProtoFuncHypot): |
| (JSC::mathProtoFuncLog): |
| (JSC::mathProtoFuncMax): |
| (JSC::mathProtoFuncMin): |
| (JSC::mathProtoFuncPow): |
| (JSC::mathProtoFuncRound): |
| (JSC::mathProtoFuncSign): |
| (JSC::mathProtoFuncSin): |
| (JSC::mathProtoFuncSqrt): |
| (JSC::mathProtoFuncTan): |
| (JSC::mathProtoFuncIMul): |
| (JSC::mathProtoFuncACosh): |
| (JSC::mathProtoFuncASinh): |
| (JSC::mathProtoFuncATanh): |
| (JSC::mathProtoFuncCbrt): |
| (JSC::mathProtoFuncCosh): |
| (JSC::mathProtoFuncExpm1): |
| (JSC::mathProtoFuncFround): |
| (JSC::mathProtoFuncLog1p): |
| (JSC::mathProtoFuncLog10): |
| (JSC::mathProtoFuncLog2): |
| (JSC::mathProtoFuncSinh): |
| (JSC::mathProtoFuncTanh): |
| (JSC::mathProtoFuncTrunc): |
| * runtime/Microtask.h: |
| * runtime/ModuleProgramExecutable.cpp: |
| (JSC::ModuleProgramExecutable::ModuleProgramExecutable): |
| (JSC::ModuleProgramExecutable::create): |
| * runtime/ModuleProgramExecutable.h: |
| * runtime/NativeErrorConstructor.cpp: |
| (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor): |
| (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor): |
| * runtime/NullSetterFunction.cpp: |
| (JSC::callerIsStrict): |
| (JSC::NullSetterFunctionInternal::callReturnUndefined): |
| * runtime/NumberConstructor.cpp: |
| (JSC::constructNumberConstructor): |
| (JSC::callNumberConstructor): |
| * runtime/NumberObject.cpp: |
| (JSC::constructNumber): |
| * runtime/NumberObject.h: |
| * runtime/NumberPrototype.cpp: |
| (JSC::throwVMToThisNumberError): |
| (JSC::numberProtoFuncToExponential): |
| (JSC::numberProtoFuncToFixed): |
| (JSC::numberProtoFuncToPrecision): |
| (JSC::numberProtoFuncToString): |
| (JSC::numberProtoFuncToLocaleString): |
| (JSC::numberProtoFuncValueOf): |
| (JSC::extractToStringRadixArgument): |
| * runtime/NumberPrototype.h: |
| * runtime/ObjectConstructor.cpp: |
| (JSC::constructObjectWithNewTarget): |
| (JSC::constructWithObjectConstructor): |
| (JSC::callObjectConstructor): |
| (JSC::objectConstructorGetPrototypeOf): |
| (JSC::objectConstructorSetPrototypeOf): |
| (JSC::objectConstructorGetOwnPropertyDescriptor): |
| (JSC::objectConstructorGetOwnPropertyDescriptors): |
| (JSC::objectConstructorGetOwnPropertyNames): |
| (JSC::objectConstructorGetOwnPropertySymbols): |
| (JSC::objectConstructorKeys): |
| (JSC::objectConstructorAssign): |
| (JSC::objectConstructorValues): |
| (JSC::toPropertyDescriptor): |
| (JSC::objectConstructorDefineProperty): |
| (JSC::defineProperties): |
| (JSC::objectConstructorDefineProperties): |
| (JSC::objectConstructorCreate): |
| (JSC::setIntegrityLevel): |
| (JSC::testIntegrityLevel): |
| (JSC::objectConstructorSeal): |
| (JSC::objectConstructorFreeze): |
| (JSC::objectConstructorPreventExtensions): |
| (JSC::objectConstructorIsSealed): |
| (JSC::objectConstructorIsFrozen): |
| (JSC::objectConstructorIsExtensible): |
| (JSC::objectConstructorIs): |
| (JSC::ownPropertyKeys): |
| * runtime/ObjectConstructor.h: |
| (JSC::constructEmptyObject): |
| (JSC::constructObject): |
| (JSC::constructObjectFromPropertyDescriptor): |
| * runtime/ObjectPrototype.cpp: |
| (JSC::objectProtoFuncValueOf): |
| (JSC::objectProtoFuncHasOwnProperty): |
| (JSC::objectProtoFuncIsPrototypeOf): |
| (JSC::objectProtoFuncDefineGetter): |
| (JSC::objectProtoFuncDefineSetter): |
| (JSC::objectProtoFuncLookupGetter): |
| (JSC::objectProtoFuncLookupSetter): |
| (JSC::objectProtoFuncPropertyIsEnumerable): |
| (JSC::objectProtoFuncToLocaleString): |
| (JSC::objectProtoFuncToString): |
| * runtime/Operations.cpp: |
| (JSC::JSValue::equalSlowCase): |
| (JSC::JSValue::strictEqualSlowCase): |
| (JSC::jsAddSlowCase): |
| (JSC::jsTypeStringForValue): |
| (JSC::jsIsObjectTypeOrNull): |
| (JSC::normalizePrototypeChain): |
| * runtime/Operations.h: |
| (JSC::jsString): |
| (JSC::jsStringFromRegisterArray): |
| (JSC::bigIntCompare): |
| (JSC::toPrimitiveNumeric): |
| (JSC::jsLess): |
| (JSC::jsLessEq): |
| (JSC::jsAddNonNumber): |
| (JSC::jsAdd): |
| (JSC::jsSub): |
| (JSC::jsMul): |
| (JSC::jsStringFromArguments): Deleted. |
| * runtime/ParseInt.h: |
| (JSC::toStringView): |
| * runtime/ProgramExecutable.cpp: |
| (JSC::ProgramExecutable::ProgramExecutable): |
| (JSC::hasRestrictedGlobalProperty): |
| (JSC::ProgramExecutable::initializeGlobalProperties): |
| * runtime/ProgramExecutable.h: |
| * runtime/PropertyDescriptor.cpp: |
| (JSC::PropertyDescriptor::slowGetterSetter): |
| (JSC::PropertyDescriptor::equalTo const): |
| * runtime/PropertyDescriptor.h: |
| * runtime/PropertySlot.cpp: |
| (JSC::PropertySlot::functionGetter const): |
| (JSC::PropertySlot::customGetter const): |
| (JSC::PropertySlot::customAccessorGetter const): |
| * runtime/PropertySlot.h: |
| (JSC::PropertySlot::getValue const): |
| * runtime/ProxyConstructor.cpp: |
| (JSC::makeRevocableProxy): |
| (JSC::proxyRevocableConstructorThrowError): |
| (JSC::constructProxyObject): |
| (JSC::callProxy): |
| * runtime/ProxyConstructor.h: |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::toStringName): |
| (JSC::ProxyObject::finishCreation): |
| (JSC::performProxyGet): |
| (JSC::ProxyObject::performGet): |
| (JSC::ProxyObject::performInternalMethodGetOwnProperty): |
| (JSC::ProxyObject::performHasProperty): |
| (JSC::ProxyObject::getOwnPropertySlotCommon): |
| (JSC::ProxyObject::getOwnPropertySlot): |
| (JSC::ProxyObject::getOwnPropertySlotByIndex): |
| (JSC::ProxyObject::performPut): |
| (JSC::ProxyObject::put): |
| (JSC::ProxyObject::putByIndexCommon): |
| (JSC::ProxyObject::putByIndex): |
| (JSC::performProxyCall): |
| (JSC::performProxyConstruct): |
| (JSC::ProxyObject::performDelete): |
| (JSC::ProxyObject::deleteProperty): |
| (JSC::ProxyObject::deletePropertyByIndex): |
| (JSC::ProxyObject::performPreventExtensions): |
| (JSC::ProxyObject::preventExtensions): |
| (JSC::ProxyObject::performIsExtensible): |
| (JSC::ProxyObject::isExtensible): |
| (JSC::ProxyObject::performDefineOwnProperty): |
| (JSC::ProxyObject::defineOwnProperty): |
| (JSC::ProxyObject::performGetOwnPropertyNames): |
| (JSC::ProxyObject::getOwnPropertyNames): |
| (JSC::ProxyObject::getPropertyNames): |
| (JSC::ProxyObject::getOwnNonIndexPropertyNames): |
| (JSC::ProxyObject::getStructurePropertyNames): |
| (JSC::ProxyObject::getGenericPropertyNames): |
| (JSC::ProxyObject::performSetPrototype): |
| (JSC::ProxyObject::setPrototype): |
| (JSC::ProxyObject::performGetPrototype): |
| (JSC::ProxyObject::getPrototype): |
| * runtime/ProxyObject.h: |
| * runtime/PutPropertySlot.h: |
| * runtime/ReflectObject.cpp: |
| (JSC::reflectObjectConstruct): |
| (JSC::reflectObjectDefineProperty): |
| (JSC::reflectObjectGet): |
| (JSC::reflectObjectGetOwnPropertyDescriptor): |
| (JSC::reflectObjectGetPrototypeOf): |
| (JSC::reflectObjectIsExtensible): |
| (JSC::reflectObjectOwnKeys): |
| (JSC::reflectObjectPreventExtensions): |
| (JSC::reflectObjectSet): |
| (JSC::reflectObjectSetPrototypeOf): |
| * runtime/RegExp.h: |
| * runtime/RegExpCachedResult.cpp: |
| (JSC::RegExpCachedResult::lastResult): |
| (JSC::RegExpCachedResult::leftContext): |
| (JSC::RegExpCachedResult::rightContext): |
| (JSC::RegExpCachedResult::setInput): |
| * runtime/RegExpCachedResult.h: |
| * runtime/RegExpConstructor.cpp: |
| (JSC::regExpConstructorDollar): |
| (JSC::regExpConstructorInput): |
| (JSC::regExpConstructorMultiline): |
| (JSC::regExpConstructorLastMatch): |
| (JSC::regExpConstructorLastParen): |
| (JSC::regExpConstructorLeftContext): |
| (JSC::regExpConstructorRightContext): |
| (JSC::setRegExpConstructorInput): |
| (JSC::setRegExpConstructorMultiline): |
| (JSC::getRegExpStructure): |
| (JSC::toFlags): |
| (JSC::regExpCreate): |
| (JSC::constructRegExp): |
| (JSC::esSpecRegExpCreate): |
| (JSC::constructWithRegExpConstructor): |
| (JSC::callRegExpConstructor): |
| * runtime/RegExpConstructor.h: |
| (JSC::isRegExp): |
| * runtime/RegExpGlobalData.cpp: |
| (JSC::RegExpGlobalData::getBackref): |
| (JSC::RegExpGlobalData::getLastParen): |
| (JSC::RegExpGlobalData::getLeftContext): |
| (JSC::RegExpGlobalData::getRightContext): |
| * runtime/RegExpGlobalData.h: |
| * runtime/RegExpGlobalDataInlines.h: |
| (JSC::RegExpGlobalData::setInput): |
| * runtime/RegExpInlines.h: |
| (JSC::RegExp::matchInline): |
| * runtime/RegExpMatchesArray.h: |
| (JSC::createRegExpMatchesArray): |
| * runtime/RegExpObject.cpp: |
| (JSC::RegExpObject::getOwnPropertySlot): |
| (JSC::RegExpObject::deleteProperty): |
| (JSC::RegExpObject::getOwnNonIndexPropertyNames): |
| (JSC::RegExpObject::getPropertyNames): |
| (JSC::RegExpObject::getGenericPropertyNames): |
| (JSC::RegExpObject::defineOwnProperty): |
| (JSC::regExpObjectSetLastIndexStrict): |
| (JSC::regExpObjectSetLastIndexNonStrict): |
| (JSC::RegExpObject::put): |
| (JSC::RegExpObject::exec): |
| (JSC::RegExpObject::match): |
| (JSC::RegExpObject::matchGlobal): |
| * runtime/RegExpObject.h: |
| * runtime/RegExpObjectInlines.h: |
| (JSC::getRegExpObjectLastIndexAsUnsigned): |
| (JSC::RegExpObject::execInline): |
| (JSC::RegExpObject::matchInline): |
| (JSC::collectMatches): |
| * runtime/RegExpPrototype.cpp: |
| (JSC::regExpProtoFuncTestFast): |
| (JSC::regExpProtoFuncExec): |
| (JSC::regExpProtoFuncMatchFast): |
| (JSC::regExpProtoFuncCompile): |
| (JSC::flagsString): |
| (JSC::regExpProtoFuncToString): |
| (JSC::regExpProtoGetterGlobal): |
| (JSC::regExpProtoGetterIgnoreCase): |
| (JSC::regExpProtoGetterMultiline): |
| (JSC::regExpProtoGetterDotAll): |
| (JSC::regExpProtoGetterSticky): |
| (JSC::regExpProtoGetterUnicode): |
| (JSC::regExpProtoGetterFlags): |
| (JSC::regExpProtoGetterSourceInternal): |
| (JSC::regExpProtoGetterSource): |
| (JSC::regExpProtoFuncSearchFast): |
| (JSC::regExpProtoFuncSplitFast): |
| * runtime/SamplingProfiler.cpp: |
| (JSC::FrameWalker::FrameWalker): |
| (JSC::FrameWalker::isValidFramePointer): |
| (JSC::CFrameWalker::CFrameWalker): |
| (JSC::SamplingProfiler::takeSample): |
| (JSC::SamplingProfiler::StackFrame::nameFromCallee): |
| * runtime/ScopedArguments.cpp: |
| (JSC::ScopedArguments::createByCopying): |
| (JSC::ScopedArguments::copyToArguments): |
| * runtime/ScopedArguments.h: |
| * runtime/ScriptExecutable.cpp: |
| (JSC::ScriptExecutable::newCodeBlockFor): |
| (JSC::ScriptExecutable::prepareForExecutionImpl): |
| (JSC::ScriptExecutable::createTemplateObject): |
| * runtime/ScriptExecutable.h: |
| * runtime/SetConstructor.cpp: |
| (JSC::callSet): |
| (JSC::constructSet): |
| * runtime/SetPrototype.cpp: |
| (JSC::getSet): |
| (JSC::setProtoFuncAdd): |
| (JSC::setProtoFuncClear): |
| (JSC::setProtoFuncDelete): |
| (JSC::setProtoFuncHas): |
| (JSC::setProtoFuncSize): |
| * runtime/SimpleTypedArrayController.cpp: |
| (JSC::SimpleTypedArrayController::toJS): |
| * runtime/SimpleTypedArrayController.h: |
| * runtime/SparseArrayValueMap.cpp: |
| (JSC::SparseArrayValueMap::putEntry): |
| (JSC::SparseArrayValueMap::putDirect): |
| (JSC::SparseArrayEntry::put): |
| * runtime/SparseArrayValueMap.h: |
| * runtime/StrictEvalActivation.cpp: |
| (JSC::StrictEvalActivation::deleteProperty): |
| * runtime/StrictEvalActivation.h: |
| * runtime/StringConstructor.cpp: |
| (JSC::stringFromCharCode): |
| (JSC::stringFromCodePoint): |
| (JSC::constructWithStringConstructor): |
| (JSC::stringConstructor): |
| (JSC::callStringConstructor): |
| * runtime/StringConstructor.h: |
| * runtime/StringObject.cpp: |
| (JSC::StringObject::getOwnPropertySlot): |
| (JSC::StringObject::getOwnPropertySlotByIndex): |
| (JSC::StringObject::put): |
| (JSC::StringObject::putByIndex): |
| (JSC::isStringOwnProperty): |
| (JSC::StringObject::defineOwnProperty): |
| (JSC::StringObject::deleteProperty): |
| (JSC::StringObject::deletePropertyByIndex): |
| (JSC::StringObject::getOwnPropertyNames): |
| (JSC::StringObject::getOwnNonIndexPropertyNames): |
| * runtime/StringObject.h: |
| (JSC::jsStringWithReuse): |
| (JSC::jsSubstring): |
| * runtime/StringPrototype.cpp: |
| (JSC::substituteBackreferencesSlow): |
| (JSC::jsSpliceSubstrings): |
| (JSC::jsSpliceSubstringsWithSeparators): |
| (JSC::removeUsingRegExpSearch): |
| (JSC::replaceUsingRegExpSearch): |
| (JSC::operationStringProtoFuncReplaceRegExpEmptyStr): |
| (JSC::operationStringProtoFuncReplaceRegExpString): |
| (JSC::replaceUsingStringSearch): |
| (JSC::stringProtoFuncRepeatCharacter): |
| (JSC::replace): |
| (JSC::stringProtoFuncReplaceUsingRegExp): |
| (JSC::stringProtoFuncReplaceUsingStringSearch): |
| (JSC::operationStringProtoFuncReplaceGeneric): |
| (JSC::stringProtoFuncToString): |
| (JSC::stringProtoFuncCharAt): |
| (JSC::stringProtoFuncCharCodeAt): |
| (JSC::stringProtoFuncCodePointAt): |
| (JSC::stringProtoFuncIndexOf): |
| (JSC::stringProtoFuncLastIndexOf): |
| (JSC::stringProtoFuncSlice): |
| (JSC::splitStringByOneCharacterImpl): |
| (JSC::stringProtoFuncSplitFast): |
| (JSC::stringProtoFuncSubstrImpl): |
| (JSC::stringProtoFuncSubstring): |
| (JSC::stringProtoFuncToLowerCase): |
| (JSC::stringProtoFuncToUpperCase): |
| (JSC::stringProtoFuncLocaleCompare): |
| (JSC::toLocaleCase): |
| (JSC::stringProtoFuncToLocaleUpperCase): |
| (JSC::trimString): |
| (JSC::stringProtoFuncTrim): |
| (JSC::stringProtoFuncTrimStart): |
| (JSC::stringProtoFuncTrimEnd): |
| (JSC::stringProtoFuncStartsWith): |
| (JSC::stringProtoFuncEndsWith): |
| (JSC::stringIncludesImpl): |
| (JSC::stringProtoFuncIncludes): |
| (JSC::builtinStringIncludesInternal): |
| (JSC::stringProtoFuncIterator): |
| (JSC::normalize): |
| (JSC::stringProtoFuncNormalize): |
| * runtime/StringPrototype.h: |
| * runtime/StringPrototypeInlines.h: |
| (JSC::stringSlice): |
| * runtime/StringRecursionChecker.cpp: |
| (JSC::StringRecursionChecker::throwStackOverflowError): |
| (JSC::StringRecursionChecker::emptyString): |
| * runtime/StringRecursionChecker.h: |
| (JSC::StringRecursionChecker::performCheck): |
| (JSC::StringRecursionChecker::StringRecursionChecker): |
| (JSC::StringRecursionChecker::~StringRecursionChecker): |
| * runtime/Structure.h: |
| * runtime/StructureInlines.h: |
| (JSC::Structure::prototypeChain const): |
| (JSC::Structure::setObjectToStringValue): |
| * runtime/StructureRareData.cpp: |
| (JSC::StructureRareData::setObjectToStringValue): |
| * runtime/StructureRareData.h: |
| * runtime/Symbol.cpp: |
| (JSC::Symbol::toPrimitive const): |
| (JSC::Symbol::getPrimitiveNumber const): |
| (JSC::Symbol::toObject const): |
| (JSC::Symbol::toNumber const): |
| * runtime/Symbol.h: |
| * runtime/SymbolConstructor.cpp: |
| (JSC::callSymbol): |
| (JSC::symbolConstructorFor): |
| (JSC::symbolConstructorKeyFor): |
| * runtime/SymbolObject.cpp: |
| (JSC::SymbolObject::toStringName): |
| (JSC::SymbolObject::defaultValue): |
| * runtime/SymbolObject.h: |
| * runtime/SymbolPrototype.cpp: |
| (JSC::symbolProtoGetterDescription): |
| (JSC::symbolProtoFuncToString): |
| (JSC::symbolProtoFuncValueOf): |
| * runtime/TestRunnerUtils.cpp: |
| (JSC::failNextNewCodeBlock): |
| (JSC::numberOfDFGCompiles): |
| (JSC::setNeverInline): |
| (JSC::setNeverOptimize): |
| (JSC::setCannotUseOSRExitFuzzing): |
| (JSC::optimizeNextInvocation): |
| * runtime/TestRunnerUtils.h: |
| * runtime/ThrowScope.cpp: |
| (JSC::ThrowScope::throwException): |
| * runtime/ThrowScope.h: |
| (JSC::ThrowScope::throwException): |
| (JSC::throwException): |
| * runtime/ToNativeFromValue.h: |
| (JSC::toNativeFromValue): |
| * runtime/TypeError.h: |
| (JSC::typeError): |
| * runtime/TypedArrayController.h: |
| * runtime/VM.cpp: |
| (JSC::VM::throwException): |
| (JSC::VM::callPromiseRejectionCallback): |
| (JSC::QueuedTask::run): |
| (JSC::VM::deprecatedVMEntryGlobalObject const): |
| (JSC::VM::vmEntryGlobalObject const): Deleted. |
| * runtime/VM.h: |
| (JSC::VM::addressOfCallFrameForCatch): |
| (JSC::VM::handleTraps): |
| * runtime/VMEntryScope.cpp: |
| (JSC::VMEntryScope::VMEntryScope): |
| * runtime/VMEntryScope.h: |
| * runtime/VMTraps.cpp: |
| (JSC::VMTraps::invalidateCodeBlocksOnStack): |
| (JSC::VMTraps::handleTraps): |
| * runtime/VMTraps.h: |
| (JSC::VMTraps::invalidateCodeBlocksOnStack): |
| * runtime/Watchdog.cpp: |
| (JSC::Watchdog::shouldTerminate): |
| * runtime/Watchdog.h: |
| * runtime/WeakMapConstructor.cpp: |
| (JSC::callWeakMap): |
| (JSC::constructWeakMap): |
| * runtime/WeakMapPrototype.cpp: |
| (JSC::getWeakMap): |
| (JSC::protoFuncWeakMapDelete): |
| (JSC::protoFuncWeakMapGet): |
| (JSC::protoFuncWeakMapHas): |
| (JSC::protoFuncWeakMapSet): |
| * runtime/WeakObjectRefConstructor.cpp: |
| (JSC::callWeakRef): |
| (JSC::constructWeakRef): |
| * runtime/WeakObjectRefPrototype.cpp: |
| (JSC::getWeakRef): |
| (JSC::protoFuncWeakRefDeref): |
| * runtime/WeakSetConstructor.cpp: |
| (JSC::callWeakSet): |
| (JSC::constructWeakSet): |
| * runtime/WeakSetPrototype.cpp: |
| (JSC::getWeakSet): |
| (JSC::protoFuncWeakSetDelete): |
| (JSC::protoFuncWeakSetHas): |
| (JSC::protoFuncWeakSetAdd): |
| * tools/JSDollarVM.cpp: |
| (JSC::JSDollarVMCallFrame::create): |
| (JSC::JSDollarVMCallFrame::finishCreation): |
| (JSC::ImpureGetter::getOwnPropertySlot): |
| (JSC::CustomGetter::getOwnPropertySlot): |
| (JSC::CustomGetter::customGetter): |
| (JSC::CustomGetter::customGetterAcessor): |
| (JSC::RuntimeArray::create): |
| (JSC::RuntimeArray::getOwnPropertySlot): |
| (JSC::RuntimeArray::getOwnPropertySlotByIndex): |
| (JSC::RuntimeArray::put): |
| (JSC::RuntimeArray::deleteProperty): |
| (JSC::RuntimeArray::finishCreation): |
| (JSC::RuntimeArray::RuntimeArray): |
| (JSC::RuntimeArray::lengthGetter): |
| (JSC::testStaticAccessorGetter): |
| (JSC::testStaticAccessorPutter): |
| (JSC::StaticCustomAccessor::getOwnPropertySlot): |
| (JSC::DOMJITGetter::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetter::customGetter): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetterComplex::customGetter): |
| (JSC::DOMJITFunctionObject::functionWithTypeCheck): |
| (JSC::DOMJITFunctionObject::functionWithoutTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetterBaseJSObject::customGetter): |
| (JSC::customGetAccessor): |
| (JSC::customGetValue): |
| (JSC::customSetAccessor): |
| (JSC::customSetValue): |
| (JSC::functionWasmStreamingParserAddBytes): |
| (JSC::functionBreakpoint): |
| (JSC::functionGC): |
| (JSC::functionEdenGC): |
| (JSC::functionCallFrame): |
| (JSC::functionCodeBlockForFrame): |
| (JSC::codeBlockFromArg): |
| (JSC::doPrint): |
| (JSC::functionDumpCallFrame): |
| (JSC::functionDumpStack): |
| (JSC::functionCreateRuntimeArray): |
| (JSC::functionSetImpureGetterDelegate): |
| (JSC::functionCreateBuiltin): |
| (JSC::functionGetPrivateProperty): |
| (JSC::functionCreateElement): |
| (JSC::functionGetHiddenValue): |
| (JSC::functionSetHiddenValue): |
| (JSC::functionShadowChickenFunctionsOnStack): |
| (JSC::functionFindTypeForExpression): |
| (JSC::functionReturnTypeFor): |
| (JSC::functionHasBasicBlockExecuted): |
| (JSC::functionBasicBlockExecutionCount): |
| (JSC::changeDebuggerModeWhenIdle): |
| (JSC::functionEnableDebuggerModeWhenIdle): |
| (JSC::functionDisableDebuggerModeWhenIdle): |
| (JSC::functionGetGetterSetter): |
| (JSC::functionLoadGetterFromGetterSetter): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::currentThreadOwnsJSLock): |
| (JSC::ensureCurrentThreadOwnsJSLock): |
| (JSC::VMInspector::gc): |
| (JSC::VMInspector::edenGC): |
| (JSC::VMInspector::isValidCodeBlock): |
| (JSC::VMInspector::codeBlockForFrame): |
| (JSC::VMInspector::dumpCallFrame): |
| (JSC::VMInspector::dumpStack): |
| * tools/VMInspector.h: |
| * wasm/WasmCallingConvention.h: |
| * wasm/WasmEmbedder.h: |
| * wasm/WasmOperations.cpp: |
| (JSC::Wasm::operationThrowBadI64): |
| * wasm/WasmOperations.h: |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::allocateResultsArray): |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::reject): |
| (JSC::webAssemblyModuleValidateAsyncInternal): |
| (JSC::webAssemblyCompileFunc): |
| (JSC::resolve): |
| (JSC::JSWebAssembly::webAssemblyModuleValidateAsync): |
| (JSC::instantiate): |
| (JSC::compileAndInstantiate): |
| (JSC::JSWebAssembly::instantiate): |
| (JSC::webAssemblyModuleInstantinateAsyncInternal): |
| (JSC::JSWebAssembly::webAssemblyModuleInstantinateAsync): |
| (JSC::webAssemblyInstantiateFunc): |
| (JSC::webAssemblyValidateFunc): |
| (JSC::webAssemblyCompileStreamingInternal): |
| (JSC::webAssemblyInstantiateStreamingInternal): |
| * wasm/js/JSWebAssembly.h: |
| * wasm/js/JSWebAssemblyCompileError.cpp: |
| (JSC::JSWebAssemblyCompileError::create): |
| (JSC::createJSWebAssemblyCompileError): |
| * wasm/js/JSWebAssemblyCompileError.h: |
| * wasm/js/JSWebAssemblyHelpers.h: |
| (JSC::toNonWrappingUint32): |
| (JSC::getWasmBufferFromValue): |
| (JSC::createSourceBufferFromValue): |
| * wasm/js/JSWebAssemblyInstance.cpp: |
| (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): |
| (JSC::JSWebAssemblyInstance::finalizeCreation): |
| (JSC::JSWebAssemblyInstance::create): |
| * wasm/js/JSWebAssemblyInstance.h: |
| * wasm/js/JSWebAssemblyLinkError.cpp: |
| (JSC::JSWebAssemblyLinkError::create): |
| (JSC::createJSWebAssemblyLinkError): |
| * wasm/js/JSWebAssemblyLinkError.h: |
| * wasm/js/JSWebAssemblyMemory.cpp: |
| (JSC::JSWebAssemblyMemory::create): |
| (JSC::JSWebAssemblyMemory::grow): |
| * wasm/js/JSWebAssemblyMemory.h: |
| * wasm/js/JSWebAssemblyModule.cpp: |
| (JSC::JSWebAssemblyModule::createStub): |
| * wasm/js/JSWebAssemblyModule.h: |
| * wasm/js/JSWebAssemblyRuntimeError.cpp: |
| (JSC::JSWebAssemblyRuntimeError::create): |
| (JSC::createJSWebAssemblyRuntimeError): |
| * wasm/js/JSWebAssemblyRuntimeError.h: |
| * wasm/js/JSWebAssemblyTable.cpp: |
| (JSC::JSWebAssemblyTable::create): |
| * wasm/js/JSWebAssemblyTable.h: |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::handleBadI64Use): |
| (JSC::Wasm::wasmToJS): |
| (JSC::Wasm::wasmToJSException): |
| * wasm/js/WasmToJS.h: |
| * wasm/js/WebAssemblyCompileErrorConstructor.cpp: |
| (JSC::constructJSWebAssemblyCompileError): |
| (JSC::callJSWebAssemblyCompileError): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::callWebAssemblyFunction): |
| * wasm/js/WebAssemblyInstanceConstructor.cpp: |
| (JSC::constructJSWebAssemblyInstance): |
| (JSC::callJSWebAssemblyInstance): |
| * wasm/js/WebAssemblyInstanceConstructor.h: |
| * wasm/js/WebAssemblyInstancePrototype.cpp: |
| (JSC::getInstance): |
| (JSC::webAssemblyInstanceProtoFuncExports): |
| * wasm/js/WebAssemblyLinkErrorConstructor.cpp: |
| (JSC::constructJSWebAssemblyLinkError): |
| (JSC::callJSWebAssemblyLinkError): |
| * wasm/js/WebAssemblyMemoryConstructor.cpp: |
| (JSC::constructJSWebAssemblyMemory): |
| (JSC::callJSWebAssemblyMemory): |
| * wasm/js/WebAssemblyMemoryPrototype.cpp: |
| (JSC::getMemory): |
| (JSC::webAssemblyMemoryProtoFuncGrow): |
| (JSC::webAssemblyMemoryProtoFuncBuffer): |
| * wasm/js/WebAssemblyModuleConstructor.cpp: |
| (JSC::webAssemblyModuleCustomSections): |
| (JSC::webAssemblyModuleImports): |
| (JSC::webAssemblyModuleExports): |
| (JSC::constructJSWebAssemblyModule): |
| (JSC::callJSWebAssemblyModule): |
| (JSC::WebAssemblyModuleConstructor::createModule): |
| * wasm/js/WebAssemblyModuleConstructor.h: |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::create): |
| (JSC::WebAssemblyModuleRecord::finishCreation): |
| (JSC::WebAssemblyModuleRecord::link): |
| (JSC::dataSegmentFail): |
| (JSC::WebAssemblyModuleRecord::evaluate): |
| * wasm/js/WebAssemblyModuleRecord.h: |
| * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: |
| (JSC::constructJSWebAssemblyRuntimeError): |
| (JSC::callJSWebAssemblyRuntimeError): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| (JSC::callJSWebAssemblyTable): |
| * wasm/js/WebAssemblyTablePrototype.cpp: |
| (JSC::getTable): |
| (JSC::webAssemblyTableProtoFuncLength): |
| (JSC::webAssemblyTableProtoFuncGrow): |
| (JSC::webAssemblyTableProtoFuncGet): |
| (JSC::webAssemblyTableProtoFuncSet): |
| * wasm/js/WebAssemblyWrapperFunction.cpp: |
| (JSC::callWebAssemblyWrapperFunction): |
| * yarr/YarrErrorCode.cpp: |
| (JSC::Yarr::errorToThrow): |
| * yarr/YarrErrorCode.h: |
| |
| 2019-10-21 Mark Lam <mark.lam@apple.com> |
| |
| Rolling out r251411: Fix is incorrect. |
| https://bugs.webkit.org/show_bug.cgi?id=203230 |
| |
| Not reviewed. |
| |
| * dfg/DFGOperations.cpp: |
| |
| 2019-10-21 Mark Lam <mark.lam@apple.com> |
| |
| Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky(). |
| https://bugs.webkit.org/show_bug.cgi?id=203230 |
| <rdar://problem/56460749> |
| |
| Reviewed by Robin Morisset. |
| |
| operationRegExpExecNonGlobalOrSticky() was asserting no exception when |
| createRegExpMatchesArray() returns null. createRegExpMatchesArray() only returns |
| null when RegExp::matchInline() returns -1. The only way RegExp::matchInline() |
| can return -1 is via a throwError() helper which throws an exception. The other |
| return path in RegExp::matchInline() explicitly ASSERT(result >= -1). Hence, the |
| assertion in operationRegExpExecNonGlobalOrSticky() is wrong. |
| |
| * dfg/DFGOperations.cpp: |
| |
| 2019-10-21 Saam Barati <sbarati@apple.com> |
| |
| ValuePow's constant folding rule differs from what the runtime does |
| https://bugs.webkit.org/show_bug.cgi?id=203220 |
| <rdar://problem/56181441> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The constant folding rule for ValuePow was boxing the result using jsDoubleNumber, |
| where the runtime function was boxing the result using jsNumber. This patch makes |
| it so that constant folding agrees with what the runtime is doing. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| |
| 2019-10-21 Mark Lam <mark.lam@apple.com> |
| |
| Fix missing exception check in JSON Stringifier. |
| https://bugs.webkit.org/show_bug.cgi?id=203227 |
| <rdar://problem/56459854> |
| |
| Reviewed by Keith Miller. |
| |
| * runtime/JSONObject.cpp: |
| (JSC::Stringifier::Stringifier): |
| |
| 2019-10-21 Mark Lam <mark.lam@apple.com> |
| |
| Rolling out r251226: Causes a build speed regression. |
| https://bugs.webkit.org/show_bug.cgi?id=203219 |
| |
| Not reviewed. |
| |
| Apparently, compilers aren't very fast at compiling constexpr function invocations. |
| Rolling this out while I rework the patch to not have this build speed regression. |
| |
| * API/glib/JSCOptions.cpp: |
| (jscOptionsSetValue): |
| (jscOptionsGetValue): |
| (jsc_options_foreach): |
| (jsc_options_get_option_group): |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * runtime/JSCConfig.h: |
| * runtime/OptionEntry.h: Copied from Source/JavaScriptCore/runtime/OptionEntry.h. |
| * runtime/Options.cpp: |
| (JSC::Options::isAvailable): |
| (JSC::overrideOptionWithHeuristic): |
| (JSC::scaleJITPolicy): |
| (JSC::recomputeDependentOptions): |
| (JSC::Options::initialize): |
| (JSC::Options::setOptionWithoutAlias): |
| (JSC::Options::dumpAllOptions): |
| (JSC::Options::dumpOption): |
| (JSC::Option::dump const): |
| (JSC::Option::operator== const): |
| (JSC::optionTypeSpecificIndex): Deleted. |
| (JSC::Option::Option): Deleted. |
| (JSC::Option::defaultOption const): Deleted. |
| * runtime/Options.h: |
| (JSC::Option::Option): |
| (JSC::Option::id const): |
| (JSC::Option::name const): |
| (JSC::Option::description const): |
| (JSC::Option::type const): |
| (JSC::Option::availability const): |
| (JSC::Option::isOverridden const): |
| (JSC::Option::defaultOption const): |
| (JSC::Option::boolVal): |
| (JSC::Option::unsignedVal): |
| (JSC::Option::doubleVal): |
| (JSC::Option::int32Val): |
| (JSC::Option::optionRangeVal): |
| (JSC::Option::optionStringVal): |
| (JSC::Option::gcLogLevelVal): |
| (JSC::Option::idIndex const): Deleted. |
| (JSC::optionTypeSpecificIndex): Deleted. |
| * runtime/OptionsList.h: |
| (JSC::OptionRange::operator= ): Deleted. |
| (JSC::OptionRange::rangeString const): Deleted. |
| (JSC::countNumberOfJSCOptionsOfType): Deleted. |
| |
| 2019-10-21 Mark Lam <mark.lam@apple.com> |
| |
| Fix issues when setting public length on ArrayWithContiguous type butterflies. |
| https://bugs.webkit.org/show_bug.cgi?id=203211 |
| <rdar://problem/56476097> |
| |
| Reviewed by Keith Miller and Saam Barati. |
| |
| For ArrayWithContiguous type butterflies, SlotVisitor scans up to the public |
| length of the butterfly. When setting a new public length, if the new public |
| length is greater than the current, we should always writeBarrier after the |
| setting of the new public length. Otherwise, there can be a race where the GC |
| scans the butterfly after new values have been written to it but before the |
| public length has been updated. As a result, the new values never get scanned. |
| |
| For the DFG and FTL, the StoreBarrierInsertionPhase is responsible for inserting |
| the writeBarriers after the node. Hence, the writeBarrier is guaranteed to be |
| after the publicLength has been updated. |
| |
| * runtime/JSArray.cpp: |
| (JSC::JSArray::shiftCountWithArrayStorage): |
| (JSC::JSArray::shiftCountWithAnyIndexingType): |
| * runtime/JSArrayInlines.h: |
| (JSC::JSArray::pushInline): |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::putByIndex): |
| (JSC::JSObject::reallocateAndShrinkButterfly): |
| * runtime/JSObject.h: |
| (JSC::JSObject::setIndexQuickly): |
| |
| 2019-10-21 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: make ObjC protocol dispatcher commands optional and add `respondsToSelector` checks to allow other inspector clients to choose what they implement |
| https://bugs.webkit.org/show_bug.cgi?id=203197 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| This will help eliminate internal build failures, and will also allow other clients to |
| remove all of their commands that previously just responded with an "unsupported" error. |
| |
| * inspector/scripts/codegen/objc_generator_templates.py: |
| * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py: |
| (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_command): |
| (ObjCBackendDispatcherImplementationGenerator._generate_responds_to_selector_for_command): Added. |
| Add a `respondsToSelector` check before attempting to call the delegate function. |
| |
| * inspector/scripts/codegen/generate_objc_header.py: |
| (ObjCHeaderGenerator._generate_command_protocols): |
| Mark all commands as `@optional`. |
| |
| * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/generic/expected/command-targetType-matching-domain-debuggableType.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/domain-debuggableTypes.json-result: |
| * inspector/scripts/tests/generic/expected/domain-targetType-matching-domain-debuggableType.json-result: |
| * inspector/scripts/tests/generic/expected/domain-targetTypes.json-result: |
| * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result: |
| * inspector/scripts/tests/generic/expected/enum-values.json-result: |
| * inspector/scripts/tests/generic/expected/event-targetType-matching-domain-debuggableType.json-result: |
| * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: |
| * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: |
| |
| 2019-10-21 Saam Barati <sbarati@apple.com> |
| |
| JSON.parse has bad is array assert |
| https://bugs.webkit.org/show_bug.cgi?id=203207 |
| <rdar://problem/56366913> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| In r250860, we updated JSON.parse to be more spec compliant with how it |
| handles arrays. However, we also updated an assertion in an improper way, |
| where our assert was not accounting for the check we performed to take |
| that control flow path. |
| |
| * runtime/JSONObject.cpp: |
| (JSC::Walker::walk): |
| |
| 2019-10-21 Robin Morisset <rmorisset@apple.com> |
| |
| Throw the right exception upon memory exhaustion in Array::slice |
| https://bugs.webkit.org/show_bug.cgi?id=202650 |
| |
| Reviewed by Saam Barati. |
| |
| Trivial change: just use tryCreate instead of create, and throw an exception if it fails. |
| No security implication: we were just crashing instead of throwing a catchable exception. |
| |
| * runtime/ArrayBuffer.cpp: |
| (JSC::ArrayBuffer::slice const): |
| (JSC::ArrayBuffer::sliceImpl const): |
| * runtime/ArrayBuffer.h: |
| * runtime/JSArrayBufferPrototype.cpp: |
| (JSC::arrayBufferProtoFuncSlice): |
| |
| 2019-10-21 Basuke Suzuki <Basuke.Suzuki@sony.com> |
| |
| [WinCairo][PlayStation] Add automation support for RemoteInspector SocketServer implementation. |
| https://bugs.webkit.org/show_bug.cgi?id=199070 |
| |
| Reviewed by Ross Kirsling. |
| |
| Added handler for StartAutomationSession event from WebDriver and preparing for automation session. |
| |
| * inspector/remote/RemoteInspector.h: |
| * inspector/remote/socket/RemoteInspectorSocket.cpp: |
| (Inspector::RemoteInspector::listingForAutomationTarget const): |
| (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): |
| (Inspector::RemoteInspector::requestAutomationSession): |
| (Inspector::RemoteInspector::dispatchMap): |
| (Inspector::RemoteInspector::startAutomationSession): |
| |
| 2019-10-21 Mark Lam <mark.lam@apple.com> |
| |
| Remove all uses of untagCodePtr in debugging code. |
| https://bugs.webkit.org/show_bug.cgi?id=203188 |
| <rdar://problem/56453043> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/JSCPtrTag.cpp: |
| (JSC::tagForPtr): |
| |
| 2019-10-21 Robin Morisset <rmorisset@apple.com> |
| |
| Post increment/decrement should only call ToNumber once |
| https://bugs.webkit.org/show_bug.cgi?id=202711 |
| |
| Reviewed by Saam Barati. |
| |
| The problem is that we first called ToNumber on the object being incremented (to have the result that we'll eventually return), but we then do emitIncOrDec on the original object, which can call ToNumber again. |
| Instead we must do the ToNumber once, then copy its result, emitIncOrDec on the copy, put the copy back in the original location, and finally return the old value. |
| Since the result of ToNumber is guaranteed not to be an object, emitIncOrDec won't call ToNumber a second time. |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::emitPostIncOrDec): |
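As an added example (not code from the WebKit ChangeLog or from JSC), the following JavaScript makes the ToNumber conversion observable through a valueOf() hook and checks that a postfix increment or decrement converts its operand exactly once and yields the old numeric value; the helper names are assumptions.

```javascript
// Added example, not code from the WebKit ChangeLog or from JSC. It observes
// how many times ToNumber (here: valueOf) runs during a postfix ++/--.
// A conforming engine must convert the operand exactly once, store the
// incremented primitive back into the original location, and return the
// old numeric value (not the object).
function makeObservedNumber(value) {
  const probe = { value, toNumberCalls: 0 };
  probe.valueOf = function () {
    this.toNumberCalls++;
    return this.value;
  };
  return probe;
}

// Postfix increment on a local binding.
function postIncrementLocal(initial) {
  let x = makeObservedNumber(initial);
  const probe = x;        // keep the object reachable after x is overwritten
  const returned = x++;   // ToNumber(probe) must run exactly once here
  return { returned, stored: x, toNumberCalls: probe.toNumberCalls };
}

// Postfix decrement on an object property: the "original location" is a
// property slot, which the engine must write the copied result back into.
function postDecrementProperty(initial) {
  const holder = { n: makeObservedNumber(initial) };
  const probe = holder.n;
  const returned = holder.n--;
  return { returned, stored: holder.n, toNumberCalls: probe.toNumberCalls };
}

// valueOf() returning a string: the string is converted to a number, but
// valueOf() itself is still invoked only once, because the value being
// incremented is the ToNumber result, never the original object again.
function postIncrementStringValueOf() {
  let x = { calls: 0, valueOf() { this.calls++; return "7"; } };
  const probe = x;
  const returned = x++;
  return { returned, stored: x, toNumberCalls: probe.calls };
}
```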
| |
| 2019-10-18 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG::CommonData modification by DFG reallyAdd should be guarded by CodeBlock's lock |
| https://bugs.webkit.org/show_bug.cgi?id=203177 |
| |
| Reviewed by Mark Lam. |
| |
| When doing DFG reallyAdd, DFG::JITCode is already set in CodeBlock and DFG::CommonData can be |
| reachable from CodeBlock. So concurrent collector can trace entries of DFG::CommonData while DFG reallyAdd |
| is modifying it. It would be possible that we install DFG::JITCode after performing DFG reallyAdd, but for now, |
| we just protect DFG reallyAdd's DFG::CommonData modification by CodeBlock's lock so that concurrent collector |
| does not trace them in a racy manner. |
| |
| * dfg/DFGDesiredGlobalProperties.cpp: |
| (JSC::DFG::DesiredGlobalProperties::reallyAdd): |
| * dfg/DFGDesiredIdentifiers.cpp: |
| (JSC::DFG::DesiredIdentifiers::reallyAdd): |
| * dfg/DFGDesiredTransitions.cpp: |
| (JSC::DFG::DesiredTransition::reallyAdd): |
| * dfg/DFGDesiredWatchpoints.cpp: |
| (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add): |
| (JSC::DFG::SymbolTableAdaptor::add): |
| (JSC::DFG::FunctionExecutableAdaptor::add): |
| (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add): |
| * dfg/DFGDesiredWatchpoints.h: |
| (JSC::DFG::SetPointerAdaptor::add): |
| * dfg/DFGDesiredWeakReferences.cpp: |
| (JSC::DFG::DesiredWeakReferences::reallyAdd): |
| |
| 2019-10-18 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make ConcurrentJSLock Lock even if ENABLE_CONCURRENT_JS=OFF |
| https://bugs.webkit.org/show_bug.cgi?id=202892 |
| |
| Reviewed by Mark Lam. |
| |
| We are using ConcurrentJSLock to guard data structures against concurrent compilers. |
| But these data structures should be guarded by GC concurrent collector, so we are using this ConcurrentJSLock |
| to guard them against concurrent collector too. |
| The problem is that ENABLE(CONCURRENT_JS) relies on ENABLE(DFG_JIT). If we configure JSC with the options like, |
| |
| ENABLE_DFG_JIT 0 |
| ENABLE_FTL_JIT 0 |
| |
| Then, the built JSC becomes |
| |
| ENABLE_CONCURRENT_JS 0 |
| But, Concurrent GC is enabled. |
| |
| This is wrong due to several reasons. |
| |
| 1. Baseline JIT can produce JIT related data structures that are traced by concurrent collector. In the above options, |
| these data structures are not guarded by lock. |
| 2. Baseline JIT also has concurrent JIT compiler. But ENABLE_CONCURRENT_JS does not reflect this. |
| |
| In this patch, we fix two things. |
| |
| 1. We should make ConcurrentJSLock always Lock. In 64bit environment we are supporting actively (including watchOS ARM64_32), |
| we are enabling ENABLE(JIT) regardless of whether we are actually using JIT. So, anyway, this is already a Lock. Flipping these |
| bits does not matter in 32bit architectures since they do not have concurrent compilers anyway. This makes things simpler: |
| it is always a Lock. And concurrent collector can use it. |
| 2. We should make `ENABLE(CONCURRENT_JS)` ON when `ENABLE(JIT)` is true, to reflect the fact that Baseline JIT has concurrent compiler. |
| |
| * runtime/ConcurrentJSLock.h: |
| (JSC::ConcurrentJSLocker::ConcurrentJSLocker): |
| |
| 2019-10-18 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Elements: allow WebKit engineers to edit UserAgent shadow trees |
| https://bugs.webkit.org/show_bug.cgi?id=203159 |
| |
| Reviewed by Brian Burg. |
| |
| * inspector/protocol/DOM.json: |
| Add `setAllowEditingUserAgentShadowTrees` command. |
| |
| 2019-10-18 Fujii Hironori <Hironori.Fujii@sony.com> |
| |
| [Clang][Windows] Options.cpp(317,25): error: no matching function for call to 'optionTypeSpecificIndex' |
| https://bugs.webkit.org/show_bug.cgi?id=203142 |
| |
| Unreviewed build fix |
| |
| clang-cl reported a compilation error for MSVC bug workaround code of optionTypeSpecificIndex. |
| |
| runtime\Options.cpp(294,12): error: variables defined in a constexpr function must be initialized |
| size_t index; |
| ^ |
| * runtime/Options.cpp: |
| (JSC::optionTypeSpecificIndex): Initialize the variable 'index'. |
| |
| 2019-10-17 Mark Lam <mark.lam@apple.com> |
| |
| Add missing checks after calls to the sameValue() JSValue comparator. |
| https://bugs.webkit.org/show_bug.cgi?id=203126 |
| <rdar://problem/56366561> |
| |
| Reviewed by Saam Barati. |
| |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::defineOwnProperty): |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::defineOwnIndexedProperty): |
| (JSC::validateAndApplyPropertyDescriptor): |
| * runtime/PropertyDescriptor.cpp: |
| (JSC::PropertyDescriptor::equalTo const): |
| * runtime/ProxyObject.cpp: |
| (JSC::performProxyGet): |
| (JSC::ProxyObject::performPut): |
| (JSC::ProxyObject::performSetPrototype): |
| (JSC::ProxyObject::performGetPrototype): |
| * runtime/RegExpObject.cpp: |
| (JSC::RegExpObject::defineOwnProperty): |
| |
| 2019-10-17 Saam Barati <sbarati@apple.com> |
| |
| GetByVal and PutByVal on ArrayStorage need to use the same AbstractHeap |
| https://bugs.webkit.org/show_bug.cgi?id=203124 |
| <rdar://problem/55988183> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * dfg/DFGAbstractHeap.h: |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| |
| 2019-10-17 Mark Lam <mark.lam@apple.com> |
| |
| Harden capacity checks in DFG::LocalCSEPhase::SmallMap. |
| https://bugs.webkit.org/show_bug.cgi?id=203123 |
| <rdar://problem/56339943> |
| |
| Change addPure() and addImpure() to use RELEASE_ASSERT in their capacity checks. |
| |
| Reviewed by Keith Miller. |
| |
| * dfg/DFGCSEPhase.cpp: |
| |
| 2019-10-17 Mark Lam <mark.lam@apple.com> |
| |
| Use constexpr in more places and remove some unnecessary external linkage. |
| https://bugs.webkit.org/show_bug.cgi?id=203115 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * API/JSWrapperMap.mm: |
| * heap/MarkedBlock.cpp: |
| * inspector/JSGlobalObjectInspectorController.cpp: |
| (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): |
| * inspector/ScriptCallStack.h: |
| * interpreter/CLoopStack.h: |
| * interpreter/CallFrame.h: |
| * interpreter/ShadowChicken.h: |
| * jit/AssemblyHelpers.cpp: |
| (JSC::emitRandomThunkImpl): |
| * jit/GPRInfo.cpp: |
| * jit/GPRInfo.h: |
| * jit/JIT.h: |
| * jit/PCToCodeOriginMap.cpp: |
| * jit/SpecializedThunkJIT.h: |
| * jit/ThunkGenerators.cpp: |
| (JSC::roundThunkGenerator): |
| * jit/UnusedPointer.h: |
| * llint/LLIntData.h: |
| * llint/LLIntPCRanges.h: |
| * parser/Lexer.h: |
| * parser/Nodes.h: |
| * runtime/CodeCache.cpp: |
| * runtime/CodeCache.h: |
| * runtime/ErrorInstance.h: |
| * runtime/JSAsyncFunction.h: |
| * runtime/JSAsyncGeneratorFunction.h: |
| * runtime/JSBoundFunction.h: |
| * runtime/JSCallee.h: |
| * runtime/JSFunction.h: |
| * runtime/JSGeneratorFunction.h: |
| * runtime/JSNativeStdFunction.h: |
| * runtime/JSRunLoopTimer.cpp: |
| (): Deleted. |
| * runtime/JSRunLoopTimer.h: |
| * runtime/ProxyObject.h: |
| * runtime/Watchdog.cpp: |
| (): Deleted. |
| * runtime/Watchdog.h: |
| * wasm/js/WebAssemblyFunction.h: |
| * wasm/js/WebAssemblyFunctionBase.h: |
| * wasm/js/WebAssemblyWrapperFunction.h: |
| |
| 2019-10-17 Brent Fulgham <bfulgham@apple.com> |
| |
| Build fix for newer versions of MSVC. |
| |
| Rubber stamped by Mark Lam. |
| |
| Some versions of MSVC optimize the inline optimization of |
| index away, triggering an uninitialized variable error. This |
| change avoids this problem. |
| |
| * runtime/Options.cpp: |
| (JSC::optionTypeSpecificIndex): |
| |
| 2019-10-17 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: rework frontend agent construction to allow commands/events to be controlled by the related target's type |
| https://bugs.webkit.org/show_bug.cgi?id=200384 |
| <rdar://problem/53850352> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/scripts/codegen/generate_js_backend_commands.py: |
| (JSBackendCommandsGenerator.generate_domain): |
| (JSBackendCommandsGenerator.generate_domain.generate_parameter_object): |
| * inspector/scripts/codegen/models.py: |
| (validate_target_types): Added. |
| (Protocol.parse_domain): |
| (Protocol.parse_command): |
| (Protocol.parse_event): |
| (Domain.__init__): |
| (Domains): |
| (Command.__init__): |
| (Event.__init__): |
| * inspector/protocol/ApplicationCache.json: |
| * inspector/protocol/Audit.json: |
| * inspector/protocol/CPUProfiler.json: |
| * inspector/protocol/CSS.json: |
| * inspector/protocol/Canvas.json: |
| * inspector/protocol/Console.json: |
| * inspector/protocol/DOM.json: |
| * inspector/protocol/DOMDebugger.json: |
| * inspector/protocol/DOMStorage.json: |
| * inspector/protocol/Database.json: |
| * inspector/protocol/Debugger.json: |
| * inspector/protocol/Heap.json: |
| * inspector/protocol/IndexedDB.json: |
| * inspector/protocol/Inspector.json: |
| * inspector/protocol/LayerTree.json: |
| * inspector/protocol/Memory.json: |
| * inspector/protocol/Network.json: |
| * inspector/protocol/Page.json: |
| * inspector/protocol/Recording.json: |
| * inspector/protocol/Runtime.json: |
| * inspector/protocol/ScriptProfiler.json: |
| * inspector/protocol/Security.json: |
| * inspector/protocol/ServiceWorker.json: |
| * inspector/protocol/Target.json: |
| * inspector/protocol/Timeline.json: |
| * inspector/protocol/Worker.json: |
| Add `debuggableTypes` and `targetTypes` arrays to domains/commands/events that are used when |
| generating InspectorBackendCommands.js for more accurate compatibility checks. |
| |
| * inspector/InspectorTarget.h: |
| * inspector/agents/InspectorTargetAgent.h: |
| * inspector/agents/InspectorTargetAgent.cpp: |
| (Inspector::targetTypeToProtocolType): |
| (Inspector::InspectorTargetAgent::exists): Deleted. |
| Remove `Target.exists` now that the frontend can do proper feature checking. |
| |
| * inspector/remote/RemoteControllableTarget.h: |
| * inspector/remote/RemoteInspectionTarget.h: |
| * inspector/remote/RemoteInspectorConstants.h: |
| * inspector/remote/cocoa/RemoteInspectorCocoa.mm: |
| (Inspector::RemoteInspector::listingForInspectionTarget const): |
| * inspector/remote/glib/RemoteInspectorGlib.cpp: |
| (Inspector::RemoteInspector::listingForInspectionTarget const): |
| * inspector/remote/socket/RemoteInspectorSocket.cpp: |
| (Inspector::RemoteInspector::listingForInspectionTarget const): |
| Split the `Web` debuggable type into `Page` (WebCore::Page) and `WebPage` (WebKit::WebPageProxy). |
| |
| * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/generic/command-targetType-matching-domain-debuggableType.json: Added. |
| * inspector/scripts/tests/generic/domain-availability.json: Removed. |
| * inspector/scripts/tests/generic/domain-debuggableTypes.json: Added. |
| * inspector/scripts/tests/generic/domain-targetType-matching-domain-debuggableType.json: Added. |
| * inspector/scripts/tests/generic/domain-targetTypes.json: Added. |
| * inspector/scripts/tests/generic/event-targetType-matching-domain-debuggableType.json: Added. |
| * inspector/scripts/tests/generic/expected/command-targetType-matching-domain-debuggableType.json-result: Added. |
| * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/domain-debuggableTypes.json-result: Added. |
| * inspector/scripts/tests/generic/expected/domain-targetType-matching-domain-debuggableType.json-result: Added. |
| * inspector/scripts/tests/generic/expected/domain-targetTypes.json-result: Added. |
| * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result: |
| * inspector/scripts/tests/generic/expected/enum-values.json-result: |
| * inspector/scripts/tests/generic/expected/event-targetType-matching-domain-debuggableType.json-result: Added. |
| * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/fail-on-command-targetType-matching-domain-debuggableType.json-error: Added. |
| * inspector/scripts/tests/generic/expected/fail-on-command-targetTypes-type.json-error: Added. |
| * inspector/scripts/tests/generic/expected/fail-on-command-targetTypes-value.json-error: Added. |
| * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Removed. |
| * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Removed. |
| * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error: Removed. |
| * inspector/scripts/tests/generic/expected/fail-on-domain-debuggableTypes-type.json-error: Added. |
| * inspector/scripts/tests/generic/expected/fail-on-domain-debuggableTypes-value.json-error: Added. |
| * inspector/scripts/tests/generic/expected/fail-on-domain-targetType-matching-domain-debuggableType.json-error: Added. |
| * inspector/scripts/tests/generic/expected/fail-on-domain-targetTypes-type.json-error: Added. |
| * inspector/scripts/tests/generic/expected/fail-on-domain-targetTypes-value.json-error: Added. |
| * inspector/scripts/tests/generic/expected/fail-on-event-targetType-matching-domain-debuggableType.json-error: Added. |
| * inspector/scripts/tests/generic/expected/fail-on-event-targetTypes-type.json-error: Added. |
| * inspector/scripts/tests/generic/expected/fail-on-event-targetTypes-value.json-error: Added. |
| * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: |
| * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result: |
| * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result: |
| * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result: |
| * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result: |
| * inspector/scripts/tests/generic/expected/version.json-result: |
| * inspector/scripts/tests/generic/fail-on-command-targetType-matching-domain-debuggableType.json: Added. |
| * inspector/scripts/tests/generic/fail-on-command-targetTypes-type.json: Added. |
| * inspector/scripts/tests/generic/fail-on-command-targetTypes-value.json: Added. |
| * inspector/scripts/tests/generic/fail-on-domain-debuggableTypes-type.json: Added. |
| * inspector/scripts/tests/generic/fail-on-domain-debuggableTypes-value.json: Added. |
| * inspector/scripts/tests/generic/fail-on-domain-targetType-matching-domain-debuggableType.json: Added. |
| * inspector/scripts/tests/generic/fail-on-domain-targetTypes-type.json: Added. |
| * inspector/scripts/tests/generic/fail-on-domain-targetTypes-value.json: Added. |
| * inspector/scripts/tests/generic/fail-on-event-targetType-matching-domain-debuggableType.json: Added. |
| * inspector/scripts/tests/generic/fail-on-event-targetTypes-type.json: Added. |
| * inspector/scripts/tests/generic/fail-on-event-targetTypes-value.json: Added. |
| * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: |
| Update test results, as well as add new tests for `debuggableTypes` and `targetTypes`. |
| |
| 2019-10-16 Mark Lam <mark.lam@apple.com> |
| |
| Reduce the amount of memory needed to store Options. |
| https://bugs.webkit.org/show_bug.cgi?id=202105 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The size of the JSC::Config needed to store the Options is now reduced to 4K |
| instead of 16K, enabled by constexpr template magic. |
| |
| 1. Instead of all options in a large array of OptionEntry (which is a union of |
| all the option types), we now have separate arrays for each of the types of |
| options. For example, |
| |
| Removed g_jscConfig.options[]. |
| Added g_jscConfig.typeBoolOptions[]. |
| Added g_jscConfig.typeInt32Options[]. |
| Added g_jscConfig.typeDoubleOptions[]. |
| ... |
| |
| We used to find the storage for the option using g_jscConfig.options[Options::ID]. |
| We now find the storage for each type of option using |
| g_jscConfig.options[optionTypeSpecificIndex<OptionTypeID, OptionID>()]. For |
| example, Options::useJIT() used to be implemented as: |
| |
| inline bool& Options::useJIT() |
| { |
| return g_jscConfig.options[Options::useJITID]; |
| } |
| |
| ... which is now replaced with: |
| |
| inline bool& Options::useJIT() |
| { |
| return g_jscConfig.typeBoolOptions[optionTypeSpecificIndex<OptionTypeID::Bool, OptionID::useJIT>()]; |
| } |
| |
| MSVC has a bug where it cannot handle very large source files: see |
| https://developercommunity.visualstudio.com/content/problem/653301/fatal-error-c1002-compiler-is-out-of-heap-space-in.html. |
| This bug prevents this patch from building on MSVC. To work around this bug, |
| we don't inline the Options accessors when COMPILER(MSVC). This prevents MSVC |
| from having to parse the large body of template code used to implement |
| the inline accessors in every file that #includes "Options.h". |
| |
| Also add the @no-unify attribute to Options.cpp (where we put the accessors) |
| so that it doesn't trigger the MSVC bug also. |
| |
| 2. Introduce the optionTypeSpecificIndex() constexpr template function for |
| computing the index of each option in their respective type specific options |
| array. |
| |
| 3. Introduce OptionTypes, OptionTypeID, and OptionID. |
| |
| The OptionTypes namespace replaces OptionEntry as the container of option types. |
| The OptionID enum class replaces Options::ID. |
| The OptionTypeID enum class is new and is used together with OptionID in |
| constexpr templates to compute the typeSpecificIndex of options. |
| |
| 4. Removed the OptionEntry struct and OptionEntry.h. After (1), this struct is |
| only used in the Option class. We just moved the union of option types (that |
| OptionEntry embeds) into the Option class. |
| |
| Moved class OptionRange into OptionsList.h. |
| |
| 5. Removed the large OptionEntry arrays from JSC::Config. |
| Added type specific options arrays. |
| Also ordered these arrays to maximize compactness and minimize internal fragmentation. |
| |
| 6. Changed scaleJITPolicy() to go directly to g_jscConfig.typeInt32Options[] |
| instead of going through the Option wrapper object. This allows us to simplify |
| things and make the Option class a read only interface of options. |
| |
| 7. Changed Options::initialize() to only compute the option default value once. |
| The default value specified in the OptionsList may not always be a constant. |
| Sometimes, it is a function call. |
| |
| 8. The Option class now only gives read only access to the options. |
| |
| The Option class' role is to provide an interface for reading an option at any |
| given OptionID without first knowing about the type of the specific option. |
| It is useful for iterating options, and is currently only used by |
| Options::dumpOption(). |
| |
| Technically, we could merge all the Option class code into its single client. |
| We opted not to do this because the amount of code is non-trivial, and the |
| Option class does a good job of encapsulating this functionality. |
| |
| * API/glib/JSCOptions.cpp: |
| (jscOptionsSetValue): |
| (jscOptionsGetValue): |
| (jsc_options_foreach): |
| (jsc_options_get_option_group): |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * runtime/JSCConfig.h: |
| * runtime/OptionEntry.h: Removed. |
| * runtime/Options.cpp: |
| (JSC::Options::isAvailable): |
| (JSC::overrideOptionWithHeuristic): |
| (JSC::optionTypeSpecificIndex): |
| (JSC::scaleJITPolicy): |
| (JSC::recomputeDependentOptions): |
| (JSC::Options::initialize): |
| (JSC::Options::setOptionWithoutAlias): |
| (JSC::Options::dumpAllOptions): |
| (JSC::Options::dumpOption): |
| (JSC::Option::Option): |
| (JSC::Option::defaultOption const): |
| (JSC::Option::dump const): |
| (JSC::Option::operator== const): |
| * runtime/Options.h: |
| (JSC::Option::id const): |
| (JSC::Option::name const): |
| (JSC::Option::description const): |
| (JSC::Option::type const): |
| (JSC::Option::availability const): |
| (JSC::Option::isOverridden const): |
| (JSC::Option::Option): |
| (JSC::Option::idIndex const): |
| (JSC::optionTypeSpecificIndex): |
| (JSC::Option::defaultOption const): Deleted. |
| (JSC::Option::boolVal): Deleted. |
| (JSC::Option::unsignedVal): Deleted. |
| (JSC::Option::doubleVal): Deleted. |
| (JSC::Option::int32Val): Deleted. |
| (JSC::Option::optionRangeVal): Deleted. |
| (JSC::Option::optionStringVal): Deleted. |
| (JSC::Option::gcLogLevelVal): Deleted. |
| * runtime/OptionsList.h: |
| (JSC::OptionRange::operator= ): |
| (JSC::OptionRange::rangeString const): |
| (JSC::countNumberOfJSCOptionsOfType): |
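The type-specific index scheme described in this entry, as an added illustration that is not JavaScriptCore's code (JSC's real OptionsList.h, Options.h and JSCConfig are far larger). It assumes a constructed six-entry option list and three option types; `TypeSpecificStorage`, `DemoConfig`, `g_demoConfig`, `initializeDemoOptions`, `oldLayoutSize` and `newLayoutSize` are names this example introduces, while `optionTypeSpecificIndex`, `countNumberOfOptionsOfType`, `OptionTypeID`, `OptionID` and `OptionEntry` mirror the names in the entry but are reimplemented here:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed option list for this example (type, name, default).
#define FOR_EACH_DEMO_OPTION(v) \
    v(Bool,   useJIT,          true)  \
    v(Int32,  thresholdForJIT, 500)   \
    v(Bool,   useDFGJIT,       true)  \
    v(Double, gcMaxHeapGrowth, 1.5)   \
    v(Int32,  maxInlineDepth,  5)     \
    v(Bool,   validateGraph,   false)

enum class OptionTypeID : uint8_t { Bool, Int32, Double };

enum class OptionID : uint16_t {
#define DECLARE_ID(type_, name_, default_) name_,
    FOR_EACH_DEMO_OPTION(DECLARE_ID)
#undef DECLARE_ID
    NumberOfOptions
};

// Type of every option, indexed by OptionID; the constexpr code below reads only this table.
constexpr OptionTypeID optionTypes[] = {
#define DECLARE_TYPE(type_, name_, default_) OptionTypeID::type_,
    FOR_EACH_DEMO_OPTION(DECLARE_TYPE)
#undef DECLARE_TYPE
};

// How many options have the given type; this sizes that type's array.
constexpr size_t countNumberOfOptionsOfType(OptionTypeID type)
{
    size_t count = 0;
    for (OptionTypeID t : optionTypes)
        if (t == type) ++count;
    return count;
}

// Position of `id` inside the array holding all options of type `type`: the number of
// earlier options sharing that type. Folded at compile time, so an accessor becomes a
// load at a constant offset; the static_assert rejects a mismatched type/id pair.
template<OptionTypeID type, OptionID id>
constexpr size_t optionTypeSpecificIndex()
{
    static_assert(optionTypes[static_cast<size_t>(id)] == type, "option is not of the requested type");
    size_t index = 0;
    for (size_t i = 0; i < static_cast<size_t>(id); ++i)
        if (optionTypes[i] == type) ++index;
    return index;
}

// Old layout for comparison: one union slot per option, each as wide as the widest member.
union OptionEntry { bool boolVal; int32_t int32Val; double doubleVal; };

// New layout: one packed array per type, widest type first so no padding sits between arrays.
struct DemoConfig {
    double typeDoubleOptions[countNumberOfOptionsOfType(OptionTypeID::Double)];
    int32_t typeInt32Options[countNumberOfOptionsOfType(OptionTypeID::Int32)];
    bool typeBoolOptions[countNumberOfOptionsOfType(OptionTypeID::Bool)];
};

DemoConfig g_demoConfig = {};

// Maps an OptionTypeID to its storage type and its array inside DemoConfig.
template<OptionTypeID> struct TypeSpecificStorage;
template<> struct TypeSpecificStorage<OptionTypeID::Bool> {
    using Type = bool; static Type* array(DemoConfig& c) { return c.typeBoolOptions; } };
template<> struct TypeSpecificStorage<OptionTypeID::Int32> {
    using Type = int32_t; static Type* array(DemoConfig& c) { return c.typeInt32Options; } };
template<> struct TypeSpecificStorage<OptionTypeID::Double> {
    using Type = double; static Type* array(DemoConfig& c) { return c.typeDoubleOptions; } };

// One accessor per option, in the shape the entry shows for Options::useJIT().
#define DECLARE_ACCESSOR(type_, name_, default_) \
    inline TypeSpecificStorage<OptionTypeID::type_>::Type& name_() \
    { \
        return TypeSpecificStorage<OptionTypeID::type_>::array(g_demoConfig) \
            [optionTypeSpecificIndex<OptionTypeID::type_, OptionID::name_>()]; \
    }
FOR_EACH_DEMO_OPTION(DECLARE_ACCESSOR)
#undef DECLARE_ACCESSOR

// Evaluate each default exactly once and store it in the type-specific array.
inline void initializeDemoOptions()
{
#define SET_DEFAULT(type_, name_, default_) name_() = default_;
    FOR_EACH_DEMO_OPTION(SET_DEFAULT)
#undef SET_DEFAULT
}

// Bytes used by the old and the new layout for this option list.
constexpr size_t oldLayoutSize() { return sizeof(OptionEntry) * static_cast<size_t>(OptionID::NumberOfOptions); }
constexpr size_t newLayoutSize() { return sizeof(DemoConfig); }

int main()
{
    initializeDemoOptions();
    std::printf("useJIT -> typeBoolOptions[%zu], thresholdForJIT -> typeInt32Options[%zu]\n",
        optionTypeSpecificIndex<OptionTypeID::Bool, OptionID::useJIT>(),
        optionTypeSpecificIndex<OptionTypeID::Int32, OptionID::thresholdForJIT>());
    std::printf("old layout: %zu bytes, new layout: %zu bytes\n", oldLayoutSize(), newLayoutSize());
    return 0;
}
```

The index computation runs entirely in the compiler, so each accessor is a load at a fixed offset, and the `static_assert` inside `optionTypeSpecificIndex` turns a mis-paired `OptionTypeID`/`OptionID` into a build error rather than a read from the wrong array. Ordering the per-type arrays widest-first is what keeps the struct free of internal padding, which is the point of item 5.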
| |
| 2019-10-16 Keith Miller <keith_miller@apple.com> |
| |
| Move assert in Wasm::Plan::fail. |
| https://bugs.webkit.org/show_bug.cgi?id=203052 |
| |
| Reviewed by Mark Lam. |
| |
| Since we changed how Wasm::Plan interacts with the streaming |
| parser it's possible for the streaming parser to call fail with no |
| error message (because the corresponding Wasm::Plan already |
| failed). This patch moves an erroneous assert so it no longer |
| trips when this happens. |
| |
| * wasm/WasmPlan.cpp: |
| (JSC::Wasm::Plan::fail): |
| |
| 2019-10-16 Keith Miller <keith_miller@apple.com> |
| |
| checkConsistency in Air O0 should only run when validation is enabled |
| https://bugs.webkit.org/show_bug.cgi?id=203050 |
| |
| Reviewed by Saam Barati. |
| |
| I reused the validateGraph and validateGraphAtEachPhase options |
| because adding a new option and threading it through all our |
| testing infrastructure didn't seem worthwhile for this. |
| |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: |
| (JSC::B3::Air::GenerateAndAllocateRegisters::checkConsistency): |
| |
| 2019-10-16 Paulo Matos <pmatos@igalia.com> and Caio Lima <ticaiolima@gmail.com> |
| |
| Invalid instruction generated for ARM_THUMB2 in llint |
| https://bugs.webkit.org/show_bug.cgi?id=202844 |
| |
| Reviewed by Saam Barati. |
| |
| Do not allow instruction execution to reach OSR return label on ARMv7. |
| Currently we are seeing the instruction execution hitting a .word directive in |
| the instruction stream and segfaulting. There are two words used to represent a |
| global label which was generated as part of the OSR Exit to LLInt work |
| (r250806). The double word generation only occurs on ARMv7 and therefore the |
| segfault manifests itself only there. |
| |
| * llint/LowLevelInterpreter.asm: |
| |
| 2019-10-16 Paulo Matos <pmatos@linki.tools> |
| |
| Fix GCC warning on MIPS about dead variable metadata |
| https://bugs.webkit.org/show_bug.cgi?id=202987 |
| |
| Reviewed by Keith Miller. |
| |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_get_internal_field): |
| |
| 2019-10-15 Mark Lam <mark.lam@apple.com> |
| |
| operationSwitchCharWithUnknownKeyType failed to handle OOME when resolving rope string. |
| https://bugs.webkit.org/show_bug.cgi?id=202312 |
| <rdar://problem/55782280> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| operationSwitchCharWithUnknownKeyType() can only dispatch to a case handler |
| if the key string is of length 1. All other cases should dispatch to the default |
| handler. This patch also adds the missing OOME check. |
| |
| Also fixed a bug in SpeculativeJIT::emitSwitchCharStringJump() where the slow |
| path rope resolution was returning after the length check. It needs to return to |
| the point before the length check. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump): |
| * jit/JITOperations.cpp: |
| |
| 2019-10-15 Peng Liu <peng.liu6@apple.com> |
| |
| [Picture-in-Picture Web API] Implement HTMLVideoElement.requestPictureInPicture() / Document.exitPictureInPicture() |
| https://bugs.webkit.org/show_bug.cgi?id=201024 |
| |
| Reviewed by Eric Carlson. |
| |
| Add configurations for Picture-in-Picture API. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-10-15 Angelos Oikonomopoulos <aoikonomopoulos@igalia.com> |
| |
| Interpreter: Don't assert that reference is nonnull |
| https://bugs.webkit.org/show_bug.cgi?id=202986 |
| |
| Reviewed by Keith Miller. |
| |
| G++ 9.2 can assume that the address of a reference is nonnull and |
| emits multiple warnings to that effect in --debug builds. |
| |
| * interpreter/FrameTracers.h: |
| (JSC::NativeCallFrameTracer::NativeCallFrameTracer): |
| |
| 2019-10-14 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r251090. |
| https://bugs.webkit.org/show_bug.cgi?id=202959 |
| |
| "broke tests" (Requested by RMorisset on #webkit). |
| |
| Reverted changeset: |
| |
| "Split ArithProfile into a Unary and a Binary version" |
| https://bugs.webkit.org/show_bug.cgi?id=202832 |
| https://trac.webkit.org/changeset/251090 |
| |
| 2019-10-14 Robin Morisset <rmorisset@apple.com> |
| |
| Split ArithProfile into a Unary and a Binary version |
| https://bugs.webkit.org/show_bug.cgi?id=202832 |
| |
| Reviewed by Keith Miller. |
| |
| ArithProfile was for a long time only used for add/sub/mul/div, but recently it started being used for negate. And it will soon also have to be used for inc and dec due to BigInt. |
| So in this patch I make a separate version that only has the data for a single argument, and thus takes half as much memory. |
| |
| * bytecode/ArithProfile.cpp: |
| (JSC::ArithProfile<BitfieldType>::emitObserveResult): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetDouble const): |
| (JSC::ArithProfile<BitfieldType>::emitSetDouble const): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetNonNumeric const): |
| (JSC::ArithProfile<BitfieldType>::shouldEmitSetBigInt const): |
| (JSC::ArithProfile<BitfieldType>::emitSetNonNumeric const): |
| (JSC::ArithProfile<BitfieldType>::emitSetBigInt const): |
| (WTF::printInternal): |
| * bytecode/ArithProfile.h: |
| (JSC::ArithProfile::didObserveNonInt32 const): |
| (JSC::ArithProfile::didObserveDouble const): |
| (JSC::ArithProfile::didObserveNonNegZeroDouble const): |
| (JSC::ArithProfile::didObserveNegZeroDouble const): |
| (JSC::ArithProfile::didObserveNonNumeric const): |
| (JSC::ArithProfile::didObserveBigInt const): |
| (JSC::ArithProfile::didObserveInt32Overflow const): |
| (JSC::ArithProfile::didObserveInt52Overflow const): |
| (JSC::ArithProfile::setObservedNonNegZeroDouble): |
| (JSC::ArithProfile::setObservedNegZeroDouble): |
| (JSC::ArithProfile::setObservedNonNumeric): |
| (JSC::ArithProfile::setObservedBigInt): |
| (JSC::ArithProfile::setObservedInt32Overflow): |
| (JSC::ArithProfile::setObservedInt52Overflow): |
| (JSC::ArithProfile::observeResult): |
| (JSC::ArithProfile::addressOfBits const): |
| (JSC::ArithProfile::bits const): |
| (JSC::ArithProfile::ArithProfile): |
| (JSC::ArithProfile::hasBits const): |
| (JSC::ArithProfile::setBit): |
| (JSC::UnaryArithProfile::UnaryArithProfile): |
| (JSC::UnaryArithProfile::observedIntBits): |
| (JSC::UnaryArithProfile::observedNumberBits): |
| (JSC::UnaryArithProfile::argResultType const): |
| (JSC::UnaryArithProfile::argObservedType const): |
| (JSC::UnaryArithProfile::setArgObservedType): |
| (JSC::UnaryArithProfile::argSawInt32): |
| (JSC::UnaryArithProfile::argSawNumber): |
| (JSC::UnaryArithProfile::argSawNonNumber): |
| (JSC::UnaryArithProfile::observeArg): |
| (JSC::UnaryArithProfile::isObservedTypeEmpty): |
| (JSC::BinaryArithProfile::BinaryArithProfile): |
| (JSC::BinaryArithProfile::observedIntIntBits): |
| (JSC::BinaryArithProfile::observedNumberIntBits): |
| (JSC::BinaryArithProfile::observedIntNumberBits): |
| (JSC::BinaryArithProfile::observedNumberNumberBits): |
| (JSC::BinaryArithProfile::observeLHS): |
| (JSC::BinaryArithProfile::observeLHSAndRHS): |
| (JSC::BinaryArithProfile::isObservedTypeEmpty): |
| * bytecode/BytecodeList.rb: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::addJITAddIC): |
| (JSC::CodeBlock::addJITMulIC): |
| (JSC::CodeBlock::addJITSubIC): |
| (JSC::CodeBlock::addJITNegIC): |
| (JSC::CodeBlock::binaryArithProfileForBytecodeOffset): |
| (JSC::CodeBlock::unaryArithProfileForBytecodeOffset): |
| (JSC::CodeBlock::binaryArithProfileForPC): |
| (JSC::CodeBlock::unaryArithProfileForPC): |
| (JSC::CodeBlock::couldTakeSpecialFastCase): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::addMathIC): |
| * bytecode/Fits.h: |
| * bytecode/MethodOfGettingAValueProfile.cpp: |
| (JSC::MethodOfGettingAValueProfile::emitReportValue const): |
| (JSC::MethodOfGettingAValueProfile::reportValue): |
| * bytecode/MethodOfGettingAValueProfile.h: |
| (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::emitUnaryOp): |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::UnaryOpNode::emitBytecode): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::makeSafe): |
| (JSC::DFG::ByteCodeParser::makeDivSafe): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::methodOfGettingAValueProfileFor): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileValueAdd): |
| (JSC::DFG::SpeculativeJIT::compileValueSub): |
| (JSC::DFG::SpeculativeJIT::compileValueNegate): |
| (JSC::DFG::SpeculativeJIT::compileValueMul): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): |
| (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate): |
| * jit/JIT.h: |
| * jit/JITAddGenerator.cpp: |
| (JSC::JITAddGenerator::generateInline): |
| (JSC::JITAddGenerator::generateFastPath): |
| * jit/JITAddGenerator.h: |
| * jit/JITArithmetic.cpp: |
| (JSC::JIT::emit_op_negate): |
| (JSC::JIT::emit_op_add): |
| (JSC::JIT::emitMathICFast): |
| (JSC::JIT::emitMathICSlow): |
| (JSC::JIT::emit_op_div): |
| (JSC::JIT::emit_op_mul): |
| (JSC::JIT::emit_op_sub): |
| * jit/JITDivGenerator.cpp: |
| (JSC::JITDivGenerator::generateFastPath): |
| * jit/JITDivGenerator.h: |
| (JSC::JITDivGenerator::JITDivGenerator): |
| * jit/JITInlines.h: |
| (JSC::JIT::copiedArithProfile): |
| * jit/JITMathIC.h: |
| (JSC::JITMathIC::JITMathIC): |
| (JSC::JITMathIC::generateInline): |
| (JSC::JITMathIC::arithProfile const): |
| (JSC::isBinaryProfileEmpty): |
| (JSC::JITBinaryMathIC::JITBinaryMathIC): |
| (JSC::isUnaryProfileEmpty): |
| (JSC::JITUnaryMathIC::JITUnaryMathIC): |
| * jit/JITMulGenerator.cpp: |
| (JSC::JITMulGenerator::generateInline): |
| (JSC::JITMulGenerator::generateFastPath): |
| * jit/JITMulGenerator.h: |
| * jit/JITNegGenerator.cpp: |
| (JSC::JITNegGenerator::generateInline): |
| (JSC::JITNegGenerator::generateFastPath): |
| * jit/JITNegGenerator.h: |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/JITSubGenerator.cpp: |
| (JSC::JITSubGenerator::generateInline): |
| (JSC::JITSubGenerator::generateFastPath): |
| * jit/JITSubGenerator.h: |
| * llint/LLIntData.cpp: |
| (JSC::LLInt::Data::performAssertions): |
| * llint/LLIntOffsetsExtractor.cpp: |
| (JSC::LLIntOffsetsExtractor::dummy): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * parser/ResultType.h: |
| (JSC::ResultType::ResultType): |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::updateArithProfileForUnaryArithOp): |
| (JSC::updateArithProfileForBinaryArithOp): |
| (JSC::SLOW_PATH_DECL): |
| |
| 2019-10-14 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] GetterSetter should be JSCell, not JSObject |
| https://bugs.webkit.org/show_bug.cgi?id=202656 |
| |
| Reviewed by Tadeu Zagallo and Saam Barati. |
| |
| Essentially, GetterSetter is not a JSObject. It is like a JSCell. But we made GetterSetter JSObject |
| to leverage existing strict-eq implementations for JSObject: pointer-comparison. But given the following |
| conditions, |
| |
| 1. GetterSetter strict-eq comparison only happens in builtin code when using @tryGetById. |
| 2. RHS of that comparison is always folded into constant in DFG. |
| 3. We already use pointer-comparison for cells that are neither JSString nor JSBigInt. |
| 4. DFG strength reduction already has a rule which makes `CompareStrictEq(Cell-not-JSString/JSBigInt, Constant)` `ComparePtrEq`. |
| |
| So we already support non-JSString/JSBigInt cell comparison in JSC JS code. We should use it instead of making GetterSetter JSObject. |
| This patch makes GetterSetter JSCell, and makes getterSetterStructure per-VM structure. |
| |
| The attached test reported AI validation failure. AI assumed that GetterSetter's realm should be the same as the base object's. But |
| this is incorrect in our runtime code: we are creating GetterSetter with lexical realm (JSGlobalObject). But the fundamental problem |
| is that GetterSetter is JSObject and tied to JSGlobalObject while it is not necessary. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGFixupPhase.cpp: |
| * runtime/GetterSetter.cpp: |
| * runtime/GetterSetter.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::getGetterById): |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::regExpProtoGlobalGetter const): |
| (JSC::JSGlobalObject::regExpProtoUnicodeGetter const): |
| (JSC::JSGlobalObject::customGetterSetterFunctionStructure const): |
| (JSC::JSGlobalObject::getterSetterStructure const): Deleted. |
| * runtime/JSType.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-10-14 Saam Barati <sbarati@apple.com> |
| |
| Canonicalize how we prepare the prototype chain for inline caching |
| https://bugs.webkit.org/show_bug.cgi?id=202827 |
| <rdar://problem/56193919> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch canonicalizes how we prepare the prototype chain for caching. Both |
| in the poly proto chain, and the generateConditions*, we were flattening |
| dictionaries as we walk the prototype chain. We now unify that into one |
| function called `preparePrototypeChainForCaching`. In that, we flatten |
| dictionaries as we traverse the prototype chain, and note if any objects |
| are poly proto. |
| |
| My patch in r250540 made it so we now flatten uncacheable dictionaries (this |
| was the intention all along, but it was a perf bug that we didn't do this). That |
| revealed that the inline caching code could use a stale PropertyOffset when |
| flattening an uncacheable dictionary. This patch makes it so we universally |
| just defer caching until later if we encounter a situation where we flatten |
| a dictionary that could be a property holder. |
| |
| * bytecode/ObjectPropertyConditionSet.cpp: |
| (JSC::generateConditionsForPrototypeEquivalenceConcurrently): |
| (JSC::generateConditionsForPropertyMissConcurrently): |
| (JSC::generateConditionsForPropertySetterMissConcurrently): |
| (JSC::preparePrototypeChainForCaching): |
| * bytecode/ObjectPropertyConditionSet.h: |
| * bytecode/PolyProtoAccessChain.cpp: |
| (JSC::PolyProtoAccessChain::create): |
| * bytecode/PolyProtoAccessChain.h: |
| (JSC::PolyProtoAccessChain::slotBaseStructure const): |
| * jit/Repatch.cpp: |
| (JSC::tryCacheGetByID): |
| (JSC::tryCachePutByID): |
| (JSC::tryCacheInByID): |
| (JSC::tryCacheInstanceOf): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::setupGetByIdPrototypeCache): |
| * runtime/StructureRareData.cpp: |
| (JSC::StructureRareData::setObjectToStringValue): |
| |
| 2019-10-11 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Debugger: support pattern blackboxing |
| https://bugs.webkit.org/show_bug.cgi?id=198855 |
| |
| Reviewed by Timothy Hatcher. |
| |
| Allow scripts to be blackboxed based on URL patterns (in addition to individual URLs) which |
| can be extremely useful when trying to step through unminified library/framework code. |
| |
| * inspector/agents/InspectorDebuggerAgent.h: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::enable): |
| (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): |
| (Inspector::InspectorDebuggerAgent::shouldBlackboxURL const): Added. |
| (Inspector::InspectorDebuggerAgent::didParseSource): |
| |
| * inspector/protocol/Debugger.json: |
| Add `caseSensitive` and `isRegex` optional boolean parameters to `setShouldBlackboxURL`. |
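How the two new parameters combine with the existing per-URL blackbox list, as an added illustration that is not the InspectorDebuggerAgent code: the `BlackboxEntry` struct, the search-anywhere semantics for regex entries, the sample URLs and the helper names are all assumptions of this example.

```cpp
#include <algorithm>
#include <cctype>
#include <regex>
#include <string>
#include <vector>

// One entry per setShouldBlackboxURL() call (constructed shape, not the agent's own type).
struct BlackboxEntry {
    std::string pattern;   // literal URL, or regular-expression source when isRegex
    bool caseSensitive;    // compare or match respecting case
    bool isRegex;          // treat `pattern` as a regex instead of a literal URL
};

static std::string toLowerASCII(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(),
        [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Assumption for this example: a regex entry matches if it is found anywhere in the URL,
// while a literal entry must equal the whole URL (the pre-existing behaviour).
bool matchesBlackboxEntry(const BlackboxEntry& entry, const std::string& url)
{
    if (!entry.isRegex) {
        if (entry.caseSensitive)
            return entry.pattern == url;
        return toLowerASCII(entry.pattern) == toLowerASCII(url);
    }
    std::regex::flag_type flags = std::regex::ECMAScript;
    if (!entry.caseSensitive)
        flags |= std::regex::icase;
    try {
        return std::regex_search(url, std::regex(entry.pattern, flags));
    } catch (const std::regex_error&) {
        // A malformed pattern sent by the frontend must not take the debugger down;
        // treat it as matching nothing.
        return false;
    }
}

// The per-script decision: blackbox the script if any configured entry matches its URL.
bool shouldBlackboxURL(const std::vector<BlackboxEntry>& entries, const std::string& url)
{
    return std::any_of(entries.begin(), entries.end(),
        [&](const BlackboxEntry& entry) { return matchesBlackboxEntry(entry, url); });
}

// Constructed sample configuration, as a frontend might send it.
std::vector<BlackboxEntry> sampleBlackboxEntries()
{
    return {
        { "https://cdn.example.com/vendor/framework.js", true, false }, // exact URL, as before
        { "\\.min\\.js$", false, true },                                 // any minified bundle
        { "[unterminated", true, true },                                 // malformed: ignored safely
    };
}
```

Catching `std::regex_error` matters because the pattern arrives over the inspector protocol; a bad pattern should simply never match rather than throw out of `didParseSource`.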
| |
| 2019-10-08 Ryosuke Niwa <rniwa@webkit.org> |
| |
| Make WebInspector's remote debug EventLoop code into RunLoop |
| https://bugs.webkit.org/show_bug.cgi?id=202716 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Updated the code to use RunLoop::cycle instead of now deleted EventLoop class. |
| |
| The runloop mode used in Apple's port is moved to RemoteInspectionTarget::runLoopMode |
| with a special case for watchOS. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * inspector/JSGlobalObjectScriptDebugServer.cpp: |
| (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused): |
| (Inspector::JSGlobalObjectScriptDebugServer::runLoopMode): Added. |
| * inspector/remote/RemoteInspectionTarget.cpp: |
| (Inspector::RemoteInspectionTarget::pauseWaitingForAutomaticInspection): |
| Invoke CFRunLoopAddSource with the runloop mode only, except on watchOS where |
| we use the default runloop anyway. |
| * inspector/remote/RemoteInspectionTarget.h: |
| * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: |
| (Inspector::RemoteTargetInitializeGlobalQueue): |
| (Inspector::RemoteConnectionToTarget::setupRunLoop): |
| (Inspector::RemoteConnectionToTarget::teardownRunLoop): |
| |
| 2019-10-10 Ryosuke Niwa <rniwa@webkit.org> |
| |
| Make it safe to store a ThreadSafeRefCounted object in Ref & RefPtr inside its destructor |
| https://bugs.webkit.org/show_bug.cgi?id=201576 |
| <rdar://problem/56001847> |
| |
| Reviewed by Geoffrey Garen and Mark Lam. |
| |
| Made DropAllLocks::DropAllLocks check Heap::isShuttingDown instead of VM's refCount being 0 to detect |
| when VM is getting destroyed. |
| |
| * runtime/JSLock.cpp: |
| (JSC::JSLock::DropAllLocks::DropAllLocks): |
| |
| 2019-10-11 Keith Miller <keith_miller@apple.com> |
| |
| Wasm B3IRGenerator should use arguments for control data. |
| https://bugs.webkit.org/show_bug.cgi?id=202855 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This was failing a test on our bots. I'm not sure how I missed |
| it... I also added another test for good measure. |
| |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::ControlData::ControlData): |
| |
| 2019-10-10 Keith Miller <keith_miller@apple.com> |
| |
| GenerateAndAllocateRegisters can trivially elide self moves at end of liveness |
| https://bugs.webkit.org/show_bug.cgi?id=202833 |
| |
| Reviewed by Saam Barati. |
| |
| This also fixes a bug where if a tmp is moved to itself at the end of its lifetime |
| we would mess up the accounting for the tmp. |
| |
| In order to catch these bugs earlier during generation I added a |
| checkConsistency function that checks that if a tmp is in a reg, that reg is |
| not available and that reg thinks the tmp is also allocated in it. |
| |
| * b3/B3Bank.h: |
| (JSC::B3::bankForReg): |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: |
| (JSC::B3::Air::GenerateAndAllocateRegisters::checkConsistency): |
| (JSC::B3::Air::GenerateAndAllocateRegisters::generate): |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: |
| |
| 2019-10-10 Yury Semikhatsky <yurys@chromium.org> |
| |
| Web Inspector: use more C++ keywords for defining agents |
| https://bugs.webkit.org/show_bug.cgi?id=200959 |
| <rdar://problem/54735374> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Add override annotation to overridden virtual methods in inspector code. This |
| change is automatically generated by the following command: |
| clang-tidy -checks='-*,modernize-use-override' -header-filter='.*inspector.*' -fix -p WebKitBuild/Release/ |
| WebKitBuild/Release/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-84c9f43f-*.cpp |
| WebKitBuild/Release/DerivedSources/WebCore/unified-sources/UnifiedSource-84c9f43f-*.cpp |
| |
| * inspector/InjectedScript.h: |
| * inspector/InjectedScriptModule.h: |
| * inspector/JSGlobalObjectConsoleClient.h: |
| * inspector/JSGlobalObjectInspectorController.h: |
| * inspector/JSGlobalObjectScriptDebugServer.h: |
| * inspector/JSInjectedScriptHost.cpp: |
| * inspector/ScriptDebugServer.h: |
| * inspector/agents/InspectorAgent.h: |
| * inspector/agents/InspectorAuditAgent.h: |
| * inspector/agents/InspectorConsoleAgent.h: |
| * inspector/agents/InspectorDebuggerAgent.h: |
| * inspector/agents/InspectorHeapAgent.h: |
| * inspector/agents/InspectorRuntimeAgent.h: |
| * inspector/agents/InspectorScriptProfilerAgent.h: |
| * inspector/agents/InspectorTargetAgent.h: |
| * inspector/agents/JSGlobalObjectAuditAgent.h: |
| * inspector/agents/JSGlobalObjectDebuggerAgent.h: |
| * inspector/agents/JSGlobalObjectRuntimeAgent.h: |
| * inspector/remote/RemoteAutomationTarget.h: |
| * inspector/remote/RemoteConnectionToTarget.h: |
| |
| 2019-10-10 Basuke Suzuki <Basuke.Suzuki@sony.com> |
| |
| [WinCairo] Move remote communication handling from RemoteInspectorServer to RemoteInspector. |
| https://bugs.webkit.org/show_bug.cgi?id=202763 |
| |
| Reviewed by Ross Kirsling. |
| |
| Because RemoteInspector now exists in UIProcess, the old implementation, which communicated with RemoteInspector |
| in WebProcess and RemoteInspectorServer in UIProcess, was meaningless or even bad. Remove this complex |
| implementation, move communication handling from RemoteInspectorServer to RemoteInspector, and let them communicate |
| with each other directly. |
| |
| * inspector/remote/RemoteInspector.h: |
| * inspector/remote/socket/RemoteInspectorConnectionClient.cpp: |
| * inspector/remote/socket/RemoteInspectorConnectionClient.h: |
| * inspector/remote/socket/RemoteInspectorServer.cpp: |
| (Inspector::RemoteInspectorServer::~RemoteInspectorServer): |
| (Inspector::RemoteInspectorServer::start): |
| (Inspector::RemoteInspectorServer::didAccept): |
| * inspector/remote/socket/RemoteInspectorServer.h: |
| * inspector/remote/socket/RemoteInspectorSocket.cpp: |
| (Inspector::RemoteInspector::connect): |
| (Inspector::RemoteInspector::didClose): |
| (Inspector::RemoteInspector::sendWebInspectorEvent): |
| (Inspector::RemoteInspector::start): |
| (Inspector::RemoteInspector::stopInternal): |
| (Inspector::RemoteInspector::pushListingsNow): |
| (Inspector::RemoteInspector::pushListingsSoon): |
| (Inspector::RemoteInspector::sendMessageToRemote): |
| (Inspector::RemoteInspector::setup): |
| (Inspector::RemoteInspector::sendMessageToTarget): |
| (Inspector::RemoteInspector::backendCommands const): |
| (Inspector::RemoteInspector::dispatchMap): |
| (Inspector::RemoteInspector::setupInspectorClient): |
| (Inspector::RemoteInspector::setupTarget): |
| (Inspector::RemoteInspector::frontendDidClose): |
| (Inspector::RemoteInspector::sendMessageToBackend): |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: |
| (Inspector::RemoteInspectorSocketEndpoint::~RemoteInspectorSocketEndpoint): |
| (Inspector::RemoteInspectorSocketEndpoint::listenInet): |
| (Inspector::RemoteInspectorSocketEndpoint::isListening): |
| (Inspector::RemoteInspectorSocketEndpoint::workerThread): |
| (Inspector::RemoteInspectorSocketEndpoint::generateConnectionID): |
| (Inspector::RemoteInspectorSocketEndpoint::makeConnection): |
| (Inspector::RemoteInspectorSocketEndpoint::createClient): |
| (Inspector::RemoteInspectorSocketEndpoint::createListener): |
| (Inspector::RemoteInspectorSocketEndpoint::invalidateListener): |
| (Inspector::RemoteInspectorSocketEndpoint::getPort const): |
| (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled): |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: |
| |
| 2019-10-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, speculative fix for build failure on 32-bit |
| https://bugs.webkit.org/show_bug.cgi?id=202569 |
| |
| * llint/LowLevelInterpreter32_64.asm: |
| |
| 2019-10-09 Saam Barati <sbarati@apple.com> |
| |
| Unreviewed. Try to fix build for Windows C_LOOP |
| |
| * llint/LowLevelInterpreter.asm: |
| |
| 2019-10-09 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, roll out r250878 |
| https://bugs.webkit.org/show_bug.cgi?id=202656 |
| |
| Breaking Vimeo page. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGFixupPhase.cpp: |
| * runtime/GetterSetter.cpp: |
| * runtime/GetterSetter.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::getGetterById): |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::regExpProtoGlobalGetter const): |
| (JSC::JSGlobalObject::regExpProtoUnicodeGetter const): |
| (JSC::JSGlobalObject::getterSetterStructure const): |
| * runtime/JSType.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-10-09 Adrian Perez de Castro <aperez@igalia.com> |
| |
| Unreviewed build fix for non-unified builds. |
| |
| * dfg/DFGByteCodeParser.cpp: Add missing inclusion of the GetterSetter.h header. |
| |
| 2019-10-09 Fujii Hironori <Hironori.Fujii@sony.com> |
| |
| [Win] error LNK2019: unresolved external symbol "public: __cdecl JSC::Strong<enum JSC::Unknown>::Strong<enum JSC::Unknown>(class JSC::VM &,class JSC::JSValue)" |
| https://bugs.webkit.org/show_bug.cgi?id=202722 |
| |
| Unreviewed flaky build fix for Windows ports. |
| |
| JSC::Strong is used without including "StrongInlines.h". |
| |
| * runtime/JSCInlines.h: Added #include "StrongInlines.h". |
| |
| 2019-10-08 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] FTL vmCall should check # of arguments |
| https://bugs.webkit.org/show_bug.cgi?id=202683 |
| |
| Reviewed by Saam Barati. |
| |
| This patch inserts static_assert for # of arguments when using FTL vmCall. |
| It turned out that such a check is useful when converting ExecState* to JSGlobalObject*: |
| for example, first adding a JSGlobalObject* parameter, getting it to compile, and removing the ExecState* and m_callFrame parameters later. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStrCat): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueMod): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValuePow): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithRound): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayify): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): |
| (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest): |
| (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys): |
| (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArray): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToNumber): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSameValue): |
| (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSwitch): |
| (JSC::FTL::DFG::LowerDFGToB3::compileThrow): |
| (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError): |
| (JSC::FTL::DFG::LowerDFGToB3::mapHashString): |
| (JSC::FTL::DFG::LowerDFGToB3::compileMapHash): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileMapSet): |
| (JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileParseInt): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFast): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace): |
| (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::compare): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant): |
| (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval): |
| (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): |
| (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare): |
| (JSC::FTL::DFG::LowerDFGToB3::stringsEqual): |
| (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket): |
| (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds): |
| (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow): |
| (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier): |
| (JSC::FTL::DFG::LowerDFGToB3::vmCall): |
| * ftl/FTLOutput.h: |
| (JSC::FTL::Output::callWithoutSideEffects): |
| |
| 2019-10-08 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, roll out r250848 |
| https://bugs.webkit.org/show_bug.cgi?id=202683 |
| |
| Causing JSTests failures. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStrCat): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueMod): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValuePow): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithRound): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayify): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): |
| (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest): |
| (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys): |
| (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArray): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToNumber): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSameValue): |
| (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSwitch): |
| (JSC::FTL::DFG::LowerDFGToB3::compileThrow): |
| (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError): |
| (JSC::FTL::DFG::LowerDFGToB3::mapHashString): |
| (JSC::FTL::DFG::LowerDFGToB3::compileMapHash): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileMapSet): |
| (JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileParseInt): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFast): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace): |
| (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::compare): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant): |
| (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval): |
| (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): |
| (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare): |
| (JSC::FTL::DFG::LowerDFGToB3::stringsEqual): |
| (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket): |
| (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds): |
| (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow): |
| (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier): |
| (JSC::FTL::DFG::LowerDFGToB3::vmCall): |
| |
| 2019-10-08 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] GetterSetter should be JSCell, not JSObject |
| https://bugs.webkit.org/show_bug.cgi?id=202656 |
| |
| Reviewed by Tadeu Zagallo and Saam Barati. |
| |
| Essentially, GetterSetter is not a JSObject. It is like a JSCell. But we made GetterSetter a JSObject |
| to leverage existing strict-eq implementations for JSObject: pointer-comparison. But given the following |
| conditions, |
| |
| 1. GetterSetter strict-eq comparison only happens in builtin code when using @tryGetById. |
| 2. RHS of that comparison is always folded into constant in DFG. |
| 3. We already use pointer-comparison for cells that are neither JSString nor JSBigInt. |
| 4. DFG strength reduction already has a rule which makes `CompareStrictEq(Cell-not-JSString/JSBigInt, Constant)` `ComparePtrEq`. |
| |
| So we already support non-JSString/JSBigInt cell comparison in JSC JS code. We should use it instead of making GetterSetter a JSObject. |
| This patch makes GetterSetter a JSCell, and makes getterSetterStructure a per-VM structure. |
| |
| The attached test reported AI validation failure. AI assumed that GetterSetter's realm should be the same as the base object's. But |
| this is incorrect in our runtime code: we are creating GetterSetter with the lexical realm (JSGlobalObject). But the fundamental problem |
| is that GetterSetter is a JSObject and tied to JSGlobalObject while it is not necessary. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGFixupPhase.cpp: |
| * runtime/GetterSetter.cpp: |
| * runtime/GetterSetter.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::getGetterById): |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::regExpProtoGlobalGetter const): |
| (JSC::JSGlobalObject::regExpProtoUnicodeGetter const): |
| (JSC::JSGlobalObject::customGetterSetterFunctionStructure const): |
| (JSC::JSGlobalObject::getterSetterStructure const): Deleted. |
| * runtime/JSType.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-10-08 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Canvas: modifications to shader modules can be shared between vertex/fragment shaders |
| https://bugs.webkit.org/show_bug.cgi?id=202031 |
| |
| Reviewed by Dean Jackson. |
| |
| * inspector/protocol/Canvas.json: |
| Create a distinct `ShaderProgram` type so that additional data can be bundled and sent to |
| the frontend as part of the `programCreated` event without having to worry about having too |
| many arguments. |
| |
| 2019-10-08 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| JSON.parse incorrectly handles array proxies |
| https://bugs.webkit.org/show_bug.cgi?id=199292 |
| |
| Reviewed by Saam Barati. |
| |
| 1. Use isArray to correctly detect proxied arrays. |
| 2. Make "length" lookup observable to array proxies and handle exceptions. |
| |
| * runtime/JSONObject.cpp: |
| (JSC::Walker::walk): |
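The two points of this fix (detect proxied arrays with IsArray, and make the "length" read observable and exception-propagating) are observable from script. The following is an added example, not code from the WebKit ChangeLog or from JSC: it runs under any engine that follows the JSON.parse reviver algorithm (Node/V8 works) and records which Proxy traps the reviver walk fires on an array proxy. The JSON text, the trap-recording handler and the function names are constructed for the illustration; the reviver swaps a Proxy into a not-yet-visited key because the walk only descends into values it reads from the holder, never into values a reviver returns.

```javascript
// Added example: observe how JSON.parse's reviver walk treats a Proxy whose
// target is an array. Per spec, the walk calls IsArray (which sees through the
// proxy), reads "length" via [[Get]], then visits indices 0..length-1 with
// [[Get]], [[DefineOwnProperty]] (keep) or [[Delete]] (reviver returned undefined).
function traceProxyArrayRevival() {
  const trace = [];
  const recordingHandler = {
    get(target, key, receiver) {
      trace.push(`get:${String(key)}`);
      return Reflect.get(target, key, receiver);
    },
    defineProperty(target, key, desc) {
      trace.push(`define:${String(key)}`);
      return Reflect.defineProperty(target, key, desc);
    },
    deleteProperty(target, key) {
      trace.push(`delete:${String(key)}`);
      return Reflect.deleteProperty(target, key);
    },
  };

  // Constructed input. Keys are collected before the walk, so "b" is visited
  // after "a"; the reviver for "a" replaces root.b with a proxied array so the
  // walk then reads root.b and gets the proxy.
  const text = '{"a":1,"b":[10,20,30]}';
  const seen = []; // order in which the reviver is invoked (post-order)
  const result = JSON.parse(text, function (key, value) {
    seen.push(key);
    if (key === 'a') {
      this.b = new Proxy([7, 8], recordingHandler); // `this` is the holder
    }
    if (key === '1') return undefined; // element 1 of the proxy gets deleted
    return value;
  });
  // trace: ['get:length', 'get:0', 'define:0', 'get:1', 'delete:1']
  // seen:  ['a', '0', '1', 'b', '']
  return { trace, seen, result };
}

// Added example: an exception thrown from the proxy's "length" read must
// propagate out of JSON.parse instead of being swallowed or crashing the walk.
function lengthLookupThrows() {
  const poison = new Proxy([1], {
    get(target, key, receiver) {
      if (key === 'length') throw new RangeError('length trap fired');
      return Reflect.get(target, key, receiver);
    },
  });
  try {
    JSON.parse('{"a":0,"b":[]}', function (key, value) {
      if (key === 'a') this.b = poison;
      return value;
    });
    return null; // not reached in a spec-compliant engine
  } catch (e) {
    return e instanceof RangeError ? e.message : String(e);
  }
}
```

Running `traceProxyArrayRevival()` shows that the original `[10,20,30]` elements are never visited (they were replaced before the walk read `root.b`), while the proxy's `length`, `0` and `1` are all read through its traps. An engine that checked the concrete array type instead of IsArray would take the object path here and miss the `length` read entirely, which is the discrepancy this change removes.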
| |
| 2019-10-08 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [GTK][WPE] Fix non-unified builds after r250486 |
| https://bugs.webkit.org/show_bug.cgi?id=202636 |
| |
| Reviewed by Youenn Fablet. |
| |
| * runtime/JSLock.h: Add missing inclusion of wtf/ForbidHeapAllocation.h |
| * wasm/WasmSignature.cpp: Add missing inclusions of wtf/CommaPrinter.h and |
| wtf/StringPrintStream.h (needed by debug builds). |
| * wasm/WasmStreamingParser.cpp: Add missing inclusion of WasmSignatureInlines.h to |
| avoid missing symbols during linking. |
| |
| 2019-10-08 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] FTL vmCall should check # of arguments |
| https://bugs.webkit.org/show_bug.cgi?id=202683 |
| |
| Reviewed by Saam Barati. |
| |
| This patch inserts static_assert for # of arguments when using FTL vmCall. |
| It turned out that such a check is useful when converting ExecState* to JSGlobalObject*: |
| for example, first adding a JSGlobalObject* parameter, getting it to compile, and removing the ExecState* and m_callFrame parameters later. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStrCat): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueMod): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValuePow): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithRound): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayify): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): |
| (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest): |
| (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys): |
| (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArray): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToNumber): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSameValue): |
| (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSwitch): |
| (JSC::FTL::DFG::LowerDFGToB3::compileThrow): |
| (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError): |
| (JSC::FTL::DFG::LowerDFGToB3::mapHashString): |
| (JSC::FTL::DFG::LowerDFGToB3::compileMapHash): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileMapSet): |
| (JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd): |
| (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileParseInt): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest): |
| (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFast): |
| (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace): |
| (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::compare): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice): |
| (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant): |
| (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval): |
| (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): |
| (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare): |
| (JSC::FTL::DFG::LowerDFGToB3::stringsEqual): |
| (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket): |
| (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds): |
| (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow): |
| (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier): |
| (JSC::FTL::DFG::LowerDFGToB3::vmCall): |
| |
| 2019-10-07 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Clean up ThunkGenerator's nativeCallTrampoline generator code |
| https://bugs.webkit.org/show_bug.cgi?id=202657 |
| |
| Reviewed by Saam Barati. |
| |
| ThunkGenerator has per-architecture JIT code for nativeForGenerator, but this is unnecessary. |
| This patch cleans it up and unifies the implementations. |
| |
| * jit/ThunkGenerators.cpp: |
| (JSC::nativeForGenerator): |
| |
| 2019-10-07 Saam Barati <sbarati@apple.com> |
| |
| Allow OSR exit to the LLInt |
| https://bugs.webkit.org/show_bug.cgi?id=197993 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| This patch makes it so we can OSR exit to the LLInt. |
| Here are the interesting implementation details: |
| |
| 1. We no longer baseline compile everything in the inline stack. |
| |
| 2. When the top frame is a LLInt frame, we exit to the corresponding |
| LLInt bytecode. However, we need to materialize the LLInt registers |
| for PC, PB, and metadata. |
| |
| 3. When dealing with inline call frames where the caller is LLInt, we |
| need to return to the appropriate place. Let's consider we're exiting |
| at a place A->B (A calls B), where A is LLInt. If A is a normal call, |
| we place the return PC in the frame we materialize to B to be right |
| after the LLInt's inline cache for calls. If A is a varargs call, we place |
| it at the return location for vararg calls. The interesting scenario here |
| is where A is a getter/setter. This means that A might be get_by_id, |
| get_by_val, put_by_id, or put_by_val. Since the LLInt does not have any |
| form of IC for getters/setters, we make this work by creating new LLInt |
| "return location" stubs for these opcodes. |
| |
| 4. We need to update what callee saves we store in the callee if the caller frame |
| is a LLInt frame. Let's consider an inline stack A->B->C, where A is a LLInt frame. |
| When we materialize the stack frame for B, we need to ensure that the LLInt callee |
| saves that A uses are stored into B's preserved callee saves. Specifically, this |
| is just the PB/metadata registers. |
| |
| This patch also fixes offlineasm's macro expansion to allow us to |
| use computed label names for global labels. |
| |
| In a future bug, I'm going to investigate some kind of control system for |
| throwing away baseline code when we tier up: |
| https://bugs.webkit.org/show_bug.cgi?id=202503 |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::metadataTable): |
| (JSC::CodeBlock::instructionsRawPointer): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::executeOSRExit): |
| (JSC::DFG::reifyInlinedCallFrames): |
| (JSC::DFG::adjustAndJumpToTarget): |
| (JSC::DFG::OSRExit::compileOSRExit): |
| * dfg/DFGOSRExit.h: |
| (JSC::DFG::OSRExitState::OSRExitState): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::callerReturnPC): |
| (JSC::DFG::calleeSaveSlot): |
| (JSC::DFG::reifyInlinedCallFrames): |
| (JSC::DFG::adjustAndJumpToTarget): |
| * dfg/DFGOSRExitCompilerCommon.h: |
| * dfg/DFGOSRExitPreparation.cpp: |
| (JSC::DFG::prepareCodeOriginForOSRExit): Deleted. |
| * dfg/DFGOSRExitPreparation.h: |
| * ftl/FTLOSRExitCompiler.cpp: |
| (JSC::FTL::compileFTLOSRExit): |
| * llint/LLIntData.h: |
| (JSC::LLInt::getCodePtr): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * offlineasm/asm.rb: |
| * offlineasm/transform.rb: |
| * runtime/OptionsList.h: |
| |
| 2019-10-07 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Change signature of HostFunction to (JSGlobalObject*, CallFrame*) |
| https://bugs.webkit.org/show_bug.cgi?id=202569 |
| |
| Reviewed by Saam Barati. |
| |
| This patch changes JSC host functions' signature from `CallFrame*` to `JSGlobalObject*, CallFrame*`. |
| We would like to replace the current `ExecState*` use with `JSGlobalObject*` to fix many issues, remove |
| the globalExec() hack, and remove the `ExecState::vm()` hack. This is important since this hack prevents us from |
| implementing the scalable IsoSubspace optimization, which leads to putting all JS cells in each IsoSubspace. |
| |
| To get the lexical JSGlobalObject in a super fast way, we put it in a JSFunction/InternalFunction field. |
| And the trampoline gets the JSGlobalObject from the callee and passes it as its argument. Since this trampoline already |
| accesses the callee's field to get the executable address, getting another field is fairly cheap. |
| The memory increase does not matter in this case. The sizeof(JSFunction) is 40. Since our allocation size of |
| JSCells is rounded to 16, increasing one field does not change the actual allocation size. And the number of InternalFunctions |
| is very limited since it is only used for constructors in JSC. |
| |
| This patch changes the signature. And for the ExecState* -> JSGlobalObject* preparation, we use the `CallFrame*` name |
| instead of `ExecState*` in the host functions, and use the `callFrame` variable name instead of `state` or `exec`. |
| And we also get VM& from `JSGlobalObject*` instead of `CallFrame*` since it is faster. |
| |
| * API/APICallbackFunction.h: |
| (JSC::APICallbackFunction::call): |
| (JSC::APICallbackFunction::construct): |
| * API/APICast.h: |
| * API/JSAPIGlobalObject.mm: |
| (JSC::JSAPIGlobalObject::moduleLoaderFetch): |
| * API/JSBaseInternal.h: |
| * API/JSCallbackObject.h: |
| * API/JSCallbackObjectFunctions.h: |
| (JSC::JSCallbackObject<Parent>::construct): |
| (JSC::JSCallbackObject<Parent>::call): |
| * bytecode/InlineCallFrame.h: |
| * debugger/Debugger.h: |
| * dfg/DFGArithMode.h: |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor): |
| (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): |
| * dfg/DFGGraph.h: |
| * dfg/DFGOSREntry.h: |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| * ftl/FTLOSREntry.h: |
| * inspector/ConsoleMessage.h: |
| * inspector/InjectedScriptBase.cpp: |
| (Inspector::InjectedScriptBase::makeAsyncCall): |
| * inspector/InjectedScriptManager.h: |
| * inspector/JSGlobalObjectInspectorController.h: |
| * inspector/JSInjectedScriptHostPrototype.cpp: |
| (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate): |
| (Inspector::jsInjectedScriptHostPrototypeAttributeSavedResultAlias): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionIsPromiseRejectedWithNativeGetterTypeError): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionProxyTargetValue): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionQueryInstances): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionQueryHolders): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties): |
| * inspector/JSJavaScriptCallFramePrototype.cpp: |
| (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension): |
| (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions): |
| (Inspector::jsJavaScriptCallFrameAttributeCaller): |
| (Inspector::jsJavaScriptCallFrameAttributeSourceID): |
| (Inspector::jsJavaScriptCallFrameAttributeLine): |
| (Inspector::jsJavaScriptCallFrameAttributeColumn): |
| (Inspector::jsJavaScriptCallFrameAttributeFunctionName): |
| (Inspector::jsJavaScriptCallFrameAttributeScopeChain): |
| (Inspector::jsJavaScriptCallFrameAttributeThisObject): |
| (Inspector::jsJavaScriptCallFrameAttributeType): |
| (Inspector::jsJavaScriptCallFrameIsTailDeleted): |
| * inspector/ScriptArguments.h: |
| * inspector/ScriptCallStackFactory.h: |
| * inspector/ScriptDebugServer.h: |
| * inspector/agents/InspectorConsoleAgent.h: |
| * interpreter/AbstractPC.h: |
| * interpreter/CallFrame.h: |
| (JSC::ExecState::guaranteedJSValueCallee const): Deleted. |
| (JSC::ExecState::jsCallee const): Deleted. |
| (JSC::ExecState::callee const): Deleted. |
| (JSC::ExecState::unsafeCallee const): Deleted. |
| (JSC::ExecState::codeBlock const): Deleted. |
| (JSC::ExecState::addressOfCodeBlock const): Deleted. |
| (JSC::ExecState::unsafeCodeBlock const): Deleted. |
| (JSC::ExecState::scope const): Deleted. |
| (JSC::ExecState::create): Deleted. |
| (JSC::ExecState::registers): Deleted. |
| (JSC::ExecState::registers const): Deleted. |
| (JSC::ExecState::operator=): Deleted. |
| (JSC::ExecState::callerFrame const): Deleted. |
| (JSC::ExecState::callerFrameOrEntryFrame const): Deleted. |
| (JSC::ExecState::unsafeCallerFrameOrEntryFrame const): Deleted. |
| (JSC::ExecState::callerFrameOffset): Deleted. |
| (JSC::ExecState::returnPC const): Deleted. |
| (JSC::ExecState::hasReturnPC const): Deleted. |
| (JSC::ExecState::clearReturnPC): Deleted. |
| (JSC::ExecState::returnPCOffset): Deleted. |
| (JSC::ExecState::abstractReturnPC): Deleted. |
| (JSC::ExecState::topOfFrame): Deleted. |
| (JSC::ExecState::setCallerFrame): Deleted. |
| (JSC::ExecState::setScope): Deleted. |
| (JSC::ExecState::argumentCount const): Deleted. |
| (JSC::ExecState::argumentCountIncludingThis const): Deleted. |
| (JSC::ExecState::argumentOffset): Deleted. |
| (JSC::ExecState::argumentOffsetIncludingThis): Deleted. |
| (JSC::ExecState::addressOfArgumentsStart const): Deleted. |
| (JSC::ExecState::argument): Deleted. |
| (JSC::ExecState::uncheckedArgument): Deleted. |
| (JSC::ExecState::setArgument): Deleted. |
| (JSC::ExecState::getArgumentUnsafe): Deleted. |
| (JSC::ExecState::thisArgumentOffset): Deleted. |
| (JSC::ExecState::thisValue): Deleted. |
| (JSC::ExecState::setThisValue): Deleted. |
| (JSC::ExecState::newTarget): Deleted. |
| (JSC::ExecState::offsetFor): Deleted. |
| (JSC::ExecState::noCaller): Deleted. |
| (JSC::ExecState::isGlobalExec const): Deleted. |
| (JSC::ExecState::setArgumentCountIncludingThis): Deleted. |
| (JSC::ExecState::setCallee): Deleted. |
| (JSC::ExecState::setCodeBlock): Deleted. |
| (JSC::ExecState::setReturnPC): Deleted. |
| (JSC::ExecState::iterate): Deleted. |
| (JSC::ExecState::argIndexForRegister): Deleted. |
| (JSC::ExecState::callerFrameAndPC): Deleted. |
| (JSC::ExecState::callerFrameAndPC const): Deleted. |
| (JSC::ExecState::unsafeCallerFrameAndPC const): Deleted. |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::executeProgram): |
| (JSC::Interpreter::executeCall): |
| (JSC::Interpreter::executeConstruct): |
| (JSC::Interpreter::prepareForRepeatCall): |
| (JSC::Interpreter::execute): |
| (JSC::Interpreter::executeModuleProgram): |
| * interpreter/ProtoCallFrame.h: |
| (JSC::ProtoCallFrame::init): |
| * interpreter/Register.h: |
| * interpreter/ShadowChicken.h: |
| * interpreter/StackVisitor.h: |
| * interpreter/VMEntryRecord.h: |
| (JSC::VMEntryRecord::prevTopCallFrame): |
| (JSC::VMEntryRecord::unsafePrevTopCallFrame): |
| * jit/CCallHelpers.h: |
| * jit/JITExceptions.h: |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/ThunkGenerators.cpp: |
| (JSC::nativeForGenerator): |
| * jsc.cpp: |
| (GlobalObject::finishCreation): |
| (functionPrintStdOut): |
| (functionPrintStdErr): |
| (functionDebug): |
| (functionDescribe): |
| (functionDescribeArray): |
| (functionSleepSeconds): |
| (functionJSCStack): |
| (functionGCAndSweep): |
| (functionFullGC): |
| (functionEdenGC): |
| (functionHeapSize): |
| (functionResetMemoryPeak): |
| (functionAddressOf): |
| (functionVersion): |
| (functionRun): |
| (functionRunString): |
| (functionLoad): |
| (functionLoadString): |
| (functionReadFile): |
| (functionCheckSyntax): |
| (functionSetSamplingFlags): |
| (functionClearSamplingFlags): |
| (functionGetRandomSeed): |
| (functionSetRandomSeed): |
| (functionIsRope): |
| (functionCallerSourceOrigin): |
| (functionReadline): |
| (functionPreciseTime): |
| (functionNeverInlineFunction): |
| (functionNoDFG): |
| (functionNoFTL): |
| (functionNoOSRExitFuzzing): |
| (functionOptimizeNextInvocation): |
| (functionNumberOfDFGCompiles): |
| (functionCallerIsOMGCompiled): |
| (functionDollarCreateRealm): |
| (functionDollarEvalScript): |
| (functionDollarAgentStart): |
| (functionDollarAgentReceiveBroadcast): |
| (functionDollarAgentReport): |
| (functionDollarAgentSleep): |
| (functionDollarAgentBroadcast): |
| (functionDollarAgentGetReport): |
| (functionDollarAgentLeaving): |
| (functionDollarAgentMonotonicNow): |
| (functionWaitForReport): |
| (functionHeapCapacity): |
| (functionFlashHeapAccess): |
| (functionDisableRichSourceInfo): |
| (functionMallocInALoop): |
| (functionTotalCompileTime): |
| (functionJSCOptions): |
| (functionReoptimizationRetryCount): |
| (functionTransferArrayBuffer): |
| (functionFailNextNewCodeBlock): |
| (functionQuit): |
| (functionFalse): |
| (functionUndefined1): |
| (functionUndefined2): |
| (functionIsInt32): |
| (functionIsPureNaN): |
| (functionIdentity): |
| (functionEffectful42): |
| (functionMakeMasquerader): |
| (functionHasCustomProperties): |
| (functionDumpTypesForAllVariables): |
| (functionDrainMicrotasks): |
| (functionReleaseWeakRefs): |
| (functionIs32BitPlatform): |
| (functionCreateGlobalObject): |
| (functionCheckModuleSyntax): |
| (functionPlatformSupportsSamplingProfiler): |
| (functionGenerateHeapSnapshot): |
| (functionGenerateHeapSnapshotForGCDebugging): |
| (functionResetSuperSamplerState): |
| (functionEnsureArrayStorage): |
| (functionStartSamplingProfiler): |
| (functionSamplingProfilerStackTraces): |
| (functionMaxArguments): |
| (functionAsyncTestStart): |
| (functionAsyncTestPassed): |
| (functionWebAssemblyMemoryMode): |
| (functionSetUnhandledRejectionCallback): |
| (runWithOptions): |
| (functionDollarDetachArrayBuffer): Deleted. |
| * llint/LLIntExceptions.h: |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::handleHostCall): |
| * llint/LLIntSlowPaths.h: |
| * llint/LowLevelInterpreter.cpp: |
| (JSC::CLoopRegister::callFrame const): |
| (JSC::CLoopRegister::execState const): Deleted. |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * offlineasm/cloop.rb: |
| * runtime/ArrayBufferView.h: |
| * runtime/ArrayConstructor.cpp: |
| (JSC::constructArrayWithSizeQuirk): |
| (JSC::constructWithArrayConstructor): |
| (JSC::callArrayConstructor): |
| (JSC::arrayConstructorPrivateFuncIsArraySlow): |
| * runtime/ArrayConstructor.h: |
| * runtime/ArrayPrototype.cpp: |
| (JSC::arrayProtoFuncSpeciesCreate): |
| (JSC::arrayProtoFuncToString): |
| (JSC::arrayProtoFuncToLocaleString): |
| (JSC::arrayProtoFuncJoin): |
| (JSC::arrayProtoFuncPop): |
| (JSC::arrayProtoFuncPush): |
| (JSC::arrayProtoFuncReverse): |
| (JSC::arrayProtoFuncShift): |
| (JSC::arrayProtoFuncSlice): |
| (JSC::arrayProtoFuncSplice): |
| (JSC::arrayProtoFuncUnShift): |
| (JSC::arrayProtoFuncIndexOf): |
| (JSC::arrayProtoFuncLastIndexOf): |
| (JSC::arrayProtoPrivateFuncConcatMemcpy): |
| (JSC::arrayProtoPrivateFuncAppendMemcpy): |
| * runtime/ArrayPrototype.h: |
| * runtime/AsyncFunctionConstructor.cpp: |
| (JSC::callAsyncFunctionConstructor): |
| (JSC::constructAsyncFunctionConstructor): |
| * runtime/AsyncGeneratorFunctionConstructor.cpp: |
| (JSC::callAsyncGeneratorFunctionConstructor): |
| (JSC::constructAsyncGeneratorFunctionConstructor): |
| * runtime/AtomicsObject.cpp: |
| (JSC::atomicsFuncAdd): |
| (JSC::atomicsFuncAnd): |
| (JSC::atomicsFuncCompareExchange): |
| (JSC::atomicsFuncExchange): |
| (JSC::atomicsFuncIsLockFree): |
| (JSC::atomicsFuncLoad): |
| (JSC::atomicsFuncOr): |
| (JSC::atomicsFuncStore): |
| (JSC::atomicsFuncSub): |
| (JSC::atomicsFuncWait): |
| (JSC::atomicsFuncWake): |
| (JSC::atomicsFuncXor): |
| * runtime/BigIntConstructor.cpp: |
| (JSC::callBigIntConstructor): |
| (JSC::bigIntConstructorFuncAsUintN): |
| (JSC::bigIntConstructorFuncAsIntN): |
| * runtime/BigIntPrototype.cpp: |
| (JSC::bigIntProtoFuncToStringImpl): |
| (JSC::bigIntProtoFuncToString): |
| (JSC::bigIntProtoFuncToLocaleString): |
| (JSC::bigIntProtoFuncValueOf): |
| * runtime/BooleanConstructor.cpp: |
| (JSC::callBooleanConstructor): |
| (JSC::constructWithBooleanConstructor): |
| (JSC::constructBooleanFromImmediateBoolean): |
| * runtime/BooleanPrototype.cpp: |
| (JSC::booleanProtoFuncToString): |
| (JSC::booleanProtoFuncValueOf): |
| * runtime/CallData.h: |
| * runtime/CommonSlowPaths.h: |
| * runtime/Completion.h: |
| * runtime/ConsoleClient.h: |
| * runtime/ConsoleObject.cpp: |
| (JSC::consoleLogWithLevel): |
| (JSC::consoleProtoFuncDebug): |
| (JSC::consoleProtoFuncError): |
| (JSC::consoleProtoFuncLog): |
| (JSC::consoleProtoFuncInfo): |
| (JSC::consoleProtoFuncWarn): |
| (JSC::consoleProtoFuncClear): |
| (JSC::consoleProtoFuncDir): |
| (JSC::consoleProtoFuncDirXML): |
| (JSC::consoleProtoFuncTable): |
| (JSC::consoleProtoFuncTrace): |
| (JSC::consoleProtoFuncAssert): |
| (JSC::consoleProtoFuncCount): |
| (JSC::consoleProtoFuncCountReset): |
| (JSC::consoleProtoFuncProfile): |
| (JSC::consoleProtoFuncProfileEnd): |
| (JSC::consoleProtoFuncTakeHeapSnapshot): |
| (JSC::consoleProtoFuncTime): |
| (JSC::consoleProtoFuncTimeLog): |
| (JSC::consoleProtoFuncTimeEnd): |
| (JSC::consoleProtoFuncTimeStamp): |
| (JSC::consoleProtoFuncGroup): |
| (JSC::consoleProtoFuncGroupCollapsed): |
| (JSC::consoleProtoFuncGroupEnd): |
| (JSC::consoleProtoFuncRecord): |
| (JSC::consoleProtoFuncRecordEnd): |
| (JSC::consoleProtoFuncScreenshot): |
| * runtime/ConstructData.h: |
| * runtime/DateConstructor.cpp: |
| (JSC::constructWithDateConstructor): |
| (JSC::callDate): |
| (JSC::dateParse): |
| (JSC::dateNowImpl): |
| (JSC::dateNow): |
| (JSC::dateUTC): |
| * runtime/DateConstructor.h: |
| * runtime/DatePrototype.cpp: |
| (JSC::dateProtoFuncToString): |
| (JSC::dateProtoFuncToUTCString): |
| (JSC::dateProtoFuncToISOString): |
| (JSC::dateProtoFuncToDateString): |
| (JSC::dateProtoFuncToTimeString): |
| (JSC::dateProtoFuncToLocaleString): |
| (JSC::dateProtoFuncToLocaleDateString): |
| (JSC::dateProtoFuncToLocaleTimeString): |
| (JSC::dateProtoFuncToPrimitiveSymbol): |
| (JSC::dateProtoFuncGetTime): |
| (JSC::dateProtoFuncGetFullYear): |
| (JSC::dateProtoFuncGetUTCFullYear): |
| (JSC::dateProtoFuncGetMonth): |
| (JSC::dateProtoFuncGetUTCMonth): |
| (JSC::dateProtoFuncGetDate): |
| (JSC::dateProtoFuncGetUTCDate): |
| (JSC::dateProtoFuncGetDay): |
| (JSC::dateProtoFuncGetUTCDay): |
| (JSC::dateProtoFuncGetHours): |
| (JSC::dateProtoFuncGetUTCHours): |
| (JSC::dateProtoFuncGetMinutes): |
| (JSC::dateProtoFuncGetUTCMinutes): |
| (JSC::dateProtoFuncGetSeconds): |
| (JSC::dateProtoFuncGetUTCSeconds): |
| (JSC::dateProtoFuncGetMilliSeconds): |
| (JSC::dateProtoFuncGetUTCMilliseconds): |
| (JSC::dateProtoFuncGetTimezoneOffset): |
| (JSC::dateProtoFuncSetTime): |
| (JSC::dateProtoFuncSetMilliSeconds): |
| (JSC::dateProtoFuncSetUTCMilliseconds): |
| (JSC::dateProtoFuncSetSeconds): |
| (JSC::dateProtoFuncSetUTCSeconds): |
| (JSC::dateProtoFuncSetMinutes): |
| (JSC::dateProtoFuncSetUTCMinutes): |
| (JSC::dateProtoFuncSetHours): |
| (JSC::dateProtoFuncSetUTCHours): |
| (JSC::dateProtoFuncSetDate): |
| (JSC::dateProtoFuncSetUTCDate): |
| (JSC::dateProtoFuncSetMonth): |
| (JSC::dateProtoFuncSetUTCMonth): |
| (JSC::dateProtoFuncSetFullYear): |
| (JSC::dateProtoFuncSetUTCFullYear): |
| (JSC::dateProtoFuncSetYear): |
| (JSC::dateProtoFuncGetYear): |
| (JSC::dateProtoFuncToJSON): |
| * runtime/DatePrototype.h: |
| * runtime/ECMAScriptSpecInternalFunctions.cpp: |
| (JSC::esSpecIsConstructor): |
| * runtime/ECMAScriptSpecInternalFunctions.h: |
| * runtime/Error.h: |
| * runtime/ErrorConstructor.cpp: |
| (JSC::ErrorConstructor::finishCreation): |
| (JSC::constructErrorConstructor): |
| (JSC::callErrorConstructor): |
| (JSC::ErrorConstructor::put): |
| (JSC::ErrorConstructor::deleteProperty): |
| * runtime/ErrorPrototype.cpp: |
| (JSC::errorProtoFuncToString): |
| * runtime/ExceptionFuzz.h: |
| * runtime/FunctionConstructor.cpp: |
| (JSC::constructWithFunctionConstructor): |
| (JSC::callFunctionConstructor): |
| (JSC::constructFunction): |
| * runtime/FunctionPrototype.cpp: |
| (JSC::callFunctionPrototype): |
| (JSC::functionProtoFuncToString): |
| * runtime/GeneratorFunctionConstructor.cpp: |
| (JSC::callGeneratorFunctionConstructor): |
| (JSC::constructGeneratorFunctionConstructor): |
| * runtime/Identifier.h: |
| * runtime/InspectorInstrumentationObject.cpp: |
| (JSC::inspectorInstrumentationObjectLog): |
| * runtime/InternalFunction.cpp: |
| (JSC::InternalFunction::InternalFunction): |
| * runtime/InternalFunction.h: |
| (JSC::InternalFunction::offsetOfGlobalObject): |
| (JSC::InternalFunction::globalObject const): |
| * runtime/IntlCollatorConstructor.cpp: |
| (JSC::constructIntlCollator): |
| (JSC::callIntlCollator): |
| (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): |
| * runtime/IntlCollatorConstructor.h: |
| * runtime/IntlCollatorPrototype.cpp: |
| (JSC::IntlCollatorFuncCompare): |
| (JSC::IntlCollatorPrototypeGetterCompare): |
| (JSC::IntlCollatorPrototypeFuncResolvedOptions): |
| * runtime/IntlDateTimeFormatConstructor.cpp: |
| (JSC::constructIntlDateTimeFormat): |
| (JSC::callIntlDateTimeFormat): |
| (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): |
| * runtime/IntlDateTimeFormatConstructor.h: |
| * runtime/IntlDateTimeFormatPrototype.cpp: |
| (JSC::IntlDateTimeFormatFuncFormatDateTime): |
| (JSC::IntlDateTimeFormatPrototypeGetterFormat): |
| (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts): |
| (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions): |
| * runtime/IntlNumberFormatConstructor.cpp: |
| (JSC::constructIntlNumberFormat): |
| (JSC::callIntlNumberFormat): |
| (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): |
| * runtime/IntlNumberFormatConstructor.h: |
| * runtime/IntlNumberFormatPrototype.cpp: |
| (JSC::IntlNumberFormatFuncFormatNumber): |
| (JSC::IntlNumberFormatPrototypeGetterFormat): |
| (JSC::IntlNumberFormatPrototypeFuncFormatToParts): |
| (JSC::IntlNumberFormatPrototypeFuncResolvedOptions): |
| * runtime/IntlObject.cpp: |
| (JSC::intlObjectFuncGetCanonicalLocales): |
| * runtime/IntlPluralRulesConstructor.cpp: |
| (JSC::constructIntlPluralRules): |
| (JSC::callIntlPluralRules): |
| (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf): |
| * runtime/IntlPluralRulesConstructor.h: |
| * runtime/IntlPluralRulesPrototype.cpp: |
| (JSC::IntlPluralRulesPrototypeFuncSelect): |
| (JSC::IntlPluralRulesPrototypeFuncResolvedOptions): |
| * runtime/JSArrayBufferConstructor.cpp: |
| (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation): |
| (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer): |
| (JSC::callArrayBuffer): |
| (JSC::arrayBufferFuncIsView): |
| * runtime/JSArrayBufferConstructor.h: |
| * runtime/JSArrayBufferPrototype.cpp: |
| (JSC::arrayBufferProtoFuncSlice): |
| (JSC::arrayBufferProtoGetterFuncByteLength): |
| (JSC::sharedArrayBufferProtoGetterFuncByteLength): |
| * runtime/JSBoundFunction.cpp: |
| (JSC::boundThisNoArgsFunctionCall): |
| (JSC::boundFunctionCall): |
| (JSC::boundThisNoArgsFunctionConstruct): |
| (JSC::boundFunctionConstruct): |
| (JSC::isBoundFunction): |
| (JSC::hasInstanceBoundFunction): |
| (JSC::JSBoundFunction::boundArgsCopy): |
| * runtime/JSBoundFunction.h: |
| * runtime/JSCJSValue.h: |
| * runtime/JSCell.h: |
| * runtime/JSCustomGetterSetterFunction.cpp: |
| (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall): |
| * runtime/JSCustomGetterSetterFunction.h: |
| * runtime/JSDataViewPrototype.cpp: |
| (JSC::getData): |
| (JSC::setData): |
| (JSC::dataViewProtoGetterBuffer): |
| (JSC::dataViewProtoGetterByteLength): |
| (JSC::dataViewProtoGetterByteOffset): |
| (JSC::dataViewProtoFuncGetInt8): |
| (JSC::dataViewProtoFuncGetInt16): |
| (JSC::dataViewProtoFuncGetInt32): |
| (JSC::dataViewProtoFuncGetUint8): |
| (JSC::dataViewProtoFuncGetUint16): |
| (JSC::dataViewProtoFuncGetUint32): |
| (JSC::dataViewProtoFuncGetFloat32): |
| (JSC::dataViewProtoFuncGetFloat64): |
| (JSC::dataViewProtoFuncSetInt8): |
| (JSC::dataViewProtoFuncSetInt16): |
| (JSC::dataViewProtoFuncSetInt32): |
| (JSC::dataViewProtoFuncSetUint8): |
| (JSC::dataViewProtoFuncSetUint16): |
| (JSC::dataViewProtoFuncSetUint32): |
| (JSC::dataViewProtoFuncSetFloat32): |
| (JSC::dataViewProtoFuncSetFloat64): |
| * runtime/JSDateMath.h: |
| * runtime/JSFunction.cpp: |
| (JSC::callHostFunctionAsConstructor): |
| (JSC::JSFunction::JSFunction): |
| (JSC::JSFunction::prototypeForConstruction): |
| (JSC::JSFunction::allocateAndInitializeRareData): |
| (JSC::JSFunction::initializeRareData): |
| (JSC::JSFunction::getOwnPropertySlot): |
| * runtime/JSFunction.h: |
| (JSC::JSFunction::offsetOfGlobalObject): |
| (JSC::JSFunction::globalObject const): |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::JSFunction): |
| * runtime/JSGenericTypedArrayViewConstructorInlines.h: |
| (JSC::constructGenericTypedArrayView): |
| (JSC::callGenericTypedArrayView): |
| * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: |
| (JSC::genericTypedArrayViewProtoFuncSlice): |
| (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::makeBoundFunction): |
| (JSC::hasOwnLengthProperty): |
| (JSC::assertCall): |
| (JSC::enqueueJob): |
| * runtime/JSGlobalObjectFunctions.cpp: |
| (JSC::globalFuncEval): |
| (JSC::globalFuncParseInt): |
| (JSC::globalFuncParseFloat): |
| (JSC::globalFuncDecodeURI): |
| (JSC::globalFuncDecodeURIComponent): |
| (JSC::globalFuncEncodeURI): |
| (JSC::globalFuncEncodeURIComponent): |
| (JSC::globalFuncEscape): |
| (JSC::globalFuncUnescape): |
| (JSC::globalFuncThrowTypeError): |
| (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller): |
| (JSC::globalFuncMakeTypeError): |
| (JSC::globalFuncProtoGetter): |
| (JSC::globalFuncProtoSetter): |
| (JSC::globalFuncHostPromiseRejectionTracker): |
| (JSC::globalFuncBuiltinLog): |
| (JSC::globalFuncBuiltinDescribe): |
| (JSC::globalFuncImportModule): |
| (JSC::globalFuncPropertyIsEnumerable): |
| (JSC::globalFuncOwnKeys): |
| (JSC::globalFuncDateTimeFormat): |
| * runtime/JSGlobalObjectFunctions.h: |
| * runtime/JSLock.h: |
| * runtime/JSModuleLoader.cpp: |
| (JSC::moduleLoaderParseModule): |
| (JSC::moduleLoaderRequestedModules): |
| (JSC::moduleLoaderModuleDeclarationInstantiation): |
| (JSC::moduleLoaderResolve): |
| (JSC::moduleLoaderResolveSync): |
| (JSC::moduleLoaderFetch): |
| (JSC::moduleLoaderGetModuleNamespaceObject): |
| (JSC::moduleLoaderEvaluate): |
| * runtime/JSNativeStdFunction.cpp: |
| (JSC::runStdFunction): |
| * runtime/JSNativeStdFunction.h: |
| * runtime/JSONObject.cpp: |
| (JSC::JSONProtoFuncParse): |
| (JSC::JSONProtoFuncStringify): |
| * runtime/JSObject.cpp: |
| (JSC::objectPrivateFuncInstanceOf): |
| * runtime/JSObject.h: |
| * runtime/JSTypedArrayViewConstructor.cpp: |
| (JSC::constructTypedArrayView): |
| * runtime/JSTypedArrayViewPrototype.cpp: |
| (JSC::typedArrayViewPrivateFuncIsTypedArrayView): |
| (JSC::typedArrayViewPrivateFuncLength): |
| (JSC::typedArrayViewPrivateFuncGetOriginalConstructor): |
| (JSC::typedArrayViewPrivateFuncSort): |
| (JSC::typedArrayViewProtoFuncSet): |
| (JSC::typedArrayViewProtoFuncCopyWithin): |
| (JSC::typedArrayViewProtoFuncIncludes): |
| (JSC::typedArrayViewProtoFuncLastIndexOf): |
| (JSC::typedArrayViewProtoFuncIndexOf): |
| (JSC::typedArrayViewProtoFuncJoin): |
| (JSC::typedArrayViewProtoGetterFuncBuffer): |
| (JSC::typedArrayViewProtoGetterFuncLength): |
| (JSC::typedArrayViewProtoGetterFuncByteLength): |
| (JSC::typedArrayViewProtoGetterFuncByteOffset): |
| (JSC::typedArrayViewProtoFuncReverse): |
| (JSC::typedArrayViewPrivateFuncSubarrayCreate): |
| (JSC::typedArrayViewProtoFuncSlice): |
| (JSC::typedArrayViewProtoGetterFuncToStringTag): |
| * runtime/JSTypedArrayViewPrototype.h: |
| * runtime/MapConstructor.cpp: |
| (JSC::callMap): |
| (JSC::constructMap): |
| (JSC::mapPrivateFuncMapBucketHead): |
| (JSC::mapPrivateFuncMapBucketNext): |
| (JSC::mapPrivateFuncMapBucketKey): |
| (JSC::mapPrivateFuncMapBucketValue): |
| * runtime/MapConstructor.h: |
| * runtime/MapPrototype.cpp: |
| (JSC::getMap): |
| (JSC::mapProtoFuncClear): |
| (JSC::mapProtoFuncDelete): |
| (JSC::mapProtoFuncGet): |
| (JSC::mapProtoFuncHas): |
| (JSC::mapProtoFuncSet): |
| (JSC::mapProtoFuncSize): |
| * runtime/MathObject.cpp: |
| (JSC::mathProtoFuncAbs): |
| (JSC::mathProtoFuncACos): |
| (JSC::mathProtoFuncASin): |
| (JSC::mathProtoFuncATan): |
| (JSC::mathProtoFuncATan2): |
| (JSC::mathProtoFuncCeil): |
| (JSC::mathProtoFuncClz32): |
| (JSC::mathProtoFuncCos): |
| (JSC::mathProtoFuncExp): |
| (JSC::mathProtoFuncFloor): |
| (JSC::mathProtoFuncHypot): |
| (JSC::mathProtoFuncLog): |
| (JSC::mathProtoFuncMax): |
| (JSC::mathProtoFuncMin): |
| (JSC::mathProtoFuncPow): |
| (JSC::mathProtoFuncRandom): |
| (JSC::mathProtoFuncRound): |
| (JSC::mathProtoFuncSign): |
| (JSC::mathProtoFuncSin): |
| (JSC::mathProtoFuncSqrt): |
| (JSC::mathProtoFuncTan): |
| (JSC::mathProtoFuncIMul): |
| (JSC::mathProtoFuncACosh): |
| (JSC::mathProtoFuncASinh): |
| (JSC::mathProtoFuncATanh): |
| (JSC::mathProtoFuncCbrt): |
| (JSC::mathProtoFuncCosh): |
| (JSC::mathProtoFuncExpm1): |
| (JSC::mathProtoFuncFround): |
| (JSC::mathProtoFuncLog1p): |
| (JSC::mathProtoFuncLog10): |
| (JSC::mathProtoFuncLog2): |
| (JSC::mathProtoFuncSinh): |
| (JSC::mathProtoFuncTanh): |
| (JSC::mathProtoFuncTrunc): |
| * runtime/MathObject.h: |
| * runtime/Microtask.h: |
| * runtime/NativeErrorConstructor.cpp: |
| (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor): |
| (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor): |
| * runtime/NativeErrorConstructor.h: |
| * runtime/NativeFunction.h: |
| (JSC::NativeFunction::operator()): |
| (JSC::TaggedNativeFunction::operator()): |
| * runtime/NullGetterFunction.cpp: |
| (JSC::NullGetterFunctionInternal::callReturnUndefined): |
| * runtime/NullSetterFunction.cpp: |
| (JSC::NullSetterFunctionInternal::callReturnUndefined): |
| * runtime/NumberConstructor.cpp: |
| (JSC::constructNumberConstructor): |
| (JSC::callNumberConstructor): |
| (JSC::numberConstructorFuncIsInteger): |
| (JSC::numberConstructorFuncIsSafeInteger): |
| * runtime/NumberPrototype.cpp: |
| (JSC::numberProtoFuncToExponential): |
| (JSC::numberProtoFuncToFixed): |
| (JSC::numberProtoFuncToPrecision): |
| (JSC::numberProtoFuncToString): |
| (JSC::numberProtoFuncToLocaleString): |
| (JSC::numberProtoFuncValueOf): |
| * runtime/NumberPrototype.h: |
| * runtime/ObjectConstructor.cpp: |
| (JSC::constructObjectWithNewTarget): |
| (JSC::constructWithObjectConstructor): |
| (JSC::callObjectConstructor): |
| (JSC::objectConstructorGetPrototypeOf): |
| (JSC::objectConstructorSetPrototypeOf): |
| (JSC::objectConstructorGetOwnPropertyDescriptor): |
| (JSC::objectConstructorGetOwnPropertyDescriptors): |
| (JSC::objectConstructorGetOwnPropertyNames): |
| (JSC::objectConstructorGetOwnPropertySymbols): |
| (JSC::objectConstructorKeys): |
| (JSC::objectConstructorAssign): |
| (JSC::objectConstructorValues): |
| (JSC::objectConstructorDefineProperty): |
| (JSC::objectConstructorDefineProperties): |
| (JSC::objectConstructorCreate): |
| (JSC::objectConstructorSeal): |
| (JSC::objectConstructorFreeze): |
| (JSC::objectConstructorPreventExtensions): |
| (JSC::objectConstructorIsSealed): |
| (JSC::objectConstructorIsFrozen): |
| (JSC::objectConstructorIsExtensible): |
| (JSC::objectConstructorIs): |
| (JSC::constructObject): Deleted. |
| * runtime/ObjectConstructor.h: |
| * runtime/ObjectPrototype.cpp: |
| (JSC::objectProtoFuncValueOf): |
| (JSC::objectProtoFuncHasOwnProperty): |
| (JSC::objectProtoFuncIsPrototypeOf): |
| (JSC::objectProtoFuncDefineGetter): |
| (JSC::objectProtoFuncDefineSetter): |
| (JSC::objectProtoFuncLookupGetter): |
| (JSC::objectProtoFuncLookupSetter): |
| (JSC::objectProtoFuncPropertyIsEnumerable): |
| (JSC::objectProtoFuncToLocaleString): |
| (JSC::objectProtoFuncToString): |
| * runtime/ObjectPrototype.h: |
| * runtime/ProxyConstructor.cpp: |
| (JSC::makeRevocableProxy): |
| (JSC::proxyRevocableConstructorThrowError): |
| (JSC::constructProxyObject): |
| (JSC::callProxy): |
| * runtime/ProxyObject.cpp: |
| (JSC::performProxyCall): |
| (JSC::performProxyConstruct): |
| * runtime/ProxyRevoke.cpp: |
| (JSC::performProxyRevoke): |
| * runtime/ReflectObject.cpp: |
| (JSC::reflectObjectConstruct): |
| (JSC::reflectObjectDefineProperty): |
| (JSC::reflectObjectGet): |
| (JSC::reflectObjectGetOwnPropertyDescriptor): |
| (JSC::reflectObjectGetPrototypeOf): |
| (JSC::reflectObjectIsExtensible): |
| (JSC::reflectObjectOwnKeys): |
| (JSC::reflectObjectPreventExtensions): |
| (JSC::reflectObjectSet): |
| (JSC::reflectObjectSetPrototypeOf): |
| * runtime/RegExpConstructor.cpp: |
| (JSC::regExpConstructorDollar): |
| (JSC::regExpConstructorInput): |
| (JSC::regExpConstructorMultiline): |
| (JSC::regExpConstructorLastMatch): |
| (JSC::regExpConstructorLastParen): |
| (JSC::regExpConstructorLeftContext): |
| (JSC::regExpConstructorRightContext): |
| (JSC::setRegExpConstructorInput): |
| (JSC::setRegExpConstructorMultiline): |
| (JSC::esSpecRegExpCreate): |
| (JSC::constructWithRegExpConstructor): |
| (JSC::callRegExpConstructor): |
| * runtime/RegExpConstructor.h: |
| * runtime/RegExpPrototype.cpp: |
| (JSC::regExpProtoFuncTestFast): |
| (JSC::regExpProtoFuncExec): |
| (JSC::regExpProtoFuncMatchFast): |
| (JSC::regExpProtoFuncCompile): |
| (JSC::regExpProtoFuncToString): |
| (JSC::regExpProtoGetterGlobal): |
| (JSC::regExpProtoGetterIgnoreCase): |
| (JSC::regExpProtoGetterMultiline): |
| (JSC::regExpProtoGetterDotAll): |
| (JSC::regExpProtoGetterSticky): |
| (JSC::regExpProtoGetterUnicode): |
| (JSC::regExpProtoGetterFlags): |
| (JSC::regExpProtoGetterSource): |
| (JSC::regExpProtoFuncSearchFast): |
| (JSC::regExpProtoFuncSplitFast): |
| * runtime/RegExpPrototype.h: |
| * runtime/SetConstructor.cpp: |
| (JSC::callSet): |
| (JSC::constructSet): |
| (JSC::setPrivateFuncSetBucketHead): |
| (JSC::setPrivateFuncSetBucketNext): |
| (JSC::setPrivateFuncSetBucketKey): |
| * runtime/SetConstructor.h: |
| * runtime/SetPrototype.cpp: |
| (JSC::getSet): |
| (JSC::setProtoFuncAdd): |
| (JSC::setProtoFuncClear): |
| (JSC::setProtoFuncDelete): |
| (JSC::setProtoFuncHas): |
| (JSC::setProtoFuncSize): |
| * runtime/StringConstructor.cpp: |
| (JSC::stringFromCharCode): |
| (JSC::stringFromCodePoint): |
| (JSC::constructWithStringConstructor): |
| (JSC::callStringConstructor): |
| * runtime/StringPrototype.cpp: |
| (JSC::stringProtoFuncRepeatCharacter): |
| (JSC::stringProtoFuncReplaceUsingRegExp): |
| (JSC::stringProtoFuncReplaceUsingStringSearch): |
| (JSC::stringProtoFuncToString): |
| (JSC::stringProtoFuncCharAt): |
| (JSC::stringProtoFuncCharCodeAt): |
| (JSC::stringProtoFuncCodePointAt): |
| (JSC::stringProtoFuncIndexOf): |
| (JSC::stringProtoFuncLastIndexOf): |
| (JSC::stringProtoFuncSlice): |
| (JSC::stringProtoFuncSplitFast): |
| (JSC::stringProtoFuncSubstrImpl): |
| (JSC::stringProtoFuncSubstr): |
| (JSC::builtinStringSubstrInternal): |
| (JSC::stringProtoFuncSubstring): |
| (JSC::stringProtoFuncToLowerCase): |
| (JSC::stringProtoFuncToUpperCase): |
| (JSC::stringProtoFuncLocaleCompare): |
| (JSC::toLocaleCase): |
| (JSC::stringProtoFuncToLocaleLowerCase): |
| (JSC::stringProtoFuncToLocaleUpperCase): |
| (JSC::stringProtoFuncTrim): |
| (JSC::stringProtoFuncTrimStart): |
| (JSC::stringProtoFuncTrimEnd): |
| (JSC::stringProtoFuncStartsWith): |
| (JSC::stringProtoFuncEndsWith): |
| (JSC::stringIncludesImpl): |
| (JSC::stringProtoFuncIncludes): |
| (JSC::builtinStringIncludesInternal): |
| (JSC::stringProtoFuncIterator): |
| (JSC::stringProtoFuncNormalize): |
| * runtime/StringPrototype.h: |
| * runtime/SymbolConstructor.cpp: |
| (JSC::callSymbol): |
| (JSC::symbolConstructorFor): |
| (JSC::symbolConstructorKeyFor): |
| * runtime/SymbolPrototype.cpp: |
| (JSC::symbolProtoGetterDescription): |
| (JSC::symbolProtoFuncToString): |
| (JSC::symbolProtoFuncValueOf): |
| * runtime/ThrowScope.h: |
| * runtime/TypedArrayController.h: |
| * runtime/VM.h: |
| * runtime/VMTraps.h: |
| * runtime/Watchdog.h: |
| * runtime/WeakMapConstructor.cpp: |
| (JSC::callWeakMap): |
| (JSC::constructWeakMap): |
| * runtime/WeakMapPrototype.cpp: |
| (JSC::getWeakMap): |
| (JSC::protoFuncWeakMapDelete): |
| (JSC::protoFuncWeakMapGet): |
| (JSC::protoFuncWeakMapHas): |
| (JSC::protoFuncWeakMapSet): |
| * runtime/WeakObjectRefConstructor.cpp: |
| (JSC::callWeakRef): |
| (JSC::constructWeakRef): |
| * runtime/WeakObjectRefPrototype.cpp: |
| (JSC::getWeakRef): |
| (JSC::protoFuncWeakRefDeref): |
| * runtime/WeakSetConstructor.cpp: |
| (JSC::callWeakSet): |
| (JSC::constructWeakSet): |
| * runtime/WeakSetPrototype.cpp: |
| (JSC::getWeakSet): |
| (JSC::protoFuncWeakSetDelete): |
| (JSC::protoFuncWeakSetHas): |
| (JSC::protoFuncWeakSetAdd): |
| * tools/JSDollarVM.cpp: |
| (JSC::DOMJITGetterComplex::functionEnableException): |
| (JSC::DOMJITFunctionObject::functionWithTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck): |
| (JSC::functionWasmStreamingParserAddBytes): |
| (JSC::functionWasmStreamingParserFinalize): |
| (JSC::functionCrash): |
| (JSC::functionBreakpoint): |
| (JSC::functionDFGTrue): |
| (JSC::functionFTLTrue): |
| (JSC::functionCpuMfence): |
| (JSC::functionCpuRdtsc): |
| (JSC::functionCpuCpuid): |
| (JSC::functionCpuPause): |
| (JSC::functionCpuClflush): |
| (JSC::functionLLintTrue): |
| (JSC::functionJITTrue): |
| (JSC::functionNoInline): |
| (JSC::functionGC): |
| (JSC::functionEdenGC): |
| (JSC::functionDumpSubspaceHashes): |
| (JSC::functionCallFrame): |
| (JSC::functionCodeBlockForFrame): |
| (JSC::codeBlockFromArg): |
| (JSC::functionCodeBlockFor): |
| (JSC::functionDumpSourceFor): |
| (JSC::functionDumpBytecodeFor): |
| (JSC::doPrint): |
| (JSC::functionDataLog): |
| (JSC::functionPrint): |
| (JSC::functionDumpCallFrame): |
| (JSC::functionDumpStack): |
| (JSC::functionDumpRegisters): |
| (JSC::functionDumpCell): |
| (JSC::functionIndexingMode): |
| (JSC::functionInlineCapacity): |
| (JSC::functionValue): |
| (JSC::functionGetPID): |
| (JSC::functionHaveABadTime): |
| (JSC::functionIsHavingABadTime): |
| (JSC::functionCreateGlobalObject): |
| (JSC::functionCreateProxy): |
| (JSC::functionCreateRuntimeArray): |
| (JSC::functionCreateNullRopeString): |
| (JSC::functionCreateImpureGetter): |
| (JSC::functionCreateCustomGetterObject): |
| (JSC::functionCreateDOMJITNodeObject): |
| (JSC::functionCreateDOMJITGetterObject): |
| (JSC::functionCreateDOMJITGetterComplexObject): |
| (JSC::functionCreateDOMJITFunctionObject): |
| (JSC::functionCreateDOMJITCheckSubClassObject): |
| (JSC::functionCreateDOMJITGetterBaseJSObject): |
| (JSC::functionCreateWasmStreamingParser): |
| (JSC::functionCreateStaticCustomAccessor): |
| (JSC::functionSetImpureGetterDelegate): |
| (JSC::functionCreateBuiltin): |
| (JSC::functionGetPrivateProperty): |
| (JSC::functionCreateRoot): |
| (JSC::functionCreateElement): |
| (JSC::functionGetElement): |
| (JSC::functionCreateSimpleObject): |
| (JSC::functionGetHiddenValue): |
| (JSC::functionSetHiddenValue): |
| (JSC::functionShadowChickenFunctionsOnStack): |
| (JSC::functionSetGlobalConstRedeclarationShouldNotThrow): |
| (JSC::functionFindTypeForExpression): |
| (JSC::functionReturnTypeFor): |
| (JSC::functionFlattenDictionaryObject): |
| (JSC::functionDumpBasicBlockExecutionRanges): |
| (JSC::functionHasBasicBlockExecuted): |
| (JSC::functionBasicBlockExecutionCount): |
| (JSC::functionEnableExceptionFuzz): |
| (JSC::functionEnableDebuggerModeWhenIdle): |
| (JSC::functionDisableDebuggerModeWhenIdle): |
| (JSC::functionDeleteAllCodeWhenIdle): |
| (JSC::functionGlobalObjectCount): |
| (JSC::functionGlobalObjectForObject): |
| (JSC::functionGetGetterSetter): |
| (JSC::functionLoadGetterFromGetterSetter): |
| (JSC::functionCreateCustomTestGetterSetter): |
| (JSC::functionDeltaBetweenButterflies): |
| (JSC::functionTotalGCTime): |
| (JSC::functionParseCount): |
| (JSC::functionIsWasmSupported): |
| * wasm/WasmEmbedder.h: |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::webAssemblyCompileFunc): |
| (JSC::webAssemblyInstantiateFunc): |
| (JSC::webAssemblyValidateFunc): |
| (JSC::webAssemblyCompileStreamingInternal): |
| (JSC::webAssemblyInstantiateStreamingInternal): |
| * wasm/js/JSWebAssembly.h: |
| * wasm/js/WebAssemblyCompileErrorConstructor.cpp: |
| (JSC::constructJSWebAssemblyCompileError): |
| (JSC::callJSWebAssemblyCompileError): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::callWebAssemblyFunction): |
| * wasm/js/WebAssemblyInstanceConstructor.cpp: |
| (JSC::constructJSWebAssemblyInstance): |
| (JSC::callJSWebAssemblyInstance): |
| * wasm/js/WebAssemblyInstancePrototype.cpp: |
| (JSC::webAssemblyInstanceProtoFuncExports): |
| * wasm/js/WebAssemblyLinkErrorConstructor.cpp: |
| (JSC::constructJSWebAssemblyLinkError): |
| (JSC::callJSWebAssemblyLinkError): |
| * wasm/js/WebAssemblyMemoryConstructor.cpp: |
| (JSC::constructJSWebAssemblyMemory): |
| (JSC::callJSWebAssemblyMemory): |
| * wasm/js/WebAssemblyMemoryPrototype.cpp: |
| (JSC::webAssemblyMemoryProtoFuncGrow): |
| (JSC::webAssemblyMemoryProtoFuncBuffer): |
| * wasm/js/WebAssemblyModuleConstructor.cpp: |
| (JSC::webAssemblyModuleCustomSections): |
| (JSC::webAssemblyModuleImports): |
| (JSC::webAssemblyModuleExports): |
| (JSC::constructJSWebAssemblyModule): |
| (JSC::callJSWebAssemblyModule): |
| * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: |
| (JSC::constructJSWebAssemblyRuntimeError): |
| (JSC::callJSWebAssemblyRuntimeError): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| (JSC::callJSWebAssemblyTable): |
| * wasm/js/WebAssemblyTablePrototype.cpp: |
| (JSC::webAssemblyTableProtoFuncLength): |
| (JSC::webAssemblyTableProtoFuncGrow): |
| (JSC::webAssemblyTableProtoFuncGet): |
| (JSC::webAssemblyTableProtoFuncSet): |
| * wasm/js/WebAssemblyWrapperFunction.cpp: |
| (JSC::callWebAssemblyWrapperFunction): |
| * yarr/YarrErrorCode.h: |
| |
| 2019-10-07 Matt Lewis <jlewis3@apple.com> |
| |
| Unreviewed, rolling out r250750. |
| |
| Reverting change as this broke an internal test over the weekend. |
| |
| Reverted changeset: |
| |
| "Allow OSR exit to the LLInt" |
| https://bugs.webkit.org/show_bug.cgi?id=197993 |
| https://trac.webkit.org/changeset/250750 |
| |
| 2019-10-04 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Socket-based RWI should base64-encode backend commands on client, not server |
| https://bugs.webkit.org/show_bug.cgi?id=202605 |
| |
| Reviewed by Don Olmstead. |
| |
| * inspector/remote/socket/RemoteInspectorServer.cpp: |
| (Inspector::RemoteInspectorServer::setupInspectorClient): |
| |
| 2019-10-04 Saam Barati <sbarati@apple.com> |
| |
| Allow OSR exit to the LLInt |
| https://bugs.webkit.org/show_bug.cgi?id=197993 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| This patch makes it so we can OSR exit to the LLInt. |
| Here are the interesting implementation details: |
| |
| 1. We no longer baseline compile everything in the inline stack. |
| |
| 2. When the top frame is a LLInt frame, we exit to the corresponding |
| LLInt bytecode. However, we need to materialize the LLInt registers |
| for PC, PB, and metadata. |
| |
| 3. When dealing with inline call frames where the caller is LLInt, we |
| need to return to the appropriate place. Let's consider we're exiting |
| at a place A->B (A calls B), where A is LLInt. If A is a normal call, |
| we place the return PC in the frame we materialize to B to be right |
| after the LLInt's inline cache for calls. If A is a varargs call, we place |
| it at the return location for vararg calls. The interesting scenario here |
| is where A is a getter/setter. This means that A might be get_by_id, |
| get_by_val, put_by_id, or put_by_val. Since the LLInt does not have any |
| form of IC for getters/setters, we make this work by creating new LLInt |
| "return location" stubs for these opcodes. |
| |
| 4. We need to update what callee saves we store in the callee if the caller frame |
| is a LLInt frame. Let's consider an inline stack A->B->C, where A is a LLInt frame. |
| When we materialize the stack frame for B, we need to ensure that the LLInt callee |
| saves that A uses are stored into B's preserved callee saves. Specifically, this |
| is just the PB/metadata registers. |
| |
| This patch also fixes offlineasm's macro expansion to allow us to |
| use computed label names for global labels. |
| |
| In a future bug, I'm going to investigate some kind of control system for |
| throwing away baseline code when we tier up: |
| https://bugs.webkit.org/show_bug.cgi?id=202503 |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::metadataTable): |
| (JSC::CodeBlock::instructionsRawPointer): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::executeOSRExit): |
| (JSC::DFG::reifyInlinedCallFrames): |
| (JSC::DFG::adjustAndJumpToTarget): |
| (JSC::DFG::OSRExit::compileOSRExit): |
| * dfg/DFGOSRExit.h: |
| (JSC::DFG::OSRExitState::OSRExitState): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::callerReturnPC): |
| (JSC::DFG::calleeSaveSlot): |
| (JSC::DFG::reifyInlinedCallFrames): |
| (JSC::DFG::adjustAndJumpToTarget): |
| * dfg/DFGOSRExitCompilerCommon.h: |
| * dfg/DFGOSRExitPreparation.cpp: |
| (JSC::DFG::prepareCodeOriginForOSRExit): Deleted. |
| * dfg/DFGOSRExitPreparation.h: |
| * ftl/FTLOSRExitCompiler.cpp: |
| (JSC::FTL::compileFTLOSRExit): |
| * llint/LLIntData.h: |
| (JSC::LLInt::getCodePtr): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * offlineasm/asm.rb: |
| * offlineasm/transform.rb: |
| * runtime/OptionsList.h: |
| |
| 2019-10-04 Truitt Savell <tsavell@apple.com> |
| |
| Unreviewed, rolling out r250583. |
| |
| Broke multiple internal API tests |
| |
| Reverted changeset: |
| |
| "[JSC] Place VM* in TLS" |
| https://bugs.webkit.org/show_bug.cgi?id=202391 |
| https://trac.webkit.org/changeset/250583 |
| |
| 2019-10-04 Truitt Savell <tsavell@apple.com> |
| |
| Unreviewed, rolling out r250594. |
| |
| Broke multiple internal API tests |
| |
| Reverted changeset: |
| |
| "Unreviewed, fix incorrect assertion" |
| https://bugs.webkit.org/show_bug.cgi?id=202391 |
| https://trac.webkit.org/changeset/250594 |
| |
| 2019-10-04 Alex Christensen <achristensen@webkit.org> |
| |
| Simplify sandbox enabling macros |
| https://bugs.webkit.org/show_bug.cgi?id=202536 |
| |
| Reviewed by Brent Fulgham. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-10-03 Christopher Reid <chris.reid@sony.com> |
| |
| [WinCairo] Remote Inspector doesn't gracefully shutdown |
| https://bugs.webkit.org/show_bug.cgi?id=202546 |
| |
| Reviewed by Ross Kirsling. |
| |
| Call shutdown before closesocket in windows to close the connection gracefully. |
| |
| This also fixes some potential threading issues where m_clientConnection |
| is set on a worker thread but cleared on the main thread. |
| Remove callOnMainThread in the server too since execution gets paused during JS breakpoints. |
| |
| * inspector/remote/socket/RemoteInspectorServer.cpp: |
| * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp: |
| |
| 2019-10-03 Mark Lam <mark.lam@apple.com> |
| |
| Fix testmasm failure on ASan builds. |
| https://bugs.webkit.org/show_bug.cgi?id=202554 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Gigacage is disabled on ASan builds. So testmasm is sad. Make the relevant test |
| bail gracefully if Gigacage should be disabled. |
| |
| Also converted some ASSERTs into RELEASE_ASSERTs. This is a test. No reason to |
| not assert always. |
| |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| |
| 2019-10-03 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Socket RWI client should acquire backend commands from server |
| https://bugs.webkit.org/show_bug.cgi?id=202421 |
| |
| Reviewed by Devin Rousso. |
| |
| * inspector/remote/socket/RemoteInspectorServer.cpp: |
| (Inspector::RemoteInspectorServer::setupInspectorClient): |
| (Inspector::RemoteInspectorServer::backendCommands const): |
| * inspector/remote/socket/RemoteInspectorServer.h: |
| (Inspector::RemoteInspectorServer::setBackendCommandsPath): |
| Assuming a path to InspectorBackendCommands.js has been provided, |
| read the file and send off its base64-encoded contents in a "BackendCommands" message when setting up a client. |
| |
| 2019-10-03 Yury Semikhatsky <yurys@chromium.org> |
| |
| Web Inspector: tests under LayoutTests/inspector/debugger are flaky |
| https://bugs.webkit.org/show_bug.cgi?id=137131 |
| <rdar://problem/18461335> |
| |
| Reviewed by Devin Rousso. |
| |
| Changed breakpoint resolution logic to make it consistent across platforms and |
| better handle the case when there are several DebuggerPausePositions at the same |
| offset (but with different types). |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::hasOpDebugForLineAndColumn): |
| * bytecode/CodeBlock.h: |
| * debugger/Breakpoint.h: Removed Breakpoint::unspecifiedColumn, Optional<unsigned> |
| is used instead where needed. It allows us to avoid code that relies on (int)UINT_MAX => -1 |
| conversion. |
| |
| * debugger/Debugger.cpp: |
| (JSC::Debugger::resolveBreakpoint): clarified that in the map columns are 0-based. |
| * debugger/DebuggerParseData.cpp: |
| (JSC::DebuggerPausePositions::breakpointLocationForLineColumn): replaced custom |
| binary search with std::lower_bound. If there are several pause positions at the |
| same offset they will be sorted by the type and the algorithm is guaranteed to see |
| leftmost one first. |
| |
| (JSC::DebuggerPausePositions::sort): use type as secondary ordering component. |
| * debugger/DebuggerParseData.h: Rearranged type constants so that Enter < Pause < Leave. |
| This change, along with sorting by type, should guarantee that in case of several pause |
| positions at the same line Enter goes before Pause before Leave and the breakpoint |
| resolution will yield a result similar to that when each pause location has a different |
| position. |
| |
| * inspector/protocol/Debugger.json: clarified that positions are 0-based. |
| * parser/ParserTokens.h: |
| (JSC::JSTextPosition::column const): added helper method for computing column. |
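The ordering this entry describes, modelled as an added example (not JSC's code): positions sorted by (line, column, type) with Enter < Pause < Leave, resolution through std::lower_bound, and std::optional standing in for WTF::Optional. Type, function and sample names are hypothetical stand-ins for the ones named in the entry.

```cpp
#include <algorithm>
#include <optional>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

// Hypothetical model of the DebuggerPausePositions ordering: the enum order
// is what makes "type" usable as the secondary sort key.
enum class PausePositionType { Enter = 0, Pause = 1, Leave = 2 };

struct PausePosition {
    PausePositionType type;
    unsigned line;   // 0-based, as the map columns/lines are in the entry
    unsigned column; // 0-based
};

// Stand-in for DebuggerPausePositions::sort(): offset first, then type, so
// several positions at one offset come out as Enter, Pause, Leave.
void sortPausePositions(std::vector<PausePosition>& positions)
{
    std::sort(positions.begin(), positions.end(), [](const PausePosition& a, const PausePosition& b) {
        return std::tie(a.line, a.column, a.type) < std::tie(b.line, b.column, b.type);
    });
}

// Stand-in for breakpointLocationForLineColumn(): the first position at or
// after the request. An unspecified column means "start of the line", which
// replaces the old UINT_MAX sentinel. Precondition: `sorted` was sorted above.
std::optional<PausePosition> resolvePausePosition(const std::vector<PausePosition>& sorted, unsigned line, std::optional<unsigned> column)
{
    const std::pair<unsigned, unsigned> key(line, column.value_or(0));
    // lower_bound compares only the offset, so among equal offsets it lands on
    // the leftmost entry, which after sorting is the lowest type (Enter).
    auto it = std::lower_bound(sorted.begin(), sorted.end(), key,
        [](const PausePosition& p, const std::pair<unsigned, unsigned>& k) {
            return std::make_pair(p.line, p.column) < k;
        });
    if (it == sorted.end())
        return std::nullopt;
    return *it;
}

// Constructed sample: three positions sharing offset 3:4, deliberately
// inserted out of order, plus neighbours on the same and a later line.
std::vector<PausePosition> samplePositions()
{
    std::vector<PausePosition> positions = {
        { PausePositionType::Leave, 3, 4 },
        { PausePositionType::Pause, 3, 4 },
        { PausePositionType::Enter, 3, 4 },
        { PausePositionType::Pause, 3, 9 },
        { PausePositionType::Enter, 5, 0 },
    };
    sortPausePositions(positions);
    return positions;
}

static const char* typeName(PausePositionType type)
{
    switch (type) {
    case PausePositionType::Enter: return "Enter";
    case PausePositionType::Pause: return "Pause";
    case PausePositionType::Leave: return "Leave";
    }
    return "?";
}

// Resolve against the sample and render the result, e.g. "Enter@3:4" or "none".
std::string resolveDescription(unsigned line, std::optional<unsigned> column)
{
    auto result = resolvePausePosition(samplePositions(), line, column);
    if (!result)
        return "none";
    return std::string(typeName(result->type)) + "@" + std::to_string(result->line) + ":" + std::to_string(result->column);
}
```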
| |
| 2019-10-03 Keith Miller <keith_miller@apple.com> |
| |
| Fix assembler on ARM64E |
| https://bugs.webkit.org/show_bug.cgi?id=202528 |
| |
| Reviewed by Michael Saboff. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::callOperation): |
| * assembler/MacroAssemblerARM64E.h: |
| (JSC::MacroAssemblerARM64E::callOperation): |
| |
| 2019-10-02 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] AsyncGenerator should have internal fields |
| https://bugs.webkit.org/show_bug.cgi?id=201498 |
| |
| Reviewed by Saam Barati. |
| |
| This patch introduces JSAsyncGenerator. We did this already for JSGenerator. This patch does the same thing for JSAsyncGenerator. |
| This patch cleans up JSGenerator's code to share it with JSAsyncGenerator, e.g. JSGenerator::initialValues etc. |
| It improves JetStream2/async-fs by ~10%. |
| |
| We also fixed a pre-existing bug. We are using OpcodeID for the key of a hashmap, and using op_add's code as a part of the key. |
| By adding a new bytecode, it suddenly becomes 0. And 0 is not a valid key in WTF::HashMap. This patch adds 1 to opcodeID when using |
| it for HashMap's key to fix this issue. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * builtins/AsyncGeneratorPrototype.js: |
| (globalPrivate.asyncGeneratorQueueIsEmpty): |
| (globalPrivate.asyncGeneratorQueueEnqueue): |
| (globalPrivate.asyncGeneratorQueueDequeue): |
| (globalPrivate.isExecutionState): |
| (globalPrivate.isSuspendYieldState): |
| (globalPrivate.asyncGeneratorReject): |
| (globalPrivate.asyncGeneratorResolve): |
| (asyncGeneratorYieldAwaited): |
| (globalPrivate.asyncGeneratorYield): |
| (globalPrivate.doAsyncGeneratorBodyCall): |
| (globalPrivate.asyncGeneratorResumeNext): |
| (globalPrivate.asyncGeneratorEnqueue): |
| * builtins/BuiltinNames.h: |
| * bytecode/BytecodeIntrinsicRegistry.cpp: |
| (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): |
| * bytecode/BytecodeIntrinsicRegistry.h: |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finalizeLLIntInlineCaches): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields): |
| (JSC::BytecodeGenerator::emitCreateAsyncGenerator): |
| (JSC::BytecodeGenerator::emitYieldPoint): |
| (JSC::BytecodeGenerator::emitYield): |
| (JSC::BytecodeGenerator::emitAwait): |
| (JSC::BytecodeGenerator::emitDelegateYield): |
| (JSC::BytecodeGenerator::emitGeneratorStateChange): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::emitIsAsyncGenerator): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::asyncGeneratorInternalFieldIndex): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_getAsyncGeneratorInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_putAsyncGeneratorInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isAsyncGenerator): |
| (JSC::YieldExprNode::emitBytecode): |
| (JSC::AwaitExprNode::emitBytecode): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| (JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGClobbersExitState.cpp: |
| (JSC::DFG::clobbersExitState): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::convertToNewInternalFieldObject): |
| (JSC::DFG::Node::hasStructure): |
| (JSC::DFG::Node::convertToNewGenerator): Deleted. |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCreateInternalFieldObject): |
| (JSC::DFG::SpeculativeJIT::compileCreateGenerator): |
| (JSC::DFG::SpeculativeJIT::compileCreateAsyncGenerator): |
| (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject): |
| (JSC::DFG::SpeculativeJIT::compileNewGenerator): |
| (JSC::DFG::SpeculativeJIT::compileNewAsyncGenerator): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewAsyncGenerator): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateGenerator): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateAsyncGenerator): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| * jit/JITInlines.h: |
| (JSC::JIT::copiedArithProfile): |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * llint/LowLevelInterpreter.asm: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::createInternalFieldObject): |
| (JSC::SLOW_PATH_DECL): |
| * runtime/CommonSlowPaths.h: |
| * runtime/JSAsyncGenerator.cpp: Copied from Source/JavaScriptCore/runtime/JSGenerator.cpp. |
| (JSC::JSAsyncGenerator::create): |
| (JSC::JSAsyncGenerator::createStructure): |
| (JSC::JSAsyncGenerator::JSAsyncGenerator): |
| (JSC::JSAsyncGenerator::finishCreation): |
| (JSC::JSAsyncGenerator::visitChildren): |
| * runtime/JSAsyncGenerator.h: Copied from Source/JavaScriptCore/runtime/JSGenerator.h. |
| * runtime/JSAsyncGeneratorFunction.h: |
| * runtime/JSGenerator.cpp: |
| (JSC::JSGenerator::finishCreation): |
| * runtime/JSGenerator.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::asyncGeneratorStructure const): |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| |
| 2019-10-02 Keith Miller <keith_miller@apple.com> |
| |
| FTL OSR exit shouldn't bother updating get_by_id array profiles that have changed modes |
| https://bugs.webkit.org/show_bug.cgi?id=202493 |
| |
| Reviewed by Saam Barati. |
| |
| I added this optimization for DFG but forgot to do it for the FTL |
| at the same time. This patch rectifies that. |
| |
| * ftl/FTLOSRExitCompiler.cpp: |
| (JSC::FTL::compileStub): |
| |
| 2019-10-02 Paulo Matos <pmatos@igalia.com> |
| |
| Gardening build fix: Hide store64/load64 functions from 32bit |
| https://bugs.webkit.org/show_bug.cgi?id=202453 |
| |
| Unreviewed. |
| |
| The prior patch for bug 202250 breaks 32bit builds because the functions |
| store64 and load64 do not exist. ifdef these functions away from 32bits since |
| they are not used in the 32bit code path. |
| |
| * jit/AssemblyHelpers.h: |
| |
| 2019-10-01 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix incorrect assertion |
| https://bugs.webkit.org/show_bug.cgi?id=202391 |
| |
| * runtime/JSLock.cpp: |
| (JSC::JSLock::DropAllLocks::~DropAllLocks): |
| |
| 2019-10-01 Saam Barati <sbarati@apple.com> |
| |
| ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid |
| https://bugs.webkit.org/show_bug.cgi?id=199361 |
| <rdar://problem/52454940> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| In a prior fix to the object allocation sinking phase, I added code where we |
| made sure to insert PutHints over Phis for fields of an object at control flow |
| merge points. However, that code didn't consider that the base of the PutHint |
| may no longer be a valid heap location. This could cause us to emit invalid |
| SSA code by referring to a node which does not dominate the PutHint location. |
| This patch fixes the bug to only emit the PutHints when valid. |
| |
| This patch also makes it so that DFGValidate actually validates that the graph |
| is in valid SSA form. E.g, any use of a node N must be dominated by N. |
| |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
| * dfg/DFGValidate.cpp: |
| |
| 2019-10-01 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Place VM* in TLS |
| https://bugs.webkit.org/show_bug.cgi?id=202391 |
| |
| Reviewed by Mark Lam. |
| |
| This patch puts VM* in TLS mainly for debugging purpose. In JSLockHolder, we put VM* and save the old VM* in TLS. |
| And JSLockHolder's destructor restores it. It is possible that we have two VMs A and B. After locking A, we enter |
| B. In this case, when B's lock is released, we should restore TLS to A. We put the old VM* in JSLockHolder::m_previousVMInTLS |
| so that we can restore it in JSLockHolder's destructor. |
| |
| This patch also cleans up Lock<JSLock> / std::lock_guard<JSLock> usage in JSRunLoopTimer and JSManagedValue by introducing |
| JSLockHolder with LockIfVMIsLive tag. Previously, we intentionally used `std::lock_guard<JSLock>` since VM* can be dead |
| at these places. JSLockHolder with LockIfVMIsLive handles this case carefully: it locks JSLock when VM* is live. |
| |
| * API/JSManagedValue.mm: |
| (-[JSManagedValue value]): |
| * API/glib/JSCWeakValue.cpp: |
| (jsc_weak_value_get_value): |
| * runtime/InitializeThreading.cpp: |
| (JSC::initializeThreading): |
| * runtime/JSLock.cpp: |
| (JSC::JSLockHolder::JSLockHolder): |
| (JSC::JSLockHolder::~JSLockHolder): |
| (JSC::JSLock::DropAllLocks::DropAllLocks): |
| (JSC::JSLock::DropAllLocks::~DropAllLocks): |
| * runtime/JSLock.h: |
| (JSC::JSLockHolder::vm): |
| * runtime/JSRunLoopTimer.cpp: |
| (JSC::JSRunLoopTimer::timerDidFire): |
| * runtime/VM.cpp: |
| (JSC::VM::initializeTLS): |
| * runtime/VM.h: |
| (JSC::VM::exchange): |
| (JSC::VM::current): |
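The scheme this entry describes, modelled as an added example (not JSC's code): a thread-local VM*, a holder that saves the previous VM* and restores it on release so that nesting A then B lands back on A, and a LockIfVMIsLive mode that leaves TLS untouched when the VM is already dead. All names are hypothetical stand-ins for the JSC ones named above, and std::weak_ptr stands in for whatever liveness check the real code uses.

```cpp
#include <memory>
#include <mutex>
#include <string>
#include <vector>

// Hypothetical VM with the two TLS accessors the entry names.
struct VM {
    std::string name;
    std::recursive_mutex apiLock; // stand-in for JSLock

    explicit VM(std::string vmName) : name(std::move(vmName)) { }

    static VM* current();
    static VM* exchange(VM* vm);
};

static thread_local VM* s_currentVM = nullptr;

VM* VM::current() { return s_currentVM; }

// Install `vm` in TLS and hand back whatever was there before.
VM* VM::exchange(VM* vm)
{
    VM* previous = s_currentVM;
    s_currentVM = vm;
    return previous;
}

struct LockIfVMIsLiveTag { };

class JSLockHolder {
public:
    explicit JSLockHolder(VM& vm)
        : m_vm(&vm)
    {
        m_vm->apiLock.lock();
        m_previousVMInTLS = VM::exchange(m_vm); // remember the outer VM, if any
    }

    // LockIfVMIsLive: only lock when the VM is still alive; a dead VM leaves
    // both the lock and TLS untouched.
    JSLockHolder(std::weak_ptr<VM> weakVM, LockIfVMIsLiveTag)
    {
        if (auto strongVM = weakVM.lock()) {
            m_keepAlive = strongVM;
            m_vm = strongVM.get();
            m_vm->apiLock.lock();
            m_previousVMInTLS = VM::exchange(m_vm);
        }
    }

    ~JSLockHolder()
    {
        if (!m_vm)
            return;
        VM::exchange(m_previousVMInTLS); // restore the outer VM (or null)
        m_vm->apiLock.unlock();
    }

    JSLockHolder(const JSLockHolder&) = delete;
    JSLockHolder& operator=(const JSLockHolder&) = delete;

    VM* vm() const { return m_vm; }

private:
    VM* m_vm { nullptr };
    VM* m_previousVMInTLS { nullptr };
    std::shared_ptr<VM> m_keepAlive;
};

static std::string currentName() { return VM::current() ? VM::current()->name : "(none)"; }

// Lock A, then B inside A, recording VM::current() at every step: the
// interesting value is the one observed after B's holder is destroyed.
std::vector<std::string> traceNestedLocking()
{
    std::vector<std::string> trace;
    VM vmA("A");
    VM vmB("B");
    trace.push_back(currentName());
    {
        JSLockHolder lockA(vmA);
        trace.push_back(currentName());
        {
            JSLockHolder lockB(vmB);
            trace.push_back(currentName());
        }
        trace.push_back(currentName()); // must be A again, not null
    }
    trace.push_back(currentName());
    return trace;
}

// LockIfVMIsLive against a VM that has already been destroyed.
bool deadVMLeavesTLSUntouched()
{
    std::weak_ptr<VM> weak;
    {
        auto vm = std::make_shared<VM>("C");
        weak = vm;
    }
    JSLockHolder holder(weak, LockIfVMIsLiveTag{});
    return holder.vm() == nullptr && VM::current() == nullptr;
}
```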
| |
| 2019-10-01 Michael Saboff <msaboff@apple.com> and Paulo Matos <pmatos@igalia.com> |
| |
| [YARR] Properly handle surrogates when matching back references |
| https://bugs.webkit.org/show_bug.cgi?id=202041 |
| |
| Reviewed by Keith Miller. |
| |
| This patch is based on a work in progress patch by Paulo Matos <pmatos@igalia.com>. |
| |
| When handling back references in Unicode patterns, we can't match un-decoded surrogate characters, |
| instead we need to read and process surrogate pairs. Changed matchBackreference() to do this, |
| including properly incrementing the back reference pattern and search indexes. |
| |
| In support of this change, on X86_64 we needed to free up r10 to be used exclusively for |
| "patternIndex". It was also used as a temp in tryReadUnicodeCharImpl(). Made a new named |
| temp register, called unicodeTemp, to take the place of regT2(r10) in tryReadUnicodeCharImpl. |
| This new temp is r14 on X86_64 and X5 on ARM64. To free up r14 on X86_64, changed the |
| old leadingSurrogateTag to be a literal. |
| |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl): |
| (JSC::Yarr::YarrGenerator::matchBackreference): |
| (JSC::Yarr::YarrGenerator::generateEnter): |
| (JSC::Yarr::YarrGenerator::readCharacterDontDecodeSurrogates): Deleted. |
| |
| 2019-10-01 Keith Miller <keith_miller@apple.com> |
| |
| Add support for the Wasm multi-value proposal |
| https://bugs.webkit.org/show_bug.cgi?id=202250 |
| |
| Reviewed by Saam Barati. |
| |
| The wasm multi-value proposal makes two major changes to the |
| spec. The first is that functions may now return more than one |
| value across calls. When calling to/from JS, if there is more than |
| one return type we return/receive a JSArray/Iterable, |
| respectively. In the Wasm calls JS case, if the iterable object |
| does not vend the exact number of objects expected by the |
| signature an error is thrown. |
| |
| The second major change in the multi-value proposal allows blocks |
| to have any signature type. This works in a backwards compatible |
| way by exploiting the fact that the old value-type thunk signatures |
| (where the block takes no arguments and returns just the value |
| type i.e. [] -> [type]) were always encoded as a negative |
| number. If a block has a function signature, it is encoded as a |
| positive index into the type section. When a block has a function |
| signature type then the values from the enclosing stack are popped |
| off that stack and added to the new block's stack. In the case of |
| a br/br_if to a Loop block the "argument" values should be on the |
| brancher's stack. |
| |
| The biggest change in this patch is stripping down the |
| WasmCallingConventions file into one simpler API that just tells |
| you where each argument should be located. It also now handles |
| adding or subtracting sizeof(CallerFrameAndPC) depending on |
| whether you are caller or callee. Additionally, when computing |
| locations for the callee it returns a B3::ValueRep that has the |
| offsetFromFP rather than offsetFromSP. Since the code has been |
| cleaned up I tried to also reduce code duplication in the various |
| stubs for wasm code. This patch also removes the Air specific |
| calling convention code and moves that logic into the Air IR |
| generator. |
| |
| Since blocks can now have arbitrary signatures the control entries |
| now use a const signature* rather than just the return |
| type. Additionally, what used to be the result phi is now the phis |
| for all the results for non-loop blocks and the arguments for a |
| loop block. Due to the control flow restrictions of wasm, |
| conveniently we don't have to worry about generating non-optimal |
| SSA, thus we can just use phis directly rather than using a |
| variable. |
| |
| Lastly, to help clean up some code in the IR generators new helper |
| methods were added to create call Patchpoints. These helpers do |
| most of the boiler-plate initialization. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * assembler/AbstractMacroAssembler.h: |
| (JSC::AbstractMacroAssembler::ImplicitAddress::ImplicitAddress): |
| * assembler/LinkBuffer.cpp: |
| (JSC::shouldDumpDisassemblyFor): |
| * assembler/LinkBuffer.h: |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::callOperation): |
| * assembler/MacroAssemblerX86_64.h: |
| (JSC::MacroAssemblerX86_64::callOperation): |
| * b3/B3LowerToAir.cpp: |
| * b3/B3PatchpointSpecial.cpp: |
| (JSC::B3::PatchpointSpecial::forEachArg): |
| (JSC::B3::PatchpointSpecial::isValid): |
| (JSC::B3::PatchpointSpecial::admitsStack): |
| (JSC::B3::PatchpointSpecial::generate): |
| * b3/B3Procedure.h: |
| (JSC::B3::Procedure::resultCount const): |
| (JSC::B3::Procedure::typeAtOffset const): |
| (JSC::B3::Procedure::returnCount const): Deleted. |
| * b3/B3StackmapGenerationParams.cpp: |
| (JSC::B3::StackmapGenerationParams::code const): |
| * b3/B3StackmapGenerationParams.h: |
| * b3/B3ValueRep.h: |
| * b3/air/AirHelpers.h: Added. |
| (JSC::B3::Air::moveForType): |
| (JSC::B3::Air::relaxedMoveForType): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::store64FromReg): |
| (JSC::AssemblyHelpers::store32FromReg): |
| (JSC::AssemblyHelpers::load64ToReg): |
| (JSC::AssemblyHelpers::load32ToReg): |
| * runtime/JSCConfig.h: |
| * runtime/OptionsList.h: |
| * tools/JSDollarVM.cpp: |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::dumpValue): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::ConstrainedTmp::operator bool const): |
| (JSC::Wasm::TypedTmp::dump const): |
| (JSC::Wasm::AirIRGenerator::ControlData::ControlData): |
| (JSC::Wasm::AirIRGenerator::ControlData::dump const): |
| (JSC::Wasm::AirIRGenerator::ControlData::blockType const): |
| (JSC::Wasm::AirIRGenerator::ControlData::signature const): |
| (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch): |
| (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock): |
| (JSC::Wasm::AirIRGenerator::addEndToUnreachable): |
| (JSC::Wasm::AirIRGenerator::emitCallPatchpoint): |
| (JSC::Wasm::AirIRGenerator::validateInst): |
| (JSC::Wasm::AirIRGenerator::tmpsForSignature): |
| (JSC::Wasm::AirIRGenerator::emitPatchpoint): |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::toB3ResultType): |
| (JSC::Wasm::AirIRGenerator::addBottom): |
| (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::AirIRGenerator::addTopLevel): |
| (JSC::Wasm::AirIRGenerator::addLoop): |
| (JSC::Wasm::AirIRGenerator::addBlock): |
| (JSC::Wasm::AirIRGenerator::addIf): |
| (JSC::Wasm::AirIRGenerator::addElse): |
| (JSC::Wasm::AirIRGenerator::addElseToUnreachable): |
| (JSC::Wasm::AirIRGenerator::addReturn): |
| (JSC::Wasm::AirIRGenerator::addBranch): |
| (JSC::Wasm::AirIRGenerator::addSwitch): |
| (JSC::Wasm::AirIRGenerator::endBlock): |
| (JSC::Wasm::AirIRGenerator::addCall): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| (JSC::Wasm::dumpExpressionStack): |
| (JSC::Wasm::AirIRGenerator::dump): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>): |
| (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>): |
| (JSC::Wasm::AirIRGenerator::ControlData::type const): Deleted. |
| (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const): Deleted. |
| (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const): Deleted. |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::ControlData::ControlData): |
| (JSC::Wasm::B3IRGenerator::ControlData::dump const): |
| (JSC::Wasm::B3IRGenerator::ControlData::blockType const): |
| (JSC::Wasm::B3IRGenerator::ControlData::hasNonVoidresult const): |
| (JSC::Wasm::B3IRGenerator::ControlData::targetBlockForBranch): |
| (JSC::Wasm::B3IRGenerator::ControlData::convertIfToBlock): |
| (JSC::Wasm::B3IRGenerator::addEndToUnreachable): |
| (JSC::Wasm::B3IRGenerator::B3IRGenerator): |
| (JSC::Wasm::B3IRGenerator::framePointer): |
| (JSC::Wasm::B3IRGenerator::toB3ResultType): |
| (JSC::Wasm::B3IRGenerator::addArguments): |
| (JSC::Wasm::B3IRGenerator::addGrowMemory): |
| (JSC::Wasm::B3IRGenerator::addLoop): |
| (JSC::Wasm::B3IRGenerator::addTopLevel): |
| (JSC::Wasm::B3IRGenerator::addBlock): |
| (JSC::Wasm::B3IRGenerator::addIf): |
| (JSC::Wasm::B3IRGenerator::addElse): |
| (JSC::Wasm::B3IRGenerator::addElseToUnreachable): |
| (JSC::Wasm::B3IRGenerator::addReturn): |
| (JSC::Wasm::B3IRGenerator::addBranch): |
| (JSC::Wasm::B3IRGenerator::addSwitch): |
| (JSC::Wasm::B3IRGenerator::endBlock): |
| (JSC::Wasm::B3IRGenerator::createCallPatchpoint): |
| (JSC::Wasm::B3IRGenerator::addCall): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| (JSC::Wasm::B3IRGenerator::ControlData::type const): Deleted. |
| (JSC::Wasm::B3IRGenerator::ControlData::hasNonVoidSignature const): Deleted. |
| (JSC::Wasm::B3IRGenerator::ControlData::resultForBranch const): Deleted. |
| (JSC::Wasm::B3IRGenerator::createStack): Deleted. |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::didReceiveFunctionData): |
| (JSC::Wasm::BBQPlan::parseAndValidateModule): |
| (JSC::Wasm::BBQPlan::complete): |
| * wasm/WasmBBQPlan.h: |
| * wasm/WasmBinding.cpp: |
| (JSC::Wasm::wasmToWasm): |
| * wasm/WasmCallingConvention.cpp: |
| (JSC::Wasm::jsCallingConvention): |
| (JSC::Wasm::wasmCallingConvention): |
| (JSC::Wasm::jscCallingConvention): Deleted. |
| (JSC::Wasm::jscCallingConventionAir): Deleted. |
| (JSC::Wasm::wasmCallingConventionAir): Deleted. |
| * wasm/WasmCallingConvention.h: |
| (JSC::Wasm::CallInformation::CallInformation): |
| (JSC::Wasm::CallInformation::computeResultsOffsetList): |
| (JSC::Wasm::WasmCallingConvention::WasmCallingConvention): |
| (JSC::Wasm::WasmCallingConvention::marshallLocationImpl const): |
| (JSC::Wasm::WasmCallingConvention::marshallLocation const): |
| (JSC::Wasm::WasmCallingConvention::callInformationFor const): |
| (JSC::Wasm::JSCallingConvention::JSCallingConvention): |
| (JSC::Wasm::JSCallingConvention::marshallLocationImpl const): |
| (JSC::Wasm::JSCallingConvention::marshallLocation const): |
| (JSC::Wasm::JSCallingConvention::callInformationFor const): |
| (JSC::Wasm::CallingConvention::CallingConvention): Deleted. |
| (JSC::Wasm::CallingConvention::marshallArgumentImpl const): Deleted. |
| (JSC::Wasm::CallingConvention::marshallArgument const): Deleted. |
| (JSC::Wasm::CallingConvention::headerSizeInBytes): Deleted. |
| (JSC::Wasm::CallingConvention::setupFrameInPrologue const): Deleted. |
| (JSC::Wasm::CallingConvention::loadArguments const): Deleted. |
| (JSC::Wasm::CallingConvention::setupCall const): Deleted. |
| (JSC::Wasm::CallingConventionAir::CallingConventionAir): Deleted. |
| (JSC::Wasm::CallingConventionAir::prologueScratch const): Deleted. |
| (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const): Deleted. |
| (JSC::Wasm::CallingConventionAir::marshallArgument const): Deleted. |
| (JSC::Wasm::CallingConventionAir::headerSizeInBytes): Deleted. |
| (JSC::Wasm::CallingConventionAir::loadArguments const): Deleted. |
| (JSC::Wasm::CallingConventionAir::setupCall const): Deleted. |
| (JSC::Wasm::nextJSCOffset): Deleted. |
| * wasm/WasmFormat.h: |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::splitStack): |
| (JSC::Wasm::FunctionParser::signature const): |
| (JSC::Wasm::FunctionParser<Context>::FunctionParser): |
| (JSC::Wasm::FunctionParser<Context>::parseBody): |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression): |
| * wasm/WasmInstance.h: |
| * wasm/WasmMemoryInformation.cpp: |
| (JSC::Wasm::getPinnedRegisters): |
| * wasm/WasmOMGForOSREntryPlan.cpp: |
| (JSC::Wasm::OMGForOSREntryPlan::work): |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| * wasm/WasmParser.h: |
| (JSC::Wasm::FailureHelper::makeString): |
| (JSC::Wasm::Parser<SuccessType>::Parser): |
| (JSC::Wasm::Parser<SuccessType>::peekInt7): |
| (JSC::Wasm::Parser<SuccessType>::parseBlockSignature): |
| (JSC::Wasm::Parser<SuccessType>::parseValueType): |
| (JSC::Wasm::Parser<SuccessType>::parseResultType): Deleted. |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseType): |
| (JSC::Wasm::SectionParser::parseStart): |
| * wasm/WasmSectionParser.h: |
| * wasm/WasmSignature.cpp: |
| (JSC::Wasm::Signature::toString const): |
| (JSC::Wasm::Signature::dump const): |
| (JSC::Wasm::computeHash): |
| (JSC::Wasm::Signature::hash const): |
| (JSC::Wasm::Signature::tryCreate): |
| (JSC::Wasm::SignatureInformation::SignatureInformation): |
| (JSC::Wasm::ParameterTypes::hash): |
| (JSC::Wasm::ParameterTypes::equal): |
| (JSC::Wasm::ParameterTypes::translate): |
| (JSC::Wasm::SignatureInformation::signatureFor): |
| (JSC::Wasm::SignatureInformation::adopt): Deleted. |
| * wasm/WasmSignature.h: |
| (JSC::Wasm::Signature::Signature): |
| (JSC::Wasm::Signature::allocatedSize): |
| (JSC::Wasm::Signature::returnCount const): |
| (JSC::Wasm::Signature::returnType const): |
| (JSC::Wasm::Signature::returnsVoid const): |
| (JSC::Wasm::Signature::argument const): |
| (JSC::Wasm::Signature::operator== const): |
| (JSC::Wasm::Signature::getReturnType): |
| (JSC::Wasm::Signature::getArgument): |
| (JSC::Wasm::SignatureHash::SignatureHash): |
| (JSC::Wasm::SignatureHash::equal): |
| (JSC::Wasm::SignatureInformation::thunkFor const): |
| (JSC::Wasm::Signature::returnType): Deleted. |
| (JSC::Wasm::Signature::argument): Deleted. |
| * wasm/WasmStreamingParser.cpp: |
| (JSC::Wasm::StreamingParser::parseCodeSectionSize): |
| (JSC::Wasm::StreamingParser::parseFunctionPayload): |
| (JSC::Wasm::StreamingParser::parseSectionPayload): |
| * wasm/WasmStreamingParser.h: |
| (JSC::Wasm::StreamingParserClient::didReceiveSectionData): |
| (JSC::Wasm::StreamingParser::reportError): |
| (JSC::Wasm::StreamingParserClient::didReceiveFunctionData): Deleted. |
| * wasm/WasmThunks.cpp: |
| (JSC::Wasm::throwExceptionFromWasmThunkGenerator): |
| (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator): |
| (JSC::Wasm::triggerOMGEntryTierUpThunkGenerator): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::ControlData::ControlData): |
| (JSC::Wasm::Validate::ControlData::dump const): |
| (JSC::Wasm::Validate::ControlData::blockType const): |
| (JSC::Wasm::Validate::ControlData::signature const): |
| (JSC::Wasm::Validate::ControlData::branchTargetArity const): |
| (JSC::Wasm::Validate::ControlData::branchTargetType const): |
| (JSC::Wasm::Validate::fail const): |
| (JSC::Wasm::Validate::addTableGet): |
| (JSC::Wasm::Validate::addTableGrow): |
| (JSC::Wasm::Validate::addTableFill): |
| (JSC::Wasm::Validate::addRefIsNull): |
| (JSC::Wasm::Validate::addTopLevel): |
| (JSC::Wasm::splitStack): |
| (JSC::Wasm::Validate::addBlock): |
| (JSC::Wasm::Validate::addLoop): |
| (JSC::Wasm::Validate::addIf): |
| (JSC::Wasm::Validate::addElseToUnreachable): |
| (JSC::Wasm::Validate::addReturn): |
| (JSC::Wasm::Validate::checkBranchTarget): |
| (JSC::Wasm::Validate::addSwitch): |
| (JSC::Wasm::Validate::addGrowMemory): |
| (JSC::Wasm::Validate::addEndToUnreachable): |
| (JSC::Wasm::Validate::addCall): |
| (JSC::Wasm::Validate::addCallIndirect): |
| (JSC::Wasm::Validate::unify): |
| (JSC::Wasm::Validate::ControlData::hasNonVoidSignature const): Deleted. |
| (JSC::Wasm::Validate::ControlData::type const): Deleted. |
| (JSC::Wasm::Validate::ControlData::branchTargetSignature const): Deleted. |
| * wasm/generateWasmOpsHeader.py: |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::boxWasmResult): |
| (JSC::Wasm::allocateResultsArray): |
| (JSC::Wasm::marshallJSResult): |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/JSToWasm.h: |
| * wasm/js/JSWebAssemblyCodeBlock.cpp: |
| (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::handleBadI64Use): |
| (JSC::Wasm::wasmToJS): |
| * wasm/js/WasmToJS.h: |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::callWebAssemblyFunction): |
| (JSC::WebAssemblyFunction::useTagRegisters const): |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
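Added example, not WebKit/JSC code: a small JavaScript model of the block-signature encoding described in the multi-value entry above (negative SLEB128 numbers for the old value-type thunk signatures, a non-negative type-section index for a full function signature), plus how a block with a function signature takes its arguments from the enclosing stack and what a branch to a Loop versus a Block carries. All function names, the type section and the sample bytes are constructed for illustration.

```javascript
// Added example, not WebKit/JSC code. Names are invented for illustration.

// Old-style "value-type thunk" block types are negative SLEB128 numbers;
// 0x40 (-64) is the empty signature [] -> [].
const EMPTY_BLOCK = -64;
const VALUE_TYPES = { '-1': 'i32', '-2': 'i64', '-3': 'f32', '-4': 'f64' };

// Decode a signed LEB128 value (the block type is an s33 in the binary
// format). Kept to 4 bytes here, which is plenty for a type-section index.
function readSLEB128(bytes, offset) {
  let result = 0;
  let shift = 0;
  let pos = offset;
  let byte;
  do {
    if (pos >= bytes.length) throw new Error('truncated LEB128');
    if (shift >= 28) throw new Error('block type too long for this example');
    byte = bytes[pos++];
    result |= (byte & 0x7f) << shift;
    shift += 7;
  } while (byte & 0x80);
  // Sign-extend when the final byte has its sign bit (0x40) set.
  if (byte & 0x40) result |= -1 << shift;
  return { value: result, next: pos };
}

// Map an encoded block type to a {params, results} signature.
function decodeBlockType(bytes, offset, typeSection) {
  const { value, next } = readSLEB128(bytes, offset);
  let signature;
  if (value >= 0) {
    // Non-negative: an index into the type section, so the block may take
    // parameters and return several values.
    if (value >= typeSection.length)
      throw new Error(`block type index ${value} out of range`);
    signature = typeSection[value];
  } else if (value === EMPTY_BLOCK) {
    signature = { params: [], results: [] };
  } else if (String(value) in VALUE_TYPES) {
    signature = { params: [], results: [VALUE_TYPES[value]] };
  } else {
    throw new Error(`unknown block type ${value}`);
  }
  return { signature, next };
}

// Entering a block: its arguments are popped off the enclosing stack (with a
// type check) and become the initial contents of the new block's stack.
function enterBlock(enclosingStack, signature) {
  const n = signature.params.length;
  if (enclosingStack.length < n) throw new Error('stack underflow entering block');
  const args = enclosingStack.splice(enclosingStack.length - n, n);
  args.forEach((t, i) => {
    if (t !== signature.params[i])
      throw new Error(`block argument ${i}: expected ${signature.params[i]}, got ${t}`);
  });
  return args;
}

// A br/br_if to a Loop carries the loop's arguments; a branch to any other
// block carries the block's results.
function branchTargetArity(blockKind, signature) {
  return blockKind === 'loop' ? signature.params.length : signature.results.length;
}

// Constructed sample: one type-section entry and four encoded block types
// (empty, i32, index 0, index 200 which is out of range).
const TYPE_SECTION = [{ params: ['i32', 'i32'], results: ['i32'] }];
const SAMPLE = Uint8Array.from([0x40, 0x7f, 0x00, 0xc8, 0x01]);

function demo() {
  const empty = decodeBlockType(SAMPLE, 0, TYPE_SECTION).signature; // [] -> []
  const i32 = decodeBlockType(SAMPLE, 1, TYPE_SECTION).signature;   // [] -> [i32]
  const multi = decodeBlockType(SAMPLE, 2, TYPE_SECTION).signature; // [i32 i32] -> [i32]
  const stack = ['f64', 'i32', 'i32'];
  const loopStack = enterBlock(stack, multi); // stack keeps only the f64
  return {
    empty, i32, multi, stack, loopStack,
    loopArity: branchTargetArity('loop', multi),
    blockArity: branchTargetArity('block', multi),
  };
}
```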
| |
| 2019-09-30 Alex Christensen <achristensen@webkit.org> |
| |
| Resurrect Mac CMake build |
| https://bugs.webkit.org/show_bug.cgi?id=202384 |
| |
| Rubber-stamped by Tim Horton. |
| |
| * PlatformMac.cmake: |
| |
| 2019-09-30 Alex Christensen <achristensen@webkit.org> |
| |
| Rename JSTokenType::EXPORT to EXPORT_ to avoid naming conflict with internal header |
| https://bugs.webkit.org/show_bug.cgi?id=202385 |
| |
| * parser/Keywords.table: |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseModuleSourceElements): |
| (JSC::Parser<LexerType>::parseExportDeclaration): |
| * parser/ParserTokens.h: |
| |
| 2019-09-30 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Make assertion in JSObject::putOwnDataProperty more precise |
| https://bugs.webkit.org/show_bug.cgi?id=202379 |
| <rdar://problem/49515980> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Currently, we assert that the structure has no accessors/custom accessors, but that assertion is |
| too conservative. All we need to prove is that the property being inserted either does not exist |
| in the target object or is neither an accessor nor read-only. |
| |
| * runtime/JSObject.h: |
| (JSC::JSObject::putOwnDataProperty): Deleted. |
| (JSC::JSObject::putOwnDataPropertyMayBeIndex): Deleted. |
| * runtime/JSObjectInlines.h: |
| (JSC::JSObject::validatePutOwnDataProperty): |
| (JSC::JSObject::putOwnDataProperty): |
| (JSC::JSObject::putOwnDataPropertyMayBeIndex): |
| |
| 2019-09-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too |
| https://bugs.webkit.org/show_bug.cgi?id=202389 |
| <rdar://problem/50717564> |
| |
| Reviewed by Mark Lam. |
| |
| While we are protecting HeapSnapshotBuilder::m_edges with a lock, we are not protecting m_rootData, which is also concurrently modified. |
| This patch protects it. |
| |
| * heap/HeapSnapshotBuilder.cpp: |
| (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell): |
| |
| 2019-09-30 Saam Barati <sbarati@apple.com> |
| |
| Inline caching is wrong for custom accessors and custom values |
| https://bugs.webkit.org/show_bug.cgi?id=201994 |
| <rdar://problem/50850326> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| There was an oversight in our inline caching code for custom accessors and |
| custom values. We used to assume that if an object O had a custom function for |
| property P, then O will forever respond to the same custom function for |
| property P. |
| |
| This assumption was very wrong. These custom accessors/values might be |
| properties in JS which are configurable, so they can be rewritten to be |
| other properties. Our inline caching code would be wrong in the scenarios |
| where these property descriptors got redefined. |
| |
| This patch makes it so that we now properly watchpoint for custom functions |
| being changed. If the custom accessor has been materialized, we place an |
| Equivalence watchpoint on the custom accessor. This patch also teaches |
| StructureStubInfo how to watchpoint on property value equivalence. Before, |
| we just watchpointed on structure transitions. |
| |
| This patch also adds a new property condition kind for when the custom function |
| exists inside the static property table. This case is really easy to test for |
| because we just need to see if the structure still has static properties and |
| the static property table has the entry for a particular property. This |
| property condition kind just needs to watch for structure transitions because |
| an entry in the static property table can't be mutated. |
| |
| This patch is neutral on the microbenchmarks I've added. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::AccessCase): |
| (JSC::AccessCase::couldStillSucceed const): |
| (JSC::AccessCase::generateImpl): |
| * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h: |
| * bytecode/ObjectPropertyCondition.cpp: |
| (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint const): |
| * bytecode/ObjectPropertyCondition.h: |
| (JSC::ObjectPropertyCondition::customFunctionEquivalence): |
| * bytecode/ObjectPropertyConditionSet.cpp: |
| (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition const): |
| (JSC::ObjectPropertyConditionSet::slotBaseCondition const): |
| (JSC::generateConditionsForPrototypePropertyHitCustom): |
| * bytecode/ObjectPropertyConditionSet.h: |
| * bytecode/PolyProtoAccessChain.cpp: |
| (JSC::PolyProtoAccessChain::create): |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::AccessGenerationState::installWatchpoint): |
| (JSC::PolymorphicAccess::commit): |
| (JSC::AccessGenerationState::addWatchpoint): Deleted. |
| * bytecode/PolymorphicAccess.h: |
| * bytecode/PropertyCondition.cpp: |
| (JSC::PropertyCondition::dumpInContext const): |
| (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): |
| (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const): |
| (JSC::PropertyCondition::isStillValid const): |
| (JSC::PropertyCondition::isWatchableWhenValid const): |
| (WTF::printInternal): |
| * bytecode/PropertyCondition.h: |
| (JSC::PropertyCondition::customFunctionEquivalence): |
| (JSC::PropertyCondition::hash const): |
| (JSC::PropertyCondition::operator== const): |
| * bytecode/StructureStubClearingWatchpoint.cpp: |
| (JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal): |
| (JSC::WatchpointsOnStructureStubInfo::addWatchpoint): |
| (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndInstallWatchpoint): |
| (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint): |
| (JSC::AdaptiveValueStructureStubClearingWatchpoint::handleFire): |
| (JSC::StructureStubClearingWatchpoint::fireInternal): Deleted. |
| * bytecode/StructureStubClearingWatchpoint.h: |
| * bytecode/Watchpoint.h: |
| * jit/Repatch.cpp: |
| (JSC::tryCacheGetByID): |
| (JSC::tryCachePutByID): |
| * runtime/ClassInfo.h: |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::findPropertyHashEntry const): |
| * runtime/JSObject.h: |
| * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: |
| * runtime/Structure.cpp: |
| (JSC::Structure::findPropertyHashEntry const): |
| * runtime/Structure.h: |
| * tools/JSDollarVM.cpp: |
| (JSC::testStaticAccessorGetter): |
| (JSC::testStaticAccessorPutter): |
| (JSC::StaticCustomAccessor::StaticCustomAccessor): |
| (JSC::StaticCustomAccessor::createStructure): |
| (JSC::StaticCustomAccessor::create): |
| (JSC::StaticCustomAccessor::getOwnPropertySlot): |
| (JSC::functionCreateStaticCustomAccessor): |
| (JSC::JSDollarVM::finishCreation): |
| |
| 2019-09-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number |
| https://bugs.webkit.org/show_bug.cgi?id=202382 |
| <rdar://problem/52669112> |
| |
| Reviewed by Saam Barati. |
| |
| If CompareEq(Untyped, Untyped) finds that it gets proven Boolean and Number types on its arguments, |
| we fold it to constant False. But this is wrong since `false == 0` is true in JS. |
| This patch adds leastUpperBoundOfEquivalentSpeculations, which merges Number, BigInt, and Boolean types |
| if one of them is seen. |
| |
| * bytecode/SpeculatedType.cpp: |
| (JSC::leastUpperBoundOfEquivalentSpeculations): |
| (JSC::valuesCouldBeEqual): |
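Added example, not WebKit/JSC code: a toy model of the CompareEq fold described in the entry above, checked against real JavaScript `==`. The function names echo the entry, but the implementation, the type labels and the sample values are constructed for illustration and only cover the Number, BigInt and Boolean types the entry names (plus null/undefined).

```javascript
// Added example, not WebKit/JSC code. Implementation is invented.

// Number, BigInt and Boolean can compare loosely equal to each other
// (false == 0, 1n == true), so they form one equivalence class.
const EQUIVALENT = ['Number', 'BigInt', 'Boolean'];

// Widen a set of proven types: if any member of the class is present,
// all three are added.
function leastUpperBoundOfEquivalentSpeculations(types) {
  const merged = new Set(types);
  if (EQUIVALENT.some((t) => merged.has(t))) EQUIVALENT.forEach((t) => merged.add(t));
  return merged;
}

// The buggy reasoning: two proven type sets that do not overlap are
// folded to "never equal".
function naiveValuesCouldBeEqual(a, b) {
  for (const t of a) if (b.has(t)) return true;
  return false;
}

// The fixed predicate widens each side to its equivalence class first.
function valuesCouldBeEqual(a, b) {
  return naiveValuesCouldBeEqual(
    leastUpperBoundOfEquivalentSpeculations(a),
    leastUpperBoundOfEquivalentSpeculations(b));
}

// Coarse "proven type" of a runtime value (only the kinds this model covers).
function speculatedType(v) {
  if (v === null || v === undefined) return 'NullOrUndefined';
  switch (typeof v) {
    case 'number': return 'Number';
    case 'bigint': return 'BigInt';
    case 'boolean': return 'Boolean';
    default: throw new Error(`not modelled: ${typeof v}`);
  }
}

// Soundness check: whenever a == b really holds, the predicate must not have
// claimed the values could never be equal. Returns the offending pairs.
function unsoundFolds(samples, predicate) {
  const bad = [];
  for (const a of samples) {
    for (const b of samples) {
      const fold = predicate(new Set([speculatedType(a)]), new Set([speculatedType(b)]));
      if (a == b && !fold) bad.push([a, b]); // loose equality on purpose
    }
  }
  return bad;
}

// Constructed sample values spanning the three merged types plus null/undefined.
const SAMPLES = [0, 1, 2, false, true, 0n, 1n, null, undefined];
```

Running `unsoundFolds(SAMPLES, naiveValuesCouldBeEqual)` lists pairs such as `[false, 0]` and `[1n, true]` that the naive fold wrongly declares unequal, while the widened predicate reports none.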
| |
| 2019-09-28 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [GTK][WPE] Fix non-unified build issue caused by r250440 |
| https://bugs.webkit.org/show_bug.cgi?id=202349 |
| |
| Reviewed by Mark Lam. |
| |
| * dfg/DFGOSRExit.cpp: Add missing inclusion of the BytecodeUseDef.h header. |
| |
| 2019-09-27 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&` |
| https://bugs.webkit.org/show_bug.cgi?id=202330 |
| |
| Reviewed by Saam Barati. |
| |
| In toLocaleLowerCase and toLocaleUpperCase, we get `const String&` from JSString* and use it. |
| But if this string is a newly created one in toLocaleLowerCase and toLocaleUpperCase (like, passing a number, and number.toString() is called |
| in C++), after getting `const String&`, our C++ code potentially does not have any reference to the owner of this `const String&`. So, this |
| JSString* can be collected by GC, while `const String&` is used. This makes `const String&` destroyed, and causes a crash. |
| |
| In this patch, we receive it as `String` instead of `const String&` to ref it. This ensures that this string is live even if the owner is collected. |
| I grepped the source code and made these changes conservatively in places which look dangerous. And I added more error checks after calling `value(exec)`. |
| |
| In this patch, I didn't introduce a change like this: `JSString::value(ExecState*)` returns `String` instead of `const String&`. Some of the places are |
| really performance sensitive and we want to use the current behavior when we can ensure the owners are alive. We could figure out these points, and we |
| can change the default behavior of `JSString::value` function to returning `String`. But for now, I plan it as a future work. |
| |
| * dfg/DFGOperations.cpp: |
| * jsc.cpp: |
| (GlobalObject::moduleLoaderImportModule): |
| * runtime/DateConstructor.cpp: |
| (JSC::constructDate): |
| * runtime/JSCJSValueInlines.h: |
| (JSC::JSValue::equalSlowCaseInline): |
| * runtime/RegExpMatchesArray.h: |
| (JSC::createRegExpMatchesArray): |
| * runtime/StringPrototype.cpp: |
| (JSC::toLocaleCase): |
| (JSC::stringProtoFuncToLocaleLowerCase): |
| (JSC::stringProtoFuncToLocaleUpperCase): |
| * tools/JSDollarVM.cpp: |
| (JSC::functionCreateBuiltin): |
| |
| 2019-09-27 Keith Miller <keith_miller@apple.com> |
| |
| OSR exit shouldn't bother updating get_by_id array profiles that have changed modes |
| https://bugs.webkit.org/show_bug.cgi?id=202324 |
| <rdar://problem/52669110> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This is an optimization that avoids polluting the array profile. |
| |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::executeOSRExit): |
| (JSC::DFG::OSRExit::compileExit): |
| |
| 2019-09-27 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Non-standard Error properties should not be enumerable |
| https://bugs.webkit.org/show_bug.cgi?id=198975 |
| |
| Reviewed by Ross Kirsling. |
| |
| Define non-standard Error properties "line", "column", and "sourceURL" as non-enumerable to match other engines. |
| |
| * runtime/ErrorInstance.cpp: |
| (JSC::ErrorInstance::materializeErrorInfoIfNeeded): |
| |
| 2019-09-26 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs |
| https://bugs.webkit.org/show_bug.cgi?id=202299 |
| <rdar://problem/52669116> |
| |
| Reviewed by Saam Barati. |
| |
| When converting a recursive-tail-call to a jump to the upper call frame, we picked the call-frame which is spread by LoadVarargs. |
| This is wrong since this call-frame does not know the exact number of arguments. We are using InlineCallFrame::argumentCountIncludingThis, |
| but this is the maximal argumentCountIncludingThis when InlineCallFrame is a Varargs call-frame. Let's look at a simple example. |
| |
| 'use strict'; |
| var count = 0; |
| function foo() { |
|     count--; |
|     if (count === 0) |
|         return 30; |
|     return foo(42, 42); // HERE |
| } |
| |
| function test() { |
|     count = 100; |
|     return foo(...[42, 42]); // THERE |
| } |
| noInline(test); |
| |
| In the above case, currently, we convert HERE's foo call to the jump to the prologue of the foo function inlined by "test". But since foo is called |
| in a varargs form, "test" emits LoadVarargs, and it also emits `SetArgumentMaybe` for 1st and 2nd arguments. Since HERE's foo call is actually passing |
| two arguments, we emit a Phi node whose Upsilons come from SetArgumentMaybe and the 42 Constant. This is wrong since SetArgumentMaybe should not be used. Later, |
| the SSA conversion phase emits an Upsilon with SetArgumentMaybe, and since SetArgumentMaybe is simply removed in the SSA conversion phase, it ends up emitting |
| an Upsilon without a child. |
| |
| We are currently only performing recursive-tail-call optimization when the argument count matches. Given this condition, we should not pick a varargs CallFrame |
| as a jump target. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): |
| * dfg/DFGSSAConversionPhase.cpp: |
| (JSC::DFG::SSAConversionPhase::run): |
| |
| 2019-09-26 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| toExponential, toFixed, and toPrecision should allow arguments up to 100 |
| https://bugs.webkit.org/show_bug.cgi?id=199163 |
| |
| Reviewed by Ross Kirsling. |
| |
| Previously, the spec gave a fixed range of [0,20] for the Number.prototype.{toExponential,toFixed} argument and |
| a range of [1,21] for the Number.prototype.toPrecision argument, but allowed implementations to permit a larger range. |
| Historically, only SpiderMonkey accepted a larger range, and other implementations threw a RangeError outside the range. |
| Later the spec was changed (see https://github.com/tc39/ecma262/pull/857) to specify the SpiderMonkey behavior. |
| |
| * runtime/NumberPrototype.cpp: |
| (JSC::numberProtoFuncToExponential): Accept arguments between 0 and 100. |
| (JSC::numberProtoFuncToFixed): Accept arguments between 0 and 100. |
| (JSC::numberProtoFuncToPrecision): Accept arguments between 1 and 100. |
| (JSC::getIntegerArgumentInRange): Inline to improve readability. |
| |
| 2019-09-26 Mark Lam <mark.lam@apple.com> |
| |
| We need to initialize the Gigacage first in setJITEnabled() when disabling the JIT. |
| https://bugs.webkit.org/show_bug.cgi?id=202257 |
| |
| Reviewed by Saam Barati. |
| |
| Because of an OS quirk, even after the JIT region has been unmapped, the OS thinks |
| that region is reserved, and as such, can cause Gigacage allocation to fail. We |
| work around this by initializing the Gigacage first. |
| |
| Note: when called, setJITEnabled() is always called extra early in the process |
| bootstrap. Under normal operation (when setJITEnabled() isn't called at all), we |
| will naturally initialize the Gigacage before we allocate the JIT region. |
| Hence, this workaround is merely ensuring the same behavior of allocation ordering. |
| |
| This patch only applies to iOS. |
| |
| * jit/ExecutableAllocator.cpp: |
| (JSC::ExecutableAllocator::setJITEnabled): |
| |
| 2019-09-25 Guillaume Emont <guijemont@igalia.com> |
| |
| testapi: slow devices need more time before watchdog fires |
| https://bugs.webkit.org/show_bug.cgi?id=202149 |
| |
| Reviewed by Mark Lam. |
| |
| In testExecutionTimeLimit(), the time that we leave for the watchdog |
| to fire is often not enough on (slower) arm and mips devices, creating |
| a testapi failure. |
| This change also skips FTL-specific testing when FTL is disabled. |
| |
| * API/tests/ExecutionTimeLimitTest.cpp: |
| (testExecutionTimeLimit): |
| |
| 2019-09-24 Christopher Reid <chris.reid@sony.com> |
| |
| [WinCairo] Start RemoteInspectorServer |
| https://bugs.webkit.org/show_bug.cgi?id=199938 |
| <rdar://problem/53323048> |
| |
| Reviewed by Fujii Hironori. |
| |
| * inspector/remote/socket/RemoteInspectorSocket.cpp: |
| * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp: |
| - Fixed some network byte order issues |
| - Need to check for POLLHUP in isReadable as closed windows sockets don't have POLLIN set |
| |
| 2019-09-24 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the result of the trap is undefined |
| https://bugs.webkit.org/show_bug.cgi?id=154376 |
| |
| Reviewed by Ross Kirsling. |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::performInternalMethodGetOwnProperty): Remove resolved FIXME comments. |
| |
| 2019-09-24 Alexey Proskuryakov <ap@apple.com> |
| |
| JavaScriptCore (still) doesn't unlock the engineering keychain |
| https://bugs.webkit.org/show_bug.cgi?id=202123 |
| |
| Reviewed by Dan Bernstein. |
| |
| Unlike WebKit, JavaScriptCore only defines CODE_SIGN_IDENTITY in ToolExecutable |
| configuration, not in DebugRelease. As a result, it's not defined when running |
| the script for Unlock Keychain phase. |
| |
| Fix this by moving CODE_SIGN_IDENTITY to DebugRelease configuration, matching |
| WebKit. As a result, we are now using consistent signing options in all targets. |
| |
| * Configurations/DebugRelease.xcconfig: |
| * Configurations/ToolExecutable.xcconfig: |
| When moving, removed a special case for Production, as that's never used with |
| DebugRelease (also, the Profile case was incorrect). |
| |
| 2019-09-24 Caio Lima <ticaiolima@gmail.com> |
| |
| [BigInt] Add ValueBitRShift into DFG |
| https://bugs.webkit.org/show_bug.cgi?id=192663 |
| |
| Reviewed by Robin Morisset. |
| |
| We are introducing a new node called ValueBitRShift that is |
| responsible for handling speculation of `UntypedUse` and `BigIntUse` during |
| DFG. Following the approach of other bitwise operations, we |
| now have 2 nodes to handle the ">>" operator during JIT, mainly because |
| of the introduction of BigInt, which makes this operator's result either |
| Int32 or BigInt. We renamed `BitRShift` to `ArithBitRShift`, and that |
| node handles Integer and Number speculation and can only return |
| Int32 values. |
| |
| * bytecode/BytecodeList.rb: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| * bytecode/Opcode.h: |
| |
| Adding ValueProfile support to `op_rshift`, to be used during |
| prediction propagation. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantBinaryBitwiseOp): |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| |
| Adding support to still do constant propagation of ValueBitRShift when |
| it is `UntypedUse`. |
| |
| * dfg/DFGBackwardsPropagationPhase.cpp: |
| (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo): |
| (JSC::DFG::BackwardsPropagationPhase::propagate): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| |
| `ValueBitRShift` can trigger GC when it is `BigIntUse` because the |
| operation `JSBigInt::signedRightShift` potentially allocates new |
| JSBigInts. It also can trigger GC when it is `UntypedUse` because it |
| can execute arbitrary code. |
| |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| |
| The fixup rule of `ValueBitRShift` checks if it should fixup for |
| `BigIntUse` or `UntypedUse`. If those checks fail, we fall back to |
| `ArithBitRShift`. |
| |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::hasNumericResult): |
| (JSC::DFG::Node::hasHeapPrediction): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| |
| We are using the same rule used by `ValueBitLShift` to propagate |
| types. We try to propagate the type based on the operation's input, but |
| fall back to `getHeapPrediction()` if this is not possible. |
| |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp): |
| (JSC::DFG::SpeculativeJIT::compileValueBitRShift): |
| (JSC::DFG::SpeculativeJIT::compileShiftOp): |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::shiftOp): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStrengthReductionPhase.cpp: |
| (JSC::DFG::StrengthReductionPhase::handleNode): |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithBitRShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileBitRShift): Deleted. |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| |
| 2019-09-24 Mark Lam <mark.lam@apple.com> |
| |
| Refactor cellSize() out of VMInspector::verifyCellSize(). |
| https://bugs.webkit.org/show_bug.cgi?id=202132 |
| |
| Reviewed by Saam Barati. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * runtime/CellSize.h: Added. |
| (JSC::isDynamicallySizedType): |
| (JSC::cellSize): |
| * runtime/DirectArguments.h: |
| * runtime/JSBigInt.h: |
| * runtime/JSModuleNamespaceObject.h: |
| * runtime/JSType.h: |
| (JSC::isDynamicallySizedType): Deleted. |
| * tools/VMInspectorInlines.h: |
| (JSC::VMInspector::verifyCellSize): |
| |
| 2019-09-23 Mark Lam <mark.lam@apple.com> |
| |
| Introducing Integrity audit functions. |
| https://bugs.webkit.org/show_bug.cgi?id=202085 |
| |
| Reviewed by Saam Barati. |
| |
| This patch's main goal is to introduce the Integrity audit functions. They can |
| be used wherever we want to audit a cell to probabilistically ensure it is not |
| corrupted. However, to keep this patch small, we will only introduce the audit |
| tool here with one example use in SlotVisitor. We'll follow up later with more |
| patches to deploy this tool throughout the VM. |
| |
| 1. Introduced Integrity audit functions that can be configured at several |
| AuditLevels: |
| None - don't do any audits. |
| Minimal - do a minimal quick audit (minimize perf impact). |
| Full - do a full audit of the many aspects of a cell. |
| Random - randomly do a full audit with a probability dictated by |
| Options::randomIntegrityAuditRate() between 0.0 (never audit) and |
| 1.0 (audit at every chance). |
| |
| The default AuditLevel for Debug builds is Random. |
| The default AuditLevel for Release builds is None. |
| The default Options::randomIntegrityAuditRate() is 0.05. |
| |
| How do full audits work? |
| ======================== |
| The full audit uses the VMInspector::verifyCell() template function to do its |
| job. The reason for keeping this separate is to allow the template function |
| to be used later for debug checks that want to take some custom action on |
| verification failure instead of crashing with a RELEASE_ASSERT. |
| |
| Full audit of a cell pointer includes: |
| a. Verify that a cell designated as a LargeAllocation is in the heap's |
| set of LargeAllocations. |
| |
| b. Verify that a cell not designated as a LargeAllocation is actually in its |
| MarkedBlock's bounds. |
| |
| c. Verify that the cell's container (LargeAllocation / MarkedBlock) actually |
| belongs to the current VM. |
| |
| d. Verify that a cell in a MarkedBlock is properly aligned on the block's |
| allocation unit size. |
| |
| e. If the cell is not an ImmutableButterfly, verify that it is not located in |
| the Gigacage. |
| |
| f. Verify that the cell's JSType matches its StructureBlob's JSType. |
| |
| g. Verify that the cell size as dictated by the cell ClassInfo does not exceed |
| the size of the allocation unit size (as expected by the container |
| MarkedBlock or LargeAllocation). |
| |
| Some cells are dynamically sized (see isDynamicallySizedType()). For these |
| cells, we compute their sizes and verify that the size does not exceed the |
| allocation unit size. Their sizes should also be greater than or equal to the |
| static cell size as dictated by their ClassInfo. |
| |
| h. If a cell has a butterfly, verify that the butterfly is in the JSValue |
| Gigacage. |
| |
| We can add more verifications later, or make some of these more robust, but this |
| is a start for now. |
| |
| How do random audits work? |
| ========================== |
| Random audits are triggered by the m_triggerBits bits in VM::m_integrityRandom. |
| m_triggerBits is a 64-bit bitfield. |
| |
| If Options::randomIntegrityAuditRate() is 0, m_triggerBits will always be 0, |
| and no audits will be done. |
| |
| If Options::randomIntegrityAuditRate() is non-zero, m_triggerBits will be |
| initialized as follows: |
| |
| | 1 reload bit | ... 63 trigger bits ... | |
| |
| The reload bit is always set (more details below). |
| Each of the 63 trigger bits is randomly set depending on whether the following is |
| true for the bit: |
| |
| VM::random() <= Options::randomIntegrityAuditRate() * UINT_MAX |
| |
| When Integrity::auditCell() is called, we take the bottom bit as the trigger |
| bit for the current cell, and shift the rest down by 1. |
| |
| If m_triggerBits is non-null after the shift, the taken trigger bit will dictate |
| whether we do a full audit on the current cell or not. |
| |
| Once the reload bit reaches the bottom, we call a reload function to |
| re-initialize m_triggerBits. The reload function also returns a bool |
| indicating whether to trigger a full audit of the current cell. |
| |
| With this scheme, we only need to call the reload function once every 64 calls |
| to Integrity::auditCell(), and can efficiently determine whether to trigger |
| the audit the other 63 times with the probability specified in |
| Options::randomIntegrityAuditRate(). |
| |
| 2. Embedded the C++ class size of JSCells into their ClassInfo. This is used in |
| the full audits to verify cell sizes. |
| |
| 3. Added isDynamicallySizedType() to check if a JSType has a dynamic size allocation, |
| i.e. the size of instances of this type is not determined by the static C++ |
| size of its class, but rather depends on some runtime variable. |
| |
| 4. Made the VMInspector a friend of several classes so that it can access their |
| private methods and fields. |
| |
| 5. Moved the inline function JSBigInt::allocationSize() from BigInt.cpp to its |
| header file so that we can use it in VMInspector::verifyCellSize(). |
| |
| 6. Gave the JSModuleNamespaceObject() its own JSType so that we can identify it |
| as a dynamically sized object. |
| |
| 7. Increased the randomness of VM::random() (which is implemented with WeakRandom) |
| by re-seeding it with a cryptographically random number each GC. |
| |
| 8. Called Integrity::auditCell() on SlotVisitor::appendJSCellOrAuxiliary()'s cell |
| as an example use of auditCell(). More uses will be added in later patches to |
| follow. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * heap/Heap.cpp: |
| (JSC::Heap::runBeginPhase): |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::appendJSCellOrAuxiliary): |
| * runtime/ClassInfo.h: |
| * runtime/DirectArguments.h: |
| * runtime/JSBigInt.cpp: |
| (JSC::JSBigInt::allocationSize): Deleted. |
| * runtime/JSBigInt.h: |
| (JSC::JSBigInt::allocationSize): |
| * runtime/JSModuleNamespaceObject.h: |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| (JSC::isDynamicallySizedType): |
| * runtime/Options.cpp: |
| (JSC::recomputeDependentOptions): |
| * runtime/OptionsList.h: |
| * runtime/Structure.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| (JSC::VM::random): |
| (JSC::VM::integrityRandom): |
| * tools/Integrity.cpp: Added. |
| (JSC::Integrity::Random::Random): |
| (JSC::Integrity::Random::reloadAndCheckShouldAuditSlow): |
| (JSC::Integrity::auditCellFully): |
| (JSC::Integrity::auditCellMinimallySlow): |
| * tools/Integrity.h: Added. |
| (JSC::Integrity::auditCell): |
| * tools/IntegrityInlines.h: Added. |
| (JSC::Integrity::Random::shouldAudit): |
| (JSC::Integrity::auditCellMinimally): |
| (JSC::Integrity::auditCellRandomly): |
| * tools/VMInspector.h: |
| (JSC::VMInspector::unusedVerifier): |
| (JSC::VMInspector::verifyCellSize): |
| * tools/VMInspectorInlines.h: Added. |
| (JSC::VMInspector::verifyCellSize): |
| (JSC::VMInspector::verifyCell): |
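| |
| The random-audit trigger-bit scheme described above, modelled as an added example that is not JSC's Integrity::Random code: the xorshift generator below stands in for WeakRandom, and the audit rate is passed in rather than read from Options::randomIntegrityAuditRate(). |

```cpp
#include <climits>
#include <cstdint>

// Stand-in for WeakRandom / VM::random() (an assumption, not JSC's generator):
// xorshift64*, returning the high 32 bits, since VM::random() yields a uint32_t.
class StandInRandom {
public:
    explicit StandInRandom(uint64_t seed) : m_state(seed ? seed : 0x9E3779B97F4A7C15ull) { }
    uint32_t next()
    {
        m_state ^= m_state >> 12;
        m_state ^= m_state << 25;
        m_state ^= m_state >> 27;
        return static_cast<uint32_t>((m_state * 0x2545F4914F6CDD1Dull) >> 32);
    }
private:
    uint64_t m_state;
};

// Models the m_triggerBits field of VM::m_integrityRandom: | 1 reload bit | 63 trigger bits |.
class IntegrityRandom {
public:
    static constexpr unsigned numberOfTriggerBits = 63;

    // auditRate plays the role of Options::randomIntegrityAuditRate(): 0.0 never, 1.0 always.
    IntegrityRandom(uint64_t seed, double auditRate)
        : m_random(seed), m_auditRate(auditRate)
    {
        reload();
    }

    // Fast path, as in Integrity::auditCell(): take the bottom bit as this cell's trigger
    // bit and shift the rest down. Only when the reload bit has reached the bottom (the
    // field is 0 after the shift) do we take the slow path.
    bool shouldAudit()
    {
        if (!m_triggerBits)
            return false; // audit rate was 0: no bits were ever set
        bool triggerBit = m_triggerBits & 1;
        m_triggerBits >>= 1;
        if (m_triggerBits)
            return triggerBit;
        // The bit just consumed was the reload bit, not a real decision.
        return reloadAndCheckShouldAuditSlow();
    }

    unsigned reloadCount() const { return m_reloadCount; }

private:
    // One trigger bit: set iff VM::random() <= Options::randomIntegrityAuditRate() * UINT_MAX.
    bool drawTriggerBit()
    {
        return static_cast<double>(m_random.next()) <= m_auditRate * UINT_MAX;
    }

    void reload()
    {
        if (m_auditRate <= 0.0) {
            m_triggerBits = 0; // rate 0: m_triggerBits stays 0 and nothing is ever audited
            return;
        }
        uint64_t bits = 0;
        for (unsigned i = 0; i < numberOfTriggerBits; ++i) {
            if (drawTriggerBit())
                bits |= uint64_t(1) << i;
        }
        m_triggerBits = bits | (uint64_t(1) << numberOfTriggerBits); // reload bit is always set
    }

    // Slow path, reached once every 64 calls: decide the current cell with a fresh
    // draw, then refill the whole field.
    bool reloadAndCheckShouldAuditSlow()
    {
        ++m_reloadCount;
        bool auditThisCell = drawTriggerBit();
        reload();
        return auditThisCell;
    }

    StandInRandom m_random;
    double m_auditRate;
    uint64_t m_triggerBits { 0 };
    unsigned m_reloadCount { 0 };
};

struct AuditStats { unsigned audits; unsigned reloads; };

// Drive `calls` auditCell()-style decisions and report how many audits and reloads happened.
AuditStats simulateAudits(uint64_t seed, double auditRate, unsigned calls)
{
    IntegrityRandom random(seed, auditRate);
    AuditStats stats { 0, 0 };
    for (unsigned i = 0; i < calls; ++i) {
        if (random.shouldAudit())
            ++stats.audits;
    }
    stats.reloads = random.reloadCount();
    return stats;
}
```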
| |
| 2019-09-23 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r250262. |
| https://bugs.webkit.org/show_bug.cgi?id=202126 |
| |
| "Breaks Win64 builds because of MSVC bug" (Requested by mlam|a |
| on #webkit). |
| |
| Reverted changeset: |
| |
| "Reduce the amount of memory needed to store Options." |
| https://bugs.webkit.org/show_bug.cgi?id=202105 |
| https://trac.webkit.org/changeset/250262 |
| |
| 2019-09-23 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Array methods should throw TypeError upon attempting to modify a string |
| https://bugs.webkit.org/show_bug.cgi?id=201910 |
| |
| Reviewed by Keith Miller. |
| |
| We currently allow Array prototype methods to modify strings that they are called upon in certain cases. |
| (In particular, we're inconsistent about permitting writes to the length property.) |
| |
| According to section 22.1.3 of the ES spec, this should result in a TypeError. |
| https://tc39.es/ecma262/#sec-properties-of-the-array-prototype-object |
| (Test262 cases are needed, but the key is that all such methods use Set(..., true) which throws on failure.) |
| |
| * runtime/ArrayPrototype.cpp: |
| (JSC::putLength): |
| (JSC::setLength): |
| Never update the length property of a non-JSArray without checking whether we're actually allowed to. |
| |
| 2019-09-23 Mark Lam <mark.lam@apple.com> |
| |
| Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition. |
| https://bugs.webkit.org/show_bug.cgi?id=202122 |
| <rdar://problem/55535249> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| |
| 2019-09-23 Mark Lam <mark.lam@apple.com> |
| |
| Reduce the amount of memory needed to store Options. |
| https://bugs.webkit.org/show_bug.cgi?id=202105 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The size of the JSC::Config needed to store the Options is now reduced to 4K |
| instead of 16K, enabled by constexpr template magic. |
| |
| 1. Instead of storing all options in a large array of OptionEntry (which is a union of |
| all the option types), we now have separate arrays for each of the types of |
| options. For example, |
| |
| Removed g_jscConfig.options[]. |
| Added g_jscConfig.typeBoolOptions[]. |
| Added g_jscConfig.typeInt32Options[]. |
| Added g_jscConfig.typeDoubleOptions[]. |
| ... |
| |
| We used to find the storage for the option using g_jscConfig.options[Options::ID]. |
| We now find the storage for each type of option using |
| g_jscConfig.options[optionTypeSpecificIndex<OptionTypeID, OptionID>()]. For |
| example, Options::useJIT() used to be implemented as: |
| |
| inline bool& Options::useJIT() |
| { |
| return g_jscConfig.options[Options::useJITID]; |
| } |
| |
| ... which is now replaced with: |
| |
| inline bool& Options::useJIT() |
| { |
| return g_jscConfig.typeBoolOptions[optionTypeSpecificIndex<OptionTypeID::Bool, OptionID::useJIT>()]; |
| } |
| |
| 2. Introduce the optionTypeSpecificIndex() constexpr template function for |
| computing the index of each option in their respective type specific options |
| array. |
| |
| 3. Introduce OptionTypes, OptionTypeID, and OptionID. |
| |
| The OptionTypes namespace replaces OptionEntry as the container of option types. |
| The OptionID enum class replaces Options::ID. |
| The OptionTypeID enum class is new and is used together with OptionID in |
| constexpr templates to compute the typeSpecificIndex of options. |
| |
| 4. Removed the OptionEntry struct and OptionEntry.h. After (1), this struct is |
| only used in the Option class. We just moved the union of option types (that |
| OptionEntry embeds) into the Option class. |
| |
| Moved class OptionRange into OptionsList.h. |
| |
| 5. Removed the large OptionEntry arrays from JSC::Config. |
| Added type specific options arrays. |
| Also ordered these arrays to maximize compactness and minimize internal fragmentation. |
| |
| 6. Changed scaleJITPolicy() to go directly to g_jscConfig.typeInt32Options[] |
| instead of going through the Option wrapper object. This allows us to simplify |
| things and make the Option class a read only interface of options. |
| |
| 7. Changed Options::initialize() to only compute the option default value once. |
| The default value specified in the OptionsList may not always be a constant. |
| Sometimes, it is a function call. |
| |
| 8. The Option class now only gives read only access to the options. |
| |
| The Option class' role is to provide an interface for reading an option at any |
| given OptionID without first knowing about the type of the specific option. |
| It is useful for iterating options, and is currently only used by |
| Options::dumpOption(). |
| |
| Technically, we could merge all the Option class code into its single client. |
| We opted not to do this because the amount of code is non-trivial, and the |
| Option class does a good job of encapsulating this functionality. |
| |
| * API/glib/JSCOptions.cpp: |
| (jscOptionsSetValue): |
| (jscOptionsGetValue): |
| (jsc_options_foreach): |
| (jsc_options_get_option_group): |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * runtime/JSCConfig.h: |
| * runtime/OptionEntry.h: Removed. |
| * runtime/Options.cpp: |
| (JSC::Options::isAvailable): |
| (JSC::overrideOptionWithHeuristic): |
| (JSC::scaleJITPolicy): |
| (JSC::recomputeDependentOptions): |
| (JSC::Options::initialize): |
| (JSC::Options::setOptionWithoutAlias): |
| (JSC::Options::dumpAllOptions): |
| (JSC::Options::dumpOption): |
| (JSC::Option::Option): |
| (JSC::Option::defaultOption const): |
| (JSC::Option::dump const): |
| (JSC::Option::operator== const): |
| * runtime/Options.h: |
| (JSC::Option::id const): |
| (JSC::Option::name const): |
| (JSC::Option::description const): |
| (JSC::Option::type const): |
| (JSC::Option::availability const): |
| (JSC::Option::isOverridden const): |
| (JSC::Option::Option): |
| (JSC::Option::idIndex const): |
| (JSC::Option::defaultOption const): Deleted. |
| (JSC::Option::boolVal): Deleted. |
| (JSC::Option::unsignedVal): Deleted. |
| (JSC::Option::doubleVal): Deleted. |
| (JSC::Option::int32Val): Deleted. |
| (JSC::Option::optionRangeVal): Deleted. |
| (JSC::Option::optionStringVal): Deleted. |
| (JSC::Option::gcLogLevelVal): Deleted. |
| * runtime/OptionsList.h: |
| (JSC::OptionRange::operator= ): |
| (JSC::OptionRange::rangeString const): |
| (JSC::optionTypeSpecificIndex): |
| (JSC::countNumberOfJSCOptionsOfType): |
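| |
| The type-specific index computation from (1)-(3) above, as an added constexpr sketch that is not JSC's OptionsList.h code: useJIT is the option named above, while the other option ids and the three-type option list are constructed for the example. |

```cpp
#include <cstddef>
#include <cstdint>

// Option types and ids for the sketch. useJIT is the option named in the ChangeLog;
// the other ids are constructed for this example and are not real JSC options.
enum class OptionTypeID { Bool, Int32, Double };
enum class OptionID { useJIT, exampleThreshold, exampleRate, exampleFlag, exampleLimit };

struct OptionDescriptor { OptionID id; OptionTypeID type; };

// Stand-in for the option list macro: declaration order decides every index below.
constexpr OptionDescriptor optionsList[] = {
    { OptionID::useJIT, OptionTypeID::Bool },
    { OptionID::exampleThreshold, OptionTypeID::Int32 },
    { OptionID::exampleRate, OptionTypeID::Double },
    { OptionID::exampleFlag, OptionTypeID::Bool },
    { OptionID::exampleLimit, OptionTypeID::Int32 },
};
constexpr size_t numberOfOptions = sizeof(optionsList) / sizeof(optionsList[0]);
constexpr size_t invalidIndex = static_cast<size_t>(-1);

// How many options of one type exist; this sizes that type's array in Config.
template<OptionTypeID type>
constexpr size_t countNumberOfJSCOptionsOfType()
{
    size_t count = 0;
    for (size_t i = 0; i < numberOfOptions; ++i) {
        if (optionsList[i].type == type)
            ++count;
    }
    return count;
}

// Position of `id` within its type's array: the number of same-typed options
// declared before it. invalidIndex means `id` is not an option of `type`.
constexpr size_t typeSpecificIndexOf(OptionTypeID type, OptionID id)
{
    size_t index = 0;
    for (size_t i = 0; i < numberOfOptions; ++i) {
        if (optionsList[i].id == id)
            return optionsList[i].type == type ? index : invalidIndex;
        if (optionsList[i].type == type)
            ++index;
    }
    return invalidIndex;
}

// Compile-time form: asking for an option through the wrong type array is a build error.
template<OptionTypeID type, OptionID id>
constexpr size_t optionTypeSpecificIndex()
{
    static_assert(typeSpecificIndexOf(type, id) != invalidIndex, "option is not of the requested type");
    return typeSpecificIndexOf(type, id);
}

// Old layout: one union slot per option, so every option pays for the widest type.
union OptionEntry {
    bool boolVal;
    int32_t int32Val;
    double doubleVal;
};

// New layout: one packed array per type, widest type first to avoid padding.
struct Config {
    double typeDoubleOptions[countNumberOfJSCOptionsOfType<OptionTypeID::Double>()];
    int32_t typeInt32Options[countNumberOfJSCOptionsOfType<OptionTypeID::Int32>()];
    bool typeBoolOptions[countNumberOfJSCOptionsOfType<OptionTypeID::Bool>()];
};

Config g_jscConfig {};

// Accessors in the post-patch shape: the type array plus the type-specific index.
inline bool& useJIT()
{
    return g_jscConfig.typeBoolOptions[optionTypeSpecificIndex<OptionTypeID::Bool, OptionID::useJIT>()];
}

inline int32_t& exampleLimit()
{
    return g_jscConfig.typeInt32Options[optionTypeSpecificIndex<OptionTypeID::Int32, OptionID::exampleLimit>()];
}

// Writes through the accessors must land in the expected slots of the typed arrays.
bool accessorsHitExpectedSlots()
{
    useJIT() = true;
    exampleLimit() = 42;
    return g_jscConfig.typeBoolOptions[0] && g_jscConfig.typeInt32Options[1] == 42;
}

// The memory win: the per-type layout is smaller than one OptionEntry per option.
constexpr bool perTypeLayoutIsSmaller()
{
    return sizeof(Config) < sizeof(OptionEntry) * numberOfOptions;
}
```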
| |
| 2019-09-23 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Canvas: show WebGPU shader pipelines |
| https://bugs.webkit.org/show_bug.cgi?id=201675 |
| <rdar://problem/55543450> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/Canvas.json: |
| Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the |
| frontend of a new program. |
| |
| 2019-09-23 Zan Dobersek <zdobersek@igalia.com> |
| |
| testmasm: integer operands loaded as unsigned values |
| https://bugs.webkit.org/show_bug.cgi?id=202099 |
| |
| Reviewed by Mark Lam. |
| |
| Suppress GCC warnings about comparing signed and unsigned values in |
| test cases introduced in r247913 by using signed integer types for |
| loading 32-bit and 64-bit integer operand values. |
| |
| * assembler/testmasm.cpp: |
| (JSC::testBranchTestBit32RegReg): |
| (JSC::testBranchTestBit32RegImm): |
| (JSC::testBranchTestBit32AddrImm): |
| (JSC::testBranchTestBit64RegReg): |
| (JSC::testBranchTestBit64RegImm): |
| (JSC::testBranchTestBit64AddrImm): |
| |
| 2019-09-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function |
| https://bugs.webkit.org/show_bug.cgi?id=202072 |
| |
| Reviewed by Mark Lam. |
| |
| Inline doubleToStrictInt52 in FTL since it is a very simple function. |
| This change improves JetStream2/stanford-crypto-sha256 by ~5%. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::doubleToStrictInt52): |
| * ftl/FTLOutput.cpp: |
| (JSC::FTL::Output::doubleToInt64): |
| * ftl/FTLOutput.h: |
| |
| 2019-09-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, follow-up change after r250198 |
| https://bugs.webkit.org/show_bug.cgi?id=201633 |
| |
| * b3/testb3_5.cpp: |
| (testCheckAddRemoveCheckWithSExt16): |
| |
| 2019-09-21 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove CheckAdd in JetStream2/async-fs's Math.random function |
| https://bugs.webkit.org/show_bug.cgi?id=201633 |
| |
| Reviewed by Mark Lam. |
| |
| Int52Rep is used in DFG and FTL to calculate Int52 things faster. This is typically used when user code sees a uint32_t type. |
| In JS, we handle Int32 well, but if the value exceeds the Int32 range (like, using 0xffffffff), we use Int52 instead so as not to fall back to Double. |
| |
| The problem is that we do not have optimizations for Int52's overflow checks. This emits many ArithAdd(Int52Rep x 2, CheckOverflow). Each |
| of them emits an OSR exit, which prevents dead-store-elimination in B3, and makes ValueToInt32(Int52) alive if it is referenced from some variable which |
| can be seen if the OSR exit occurs. |
| |
| In this patch, we perform strength-reduction for CheckAdd, converting it to Add. We already have such a thing. But the existing one does not handle well the instructions |
| emitted when Int52 is used. |
| |
| When Int52 is used, we typically have a sequence like: |
| |
| Int64 @78 = SExt32(@73, DFG:@67<Int52>) // Widen Int32 to Int64 |
| Int64 @81 = Shl(@78, $12(@80), DFG:@162<Int52>) // Convert Int32 to Int52 |
| |
| While we have Shl handling for integer-range optimization in B3ReduceStrength, we lack handling of SExt32 while it is very easy. |
| This patch adds SExt8, SExt16, SExt32, and ZExt32 handling to B3ReduceStrength's integer range analysis. |
| This converts many CheckAdd in JetStream2/async-fs's hot function to simple Add, and removes a bunch of unnecessary instructions which exist because of this OSR exit. |
| We can see ~5% improvement in JetStream2/async-fs. |
| |
| * b3/B3ReduceStrength.cpp: |
| * b3/testb3.h: |
| (int16Operands): |
| (int8Operands): |
| * b3/testb3_1.cpp: |
| (run): |
| * b3/testb3_5.cpp: |
| (testCheckAddRemoveCheckWithSExt8): |
| (testCheckAddRemoveCheckWithSExt16): |
| (testCheckAddRemoveCheckWithSExt32): |
| (testCheckAddRemoveCheckWithZExt32): |
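| |
| The integer range analysis described above, sketched as an added example that is not B3ReduceStrength's code: it follows the Int32 -> SExt32 -> Shl 12 sequence quoted in the entry and checks whether a CheckAdd of two such Int52 values can become a plain Add, with and without SExt32 handling. |

```cpp
#include <cstdint>

// Closed interval [min, max] of Int64 values: this sketch's stand-in for the
// range lattice in B3ReduceStrength (an added example, not B3's own code).
struct IntRange { int64_t min; int64_t max; };

constexpr IntRange fullInt64 { INT64_MIN, INT64_MAX };
constexpr IntRange fullInt32 { INT32_MIN, INT32_MAX };

constexpr bool sameRange(IntRange a, IntRange b) { return a.min == b.min && a.max == b.max; }

// SExtN (N = 8, 16, 32): the result always lies in the signed N-bit range, and an
// input range already inside it passes through unchanged.
constexpr IntRange rangeOfSExt(IntRange input, unsigned bits)
{
    const int64_t lo = -(int64_t(1) << (bits - 1));
    const int64_t hi = (int64_t(1) << (bits - 1)) - 1;
    if (input.min >= lo && input.max <= hi)
        return input;
    return { lo, hi };
}

// ZExt32: a non-negative Int32 range passes through; anything else is [0, 2^32 - 1].
constexpr IntRange rangeOfZExt32(IntRange input)
{
    if (input.min >= 0 && input.max <= INT32_MAX)
        return input;
    return { 0, int64_t(UINT32_MAX) };
}

// Shl by a constant: scale both bounds when neither would leave Int64, otherwise
// give up and report the full range (multiplying avoids shifting negatives).
constexpr IntRange rangeOfShl(IntRange input, unsigned shift)
{
    const int64_t scale = int64_t(1) << shift;
    if (input.min >= INT64_MIN / scale && input.max <= INT64_MAX / scale)
        return { input.min * scale, input.max * scale };
    return fullInt64;
}

// Whether a + b can overflow Int64 for some a and b drawn from the two ranges.
constexpr bool addCanOverflow(IntRange a, IntRange b)
{
    const bool high = b.max > 0 && a.max > INT64_MAX - b.max;
    const bool low = b.min < 0 && a.min < INT64_MIN - b.min;
    return high || low;
}

// The sequence quoted above: Int32 -> SExt32 -> Shl 12 is how an Int52 is built.
constexpr IntRange int52FromInt32Range()
{
    return rangeOfShl(rangeOfSExt(fullInt32, 32), 12);
}

// With SExt32 understood, CheckAdd(Int52, Int52) provably cannot overflow, so it
// can be strength-reduced to a plain Add and its OSR exit disappears.
constexpr bool checkAddOfTwoInt52sIsRemovable()
{
    return !addCanOverflow(int52FromInt32Range(), int52FromInt32Range());
}

// Without SExt32 handling the analysis sees an unknown Int64, Shl gives up,
// and the CheckAdd has to stay.
constexpr bool checkAddRemovableWithoutSExt32Handling()
{
    const IntRange unknown = rangeOfShl(fullInt64, 12);
    return !addCanOverflow(unknown, unknown);
}
```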
| |
| 2019-09-21 Mark Lam <mark.lam@apple.com> |
| |
| Move JSLexicalEnvironment, DirectArguments, and ScopedArguments cells out of the Gigacage. |
| https://bugs.webkit.org/show_bug.cgi?id=202082 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| They are not being caged anyway. |
| |
| * runtime/DirectArguments.h: |
| * runtime/JSLexicalEnvironment.h: |
| (JSC::JSLexicalEnvironment::subspaceFor): |
| * runtime/ScopedArguments.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| |
| 2019-09-21 Tadeu Zagallo <tzagallo@apple.com> |
| |
| AccessCase should strongly visit its dependencies while on stack |
| https://bugs.webkit.org/show_bug.cgi?id=201986 |
| <rdar://problem/55521953> |
| |
| Reviewed by Saam Barati and Yusuke Suzuki. |
| |
| AccessCase::doesCalls is responsible for specifying the cells it depends on, so that |
| MarkingGCAwareJITStubRoutine can strongly visit them while the stub is on stack. However, |
| it was missing most of its dependencies, which led to it being collected while on stack. |
| This manifested in the flaky test stress/ftl-put-by-id-setter-exception-interesting-live-state.js |
| as the PolymorphicAccess being collected and removing its exception handler from the code |
| block, which led to the exception propagating past the try/catch. |
| |
| In order to fix this, we abstract the dependency gathering logic from AccessCase into |
| forEachDependentCell and use it to implement visitWeak as well as doesCalls in order to |
| guarantee that their implementation is consistent. |
| |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::forEachDependentCell const): |
| (JSC::AccessCase::doesCalls const): |
| (JSC::AccessCase::visitWeak const): |
| * bytecode/AccessCase.h: |
| * bytecode/CallLinkInfo.cpp: |
| (JSC::CallLinkInfo::lastSeenCallee const): |
| (JSC::CallLinkInfo::haveLastSeenCallee const): |
| (JSC::CallLinkInfo::lastSeenCallee): Deleted. |
| (JSC::CallLinkInfo::haveLastSeenCallee): Deleted. |
| * bytecode/CallLinkInfo.h: |
| (JSC::CallLinkInfo::isDirect const): |
| (JSC::CallLinkInfo::isLinked const): |
| (JSC::CallLinkInfo::stub const): |
| (JSC::CallLinkInfo::forEachDependentCell const): |
| (JSC::CallLinkInfo::isLinked): Deleted. |
| (JSC::CallLinkInfo::stub): Deleted. |
| * bytecode/ObjectPropertyCondition.cpp: |
| (JSC::ObjectPropertyCondition::isStillLive const): |
| * bytecode/ObjectPropertyCondition.h: |
| (JSC::ObjectPropertyCondition::forEachDependentCell const): |
| * bytecode/ObjectPropertyConditionSet.cpp: |
| (JSC::ObjectPropertyConditionSet::areStillLive const): |
| * bytecode/ObjectPropertyConditionSet.h: |
| (JSC::ObjectPropertyConditionSet::forEachDependentCell const): |
| * bytecode/PropertyCondition.cpp: |
| (JSC::PropertyCondition::isStillLive const): |
| * bytecode/PropertyCondition.h: |
| (JSC::PropertyCondition::forEachDependentCell const): |
| * jit/PolymorphicCallStubRoutine.cpp: |
| (JSC::PolymorphicCallStubRoutine::visitWeak): |
| * jit/PolymorphicCallStubRoutine.h: |
| (JSC::PolymorphicCallStubRoutine::forEachDependentCell): |
| |
| 2019-09-21 David Kilzer <ddkilzer@apple.com> |
| |
| clang-tidy: Fix unnecessary copy/ref churn of for loop variables in WTF/JavaScriptCore |
| <https://webkit.org/b/202069> |
| |
| Reviewed by Mark Lam. |
| |
| Fix unwanted copying/ref churn of loop variables by making them |
| const references. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::setConstantIdentifierSetRegisters): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| * inspector/agents/InspectorAgent.cpp: |
| (Inspector::InspectorAgent::activateExtraDomains): |
| * inspector/remote/cocoa/RemoteInspectorCocoa.mm: |
| (Inspector::RemoteInspector::stopInternal): |
| (Inspector::RemoteInspector::xpcConnectionFailed): |
| (Inspector::RemoteInspector::pushListingsNow): |
| * parser/Parser.h: |
| (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates): |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::performGetOwnPropertyNames): |
| * runtime/SamplingProfiler.cpp: |
| (JSC::SamplingProfiler::registerForReportAtExit): |
| (JSC::SamplingProfiler::reportTopFunctions): |
| (JSC::SamplingProfiler::reportTopBytecodes): |
| * runtime/TypeSet.cpp: |
| (JSC::StructureShape::inspectorRepresentation): |
| (JSC::StructureShape::merge): |
| |
| 2019-09-20 Keith Miller <keith_miller@apple.com> |
| |
| eliding a move in Air O0 needs to mark the dest's old reg as available |
| https://bugs.webkit.org/show_bug.cgi?id=202066 |
| |
| Reviewed by Saam Barati. |
| |
| Also adds a new release method that handles all the invariants of |
| returning a register to the available register pool. |
| |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: |
| (JSC::B3::Air::GenerateAndAllocateRegisters::release): |
| (JSC::B3::Air::GenerateAndAllocateRegisters::spill): |
| (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded): |
| (JSC::B3::Air::GenerateAndAllocateRegisters::generate): |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: |
| |
| 2019-09-20 Mark Lam <mark.lam@apple.com> |
| |
| Harden assertion in StructureIDTable::get(). |
| https://bugs.webkit.org/show_bug.cgi?id=202067 |
| <rdar://problem/55577923> |
| |
| Reviewed by Keith Miller. |
| |
| * runtime/StructureIDTable.h: |
| (JSC::StructureIDTable::get): |
| |
| 2019-09-20 Truitt Savell <tsavell@apple.com> |
| |
| Unreviewed, rolling out r250114. |
| |
| Broke ~16 webgpu/ tests on Mojave wk2 |
| |
| Reverted changeset: |
| |
| "Web Inspector: Canvas: show WebGPU shader pipelines" |
| https://bugs.webkit.org/show_bug.cgi?id=201675 |
| https://trac.webkit.org/changeset/250114 |
| |
| 2019-09-20 Paulo Matos <pmatos@igalia.com> |
| |
| Implement memory monitoring functions for Linux OS |
| https://bugs.webkit.org/show_bug.cgi?id=200391 |
| |
| Reviewed by Žan Doberšek. |
| |
| * jsc.cpp: |
| |
| 2019-09-20 Devin Rousso <drousso@apple.com> |
| |
| ASSERT NOT REACHED in Inspector::InjectedScriptModule::ensureInjected() seen with inspector/heap/getRemoteObject.html |
| https://bugs.webkit.org/show_bug.cgi?id=201713 |
| <rdar://problem/55290349> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Expose the `Exception` object by leveraging an `Expected` of `JSValue` as the return value |
| instead of using a referenced `bool` (which wouldn't include any of the exception's info). |
| |
| * bindings/ScriptFunctionCall.h: |
| * bindings/ScriptFunctionCall.cpp: |
| (Deprecated::ScriptFunctionCall::call): |
| |
| * inspector/InjectedScript.cpp: |
| (Inspector::InjectedScript::wrapCallFrames const): |
| (Inspector::InjectedScript::wrapObject const): |
| (Inspector::InjectedScript::wrapJSONString const): |
| (Inspector::InjectedScript::wrapTable const): |
| (Inspector::InjectedScript::previewValue const): |
| (Inspector::InjectedScript::findObjectById const): |
| (Inspector::InjectedScript::releaseObjectGroup): |
| |
| * inspector/InjectedScriptBase.h: |
| * inspector/InjectedScriptBase.cpp: |
| (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled const): |
| (Inspector::InjectedScriptBase::makeCall): |
| (Inspector::InjectedScriptBase::makeAsyncCall): |
| |
| * inspector/InjectedScriptManager.h: |
| * inspector/InjectedScriptManager.cpp: |
| (Inspector::InjectedScriptManager::createInjectedScript): |
| (Inspector::InjectedScriptManager::injectedScriptFor): |
| |
| * inspector/InjectedScriptModule.cpp: |
| (Inspector::InjectedScriptModule::ensureInjected): |
| |
| 2019-09-19 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable |
| https://bugs.webkit.org/show_bug.cgi?id=202014 |
| |
| Reviewed by Saam Barati. |
| |
| Let's look into the bytecode generated by the test. |
| |
| [ 0] enter |
| [ 1] get_scope loc4 |
| [ 3] mov loc5, loc4 |
| [ 6] check_traps |
| [ 7] mov loc6, callee |
| [ 10] create_direct_arguments loc7 |
| [ 12] to_this this |
| [ 15] mov loc8, loc7 |
| [ 18] mov loc9, loc6 |
| [ 21] mov loc12, Undefined(const0) |
| [ 24] get_by_id loc11, loc6, 0 |
| [ 29] jneq_ptr loc11, ApplyFunction, 18(->47) |
| [ 34] mov loc11, loc6 |
| [ 37] call_varargs loc11, loc11, this, loc8, loc13, 0 |
| [ 45] jmp 17(->62) |
| [ 47] mov loc16, loc6 |
| [ 50] mov loc15, this |
| [ 53] mov loc14, loc8 |
| [ 56] call loc11, loc11, 3, 22 |
| ... |
| |
| call_varargs uses loc13 as firstFreeReg (first usable bottom register in the current stack-frame to spread variadic arguments after this). |
| This is correct. And call_varargs uses |this| as this argument for the call_varargs. This |this| argument is not in a region starting from loc13. |
| And it is not in the previous place to loc13 (|this| is not loc12). |
| |
| On the other hand, DFG::ByteCodeParser's inlining path is always assuming that the previous to firstFreeReg is usable and part of arguments. |
| But this is wrong. loc12 in the above bytecode is used for `[ 56] call loc11, loc11, 3, 22`'s argument later, and this call assumes |
| that loc12 is not clobbered by call_varargs. But DFG and FTL clobber it. |
| |
| The test is recursively calling the same function, and we inline the same function one level. And a stack-overflow error happens when the inlined |
| CallForwardVarargs (from op_call_varargs) is called. FTL recovers the frames, and at this point, the outer function's loc12 is recovered to garbage since |
| LoadVarargs clobbers it. And we eventually use it and crash. |
| |
| 60:<!0:-> LoadVarargs(Check:Untyped:Kill:@30, MustGen, start = loc13, count = loc15, machineStart = loc7, machineCount = loc9, offset = 0, mandatoryMinimum = 0, limit = 2, R:World, W:Stack(-16),Stack(-14),Stack(-13),Heap, Exits, ClobbersExit, bc#37, ExitValid) |
| |
| This LoadVarargs clobbers loc12, loc13, and loc15 while loc12 is used. |
| |
| In all the tiers, op_call_varargs first allocates a region large enough to hold varargs including |this|. And we store the |this| value to a correct place. |
| DFG should not assume that the previous register to firstFreeReg is used for |this|. |
| |
| This patch fixes DFG::ByteCodeParser's stack region calculation for op_call_varargs inlining. And we rename maxNumArguments to maxArgumentCountIncludingThis to |
| represent that `maxArgumentCountIncludingThis` includes |this| count. |
| |
| * bytecode/CallLinkInfo.cpp: |
| (JSC::CallLinkInfo::setMaxArgumentCountIncludingThis): |
| (JSC::CallLinkInfo::setMaxNumArguments): Deleted. |
| * bytecode/CallLinkInfo.h: |
| (JSC::CallLinkInfo::addressOfMaxArgumentCountIncludingThis): |
| (JSC::CallLinkInfo::maxArgumentCountIncludingThis): |
| (JSC::CallLinkInfo::addressOfMaxNumArguments): Deleted. |
| (JSC::CallLinkInfo::maxNumArguments): Deleted. |
| * bytecode/CallLinkStatus.cpp: |
| (JSC::CallLinkStatus::computeFor): |
| (JSC::CallLinkStatus::dump const): |
| * bytecode/CallLinkStatus.h: |
| (JSC::CallLinkStatus::maxArgumentCountIncludingThis const): |
| (JSC::CallLinkStatus::maxNumArguments const): Deleted. |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleVarargsInlining): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): |
| * jit/JITCall.cpp: |
| (JSC::JIT::compileSetupFrame): |
| * jit/JITCall32_64.cpp: |
| (JSC::JIT::compileSetupFrame): |
| * jit/JITOperations.cpp: |
| |
| 2019-09-19 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Canvas: show WebGPU shader pipelines |
| https://bugs.webkit.org/show_bug.cgi?id=201675 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/Canvas.json: |
| Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the |
| frontend of a new program. |
| |
| 2019-09-19 Mark Lam <mark.lam@apple.com> |
| |
| Rename VMInspector::m_list to m_vmList. |
| https://bugs.webkit.org/show_bug.cgi?id=202015 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| m_vmList is more descriptive, and this rename helps grep-ability by disambiguating |
| it from other m_lists in the code base. |
| |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::add): |
| (JSC::VMInspector::remove): |
| * tools/VMInspector.h: |
| (JSC::VMInspector::iterate): |
| |
| 2019-09-19 Mark Lam <mark.lam@apple.com> |
| |
| Reduce the number of required tag bits for the JSValue. |
| https://bugs.webkit.org/show_bug.cgi?id=201990 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We're reducing the number of tag bits to 15. It should just work. |
| |
| How did we arrive at 15 bits? |
| ============================ |
| Currently, the minimum number of top bits used by doubles is 13 bits. The |
| highest double bit encodings are: |
| |
| "negative" pureNaN: starts with 0xfff8 |
| negative infinity: starts with 0xfff0 |
| highest number: starts with 0xffe* |
| lowest number: starts with 0x0000 |
| |
| Requirements: |
| 1. We need tags for 2 ranges of numbers: pointers (all 0s at the top), and ints |
| (all 1s at the top). |
| |
| 2. We want to be able to add an offset to double bits and ensure that they never |
| end up in the ranges for pointers and ints. |
| |
| 3. The int tag must be higher than whatever value is produced in the top bits |
| when boxing a double. We have code that relies on this relationship being |
| true and checks if a JSValue is an int by checking if the tag bits are above |
| or equal to the int tag. |
| |
| 4. We don't want to burn more than 2 CPU registers for tag / mask registers. |
| |
| Based on the bit encoding of doubles, the full number range of the top 13 bits |
| is used in valid double numbers. This means the minimum tag bits must be greater |
| than 13. |
| |
| Consider a 14-bit tag. The DoubleEncodeOffset will be 1 << 50 i.e. starts with |
| 0x0004. With this encoding, |
| "negative" pureNaN: maps to 0xfff8 + 0x0004 => 0xfffc |
| |
| i.e. the top 14 bits are all set. This conflicts with the int number range. |
| |
| Next, consider a 15-bit tag. The DoubleEncodeOffset will be 1 << 49 i.e. starts |
| with 0x0002. With this encoding: |
| "negative" pureNaN: maps to 0xfff8 + 0x0002 => 0xfffa |
| negative infinity: maps to 0xfff0 + 0x0002 => 0xfff2 |
| |
| i.e. 0xfffe (top 5 bits set) is available to represent ints. This is the encoding |
| that we'll adopt in this patch. |
| |
| Alternate encoding schemes to consider in the future: |
| ===================================================== |
| 1. If we're willing and able to purifyNaN at all the places that can produce a |
| "negative" pureNaN, e.g. after a division, then we can remove the "negative" |
| pureNaN as a valid double bit encoding. With this, we can now box doubles |
| with just a 14-bit tag, and DoubleEncodeOffset will be 1 << 50 i.e. starts with |
| 0x0004. |
| |
| With this encoding, the top double, negative infinity, is encoded as follows: |
| |
| negative infinity: maps to 0xfff0 + 0x0004 => 0xfff4 |
| |
| i.e. leaving 0xfffc as the tag for ints. |
| |
| We didn't adopt this scheme at this time because it adds complexity, and may |
| have performance impact from the extra purifyNaN checks. |
| |
| Ref: https://bugs.webkit.org/show_bug.cgi?id=202002 |
| |
| 2. If we're willing to use 3 tag registers or always materialize one of them, we |
| can also adopt a 14-bit tag as follows: |
| |
| Pointer { 0000:PPPP:PPPP:PPPP |
| / 0002:****:****:**** |
| Double { ... |
| \ FFFC:****:****:**** |
| Integer { FFFF:0000:IIII:IIII |
| |
| where ... |
| NumberMask is 0xfffc: any bit set in the top 14 bits means the value is a number. |
| IntMask is 0xffff: value is int if value & IntMask == IntMask. |
| NotCellMask is NumberMask | OtherTag. |
| |
| Since the highest double is "negative" pureNaN i.e. starts with 0xfff8, adding |
| a DoubleEncodeOffset of 1<<50 (starts with 0x0004) produces 0xfffc which is |
| still less than 0xffff. |
| |
| We didn't adopt this scheme at this time because it adds complexity and may |
| have a performance impact from either burning another register, or materializing |
| the 3rd mask. |
| |
| Ref: https://bugs.webkit.org/show_bug.cgi?id=202005 |
| |
| * runtime/JSCJSValue.h: |
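| Added example (not JSC's own code): a C model of the 15-bit tag scheme described in this entry, using the constants it gives (15 tag bits, DoubleEncodeOffset = 1 << 49, int tag 0xfffe) and assuming OtherTag = 0x2 for the misc tag. tagSchemeIsSound() replays the entry's collision argument for 13-, 14-, 15- and 16-bit tags. |

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 15-bit tag scheme as the entry describes it: the int tag has the top 15 bits
 * set (0xfffe...), doubles are boxed by adding 1 << 49 (starts with 0x0002),
 * and pointers have all 0s at the top. */
enum { DoubleEncodeOffsetBit = 49 };
#define DoubleEncodeOffset ((uint64_t)1 << DoubleEncodeOffsetBit)
#define NumberTag   0xfffe000000000000ULL
#define OtherTag    0x2ULL                  /* assumed value for the misc tag */
#define NotCellMask (NumberTag | OtherTag)  /* anything set here is not a cell */

/* Ints carry the NumberTag over a 32-bit payload. */
static uint64_t boxInt32(int32_t i) { return NumberTag | (uint64_t)(uint32_t)i; }

/* Doubles are boxed by adding the offset to the raw IEEE-754 bits. */
static uint64_t boxDouble(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return bits + DoubleEncodeOffset;
}

static double unboxDouble(uint64_t v)
{
    uint64_t bits = v - DoubleEncodeOffset;
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

/* Requirement 3 from the entry: a value is an int iff its tag bits are all set,
 * which is why the int tag must sit above every boxed-double top pattern. */
static bool isInt32(uint64_t v)  { return (v & NumberTag) == NumberTag; }
static bool isNumber(uint64_t v) { return (v & NumberTag) != 0; }
static bool isDouble(uint64_t v) { return isNumber(v) && !isInt32(v); }
static bool isCell(uint64_t v)   { return (v & NotCellMask) == 0; }

/* Replay the entry's argument for a candidate tag width: each extreme double
 * bit pattern, offset by 1 << (64 - tagBits), must land neither in the pointer
 * range (top tagBits all zero) nor in the int range (top tagBits all one).
 * The extremes are the four encodings the entry lists (constructed here). */
static bool tagSchemeIsSound(int tagBits)
{
    uint64_t offset = (uint64_t)1 << (64 - tagBits);
    uint64_t intTag = ~(uint64_t)0 << (64 - tagBits);
    const uint64_t extremes[] = {
        0xfff8000000000000ULL, /* "negative" pureNaN */
        0xfff0000000000000ULL, /* negative infinity */
        0xffefffffffffffffULL, /* highest finite number (starts with 0xffe*) */
        0x0000000000000000ULL, /* lowest number */
    };
    for (size_t i = 0; i < sizeof extremes / sizeof extremes[0]; i++) {
        uint64_t boxed = extremes[i] + offset;       /* wraps on overflow, as hardware does */
        if ((boxed & intTag) == 0)      return false; /* indistinguishable from a pointer */
        if ((boxed & intTag) == intTag) return false; /* indistinguishable from an int */
    }
    return true;
}

int main(void)
{
    for (int bits = 13; bits <= 16; bits++)
        printf("%d-bit tag: %s\n", bits, tagSchemeIsSound(bits) ? "ok" : "collides");
    uint64_t negInf = boxDouble(-INFINITY);
    printf("boxed -inf: 0x%016llx isInt32=%d isDouble=%d\n",
           (unsigned long long)negInf, isInt32(negInf), isDouble(negInf));
    return 0;
}
```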
| |
| 2019-09-19 Mark Lam <mark.lam@apple.com> |
| |
| Refactoring: fix broken indentation in JSNonDestructibleProxy.h. |
| https://bugs.webkit.org/show_bug.cgi?id=201989 |
| |
| Reviewed by Saam Barati. |
| |
| This patch only unindents the code to get it back to compliant formatting. |
| There is no actual code change. |
| |
| * runtime/JSNonDestructibleProxy.h: |
| (JSC::JSNonDestructibleProxy::subspaceFor): |
| (JSC::JSNonDestructibleProxy::create): |
| (JSC::JSNonDestructibleProxy::createStructure): |
| (JSC::JSNonDestructibleProxy::JSNonDestructibleProxy): |
| |
| 2019-09-19 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Syntax checker should report duplicate __proto__ properties |
| https://bugs.webkit.org/show_bug.cgi?id=201897 |
| <rdar://problem/53201788> |
| |
| Reviewed by Mark Lam. |
| |
| Currently we have two ways of parsing object literals: |
| - parseObjectLiteral: this is called in sloppy mode, and as an optimization for syntax checking, |
| it doesn't allocate string literals while parsing properties. It does still allocate identifiers, |
| but it won't store them in the Property object that it creates for each parsed property. This |
| method backtracks and calls parseObjectStrictLiteral if it finds any getters or setters. |
| - parseObjectStrictLiteral: this is called in strict mode, or when the object contains getters/setters |
| as stated above. This will always allocate string literals as well as identifiers and store them in |
| the Property object, even during syntax checking. |
| |
| From looking at the history, it seems that there was a distinction between these two methods: |
| parseStrictObjectLiteral was introduced in r62848 and contained an extra check for duplicate |
| getters/setters or properties defined as both getters/setters and constants. That distinction |
| was removed and the only distinction that remained was whether we build strings and store the |
| strings and properties as part of the Property object created by SyntaxChecker::createProperty. |
| However, this optimization is no longer valid, since we need to throw a SyntaxError for duplicate |
| __proto__ properties in object literals even in sloppy mode, which means that we do need to build |
| the strings and identifiers and store them as part of the Property objects. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseObjectLiteral): |
| (JSC::Parser<LexerType>::parsePrimaryExpression): |
| (JSC::Parser<LexerType>::parseStrictObjectLiteral): Deleted. |
| * parser/Parser.h: |
| |
| 2019-09-19 Mark Lam <mark.lam@apple.com> |
| |
| Remove a now unnecessary hack to work around static const needing external linkage. |
| https://bugs.webkit.org/show_bug.cgi?id=201988 |
| |
| Reviewed by Saam Barati. |
| |
| MacroAssembler::dataTempRegister is now a constexpr, thereby ensuring that it's |
| inlinable. |
| |
| * b3/B3Common.cpp: |
| (JSC::B3::pinnedExtendedOffsetAddrRegister): |
| |
| 2019-09-19 Mark Lam <mark.lam@apple.com> |
| |
| Replace JSValue #defines with static constexpr values. |
| https://bugs.webkit.org/show_bug.cgi?id=201966 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| static constexpr is the modern C++ way to define these constants. |
| |
| Some of the values are typed int64_t and some are int32_t. The original #define |
| values are int64_t. Hence, we adopt int64_t as the default type to use here. |
| |
| However, some of these constants are being used as 32-bit values, and the code |
| was static_cast'ing them into int32_t. This set of constants are all the small |
| values that fit in an int32_t anyway. So, we're putting these in int32_t instead |
| so that we don't have to keep casting them. In the few places where they are |
| used as int64_t, they will automatically get up-casted anyway. |
| |
| In this patch, we also did the following: |
| |
| 1. Renamed TagMask to NotCellMask, because everywhere in the code, we're |
| basically using it to filter out cells like this: |
| |
| if (value & NotCellMask) then goto handleNotCellCase; |
| |
| 2. Renamed TagTypeNumber to NumberTag for a shorter name. |
| |
| Ditto for TagBitTypeOther, TagBitBool, TagBitUndefined, TagBitsWasm, and TagWasmMask. |
| They are now OtherTag, BoolTag, UndefinedTag, WasmTag, and WasmMask. |
| |
| 3. Introduced DoubleEncodeOffsetBit so that client code does not embed this value |
| as a literal constant. We now define DoubleEncodeOffset based on |
| DoubleEncodeOffsetBit ensuring consistency. |
| |
| 4. Introduced MiscTag so that clients don't have to put this set of tags together |
| themselves. |
| |
| 5. Removed static asserts for tags in LLIntData.cpp because the offlineasm now |
| captures these values correctly with constexpr statements. These static |
| asserts were holdovers from the old days back when we had to define LLInt |
| constant values manually, and we needed a mechanism to detect when the values |
| have changed in the source. |
| |
| 6. Replaced some runtime asserts in RegisterSet.cpp with static_asserts. |
| |
| 7. In Wasm::wasmToJS(), we were constructing the value of JSValue::DoubleEncodeOffset |
| constant by left shifting 1 by JSValue::DoubleEncodeOffsetBit. There's no need |
| to do this for ARM64 because the constant can be loaded efficiently with a single |
| MOVZ instruction. So, we add a CPU(ARM64) case to just move the constant into |
| the target register. |
| |
| * assembler/AbortReason.h: |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateWithGuard): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::executeOSRExit): |
| (JSC::DFG::OSRExit::compileExit): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::silentFill): |
| (JSC::DFG::SpeculativeJIT::checkArgumentTypes): |
| (JSC::DFG::SpeculativeJIT::compileValueToInt32): |
| (JSC::DFG::SpeculativeJIT::compileDoubleRep): |
| (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand): |
| (JSC::DFG::SpeculativeJIT::speculateMisc): |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::spill): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::fillJSValue): |
| (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined): |
| (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined): |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): |
| (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality): |
| (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): |
| (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): |
| (JSC::DFG::SpeculativeJIT::compileInt52Compare): |
| (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): |
| (JSC::DFG::SpeculativeJIT::compileLogicalNot): |
| (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): |
| (JSC::DFG::SpeculativeJIT::emitBranch): |
| (JSC::DFG::SpeculativeJIT::compile): |
| (JSC::DFG::SpeculativeJIT::moveTrueTo): |
| (JSC::DFG::SpeculativeJIT::moveFalseTo): |
| (JSC::DFG::SpeculativeJIT::blessBoolean): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::lower): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep): |
| (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber): |
| (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): |
| (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInById): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname): |
| (JSC::FTL::DFG::LowerDFGToB3::getById): |
| (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): |
| (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined): |
| (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): |
| (JSC::FTL::DFG::LowerDFGToB3::isInt32): |
| (JSC::FTL::DFG::LowerDFGToB3::isNotInt32): |
| (JSC::FTL::DFG::LowerDFGToB3::boxInt32): |
| (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc): |
| (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc): |
| (JSC::FTL::DFG::LowerDFGToB3::unboxDouble): |
| (JSC::FTL::DFG::LowerDFGToB3::boxDouble): |
| (JSC::FTL::DFG::LowerDFGToB3::isNotCell): |
| (JSC::FTL::DFG::LowerDFGToB3::isCell): |
| (JSC::FTL::DFG::LowerDFGToB3::isNotMisc): |
| (JSC::FTL::DFG::LowerDFGToB3::isNotBoolean): |
| (JSC::FTL::DFG::LowerDFGToB3::boxBoolean): |
| (JSC::FTL::DFG::LowerDFGToB3::isNotOther): |
| (JSC::FTL::DFG::LowerDFGToB3::isOther): |
| * ftl/FTLOSRExitCompiler.cpp: |
| (JSC::FTL::reboxAccordingToFormat): |
| (JSC::FTL::compileStub): |
| * interpreter/CalleeBits.h: |
| (JSC::CalleeBits::boxWasm): |
| (JSC::CalleeBits::isWasm const): |
| (JSC::CalleeBits::asWasmCallee const): |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::jitAssertIsJSInt32): |
| (JSC::AssemblyHelpers::jitAssertIsJSNumber): |
| (JSC::AssemblyHelpers::jitAssertIsJSDouble): |
| (JSC::AssemblyHelpers::jitAssertIsCell): |
| (JSC::AssemblyHelpers::jitAssertTagsInPlace): |
| (JSC::AssemblyHelpers::emitConvertValueToBoolean): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::emitSaveThenMaterializeTagRegisters): |
| (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters): |
| (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters): |
| (JSC::AssemblyHelpers::branchIfNotCell): |
| (JSC::AssemblyHelpers::branchIfCell): |
| (JSC::AssemblyHelpers::branchIfOther): |
| (JSC::AssemblyHelpers::branchIfNotOther): |
| (JSC::AssemblyHelpers::branchIfInt32): |
| (JSC::AssemblyHelpers::branchIfNotInt32): |
| (JSC::AssemblyHelpers::branchIfNumber): |
| (JSC::AssemblyHelpers::branchIfNotNumber): |
| (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32): |
| (JSC::AssemblyHelpers::branchIfBoolean): |
| (JSC::AssemblyHelpers::branchIfNotBoolean): |
| (JSC::AssemblyHelpers::boxDouble): |
| (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions): |
| (JSC::AssemblyHelpers::boxInt52): |
| (JSC::AssemblyHelpers::boxBooleanPayload): |
| (JSC::AssemblyHelpers::boxInt32): |
| * jit/CallFrameShuffleData.h: |
| * jit/CallFrameShuffler.cpp: |
| (JSC::CallFrameShuffler::CallFrameShuffler): |
| (JSC::CallFrameShuffler::dump const): |
| (JSC::CallFrameShuffler::prepareAny): |
| * jit/CallFrameShuffler.h: |
| (JSC::CallFrameShuffler::getFreeRegister const): |
| * jit/CallFrameShuffler64.cpp: |
| (JSC::CallFrameShuffler::emitBox): |
| (JSC::CallFrameShuffler::tryAcquireNumberTagRegister): |
| (JSC::CallFrameShuffler::tryAcquireTagTypeNumber): Deleted. |
| * jit/GPRInfo.h: |
| (JSC::GPRInfo::reservedRegisters): |
| * jit/JITArithmetic.cpp: |
| (JSC::JIT::emit_compareAndJumpSlow): |
| * jit/JITBitAndGenerator.cpp: |
| (JSC::JITBitAndGenerator::generateFastPath): |
| * jit/JITBitOrGenerator.cpp: |
| (JSC::JITBitOrGenerator::generateFastPath): |
| * jit/JITBitXorGenerator.cpp: |
| (JSC::JITBitXorGenerator::generateFastPath): |
| * jit/JITCall.cpp: |
| (JSC::JIT::compileTailCall): |
| * jit/JITDivGenerator.cpp: |
| (JSC::JITDivGenerator::generateFastPath): |
| * jit/JITInlines.h: |
| (JSC::JIT::emitPatchableJumpIfNotInt): |
| * jit/JITLeftShiftGenerator.cpp: |
| (JSC::JITLeftShiftGenerator::generateFastPath): |
| * jit/JITMulGenerator.cpp: |
| (JSC::JITMulGenerator::generateFastPath): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_overrides_has_instance): |
| (JSC::JIT::emit_op_is_undefined): |
| (JSC::JIT::emit_op_is_undefined_or_null): |
| (JSC::JIT::emit_op_is_boolean): |
| (JSC::JIT::emit_op_is_number): |
| (JSC::JIT::emit_op_is_cell_with_type): |
| (JSC::JIT::emit_op_is_object): |
| (JSC::JIT::emit_op_not): |
| (JSC::JIT::emit_op_jeq_null): |
| (JSC::JIT::emit_op_jneq_null): |
| (JSC::JIT::emit_op_jundefined_or_null): |
| (JSC::JIT::emit_op_jnundefined_or_null): |
| (JSC::JIT::emit_op_eq_null): |
| (JSC::JIT::emit_op_neq_null): |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitGenericContiguousPutByVal): |
| (JSC::JIT::emitFloatTypedArrayPutByVal): |
| * jit/JITRightShiftGenerator.cpp: |
| (JSC::JITRightShiftGenerator::generateFastPath): |
| * jit/RegisterSet.cpp: |
| (JSC::RegisterSet::runtimeTagRegisters): |
| (JSC::RegisterSet::llintBaselineCalleeSaveRegisters): |
| (JSC::RegisterSet::dfgCalleeSaveRegisters): |
| (JSC::RegisterSet::ftlCalleeSaveRegisters): |
| * jit/SpecializedThunkJIT.h: |
| (JSC::SpecializedThunkJIT::returnDouble): |
| (JSC::SpecializedThunkJIT::tagReturnAsInt32): |
| * jit/ThunkGenerators.cpp: |
| (JSC::virtualThunkFor): |
| (JSC::nativeForGenerator): |
| (JSC::arityFixupGenerator): |
| (JSC::absThunkGenerator): |
| * llint/LLIntData.cpp: |
| (JSC::LLInt::Data::performAssertions): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter.cpp: |
| (JSC::CLoop::execute): |
| * llint/LowLevelInterpreter64.asm: |
| * offlineasm/arm64.rb: |
| * offlineasm/cloop.rb: |
| * offlineasm/x86.rb: |
| * runtime/JSCJSValue.h: |
| * runtime/JSCJSValueInlines.h: |
| (JSC::JSValue::isUndefinedOrNull const): |
| (JSC::JSValue::isCell const): |
| (JSC::JSValue::isInt32 const): |
| (JSC::JSValue::JSValue): |
| (JSC::JSValue::asDouble const): |
| (JSC::JSValue::isNumber const): |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::wasmToJS): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| |
| 2019-09-18 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Better handling for large arrays and collections in Object Trees |
| https://bugs.webkit.org/show_bug.cgi?id=143589 |
| <rdar://problem/16135388> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Adds two buttons before the "Prototype" item in expanded object/collection previews: |
| - Show %d More |
| - Show All (%d More) |
| |
| The default `fetchCount` increment is `100`. The first button will only be shown if there |
| are more than `100` items remaining (haven't been shown). |
| |
| * inspector/InjectedScriptSource.js: |
| (InjectedScript.prototype.getProperties): |
| (InjectedScript.prototype.getDisplayableProperties): |
| (InjectedScript.prototype.getCollectionEntries): |
| (InjectedScript.prototype._getProperties): |
| (InjectedScript.prototype._internalPropertyDescriptors): |
| (InjectedScript.prototype._propertyDescriptors): |
| (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor): |
| (InjectedScript.prototype._propertyDescriptors.processProperties): |
| (InjectedScript.prototype._getSetEntries): |
| (InjectedScript.prototype._getMapEntries): |
| (InjectedScript.prototype._getWeakMapEntries): |
| (InjectedScript.prototype._getWeakSetEntries): |
| (InjectedScript.prototype._getIteratorEntries): |
| (InjectedScript.prototype._entries): |
| (RemoteObject.prototype._generatePreview): |
| (InjectedScript.prototype._propertyDescriptors.arrayIndexPropertyNames): Deleted. |
| Don't include boolean property descriptor values if they are `false`. |
| |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::weakMapEntries): |
| (Inspector::JSInjectedScriptHost::weakSetEntries): |
| |
| * inspector/InjectedScript.h: |
| * inspector/InjectedScript.cpp: |
| (Inspector::InjectedScript::getProperties): |
| (Inspector::InjectedScript::getDisplayableProperties): |
| (Inspector::InjectedScript::getCollectionEntries): |
| |
| * inspector/agents/InspectorRuntimeAgent.h: |
| * inspector/agents/InspectorRuntimeAgent.cpp: |
| (Inspector::asInt): Added. |
| (Inspector::InspectorRuntimeAgent::getProperties): |
| (Inspector::InspectorRuntimeAgent::getDisplayableProperties): |
| (Inspector::InspectorRuntimeAgent::getCollectionEntries): |
| |
| * inspector/protocol/Runtime.json: |
| Add `fetchStart`/`fetchCount` to `getProperties`/`getDisplayableProperties`/`getCollectionEntries`. |
| Mark boolean properties as optional so they can be omitted if `false`. |
| |
| 2019-09-18 Joonghun Park <pjh0718@gmail.com> |
| |
| Unreviewed. Remove build warning since r249976. |
| |
| No new tests, no behavioral changes. |
| |
| This patch removes the build warning below. |
| warning: control reaches end of non-void function [-Wreturn-type] |
| |
| * dfg/DFGArrayMode.cpp: |
| (JSC::DFG::ArrayMode::alreadyChecked const): |
| |
| 2019-09-18 Saam Barati <sbarati@apple.com> |
| |
| TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT |
| https://bugs.webkit.org/show_bug.cgi?id=201953 |
| <rdar://problem/53803524> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We had code in DFGSpeculativeJIT like: |
| |
| if (!globalObject->isHavingABadTime()) { |
| <-- here --> |
| Structure* s = globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType()); |
| assert 's' has expected indexing type |
| } |
| |
| The problem is, we may have a bad time before we actually load the structure |
| inside the if. We may have a bad time while we're at the "<-- here -->" in the |
| above program. The fix is to first load the structure, then check if we're |
| having a bad time. If we're still not having a bad time, it's valid to assert |
| things about the structure. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewArray): |
| |
| 2019-09-18 Chris Dumez <cdumez@apple.com> |
| |
| Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*() |
| https://bugs.webkit.org/show_bug.cgi?id=201947 |
| <rdar://problem/55453612> |
| |
| Reviewed by Mark Lam. |
| |
| Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*(). I started doing so in <https://trac.webkit.org/changeset/248533> |
| but it is causing crashes for apps using this JS API on background threads. It is also no longer necessary as of |
| <https://trac.webkit.org/changeset/249064>. |
| |
| * API/JSContextRef.cpp: |
| (JSContextGroupCreate): |
| (JSGlobalContextCreate): |
| (JSGlobalContextCreateInGroup): |
| |
| 2019-09-18 Saam Barati <sbarati@apple.com> |
| |
| Phantom insertion phase may disagree with arguments forwarding about live ranges |
| https://bugs.webkit.org/show_bug.cgi?id=200715 |
| <rdar://problem/54301717> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The issue is that Phantom insertion phase was disagreeing about live ranges |
| from the arguments forwarding phase. The effect is that Phantom insertion |
| would insert a Phantom creating a longer live range than what arguments |
| forwarding was analyzing. Arguments forwarding will look for the last DFG |
| use or the last bytecode use of a variable it wants to eliminate. It then |
| does an interference analysis to ensure that nothing clobbers other variables |
| it needs to recover the sunken allocation during OSR exit. |
| |
| Phantom insertion works by ordering the program into OSR exit epochs. If a value was used |
| in the current epoch, there is no need to insert a phantom for it. We |
| determine where we might need a Phantom by looking at bytecode kills. In this |
| analysis, we have a mapping from bytecode local to DFG node. However, we |
| sometimes forgot to remove the entry when a local is killed. So, if the first |
| kill of a variable is in the same OSR exit epoch, we won't insert a Phantom by design. |
| However, if the variable gets killed again, we might errantly insert a Phantom |
| for the prior variable which should've already been killed. The solution is to |
| clear the entry in our mapping when a variable is killed. |
| |
| The program in question was like this: |
| |
| 1: DirectArguments |
| ... |
| 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 |
| ... |
| clobber things needed for recovery |
| ... |
| |
| Arguments elimination would transform the program since between @1 and |
| @2, nothing clobbers values needed for exit and nothing escapes @1. The |
| program becomes: |
| |
| 1: PhantomDirectArguments |
| ... |
| 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 |
| ... |
| clobber things needed for recovery of @1 |
| ... |
| |
| Phantom insertion would then transform the program into: |
| |
| 1: PhantomDirectArguments |
| ... |
| 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 |
| ... |
| clobber things needed for recovery of @1 |
| ... |
| 3: Phantom(@1) |
| ... |
| |
| This is wrong because Phantom insertion and arguments forwarding must agree on live |
| ranges, otherwise the interference analysis performed by arguments forwarding will |
| not correctly analyze up until where the value might be recovered. |
| |
| * dfg/DFGPhantomInsertionPhase.cpp: |
| |
| 2019-09-18 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r250002. |
| https://bugs.webkit.org/show_bug.cgi?id=201943 |
| |
| Patching of the callee and call is not atomic (Requested by |
| tadeuzagallo on #webkit). |
| |
| Reverted changeset: |
| |
| "Change WebAssembly calling conventions" |
| https://bugs.webkit.org/show_bug.cgi?id=201799 |
| https://trac.webkit.org/changeset/250002 |
| |
| 2019-09-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Generator should have internal fields |
| https://bugs.webkit.org/show_bug.cgi?id=201159 |
| |
| Reviewed by Keith Miller. |
| |
| This patch makes generator's internal states InternalField instead of private properties. |
| Each generator function produces a generator with different [[Prototype]], which makes generators have different Structures. |
| As a result, Generator.prototype.next etc.'s implementation becomes megamorphic even if it is not necessary. |
| |
| If we make these structures adaptively poly-proto, some generators get poly-proto structures while others do not, resulting |
| in megamorphic lookup in Generator.prototype.next. If we make all the generator's structure poly-proto, it makes Generator.prototype.next |
| lookup suboptimal for now. |
| |
| In this patch, we start with a relatively simple solution. This patch introduces JSGenerator class, and it has internal fields for generator's internal |
| states. We extend promise-internal-field access bytecodes to access these fields from bytecode so that Generator.prototype.next can access |
| these fields without using megamorphic get_by_id_direct. |
| |
| And we attach JSGeneratorType to JSGenerator so that we can efficiently implement `@isGenerator()` check in bytecode. |
| |
| We reserve the offset = 0 slot for the future poly-proto extension for JSGenerator. By reserving this slot, non-poly-proto JSGenerator and poly-proto |
| JSGenerator can still offer a way to access the same Generator internal fields with the same offset while poly-proto JSGenerator can get offset = 0 |
| inline-storage slot for PolyProto implementation. |
| |
| This patch adds op_create_generator since it is distinct from op_create_promise once we add PolyProto support. |
| In the future when we introduce some kind of op_create_async_generator we will probably share only one bytecode for both generator and async generator. |
| |
| This patch offers around 10% improvement in JetStream2/Basic. And this patch is the basis of optimization of JetStream2/async-fs which leverages async generators significantly. |
| |
| This patch includes several design decisions. |
| |
| 1. We add a new JSGenerator instead of leveraging JSFinalObject. The main reason is that we would like to have JSGeneratorType to quickly query `@isGenerator`. |
| 2. This patch currently does not include object-allocation-sinking support for JSGenerator, but it is trivial, and will be added. And this patch also does not include poly-proto |
| support for JSGenerator. The main reason is simply because this patch is already large enough, and I do not want to make this patch larger and larger. |
| 3. We can support arbitrary sized inline-storage: Reserving 0-5 offsets for internal fields, and start putting all the other things to the subsequent internal fields. But for now, |
| we are not taking this approach just because I'm not sure this is necessary. If we find such a pattern, we can easily extend the current one but for now, I would like to keep |
| this patch simple. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * builtins/AsyncFunctionPrototype.js: |
| (globalPrivate.asyncFunctionResume): |
| * builtins/GeneratorPrototype.js: |
| (globalPrivate.generatorResume): |
| (next): |
| (return): |
| (throw): |
| * bytecode/BytecodeGeneratorification.cpp: |
| (JSC::BytecodeGeneratorification::run): |
| * bytecode/BytecodeIntrinsicRegistry.cpp: |
| (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): |
| * bytecode/BytecodeIntrinsicRegistry.h: |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| (JSC::CodeBlock::finalizeLLIntInlineCaches): |
| * bytecode/SpeculatedType.cpp: |
| (JSC::speculationFromJSType): |
| * bytecode/SpeculatedType.h: |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::emitPutGeneratorFields): |
| (JSC::BytecodeGenerator::emitCreateGenerator): |
| (JSC::BytecodeGenerator::emitNewGenerator): |
| (JSC::BytecodeGenerator::emitYield): |
| (JSC::BytecodeGenerator::emitDelegateYield): |
| (JSC::BytecodeGenerator::emitGeneratorStateChange): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::emitIsGenerator): |
| (JSC::BytecodeGenerator::generatorStateRegister): |
| (JSC::BytecodeGenerator::generatorValueRegister): |
| (JSC::BytecodeGenerator::generatorResumeModeRegister): |
| (JSC::BytecodeGenerator::generatorFrameRegister): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::generatorInternalFieldIndex): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_getGeneratorInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_putGeneratorInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isGenerator): |
| (JSC::FunctionNode::emitBytecode): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGClobbersExitState.cpp: |
| (JSC::DFG::clobbersExitState): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| (JSC::DFG::FixupPhase::fixupIsCellWithType): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::convertToNewGenerator): |
| (JSC::DFG::Node::speculatedTypeForQuery): |
| (JSC::DFG::Node::hasStructure): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCreatePromise): |
| (JSC::DFG::SpeculativeJIT::compileCreateGenerator): |
| (JSC::DFG::SpeculativeJIT::compileNewGenerator): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreateGenerator): |
| (JSC::FTL::DFG::LowerDFGToB3::isCellWithType): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_get_internal_field): |
| (JSC::JIT::emit_op_put_internal_field): |
| * llint/LowLevelInterpreter.asm: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/CommonSlowPaths.h: |
| * runtime/InternalFunction.cpp: |
| (JSC::InternalFunction::createSubclassStructureSlow): |
| * runtime/InternalFunction.h: |
| (JSC::InternalFunction::createSubclassStructure): |
| * runtime/JSGenerator.cpp: Added. |
| (JSC::JSGenerator::create): |
| (JSC::JSGenerator::createStructure): |
| (JSC::JSGenerator::JSGenerator): |
| (JSC::JSGenerator::finishCreation): |
| (JSC::JSGenerator::visitChildren): |
| * runtime/JSGenerator.h: Copied from Source/JavaScriptCore/runtime/JSGeneratorFunction.h. |
| * runtime/JSGeneratorFunction.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::generatorStructure const): |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| |
| 2019-09-17 Keith Miller <keith_miller@apple.com> |
| |
| Move comment explaining our Options to OptionsList.h |
| https://bugs.webkit.org/show_bug.cgi?id=201891 |
| |
| Rubber-stamped by Mark Lam. |
| |
| We moved the list so we should move the comment. |
| |
| * runtime/Options.h: |
| * runtime/OptionsList.h: |
| |
| 2019-09-17 Keith Miller <keith_miller@apple.com> |
| |
| Elide unnecessary moves in Air O0 |
| https://bugs.webkit.org/show_bug.cgi?id=201703 |
| |
| Reviewed by Saam Barati. |
| |
| This patch also removes the code that would try to reuse temps in |
| WasmAirIRGenerator. That code makes it hard to accurately |
| determine where a temp dies as it could be reused again |
| later. Thus every temp may appear to live for a long time in the |
| global ordering. |
| |
| This appears to be a minor progression on the overall score of |
| wasm subtests in JS2 and a 10% wasm-JIT memory usage reduction. |
| |
| This patch also fixes an issue where we didn't ask Patchpoints |
| for early clobber registers when determining what callee saves |
| were used by the program. |
| |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: |
| (JSC::B3::Air::GenerateAndAllocateRegisters::generate): |
| * b3/air/AirBasicBlock.h: |
| * b3/air/AirCode.h: |
| * b3/air/AirHandleCalleeSaves.cpp: |
| (JSC::B3::Air::handleCalleeSaves): |
| * b3/air/testair.cpp: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::didKill): Deleted. |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::didKill): Deleted. |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseBody): |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::didKill): Deleted. |
| |
| 2019-09-17 Mark Lam <mark.lam@apple.com> |
| |
| Use constexpr instead of const in symbol definitions that are obviously constexpr. |
| https://bugs.webkit.org/show_bug.cgi?id=201879 |
| |
| Rubber-stamped by Joseph Pecoraro. |
| |
| const may require external storage (at the compiler's whim) though these |
| currently do not. constexpr makes it clear that the value is a literal constant |
| that can be inlined. In most cases in the code, when we say static const, we |
| actually mean static constexpr. I'm changing the code to reflect this. |
| |
| * API/JSAPIValueWrapper.h: |
| * API/JSCallbackConstructor.h: |
| * API/JSCallbackObject.h: |
| * API/JSContextRef.cpp: |
| * API/JSWrapperMap.mm: |
| * API/tests/CompareAndSwapTest.cpp: |
| * API/tests/TypedArrayCTest.cpp: |
| * API/tests/testapi.mm: |
| (testObjectiveCAPIMain): |
| * KeywordLookupGenerator.py: |
| (Trie.printAsC): |
| * assembler/ARMv7Assembler.h: |
| * assembler/AssemblerBuffer.h: |
| * assembler/AssemblerCommon.h: |
| * assembler/MacroAssembler.h: |
| * assembler/MacroAssemblerARM64.h: |
| * assembler/MacroAssemblerARM64E.h: |
| * assembler/MacroAssemblerARMv7.h: |
| * assembler/MacroAssemblerCodeRef.h: |
| * assembler/MacroAssemblerMIPS.h: |
| * assembler/MacroAssemblerX86.h: |
| * assembler/MacroAssemblerX86Common.h: |
| (JSC::MacroAssemblerX86Common::absDouble): |
| (JSC::MacroAssemblerX86Common::negateDouble): |
| * assembler/MacroAssemblerX86_64.h: |
| * assembler/X86Assembler.h: |
| * b3/B3Bank.h: |
| * b3/B3CheckSpecial.h: |
| * b3/B3DuplicateTails.cpp: |
| * b3/B3EliminateCommonSubexpressions.cpp: |
| * b3/B3FixSSA.cpp: |
| * b3/B3FoldPathConstants.cpp: |
| * b3/B3InferSwitches.cpp: |
| * b3/B3Kind.h: |
| * b3/B3LowerToAir.cpp: |
| * b3/B3NativeTraits.h: |
| * b3/B3ReduceDoubleToFloat.cpp: |
| * b3/B3ReduceLoopStrength.cpp: |
| * b3/B3ReduceStrength.cpp: |
| * b3/B3ValueKey.h: |
| * b3/air/AirAllocateRegistersByGraphColoring.cpp: |
| * b3/air/AirAllocateStackByGraphColoring.cpp: |
| * b3/air/AirArg.h: |
| * b3/air/AirCCallSpecial.h: |
| * b3/air/AirEmitShuffle.cpp: |
| * b3/air/AirFixObviousSpills.cpp: |
| * b3/air/AirFormTable.h: |
| * b3/air/AirLowerAfterRegAlloc.cpp: |
| * b3/air/AirPrintSpecial.h: |
| * b3/air/AirStackAllocation.cpp: |
| * b3/air/AirTmp.h: |
| * b3/testb3_6.cpp: |
| (testInterpreter): |
| * bytecode/AccessCase.cpp: |
| * bytecode/CallLinkStatus.cpp: |
| * bytecode/CallVariant.h: |
| * bytecode/CodeBlock.h: |
| * bytecode/CodeOrigin.h: |
| * bytecode/DFGExitProfile.h: |
| * bytecode/DirectEvalCodeCache.h: |
| * bytecode/ExecutableToCodeBlockEdge.h: |
| * bytecode/GetterSetterAccessCase.cpp: |
| * bytecode/LazyOperandValueProfile.h: |
| * bytecode/ObjectPropertyCondition.h: |
| * bytecode/ObjectPropertyConditionSet.cpp: |
| * bytecode/PolymorphicAccess.cpp: |
| * bytecode/PropertyCondition.h: |
| * bytecode/SpeculatedType.h: |
| * bytecode/StructureStubInfo.cpp: |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): |
| * bytecode/UnlinkedCodeBlock.h: |
| * bytecode/UnlinkedEvalCodeBlock.h: |
| * bytecode/UnlinkedFunctionCodeBlock.h: |
| * bytecode/UnlinkedFunctionExecutable.h: |
| * bytecode/UnlinkedModuleProgramCodeBlock.h: |
| * bytecode/UnlinkedProgramCodeBlock.h: |
| * bytecode/ValueProfile.h: |
| * bytecode/VirtualRegister.h: |
| * bytecode/Watchpoint.h: |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/Label.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::ThisNode::emitBytecode): |
| * bytecompiler/RegisterID.h: |
| * debugger/Breakpoint.h: |
| * debugger/DebuggerParseData.cpp: |
| * debugger/DebuggerPrimitives.h: |
| * debugger/DebuggerScope.h: |
| * dfg/DFGAbstractHeap.h: |
| * dfg/DFGAbstractValue.h: |
| * dfg/DFGArgumentsEliminationPhase.cpp: |
| * dfg/DFGByteCodeParser.cpp: |
| * dfg/DFGCSEPhase.cpp: |
| * dfg/DFGCommon.h: |
| * dfg/DFGCompilationKey.h: |
| * dfg/DFGDesiredGlobalProperty.h: |
| * dfg/DFGEdgeDominates.h: |
| * dfg/DFGEpoch.h: |
| * dfg/DFGForAllKills.h: |
| (JSC::DFG::forAllKilledNodesAtNodeIndex): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::isLiveInBytecode): |
| * dfg/DFGHeapLocation.h: |
| * dfg/DFGInPlaceAbstractState.cpp: |
| * dfg/DFGIntegerCheckCombiningPhase.cpp: |
| * dfg/DFGIntegerRangeOptimizationPhase.cpp: |
| * dfg/DFGInvalidationPointInjectionPhase.cpp: |
| * dfg/DFGLICMPhase.cpp: |
| * dfg/DFGLazyNode.h: |
| * dfg/DFGMinifiedID.h: |
| * dfg/DFGMovHintRemovalPhase.cpp: |
| * dfg/DFGNodeFlowProjection.h: |
| * dfg/DFGNodeType.h: |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
| * dfg/DFGPhantomInsertionPhase.cpp: |
| * dfg/DFGPromotedHeapLocation.h: |
| * dfg/DFGPropertyTypeKey.h: |
| * dfg/DFGPureValue.h: |
| * dfg/DFGPutStackSinkingPhase.cpp: |
| * dfg/DFGRegisterBank.h: |
| * dfg/DFGSSAConversionPhase.cpp: |
| * dfg/DFGSSALoweringPhase.cpp: |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileDoubleRep): |
| (JSC::DFG::compileClampDoubleToByte): |
| (JSC::DFG::SpeculativeJIT::compileArithRounding): |
| (JSC::DFG::compileArithPowIntegerFastPath): |
| (JSC::DFG::SpeculativeJIT::compileArithPow): |
| (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse): |
| * dfg/DFGStackLayoutPhase.cpp: |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * dfg/DFGStrengthReductionPhase.cpp: |
| * dfg/DFGStructureAbstractValue.h: |
| * dfg/DFGVarargsForwardingPhase.cpp: |
| * dfg/DFGVariableEventStream.cpp: |
| (JSC::DFG::VariableEventStream::reconstruct const): |
| * dfg/DFGWatchpointCollectionPhase.cpp: |
| * disassembler/ARM64/A64DOpcode.h: |
| * ftl/FTLLocation.h: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom): |
| * ftl/FTLSlowPathCall.cpp: |
| * ftl/FTLSlowPathCallKey.h: |
| * heap/CellContainer.h: |
| * heap/CellState.h: |
| * heap/ConservativeRoots.h: |
| * heap/GCSegmentedArray.h: |
| * heap/HandleBlock.h: |
| * heap/Heap.cpp: |
| (JSC::Heap::updateAllocationLimits): |
| * heap/Heap.h: |
| * heap/HeapSnapshot.h: |
| * heap/HeapUtil.h: |
| (JSC::HeapUtil::findGCObjectPointersForMarking): |
| * heap/IncrementalSweeper.cpp: |
| * heap/LargeAllocation.h: |
| * heap/MarkedBlock.cpp: |
| * heap/Strong.h: |
| * heap/VisitRaceKey.h: |
| * heap/Weak.h: |
| * heap/WeakBlock.h: |
| * inspector/JSInjectedScriptHost.h: |
| * inspector/JSInjectedScriptHostPrototype.h: |
| * inspector/JSJavaScriptCallFrame.h: |
| * inspector/JSJavaScriptCallFramePrototype.h: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| * inspector/agents/InspectorRuntimeAgent.cpp: |
| (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): |
| * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: |
| (CppProtocolTypesHeaderGenerator._generate_versions): |
| * inspector/scripts/tests/generic/expected/version.json-result: |
| * interpreter/Interpreter.h: |
| * interpreter/ShadowChicken.cpp: |
| * jit/BinarySwitch.cpp: |
| * jit/CallFrameShuffler.h: |
| * jit/ExecutableAllocator.h: |
| * jit/FPRInfo.h: |
| * jit/GPRInfo.h: |
| * jit/ICStats.h: |
| * jit/JITThunks.h: |
| * jit/Reg.h: |
| * jit/RegisterSet.h: |
| * jit/TempRegisterSet.h: |
| * jsc.cpp: |
| * parser/ASTBuilder.h: |
| * parser/Nodes.h: |
| * parser/SourceCodeKey.h: |
| * parser/SyntaxChecker.h: |
| * parser/VariableEnvironment.h: |
| * profiler/ProfilerOrigin.h: |
| * profiler/ProfilerOriginStack.h: |
| * profiler/ProfilerUID.h: |
| * runtime/AbstractModuleRecord.cpp: |
| * runtime/ArrayBufferNeuteringWatchpointSet.h: |
| * runtime/ArrayConstructor.h: |
| * runtime/ArrayConventions.h: |
| * runtime/ArrayIteratorPrototype.h: |
| * runtime/ArrayPrototype.cpp: |
| (JSC::setLength): |
| * runtime/AsyncFromSyncIteratorPrototype.h: |
| * runtime/AsyncGeneratorFunctionPrototype.h: |
| * runtime/AsyncGeneratorPrototype.h: |
| * runtime/AsyncIteratorPrototype.h: |
| * runtime/AtomicsObject.cpp: |
| * runtime/BigIntConstructor.h: |
| * runtime/BigIntPrototype.h: |
| * runtime/BooleanPrototype.h: |
| * runtime/ClonedArguments.h: |
| * runtime/CodeCache.h: |
| * runtime/ControlFlowProfiler.h: |
| * runtime/CustomGetterSetter.h: |
| * runtime/DateConstructor.h: |
| * runtime/DatePrototype.h: |
| * runtime/DefinePropertyAttributes.h: |
| * runtime/ErrorPrototype.h: |
| * runtime/EvalExecutable.h: |
| * runtime/Exception.h: |
| * runtime/ExceptionHelpers.cpp: |
| (JSC::invalidParameterInSourceAppender): |
| (JSC::invalidParameterInstanceofSourceAppender): |
| * runtime/ExceptionHelpers.h: |
| * runtime/ExecutableBase.h: |
| * runtime/FunctionExecutable.h: |
| * runtime/FunctionRareData.h: |
| * runtime/GeneratorPrototype.h: |
| * runtime/GenericArguments.h: |
| * runtime/GenericOffset.h: |
| * runtime/GetPutInfo.h: |
| * runtime/GetterSetter.h: |
| * runtime/GlobalExecutable.h: |
| * runtime/Identifier.h: |
| * runtime/InspectorInstrumentationObject.h: |
| * runtime/InternalFunction.h: |
| * runtime/IntlCollatorConstructor.h: |
| * runtime/IntlCollatorPrototype.h: |
| * runtime/IntlDateTimeFormatConstructor.h: |
| * runtime/IntlDateTimeFormatPrototype.h: |
| * runtime/IntlNumberFormatConstructor.h: |
| * runtime/IntlNumberFormatPrototype.h: |
| * runtime/IntlObject.h: |
| * runtime/IntlPluralRulesConstructor.h: |
| * runtime/IntlPluralRulesPrototype.h: |
| * runtime/IteratorPrototype.h: |
| * runtime/JSArray.cpp: |
| (JSC::JSArray::tryCreateUninitializedRestricted): |
| * runtime/JSArray.h: |
| * runtime/JSArrayBuffer.h: |
| * runtime/JSArrayBufferView.h: |
| * runtime/JSBigInt.h: |
| * runtime/JSCJSValue.h: |
| * runtime/JSCell.h: |
| * runtime/JSCustomGetterSetterFunction.h: |
| * runtime/JSDataView.h: |
| * runtime/JSDataViewPrototype.h: |
| * runtime/JSDestructibleObject.h: |
| * runtime/JSFixedArray.h: |
| * runtime/JSGenericTypedArrayView.h: |
| * runtime/JSGlobalLexicalEnvironment.h: |
| * runtime/JSGlobalObject.h: |
| * runtime/JSImmutableButterfly.h: |
| * runtime/JSInternalPromiseConstructor.h: |
| * runtime/JSInternalPromiseDeferred.h: |
| * runtime/JSInternalPromisePrototype.h: |
| * runtime/JSLexicalEnvironment.h: |
| * runtime/JSModuleEnvironment.h: |
| * runtime/JSModuleLoader.h: |
| * runtime/JSModuleNamespaceObject.h: |
| * runtime/JSNonDestructibleProxy.h: |
| * runtime/JSONObject.cpp: |
| * runtime/JSONObject.h: |
| * runtime/JSObject.h: |
| * runtime/JSPromiseConstructor.h: |
| * runtime/JSPromiseDeferred.h: |
| * runtime/JSPromisePrototype.h: |
| * runtime/JSPropertyNameEnumerator.h: |
| * runtime/JSProxy.h: |
| * runtime/JSScope.h: |
| * runtime/JSScriptFetchParameters.h: |
| * runtime/JSScriptFetcher.h: |
| * runtime/JSSegmentedVariableObject.h: |
| * runtime/JSSourceCode.h: |
| * runtime/JSString.cpp: |
| * runtime/JSString.h: |
| * runtime/JSSymbolTableObject.h: |
| * runtime/JSTemplateObjectDescriptor.h: |
| * runtime/JSTypeInfo.h: |
| * runtime/MapPrototype.h: |
| * runtime/MinimumReservedZoneSize.h: |
| * runtime/ModuleProgramExecutable.h: |
| * runtime/NativeExecutable.h: |
| * runtime/NativeFunction.h: |
| * runtime/NativeStdFunctionCell.h: |
| * runtime/NumberConstructor.h: |
| * runtime/NumberPrototype.h: |
| * runtime/ObjectConstructor.h: |
| * runtime/ObjectPrototype.h: |
| * runtime/ProgramExecutable.h: |
| * runtime/PromiseDeferredTimer.cpp: |
| * runtime/PropertyMapHashTable.h: |
| * runtime/PropertyNameArray.h: |
| (JSC::PropertyNameArray::add): |
| * runtime/PrototypeKey.h: |
| * runtime/ProxyConstructor.h: |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::performGetOwnPropertyNames): |
| * runtime/ProxyRevoke.h: |
| * runtime/ReflectObject.h: |
| * runtime/RegExp.h: |
| * runtime/RegExpCache.h: |
| * runtime/RegExpConstructor.h: |
| * runtime/RegExpKey.h: |
| * runtime/RegExpObject.h: |
| * runtime/RegExpPrototype.h: |
| * runtime/RegExpStringIteratorPrototype.h: |
| * runtime/SamplingProfiler.cpp: |
| * runtime/ScopedArgumentsTable.h: |
| * runtime/ScriptExecutable.h: |
| * runtime/SetPrototype.h: |
| * runtime/SmallStrings.h: |
| * runtime/SparseArrayValueMap.h: |
| * runtime/StringConstructor.h: |
| * runtime/StringIteratorPrototype.h: |
| * runtime/StringObject.h: |
| * runtime/StringPrototype.h: |
| * runtime/Structure.h: |
| * runtime/StructureChain.h: |
| * runtime/StructureRareData.h: |
| * runtime/StructureTransitionTable.h: |
| * runtime/Symbol.h: |
| * runtime/SymbolConstructor.h: |
| * runtime/SymbolPrototype.h: |
| * runtime/SymbolTable.h: |
| * runtime/TemplateObjectDescriptor.h: |
| * runtime/TypeProfiler.cpp: |
| * runtime/TypeProfiler.h: |
| * runtime/TypeProfilerLog.cpp: |
| * runtime/VarOffset.h: |
| * testRegExp.cpp: |
| * tools/HeapVerifier.cpp: |
| (JSC::HeapVerifier::checkIfRecorded): |
| * tools/JSDollarVM.cpp: |
| * wasm/WasmB3IRGenerator.cpp: |
| * wasm/WasmBBQPlan.cpp: |
| * wasm/WasmFaultSignalHandler.cpp: |
| * wasm/WasmFunctionParser.h: |
| * wasm/WasmOMGForOSREntryPlan.cpp: |
| * wasm/WasmOMGPlan.cpp: |
| * wasm/WasmPlan.cpp: |
| * wasm/WasmSignature.cpp: |
| * wasm/WasmSignature.h: |
| * wasm/WasmWorklist.cpp: |
| * wasm/js/JSWebAssembly.h: |
| * wasm/js/JSWebAssemblyCodeBlock.h: |
| * wasm/js/WebAssemblyCompileErrorConstructor.h: |
| * wasm/js/WebAssemblyCompileErrorPrototype.h: |
| * wasm/js/WebAssemblyFunction.h: |
| * wasm/js/WebAssemblyInstanceConstructor.h: |
| * wasm/js/WebAssemblyInstancePrototype.h: |
| * wasm/js/WebAssemblyLinkErrorConstructor.h: |
| * wasm/js/WebAssemblyLinkErrorPrototype.h: |
| * wasm/js/WebAssemblyMemoryConstructor.h: |
| * wasm/js/WebAssemblyMemoryPrototype.h: |
| * wasm/js/WebAssemblyModuleConstructor.h: |
| * wasm/js/WebAssemblyModulePrototype.h: |
| * wasm/js/WebAssemblyRuntimeErrorConstructor.h: |
| * wasm/js/WebAssemblyRuntimeErrorPrototype.h: |
| * wasm/js/WebAssemblyTableConstructor.h: |
| * wasm/js/WebAssemblyTablePrototype.h: |
| * wasm/js/WebAssemblyToJSCallee.h: |
| * yarr/Yarr.h: |
| * yarr/YarrParser.h: |
| * yarr/generateYarrCanonicalizeUnicode: |
| |
| 2019-09-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Follow-up after String.codePointAt optimization |
| https://bugs.webkit.org/show_bug.cgi?id=201889 |
| |
| Reviewed by Saam Barati. |
| |
| Follow-up after string.codePointAt DFG / FTL optimizations: |
| |
| 1. Gracefully accept more arguments than expected for intrinsics |
| 2. Check BadType in String.codePointAt, String.charAt, and String.charCodeAt. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicCall): |
| |
| 2019-09-17 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Change WebAssembly calling conventions |
| https://bugs.webkit.org/show_bug.cgi?id=201799 |
| |
| Reviewed by Saam Barati. |
| |
| Currently, the Wasm::Callee writes itself to CallFrameSlot::callee. However, this won't work when |
| we have the Wasm interpreter, since we need the callee in order to know which function we are executing. |
| This patch changes the calling conventions in preparation for the interpreter, so that the caller |
| becomes responsible for writing the callee into the call frame. |
| However, there are exceptions to this rule: stubs can still write to the callee slot, since they are individually |
| generated and will still be present in the interpreter. We keep this design to avoid emitting unnecessary |
| code when we know statically who the callee is: |
| - Caller writes to call frame: intra-module direct wasm calls, indirect wasm calls, JS-to-wasm stub (new frame), JS-to-wasm IC. |
| - Callee writes to call frame: inter-module wasm-to-wasm stub, JS-to-wasm stub (callee frame), wasm-to-JS stub, OMG osr entry |
| |
| Additionally, this patch also changes it so that the callee keeps track of its callers, instead of having a global mapping |
| of calls in the Wasm::CodeBlock. This makes it easier to repatch all callers of a given Callee when it tiers up. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::addCall): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| (JSC::Wasm::parseAndCompileAir): |
| * wasm/WasmAirIRGenerator.h: |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::B3IRGenerator): |
| (JSC::Wasm::B3IRGenerator::addCall): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| (JSC::Wasm::parseAndCompile): |
| * wasm/WasmB3IRGenerator.h: |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::BBQPlan): |
| (JSC::Wasm::BBQPlan::prepare): |
| (JSC::Wasm::BBQPlan::compileFunctions): |
| (JSC::Wasm::BBQPlan::complete): |
| * wasm/WasmBBQPlan.h: |
| * wasm/WasmBBQPlanInlines.h: |
| (JSC::Wasm::BBQPlan::initializeCallees): |
| * wasm/WasmBinding.cpp: |
| (JSC::Wasm::wasmToWasm): |
| * wasm/WasmCallee.cpp: |
| (JSC::Wasm::Callee::Callee): |
| (JSC::Wasm::repatchMove): |
| (JSC::Wasm::repatchCall): |
| (JSC::Wasm::BBQCallee::addCaller): |
| (JSC::Wasm::BBQCallee::addAndLinkCaller): |
| (JSC::Wasm::BBQCallee::repatchCallers): |
| * wasm/WasmCallee.h: |
| (JSC::Wasm::Callee::entrypoint): |
| (JSC::Wasm::Callee::code const): |
| (JSC::Wasm::Callee::calleeSaveRegisters): |
| * wasm/WasmCallingConvention.h: |
| (JSC::Wasm::CallingConvention::setupFrameInPrologue const): |
| * wasm/WasmCodeBlock.cpp: |
| (JSC::Wasm::CodeBlock::CodeBlock): |
| * wasm/WasmCodeBlock.h: |
| (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace): |
| (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace): |
| (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace): |
| (JSC::Wasm::CodeBlock::boxedCalleeLoadLocationFromFunctionIndexSpace): |
| * wasm/WasmEmbedder.h: |
| * wasm/WasmFormat.h: |
| (JSC::Wasm::WasmToWasmImportableFunction::offsetOfBoxedCalleeLoadLocation): |
| * wasm/WasmInstance.h: |
| (JSC::Wasm::Instance::offsetOfBoxedCalleeLoadLocation): |
| * wasm/WasmOMGForOSREntryPlan.cpp: |
| (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan): |
| (JSC::Wasm::OMGForOSREntryPlan::work): |
| * wasm/WasmOMGForOSREntryPlan.h: |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::OMGPlan): |
| (JSC::Wasm::OMGPlan::work): |
| * wasm/WasmOMGPlan.h: |
| * wasm/WasmOperations.cpp: |
| (JSC::Wasm::triggerOMGReplacementCompile): |
| (JSC::Wasm::doOSREntry): |
| (JSC::Wasm::triggerOSREntryNow): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/JSToWasm.h: |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| (JSC::WebAssemblyFunction::create): |
| (JSC::WebAssemblyFunction::WebAssemblyFunction): |
| * wasm/js/WebAssemblyFunction.h: |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| (JSC::WebAssemblyModuleRecord::evaluate): |
| * wasm/js/WebAssemblyWrapperFunction.cpp: |
| (JSC::WebAssemblyWrapperFunction::create): |
| |
| 2019-09-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] CheckArray+NonArray is not filtering out Array in AI |
| https://bugs.webkit.org/show_bug.cgi?id=201857 |
| <rdar://problem/54194820> |
| |
| Reviewed by Keith Miller. |
| |
| The code of DFG::ArrayMode::alreadyChecked is different from SpeculativeJIT's CheckArray / CheckStructure. |
| While we assume CheckArray+NonArray ensures it only passes non-array inputs, DFG::ArrayMode::alreadyChecked |
| accepts arrays too. So CheckArray+NonArray is removed in AI if the input is proven to be an array. |
| This patch aligns DFG::ArrayMode::alreadyChecked to the checks done at runtime. |
| |
| * dfg/DFGArrayMode.cpp: |
| (JSC::DFG::ArrayMode::alreadyChecked const): |
| |
| 2019-09-17 Saam Barati <sbarati@apple.com> |
| |
| CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage |
| https://bugs.webkit.org/show_bug.cgi?id=201853 |
| <rdar://problem/53805461> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We were claiming CheckArray for ScopedArguments/DirectArguments was filtering |
| out SlowPutArrayStorage. It does no such thing. We just check that the object |
| is either ScopedArguments or DirectArguments. |
| |
| * dfg/DFGArrayMode.h: |
| (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const): |
| (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const): |
| (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted. |
| |
| 2019-09-16 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Wasm StreamingParser should validate that number of functions matches number of declarations |
| https://bugs.webkit.org/show_bug.cgi?id=201850 |
| <rdar://problem/55290186> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Currently, when parsing the code section, we check that the number of functions matches the number |
| of declarations in the function section. However, that check is never performed if the module does |
| not have a code section. To fix that, we perform the check again in StreamingParser::finalize. |
| |
| * wasm/WasmStreamingParser.cpp: |
| (JSC::Wasm::StreamingParser::finalize): |
| |
| 2019-09-16 Michael Saboff <msaboff@apple.com> |
| |
| [JSC] Perform check again when we found non-BMP characters |
| https://bugs.webkit.org/show_bug.cgi?id=201647 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We need to check for end of input for non-BMP characters when matching a character class that contains |
| both BMP and non-BMP characters. In advanceIndexAfterCharacterClassTermMatch() we were checking for |
| end of input for both BMP and non-BMP characters. For BMP characters, this check is redundant. |
| After moving the check to after the "is BMP check", we need to decrement index after reaching the failure |
| label to back out the index++ for the first surrogate of the non-BMP character. |
| |
| Added the same kind of check in generateCharacterClassOnce(). In that case, we have pre-checked the |
| first character (surrogate) for a non-BMP codepoint, so we just need to check for end of input before |
| we increment for the second surrogate. |
| |
| While writing tests, I found an off-by-one error in backtrackCharacterClassGreedy() and changed the |
| loop to check the count at loop top instead of loop bottom. |
| |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch): |
| (JSC::Yarr::YarrGenerator::generateCharacterClassOnce): |
| (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy): |
| (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy): |
| (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy): |
| |
| 2019-09-16 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Add missing syntax errors for await in function parameter default expressions |
| https://bugs.webkit.org/show_bug.cgi?id=201615 |
| |
| Reviewed by Darin Adler. |
| |
| This patch rectifies two oversights: |
| 1. We were prohibiting `async function f(x = (await) => {}) {}` but not `async function f(x = await => {}) {}` |
| (and likewise for async arrow functions). |
| 2. We were not prohibiting `(x = await => {}) => {}` in an async context |
| (regardless of parentheses, but note that this one *only* applies to arrow functions). |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::isArrowFunctionParameters): Fix case (1). |
| (JSC::Parser<LexerType>::parseFunctionInfo): Fix case (2). |
| (JSC::Parser<LexerType>::parseAwaitExpression): Convert unfailing check into an ASSERT. |
| (JSC::Parser<LexerType>::parsePrimaryExpression): Adjust error message for case (2). |
| |
| 2019-09-16 Tadeu Zagallo <tzagallo@apple.com> |
| |
| SamplingProfiler should hold API lock before reporting results |
| https://bugs.webkit.org/show_bug.cgi?id=201829 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Right now, the SamplingProfiler crashes in debug builds when trying to |
| report results if it finds a JSFunction on the stack that doesn't have |
| RareData. It tries to allocate the function's rare data when we call |
| getOwnPropertySlot in order to get the function's name, but that fails |
| because we are not holding the VM's API lock. We fix it by just holding |
| the lock before reporting the results. |
| |
| * runtime/SamplingProfiler.cpp: |
| (JSC::SamplingProfiler::reportDataToOptionFile): |
| |
| 2019-09-16 David Kilzer <ddkilzer@apple.com> |
| |
| [JSC] REGRESSION (r248938): Leak of uint32_t arrays in testFastForwardCopy32() |
| <https://webkit.org/b/201804> |
| |
| Reviewed by Saam Barati. |
| |
| * b3/testb3_8.cpp: |
| (testFastForwardCopy32): Allocate arrays using |
| WTF::makeUniqueArray<uint32_t> to fix leaks caused by continue |
| statements. |
| |
| 2019-09-16 Saam Barati <sbarati@apple.com> |
| |
| JSObject::putInlineSlow should not ignore "__proto__" for Proxy |
| https://bugs.webkit.org/show_bug.cgi?id=200386 |
| <rdar://problem/53854946> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We used to ignore '__proto__' in putInlineSlow when the object in question |
| was Proxy. There is no reason for this, and it goes against the spec. So |
| I've removed that condition. This also has the effect that it fixes an |
| assertion firing inside our inline caching code which dictates that, for a |
| property replace, the base value's structure must be equal to the |
| structure we grabbed prior to the put operation. |
| The old code caused a weird edge case where we broke this invariant. |
| |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::putInlineSlow): |
| |
| 2019-09-15 David Kilzer <ddkilzer@apple.com> |
| |
| Leak of NSMapTable in -[JSVirtualMachine addManagedReference:withOwner:] |
| <https://webkit.org/b/201803> |
| |
| Reviewed by Dan Bernstein. |
| |
| * API/JSVirtualMachine.mm: |
| (-[JSVirtualMachine addManagedReference:withOwner:]): Use |
| RetainPtr<> to fix the leak. |
| |
| 2019-09-14 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Retire x86 32bit JIT support |
| https://bugs.webkit.org/show_bug.cgi?id=201790 |
| |
| Reviewed by Mark Lam. |
| |
| Now, Xcode no longer has the ability to build 32-bit binaries, so we cannot even test it on macOS. |
| Fedora has stopped shipping the x86 32-bit kernel. Our x86/x86_64 JIT requires SSE2, and so such relatively modern CPUs |
| can use the JIT by switching from x86 to x86_64. And these CPUs are modern enough to run CLoop at high speed. |
| WebKit already disabled x86 JIT by default while the implementation exists. So literally, it is not tested. |
| |
| While x86 32-bit becomes less useful, the x86 32-bit JIT backend is very complicated and is a major maintenance burden. |
| This is due to the very small number of registers, which scatters a lot of isX86 / CPU(X86) in Baseline, DFG, and Yarr. |
| |
| This patch retires x86 JIT support from JavaScriptCore and CSS JIT. We still keep MacroAssembler and GPRInfo / FPRInfo, |
| MachineContext information since they are useful even though JIT is not supported. |
| |
| * dfg/DFGArrayMode.cpp: |
| (JSC::DFG::ArrayMode::refine const): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicCall): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::compileExceptionHandlers): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::osrWriteBarrier): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileArithDiv): |
| (JSC::DFG::SpeculativeJIT::compileArithMod): |
| (JSC::DFG::SpeculativeJIT::compileCreateRest): |
| (JSC::DFG::SpeculativeJIT::compileGetDirectPname): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGThunks.cpp: |
| (JSC::DFG::osrExitGenerationThunkGenerator): |
| * ftl/FTLThunks.cpp: |
| (JSC::FTL::slowPathCallThunkGenerator): |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::callExceptionFuzz): |
| (JSC::AssemblyHelpers::debugCall): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask): |
| * jit/CCallHelpers.h: |
| (JSC::CCallHelpers::setupArgumentsImpl): |
| (JSC::CCallHelpers::prepareForTailCallSlow): |
| * jit/CallFrameShuffler.cpp: |
| (JSC::CallFrameShuffler::prepareForTailCall): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileExceptionHandlers): |
| * jit/JITArithmetic32_64.cpp: |
| (JSC::JIT::emit_op_mod): |
| (JSC::JIT::emitSlow_op_mod): |
| * jit/SlowPathCall.h: |
| (JSC::JITSlowPathCall::call): |
| * jit/ThunkGenerators.cpp: |
| (JSC::nativeForGenerator): |
| (JSC::arityFixupGenerator): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::emitModOrDiv): |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::generateDotStarEnclosure): |
| (JSC::Yarr::YarrGenerator::generateEnter): |
| (JSC::Yarr::YarrGenerator::generateReturn): |
| (JSC::Yarr::YarrGenerator::compile): |
| * yarr/YarrJIT.h: |
| |
| 2019-09-13 Mark Lam <mark.lam@apple.com> |
| |
| jsc -d stopped working. |
| https://bugs.webkit.org/show_bug.cgi?id=201787 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| The reason is that, in this case, the jsc shell is trying to set an option |
| after the VM has been instantiated. The fix is simply to move all options |
| initialization before the VM is instantiated. |
| |
| * jsc.cpp: |
| (runWithOptions): |
| (jscmain): |
| |
| 2019-09-13 Mark Lam <mark.lam@apple.com> |
| |
| watchOS requires PageSize alignment of 16K for JSC::Config. |
| https://bugs.webkit.org/show_bug.cgi?id=201786 |
| <rdar://problem/55357890> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/JSCConfig.h: |
| |
| 2019-09-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, follow-up fix after r249842 |
| https://bugs.webkit.org/show_bug.cgi?id=201750 |
| |
| Michael reviewed this offline. When performing nearCall, we need to invalidate cache registers. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::nearCall): |
| (JSC::MacroAssemblerARM64::threadSafePatchableNearCall): |
| |
| 2019-09-13 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Date.prototype.toJSON does not execute steps 1-2 |
| https://bugs.webkit.org/show_bug.cgi?id=105282 |
| |
| Reviewed by Ross Kirsling. |
| |
| According to https://tc39.es/ecma262/#sec-built-in-function-objects, built-in methods must be |
| strict mode functions. Before this change, `this` value in Date.prototype.toJSON was resolved |
| using sloppy mode semantics, resulting in `toISOString` being called on the global object if `this` |
| value equals `null` or `undefined`. |
| |
| * runtime/DatePrototype.cpp: |
| (JSC::dateProtoFuncToJSON): Resolve thisValue using strict semantics and simplify std::isfinite check. |
| |
| 2019-09-13 Mark Lam <mark.lam@apple.com> |
| |
| performJITMemcpy() should do its !Gigacage assertion on exit. |
| https://bugs.webkit.org/show_bug.cgi?id=201780 |
| <rdar://problem/55354867> |
| |
| Reviewed by Robin Morisset. |
| |
| Re-doing previous fix. |
| |
| * jit/ExecutableAllocator.h: |
| (JSC::performJITMemcpy): |
| (JSC::GigacageAssertScope::GigacageAssertScope): Deleted. |
| (JSC::GigacageAssertScope::~GigacageAssertScope): Deleted. |
| |
| 2019-09-13 Mark Lam <mark.lam@apple.com> |
| |
| performJITMemcpy() should do its !Gigacage assertion on exit. |
| https://bugs.webkit.org/show_bug.cgi?id=201780 |
| <rdar://problem/55354867> |
| |
| Reviewed by Robin Morisset. |
| |
| * jit/ExecutableAllocator.h: |
| (JSC::GigacageAssertScope::GigacageAssertScope): |
| (JSC::GigacageAssertScope::~GigacageAssertScope): |
| (JSC::performJITMemcpy): |
| |
| 2019-09-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Micro-optimize YarrJIT's surrogate pair handling |
| https://bugs.webkit.org/show_bug.cgi?id=201750 |
| |
| Reviewed by Michael Saboff. |
| |
| Optimize sequence of machine code used to get code-point with unicode flag. |
| |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl): |
| |
| 2019-09-13 Mark Lam <mark.lam@apple.com> |
| |
| We should assert $vm is enabled on entry and exit in its functions. |
| https://bugs.webkit.org/show_bug.cgi?id=201762 |
| <rdar://problem/55338742> |
| |
| Rubber-stamped by Michael Saboff. |
| |
| 1. Also do the same for FunctionOverrides. |
| 2. Added the DollarVMAssertScope and FunctionOverridesAssertScope to achieve this. |
| 3. Also added assertions to lambda functions in $vm. |
| |
| * tools/FunctionOverrides.cpp: |
| (JSC::FunctionOverridesAssertScope::FunctionOverridesAssertScope): |
| (JSC::FunctionOverridesAssertScope::~FunctionOverridesAssertScope): |
| (JSC::FunctionOverrides::overrides): |
| (JSC::FunctionOverrides::FunctionOverrides): |
| (JSC::FunctionOverrides::reinstallOverrides): |
| (JSC::initializeOverrideInfo): |
| (JSC::FunctionOverrides::initializeOverrideFor): |
| (JSC::parseClause): |
| (JSC::FunctionOverrides::parseOverridesInFile): |
| * tools/JSDollarVM.cpp: |
| (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame): |
| (JSC::JSDollarVMCallFrame::createStructure): |
| (JSC::JSDollarVMCallFrame::create): |
| (JSC::JSDollarVMCallFrame::finishCreation): |
| (JSC::JSDollarVMCallFrame::addProperty): |
| (JSC::Element::Element): |
| (JSC::Element::create): |
| (JSC::Element::visitChildren): |
| (JSC::Element::createStructure): |
| (JSC::Root::Root): |
| (JSC::Root::setElement): |
| (JSC::Root::create): |
| (JSC::Root::createStructure): |
| (JSC::Root::visitChildren): |
| (JSC::SimpleObject::SimpleObject): |
| (JSC::SimpleObject::create): |
| (JSC::SimpleObject::visitChildren): |
| (JSC::SimpleObject::createStructure): |
| (JSC::ImpureGetter::ImpureGetter): |
| (JSC::ImpureGetter::createStructure): |
| (JSC::ImpureGetter::create): |
| (JSC::ImpureGetter::finishCreation): |
| (JSC::ImpureGetter::getOwnPropertySlot): |
| (JSC::ImpureGetter::visitChildren): |
| (JSC::CustomGetter::CustomGetter): |
| (JSC::CustomGetter::createStructure): |
| (JSC::CustomGetter::create): |
| (JSC::CustomGetter::getOwnPropertySlot): |
| (JSC::CustomGetter::customGetter): |
| (JSC::CustomGetter::customGetterAcessor): |
| (JSC::RuntimeArray::create): |
| (JSC::RuntimeArray::destroy): |
| (JSC::RuntimeArray::getOwnPropertySlot): |
| (JSC::RuntimeArray::getOwnPropertySlotByIndex): |
| (JSC::RuntimeArray::createPrototype): |
| (JSC::RuntimeArray::createStructure): |
| (JSC::RuntimeArray::finishCreation): |
| (JSC::RuntimeArray::RuntimeArray): |
| (JSC::RuntimeArray::lengthGetter): |
| (JSC::DOMJITNode::DOMJITNode): |
| (JSC::DOMJITNode::createStructure): |
| (JSC::DOMJITNode::checkSubClassSnippet): |
| (JSC::DOMJITNode::create): |
| (JSC::DOMJITGetter::DOMJITGetter): |
| (JSC::DOMJITGetter::createStructure): |
| (JSC::DOMJITGetter::create): |
| (JSC::DOMJITGetter::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetter::customGetter): |
| (JSC::DOMJITGetter::finishCreation): |
| (JSC::DOMJITGetterComplex::DOMJITGetterComplex): |
| (JSC::DOMJITGetterComplex::createStructure): |
| (JSC::DOMJITGetterComplex::create): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetterComplex::functionEnableException): |
| (JSC::DOMJITGetterComplex::customGetter): |
| (JSC::DOMJITGetterComplex::finishCreation): |
| (JSC::DOMJITFunctionObject::DOMJITFunctionObject): |
| (JSC::DOMJITFunctionObject::createStructure): |
| (JSC::DOMJITFunctionObject::create): |
| (JSC::DOMJITFunctionObject::functionWithTypeCheck): |
| (JSC::DOMJITFunctionObject::functionWithoutTypeCheck): |
| (JSC::DOMJITFunctionObject::checkSubClassSnippet): |
| (JSC::DOMJITFunctionObject::finishCreation): |
| (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): |
| (JSC::DOMJITCheckSubClassObject::createStructure): |
| (JSC::DOMJITCheckSubClassObject::create): |
| (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::finishCreation): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): |
| (JSC::DOMJITGetterBaseJSObject::createStructure): |
| (JSC::DOMJITGetterBaseJSObject::create): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetterBaseJSObject::customGetter): |
| (JSC::DOMJITGetterBaseJSObject::finishCreation): |
| (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter): |
| (JSC::JSTestCustomGetterSetter::create): |
| (JSC::JSTestCustomGetterSetter::createStructure): |
| (JSC::customSetAccessor): |
| (JSC::customSetValue): |
| (JSC::JSTestCustomGetterSetter::finishCreation): |
| (JSC::Element::handleOwner): |
| (JSC::Element::finishCreation): |
| (JSC::WasmStreamingParser::WasmStreamingParser): |
| (JSC::WasmStreamingParser::create): |
| (JSC::WasmStreamingParser::createStructure): |
| (JSC::WasmStreamingParser::finishCreation): |
| (JSC::functionWasmStreamingParserAddBytes): |
| (JSC::functionWasmStreamingParserFinalize): |
| (JSC::functionCrash): |
| (JSC::functionBreakpoint): |
| (JSC::functionDFGTrue): |
| (JSC::functionFTLTrue): |
| (JSC::functionCpuMfence): |
| (JSC::functionCpuRdtsc): |
| (JSC::functionCpuCpuid): |
| (JSC::functionCpuPause): |
| (JSC::functionCpuClflush): |
| (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor): |
| (JSC::getExecutableForFunction): |
| (JSC::functionLLintTrue): |
| (JSC::functionJITTrue): |
| (JSC::functionNoInline): |
| (JSC::functionGC): |
| (JSC::functionEdenGC): |
| (JSC::functionDumpSubspaceHashes): |
| (JSC::functionCallFrame): |
| (JSC::functionCodeBlockForFrame): |
| (JSC::codeBlockFromArg): |
| (JSC::functionCodeBlockFor): |
| (JSC::functionDumpSourceFor): |
| (JSC::functionDumpBytecodeFor): |
| (JSC::doPrint): |
| (JSC::functionDataLog): |
| (JSC::functionPrint): |
| (JSC::functionDumpCallFrame): |
| (JSC::functionDumpStack): |
| (JSC::functionDumpRegisters): |
| (JSC::functionDumpCell): |
| (JSC::functionIndexingMode): |
| (JSC::functionInlineCapacity): |
| (JSC::functionValue): |
| (JSC::functionGetPID): |
| (JSC::functionHaveABadTime): |
| (JSC::functionIsHavingABadTime): |
| (JSC::functionCreateGlobalObject): |
| (JSC::functionCreateProxy): |
| (JSC::functionCreateRuntimeArray): |
| (JSC::functionCreateNullRopeString): |
| (JSC::functionCreateImpureGetter): |
| (JSC::functionCreateCustomGetterObject): |
| (JSC::functionCreateDOMJITNodeObject): |
| (JSC::functionCreateDOMJITGetterObject): |
| (JSC::functionCreateDOMJITGetterComplexObject): |
| (JSC::functionCreateDOMJITFunctionObject): |
| (JSC::functionCreateDOMJITCheckSubClassObject): |
| (JSC::functionCreateDOMJITGetterBaseJSObject): |
| (JSC::functionCreateWasmStreamingParser): |
| (JSC::functionSetImpureGetterDelegate): |
| (JSC::functionCreateBuiltin): |
| (JSC::functionGetPrivateProperty): |
| (JSC::functionCreateRoot): |
| (JSC::functionCreateElement): |
| (JSC::functionGetElement): |
| (JSC::functionCreateSimpleObject): |
| (JSC::functionGetHiddenValue): |
| (JSC::functionSetHiddenValue): |
| (JSC::functionShadowChickenFunctionsOnStack): |
| (JSC::functionSetGlobalConstRedeclarationShouldNotThrow): |
| (JSC::functionFindTypeForExpression): |
| (JSC::functionReturnTypeFor): |
| (JSC::functionFlattenDictionaryObject): |
| (JSC::functionDumpBasicBlockExecutionRanges): |
| (JSC::functionHasBasicBlockExecuted): |
| (JSC::functionBasicBlockExecutionCount): |
| (JSC::functionEnableExceptionFuzz): |
| (JSC::changeDebuggerModeWhenIdle): |
| (JSC::functionEnableDebuggerModeWhenIdle): |
| (JSC::functionDisableDebuggerModeWhenIdle): |
| (JSC::functionDeleteAllCodeWhenIdle): |
| (JSC::functionGlobalObjectCount): |
| (JSC::functionGlobalObjectForObject): |
| (JSC::functionGetGetterSetter): |
| (JSC::functionLoadGetterFromGetterSetter): |
| (JSC::functionCreateCustomTestGetterSetter): |
| (JSC::functionDeltaBetweenButterflies): |
| (JSC::functionTotalGCTime): |
| (JSC::functionParseCount): |
| (JSC::functionIsWasmSupported): |
| (JSC::JSDollarVM::finishCreation): |
| (JSC::JSDollarVM::addFunction): |
| (JSC::JSDollarVM::addConstructibleFunction): |
| * tools/JSDollarVM.h: |
| (JSC::DollarVMAssertScope::DollarVMAssertScope): |
| (JSC::DollarVMAssertScope::~DollarVMAssertScope): |
| |
| 2019-09-13 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Web Inspector: Formatter: Pretty Print HTML resources (including inline <script>/<style>) |
| https://bugs.webkit.org/show_bug.cgi?id=201535 |
| <rdar://problem/29119232> |
| |
| Reviewed by Devin Rousso. |
| |
| * debugger/Debugger.cpp: |
| (JSC::Debugger::resolveBreakpoint): |
| When resolving a breakpoint inside of an inline <script> we need to adjust |
| based on the starting position of the <script> in the HTML resource. |
| |
| 2019-09-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] X86Registers.h callee-save register definition is wrong |
| https://bugs.webkit.org/show_bug.cgi?id=201756 |
| |
| Reviewed by Mark Lam. |
| |
| I think nobody is using the X86 JIT backend, but it is simply wrong. |
| edi and esi should be callee-save. |
| |
| * assembler/X86Registers.h: |
| |
| 2019-09-12 Mark Lam <mark.lam@apple.com> |
| |
| Harden JSC against the abuse of runtime options. |
| https://bugs.webkit.org/show_bug.cgi?id=201597 |
| <rdar://problem/55167068> |
| |
| Reviewed by Filip Pizlo. |
| |
| Linux parts contributed by Carlos Garcia Campos <cgarcia@igalia.com>. |
| |
| 1. Introduce a JSC::Config struct that will be protected as ReadOnly once the |
| first VM instance is constructed. The end of the VM constructor calls |
| Config::permanentlyFreeze() which will make the Config ReadOnly. |
| |
| Note: this is currently only supported for OS(DARWIN) and OS(LINUX). |
| OS(WINDOWS) will need to implement some missing pieces before it can enable |
| this hardening (see FIXME in JSCConfig.cpp). |
| |
| The hardening strategy here is to put immutable global values into the Config. |
| Any modifications that need to be made to these values must be done before the |
| first VM instance is done instantiating. This ensures that no script will |
| ever run while the Config is still writable. |
| |
| Also, the policy for this hardening is that a process is opted in by default. |
| If there's a valid need to disable this hardening (e.g. for some test |
| environments), the relevant process will need to opt itself out by calling |
| Config::configureForTesting(). |
| |
| The jsc shell, WK2 UI and WebContent processes are opted in by default. |
| Only test processes may opt out. |
| |
| 2. Put all JSC::Options in the Config. This enforces the invariant that options |
| can only be changed before we instantiate a VM. Once a VM is instantiated, |
| the options are immutable. |
| |
| 3. Remove functionForceGCSlowPaths() from the jsc shell. Setting |
| Options::forceGCSlowPaths this way is no longer allowed. |
| |
| 4. Re-factored the Options code (Options.h) into: |
| - OptionEntry.h: the data structure that stores the option values. |
| - OptionsList.h: the list of options. |
| - Options.h: the Options singleton object which is the interface for accessing options. |
| |
| Renamed the JSC_OPTIONS macro to FOR_EACH_JSC_OPTION, because |
| "FOR_EACH_JSC_OPTION(SET_OPTION_VALUE)" reads a lot better than |
| "JSC_OPTIONS(FOR_EACH_OPTION)". |
| |
| 5. Change testapi to call Config::configureForTesting(). Parts of testapi make |
| use of setting options in its tests. Hence, this hardening is disabled for |
| testapi. |
| |
| Note: the jsc shell does enable this hardening. |
| |
| 6. Put ExecutableAllocator's immutable globals in the Config. |
| |
| 7. RELEASE_ASSERT that restrictedOptionsEnabled in order to use the |
| FunctionOverrides test utility. |
| |
| 8. RELEASE_ASSERT that Options::useDollarVM() is enabled in order to use the $vm. |
| |
| We must RELEASE_ASSERT(Options::useDollarVM()) in all JSDollarVM functions |
| that are non-trivial at an eye's glance. This includes (but is not limited to): |
| constructors |
| create() factory |
| createStructure() factory |
| finishCreation() |
| HOST_CALL or operation functions |
| Constructors and methods of utility and test classes |
| |
| The only exceptions are some constexpr constructors used for instantiating |
| globals (since these must have trivial constructors), e.g. DOMJITAttribute. |
| Instead, these constructors should always be ALWAYS_INLINE. |
| |
| * API/glib/JSCOptions.cpp: |
| (jscOptionsSetValue): |
| (jscOptionsGetValue): |
| (jsc_options_foreach): |
| (jsc_options_get_option_group): |
| * API/tests/testapi.c: |
| (main): |
| * API/tests/testapi.cpp: |
| (configureJSCForTesting): |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * jit/ExecutableAllocator.cpp: |
| (JSC::isJITEnabled): |
| (JSC::ExecutableAllocator::setJITEnabled): |
| (JSC::ExecutableAllocator::initializeUnderlyingAllocator): |
| (JSC::ExecutableAllocator::isValid const): |
| (JSC::ExecutableAllocator::underMemoryPressure): |
| (JSC::ExecutableAllocator::memoryPressureMultiplier): |
| (JSC::ExecutableAllocator::allocate): |
| (JSC::ExecutableAllocator::isValidExecutableMemory): |
| (JSC::ExecutableAllocator::getLock const): |
| (JSC::ExecutableAllocator::committedByteCount): |
| (JSC::ExecutableAllocator::dumpProfile): |
| (JSC::startOfFixedExecutableMemoryPoolImpl): |
| (JSC::endOfFixedExecutableMemoryPoolImpl): |
| (JSC::isJITPC): |
| (JSC::dumpJITMemory): |
| (JSC::ExecutableAllocator::initialize): |
| (JSC::ExecutableAllocator::singleton): |
| * jit/ExecutableAllocator.h: |
| (JSC::performJITMemcpy): |
| * jsc.cpp: |
| (GlobalObject::finishCreation): |
| (functionJSCOptions): |
| (jscmain): |
| (functionForceGCSlowPaths): Deleted. |
| * runtime/ConfigFile.cpp: |
| (JSC::ConfigFile::parse): |
| * runtime/InitializeThreading.cpp: |
| (JSC::initializeThreading): |
| * runtime/JSCConfig.cpp: Added. |
| (JSC::Config::disableFreezingForTesting): |
| (JSC::Config::enableRestrictedOptions): |
| (JSC::Config::permanentlyFreeze): |
| * runtime/JSCConfig.h: Added. |
| (JSC::Config::configureForTesting): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::exposeDollarVM): |
| * runtime/OptionEntry.h: Added. |
| (JSC::OptionRange::operator= ): |
| (JSC::OptionRange::rangeString const): |
| * runtime/Options.cpp: |
| (JSC::Options::isAvailable): |
| (JSC::scaleJITPolicy): |
| (JSC::Options::initialize): |
| (JSC::Options::setOptions): |
| (JSC::Options::setOptionWithoutAlias): |
| (JSC::Options::setAliasedOption): |
| (JSC::Option::dump const): |
| (JSC::Option::operator== const): |
| (): Deleted. |
| (JSC::Options::enableRestrictedOptions): Deleted. |
| * runtime/Options.h: |
| (JSC::Option::Option): |
| (JSC::Option::defaultOption const): |
| (JSC::Option::boolVal): |
| (JSC::Option::unsignedVal): |
| (JSC::Option::doubleVal): |
| (JSC::Option::int32Val): |
| (JSC::Option::optionRangeVal): |
| (JSC::Option::optionStringVal): |
| (JSC::Option::gcLogLevelVal): |
| (JSC::OptionRange::operator= ): Deleted. |
| (JSC::OptionRange::rangeString const): Deleted. |
| * runtime/OptionsList.h: Added. |
| (JSC::countNumberOfJSCOptions): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * tools/FunctionOverrides.cpp: |
| (JSC::FunctionOverrides::FunctionOverrides): |
| (JSC::FunctionOverrides::reinstallOverrides): |
| (JSC::FunctionOverrides::initializeOverrideFor): |
| (JSC::FunctionOverrides::parseOverridesInFile): |
| * tools/JSDollarVM.cpp: |
| (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame): |
| (JSC::JSDollarVMCallFrame::createStructure): |
| (JSC::JSDollarVMCallFrame::create): |
| (JSC::JSDollarVMCallFrame::finishCreation): |
| (JSC::JSDollarVMCallFrame::addProperty): |
| (JSC::Element::Element): |
| (JSC::Element::create): |
| (JSC::Element::createStructure): |
| (JSC::Root::Root): |
| (JSC::Root::create): |
| (JSC::Root::createStructure): |
| (JSC::SimpleObject::SimpleObject): |
| (JSC::SimpleObject::create): |
| (JSC::SimpleObject::createStructure): |
| (JSC::ImpureGetter::ImpureGetter): |
| (JSC::ImpureGetter::createStructure): |
| (JSC::ImpureGetter::create): |
| (JSC::ImpureGetter::finishCreation): |
| (JSC::ImpureGetter::getOwnPropertySlot): |
| (JSC::CustomGetter::CustomGetter): |
| (JSC::CustomGetter::createStructure): |
| (JSC::CustomGetter::create): |
| (JSC::CustomGetter::getOwnPropertySlot): |
| (JSC::CustomGetter::customGetter): |
| (JSC::CustomGetter::customGetterAcessor): |
| (JSC::RuntimeArray::create): |
| (JSC::RuntimeArray::destroy): |
| (JSC::RuntimeArray::getOwnPropertySlot): |
| (JSC::RuntimeArray::getOwnPropertySlotByIndex): |
| (JSC::RuntimeArray::createPrototype): |
| (JSC::RuntimeArray::createStructure): |
| (JSC::RuntimeArray::finishCreation): |
| (JSC::RuntimeArray::RuntimeArray): |
| (JSC::RuntimeArray::lengthGetter): |
| (JSC::DOMJITNode::DOMJITNode): |
| (JSC::DOMJITNode::createStructure): |
| (JSC::DOMJITNode::checkSubClassSnippet): |
| (JSC::DOMJITNode::create): |
| (JSC::DOMJITGetter::DOMJITGetter): |
| (JSC::DOMJITGetter::createStructure): |
| (JSC::DOMJITGetter::create): |
| (JSC::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): |
| (JSC::DOMJITGetter::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetter::customGetter): |
| (JSC::DOMJITGetter::finishCreation): |
| (JSC::DOMJITGetterComplex::DOMJITGetterComplex): |
| (JSC::DOMJITGetterComplex::createStructure): |
| (JSC::DOMJITGetterComplex::create): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetterComplex::functionEnableException): |
| (JSC::DOMJITGetterComplex::customGetter): |
| (JSC::DOMJITGetterComplex::finishCreation): |
| (JSC::DOMJITFunctionObject::DOMJITFunctionObject): |
| (JSC::DOMJITFunctionObject::createStructure): |
| (JSC::DOMJITFunctionObject::create): |
| (JSC::DOMJITFunctionObject::functionWithTypeCheck): |
| (JSC::DOMJITFunctionObject::functionWithoutTypeCheck): |
| (JSC::DOMJITFunctionObject::checkSubClassSnippet): |
| (JSC::DOMJITFunctionObject::finishCreation): |
| (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): |
| (JSC::DOMJITCheckSubClassObject::createStructure): |
| (JSC::DOMJITCheckSubClassObject::create): |
| (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::finishCreation): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): |
| (JSC::DOMJITGetterBaseJSObject::createStructure): |
| (JSC::DOMJITGetterBaseJSObject::create): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): |
| (JSC::DOMJITGetterBaseJSObject::customGetter): |
| (JSC::DOMJITGetterBaseJSObject::finishCreation): |
| (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter): |
| (JSC::JSTestCustomGetterSetter::create): |
| (JSC::JSTestCustomGetterSetter::createStructure): |
| (JSC::customSetAccessor): |
| (JSC::customSetValue): |
| (JSC::JSTestCustomGetterSetter::finishCreation): |
| (JSC::Element::handleOwner): |
| (JSC::Element::finishCreation): |
| (JSC::WasmStreamingParser::WasmStreamingParser): |
| (JSC::WasmStreamingParser::create): |
| (JSC::WasmStreamingParser::createStructure): |
| (JSC::WasmStreamingParser::finishCreation): |
| (JSC::functionWasmStreamingParserAddBytes): |
| (JSC::functionWasmStreamingParserFinalize): |
| (JSC::functionCrash): |
| (JSC::functionBreakpoint): |
| (JSC::functionDFGTrue): |
| (JSC::functionFTLTrue): |
| (JSC::functionCpuMfence): |
| (JSC::functionCpuRdtsc): |
| (JSC::functionCpuCpuid): |
| (JSC::functionCpuPause): |
| (JSC::functionCpuClflush): |
| (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor): |
| (JSC::getExecutableForFunction): |
| (JSC::functionLLintTrue): |
| (JSC::functionJITTrue): |
| (JSC::functionNoInline): |
| (JSC::functionGC): |
| (JSC::functionEdenGC): |
| (JSC::functionDumpSubspaceHashes): |
| (JSC::functionCallFrame): |
| (JSC::functionCodeBlockForFrame): |
| (JSC::codeBlockFromArg): |
| (JSC::functionCodeBlockFor): |
| (JSC::functionDumpSourceFor): |
| (JSC::functionDumpBytecodeFor): |
| (JSC::doPrint): |
| (JSC::functionDataLog): |
| (JSC::functionPrint): |
| (JSC::functionDumpCallFrame): |
| (JSC::functionDumpStack): |
| (JSC::functionDumpRegisters): |
| (JSC::functionDumpCell): |
| (JSC::functionIndexingMode): |
| (JSC::functionInlineCapacity): |
| (JSC::functionValue): |
| (JSC::functionGetPID): |
| (JSC::functionHaveABadTime): |
| (JSC::functionIsHavingABadTime): |
| (JSC::functionCreateGlobalObject): |
| (JSC::functionCreateProxy): |
| (JSC::functionCreateRuntimeArray): |
| (JSC::functionCreateNullRopeString): |
| (JSC::functionCreateImpureGetter): |
| (JSC::functionCreateCustomGetterObject): |
| (JSC::functionCreateDOMJITNodeObject): |
| (JSC::functionCreateDOMJITGetterObject): |
| (JSC::functionCreateDOMJITGetterComplexObject): |
| (JSC::functionCreateDOMJITFunctionObject): |
| (JSC::functionCreateDOMJITCheckSubClassObject): |
| (JSC::functionCreateDOMJITGetterBaseJSObject): |
| (JSC::functionCreateWasmStreamingParser): |
| (JSC::functionSetImpureGetterDelegate): |
| (JSC::functionCreateBuiltin): |
| (JSC::functionGetPrivateProperty): |
| (JSC::functionCreateRoot): |
| (JSC::functionCreateElement): |
| (JSC::functionGetElement): |
| (JSC::functionCreateSimpleObject): |
| (JSC::functionGetHiddenValue): |
| (JSC::functionSetHiddenValue): |
| (JSC::functionShadowChickenFunctionsOnStack): |
| (JSC::functionSetGlobalConstRedeclarationShouldNotThrow): |
| (JSC::functionFindTypeForExpression): |
| (JSC::functionReturnTypeFor): |
| (JSC::functionFlattenDictionaryObject): |
| (JSC::functionDumpBasicBlockExecutionRanges): |
| (JSC::functionHasBasicBlockExecuted): |
| (JSC::functionBasicBlockExecutionCount): |
| (JSC::functionEnableExceptionFuzz): |
| (JSC::changeDebuggerModeWhenIdle): |
| (JSC::functionEnableDebuggerModeWhenIdle): |
| (JSC::functionDisableDebuggerModeWhenIdle): |
| (JSC::functionDeleteAllCodeWhenIdle): |
| (JSC::functionGlobalObjectCount): |
| (JSC::functionGlobalObjectForObject): |
| (JSC::functionGetGetterSetter): |
| (JSC::functionLoadGetterFromGetterSetter): |
| (JSC::functionCreateCustomTestGetterSetter): |
| (JSC::functionDeltaBetweenButterflies): |
| (JSC::functionTotalGCTime): |
| (JSC::functionParseCount): |
| (JSC::functionIsWasmSupported): |
| (JSC::JSDollarVM::finishCreation): |
| (JSC::JSDollarVM::addFunction): |
| (JSC::JSDollarVM::addConstructibleFunction): |
| * tools/JSDollarVM.h: |
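The freeze-after-first-VM discipline described in the entry above, as an added example that is not JSC's or WebKit's own code: a page-aligned config struct whose options can be set only until permanentlyFreeze() turns its pages read-only with mprotect, plus a probe showing that the MMU, not just a flag, rejects later writes (the "jsc -d stopped working" entry above is exactly such a set-after-freeze). All names (demo::Config, setBoolOption, permanentlyFreeze, configureForTesting, storeToConfigFaults) are hypothetical stand-ins, and the block assumes a POSIX system with mprotect and sigaction.

```cpp
// Added example (not JSC code): a minimal stand-in for the JSC::Config idea.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>

namespace demo {

// 16K alignment: the largest page size the log mentions (watchOS), so the
// struct always starts on a page boundary and occupies only whole pages.
constexpr std::size_t kConfigAlignment = 16 * 1024;

struct alignas(kConfigAlignment) Config {
    bool isFrozen;                 // set just before the pages go read-only
    bool freezingDisabled;         // analogue of Config::configureForTesting()
    bool useDollarVM;              // analogue of Options::useDollarVM()
    bool restrictedOptionsEnabled; // analogue of restrictedOptionsEnabled
    std::uint32_t jitPoolSizeKB;   // stand-in for an ExecutableAllocator global
};
// alignas rounds sizeof up to the alignment, so no other global shares a page.
static_assert(sizeof(Config) == kConfigAlignment, "Config must span whole pages");

Config g_config{};

// Opt the process out of freezing; only honoured before the first freeze,
// mirroring the log's rule that test processes must opt out up front.
void configureForTesting() {
    if (!g_config.isFrozen)
        g_config.freezingDisabled = true;
}

// Options may change only while no VM exists. Returns false when refused.
bool setBoolOption(bool Config::*field, bool value) {
    if (g_config.isFrozen)
        return false;          // too late: a VM has already been constructed
    g_config.*field = value;
    return true;
}

// The log's design calls this at the end of VM construction. After it, the
// memory itself rejects stores, so a compromised renderer cannot flip options.
bool permanentlyFreeze() {
    if (g_config.freezingDisabled || g_config.isFrozen)
        return true;           // testing mode stays writable; freeze is idempotent
    g_config.isFrozen = true;  // last write before the pages become read-only
    return mprotect(&g_config, sizeof(g_config), PROT_READ) == 0;
}

// Probe whether a store to the config actually faults, recovering via
// sigsetjmp. SIGBUS is handled too because macOS reports some write faults
// that way. Returns true when the MMU rejected the store.
static sigjmp_buf g_faultJump;
static void onFault(int) { siglongjmp(g_faultJump, 1); }

bool storeToConfigFaults() {
    struct sigaction handler {}, oldSegv {}, oldBus {};
    handler.sa_handler = onFault;
    sigemptyset(&handler.sa_mask);
    sigaction(SIGSEGV, &handler, &oldSegv);
    sigaction(SIGBUS, &handler, &oldBus);
    bool faulted = false;
    if (sigsetjmp(g_faultJump, 1) == 0) {
        volatile bool* target = &g_config.useDollarVM;
        *target = !*target;    // faults once frozen
    } else {
        faulted = true;
    }
    sigaction(SIGSEGV, &oldSegv, nullptr);
    sigaction(SIGBUS, &oldBus, nullptr);
    return faulted;
}

} // namespace demo

int main() {
    demo::setBoolOption(&demo::Config::useDollarVM, true); // allowed: no VM yet
    demo::permanentlyFreeze();                             // end of first VM construction
    bool setLater = demo::setBoolOption(&demo::Config::useDollarVM, false);
    std::printf("useDollarVM=%d setAfterFreeze=%d storeFaults=%d\n",
        demo::g_config.useDollarVM, setLater, demo::storeToConfigFaults());
    return 0;
}
```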
| |
| 2019-09-11 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext |
| https://bugs.webkit.org/show_bug.cgi?id=201650 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`. |
| |
| A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even |
| required (e.g. compute pipeline). We should treat the `GPUCanvasContext` almost like a |
| `-webkit-canvas` client of a `WebGPUDevice`. |
| |
| * inspector/protocol/Canvas.json: |
| - Add `powerPreference` key to `ContextAttributes` type. |
| - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason. |
| - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason. |
| - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't |
| really a "canvas". |
| |
| 2019-09-11 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Add StringCodePointAt intrinsic |
| https://bugs.webkit.org/show_bug.cgi?id=201673 |
| |
| Reviewed by Michael Saboff. |
| |
| JetStream2/UniPoker executes String#codePointAt frequently. We should handle it in ThunkGenerator, DFG, and FTL as we are already doing for String#charCodeAt. |
| This patch adds this support for String#codePointAt to get a ~10% score improvement in JetStream2/UniPoker. |
| |
| In ThunkGenerator, we add a thunk for String#codePointAt, which accelerates LLInt and Baseline. In DFG, we handle this as StringCodePointAt node, and emit |
| inlined code in DFG and FTL. The characteristics of the StringCodePointAt node are basically the same as those of StringCharAt. It has String array-mode, so it emits a |
| preceding CheckArray. This ensures that (1) the StringCodePointAt node itself does not do GC since the string is always resolved, and (2) we can skip the rope |
| check. This is just the same as the existing StringCharCodeAt mechanism. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGBackwardsPropagationPhase.cpp: |
| (JSC::DFG::BackwardsPropagationPhase::propagate): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicCall): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::hasArrayMode): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| (JSC::DFG::SpeculativeJIT::compileStringCodePointAt): |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt): |
| * jit/JITInlines.h: |
| (JSC::JIT::emitLoadCharacterString): |
| * jit/ThunkGenerators.cpp: |
| (JSC::stringGetByValGenerator): |
| (JSC::stringCharLoad): |
| (JSC::stringPrototypeCodePointAtThunkGenerator): |
| * jit/ThunkGenerators.h: |
| * runtime/Intrinsic.cpp: |
| (JSC::intrinsicName): |
| * runtime/Intrinsic.h: |
| * runtime/StringPrototype.cpp: |
| (JSC::StringPrototype::finishCreation): |
| * runtime/VM.cpp: |
| (JSC::thunkGeneratorForIntrinsic): |
| |
| 2019-09-11 Michael Saboff <msaboff@apple.com> |
| |
| JSC crashes due to stack overflow while building RegExp |
| https://bugs.webkit.org/show_bug.cgi?id=201649 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Check for running out of stack when we are optimizing RegExp containing BOL terms or |
| other deep copying of disjunctions. |
| |
| * yarr/YarrPattern.cpp: |
| (JSC::Yarr::YarrPatternConstructor::copyDisjunction): |
| (JSC::Yarr::YarrPatternConstructor::copyTerm): |
| (JSC::Yarr::YarrPatternConstructor::error): |
| (JSC::Yarr::YarrPattern::compile): |
| |
| 2019-09-11 Truitt Savell <tsavell@apple.com> |
| |
| Unreviewed, rolling out r249753. |
| |
| caused inspector/canvas/shaderProgram-add-remove-webgl.html to |
| crash on all Mac platforms. |
| |
| Reverted changeset: |
| |
| "Web Inspector: Canvas: instrument WebGPUDevice instead of |
| GPUCanvasContext" |
| https://bugs.webkit.org/show_bug.cgi?id=201650 |
| https://trac.webkit.org/changeset/249753 |
| |
| 2019-09-10 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext |
| https://bugs.webkit.org/show_bug.cgi?id=201650 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`. |
| |
| A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even |
| required (e.g. compute pipeline). We should treat the `GPUCanvasContext` almost like a |
| `-webkit-canvas` client of a `WebGPUDevice`. |
| |
| * inspector/protocol/Canvas.json: |
| - Add `powerPreference` key to `ContextAttributes` type. |
| - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason. |
| - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason. |
| - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't |
| really a "canvas". |
| |
| 2019-09-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] 32bit bitwise operation with all-one (-1) is wrong in B3 |
| https://bugs.webkit.org/show_bug.cgi?id=201634 |
| |
| Reviewed by Mark Lam and Robin Morisset. |
| |
| This patch includes two things. One is fixing 32bit bitwise operation with allOne constants. Another is fixing the existing bug in BitAnd strength reduction. |
| |
| 1. 32bit bitwise operation with allOne constants |
| |
| Accidentally, when the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`! |
| For example, in BitAnd strength reduction, |
| |
| // Turn this: BitAnd(value, all-ones) |
| // Into this: value. |
| if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max())) |
| || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) { |
| replaceWithIdentity(m_value->child(0)); |
| break; |
| } |
| |
| We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is, |
| |
| inline bool Value::isInt(int64_t value) const |
| { |
| return hasInt() && asInt() == value; |
| } |
| |
| So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX is representable in int64_t. And the Value::asInt implementation is, |
| |
| inline int64_t Value::asInt() const |
| { |
| return hasInt32() ? asInt32() : asInt64(); |
| } |
| |
| So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want! |
| We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes). |
| |
| 2. BitAnd and BitOr strength reduction bug |
| |
| We also fix the following optimization. |
| |
| // Turn this: BitAnd(Op(value, constant1), constant2) |
| // where !(constant1 & constant2) |
| // and Op is BitOr or BitXor |
| // into this: BitAnd(value, constant2) |
| |
| Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken. |
| |
| // Turn this: BitAnd(BitXor(x, allOnes), c) |
| // Into this: BitXor(BitOr(x, ~c), allOnes) |
| |
| And we also found that this unused optimization has a bug: it does not insert the newly produced constant B3::Value. This patch also fixes it. |
| |
| For both, this patch adds tests. And the (2) fix can be verified by checking that testb3 does not crash with the validate-graph option. |
| |
| * b3/B3LowerToAir.cpp: |
| * b3/B3ReduceStrength.cpp: |
| * b3/testb3.h: |
| * b3/testb3_2.cpp: |
| (testBitAndNotNot32): |
| (testBitAndNotImm): |
| (testBitAndNotImm32): |
| (testBitOrAndAndArgs32): |
| (testBitOrAndSameArgs32): |
| (testBitOrNotNot32): |
| (testBitOrNotImm32): |
| (addBitTests): |
| * b3/testb3_3.cpp: |
| (testBitXorAndAndArgs32): |
| (testBitXorAndSameArgs32): |
| |
| 2019-09-10 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r249721. |
| https://bugs.webkit.org/show_bug.cgi?id=201667 |
| |
| Discovering existing bug (Requested by yusukesuzuki on |
| #webkit). |
| |
| Reverted changeset: |
| |
| "[JSC] 32bit bitwide operation with all-one (-1) is wrong in |
| B3" |
| https://bugs.webkit.org/show_bug.cgi?id=201634 |
| https://trac.webkit.org/changeset/249721 |
| |
| 2019-09-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData |
| https://bugs.webkit.org/show_bug.cgi?id=201664 |
| <rdar://problem/52126927> |
| |
| Reviewed by Tadeu Zagallo. |
| |
| We are hitting a crash accessing an invalid pointer returned as the CodeBlock::calleeSaveRegisters result. |
| This is because concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters. |
| Since m_jitData can be initialized in the main thread while calling CodeBlock::calleeSaveRegisters from concurrent Baseline JIT compiler thread, |
| we can see half-baked JITData structure which holds garbage pointers. |
| |
| But we do not want to make the CodeBlock::calleeSaveRegisters() call with CodeBlock::m_lock for several reasons. |
| |
| 1. This function is very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are |
| called while taking this exact same lock, so a deadlock can happen. |
| 2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlock. And DFG and FTL code accesses this field after initializing it properly. For the Baseline JIT |
| compiler case, the only thing we need is for JITData to say m_calleeSaveRegisters is nullptr, and it won't be filled for this CodeBlock. |
| |
| Instead of guarding CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts WTF::storeStoreFence when filling m_jitData. This ensures that |
| JITData::m_calleeSaveRegisters is initialized with nullptr when this JITData pointer is exposed to concurrent Baseline JIT compiler thread. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::ensureJITDataSlow): |
| |
| 2019-09-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result |
| https://bugs.webkit.org/show_bug.cgi?id=198253 |
| |
| Reviewed by Mark Lam. |
| |
| ResultType of a bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like an int32. |
| When it is specified, TypeMaybeNumber must exist too. This issue compiles op_div in JetStream2/async-fs as a slow path. And eventually the DFG first mis-compiles |
| it with Int32 ArithDiv while that div always produces a double. And an unnecessary OSR exit happens. |
| |
| In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly. |
| |
| * parser/ResultType.h: |
| (JSC::ResultType::bigIntOrInt32Type): |
| |
| 2019-09-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3 |
| https://bugs.webkit.org/show_bug.cgi?id=201634 |
| |
| Reviewed by Mark Lam. |
| |
| Accidentally, when the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`! |
| For example, in BitAnd strength reduction, |
| |
| // Turn this: BitAnd(value, all-ones) |
| // Into this: value. |
| if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max())) |
|     || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) { |
|     replaceWithIdentity(m_value->child(0)); |
|     break; |
| } |
| |
| We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is, |
| |
| inline bool Value::isInt(int64_t value) const |
| { |
|     return hasInt() && asInt() == value; |
| } |
| |
| So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX is representable in int64_t. And the Value::asInt implementation is, |
| |
| inline int64_t Value::asInt() const |
| { |
|     return hasInt32() ? asInt32() : asInt64(); |
| } |
| |
| So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want! |
| We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes). |
| |
| We also fix the following optimization. |
| |
| // Turn this: BitAnd(Op(value, constant1), constant2) |
| // where !(constant1 & constant2) |
| // and Op is BitOr or BitXor |
| // into this: BitAnd(value, constant2) |
| |
| Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken. |
| |
| // Turn this: BitAnd(BitXor(x, allOnes), c) |
| // Into this: BitXor(BitOr(x, ~c), allOnes) |
| |
| We add 32bit version of B3 tests for these optimizations. |
| |
| * b3/B3LowerToAir.cpp: |
| * b3/B3ReduceStrength.cpp: |
| * b3/testb3.h: |
| * b3/testb3_2.cpp: |
| (testBitAndNotNot32): |
| (testBitAndNotImm): |
| (testBitAndNotImm32): |
| (testBitOrAndAndArgs32): |
| (testBitOrAndSameArgs32): |
| (testBitOrNotNot32): |
| (testBitOrNotImm32): |
| (addBitTests): |
| * b3/testb3_3.cpp: |
| (testBitXorAndAndArgs32): |
| (testBitXorAndSameArgs32): |
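
The isInt() widening described in the two "[JSC] 32bit bitwide operation with all-one (-1) is wrong in B3" entries above, as an added C++ example that is not B3's own code. ConstValue is an assumed minimal stand-in for B3::Value's constant accessors, with the same asInt()/isInt() shape quoted in the entries; isAllOnesBeforeFix and isAllOnesAfterFix are hypothetical names for the two forms of the check, and the last part verifies that the 32-bit BitAnd(BitXor(x, allOnes), c) rewrite the patch re-enables is sound on sampled inputs.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Assumed stand-in for B3::Value's constant accessors (not B3's code):
// a ConstInt32 keeps its payload sign-extended in an int64_t.
struct ConstValue {
    enum Type { Int32, Int64 };
    Type type;
    int64_t bits;

    static ConstValue constInt32(int32_t v) { return { Int32, v }; }
    static ConstValue constInt64(int64_t v) { return { Int64, v }; }

    bool hasInt32() const { return type == Int32; }
    bool hasInt64() const { return type == Int64; }
    bool hasInt() const { return hasInt32() || hasInt64(); }
    int32_t asInt32() const { return static_cast<int32_t>(bits); }
    int64_t asInt64() const { return bits; }
    // Same shape as Value::asInt(): an Int32 payload is widened with sign extension.
    int64_t asInt() const { return hasInt32() ? asInt32() : asInt64(); }
    bool isInt(int64_t v) const { return hasInt() && asInt() == v; }
    bool isInt32(int32_t v) const { return hasInt32() && asInt32() == v; }
    bool isInt64(int64_t v) const { return hasInt64() && asInt64() == v; }
};

// The check in the form the entries quote: uint32_t max is converted to the
// int64_t parameter as 4294967295, never -1, so a ConstInt32(-1), whose asInt()
// is the sign-extended -1, is never recognised as all-ones.
bool isAllOnesBeforeFix(const ConstValue& v)
{
    return (v.type == ConstValue::Int64 && v.isInt(std::numeric_limits<uint64_t>::max()))
        || (v.type == ConstValue::Int32 && v.isInt(std::numeric_limits<uint32_t>::max()));
}

// After the fix: compare the bit pattern at the operand's own width.
bool isAllOnesAfterFix(const ConstValue& v)
{
    return (v.type == ConstValue::Int64 && v.isInt64(-1))
        || (v.type == ConstValue::Int32 && v.isInt32(-1));
}

// The 32-bit rewrite the patch re-enables:
//   BitAnd(BitXor(x, allOnes), c)  ->  BitXor(BitOr(x, ~c), allOnes)
// Both sides compute (~x) & c (De Morgan), so they must agree on every input.
uint32_t before32(uint32_t x, uint32_t c) { return (x ^ 0xFFFFFFFFu) & c; }
uint32_t after32(uint32_t x, uint32_t c) { return (x | ~c) ^ 0xFFFFFFFFu; }
bool rewriteIsSound32(uint32_t x, uint32_t c) { return before32(x, c) == after32(x, c); }

// Check the rewrite over a constructed sample of bit patterns, including the
// all-ones constant that the broken isInt() check used to miss.
bool rewriteHoldsOnSamples()
{
    const uint32_t samples[] = { 0u, 1u, 0x80000000u, 0x7FFFFFFFu, 0xFFFFFFFFu, 0xDEADBEEFu, 0x0F0F0F0Fu };
    for (uint32_t x : samples) {
        for (uint32_t c : samples) {
            if (!rewriteIsSound32(x, c))
                return false;
        }
    }
    return true;
}

int main()
{
    ConstValue mask = ConstValue::constInt32(-1);
    std::printf("ConstInt32(-1): before fix=%d after fix=%d, rewrite sound=%d\n",
        isAllOnesBeforeFix(mask), isAllOnesAfterFix(mask), rewriteHoldsOnSamples());
    return 0;
}
```

The Int64 arm of isAllOnesBeforeFix still works only because converting UINT64_MAX to int64_t wraps to -1 on two's-complement targets; the width-specific isInt32/isInt64 form does not depend on that conversion at all.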
| |
| 2019-09-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan |
| https://bugs.webkit.org/show_bug.cgi?id=189043 |
| |
| Reviewed by Keith Miller. |
| |
| This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan |
| and removes Wasm::ModuleParser. This patch paves the way to implementing Wasm streaming features by |
| using Wasm::StreamingParser. |
| |
| Currently, we are not using the streaming feature of StreamingParser. In a subsequent patch, we will |
| create a mechanism to pipe chunks of data to the streaming parser to enable WebAssembly.compileStreaming |
| and instantiateStreaming. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * tools/JSDollarVM.cpp: |
| (JSC::WasmStreamingParser::WasmStreamingParser): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::parseAndCompileAir): |
| * wasm/WasmAirIRGenerator.h: |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::parseAndCompile): Use FunctionData, it is good since it is more strongly typed. |
| * wasm/WasmB3IRGenerator.h: |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::BBQPlan): |
| (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation. |
| (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser. |
| (JSC::Wasm::BBQPlan::compileFunctions): |
| (JSC::Wasm::BBQPlan::complete): |
| * wasm/WasmBBQPlan.h: |
| * wasm/WasmModuleParser.cpp: Removed. |
| * wasm/WasmModuleParser.h: Removed. |
| * wasm/WasmOMGForOSREntryPlan.cpp: |
| (JSC::Wasm::OMGForOSREntryPlan::work): |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| * wasm/WasmPlan.cpp: |
| (JSC::Wasm::Plan::fail): Make fail function callable multiple times. The first error will be used. |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used. |
| * wasm/WasmStreamingParser.cpp: |
| (JSC::Wasm::StreamingParser::StreamingParser): |
| (JSC::Wasm::StreamingParser::parseCodeSectionSize): |
| (JSC::Wasm::StreamingParser::parseFunctionPayload): |
| (JSC::Wasm::StreamingParser::parseSectionPayload): |
| (JSC::Wasm::StreamingParser::finalize): Call client's callbacks at appropriate timings. |
| * wasm/WasmStreamingParser.h: |
| (JSC::Wasm::StreamingParserClient::didReceiveSectionData): |
| (JSC::Wasm::StreamingParserClient::didReceiveFunctionData): |
| (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient, |
| which has 3 callbacks right now. StreamingParser gets this client and call these callbacks |
| at appropriate timings. |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::validateFunction): |
| * wasm/WasmValidate.h: Use FunctionData, it is good since it is more strongly typed. |
| |
| 2019-09-09 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory |
| https://bugs.webkit.org/show_bug.cgi?id=201622 |
| |
| Reviewed by Mark Lam. |
| |
| CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, but some places reallocate |
| this Vector without taking the lock. If the Vector's memory is reallocated while the concurrent collector is iterating it, |
| the concurrent collector can see garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| (JSC::CodeBlock::setConstantRegisters): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::addConstant): |
| (JSC::CodeBlock::addConstantLazily): |
| * dfg/DFGDesiredWatchpoints.cpp: |
| (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add): |
| (JSC::DFG::SymbolTableAdaptor::add): |
| (JSC::DFG::FunctionExecutableAdaptor::add): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::registerFrozenValues): |
| * dfg/DFGJITFinalizer.cpp: |
| (JSC::DFG::JITFinalizer::finalizeCommon): |
| * dfg/DFGLazyJSValue.cpp: |
| (JSC::DFG::LazyJSValue::emit const): |
| |
| 2019-09-09 Robin Morisset <rmorisset@apple.com> |
| |
| [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array |
| https://bugs.webkit.org/show_bug.cgi?id=197305 |
| |
| Reviewed by Keith Miller. |
| |
| Currently it is a HashSet, but it only ever holds at most registerCount() items. And linear search tends to be faster on such a small collection than hashing + searching in a HashSet. |
| Further benefits include avoiding the allocation of the HashSet, not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists). |
| |
| This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly. |
| Apart from that, the patch got some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (that for example was only logging the number of iterations for FP registers, and not the more interesting number for GP registers). |
| |
| The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms. |
| So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall. |
| |
| No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2. |
| |
| * b3/air/AirAllocateRegistersByGraphColoring.cpp: |
| |
| 2019-09-09 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector |
| https://bugs.webkit.org/show_bug.cgi?id=201613 |
| |
| Reviewed by Mark Lam. |
| |
| We do not need to maintain the propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode |
| since we have the MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the |
| issue that `op_create_promise` missed propertyAccessInstructions registration (the name "propertyAccessInstructions" is |
| misleading; it is more like "instructions-requiring-llint-finalize"). |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::propagateTransitions): |
| (JSC::CodeBlock::finalizeLLIntInlineCaches): |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::applyModification): |
| (JSC::UnlinkedCodeBlock::shrinkToFit): |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted. |
| (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted. |
| (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted. |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::emitResolveScope): |
| (JSC::BytecodeGenerator::emitGetFromScope): |
| (JSC::BytecodeGenerator::emitPutToScope): |
| (JSC::BytecodeGenerator::emitGetById): |
| (JSC::BytecodeGenerator::emitDirectGetById): |
| (JSC::BytecodeGenerator::emitPutById): |
| (JSC::BytecodeGenerator::emitDirectPutById): |
| (JSC::BytecodeGenerator::emitCreateThis): |
| (JSC::BytecodeGenerator::emitToThis): |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedCodeBlock<CodeBlockType>::decode const): |
| (JSC::CachedCodeBlock<CodeBlockType>::encode): |
| |
| 2019-09-07 Keith Miller <keith_miller@apple.com> |
| |
| OSR entry into wasm misses some contexts |
| https://bugs.webkit.org/show_bug.cgi?id=201569 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch fixes an issue where we could fail to capture some of |
| our contexts when OSR entering into wasm code. Before we would |
| only capture the state of the block immediately surrounding the |
| entrance loop block header. We actually need to capture all |
| enclosed stacks. |
| |
| Additionally, we don't need to use variables for all the captured |
| values. We can use a Phi and insert an upsilon just below the |
| captured value. |
| |
| * interpreter/CallFrame.h: |
| * jsc.cpp: |
| (GlobalObject::finishCreation): |
| (functionCallerIsOMGCompiled): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck): |
| (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::AirIRGenerator::addLoop): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::createStack): |
| (JSC::Wasm::B3IRGenerator::B3IRGenerator): |
| (JSC::Wasm::B3IRGenerator::addConstant): |
| (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck): |
| (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::B3IRGenerator::addLoop): |
| (JSC::Wasm::B3IRGenerator::addEndToUnreachable): |
| (JSC::Wasm::dumpExpressionStack): |
| (JSC::Wasm::B3IRGenerator::dump): |
| (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::append): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::last): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted. |
| (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted. |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser::controlStack): |
| |
| 2019-09-09 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Promise resolve/reject functions should be created more efficiently |
| https://bugs.webkit.org/show_bug.cgi?id=201488 |
| |
| Reviewed by Mark Lam. |
| |
| While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it forces FunctionRareData allocations. |
| Unfortunately, anonymous builtin functions can be created frequently since this type of function is used |
| for the `resolve` and `reject` arguments of Promise's executor (e.g. `new Promise((resolve, reject) => ...)`'s resolve and reject). |
| Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower. |
| |
| In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information |
| to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes |
| anonymous-builtin-function creation faster. |
| |
| We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test. |
| The simple microbenchmark shows 1.7x improvement. |
| |
| ToT Patched |
| |
| promise-creation-many 45.6701+-0.1488 ^ 26.8663+-1.8336 ^ definitely 1.6999x faster |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| * runtime/FunctionRareData.cpp: |
| (JSC::FunctionRareData::create): |
| (JSC::FunctionRareData::FunctionRareData): |
| * runtime/FunctionRareData.h: |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::finishCreation): |
| (JSC::JSFunction::allocateRareData): |
| (JSC::JSFunction::allocateAndInitializeRareData): |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::hasReifiedName const): |
| |
| 2019-09-07 Mark Lam <mark.lam@apple.com> |
| |
| performJITMemcpy() source buffer should not be in the Gigacage. |
| https://bugs.webkit.org/show_bug.cgi?id=201577 |
| <rdar://problem/55142606> |
| |
| Reviewed by Michael Saboff. |
| |
| Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source |
| buffer is not in the Gigacage. |
| |
| * jit/ExecutableAllocator.h: |
| (JSC::performJITMemcpy): |
| |
| 2019-09-07 Mark Lam <mark.lam@apple.com> |
| |
| The jsc shell should allow disabling of the Gigacage for testing purposes. |
| https://bugs.webkit.org/show_bug.cgi?id=201579 |
| |
| Reviewed by Michael Saboff. |
| |
| Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code. If |
| this env var is present and it has a falsy value, then do not |
| forbidDisablingPrimitiveGigacage() in the jsc shell. |
| |
| * jsc.cpp: |
| (jscmain): |
| |
| 2019-09-06 Mark Lam <mark.lam@apple.com> |
| |
| Harden protection of the Gigacage Config parameters. |
| https://bugs.webkit.org/show_bug.cgi?id=201570 |
| <rdar://problem/55134229> |
| |
| Reviewed by Saam Barati. |
| |
| Just renaming some function names here. |
| |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageConditionally): |
| * jsc.cpp: |
| (jscmain): |
| |
| 2019-09-06 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Math.round() produces wrong result for value prior to 0.5 |
| https://bugs.webkit.org/show_bug.cgi?id=185115 |
| |
| Reviewed by Saam Barati. |
| |
| Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994. |
| This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite. |
| |
| Specifically: |
| - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5), |
| so taking the difference between `ceil(value)` and `value` is problematic. |
| - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones |
| (by falling back to jsRound). This patch gives baseline a legitimate implementation too. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileArithRounding): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithRound): |
| * jit/ThunkGenerators.cpp: |
| (JSC::roundThunkGenerator): |
| * runtime/MathCommon.cpp: |
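
The 0.49999999999999994 case from the Math.round entry above, as an added C++ example that is not JSC's MathCommon code: the two shapes the entry calls out as wrong (floor(x + 0.5), and ceil(x) minus x compared against 0.5), beside a version with ECMAScript Math.round semantics (ties round toward +Infinity; results in [-0.5, 0) become -0). The function names roundViaFloorPlusHalf, roundViaCeilDifference and jsMathRound are hypothetical.

```cpp
#include <cmath>
#include <cstdio>

// The baseline shape the entry describes: for 0.49999999999999994, x + 0.5 is
// not representable and rounds up to exactly 1.0, so floor() yields 1, not 0.
double roundViaFloorPlusHalf(double x)
{
    return std::floor(x + 0.5);
}

// The other shape the entry calls out: ceil(x) - x is 1 - 0.49999999999999994,
// which is not representable and rounds to 0.5, so the "> 0.5" test fails
// and the function keeps ceil(x) == 1.
double roundViaCeilDifference(double x)
{
    double c = std::ceil(x);
    return (c - x > 0.5) ? c - 1 : c;
}

// Correct version: work from the truncated part. x - trunc(x) is exact for
// every finite double (for |x| < 1 it is x itself, for |x| >= 1 Sterbenz's
// lemma applies), so the comparison against 0.5 sees the true fraction.
double jsMathRound(double x)
{
    if (std::isnan(x) || std::isinf(x) || x == 0)
        return x; // NaN, +/-Infinity and +/-0 are returned unchanged
    double t = std::trunc(x);
    double frac = x - t;
    if (x > 0)
        return frac >= 0.5 ? t + 1 : t; // ties go up, toward +Infinity
    // Negative: a tie (frac == -0.5) also rounds toward +Infinity, i.e. to t.
    double r = (frac < -0.5) ? t - 1 : t;
    return r == 0 ? -0.0 : r; // [-0.5, 0) must yield -0, not +0
}

int main()
{
    const double x = 0.49999999999999994;
    std::printf("floor(x+0.5)=%g  ceil-diff=%g  correct=%g\n",
        roundViaFloorPlusHalf(x), roundViaCeilDifference(x), jsMathRound(x));
    return 0;
}
```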
| |
| 2019-09-05 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken) |
| https://bugs.webkit.org/show_bug.cgi?id=201366 |
| |
| Reviewed by Saam Barati. |
| |
| It is possible for the log buffer to be full right as someone is trying to |
| log a function prologue. In such a case the machine stack has already been |
| updated to include the new JavaScript call frame, but the prologue packet |
| cannot be included in the update because the log is full. This would mean |
| that the update fails to rationalize the machine stack with the shadow |
| log / stack. Namely, the current JavaScript call frame is unable to |
| find a matching prologue (the one we are holding to include after the update) |
| and inserts a questionable value into the stack; and in the process |
| missing and removing real potential tail calls. |
| |
| For example: |
| |
| "use strict"; |
| function third() { return 1; } |
| function second() { return third(); } |
| function first() { return second(); } |
| function start() { return first(); } |
| |
| If the log fills up just as we are entering `b`, then we may have a full log |
| of packets looking like: |
| |
| Shadow Log: |
| ... |
| { prologue-packet: entering `start` ... } |
| { prologue-packet: entering `first` ... } |
| { tail-packet: leaving `first` with a tail call } |
| |
| Incoming Packet: |
| { prologue-packet: entering `second` ... } |
| |
| Current JS Stack: |
| second |
| start |
| |
| Since the Current JavaScript stack already has `second`, if we process the |
| log without the prologue for `second` then we push a confused entry on the |
| shadow stack and clear the log such that we eventually lose the tail-call |
| information for `first` to `second`. |
| |
| This patch solves this issue by providing enough extra space in the log |
| to always process the incoming packet when that forces an update. This way |
| clients can continue to behave exactly as they are. |
| |
| -- |
| |
| We also document a corner case in some circumstances where the shadow |
| log may currently be insufficient to know how to reconcile: |
| |
| For example: |
| |
| "use strict"; |
| function third() { return 1; } |
| function second() { return third(); } |
| function first() { return second(); } |
| function doNothingTail() { return Math.random() } |
| function start() { |
| for (i=0;i<1000;++i) doNothingTail(); |
| return first(); |
| } |
| |
| In this case the ShadowChicken log may be processed multiple times due |
| to the many calls to `doNothingTail` / `Math.random()`. When calling the |
| Native function no prologue packet is emitted, so it is unclear that we |
| temporarily go deeper and come back out on the stack, so the log appears |
| to have lots of doNothingTail calls reusing the same frame: |
| |
| Shadow Log: |
| ... |
| , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start} |
| , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [125] tail-packet:{frame = 0x7ffeef8971f0} |
| , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [127] tail-packet:{frame = 0x7ffeef8971f0} |
| ... |
| , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [141] tail-packet:{frame = 0x7ffeef8971f0} |
| , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [143] tail-packet:{frame = 0x7ffeef8971f0} |
| , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first} |
| , [145] tail-packet:{frame = 0x7ffeef8971f0} |
| , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second} |
| ... |
| |
| This log would seem to be indistinguishable from real tail recursion, such as: |
| |
| "use strict"; |
| function third() { return 1; } |
| function second() { return third(); } |
| function first() { return second(); } |
| function doNothingTail(n) { |
| return n ? doNothingTail(n-1) : first(); |
| } |
| function start() { |
| return doNothingTail(1000); |
| } |
| |
| Likewise there are more cases where the shadow log appears to be ambiguous with determining |
| the appropriate parent call frame with intermediate function calls. In practice this may |
| not be too problematic, as this is a best effort reconstruction of tail deleted frames. |
| It seems likely we would only show additional frames that did in fact happen serially |
| between JavaScript call frames, but may not actually be the proper parent frame |
| hierarchy in the stack. |
| |
| * interpreter/ShadowChicken.cpp: |
| (JSC::ShadowChicken::Packet::dump const): |
| (JSC::ShadowChicken::Frame::dump const): |
| (JSC::ShadowChicken::dump const): |
| Improved debugging output. Especially for functions. |
| |
| (JSC::ShadowChicken::ShadowChicken): |
| Make space in the log for 1 additional packet to process when we slow log. |
| |
| (JSC::ShadowChicken::log): |
| Include this packet in our update. |
| |
| (JSC::ShadowChicken::update): |
| Address an edge case where we can eliminate tail-deleted frames that don't make sense. |
| |
| 2019-09-06 Ryan Haddad <ryanhaddad@apple.com> |
| |
| Unreviewed, rolling out r249566. |
| |
| Causes inspector layout test crashes under GuardMalloc |
| |
| Reverted changeset: |
| |
| "Tail Deleted Frames shown in Web Inspector are sometimes |
| incorrect (Shadow Chicken)" |
| https://bugs.webkit.org/show_bug.cgi?id=201366 |
| https://trac.webkit.org/changeset/249566 |
| |
| 2019-09-06 Guillaume Emont <guijemont@igalia.com> |
| |
| testmasm: save r6 in JIT'ed code on ARM_THUMB2 |
| https://bugs.webkit.org/show_bug.cgi?id=201138 |
| |
| Reviewed by Mark Lam. |
| |
| MacroAssemblerArmv7 uses r6 as a temporary register, and it is a |
| callee-saved register. The JITs use |
| AssemblyHelpers::emitSaveCalleeSaves() and friends to save |
| callee-saved registers, but there is no such mechanism in testmasm, |
| which seems to make the assumption that the macroassembler does not |
| use callee-saved registers (which I guess is true for all other |
| architectures, but not for Armv7). |
| |
| This issue means that testmasm crashes on Armv7 since code generated |
| by gcc uses r6, and it gets modified by JIT'ed code. |
| |
| This change makes sure that we save and restore r6 for all code |
| compiled by testmasm on Armv7. |
| |
| * assembler/testmasm.cpp: |
| (JSC::emitFunctionPrologue): |
| (JSC::emitFunctionEpilogue): |
| (JSC::testSimple): |
| (JSC::testGetEffectiveAddress): |
| (JSC::testBranchTruncateDoubleToInt32): |
| (JSC::testBranchTestBit32RegReg): |
| (JSC::testBranchTestBit32RegImm): |
| (JSC::testBranchTestBit32AddrImm): |
| (JSC::testBranchTestBit64RegReg): |
| (JSC::testBranchTestBit64RegImm): |
| (JSC::testBranchTestBit64AddrImm): |
| (JSC::testCompareDouble): |
| (JSC::testMul32WithImmediates): |
| (JSC::testMul32SignExtend): |
| (JSC::testCompareFloat): |
| (JSC::testProbeReadsArgumentRegisters): |
| (JSC::testProbeWritesArgumentRegisters): |
| (JSC::testProbePreservesGPRS): |
| (JSC::testProbeModifiesStackPointer): |
| (JSC::testProbeModifiesProgramCounter): |
| (JSC::testProbeModifiesStackValues): |
| (JSC::testByteSwap): |
| (JSC::testMoveDoubleConditionally32): |
| (JSC::testMoveDoubleConditionally64): |
| (JSC::testCagePreservesPACFailureBit): |
| |
| 2019-09-05 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken) |
| https://bugs.webkit.org/show_bug.cgi?id=201366 |
| |
| Reviewed by Saam Barati. |
| |
| It is possible for the log buffer to be full right as someone is trying to |
| log a function prologue. In such a case the machine stack has already been |
| updated to include the new JavaScript call frame, but the prologue packet |
| cannot be included in the update because the log is full. This would mean |
| that the update fails to rationalize the machine stack with the shadow |
| log / stack. Namely, the current JavaScript call frame is unable to |
| find a matching prologue (the one we are holding to include after the update) |
| and inserts a questionable value into the stack; and in the process |
| missing and removing real potential tail calls. |
| |
| For example: |
| |
| "use strict"; |
| function third() { return 1; } |
| function second() { return third(); } |
| function first() { return second(); } |
| function start() { return first(); } |
| |
| If the log fills up just as we are entering `b`, then we may have a full log |
| of packets looking like: |
| |
| Shadow Log: |
| ... |
| { prologue-packet: entering `start` ... } |
| { prologue-packet: entering `first` ... } |
| { tail-packet: leaving `first` with a tail call } |
| |
| Incoming Packet: |
| { prologue-packet: entering `second` ... } |
| |
| Current JS Stack: |
| second |
| start |
| |
| Since the Current JavaScript stack already has `second`, if we process the |
| log without the prologue for `second` then we push a confused entry on the |
| shadow stack and clear the log such that we eventually lose the tail-call |
| information for `first` to `second`. |
| |
| This patch solves this issue by providing enough extra space in the log |
| to always process the incoming packet when that forces an update. This way |
| clients can continue to behave exactly as they are. |
| |
| -- |
| |
| We also document a corner case in some circumstances where the shadow |
| log may currently be insufficient to know how to reconcile: |
| |
| For example: |
| |
| "use strict"; |
| function third() { return 1; } |
| function second() { return third(); } |
| function first() { return second(); } |
| function doNothingTail() { return Math.random() } |
| function start() { |
| for (i=0;i<1000;++i) doNothingTail(); |
| return first(); |
| } |
| |
| In this case the ShadowChicken log may be processed multiple times due |
| to the many calls to `doNothingTail` / `Math.random()`. When calling the |
| Native function no prologue packet is emitted, so it is unclear that we |
| temporarily go deeper and come back out on the stack, so the log appears |
| to have lots of doNothingTail calls reusing the same frame: |
| |
| Shadow Log: |
| ... |
| , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start} |
| , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [125] tail-packet:{frame = 0x7ffeef8971f0} |
| , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [127] tail-packet:{frame = 0x7ffeef8971f0} |
| ... |
| , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [141] tail-packet:{frame = 0x7ffeef8971f0} |
| , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail} |
| , [143] tail-packet:{frame = 0x7ffeef8971f0} |
| , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first} |
| , [145] tail-packet:{frame = 0x7ffeef8971f0} |
| , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second} |
| ... |
| |
| This log would seem to be indistinguishable from real tail recursion, such as: |
| |
| "use strict"; |
| function third() { return 1; } |
| function second() { return third(); } |
| function first() { return second(); } |
| function doNothingTail(n) { |
| return n ? doNothingTail(n-1) : first(); |
| } |
| function start() { |
| return doNothingTail(1000); |
| } |
| |
| Likewise there are more cases where the shadow log appears to be ambiguous with determining |
| the appropriate parent call frame with intermediate function calls. In practice this may |
| not be too problematic, as this is a best effort reconstruction of tail deleted frames. |
| It seems likely we would only show additional frames that did in fact happen serially |
| between JavaScript call frames, but may not actually be the proper parent frame |
| hierarchy in the stack. |
| |
| * interpreter/ShadowChicken.cpp: |
| (JSC::ShadowChicken::Packet::dump const): |
| (JSC::ShadowChicken::Frame::dump const): |
| (JSC::ShadowChicken::dump const): |
| Improved debugging output. Especially for functions. |
| |
| (JSC::ShadowChicken::ShadowChicken): |
| Make space in the log for 1 additional packet to process when we slow log. |
| |
| (JSC::ShadowChicken::log): |
| Include this packet in our update. |
| |
| (JSC::ShadowChicken::update): |
| Address an edge case where we can eliminate tail-deleted frames that don't make sense. |
| |
| 2019-09-05 Mark Lam <mark.lam@apple.com> |
| |
| Refactor the Gigacage code to require less pointer casting. |
| https://bugs.webkit.org/show_bug.cgi?id=201521 |
| |
| Reviewed by Saam Barati. |
| |
| Change LLInt's loadCagedJSValue() to skip the caging if Gigacage is not enabled |
| in the build. This allows us to remove the unneeded stubs in WTF Gigacage.h. |
| |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageConditionally): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/VM.h: |
| (JSC::VM::gigacageAuxiliarySpace): |
| |
| 2019-09-05 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, follow-up after r249530 and r249509 |
| https://bugs.webkit.org/show_bug.cgi?id=201495 |
| |
| Rename FTLOutput::weakPointer to alreadyRegisteredWeakPointer and alreadyRegisteredFrozenPointer. |
| |
| * builtins/PromiseConstructor.js: |
| (nakedConstructor.Promise.resolve): |
| (nakedConstructor.Promise.reject): |
| (nakedConstructor.Promise): |
| (nakedConstructor.InternalPromise.resolve): |
| (nakedConstructor.InternalPromise.reject): |
| (nakedConstructor.InternalPromise): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::weakPointer): |
| (JSC::FTL::DFG::LowerDFGToB3::frozenPointer): |
| (JSC::FTL::DFG::LowerDFGToB3::weakStructure): |
| * ftl/FTLOutput.h: |
| (JSC::FTL::Output::alreadyRegisteredWeakPointer): |
| (JSC::FTL::Output::alreadyRegisteredFrozenPointer): |
| (JSC::FTL::Output::weakPointer): Deleted. |
| |
| 2019-09-05 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Generalize Get/PutPromiseInternalField for InternalFieldObjectImpl |
| https://bugs.webkit.org/show_bug.cgi?id=201513 |
| |
| Reviewed by Ross Kirsling. |
| |
| This patch extracts JSPromise's internal fields mechanism as JSInternalFieldsObjectImpl, and make it reusable for the other objects. |
| It is preparation for using this internal fields mechanism for generators, async functions, async generators, array iterators and so on. |
| |
| The profiler is showing many recompilations of Generator's resume function (including async generator's one). We are using properties |
| with private-symbols as storage for internal state of generators. However, the spec defines that each generator from different generator-functions |
| has different [[Prototype]]. While we need to share one Generator.prototype.next function, generators tend to have different Structures due to |
| different [[Prototype]] and accessing internal fields with `get_by_id_direct` sadly becomes super megamorphic while it is not necessary. |
| And every time new Structure for new generator pops up, DFG/FTL code for generator resume function gets OSR exit or eventually this function |
| emits super generic code unfortunately. By using internal fields for storing this state, we can avoid this performance problem. |
| |
| Bytecodes and corresponding DFG nodes are just renamed. JSPromise is now inheriting JSInternalFieldsObjectImpl, which can hold a specified |
| number of internal fields. And op_get_internal_field / op_put_internal_field can access these internal fields. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| * bytecode/Opcode.h: |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::emitGetInternalField): |
| (JSC::BytecodeGenerator::emitPutInternalField): |
| (JSC::BytecodeGenerator::emitGetPromiseInternalField): Deleted. |
| (JSC::BytecodeGenerator::emitPutPromiseInternalField): Deleted. |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGMayExit.cpp: |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::hasInternalFieldIndex): |
| (JSC::DFG::Node::hasHeapPrediction): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileGetInternalField): |
| (JSC::DFG::SpeculativeJIT::compilePutInternalField): |
| (JSC::DFG::SpeculativeJIT::compileCreatePromise): |
| (JSC::DFG::SpeculativeJIT::compileNewPromise): |
| (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField): Deleted. |
| (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField): Deleted. |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetInternalField): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutInternalField): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField): Deleted. |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField): Deleted. |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| * jit/JIT.h: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_get_internal_field): |
| (JSC::JIT::emit_op_put_internal_field): |
| (JSC::JIT::emit_op_get_promise_internal_field): Deleted. |
| (JSC::JIT::emit_op_put_promise_internal_field): Deleted. |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_get_internal_field): |
| (JSC::JIT::emit_op_put_internal_field): |
| (JSC::JIT::emit_op_get_promise_internal_field): Deleted. |
| (JSC::JIT::emit_op_put_promise_internal_field): Deleted. |
| * llint/LLIntOffsetsExtractor.cpp: |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/JSInternalFieldObjectImpl.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h. |
| (JSC::JSInternalFieldObjectImpl::allocationSize): |
| (JSC::JSInternalFieldObjectImpl::internalField const): |
| (JSC::JSInternalFieldObjectImpl::internalField): |
| (JSC::JSInternalFieldObjectImpl::offsetOfInternalFields): |
| (JSC::JSInternalFieldObjectImpl::offsetOfInternalField): |
| (JSC::JSInternalFieldObjectImpl::JSInternalFieldObjectImpl): |
| * runtime/JSInternalFieldObjectImplInlines.h: Added. |
| (JSC::JSInternalFieldObjectImpl<passedNumberOfInternalFields>::visitChildren): |
| * runtime/JSPromise.cpp: |
| (JSC::JSPromise::finishCreation): |
| (JSC::JSPromise::visitChildren): |
| (JSC::JSPromise::status const): |
| (JSC::JSPromise::result const): |
| (JSC::JSPromise::isHandled const): |
| * runtime/JSPromise.h: |
| (JSC::JSPromise::allocationSize): Deleted. |
| (JSC::JSPromise::offsetOfInternalFields): Deleted. |
| (JSC::JSPromise::offsetOfInternalField): Deleted. |
| (): Deleted. |
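
An added illustration (not WebKit code) of the spec behaviour this entry relies on: each generator function carries its own `prototype` object, so generators created by different generator functions have different [[Prototype]]s even though every one of them reaches the single shared `%GeneratorPrototype%.next` through its prototype chain. The function `describeGeneratorPrototypes` and the two generator functions inside it are constructed for this example:

```javascript
// Added example, not WebKit code. Shows why generator objects from different
// generator functions end up with different [[Prototype]]s (and therefore
// different Structures in JSC) while all sharing one `next` function.
function describeGeneratorPrototypes() {
  // Two unrelated generator functions, constructed for this example.
  function* makeCounter() { let i = 0; while (true) yield i++; }
  function* makeSquares() { for (let i = 0; ; i++) yield i * i; }

  const counter = makeCounter();
  const squares = makeSquares();
  const protoA = Object.getPrototypeOf(counter);
  const protoB = Object.getPrototypeOf(squares);

  // Each generator function's .prototype inherits from %GeneratorPrototype%,
  // which is where the shared `next` actually lives.
  const generatorPrototype = Object.getPrototypeOf(protoA);
  const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

  return {
    // The generator object's [[Prototype]] is its generator function's .prototype ...
    protoIsFunctionsPrototypeProperty: protoA === makeCounter.prototype,
    // ... so generators from different generator functions never share one.
    samePrototype: protoA === protoB,
    // Yet both resolve `next` to the very same function object.
    sharedNext: counter.next === squares.next && counter.next === generatorPrototype.next,
    nextOwnedByGeneratorPrototype: hasOwn(generatorPrototype, 'next'),
    ownPrototypesHaveNoNext: !hasOwn(protoA, 'next') && !hasOwn(protoB, 'next'),
    // Sanity check that the generators actually run.
    firstValues: [counter.next().value, squares.next().value, squares.next().value],
  };
}
```

Because `next` is looked up on the shared `%GeneratorPrototype%` but the receiver's own [[Prototype]] differs per generator function, a property-based representation of generator state sees a new Structure for every generator function, which is the megamorphism the entry describes.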
| |
| 2019-09-05 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r247463. |
| https://bugs.webkit.org/show_bug.cgi?id=201515 |
| |
| JetStream2 code-load related regression (Requested by |
| yusukesuzuki on #webkit). |
| |
| Reverted changeset: |
| |
| "Keyword lookup can use memcmp to get around unaligned load |
| undefined behavior" |
| https://bugs.webkit.org/show_bug.cgi?id=199650 |
| https://trac.webkit.org/changeset/247463 |
| |
| 2019-09-05 Tadeu Zagallo <tzagallo@apple.com> |
| |
| LazyClassStructure::setConstructor should not store the constructor to the global object |
| https://bugs.webkit.org/show_bug.cgi?id=201484 |
| <rdar://problem/50400451> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| LazyClassStructure::setConstructor sets the constructor as a property of the global object. |
| This became a problem when it started being used for WebAssembly constructors, such as Module |
| and Instance, since they are properties of the WebAssembly object, not the global object. That |
| resulted in properties of the global object replaced whenever a lazy WebAssembly constructor |
| was first accessed. e.g. |
| |
| globalThis.Module = x; |
| WebAssembly.Module; |
| globalThis.Module === WebAssembly.Module; |
| |
| * runtime/LazyClassStructure.cpp: |
| (JSC::LazyClassStructure::Initializer::setConstructor): |
| * runtime/LazyClassStructure.h: |
| * runtime/Lookup.h: |
| (JSC::reifyStaticProperty): |
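
The clobbering described in this entry, reproduced as an added regression check; this is not WebKit's own test code. It runs on any JavaScript host that exposes `WebAssembly`, and the expected results were reasoned against a spec-conforming host such as Node.js rather than the affected JSC build. The function `checkLazyWebAssemblyConstructorsDoNotClobberGlobals`, the helper `restoreGlobal`, and the sentinel objects are constructed for this example:

```javascript
// Added example, not WebKit code: a regression check for the bug described in
// this ChangeLog entry. Reading a lazily initialized WebAssembly constructor
// must not overwrite a same-named property that user code put on the global
// object. Function and sentinel names are constructed for this example.

// Put a global back the way it was, deleting it if it did not exist before.
function restoreGlobal(name, existed, value) {
  if (existed) {
    globalThis[name] = value;
  } else {
    delete globalThis[name];
  }
}

function checkLazyWebAssemblyConstructorsDoNotClobberGlobals() {
  // Constructed sentinels standing in for user code's own globals.
  const userModule = { tag: 'user-defined Module' };
  const userInstance = { tag: 'user-defined Instance' };

  const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const hadModule = hasOwn(globalThis, 'Module');
  const hadInstance = hasOwn(globalThis, 'Instance');
  const savedModule = globalThis.Module;
  const savedInstance = globalThis.Instance;

  globalThis.Module = userModule;
  globalThis.Instance = userInstance;
  try {
    // The first read is what triggers lazy construction of the class structure.
    const wasmModule = WebAssembly.Module;
    const wasmInstance = WebAssembly.Instance;
    return {
      // Both must still be the user's objects once the lazy constructors exist.
      moduleClobbered: globalThis.Module !== userModule,
      instanceClobbered: globalThis.Instance !== userInstance,
      // The buggy behaviour made this comparison come back true.
      globalAliasesWasmModule: globalThis.Module === wasmModule,
      wasmConstructorsPresent:
        typeof wasmModule === 'function' && typeof wasmInstance === 'function',
    };
  } finally {
    // Leave no lasting side effect on the global object.
    restoreGlobal('Module', hadModule, savedModule);
    restoreGlobal('Instance', hadInstance, savedInstance);
  }
}
```

Under the bug described above, `moduleClobbered` and `globalAliasesWasmModule` would both be `true` after the first access to `WebAssembly.Module`; with the fix, and on any other conforming engine, every `*Clobbered` and `globalAliases*` field is `false`.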
| |
| 2019-09-05 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Do not use FTLOutput::weakPointer directly |
| https://bugs.webkit.org/show_bug.cgi?id=201495 |
| |
| Reviewed by Filip Pizlo. |
| |
| FTLOutput::weakPointer does not register the cell as a weak pointer. |
| CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion. |
| While the current implementation does not pose a correctness issue, since these cells are live so long as JSGlobalObject is live |
| and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function. |
| For FrozenValue, we should use frozenPointer helper function. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer): |
| |
| 2019-09-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression |
| https://bugs.webkit.org/show_bug.cgi?id=201373 |
| |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::emitLoopHint): |
| (JSC::BytecodeGenerator::emitCheckTraps): |
| * bytecompiler/BytecodeGenerator.h: |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * jit/JIT.cpp: |
| (JSC::JIT::emitEnterOptimizationCheck): |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| * jit/JIT.h: |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_enter): |
| (JSC::JIT::emit_op_loop_hint): |
| (JSC::JIT::emitSlow_op_loop_hint): |
| (JSC::JIT::emit_op_check_traps): |
| (JSC::JIT::emitSlow_op_check_traps): |
| (JSC::JIT::emitSlow_op_enter): Deleted. |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_enter): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/CommonSlowPaths.h: |
| |
| 2019-09-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, rebaseline builtin generator test results |
| https://bugs.webkit.org/show_bug.cgi?id=200898 |
| |
| Rebaseline the result files. |
| |
| * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result: |
| * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result: |
| * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result: |
| * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result: |
| * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result: |
| * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result: |
| * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result: |
| * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: |
| |
| 2019-09-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen |
| https://bugs.webkit.org/show_bug.cgi?id=201485 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| FunctionOverrides is a per-process singleton for registering overrides information. But we are accessing |
| it without taking a lock. If multiple threads with multiple VMs are accessing this concurrently, we have |
| a race issue like, |
| |
| 1. While one thread is adding overrides information, |
| 2. Another thread is accessing this hash table. |
| |
| This patch adds a lock to make sure that only one thread can access this registry. |
| |
| * tools/FunctionOverrides.cpp: |
| (JSC::FunctionOverrides::FunctionOverrides): |
| (JSC::FunctionOverrides::reinstallOverrides): |
| (JSC::FunctionOverrides::initializeOverrideFor): |
| (JSC::FunctionOverrides::parseOverridesInFile): |
| * tools/FunctionOverrides.h: |
| (JSC::FunctionOverrides::clear): |
| |
| 2019-09-04 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make Promise implementation faster |
| https://bugs.webkit.org/show_bug.cgi?id=200898 |
| |
| Reviewed by Saam Barati. |
| |
| This is the major change of the Promise implementation and it improves JetStream2/async-fs by 62%. |
| |
| 1. Make JSPromise C++ friendly |
| |
| Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise. |
| This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these |
| fields from C++ easy. Moreover, this patch reduces # of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal |
| fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL |
| supports. They are similar to GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand |
| this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1]. |
| |
| We also add JSPromiseType as JSType. And structures for JSPromise should have that. So that now `@isPromise` is efficiently implemented. |
| This also requires adding SpecPromiseObject and PromiseObjectUse to DFG. |
| |
| Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension |
| is filed in [2]. |
| |
| 2. Make JSPromise constructor JS friendly |
| |
| The old JSPromise constructor was very inefficient: JSPromise constructor is InternalFunction in C++, and in it, it |
| calls `initializePromise` JS function. And this `initializePromise` function invokes `executor` function passed by user program. |
| If we can implement JSPromise constructor fully in JS, we can recognize `executor` and we have a chance to fully inline them. |
| Unfortunately, we cannot inline JSPromise constructor for now since it takes 120 bytecode cost while our inlining threshold for |
| construct is 100. We might want to investigate getting it inlined in the future[3]. |
| |
| We can avoid C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces @nakedConstructor |
| annotation to builtin JS. And this is propagated as `ConstructorKind::Naked`. If this kind is attached, the bytecode generator |
| does not emit `op_create_this` implicitly and the constructor does not return `this` object implicitly. The naked constructor allows |
| us to emit bare-metal bytecode, specifically necessary to allocate non-final JSObject from JS constructor. We introduce op_create_promise, |
| which is similar to op_create_this, but it allocates JSPromise. And by using @createPromise bytecode intrinsic, we implement |
| JSPromise constructor fully in JS. |
| With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4]. |
| |
| 3. DFG supports for JSPromise operations |
| |
| This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis, |
| and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate |
| promises. CreatePromise and NewPromise have `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG. |
| When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism |
| used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile |
| can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable |
| in DFG, we connect watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's |
| structure is invalidated: `callee.prototype` is replaced. |
| |
| 4. Avoid creating unnecessary promises |
| |
| Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. And some of promise creation can be avoided. |
| For example, when resolving a value with `Promise.resolve`, if a value is a promise and if its `then` method is the builtin `then`, we can avoid creating |
| intermediate promise. To handle these things well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They |
| take `onFulfilled` and `onRejected` handlers and they do not need an intermediate promise for resolving. This removes internal promise allocations |
| in major cases and makes promise / async-functions efficient. And we also expose builtin `then` function as `@then`, and insert `@isPromise(xxx) && then === @then` |
| check to take a fast path. We introduced four types of promise reactions to avoid some of object allocations. And microtask reaction is handling these four types. |
| |
| 5. Avoid creating resolving-functions and promise capabilities |
| |
| Resolving functions have `alreadyResolved` flag to prevent calling `resolve` and `reject` multiple times. For the first resolving function creation, this |
| patch embeds one bit flag to JSPromise itself which indicates `alreadyResolved` in the first created resolving functions (resolving functions can be later |
| created again for the same promise. In that case, we just create usual resolving functions). By doing so, we avoid unnecessary resolving functions |
| and promise capability allocations. We introduce a wrapper function `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`. |
| The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with the calls to these functions, e.g. replacing |
| `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`. |
| This mechanism will be used to drop JSPromiseDeferred in a separate patch. |
| |
| JetStream2/async-fs results. |
| ToT: |
| Running async-fs: |
| Startup: 116.279 |
| Worst Case: 151.515 |
| Average: 176.630 |
| Score: 145.996 |
| Wall time: 0:01.149 |
| |
| Patched: |
| Running async-fs: |
| Startup: 166.667 |
| Worst Case: 267.857 |
| Average: 299.080 |
| Score: 237.235 |
| Wall time: 0:00.683 |
| |
| [1]: https://bugs.webkit.org/show_bug.cgi?id=201159 |
| [2]: https://bugs.webkit.org/show_bug.cgi?id=201160 |
| [3]: https://bugs.webkit.org/show_bug.cgi?id=201452 |
| [4]: https://bugs.webkit.org/show_bug.cgi?id=201158 |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Scripts/wkbuiltins/builtins_generate_combined_header.py: |
| (ConstructAbility): |
| (ConstructorKind): |
| * Scripts/wkbuiltins/builtins_generate_separate_header.py: |
| * Scripts/wkbuiltins/builtins_generator.py: |
| (BuiltinsGenerator.generate_embedded_code_data_for_function): |
| (BuiltinsGenerator.generate_embedded_code_string_section_for_data): |
| * Scripts/wkbuiltins/builtins_model.py: |
| (BuiltinFunction.__init__): |
| (BuiltinFunction.fromString): |
| * Scripts/wkbuiltins/builtins_templates.py: |
| * builtins/AsyncFromSyncIteratorPrototype.js: |
| (next.try): |
| (next): |
| (return.try): |
| (return): |
| (throw.try): |
| (throw): |
| * builtins/AsyncFunctionPrototype.js: |
| (globalPrivate.asyncFunctionResume): |
| * builtins/AsyncGeneratorPrototype.js: |
| (globalPrivate.asyncGeneratorQueueIsEmpty): |
| (globalPrivate.asyncGeneratorQueueEnqueue): |
| (globalPrivate.asyncGeneratorQueueDequeue): |
| (globalPrivate.asyncGeneratorReject): |
| (globalPrivate.asyncGeneratorResolve): |
| (globalPrivate.asyncGeneratorYield): |
| (onRejected): |
| (globalPrivate.awaitValue): |
| (onFulfilled): |
| (globalPrivate.doAsyncGeneratorBodyCall): |
| (globalPrivate.asyncGeneratorResumeNext): |
| (globalPrivate.asyncGeneratorEnqueue): |
| (globalPrivate.asyncGeneratorDequeue): Deleted. |
| (const.onRejected): Deleted. |
| (const.onFulfilled): Deleted. |
| (globalPrivate.asyncGeneratorResumeNext.): Deleted. |
| * builtins/BuiltinExecutableCreator.h: |
| * builtins/BuiltinExecutables.cpp: |
| (JSC::BuiltinExecutables::defaultConstructorSourceCode): |
| (JSC::BuiltinExecutables::createDefaultConstructor): |
| (JSC::BuiltinExecutables::createBuiltinExecutable): |
| (JSC::BuiltinExecutables::createExecutable): |
| (JSC::createBuiltinExecutable): Deleted. |
| * builtins/BuiltinExecutables.h: |
| * builtins/BuiltinNames.h: |
| * builtins/BuiltinUtils.h: |
| * builtins/ModuleLoader.js: |
| (forceFulfillPromise): |
| * builtins/PromiseConstructor.js: |
| (nakedConstructor.Promise.resolve): |
| (nakedConstructor.Promise.reject): |
| (nakedConstructor.Promise): |
| (nakedConstructor.InternalPromise.resolve): |
| (nakedConstructor.InternalPromise.reject): |
| (nakedConstructor.InternalPromise): |
| * builtins/PromiseOperations.js: |
| (globalPrivate.newPromiseReaction): |
| (globalPrivate.newPromiseCapability): |
| (globalPrivate.newHandledRejectedPromise): |
| (globalPrivate.triggerPromiseReactions): |
| (globalPrivate.resolvePromise): |
| (globalPrivate.rejectPromise): |
| (globalPrivate.fulfillPromise): |
| (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck): |
| (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck): |
| (globalPrivate.createResolvingFunctions.resolve): |
| (globalPrivate.createResolvingFunctions.reject): |
| (globalPrivate.createResolvingFunctions): |
| (globalPrivate.promiseReactionJobWithoutPromise): |
| (globalPrivate.resolveWithoutPromise): |
| (globalPrivate.rejectWithoutPromise): |
| (globalPrivate.fulfillWithoutPromise): |
| (resolve): |
| (reject): |
| (globalPrivate.createResolvingFunctionsWithoutPromise): |
| (globalPrivate.promiseReactionJob): |
| (globalPrivate.promiseResolveThenableJobFast): |
| (globalPrivate.promiseResolveThenableJobWithoutPromiseFast): |
| (globalPrivate.promiseResolveThenableJob): |
| (globalPrivate.isPromise): Deleted. |
| (globalPrivate.newPromiseCapability.executor): Deleted. |
| (globalPrivate.initializePromise): Deleted. |
| * builtins/PromisePrototype.js: |
| (then): |
| * bytecode/BytecodeIntrinsicRegistry.cpp: |
| (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): |
| * bytecode/BytecodeIntrinsicRegistry.h: |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| (JSC::CodeBlock::finalizeLLIntInlineCaches): |
| * bytecode/Opcode.h: |
| * bytecode/SpeculatedType.cpp: |
| (JSC::dumpSpeculation): |
| (JSC::speculationFromClassInfo): |
| (JSC::speculationFromJSType): |
| (JSC::speculationFromString): |
| * bytecode/SpeculatedType.h: |
| * bytecode/UnlinkedFunctionExecutable.h: |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::generate): |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::emitGetPromiseInternalField): |
| (JSC::BytecodeGenerator::emitPutPromiseInternalField): |
| (JSC::BytecodeGenerator::emitCreatePromise): |
| (JSC::BytecodeGenerator::emitNewPromise): |
| (JSC::BytecodeGenerator::emitReturn): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::promiseRegister): |
| (JSC::BytecodeGenerator::emitIsPromise): |
| (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted. |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::promiseInternalFieldIndex): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise): |
| (JSC::FunctionNode::emitBytecode): |
| * dfg/DFGAbstractHeap.h: |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| * dfg/DFGClobbersExitState.cpp: |
| (JSC::DFG::clobbersExitState): |
| * dfg/DFGConstantFoldingPhase.cpp: |
| (JSC::DFG::ConstantFoldingPhase::foldConstants): |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dump): |
| * dfg/DFGHeapLocation.cpp: |
| (WTF::printInternal): |
| * dfg/DFGHeapLocation.h: |
| * dfg/DFGMayExit.cpp: |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::convertToNewPromise): |
| (JSC::DFG::Node::hasIsInternalPromise): |
| (JSC::DFG::Node::isInternalPromise): |
| (JSC::DFG::Node::hasInternalFieldIndex): |
| (JSC::DFG::Node::internalFieldIndex): |
| (JSC::DFG::Node::hasHeapPrediction): |
| (JSC::DFG::Node::hasStructure): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| * dfg/DFGPromotedHeapLocation.cpp: |
| (WTF::printInternal): |
| * dfg/DFGPromotedHeapLocation.h: |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::SafeToExecuteEdge::operator()): |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| (JSC::DFG::SpeculativeJIT::speculatePromiseObject): |
| (JSC::DFG::SpeculativeJIT::speculate): |
| (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField): |
| (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField): |
| (JSC::DFG::SpeculativeJIT::compileCreatePromise): |
| (JSC::DFG::SpeculativeJIT::compileNewPromise): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * dfg/DFGUseKind.cpp: |
| (WTF::printInternal): |
| * dfg/DFGUseKind.h: |
| (JSC::DFG::typeFilterFor): |
| (JSC::DFG::isCell): |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField): |
| (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField): |
| (JSC::FTL::DFG::LowerDFGToB3::speculate): |
| (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| * jit/JIT.h: |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emit_op_get_promise_internal_field): |
| (JSC::JIT::emit_op_put_promise_internal_field): |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::emit_op_get_promise_internal_field): |
| (JSC::JIT::emit_op_put_promise_internal_field): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::Parser): |
| (JSC::Parser<LexerType>::parseFunctionInfo): |
| * parser/Parser.h: |
| (JSC::parse): |
| * parser/ParserModes.h: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/CommonSlowPaths.h: |
| * runtime/ConstructAbility.h: |
| * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h. |
| * runtime/FunctionRareData.cpp: |
| (JSC::FunctionRareData::FunctionRareData): |
| (JSC::FunctionRareData::initializeObjectAllocationProfile): |
| (JSC::FunctionRareData::clear): |
| * runtime/FunctionRareData.h: |
| * runtime/InternalFunction.cpp: |
| (JSC::InternalFunction::createSubclassStructureSlow): |
| * runtime/InternalFunction.h: |
| (JSC::InternalFunction::createSubclassStructure): |
| * runtime/JSCast.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::enqueueJob): |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::arrayProtoValuesFunction const): |
| (JSC::JSGlobalObject::promiseProtoThenFunction const): |
| (JSC::JSGlobalObject::initializePromiseFunction const): Deleted. |
| * runtime/JSInternalPromise.cpp: |
| (JSC::JSInternalPromise::createStructure): |
| * runtime/JSInternalPromiseConstructor.cpp: |
| (JSC::JSInternalPromiseConstructor::create): |
| (JSC::JSInternalPromiseConstructor::createStructure): |
| (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor): |
| (JSC::constructPromise): Deleted. |
| * runtime/JSInternalPromiseConstructor.h: |
| * runtime/JSInternalPromisePrototype.cpp: |
| (JSC::JSInternalPromisePrototype::create): |
| * runtime/JSMicrotask.cpp: |
| (JSC::createJSMicrotask): |
| (JSC::JSMicrotask::run): |
| * runtime/JSMicrotask.h: |
| * runtime/JSPromise.cpp: |
| (JSC::JSPromise::createStructure): |
| (JSC::JSPromise::finishCreation): |
| (JSC::JSPromise::visitChildren): |
| (JSC::JSPromise::status const): |
| (JSC::JSPromise::result const): |
| (JSC::JSPromise::isHandled const): |
| (JSC::JSPromise::initialize): Deleted. |
| * runtime/JSPromise.h: |
| (JSC::JSPromise::allocationSize): |
| (JSC::JSPromise::offsetOfInternalFields): |
| (JSC::JSPromise::offsetOfInternalField): |
| * runtime/JSPromiseConstructor.cpp: |
| (JSC::JSPromiseConstructor::create): |
| (JSC::JSPromiseConstructor::createStructure): |
| (JSC::JSPromiseConstructor::JSPromiseConstructor): |
| (JSC::JSPromiseConstructor::finishCreation): |
| (JSC::constructPromise): Deleted. |
| (JSC::callPromise): Deleted. |
| * runtime/JSPromiseConstructor.h: |
| * runtime/JSPromisePrototype.cpp: |
| (JSC::JSPromisePrototype::create): |
| (JSC::JSPromisePrototype::finishCreation): |
| (JSC::JSPromisePrototype::addOwnInternalSlots): |
| * runtime/JSPromisePrototype.h: |
| * runtime/JSType.cpp: |
| (WTF::printInternal): |
| * runtime/JSType.h: |
| |
| 2019-09-04 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based) |
| https://bugs.webkit.org/show_bug.cgi?id=201262 |
| <rdar://problem/13108764> |
| |
| Reviewed by Devin Rousso. |
| |
| When interception is enabled, Network requests that match any of the configured |
| interception patterns will be paused on the backend and allowed to be modified |
| by the frontend. |
| |
| Currently the only time a network request can be intercepted is during the |
| HTTP response. However, this intercepting interface is meant to extend to |
| HTTP requests as well. |
| |
| When a response is to be intercepted a new event is sent to the frontend: |
| |
| `Network.responseIntercepted` event |
| |
| With a `requestId` to identify that network request. The frontend |
| must respond with one of the following commands to continue: |
| |
| `Network.interceptContinue` - proceed with the response unmodified |
| `Network.interceptWithResponse` - provide a response |
| |
| The response is paused in the meantime. |
| |
| * inspector/protocol/Network.json: |
| New interfaces for intercepting network responses and supplying override content. |
| |
| * Scripts/generate-combined-inspector-json.py: |
| * inspector/scripts/generate-inspector-protocol-bindings.py: |
| (generate_from_specification.load_specification): |
| Complete allowing comments in JSON protocol files. |
| |
| * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py: |
| (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command): |
| * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: |
| Allow optional enums in ObjC interfaces. |
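
As an added illustration of the pause/continue/override exchange described above (example code, not WebKit's network layer or its inspector protocol implementation), the following C++ model parks a matching response under its requestId, raises the responseIntercepted event, and releases it on interceptContinue or interceptWithResponse. InterceptingBackend, Response, ScenarioResult and the URL-prefix rule used for interception patterns are assumptions of the example; the page does not say how patterns are matched.

```cpp
#include <functional>
#include <map>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Added model, not WebKit code. Pattern matching is URL-prefix based here
// (assumption: the page does not describe the real matching rules).
struct Response {
    std::string url;
    std::string body;
    bool overridden = false;  // true once the frontend substituted the body
};

class InterceptingBackend {
public:
    void setInterceptionEnabled(bool enabled) { m_enabled = enabled; }
    void addInterceptionPattern(std::string urlPrefix) { m_patterns.push_back(std::move(urlPrefix)); }
    // The frontend's handler for the responseIntercepted event; it receives the requestId.
    void setResponseInterceptedListener(std::function<void(const std::string&)> listener) {
        m_onResponseIntercepted = std::move(listener);
    }

    // Backend side. Delivers at once when nothing intercepts; otherwise parks the
    // response under requestId, notifies the frontend, and returns nullopt.
    std::optional<Response> receiveResponse(const std::string& requestId, Response response) {
        if (!m_enabled || !matchesAnyPattern(response.url))
            return deliver(std::move(response));
        m_paused.emplace(requestId, std::move(response));
        if (m_onResponseIntercepted)
            m_onResponseIntercepted(requestId);
        return std::nullopt;
    }

    // Network.interceptContinue: proceed with the paused response unmodified.
    bool interceptContinue(const std::string& requestId) {
        std::optional<Response> paused = takePaused(requestId);
        if (!paused)
            return false;  // unknown requestId, or already resumed
        deliver(std::move(*paused));
        return true;
    }

    // Network.interceptWithResponse: substitute the body before the page sees it.
    bool interceptWithResponse(const std::string& requestId, std::string body) {
        std::optional<Response> paused = takePaused(requestId);
        if (!paused)
            return false;
        paused->body = std::move(body);
        paused->overridden = true;
        deliver(std::move(*paused));
        return true;
    }

    size_t pausedCount() const { return m_paused.size(); }
    const std::vector<Response>& delivered() const { return m_delivered; }

private:
    bool matchesAnyPattern(const std::string& url) const {
        for (const std::string& prefix : m_patterns)
            if (url.compare(0, prefix.size(), prefix) == 0)
                return true;
        return false;
    }
    std::optional<Response> takePaused(const std::string& requestId) {
        auto it = m_paused.find(requestId);
        if (it == m_paused.end())
            return std::nullopt;
        Response r = std::move(it->second);
        m_paused.erase(it);
        return r;
    }
    Response deliver(Response r) { m_delivered.push_back(r); return r; }

    bool m_enabled = false;
    std::vector<std::string> m_patterns;
    std::map<std::string, Response> m_paused;
    std::vector<Response> m_delivered;
    std::function<void(const std::string&)> m_onResponseIntercepted;
};

struct ScenarioResult {
    std::vector<std::string> interceptedIds;  // order of responseIntercepted events
    std::vector<std::string> bodies;          // order in which the page received bodies
    size_t stillPaused = 0;
};

// Constructed traffic: two responses match the pattern, one does not.
ScenarioResult runInterceptionScenario() {
    InterceptingBackend backend;
    ScenarioResult result;
    backend.setResponseInterceptedListener([&](const std::string& id) { result.interceptedIds.push_back(id); });
    backend.addInterceptionPattern("https://cdn.example/app.js");
    backend.setInterceptionEnabled(true);
    backend.receiveResponse("req-1", {"https://cdn.example/app.js", "original js"});
    backend.receiveResponse("req-2", {"https://other.example/site.css", "css"});  // delivered at once
    backend.receiveResponse("req-3", {"https://cdn.example/app.js?v=2", "original js v2"});
    backend.interceptWithResponse("req-1", "patched js");  // local override
    backend.interceptContinue("req-3");                    // unchanged
    for (const Response& r : backend.delivered())
        result.bodies.push_back(r.body);
    result.stillPaused = backend.pausedCount();
    return result;
}

bool unknownRequestIdIsRejected() {
    InterceptingBackend backend;
    backend.setInterceptionEnabled(true);
    return !backend.interceptContinue("req-404") && !backend.interceptWithResponse("req-404", "x");
}
```

Unknown or already-resumed requestIds are rejected rather than silently accepted, so a frontend cannot release a response twice or resume one it never saw; the unmatched response is delivered immediately and never appears in the intercepted list.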
| |
| 2019-09-03 Mark Lam <mark.lam@apple.com> |
| |
| Structure::storedPrototype() and storedPrototypeObject() should assert with isCompilationThread(), not !isMainThread(). |
| https://bugs.webkit.org/show_bug.cgi?id=201449 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Using !isMainThread() in the assertion also disables the assertion for the mutator |
| of worker threads. This is not what we intended. |
| |
| * runtime/StructureInlines.h: |
| (JSC::Structure::storedPrototype const): |
| (JSC::Structure::storedPrototypeObject const): |
| |
| 2019-09-04 Mark Lam <mark.lam@apple.com> |
| |
| Disambiguate a symbol used in JSDollarVM. |
| https://bugs.webkit.org/show_bug.cgi?id=201466 |
| <rdar://problem/51826672> |
| |
| Reviewed by Tadeu Zagallo. |
| |
| This was causing a build issue on some internal build. |
| |
| * tools/JSDollarVM.cpp: |
| |
| 2019-09-03 Mark Lam <mark.lam@apple.com> |
| |
| Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread. |
| https://bugs.webkit.org/show_bug.cgi?id=201309 |
| <rdar://problem/54832121> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * runtime/JSArrayBufferView.h: |
| * runtime/JSArrayBufferViewInlines.h: |
| (JSC::JSArrayBufferView::possiblySharedBufferImpl): |
| (JSC::JSArrayBufferView::possiblySharedBuffer): |
| (JSC::JSArrayBufferView::byteOffsetImpl): |
| (JSC::JSArrayBufferView::byteOffset): |
| (JSC::JSArrayBufferView::byteOffsetConcurrently): |
| |
| 2019-09-03 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: implement blackboxing of script resources |
| https://bugs.webkit.org/show_bug.cgi?id=17240 |
| <rdar://problem/5732847> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| When a script is blackboxed and the debugger attempts to pause in that script, the pause |
| reason/data will be saved and execution will continue until it has left the blackboxed |
| script. Once outside, execution is paused with the saved reason/data. |
| |
| This is especially useful when debugging issues using libraries/frameworks, as it allows the |
| developer to "skip" the internal logic of the library/framework and instead focus only on |
| how they're using it. |
| |
| * inspector/protocol/Debugger.json: |
| Add `setShouldBlackboxURL` command. |
| |
| * inspector/agents/InspectorDebuggerAgent.h: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent): |
| (Inspector::InspectorDebuggerAgent::enable): |
| (Inspector::InspectorDebuggerAgent::updatePauseReasonAndData): Added. |
| (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement): |
| (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement): |
| (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): Added. |
| (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts): |
| (Inspector::InspectorDebuggerAgent::didParseSource): |
| (Inspector::InspectorDebuggerAgent::didPause): |
| (Inspector::InspectorDebuggerAgent::didContinue): |
| (Inspector::InspectorDebuggerAgent::breakProgram): |
| (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): |
| (Inspector::InspectorDebuggerAgent::clearPauseDetails): Added. |
| (Inspector::InspectorDebuggerAgent::clearBreakDetails): Deleted. |
| Renamed "break" to "pause" to match `Debugger` naming. |
| |
| * debugger/Debugger.h: |
| * debugger/Debugger.cpp: |
| (JSC::Debugger::pauseIfNeeded): |
| (JSC::Debugger::setBlackboxType): Added. |
| (JSC::Debugger::clearBlackbox): Added. |
| (JSC::Debugger::isBlacklisted const): Deleted. |
| (JSC::Debugger::addToBlacklist): Deleted. |
| (JSC::Debugger::clearBlacklist): Deleted. |
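
Added example of the deferred-pause semantics described above, modelled in C++; it is not JSC's Debugger or InspectorDebuggerAgent. The BlackboxingDebugger class, and the rules that a saved pause fires as soon as the innermost frame is no longer blackboxed and that the first saved reason/data wins over later hits inside blackboxed code, are assumptions of the model.

```cpp
#include <optional>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Added model, not JSC code. Scripts are identified by URL (assumption).
struct PauseReason {
    std::string reason;  // e.g. "Breakpoint", "Exception"
    std::string data;    // e.g. the breakpoint id
};

class BlackboxingDebugger {
public:
    // Stand-in for the setShouldBlackboxURL command.
    void setShouldBlackboxURL(const std::string& url, bool shouldBlackbox) {
        if (shouldBlackbox)
            m_blackboxedURLs.insert(url);
        else
            m_blackboxedURLs.erase(url);
    }

    void didEnterScript(const std::string& url) { m_callStack.push_back(url); }

    void didLeaveScript() {
        if (!m_callStack.empty())
            m_callStack.pop_back();
        // Execution left a script: if a pause was saved inside blackboxed code and
        // we are now outside it, pause with the saved reason/data.
        if (m_deferred && !currentScriptIsBlackboxed()) {
            pauseNow(*m_deferred);
            m_deferred.reset();
        }
    }

    // Called where the debugger would otherwise stop (breakpoint, exception, ...).
    void pauseIfNeeded(PauseReason reason) {
        if (currentScriptIsBlackboxed()) {
            if (!m_deferred)
                m_deferred = std::move(reason);  // save it and keep running (first one wins: assumption)
            return;
        }
        pauseNow(reason);
    }

    // Each recorded pause as "<script>:<reason>:<data>".
    const std::vector<std::string>& pauses() const { return m_pauses; }

private:
    bool currentScriptIsBlackboxed() const {
        return !m_callStack.empty() && m_blackboxedURLs.count(m_callStack.back()) != 0;
    }
    void pauseNow(const PauseReason& r) {
        std::string where = m_callStack.empty() ? "<top-level>" : m_callStack.back();
        m_pauses.push_back(where + ":" + r.reason + ":" + r.data);
    }

    std::set<std::string> m_blackboxedURLs;
    std::vector<std::string> m_callStack;
    std::optional<PauseReason> m_deferred;
    std::vector<std::string> m_pauses;
};

// Constructed scenario: app.js calls into a blackboxed framework.js, which hits
// a breakpoint and then an exception. Control returns to app.js, where exactly
// one pause should surface. A later breakpoint in app.js pauses immediately.
std::vector<std::string> runBlackboxScenario() {
    BlackboxingDebugger debugger;
    debugger.setShouldBlackboxURL("https://cdn.example/framework.js", true);
    debugger.didEnterScript("https://app.example/app.js");
    debugger.didEnterScript("https://cdn.example/framework.js");
    debugger.pauseIfNeeded({"Breakpoint", "bp-1"});     // saved, not paused
    debugger.pauseIfNeeded({"Exception", "TypeError"}); // still blackboxed, first reason kept
    debugger.didLeaveScript();                          // back in app.js -> pause now
    debugger.pauseIfNeeded({"Breakpoint", "bp-2"});     // not blackboxed -> pause at once
    debugger.didLeaveScript();
    return debugger.pauses();
}
```

Both pauses are attributed to app.js: the first carries the reason saved while inside framework.js, the second is the ordinary immediate pause.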
| |
| 2019-09-03 Mark Lam <mark.lam@apple.com> |
| |
| Remove the need to pass performJITMemcpy as a pointer. |
| https://bugs.webkit.org/show_bug.cgi?id=201413 |
| |
| Reviewed by Michael Saboff. |
| |
| We want performJITMemcpy to always be inlined. In this patch, we also clean up |
| some template parameters to use enums instead of booleans to better document the |
| intent of the code. |
| |
| * assembler/ARM64Assembler.h: |
| (JSC::ARM64Assembler::fillNops): |
| (JSC::ARM64Assembler::linkJump): |
| (JSC::ARM64Assembler::linkCall): |
| (JSC::ARM64Assembler::relinkJump): |
| (JSC::ARM64Assembler::relinkCall): |
| (JSC::ARM64Assembler::link): |
| (JSC::ARM64Assembler::linkJumpOrCall): |
| (JSC::ARM64Assembler::linkCompareAndBranch): |
| (JSC::ARM64Assembler::linkConditionalBranch): |
| (JSC::ARM64Assembler::linkTestAndBranch): |
| (JSC::ARM64Assembler::relinkJumpOrCall): |
| (JSC::ARM64Assembler::CopyFunction::CopyFunction): Deleted. |
| (JSC::ARM64Assembler::CopyFunction::operator()): Deleted. |
| * assembler/ARMv7Assembler.h: |
| (JSC::ARMv7Assembler::fillNops): |
| (JSC::ARMv7Assembler::link): |
| (JSC::ARMv7Assembler::linkJumpT1): |
| (JSC::ARMv7Assembler::linkJumpT2): |
| (JSC::ARMv7Assembler::linkJumpT3): |
| (JSC::ARMv7Assembler::linkJumpT4): |
| (JSC::ARMv7Assembler::linkConditionalJumpT4): |
| (JSC::ARMv7Assembler::linkBX): |
| (JSC::ARMv7Assembler::linkConditionalBX): |
| * assembler/AbstractMacroAssembler.h: |
| (JSC::AbstractMacroAssembler::emitNops): |
| * assembler/LinkBuffer.cpp: |
| (JSC::LinkBuffer::copyCompactAndLinkCode): |
| * assembler/MIPSAssembler.h: |
| (JSC::MIPSAssembler::fillNops): |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::link): |
| * assembler/MacroAssemblerARMv7.h: |
| (JSC::MacroAssemblerARMv7::link): |
| * assembler/X86Assembler.h: |
| (JSC::X86Assembler::fillNops): |
| * jit/ExecutableAllocator.h: |
| (JSC::performJITMemcpy): |
| * runtime/JSCPtrTag.h: |
| |
| 2019-09-03 Devin Rousso <drousso@apple.com> |
| |
| REGRESSION (r249078): Flaky crash in com.apple.JavaScriptCore: Inspector::InjectedScriptModule::ensureInjected |
| https://bugs.webkit.org/show_bug.cgi?id=201201 |
| <rdar://problem/54771560> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/InjectedScriptSource.js: |
| (let.InjectedScript.prototype.injectModule): |
| (let.InjectedScript.prototype._evaluateOn): |
| (CommandLineAPI): |
| (let.InjectedScript.prototype.setInspectObject): Deleted. |
| (let.InjectedScript.prototype.addCommandLineAPIGetter): Deleted. |
| (let.InjectedScript.prototype.addCommandLineAPIMethod.func.toString): Deleted. |
| (let.InjectedScript.prototype.addCommandLineAPIMethod): Deleted. |
| (InjectedScript.CommandLineAPI): Deleted. |
| Allow injected script "extensions" (e.g. CommandLineAPIModuleSource.js) to modify objects |
| directly, instead of having them call functions. |
| |
| * inspector/InjectedScriptModule.cpp: |
| (Inspector::InjectedScriptModule::ensureInjected): |
| Make sure to reset `hadException` to `false` before making another call. |
| |
| 2019-09-03 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Remove BytecodeGenerator::emitPopScope |
| https://bugs.webkit.org/show_bug.cgi?id=201395 |
| |
| Reviewed by Saam Barati. |
| |
| Use emitGetParentScope. And this patch also removes several unnecessary mov bytecode emissions. |
| |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::popLexicalScopeInternal): |
| (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration): |
| (JSC::BytecodeGenerator::emitPopWithScope): |
| (JSC::BytecodeGenerator::emitPopScope): Deleted. |
| * bytecompiler/BytecodeGenerator.h: |
| |
| 2019-09-01 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Merge op_check_traps into op_enter and op_loop_hint |
| https://bugs.webkit.org/show_bug.cgi?id=201373 |
| |
| Reviewed by Mark Lam. |
| |
| This patch removes op_check_traps. Previously we were conditionally emitting op_check_traps based on Options and Platform configurations. |
| But now we are always emitting op_check_traps. So it is not necessary to have separate bytecode as op_check_traps. We can do checking in |
| op_enter and op_loop_hint. |
| |
| While this patch moves check_traps implementation to op_enter and op_loop_hint, we keep separate DFG nodes (CheckTraps or InvalidationPoint), |
| since inserted nodes are different based on configurations and options. And emitting multiple DFG nodes from one bytecode is easy. |
| |
| We also inline op_enter's slow path's write-barrier emission in LLInt. |
| |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::emitLoopHint): |
| (JSC::BytecodeGenerator::emitCheckTraps): Deleted. |
| * bytecompiler/BytecodeGenerator.h: |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| (JSC::JIT::emitEnterOptimizationCheck): Deleted. |
| * jit/JIT.h: |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_loop_hint): |
| (JSC::JIT::emitSlow_op_loop_hint): |
| (JSC::JIT::emit_op_enter): |
| (JSC::JIT::emitSlow_op_enter): |
| (JSC::JIT::emit_op_check_traps): Deleted. |
| (JSC::JIT::emitSlow_op_check_traps): Deleted. |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_enter): Deleted. |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/CommonSlowPaths.cpp: |
| * runtime/CommonSlowPaths.h: |
| |
| 2019-09-01 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Fix testb3 debug failures |
| https://bugs.webkit.org/show_bug.cgi?id=201382 |
| |
| Reviewed by Mark Lam. |
| |
| Fix testb3 debug failures due to incorrect types of operations like pointer + int32. |
| |
| * b3/testb3_8.cpp: |
| (testByteCopyLoop): |
| (testByteCopyLoopStartIsLoopDependent): |
| (testByteCopyLoopBoundIsLoopDependent): |
| |
| 2019-09-01 Mark Lam <mark.lam@apple.com> |
| |
| Speculative build fix for ARMv7 and MIPS. |
| https://bugs.webkit.org/show_bug.cgi?id=201389 |
| |
| Not reviewed. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::jettison): |
| |
| 2019-08-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] LLInt op should not emit the same code three times |
| https://bugs.webkit.org/show_bug.cgi?id=201370 |
| |
| Reviewed by Mark Lam. |
| |
| LLInt op macro (not llintOp macro) is used to generate some stub code like llint_program_prologue. |
| But now it generates the same code three times for narrow, wide16, and wide32. We should emit code only once. |
| |
| * llint/LowLevelInterpreter.asm: |
| |
| 2019-08-30 Mark Lam <mark.lam@apple.com> |
| |
| Remove some obsolete statements that have no effect. |
| https://bugs.webkit.org/show_bug.cgi?id=201357 |
| |
| Reviewed by Saam Barati. |
| |
| This patch removes 3 statements that look like this: |
| |
| result->butterfly(); // Ensure that the butterfly is in to-space. |
| |
| The statement just reads a field and does nothing with it. This is a no-op |
| logic-wise, and the comment that accompanies it is obsolete. |
| |
| * dfg/DFGOperations.cpp: |
| |
| 2019-08-30 Mark Lam <mark.lam@apple.com> |
| |
| Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information. |
| https://bugs.webkit.org/show_bug.cgi?id=201345 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using |
| the wrong pointer for capturing the cell headerWord and zapReason. As a result, |
| we get junk for those 2 values. |
| |
| Previously, we were only capturing the upper 32 bits of the cell header slot, |
| and the lower 32 bits of the next slot in the zapped cell. We now capture the |
| full 64 bits of both slots. If the second slot did not contain a zapReason as we |
| expect, the upper 32 bits might give us a clue as to what type of value the slot |
| contains. |
| |
| This patch also adds capturing of the found MarkedBlock address for the zapped |
| cell, as well as some state bit values. |
| |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::reportZappedCellAndCrash): |
| |
| 2019-08-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Generate new.target register only when it is used |
| https://bugs.webkit.org/show_bug.cgi?id=201335 |
| |
| Reviewed by Mark Lam. |
| |
| Since the bytecode generator knows whether the new.target register can be used, we should emit and use the new.target register |
| only when it is actually required. |
| |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::newTarget): |
| * parser/Nodes.h: |
| (JSC::ScopeNode::needsNewTargetRegisterForThisScope const): |
| |
| 2019-08-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable |
| https://bugs.webkit.org/show_bug.cgi?id=201331 |
| |
| Reviewed by Mark Lam. |
| |
| SimpleJumpTable's non-JIT part is not changed after the CodeBlock is finalized. On the other hand, the JIT-related part is allocated on demand. |
| For example, ctiOffsets can be grown by the Baseline JIT compiler. There is a race condition as follows. |
| |
| 1. DFG ByteCodeParser is inlining and copying SimpleJumpTable |
| 2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable |
| |
| Then, (1) reads the broken Vector, and crashes. Since the JIT-related part is unnecessary in (1), we should not clone it. |
| This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which only copies the non-JIT-related part of the given SimpleJumpTable offered |
| by the profiled CodeBlock. |
| |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock): |
| * bytecode/JumpTable.h: |
| (JSC::SimpleJumpTable::cloneNonJITPart const): |
| (JSC::SimpleJumpTable::clear): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): |
| |
| 2019-08-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid |
| https://bugs.webkit.org/show_bug.cgi?id=201332 |
| |
| Reviewed by Mark Lam. |
| |
| When inlining setter calls in DFG, the result VirtualRegister becomes an invalid one. While other call-related DFG code correctly assumes |
| that `result` may be invalid, only the CheckBadCell slow path missed this case. Since this is an OSR exit path and the VirtualRegister result |
| does not exist, set BottomValue only when "result" is valid, as the other DFG code is doing. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleInlining): |
| |
| 2019-08-29 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Debugger: async event listener stack traces should be available in Workers |
| https://bugs.webkit.org/show_bug.cgi?id=200903 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/agents/InspectorDebuggerAgent.h: |
| (Inspector::InspectorDebuggerAgent::enabled): Added. |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend): |
| (Inspector::InspectorDebuggerAgent::enable): |
| (Inspector::InspectorDebuggerAgent::disable): |
| Allow subclasses to extend what it means for the `InspectorDebuggerAgent` to be `enabled`. |
| |
| 2019-08-29 Keith Rollin <krollin@apple.com> |
| |
| Update .xcconfig symbols to reflect the current set of past and future product versions. |
| https://bugs.webkit.org/show_bug.cgi?id=200720 |
| <rdar://problem/54305032> |
| |
| Reviewed by Alex Christensen. |
| |
| Remove version symbols related to old OS's we no longer support, |
| ensure that version symbols are defined for OS's we do support. |
| |
| * Configurations/Base.xcconfig: |
| * Configurations/DebugRelease.xcconfig: |
| * Configurations/Version.xcconfig: |
| |
| 2019-08-29 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Repatch should construct CallCases and CasesValue at the same time |
| https://bugs.webkit.org/show_bug.cgi?id=201325 |
| |
| Reviewed by Saam Barati. |
| |
| In linkPolymorphicCall, we should create callCases and casesValue at the same time to assert `callCases.size() == casesValue.size()`. |
| If the call variant is isClosureCall and InternalFunction, we skip adding it to casesValue. So we should not add this variant to callCases too. |
| |
| * jit/Repatch.cpp: |
| (JSC::linkPolymorphicCall): |
| |
| 2019-08-29 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation |
| https://bugs.webkit.org/show_bug.cgi?id=198650 |
| |
| Reviewed by Saam Barati. |
| |
| Object Allocation Sinking phase has a lightweight abstract interpreter which interprets DFG nodes related to allocations and properties. |
| This interpreter is lightweight since it does not track abstract values and conditions as deeply as AI does. It can happen that this |
| interpreter interprets a control-flow edge that AI proved is never taken. |
| AI already knows some control-flow edges are never taken, and based on this information, AI can remove CheckStructure nodes. But |
| ObjectAllocationSinking phase can trace these never-taken edges and propagate structure information that contradicts the analysis |
| done in ObjectAllocationSinking. |
| |
| Let's see the example. |
| |
| BB#0 |
| 35: NewObject([%AM:Object]) |
| ... |
| 47: Branch(ConstantTrue, T:#1, F:#2) |
| |
| BB#1 // This basic block is never taken due to @47's jump. |
| ... |
| 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2)) |
| 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066) |
| ... |
| XX: Jump(#2) |
| |
| BB#2 |
| ... |
| 92: CheckStructure(@35, [%Dx:Object]) |
| 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2)) |
| ... |
| |
| AI removes @92 because AI knows BB#0 only takes the BB#1 branch. @35's Structure is always %Dx so @92 is redundant. |
| AI proved that @71 and @72 are always executed while the BB#0 -> BB#2 edge is never taken, so that @35 object's structure is proven at @92. |
| After AI removes @92, ObjectAllocationSinking starts looking into this graph. |
| |
| BB#0 |
| 35: NewObject([%AM:Object]) |
| ... |
| 47: Branch(ConstantTrue, T:#1, F:#2) |
| |
| BB#1 // This basic block is never taken due to @47's jump. |
| ... |
| 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2)) |
| 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066) |
| ... |
| XX: Jump(#2) |
| |
| BB#2 |
| ... |
| 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2)) |
| ... |
| YY: Jump(#3) |
| |
| BB#3 |
| ... |
| ZZ: <HERE> want to materialize @35's sunk object. |
| |
| Since AI does not change the @47 Branch to Jump (it is OK anyway), the BB#0 -> BB#2 edge remains and ObjectAllocationSinking phase propagates |
| BB#0's %AM structure information to BB#2. ObjectAllocationSinking phase converts @35 to PhantomNewObject, removes PutByOffset and PutStructure, and |
| inserts MaterializeNewObject at @ZZ. At this point, ObjectAllocationSinking's lightweight interpreter gets two structures while AI gets one: @35's original |
| one (%AM) and @72's replaced one (%Dx). Since AI already proved @ZZ only gets %Dx, AI removed @92 CheckStructure. But this is not known to ObjectAllocationSinking |
| phase's interpretation. So when creating recovery data, MultiPutByOffset includes two structures, %AM and %Dx. This is OK since MultiPutByOffset takes a |
| conservative set of structures and performs switching. But the problem here is that %AM's id2{a} offset is -1 since %AM does not have such a property. |
| So when creating MultiPutByOffset in ObjectAllocationSinking, we accidentally create MultiPutByOffset with -1 offset data, and the lowering phase hits the debug |
| assertion. |
| |
| 187: MultiPutByOffset(@138, @138, id2{a}, <Replace: [%AM:Object], offset = -1, >, <Replace: [%Dx:Object], offset = 0, >) |
| |
| This bug is harmless since the %AM structure comparison never matches at runtime. But we are not considering the case including a `-1` offset property in MultiPutByOffset data. |
| In this patch, we just filter out apparently wrong structures when creating MultiPutByOffset in ObjectAllocationSinking. This is OK since it never happens at runtime. |
| |
| * dfg/DFGObjectAllocationSinkingPhase.cpp: |
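
As an added example (not the phase's own code), here is the shape of the filter described above: structures handed over by the sinking phase's interpreter that cannot hold the property are dropped before MultiPutByOffset recovery data is built, so a -1 offset never reaches lowering. Structure, PutCase, buildMultiPutByOffsetCases and allOffsetsValid are simplified stand-ins assumed by the example.

```cpp
#include <map>
#include <string>
#include <vector>

// Added illustration, not DFGObjectAllocationSinkingPhase code. invalidOffset
// plays the role of the -1 offset in the MultiPutByOffset dump above.
constexpr int invalidOffset = -1;

struct Structure {
    std::string name;                    // "%AM:Object", "%Dx:Object", ...
    std::map<std::string, int> offsets;  // property identifier -> storage offset

    int offsetOf(const std::string& identifier) const {
        auto it = offsets.find(identifier);
        return it == offsets.end() ? invalidOffset : it->second;
    }
};

struct PutCase {
    std::string structure;
    int offset;
};

// `seen` is every structure the sinking phase's lightweight interpreter collected
// for the object, including ones reachable only along an edge AI already proved
// dead. filterImpossible=false is the pre-fix behaviour; with true, structures
// that cannot hold `identifier` are dropped from the recovery data.
std::vector<PutCase> buildMultiPutByOffsetCases(const std::vector<Structure>& seen,
                                                const std::string& identifier,
                                                bool filterImpossible) {
    std::vector<PutCase> cases;
    for (const Structure& s : seen) {
        int offset = s.offsetOf(identifier);
        if (filterImpossible && offset == invalidOffset)
            continue;  // no object with this structure can reach the put at runtime
        cases.push_back({s.name, offset});
    }
    return cases;
}

// The lowering-side sanity check that the -1 offset tripped.
bool allOffsetsValid(const std::vector<PutCase>& cases) {
    for (const PutCase& c : cases)
        if (c.offset == invalidOffset)
            return false;
    return true;
}

// Reproduces the two-structure situation from the entry: %AM has no `a`,
// %Dx has `a` at offset 0.
std::vector<PutCase> casesForExample(bool filterImpossible) {
    Structure am{"%AM:Object", {}};
    Structure dx{"%Dx:Object", {{"a", 0}}};
    return buildMultiPutByOffsetCases({am, dx}, "a", filterImpossible);
}
```

Without the filter the recovery data carries the %AM case with offset -1 and the lowering check fails; with it only the %Dx case survives, which is the only one a runtime object can match.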
| |
| 2019-08-29 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: DOMDebugger: support event breakpoints in Worker contexts |
| https://bugs.webkit.org/show_bug.cgi?id=200651 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/DOMDebugger.json: |
| Make the domain available in "worker" contexts as well. |
| |
| 2019-08-29 Keith Rollin <krollin@apple.com> |
| |
| Remove 32-bit macOS support |
| https://bugs.webkit.org/show_bug.cgi?id=201282 |
| <rdar://problem/54821667> |
| |
| Reviewed by Anders Carlsson. |
| |
| WebKit doesn’t support 32-bit Mac any more, so remove checks and code |
| for that platform. |
| |
| * API/JSBase.h: |
| * runtime/VM.h: |
| |
| 2019-08-29 Keith Rollin <krollin@apple.com> |
| |
| Remove support for macOS < 10.13 (part 3) |
| https://bugs.webkit.org/show_bug.cgi?id=201224 |
| <rdar://problem/54795934> |
| |
| Reviewed by Darin Adler. |
| |
| Remove symbols in WebKitTargetConditionals.xcconfig related to macOS |
| 10.13, including WK_MACOS_1013 and WK_MACOS_BEFORE_1013, and suffixes |
| like _MACOS_SINCE_1013. |
| |
| * Configurations/WebKitTargetConditionals.xcconfig: |
| |
| 2019-08-29 Mark Lam <mark.lam@apple.com> |
| |
| Remove a bad assertion in ByteCodeParser::inlineCall(). |
| https://bugs.webkit.org/show_bug.cgi?id=201292 |
| <rdar://problem/54121659> |
| |
| Reviewed by Michael Saboff. |
| |
| In the DFG bytecode parser, we've already computed the inlining cost of a candidate |
| inlining target, and determined that it is worth inlining before invoking |
| ByteCodeParser::inlineCall(). However, in ByteCodeParser::inlineCall(), it |
| recomputes the inlining cost only for the purpose of asserting that it isn't |
| too high. |
| |
| Now consider a badly written test that does the following: |
| |
| function bar() { |
| ... |
| foo(); // Call in a hot loop here. |
| ... |
| } |
| |
| bar(); // <===== foo is inlineable into bar here. |
| noInline(foo); // <===== Change mind, and make foo not inlineable. |
| bar(); |
| |
| With this bad test, the following racy scenario can occur: |
| |
| 1. the first invocation of bar() gets hot, and a concurrent compile is kicked off. |
| 2. the compiler thread computes foo()'s inliningCost() and determines that it is |
| worthy to be inlined, and will imminently call inlineCall(). |
| 3. the mutator calls the noInline() test utility on foo(), thereby making it NOT |
| inlineable. |
| 4. the compiler thread calls inlineCall(). In inlineCall(), it re-computes the |
| inliningCost for foo() and now finds that it is not inlineable. An assertion |
| failure follows. |
| |
| Technically, the test is in error because noInline() shouldn't be used that way. |
| However, fuzzers that are not clued into noInline()'s proper usage may generate |
| code like this. |
| |
| On the other hand, ByteCodeParser::inlineCall() should not be recomputing the |
| inlining cost and asserting on it. The only reason inlineCall() is invoked is |
| because it was already previously determined that a target function is inlineable |
| based on its inlining cost. Today, in practice, I don't think we have any real |
| world condition where the mutator can affect the inlining cost of a target |
| function midway through execution. So, this assertion isn't a problem if no one |
| writes a test that abuses noInline(). However, should things change such that the |
| mutator is able to affect the inlining cost of a target function, then it is |
| incorrect for the compiler to assume that the inlining cost is immutable. Once |
| the compiler decides to inline a function, it should just follow through. |
| |
| This patch removes this assertion in ByteCodeParser::inlineCall(). It is an |
| annoyance at best (for fuzzers), and at worst, incorrect if the mutator gains the |
| ability to affect the inlining cost of a target function. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::inlineCall): |
| |
| 2019-08-28 Mark Lam <mark.lam@apple.com> |
| |
| DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks. |
| https://bugs.webkit.org/show_bug.cgi?id=201281 |
| <rdar://problem/54028228> |
| |
| Reviewed by Yusuke Suzuki and Saam Barati. |
| |
| This (see title above) is already the preferred idiom used in most places in our |
| compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's |
| compileStringCharAt(). Consider the following: |
| |
| bool prototypeChainIsSane = false; |
| if (globalObject->stringPrototypeChainIsSane()) { |
| ... |
| m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm())); |
| m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm())); |
| |
| prototypeChainIsSane = globalObject->stringPrototypeChainIsSane(); |
| } |
| |
| What's essential for correctness here is that the stringPrototype and objectPrototype |
| structures be loaded before the loads in the second stringPrototypeChainIsSane() |
| check. Without a loadLoadFence before the second stringPrototypeChainIsSane() |
| check, we can't guarantee that. Elsewhere in the compiler, the preferred idiom |
| for doing this right is to pre-load the structures first, do a loadLoadFence, and |
| then do the IsSane check just once afterwards, e.g. |
| |
| Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm); |
| Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm); |
| |
| if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences. |
| && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences. |
| && globalObject->arrayPrototypeChainIsSane()) { |
| |
| m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure); |
| m_graph.registerAndWatchStructureTransition(objectPrototypeStructure); |
| ... |
| } |
| |
| This patch changes DFG's SpeculativeJIT::compileGetByValOnString() and FTL's |
| compileStringCharAt() to follow the same idiom. |
| |
| We also fix a bad assertion in Structure::storedPrototype() and |
| Structure::storedPrototypeObject(). The assertion is only correct when those |
| methods are called from the mutator thread. The assertion has been updated to |
| only check its test condition if the current thread is the mutator thread. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileGetByValOnString): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): |
| * runtime/StructureInlines.h: |
| (JSC::Structure::storedPrototype const): |
| (JSC::Structure::storedPrototypeObject const): |
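
The two orderings contrasted above, as an added C++ sketch using std::atomic (not JSC code): Structure, GlobalObject and Decision are reduced stand-ins, loadLoadFence() is modelled as an acquire fence, and the mutator's transition is written with release stores so that the pairing with the compiler side is visible. A single-threaded run can only show the sequence of operations; it cannot exhibit the reordering the fence forbids.

```cpp
#include <atomic>

// Added sketch, not JSC code. loadLoadFence() is modelled as an acquire fence (assumption).
inline void loadLoadFence() { std::atomic_thread_fence(std::memory_order_acquire); }

struct Structure {
    std::atomic<bool> transitionWatchpointValid{true};

    // Mirrors transitionWatchpointSetIsStillValid(): load, then fence, so loads
    // issued after this call cannot be satisfied from before the load above.
    bool transitionWatchpointSetIsStillValid() const {
        bool valid = transitionWatchpointValid.load(std::memory_order_relaxed);
        loadLoadFence();
        return valid;
    }
};

struct GlobalObject {
    Structure stringPrototypeStructures[2];  // [0] current, [1] installed by a transition
    Structure objectPrototypeStructure;
    std::atomic<Structure*> stringPrototypeStructure{&stringPrototypeStructures[0]};
    std::atomic<bool> chainIsSane{true};

    bool stringPrototypeChainIsSane() const { return chainIsSane.load(std::memory_order_relaxed); }

    // Mutator side: record that the chain is no longer sane, publish the new
    // structure, and fire the old structure's watchpoint. The release stores pair
    // with the acquire fence inside the compiler's validity checks.
    void mutateStringPrototypeChain() {
        chainIsSane.store(false, std::memory_order_relaxed);
        Structure* old = stringPrototypeStructure.exchange(&stringPrototypeStructures[1], std::memory_order_release);
        old->transitionWatchpointValid.store(false, std::memory_order_release);
    }
};

struct Decision {
    bool watch;              // true: emit the fast path and watch both structures
    Structure* stringProto;  // structures whose transitions must be watched
    Structure* objectProto;
};

// Preferred idiom: load both structures first, let their validity checks fence,
// then consult the sanity flag exactly once.
Decision decideWithPrefetchedStructures(GlobalObject& g) {
    Structure* stringProto = g.stringPrototypeStructure.load(std::memory_order_relaxed);
    Structure* objectProto = &g.objectPrototypeStructure;
    if (stringProto->transitionWatchpointSetIsStillValid()
        && objectProto->transitionWatchpointSetIsStillValid()
        && g.stringPrototypeChainIsSane())
        return {true, stringProto, objectProto};
    return {false, nullptr, nullptr};
}

// The shape being replaced: sanity check, structure loads, sanity check again.
// Nothing orders the structure loads before the second sanity load here.
Decision decideWithRepeatedSanityCheck(GlobalObject& g) {
    Decision d{false, nullptr, nullptr};
    if (g.stringPrototypeChainIsSane()) {
        d.stringProto = g.stringPrototypeStructure.load(std::memory_order_relaxed);
        d.objectProto = &g.objectPrototypeStructure;
        d.watch = g.stringPrototypeChainIsSane();
    }
    return d;
}

bool watchesFreshGlobalObject() {
    GlobalObject g;
    return decideWithPrefetchedStructures(g).watch && decideWithRepeatedSanityCheck(g).watch;
}

bool refusesAfterMutation() {
    GlobalObject g;
    g.mutateStringPrototypeChain();
    Decision d = decideWithPrefetchedStructures(g);
    return !d.watch && d.stringProto == nullptr;
}
```

After the mutation the compiler reads the freshly installed structure, whose watchpoint is still valid, and it is the single sanity check after the fence that refuses the fast path; the structures it would have watched are the ones it actually loaded, which is the property the idiom is there to guarantee.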
| |
| 2019-08-28 Mark Lam <mark.lam@apple.com> |
| |
| Placate exception check validation in DFG's operationHasGenericProperty(). |
| https://bugs.webkit.org/show_bug.cgi?id=201245 |
| <rdar://problem/54777512> |
| |
| Reviewed by Robin Morisset. |
| |
| * dfg/DFGOperations.cpp: |
| |
| 2019-08-28 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Unreviewed. Restabilize non-unified build. |
| |
| * runtime/PropertySlot.h: |
| |
| 2019-08-28 Mark Lam <mark.lam@apple.com> |
| |
| Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks. |
| https://bugs.webkit.org/show_bug.cgi?id=201006 |
| <rdar://problem/52053991> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We already ensured that it is not possible to overflow in Wasm::FunctionParser's |
| parse(). It is unnecessary and misleading to do those overflow checks in |
| AirIRGenerator and B3IRGenerator. The only check that is necessary is that |
| m_locals.tryReserveCapacity() is successful, otherwise, we have an out of memory |
| situation. |
| |
| This patch changes these unnecessary checks to assertions instead. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::addLocal): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::addLocal): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::addLocal): |
| |
| 2019-08-28 Keith Rollin <krollin@apple.com> |
| |
| Remove support for macOS < 10.13 (part 2) |
| https://bugs.webkit.org/show_bug.cgi?id=201197 |
| <rdar://problem/54759985> |
| |
| Update conditionals that reference WK_MACOS_1013 and suffixes like |
| _MACOS_SINCE_1013, assuming that we're always building on 10.13 or |
| later and that these conditionals are always True or False. |
| |
| See Bug 200694 for earlier changes in this area. |
| |
| Reviewed by Darin Adler. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-08-28 Mark Lam <mark.lam@apple.com> |
| |
| Gardening: Rebase test results after r249175. |
| https://bugs.webkit.org/show_bug.cgi?id=201172 |
| |
| Not reviewed. |
| |
| * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: |
| * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result: |
| |
| 2019-08-27 Michael Saboff <msaboff@apple.com> |
| |
| Update PACCage changes for builds without Gigacage, but with signed pointers |
| https://bugs.webkit.org/show_bug.cgi?id=201202 |
| |
| Reviewed by Saam Barati. |
| |
| Factored out the untagging of pointers and added that to both the Gigacage enabled |
| and disabled code paths. Did this for the LLInt as well as the JITs. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: Added arm64e.rb to offlineasm file list. |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| * llint/LowLevelInterpreter64.asm: |
| |
| 2019-08-27 Mark Lam <mark.lam@apple.com> |
| |
| Refactor to use VM& instead of VM* at as many places as possible. |
| https://bugs.webkit.org/show_bug.cgi?id=201172 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Using VM& documents more clearly that the VM pointer is expected to never be null |
| in most cases. There are a few places where it can be null (e.g. JSLock, and |
| DFG::Plan). Those will be left using a VM*. |
| |
| Also converted some uses of ExecState* to using VM& instead since the ExecState* |
| is only there to fetch the VM pointer. Doing this also reduces the number of |
| times we have to compute VM* from ExecState*. |
| |
| This patch is not exhaustive in converting to use VM&, but applies the change to |
| many commonly used pieces of code for a start. |
| |
| Also fixed a missing exception check in JSString::toIdentifier() and |
| JSValue::toPropertyKey() exposed by this patch. |
| |
| * API/APICast.h: |
| (toJS): |
| * API/JSAPIGlobalObject.mm: |
| (JSC::JSAPIGlobalObject::moduleLoaderResolve): |
| (JSC::JSAPIGlobalObject::moduleLoaderImportModule): |
| (JSC::JSAPIGlobalObject::moduleLoaderFetch): |
| (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties): |
| (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule): |
| * API/JSCallbackConstructor.cpp: |
| (JSC::JSCallbackConstructor::finishCreation): |
| * API/JSCallbackObjectFunctions.h: |
| (JSC::JSCallbackObject<Parent>::asCallbackObject): |
| (JSC::JSCallbackObject<Parent>::~JSCallbackObject): |
| (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex): |
| (JSC::JSCallbackObject<Parent>::putByIndex): |
| (JSC::JSCallbackObject<Parent>::deletePropertyByIndex): |
| (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames): |
| * API/JSContext.mm: |
| (-[JSContext dependencyIdentifiersForModuleJSScript:]): |
| * API/JSObjectRef.cpp: |
| (JSObjectMakeFunction): |
| (classInfoPrivate): |
| (JSObjectGetPrivate): |
| (JSObjectSetPrivate): |
| (JSObjectCopyPropertyNames): |
| (JSPropertyNameAccumulatorAddName): |
| (JSObjectGetProxyTarget): |
| * API/JSScriptRef.cpp: |
| (parseScript): |
| * API/JSValueRef.cpp: |
| (JSValueMakeString): |
| * API/OpaqueJSString.cpp: |
| (OpaqueJSString::identifier const): |
| * API/glib/JSCContext.cpp: |
| (jsc_context_check_syntax): |
| * KeywordLookupGenerator.py: |
| (Trie.printSubTreeAsC): |
| * Scripts/wkbuiltins/builtins_generate_wrapper_header.py: |
| (BuiltinsWrapperHeaderGenerator.generate_constructor): |
| * Scripts/wkbuiltins/builtins_templates.py: |
| * bindings/ScriptFunctionCall.cpp: |
| (Deprecated::ScriptCallArgumentHandler::appendArgument): |
| (Deprecated::ScriptFunctionCall::call): |
| * bindings/ScriptValue.cpp: |
| (Inspector::jsToInspectorValue): |
| * builtins/BuiltinExecutables.cpp: |
| (JSC::BuiltinExecutables::createExecutable): |
| * builtins/BuiltinNames.cpp: |
| (JSC::BuiltinNames::BuiltinNames): |
| * builtins/BuiltinNames.h: |
| (JSC::BuiltinNames::getPublicName const): |
| * bytecode/BytecodeDumper.cpp: |
| (JSC::BytecodeDumper<Block>::vm const): |
| * bytecode/BytecodeDumper.h: |
| * bytecode/BytecodeGeneratorification.cpp: |
| (JSC::BytecodeGeneratorification::BytecodeGeneratorification): |
| (JSC::BytecodeGeneratorification::storageForGeneratorLocal): |
| (JSC::BytecodeGeneratorification::run): |
| * bytecode/BytecodeIntrinsicRegistry.cpp: |
| (JSC::BytecodeIntrinsicRegistry::sentinelMapBucketValue): |
| (JSC::BytecodeIntrinsicRegistry::sentinelSetBucketValue): |
| * bytecode/CallVariant.h: |
| (JSC::CallVariant::internalFunction const): |
| (JSC::CallVariant::function const): |
| (JSC::CallVariant::isClosureCall const): |
| (JSC::CallVariant::executable const): |
| (JSC::CallVariant::functionExecutable const): |
| (JSC::CallVariant::nativeExecutable const): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::dumpSource): |
| (JSC::CodeBlock::CodeBlock): |
| (JSC::CodeBlock::setConstantIdentifierSetRegisters): |
| (JSC::CodeBlock::setNumParameters): |
| (JSC::CodeBlock::finalizeBaselineJITInlineCaches): |
| (JSC::CodeBlock::unlinkIncomingCalls): |
| (JSC::CodeBlock::replacement): |
| (JSC::CodeBlock::computeCapabilityLevel): |
| (JSC::CodeBlock::noticeIncomingCall): |
| (JSC::CodeBlock::nameForRegister): |
| (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::vm const): |
| (JSC::CodeBlock::numberOfArgumentValueProfiles): |
| (JSC::CodeBlock::valueProfileForArgument): |
| * bytecode/DeferredSourceDump.cpp: |
| (JSC::DeferredSourceDump::DeferredSourceDump): |
| * bytecode/EvalCodeBlock.h: |
| * bytecode/FunctionCodeBlock.h: |
| * bytecode/GetByIdStatus.cpp: |
| (JSC::GetByIdStatus::computeFromLLInt): |
| * bytecode/GlobalCodeBlock.h: |
| (JSC::GlobalCodeBlock::GlobalCodeBlock): |
| * bytecode/ModuleProgramCodeBlock.h: |
| * bytecode/ObjectAllocationProfileInlines.h: |
| (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount): |
| * bytecode/PolyProtoAccessChain.cpp: |
| (JSC::PolyProtoAccessChain::create): |
| * bytecode/ProgramCodeBlock.h: |
| * bytecode/PropertyCondition.cpp: |
| (JSC::PropertyCondition::isWatchableWhenValid const): |
| * bytecode/PutByIdStatus.cpp: |
| (JSC::PutByIdStatus::computeFromLLInt): |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::initGetByIdSelf): |
| (JSC::StructureStubInfo::initPutByIdReplace): |
| (JSC::StructureStubInfo::initInByIdSelf): |
| (JSC::StructureStubInfo::addAccessCase): |
| (JSC::StructureStubInfo::visitWeakReferences): |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::addSetConstant): |
| (JSC::UnlinkedCodeBlock::addConstant): |
| (JSC::UnlinkedCodeBlock::addFunctionDecl): |
| (JSC::UnlinkedCodeBlock::addFunctionExpr): |
| * bytecode/UnlinkedEvalCodeBlock.h: |
| * bytecode/UnlinkedFunctionCodeBlock.h: |
| * bytecode/UnlinkedFunctionExecutable.cpp: |
| (JSC::generateUnlinkedFunctionCodeBlock): |
| (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): |
| * bytecode/UnlinkedFunctionExecutable.h: |
| * bytecode/UnlinkedGlobalCodeBlock.h: |
| (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): |
| * bytecode/UnlinkedModuleProgramCodeBlock.h: |
| * bytecode/UnlinkedProgramCodeBlock.h: |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::BytecodeGenerator): |
| (JSC::BytecodeGenerator::pushLexicalScopeInternal): |
| (JSC::BytecodeGenerator::emitDirectPutById): |
| (JSC::BytecodeGenerator::getVariablesUnderTDZ): |
| (JSC::BytecodeGenerator::addBigIntConstant): |
| (JSC::BytecodeGenerator::addTemplateObjectConstant): |
| (JSC::BytecodeGenerator::emitNewDefaultConstructor): |
| (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::vm const): |
| (JSC::BytecodeGenerator::propertyNames const): |
| (JSC::BytecodeGenerator::emitNodeInTailPosition): |
| (JSC::BytecodeGenerator::emitDefineClassElements): |
| (JSC::BytecodeGenerator::emitNodeInConditionContext): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::RegExpNode::emitBytecode): |
| (JSC::ArrayNode::emitBytecode): |
| (JSC::FunctionCallResolveNode::emitBytecode): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate): |
| (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject): |
| (JSC::InstanceOfNode::emitBytecode): |
| * debugger/Debugger.cpp: |
| * debugger/DebuggerParseData.cpp: |
| (JSC::gatherDebuggerParseData): |
| * debugger/DebuggerScope.cpp: |
| (JSC::DebuggerScope::next): |
| (JSC::DebuggerScope::name const): |
| (JSC::DebuggerScope::location const): |
| * dfg/DFGDesiredIdentifiers.cpp: |
| (JSC::DFG::DesiredIdentifiers::reallyAdd): |
| * dfg/DFGDesiredWatchpoints.cpp: |
| (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add): |
| (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add): |
| * dfg/DFGFrozenValue.h: |
| (JSC::DFG::FrozenValue::FrozenValue): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::canOptimizeStringObjectAccess): |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::linkOSRExits): |
| (JSC::DFG::JITCompiler::compileExceptionHandlers): |
| (JSC::DFG::JITCompiler::link): |
| (JSC::DFG::emitStackOverflowCheck): |
| (JSC::DFG::JITCompiler::compileFunction): |
| (JSC::DFG::JITCompiler::exceptionCheck): |
| (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer): |
| * dfg/DFGJITCompiler.h: |
| (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback): |
| (JSC::DFG::JITCompiler::fastExceptionCheck): |
| (JSC::DFG::JITCompiler::vm): |
| * dfg/DFGLazyJSValue.cpp: |
| (JSC::DFG::LazyJSValue::getValue const): |
| (JSC::DFG::LazyJSValue::emit const): |
| * dfg/DFGOSREntry.cpp: |
| (JSC::DFG::prepareOSREntry): |
| * dfg/DFGOSRExit.cpp: |
| (JSC::DFG::OSRExit::compileOSRExit): |
| (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): |
| * dfg/DFGOSRExitCompilerCommon.h: |
| (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk): |
| * dfg/DFGOperations.cpp: |
| (JSC::DFG::newTypedArrayWithSize): |
| (JSC::DFG::binaryOp): |
| (JSC::DFG::bitwiseBinaryOp): |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::Plan): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): |
| (JSC::DFG::SpeculativeJIT::compileStringSlice): |
| (JSC::DFG::SpeculativeJIT::compileCurrentBlock): |
| (JSC::DFG::SpeculativeJIT::compileCheckTraps): |
| (JSC::DFG::SpeculativeJIT::compileGetByValOnString): |
| (JSC::DFG::SpeculativeJIT::compileFromCharCode): |
| (JSC::DFG::SpeculativeJIT::compileStringZeroLength): |
| (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther): |
| (JSC::DFG::SpeculativeJIT::emitStringBranch): |
| (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch): |
| (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): |
| (JSC::DFG::SpeculativeJIT::compileGetGlobalObject): |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| (JSC::DFG::SpeculativeJIT::compileCreateActivation): |
| (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): |
| (JSC::DFG::SpeculativeJIT::compileSpread): |
| (JSC::DFG::SpeculativeJIT::compileNewArray): |
| (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread): |
| (JSC::DFG::SpeculativeJIT::compileArraySlice): |
| (JSC::DFG::SpeculativeJIT::compileArrayPush): |
| (JSC::DFG::SpeculativeJIT::compileTypeOf): |
| (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): |
| (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): |
| (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly): |
| (JSC::DFG::SpeculativeJIT::compileCallDOMGetter): |
| (JSC::DFG::SpeculativeJIT::compileCheckSubClass): |
| (JSC::DFG::SpeculativeJIT::compileNewStringObject): |
| (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): |
| (JSC::DFG::SpeculativeJIT::compileNewRegexp): |
| (JSC::DFG::SpeculativeJIT::compileStoreBarrier): |
| (JSC::DFG::SpeculativeJIT::compileStringReplace): |
| (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject): |
| (JSC::DFG::SpeculativeJIT::emitAllocateButterfly): |
| (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext): |
| (JSC::DFG::SpeculativeJIT::compileObjectKeys): |
| (JSC::DFG::SpeculativeJIT::compileCreateThis): |
| (JSC::DFG::SpeculativeJIT::compileNewObject): |
| (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue): |
| (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail): |
| (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf): |
| (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): |
| (JSC::DFG::SpeculativeJIT::compileProfileType): |
| (JSC::DFG::SpeculativeJIT::compileMakeRope): |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::vm): |
| (JSC::DFG::SpeculativeJIT::prepareForExternalCall): |
| (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize): |
| (JSC::DFG::SpeculativeJIT::emitAllocateJSObject): |
| (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject): |
| (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| (JSC::DFG::SpeculativeJIT::compileLogicalNot): |
| (JSC::DFG::SpeculativeJIT::emitBranch): |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined): |
| (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined): |
| (JSC::DFG::SpeculativeJIT::emitCall): |
| (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): |
| (JSC::DFG::SpeculativeJIT::compileLogicalNot): |
| (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): |
| (JSC::DFG::SpeculativeJIT::emitBranch): |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGThunks.cpp: |
| (JSC::DFG::osrExitThunkGenerator): |
| (JSC::DFG::osrExitGenerationThunkGenerator): |
| (JSC::DFG::osrEntryThunkGenerator): |
| * dfg/DFGThunks.h: |
| * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: |
| (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete): |
| * dfg/DFGWorklist.cpp: |
| (JSC::DFG::Worklist::visitWeakReferences): |
| * dynbench.cpp: |
| (main): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope): |
| (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice): |
| (JSC::FTL::DFG::LowerDFGToB3::boolify): |
| * ftl/FTLThunks.cpp: |
| (JSC::FTL::genericGenerationThunkGenerator): |
| (JSC::FTL::osrExitGenerationThunkGenerator): |
| (JSC::FTL::lazySlowPathGenerationThunkGenerator): |
| * ftl/FTLThunks.h: |
| * heap/CellContainer.h: |
| * heap/CellContainerInlines.h: |
| (JSC::CellContainer::vm const): |
| (JSC::CellContainer::heap const): |
| * heap/CompleteSubspace.cpp: |
| (JSC::CompleteSubspace::tryAllocateSlow): |
| (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual): |
| * heap/GCActivityCallback.h: |
| * heap/GCAssertions.h: |
| * heap/HandleSet.cpp: |
| (JSC::HandleSet::HandleSet): |
| * heap/HandleSet.h: |
| (JSC::HandleSet::vm): |
| * heap/Heap.cpp: |
| (JSC::Heap::Heap): |
| (JSC::Heap::lastChanceToFinalize): |
| (JSC::Heap::releaseDelayedReleasedObjects): |
| (JSC::Heap::protect): |
| (JSC::Heap::unprotect): |
| (JSC::Heap::finalizeMarkedUnconditionalFinalizers): |
| (JSC::Heap::finalizeUnconditionalFinalizers): |
| (JSC::Heap::completeAllJITPlans): |
| (JSC::Heap::iterateExecutingAndCompilingCodeBlocks): |
| (JSC::Heap::gatherJSStackRoots): |
| (JSC::Heap::gatherScratchBufferRoots): |
| (JSC::Heap::removeDeadCompilerWorklistEntries): |
| (JSC::Heap::isAnalyzingHeap const): |
| (JSC::Heap::gatherExtraHeapData): |
| (JSC::Heap::protectedObjectTypeCounts): |
| (JSC::Heap::objectTypeCounts): |
| (JSC::Heap::deleteAllCodeBlocks): |
| (JSC::Heap::deleteAllUnlinkedCodeBlocks): |
| (JSC::Heap::deleteUnmarkedCompiledCode): |
| (JSC::Heap::checkConn): |
| (JSC::Heap::runEndPhase): |
| (JSC::Heap::stopThePeriphery): |
| (JSC::Heap::finalize): |
| (JSC::Heap::requestCollection): |
| (JSC::Heap::sweepInFinalize): |
| (JSC::Heap::sweepArrayBuffers): |
| (JSC::Heap::deleteSourceProviderCaches): |
| (JSC::Heap::didFinishCollection): |
| (JSC::Heap::addCoreConstraints): |
| * heap/Heap.h: |
| * heap/HeapCell.h: |
| * heap/HeapCellInlines.h: |
| (JSC::HeapCell::heap const): |
| (JSC::HeapCell::vm const): |
| * heap/HeapInlines.h: |
| (JSC::Heap::vm const): |
| * heap/IsoSubspacePerVM.cpp: |
| (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace): |
| * heap/LargeAllocation.cpp: |
| (JSC::LargeAllocation::sweep): |
| (JSC::LargeAllocation::assertValidCell const): |
| * heap/LargeAllocation.h: |
| (JSC::LargeAllocation::vm const): |
| * heap/LocalAllocator.cpp: |
| (JSC::LocalAllocator::allocateSlowCase): |
| * heap/MarkedBlock.cpp: |
| (JSC::MarkedBlock::Handle::Handle): |
| (JSC::MarkedBlock::aboutToMarkSlow): |
| (JSC::MarkedBlock::assertMarksNotStale): |
| (JSC::MarkedBlock::areMarksStale): |
| (JSC::MarkedBlock::isMarked): |
| (JSC::MarkedBlock::assertValidCell const): |
| * heap/MarkedBlock.h: |
| (JSC::MarkedBlock::Handle::vm const): |
| (JSC::MarkedBlock::vm const): |
| * heap/MarkedBlockInlines.h: |
| (JSC::MarkedBlock::heap const): |
| (JSC::MarkedBlock::Handle::specializedSweep): |
| * heap/SlotVisitor.cpp: |
| (JSC::validate): |
| * heap/SlotVisitorInlines.h: |
| (JSC::SlotVisitor::vm): |
| (JSC::SlotVisitor::vm const): |
| * heap/StopIfNecessaryTimer.cpp: |
| (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer): |
| * heap/StopIfNecessaryTimer.h: |
| * heap/Strong.h: |
| (JSC::Strong::operator=): |
| * heap/WeakSet.h: |
| (JSC::WeakSet::WeakSet): |
| (JSC::WeakSet::vm const): |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::savedResultAlias const): |
| (Inspector::JSInjectedScriptHost::internalConstructorName): |
| (Inspector::JSInjectedScriptHost::subtype): |
| (Inspector::JSInjectedScriptHost::functionDetails): |
| (Inspector::constructInternalProperty): |
| (Inspector::JSInjectedScriptHost::getInternalProperties): |
| (Inspector::JSInjectedScriptHost::weakMapEntries): |
| (Inspector::JSInjectedScriptHost::weakSetEntries): |
| (Inspector::JSInjectedScriptHost::iteratorEntries): |
| (Inspector::JSInjectedScriptHost::queryInstances): |
| (Inspector::JSInjectedScriptHost::queryHolders): |
| * inspector/JSJavaScriptCallFrame.cpp: |
| (Inspector::valueForScopeLocation): |
| (Inspector::JSJavaScriptCallFrame::scopeDescriptions): |
| (Inspector::JSJavaScriptCallFrame::functionName const): |
| (Inspector::JSJavaScriptCallFrame::type const): |
| * inspector/ScriptCallStackFactory.cpp: |
| (Inspector::extractSourceInformationFromException): |
| * inspector/agents/InspectorAuditAgent.cpp: |
| (Inspector::InspectorAuditAgent::populateAuditObject): |
| * inspector/agents/InspectorHeapAgent.cpp: |
| (Inspector::InspectorHeapAgent::gc): |
| * interpreter/FrameTracers.h: |
| (JSC::NativeCallFrameTracer::NativeCallFrameTracer): |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::executeProgram): |
| (JSC::Interpreter::prepareForRepeatCall): |
| (JSC::Interpreter::execute): |
| (JSC::Interpreter::executeModuleProgram): |
| * interpreter/StackVisitor.cpp: |
| (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding): |
| (JSC::StackVisitor::Frame::computeLineAndColumn const): |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::emitDumbVirtualCall): |
| (JSC::AssemblyHelpers::emitConvertValueToBoolean): |
| (JSC::AssemblyHelpers::branchIfValue): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::vm): |
| * jit/JIT.cpp: |
| (JSC::JIT::JIT): |
| (JSC::JIT::emitEnterOptimizationCheck): |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileExceptionHandlers): |
| * jit/JIT.h: |
| * jit/JITCall.cpp: |
| (JSC::JIT::compileCallEvalSlowCase): |
| * jit/JITCall32_64.cpp: |
| (JSC::JIT::compileCallEvalSlowCase): |
| * jit/JITExceptions.cpp: |
| (JSC::genericUnwind): |
| * jit/JITExceptions.h: |
| * jit/JITInlineCacheGenerator.cpp: |
| (JSC::JITGetByIdGenerator::JITGetByIdGenerator): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_is_undefined): |
| (JSC::JIT::emit_op_jfalse): |
| (JSC::JIT::emit_op_jeq_null): |
| (JSC::JIT::emit_op_jneq_null): |
| (JSC::JIT::emit_op_jtrue): |
| (JSC::JIT::emit_op_throw): |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_eq_null): |
| (JSC::JIT::emit_op_neq_null): |
| (JSC::JIT::emitSlow_op_loop_hint): |
| (JSC::JIT::emit_op_log_shadow_chicken_prologue): |
| (JSC::JIT::emit_op_log_shadow_chicken_tail): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_jfalse): |
| (JSC::JIT::emit_op_jtrue): |
| (JSC::JIT::emit_op_throw): |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_log_shadow_chicken_prologue): |
| (JSC::JIT::emit_op_log_shadow_chicken_tail): |
| * jit/JITOperations.cpp: |
| (JSC::operationNewFunctionCommon): |
| (JSC::tryGetByValOptimize): |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitWriteBarrier): |
| * jit/JITThunks.cpp: |
| (JSC::JITThunks::ctiNativeCall): |
| (JSC::JITThunks::ctiNativeConstruct): |
| (JSC::JITThunks::ctiNativeTailCall): |
| (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags): |
| (JSC::JITThunks::ctiInternalFunctionCall): |
| (JSC::JITThunks::ctiInternalFunctionConstruct): |
| (JSC::JITThunks::ctiStub): |
| (JSC::JITThunks::hostFunctionStub): |
| * jit/JITThunks.h: |
| * jit/JITWorklist.cpp: |
| (JSC::JITWorklist::Plan::vm): |
| (JSC::JITWorklist::completeAllForVM): |
| (JSC::JITWorklist::poll): |
| (JSC::JITWorklist::compileLater): |
| (JSC::JITWorklist::compileNow): |
| * jit/Repatch.cpp: |
| (JSC::readPutICCallTarget): |
| (JSC::ftlThunkAwareRepatchCall): |
| (JSC::linkSlowFor): |
| (JSC::linkFor): |
| (JSC::linkDirectFor): |
| (JSC::revertCall): |
| (JSC::unlinkFor): |
| (JSC::linkVirtualFor): |
| (JSC::linkPolymorphicCall): |
| * jit/SpecializedThunkJIT.h: |
| (JSC::SpecializedThunkJIT::SpecializedThunkJIT): |
| * jit/ThunkGenerator.h: |
| * jit/ThunkGenerators.cpp: |
| (JSC::throwExceptionFromCallSlowPathGenerator): |
| (JSC::slowPathFor): |
| (JSC::linkCallThunkGenerator): |
| (JSC::linkPolymorphicCallThunkGenerator): |
| (JSC::virtualThunkFor): |
| (JSC::nativeForGenerator): |
| (JSC::nativeCallGenerator): |
| (JSC::nativeTailCallGenerator): |
| (JSC::nativeTailCallWithoutSavedTagsGenerator): |
| (JSC::nativeConstructGenerator): |
| (JSC::internalFunctionCallGenerator): |
| (JSC::internalFunctionConstructGenerator): |
| (JSC::arityFixupGenerator): |
| (JSC::unreachableGenerator): |
| (JSC::stringGetByValGenerator): |
| (JSC::charToString): |
| (JSC::charCodeAtThunkGenerator): |
| (JSC::charAtThunkGenerator): |
| (JSC::fromCharCodeThunkGenerator): |
| (JSC::clz32ThunkGenerator): |
| (JSC::sqrtThunkGenerator): |
| (JSC::floorThunkGenerator): |
| (JSC::ceilThunkGenerator): |
| (JSC::truncThunkGenerator): |
| (JSC::roundThunkGenerator): |
| (JSC::expThunkGenerator): |
| (JSC::logThunkGenerator): |
| (JSC::absThunkGenerator): |
| (JSC::imulThunkGenerator): |
| (JSC::randomThunkGenerator): |
| (JSC::boundThisNoArgsFunctionCallGenerator): |
| * jit/ThunkGenerators.h: |
| * jsc.cpp: |
| (GlobalObject::finishCreation): |
| (GlobalObject::addFunction): |
| (GlobalObject::moduleLoaderImportModule): |
| (GlobalObject::moduleLoaderResolve): |
| (GlobalObject::moduleLoaderCreateImportMetaProperties): |
| (functionDescribe): |
| (functionDescribeArray): |
| (JSCMemoryFootprint::addProperty): |
| (functionRun): |
| (functionRunString): |
| (functionReadFile): |
| (functionCallerSourceOrigin): |
| (functionReadline): |
| (functionDollarCreateRealm): |
| (functionDollarEvalScript): |
| (functionDollarAgentGetReport): |
| (functionWaitForReport): |
| (functionJSCOptions): |
| (functionCheckModuleSyntax): |
| (functionGenerateHeapSnapshotForGCDebugging): |
| (functionWebAssemblyMemoryMode): |
| (dumpException): |
| (checkUncaughtException): |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| (JSC::LLInt::handleHostCall): |
| * parser/ASTBuilder.h: |
| (JSC::ASTBuilder::ASTBuilder): |
| (JSC::ASTBuilder::createResolve): |
| (JSC::ASTBuilder::createGetterOrSetterProperty): |
| (JSC::ASTBuilder::createProperty): |
| (JSC::ASTBuilder::createFuncDeclStatement): |
| (JSC::ASTBuilder::makeFunctionCallNode): |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::Lexer): |
| (JSC::Lexer<LChar>::parseIdentifier): |
| (JSC::Lexer<UChar>::parseIdentifier): |
| * parser/Lexer.h: |
| (JSC::Lexer<T>::lexExpectIdentifier): |
| * parser/ModuleAnalyzer.cpp: |
| (JSC::ModuleAnalyzer::ModuleAnalyzer): |
| * parser/ModuleAnalyzer.h: |
| (JSC::ModuleAnalyzer::vm): |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::Parser): |
| (JSC::Parser<LexerType>::parseInner): |
| (JSC::Parser<LexerType>::isArrowFunctionParameters): |
| (JSC::Parser<LexerType>::parseSourceElements): |
| (JSC::Parser<LexerType>::parseModuleSourceElements): |
| (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements): |
| (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements): |
| (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements): |
| (JSC::Parser<LexerType>::parseSingleFunction): |
| (JSC::Parser<LexerType>::parseStatementListItem): |
| (JSC::Parser<LexerType>::parseObjectRestAssignmentElement): |
| (JSC::Parser<LexerType>::parseAssignmentElement): |
| (JSC::Parser<LexerType>::parseDestructuringPattern): |
| (JSC::Parser<LexerType>::parseForStatement): |
| (JSC::Parser<LexerType>::parseBreakStatement): |
| (JSC::Parser<LexerType>::parseContinueStatement): |
| (JSC::Parser<LexerType>::parseStatement): |
| (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement): |
| (JSC::Parser<LexerType>::createGeneratorParameters): |
| (JSC::Parser<LexerType>::parseFunctionInfo): |
| (JSC::Parser<LexerType>::parseFunctionDeclaration): |
| (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration): |
| (JSC::Parser<LexerType>::parseClassDeclaration): |
| (JSC::Parser<LexerType>::parseClass): |
| (JSC::Parser<LexerType>::parseImportClauseItem): |
| (JSC::Parser<LexerType>::parseImportDeclaration): |
| (JSC::Parser<LexerType>::parseExportSpecifier): |
| (JSC::Parser<LexerType>::parseExportDeclaration): |
| (JSC::Parser<LexerType>::parseAssignmentExpression): |
| (JSC::Parser<LexerType>::parseProperty): |
| (JSC::Parser<LexerType>::parseGetterSetter): |
| (JSC::Parser<LexerType>::parseObjectLiteral): |
| (JSC::Parser<LexerType>::parseStrictObjectLiteral): |
| (JSC::Parser<LexerType>::parseClassExpression): |
| (JSC::Parser<LexerType>::parseFunctionExpression): |
| (JSC::Parser<LexerType>::parseAsyncFunctionExpression): |
| (JSC::Parser<LexerType>::parsePrimaryExpression): |
| (JSC::Parser<LexerType>::parseMemberExpression): |
| (JSC::Parser<LexerType>::parseArrowFunctionExpression): |
| (JSC::Parser<LexerType>::parseUnaryExpression): |
| * parser/Parser.h: |
| (JSC::isArguments): |
| (JSC::isEval): |
| (JSC::isEvalOrArgumentsIdentifier): |
| (JSC::Scope::Scope): |
| (JSC::Scope::declareParameter): |
| (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded): |
| (JSC::Scope::collectFreeVariables): |
| (JSC::Parser::canRecurse): |
| (JSC::parse): |
| (JSC::parseFunctionForFunctionConstructor): |
| * parser/ParserArena.h: |
| (JSC::IdentifierArena::makeIdentifier): |
| (JSC::IdentifierArena::makeEmptyIdentifier): |
| (JSC::IdentifierArena::makeIdentifierLCharFromUChar): |
| (JSC::IdentifierArena::makeNumericIdentifier): |
| * parser/SyntaxChecker.h: |
| (JSC::SyntaxChecker::SyntaxChecker): |
| (JSC::SyntaxChecker::createProperty): |
| (JSC::SyntaxChecker::createGetterOrSetterProperty): |
| * profiler/ProfilerBytecode.cpp: |
| (JSC::Profiler::Bytecode::toJS const): |
| * profiler/ProfilerBytecodeSequence.cpp: |
| (JSC::Profiler::BytecodeSequence::addSequenceProperties const): |
| * profiler/ProfilerBytecodes.cpp: |
| (JSC::Profiler::Bytecodes::toJS const): |
| * profiler/ProfilerCompilation.cpp: |
| (JSC::Profiler::Compilation::toJS const): |
| * profiler/ProfilerCompiledBytecode.cpp: |
| (JSC::Profiler::CompiledBytecode::toJS const): |
| * profiler/ProfilerEvent.cpp: |
| (JSC::Profiler::Event::toJS const): |
| * profiler/ProfilerOSRExit.cpp: |
| (JSC::Profiler::OSRExit::toJS const): |
| * profiler/ProfilerOSRExitSite.cpp: |
| (JSC::Profiler::OSRExitSite::toJS const): |
| * profiler/ProfilerUID.cpp: |
| (JSC::Profiler::UID::toJS const): |
| * runtime/AbstractModuleRecord.cpp: |
| (JSC::AbstractModuleRecord::finishCreation): |
| (JSC::AbstractModuleRecord::hostResolveImportedModule): |
| (JSC::AbstractModuleRecord::resolveExportImpl): |
| (JSC::getExportedNames): |
| (JSC::AbstractModuleRecord::getModuleNamespace): |
| * runtime/ArrayBufferNeuteringWatchpointSet.cpp: |
| (JSC::ArrayBufferNeuteringWatchpointSet::fireAll): |
| * runtime/ArrayIteratorPrototype.cpp: |
| (JSC::ArrayIteratorPrototype::finishCreation): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::fastJoin): |
| (JSC::arrayProtoFuncToLocaleString): |
| (JSC::slowJoin): |
| (JSC::arrayProtoFuncJoin): |
| (JSC::arrayProtoFuncPush): |
| * runtime/AsyncFunctionPrototype.cpp: |
| (JSC::AsyncFunctionPrototype::finishCreation): |
| * runtime/AsyncGeneratorFunctionPrototype.cpp: |
| (JSC::AsyncGeneratorFunctionPrototype::finishCreation): |
| * runtime/AsyncGeneratorPrototype.cpp: |
| (JSC::AsyncGeneratorPrototype::finishCreation): |
| * runtime/AtomicsObject.cpp: |
| (JSC::AtomicsObject::finishCreation): |
| (JSC::atomicsFuncWait): |
| (JSC::operationAtomicsAdd): |
| (JSC::operationAtomicsAnd): |
| (JSC::operationAtomicsCompareExchange): |
| (JSC::operationAtomicsExchange): |
| (JSC::operationAtomicsIsLockFree): |
| (JSC::operationAtomicsLoad): |
| (JSC::operationAtomicsOr): |
| (JSC::operationAtomicsStore): |
| (JSC::operationAtomicsSub): |
| (JSC::operationAtomicsXor): |
| * runtime/BigIntPrototype.cpp: |
| (JSC::BigIntPrototype::finishCreation): |
| (JSC::bigIntProtoFuncToString): |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedUniquedStringImplBase::decode const): |
| (JSC::CachedIdentifier::decode const): |
| (JSC::CachedJSValue::decode const): |
| * runtime/CodeCache.cpp: |
| (JSC::CodeCacheMap::pruneSlowCase): |
| (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): |
| * runtime/CodeCache.h: |
| (JSC::generateUnlinkedCodeBlockImpl): |
| * runtime/CommonIdentifiers.cpp: |
| (JSC::CommonIdentifiers::CommonIdentifiers): |
| * runtime/CommonIdentifiers.h: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/Completion.cpp: |
| (JSC::checkSyntaxInternal): |
| (JSC::checkModuleSyntax): |
| (JSC::loadAndEvaluateModule): |
| (JSC::loadModule): |
| * runtime/DateConstructor.cpp: |
| (JSC::callDate): |
| * runtime/DatePrototype.cpp: |
| (JSC::formatLocaleDate): |
| (JSC::formateDateInstance): |
| (JSC::DatePrototype::finishCreation): |
| (JSC::dateProtoFuncToISOString): |
| * runtime/Error.cpp: |
| (JSC::addErrorInfo): |
| * runtime/ErrorInstance.cpp: |
| (JSC::appendSourceToError): |
| (JSC::ErrorInstance::finishCreation): |
| (JSC::ErrorInstance::materializeErrorInfoIfNeeded): |
| * runtime/ErrorPrototype.cpp: |
| (JSC::ErrorPrototype::finishCreation): |
| (JSC::errorProtoFuncToString): |
| * runtime/ExceptionHelpers.cpp: |
| (JSC::TerminatedExecutionError::defaultValue): |
| * runtime/FunctionPrototype.cpp: |
| (JSC::functionProtoFuncToString): |
| * runtime/FunctionRareData.cpp: |
| (JSC::FunctionRareData::clear): |
| * runtime/GeneratorFunctionPrototype.cpp: |
| (JSC::GeneratorFunctionPrototype::finishCreation): |
| * runtime/GeneratorPrototype.cpp: |
| (JSC::GeneratorPrototype::finishCreation): |
| * runtime/GenericArgumentsInlines.h: |
| (JSC::GenericArguments<Type>::getOwnPropertyNames): |
| * runtime/GetterSetter.h: |
| * runtime/Identifier.cpp: |
| (JSC::Identifier::add): |
| (JSC::Identifier::add8): |
| (JSC::Identifier::from): |
| (JSC::Identifier::checkCurrentAtomStringTable): |
| * runtime/Identifier.h: |
| (JSC::Identifier::fromString): |
| (JSC::Identifier::createLCharFromUChar): |
| (JSC::Identifier::Identifier): |
| (JSC::Identifier::add): |
| * runtime/IdentifierInlines.h: |
| (JSC::Identifier::Identifier): |
| (JSC::Identifier::add): |
| (JSC::Identifier::fromUid): |
| (JSC::Identifier::fromString): |
| (JSC::identifierToJSValue): |
| (JSC::identifierToSafePublicJSValue): |
| * runtime/InternalFunction.cpp: |
| (JSC::InternalFunction::finishCreation): |
| * runtime/IntlCollator.cpp: |
| (JSC::IntlCollator::resolvedOptions): |
| * runtime/IntlCollatorPrototype.cpp: |
| (JSC::IntlCollatorPrototype::finishCreation): |
| * runtime/IntlDateTimeFormat.cpp: |
| (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate): |
| (JSC::IntlDateTimeFormat::resolvedOptions): |
| (JSC::IntlDateTimeFormat::format): |
| (JSC::IntlDateTimeFormat::formatToParts): |
| * runtime/IntlDateTimeFormatPrototype.cpp: |
| (JSC::IntlDateTimeFormatPrototype::finishCreation): |
| * runtime/IntlNumberFormat.cpp: |
| (JSC::IntlNumberFormat::initializeNumberFormat): |
| (JSC::IntlNumberFormat::formatNumber): |
| (JSC::IntlNumberFormat::resolvedOptions): |
| (JSC::IntlNumberFormat::formatToParts): |
| * runtime/IntlNumberFormatPrototype.cpp: |
| (JSC::IntlNumberFormatPrototype::finishCreation): |
| * runtime/IntlObject.cpp: |
| (JSC::lookupSupportedLocales): |
| (JSC::supportedLocales): |
| (JSC::intlObjectFuncGetCanonicalLocales): |
| * runtime/IntlPluralRules.cpp: |
| (JSC::IntlPluralRules::initializePluralRules): |
| (JSC::IntlPluralRules::resolvedOptions): |
| (JSC::IntlPluralRules::select): |
| * runtime/IntlPluralRulesPrototype.cpp: |
| (JSC::IntlPluralRulesPrototype::finishCreation): |
| * runtime/JSArray.h: |
| (JSC::asArray): |
| (JSC::isJSArray): |
| * runtime/JSArrayBufferPrototype.cpp: |
| (JSC::JSArrayBufferPrototype::finishCreation): |
| * runtime/JSArrayBufferView.cpp: |
| (JSC::JSArrayBufferView::slowDownAndWasteMemory): |
| * runtime/JSCJSValue.cpp: |
| (JSC::JSValue::putToPrimitiveByIndex): |
| (JSC::JSValue::dumpForBacktrace const): |
| (JSC::JSValue::toStringSlowCase const): |
| * runtime/JSCJSValueInlines.h: |
| (JSC::JSValue::toPropertyKey const): |
| (JSC::JSValue::get const): |
| * runtime/JSCast.h: |
| (JSC::jsCast): |
| * runtime/JSCell.cpp: |
| (JSC::JSCell::dump const): |
| (JSC::JSCell::dumpToStream): |
| (JSC::JSCell::putByIndex): |
| * runtime/JSCellInlines.h: |
| (JSC::JSCell::structure const): |
| (JSC::ExecState::vm const): |
| (JSC::tryAllocateCellHelper): |
| * runtime/JSDataViewPrototype.cpp: |
| (JSC::JSDataViewPrototype::finishCreation): |
| * runtime/JSFixedArray.cpp: |
| (JSC::JSFixedArray::dumpToStream): |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::finishCreation): |
| (JSC::RetrieveCallerFunctionFunctor::operator() const): |
| (JSC::JSFunction::reifyName): |
| (JSC::JSFunction::reifyLazyBoundNameIfNeeded): |
| (JSC::JSFunction::assertTypeInfoFlagInvariants): |
| * runtime/JSGenericTypedArrayViewInlines.h: |
| (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex): |
| (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::exposeDollarVM): |
| * runtime/JSGlobalObjectFunctions.cpp: |
| (JSC::encode): |
| (JSC::decode): |
| (JSC::globalFuncEscape): |
| (JSC::globalFuncUnescape): |
| (JSC::globalFuncBuiltinDescribe): |
| * runtime/JSLexicalEnvironment.cpp: |
| (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames): |
| * runtime/JSModuleEnvironment.cpp: |
| (JSC::JSModuleEnvironment::getOwnPropertySlot): |
| (JSC::JSModuleEnvironment::put): |
| (JSC::JSModuleEnvironment::deleteProperty): |
| * runtime/JSModuleLoader.cpp: |
| (JSC::JSModuleLoader::finishCreation): |
| (JSC::JSModuleLoader::requestImportModule): |
| (JSC::moduleLoaderParseModule): |
| (JSC::moduleLoaderRequestedModules): |
| * runtime/JSModuleNamespaceObject.cpp: |
| (JSC::JSModuleNamespaceObject::finishCreation): |
| (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex): |
| * runtime/JSModuleRecord.cpp: |
| (JSC::JSModuleRecord::instantiateDeclarations): |
| * runtime/JSONObject.cpp: |
| (JSC::JSONObject::finishCreation): |
| (JSC::PropertyNameForFunctionCall::value const): |
| (JSC::Stringifier::Stringifier): |
| (JSC::Stringifier::stringify): |
| (JSC::Stringifier::Holder::appendNextProperty): |
| (JSC::Walker::walk): |
| * runtime/JSObject.cpp: |
| (JSC::getClassPropertyNames): |
| (JSC::JSObject::getOwnPropertySlotByIndex): |
| (JSC::JSObject::putByIndex): |
| (JSC::JSObject::deletePropertyByIndex): |
| (JSC::JSObject::toString const): |
| (JSC::JSObject::reifyAllStaticProperties): |
| (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength): |
| * runtime/JSObject.h: |
| (JSC::JSObject::putByIndexInline): |
| (JSC::JSObject::butterflyPreCapacity): |
| (JSC::JSObject::butterflyTotalSize): |
| (JSC::makeIdentifier): |
| * runtime/JSPromisePrototype.cpp: |
| (JSC::JSPromisePrototype::finishCreation): |
| * runtime/JSPropertyNameEnumerator.cpp: |
| (JSC::JSPropertyNameEnumerator::finishCreation): |
| * runtime/JSPropertyNameEnumerator.h: |
| (JSC::propertyNameEnumerator): |
| * runtime/JSRunLoopTimer.cpp: |
| (JSC::JSRunLoopTimer::JSRunLoopTimer): |
| * runtime/JSRunLoopTimer.h: |
| * runtime/JSString.cpp: |
| (JSC::JSString::dumpToStream): |
| (JSC::JSRopeString::resolveRopeWithFunction const): |
| (JSC::jsStringWithCacheSlowCase): |
| * runtime/JSString.h: |
| (JSC::jsEmptyString): |
| (JSC::jsSingleCharacterString): |
| (JSC::jsNontrivialString): |
| (JSC::JSString::toIdentifier const): |
| (JSC::JSString::toAtomString const): |
| (JSC::JSString::toExistingAtomString const): |
| (JSC::JSString::value const): |
| (JSC::JSString::tryGetValue const): |
| (JSC::JSString::getIndex): |
| (JSC::jsString): |
| (JSC::jsSubstring): |
| (JSC::jsOwnedString): |
| (JSC::jsStringWithCache): |
| (JSC::JSRopeString::unsafeView const): |
| (JSC::JSRopeString::viewWithUnderlyingString const): |
| (JSC::JSString::unsafeView const): |
| * runtime/JSStringInlines.h: |
| (JSC::jsMakeNontrivialString): |
| (JSC::repeatCharacter): |
| * runtime/JSStringJoiner.cpp: |
| (JSC::JSStringJoiner::join): |
| * runtime/JSSymbolTableObject.cpp: |
| (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames): |
| * runtime/JSTemplateObjectDescriptor.cpp: |
| (JSC::JSTemplateObjectDescriptor::createTemplateObject): |
| * runtime/JSTypedArrayViewPrototype.cpp: |
| (JSC::typedArrayViewProtoGetterFuncToStringTag): |
| * runtime/LazyClassStructure.cpp: |
| (JSC::LazyClassStructure::Initializer::setConstructor): |
| * runtime/LazyProperty.h: |
| (JSC::LazyProperty::Initializer::Initializer): |
| * runtime/LiteralParser.cpp: |
| (JSC::LiteralParser<CharType>::tryJSONPParse): |
| (JSC::LiteralParser<CharType>::makeIdentifier): |
| (JSC::LiteralParser<CharType>::parse): |
| * runtime/Lookup.h: |
| (JSC::reifyStaticProperties): |
| * runtime/MapIteratorPrototype.cpp: |
| (JSC::MapIteratorPrototype::finishCreation): |
| * runtime/MapPrototype.cpp: |
| (JSC::MapPrototype::finishCreation): |
| * runtime/MathObject.cpp: |
| (JSC::MathObject::finishCreation): |
| * runtime/NumberConstructor.cpp: |
| (JSC::NumberConstructor::finishCreation): |
| * runtime/NumberPrototype.cpp: |
| (JSC::numberProtoFuncToExponential): |
| (JSC::numberProtoFuncToFixed): |
| (JSC::numberProtoFuncToPrecision): |
| (JSC::int32ToStringInternal): |
| (JSC::numberToStringInternal): |
| (JSC::int52ToString): |
| * runtime/ObjectConstructor.cpp: |
| (JSC::objectConstructorGetOwnPropertyDescriptors): |
| (JSC::objectConstructorAssign): |
| (JSC::objectConstructorValues): |
| (JSC::defineProperties): |
| (JSC::setIntegrityLevel): |
| (JSC::testIntegrityLevel): |
| (JSC::ownPropertyKeys): |
| * runtime/ObjectPrototype.cpp: |
| (JSC::objectProtoFuncToString): |
| * runtime/Operations.h: |
| (JSC::jsString): |
| (JSC::jsStringFromRegisterArray): |
| (JSC::jsStringFromArguments): |
| * runtime/ProgramExecutable.cpp: |
| (JSC::ProgramExecutable::initializeGlobalProperties): |
| * runtime/PromiseDeferredTimer.cpp: |
| (JSC::PromiseDeferredTimer::PromiseDeferredTimer): |
| (JSC::PromiseDeferredTimer::hasPendingPromise): |
| (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise): |
| (JSC::PromiseDeferredTimer::cancelPendingPromise): |
| * runtime/PropertyNameArray.h: |
| (JSC::PropertyNameArray::PropertyNameArray): |
| (JSC::PropertyNameArray::vm): |
| * runtime/PropertySlot.h: |
| (JSC::PropertySlot::getValue const): |
| * runtime/ProxyObject.cpp: |
| (JSC::performProxyGet): |
| (JSC::ProxyObject::performInternalMethodGetOwnProperty): |
| (JSC::ProxyObject::performHasProperty): |
| (JSC::ProxyObject::getOwnPropertySlotByIndex): |
| (JSC::ProxyObject::performPut): |
| (JSC::ProxyObject::putByIndexCommon): |
| (JSC::ProxyObject::performDelete): |
| (JSC::ProxyObject::deletePropertyByIndex): |
| (JSC::ProxyObject::performDefineOwnProperty): |
| (JSC::ProxyObject::performGetOwnPropertyNames): |
| * runtime/RegExpGlobalData.cpp: |
| (JSC::RegExpGlobalData::getBackref): |
| (JSC::RegExpGlobalData::getLastParen): |
| * runtime/RegExpMatchesArray.cpp: |
| (JSC::createEmptyRegExpMatchesArray): |
| * runtime/RegExpMatchesArray.h: |
| (JSC::createRegExpMatchesArray): |
| * runtime/RegExpPrototype.cpp: |
| (JSC::regExpProtoGetterFlags): |
| (JSC::regExpProtoGetterSourceInternal): |
| (JSC::regExpProtoGetterSource): |
| * runtime/RegExpStringIteratorPrototype.cpp: |
| (JSC::RegExpStringIteratorPrototype::finishCreation): |
| * runtime/SamplingProfiler.cpp: |
| (JSC::SamplingProfiler::processUnverifiedStackTraces): |
| * runtime/ScriptExecutable.cpp: |
| (JSC::ScriptExecutable::installCode): |
| (JSC::ScriptExecutable::newCodeBlockFor): |
| (JSC::ScriptExecutable::newReplacementCodeBlockFor): |
| (JSC::setupJIT): |
| * runtime/SetIteratorPrototype.cpp: |
| (JSC::SetIteratorPrototype::finishCreation): |
| * runtime/SetPrototype.cpp: |
| (JSC::SetPrototype::finishCreation): |
| * runtime/StackFrame.cpp: |
| (JSC::StackFrame::computeLineAndColumn const): |
| * runtime/StringConstructor.cpp: |
| (JSC::stringFromCharCode): |
| (JSC::stringFromCodePoint): |
| (JSC::stringConstructor): |
| (JSC::callStringConstructor): |
| * runtime/StringIteratorPrototype.cpp: |
| (JSC::StringIteratorPrototype::finishCreation): |
| * runtime/StringObject.cpp: |
| (JSC::StringObject::getOwnPropertySlotByIndex): |
| (JSC::StringObject::getOwnPropertyNames): |
| * runtime/StringObject.h: |
| (JSC::StringObject::create): |
| (JSC::jsStringWithReuse): |
| (JSC::jsSubstring): |
| * runtime/StringPrototype.cpp: |
| (JSC::StringPrototype::finishCreation): |
| (JSC::StringPrototype::create): |
| (JSC::jsSpliceSubstrings): |
| (JSC::jsSpliceSubstringsWithSeparators): |
| (JSC::replaceUsingRegExpSearch): |
| (JSC::operationStringProtoFuncReplaceRegExpEmptyStr): |
| (JSC::operationStringProtoFuncReplaceRegExpString): |
| (JSC::replaceUsingStringSearch): |
| (JSC::operationStringProtoFuncReplaceGeneric): |
| (JSC::stringProtoFuncCharAt): |
| (JSC::stringProtoFuncSplitFast): |
| (JSC::stringProtoFuncSubstr): |
| (JSC::stringProtoFuncToLowerCase): |
| (JSC::stringProtoFuncToUpperCase): |
| (JSC::toLocaleCase): |
| (JSC::trimString): |
| (JSC::normalize): |
| * runtime/StringPrototypeInlines.h: |
| (JSC::stringSlice): |
| * runtime/StringRecursionChecker.cpp: |
| (JSC::StringRecursionChecker::emptyString): |
| * runtime/Structure.cpp: |
| (JSC::Structure::didTransitionFromThisStructure const): |
| * runtime/StructureInlines.h: |
| (JSC::Structure::didReplaceProperty): |
| (JSC::Structure::shouldConvertToPolyProto): |
| * runtime/SymbolConstructor.cpp: |
| (JSC::symbolConstructorKeyFor): |
| * runtime/SymbolPrototype.cpp: |
| (JSC::SymbolPrototype::finishCreation): |
| (JSC::symbolProtoGetterDescription): |
| (JSC::symbolProtoFuncToString): |
| * runtime/SymbolTable.cpp: |
| (JSC::SymbolTable::setRareDataCodeBlock): |
| * runtime/TestRunnerUtils.cpp: |
| (JSC::getExecutableForFunction): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| (JSC::VM::getHostFunction): |
| (JSC::VM::getCTIInternalFunctionTrampolineFor): |
| (JSC::VM::shrinkFootprintWhenIdle): |
| (JSC::logSanitizeStack): |
| (JSC::sanitizeStackForVM): |
| (JSC::VM::emptyPropertyNameEnumeratorSlow): |
| * runtime/VM.h: |
| (JSC::VM::getCTIStub): |
| (JSC::WeakSet::heap const): |
| * runtime/VMTraps.cpp: |
| * runtime/WeakMapPrototype.cpp: |
| (JSC::WeakMapPrototype::finishCreation): |
| * runtime/WeakObjectRefPrototype.cpp: |
| (JSC::WeakObjectRefPrototype::finishCreation): |
| * runtime/WeakSetPrototype.cpp: |
| (JSC::WeakSetPrototype::finishCreation): |
| * tools/HeapVerifier.cpp: |
| (JSC::HeapVerifier::printVerificationHeader): |
| (JSC::HeapVerifier::verifyCellList): |
| (JSC::HeapVerifier::validateJSCell): |
| (JSC::HeapVerifier::reportCell): |
| * tools/JSDollarVM.cpp: |
| (JSC::JSDollarVMCallFrame::finishCreation): |
| (JSC::JSDollarVMCallFrame::addProperty): |
| (JSC::CustomGetter::getOwnPropertySlot): |
| (JSC::CustomGetter::customGetter): |
| (JSC::CustomGetter::customGetterAcessor): |
| (JSC::DOMJITGetter::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetter::finishCreation): |
| (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterComplex::finishCreation): |
| (JSC::DOMJITFunctionObject::functionWithoutTypeCheck): |
| (JSC::DOMJITFunctionObject::finishCreation): |
| (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::finishCreation): |
| (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): |
| (JSC::DOMJITGetterBaseJSObject::finishCreation): |
| (JSC::customSetAccessor): |
| (JSC::customSetValue): |
| (JSC::JSTestCustomGetterSetter::finishCreation): |
| (JSC::WasmStreamingParser::finishCreation): |
| (JSC::getExecutableForFunction): |
| (JSC::functionCodeBlockFor): |
| (JSC::functionIndexingMode): |
| (JSC::functionValue): |
| (JSC::functionCreateBuiltin): |
| (JSC::functionGetPrivateProperty): |
| (JSC::JSDollarVM::finishCreation): |
| (JSC::JSDollarVM::addFunction): |
| (JSC::JSDollarVM::addConstructibleFunction): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::dumpRegisters): |
| (JSC::VMInspector::dumpCellMemoryToStream): |
| * wasm/WasmInstance.cpp: |
| (JSC::Wasm::Instance::setGlobal): |
| (JSC::Wasm::Instance::setFunctionWrapper): |
| (JSC::Wasm::setWasmTableElement): |
| (JSC::Wasm::doWasmRefFunc): |
| * wasm/WasmTable.cpp: |
| (JSC::Wasm::Table::set): |
| (JSC::Wasm::FuncRefTable::setFunction): |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::resolve): |
| * wasm/js/JSWebAssemblyInstance.cpp: |
| (JSC::JSWebAssemblyInstance::create): |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::handleBadI64Use): |
| (JSC::Wasm::wasmToJS): |
| (JSC::Wasm::wasmToJSException): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| * wasm/js/WebAssemblyMemoryConstructor.cpp: |
| (JSC::constructJSWebAssemblyMemory): |
| * wasm/js/WebAssemblyModuleConstructor.cpp: |
| (JSC::webAssemblyModuleImports): |
| (JSC::webAssemblyModuleExports): |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::finishCreation): |
| (JSC::WebAssemblyModuleRecord::link): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| |
| 2019-08-27 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: don't attach properties to `injectedScript` for the CommandLineAPI |
| https://bugs.webkit.org/show_bug.cgi?id=201193 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| For some reason, adding `injectedScript._inspectObject` inside CommandLineAPIModuleSource.js |
| causes inspector/debugger/tail-deleted-frames-this-value.html to fail. |
| |
| We should have a similar approach to adding command line api getters and functions, in that |
| the CommandLineAPIModuleSource.js calls a function with a callback. |
| |
| * inspector/InjectedScriptSource.js: |
| (InjectedScript.prototype.inspectObject): |
| (InjectedScript.prototype.setInspectObject): Added. |
| (InjectedScript.prototype._evaluateOn): |
| |
| 2019-08-27 Mark Lam <mark.lam@apple.com> |
| |
| constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM. |
| https://bugs.webkit.org/show_bug.cgi?id=201196 |
| <rdar://problem/54703775> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/FunctionConstructor.cpp: |
| (JSC::constructFunctionSkippingEvalEnabledCheck): |
| |
| 2019-08-27 Keith Miller <keith_miller@apple.com> |
| |
| When dumping Air Graphs BBQ should dump patchpoints. |
| https://bugs.webkit.org/show_bug.cgi?id=201167 |
| |
| Reviewed by Filip Pizlo. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator:: const): |
| (JSC::Wasm::AirIRGenerator::addPatchpoint): |
| (JSC::Wasm::parseAndCompileAir): |
| |
| 2019-08-27 Basuke Suzuki <Basuke.Suzuki@sony.com> |
| |
| [RemoteInspector][Socket] Restructuring the components of Socket implementation |
| https://bugs.webkit.org/show_bug.cgi?id=201079 |
| |
| Reviewed by Ross Kirsling. |
| |
| Since the change for WeakPtr in r248386, our port started hitting assertion failures in the usage of |
| RemoteInspectorSocketEndpoint. We have to send a message to the connection client, but if that |
| has to be done on the same thread on which the weakPtr was generated, that is a little bit too |
| strong a restriction for us to handle. In this restructuring, we stop using weakPtr to |
| resolve the circular dependency and instead use a reference with an invalidation method, because |
| everything is under our control. |
| |
| - Make SocketEndpoint a singleton. This class represents a central place to handle socket |
| connections, and there's no need to instantiate more than one in a process. Once every |
| connection goes away, it just starts sleeping until the next connection is created. Very low |
| resource usage when it is idle. |
| - Move the Socket::Connection structure from a global definition to a SocketEndpoint-local |
| structure. It is used directly and privately in SocketEndpoint. |
| - Move the responsibility for message encoding/decoding from SocketEndpoint to |
| ConnectionClient. Make SocketEndpoint as plain a socket handler as possible, to keep it |
| simple enough to live for a long span. |
| - Extract an interface from ConnectionClient as SocketEndpoint::Client, which is required |
| to work with SocketEndpoint. Now SocketEndpoint is very independent of the others. |
| SocketEndpoint::Client is the required parameter to create a connection. |
| |
| Many responsibilities are moved into ConnectionClient, which was a thin interface for |
| communication between RemoteInspector, RemoteInspectorServer and RemoteInspectorClient. |
| It now handles the following: |
| - life cycle of a connection: create, listen and close or invalidation |
| - sending and receiving data packed in a message. |
| |
| RemoteInspector and RemoteInspectorServer are now free from creation of SocketEndpoint. |
| All communication to SocketEndpoint is now the duty of the superclass. |
| |
| * inspector/remote/RemoteInspector.h: |
| * inspector/remote/socket/RemoteInspectorConnectionClient.cpp: |
| (Inspector::RemoteInspectorConnectionClient::~RemoteInspectorConnectionClient): Invalidate all connections. |
| (Inspector::RemoteInspectorConnectionClient::connectInet): Add itself as a listener of socket. |
| (Inspector::RemoteInspectorConnectionClient::listenInet): Ditto. |
| (Inspector::RemoteInspectorConnectionClient::createClient): Ditto. |
| (Inspector::RemoteInspectorConnectionClient::send): Add message processing. |
| (Inspector::RemoteInspectorConnectionClient::didReceive): Ditto. |
| (Inspector::RemoteInspectorConnectionClient::extractEvent): Extracted from send. |
| * inspector/remote/socket/RemoteInspectorConnectionClient.h: |
| * inspector/remote/socket/RemoteInspectorMessageParser.cpp: |
| (Inspector::MessageParser::MessageParser): |
| (Inspector::MessageParser::pushReceivedData): |
| (Inspector::MessageParser::parse): |
| * inspector/remote/socket/RemoteInspectorMessageParser.h: |
| (Inspector::MessageParser::MessageParser): |
| (Inspector::MessageParser::Function<void): |
| * inspector/remote/socket/RemoteInspectorServer.cpp: |
| (Inspector::RemoteInspectorServer::connect): Remove direct communication to Socket Endpoint. |
| (Inspector::RemoteInspectorServer::listenForTargets): Ditto. |
| (Inspector::RemoteInspectorServer::sendWebInspectorEvent): Ditto. |
| (Inspector::RemoteInspectorServer::start): Ditto. |
| * inspector/remote/socket/RemoteInspectorServer.h: |
| * inspector/remote/socket/RemoteInspectorSocket.cpp: |
| (Inspector::RemoteInspector::sendWebInspectorEvent): Remove direct communication to Socket Endpoint. |
| (Inspector::RemoteInspector::start): Ditto. |
| (Inspector::RemoteInspector::stopInternal): Ditto. |
| (Inspector::RemoteInspector::pushListingsNow): Change the target of validity check to ID. |
| (Inspector::RemoteInspector::pushListingsSoon): Ditto. |
| (Inspector::RemoteInspector::sendMessageToRemote): Ditto. |
| * inspector/remote/socket/RemoteInspectorSocket.h: Move Connection structure to RemoteInspectorSocketEndpoint. |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: |
| (Inspector::RemoteInspectorSocketEndpoint::singleton): Added. |
| (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint): Use hard-coded thread name. |
| (Inspector::RemoteInspectorSocketEndpoint::connectInet): Accept RemoteInspectorSocketEndpoint::Client as listener. |
| (Inspector::RemoteInspectorSocketEndpoint::listenInet): Ditto. |
| (Inspector::RemoteInspectorSocketEndpoint::createClient): Ditto. |
| (Inspector::RemoteInspectorSocketEndpoint::invalidateClient): Added. Invalidate all connections from the client. |
| (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled): Remove message parser handling. |
| (Inspector::RemoteInspectorSocketEndpoint::send): Remove message packing. |
| (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled): |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: |
| (Inspector::RemoteInspectorSocketEndpoint::Connection::Connection): |
| |
| 2019-08-26 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: use more C++ keywords for defining agents |
| https://bugs.webkit.org/show_bug.cgi?id=200959 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| - make constructors `protected` when the agent isn't meant to be constructed directly |
| - add `virtual` destructors that are defined in the *.cpp so forward-declarations work |
| - use `final` wherever possible |
| - add comments to indicate where any virtual functions come from |
| |
| * inspector/agents/InspectorAgent.h: |
| * inspector/agents/InspectorAgent.cpp: |
| * inspector/agents/InspectorAuditAgent.h: |
| * inspector/agents/InspectorAuditAgent.cpp: |
| * inspector/agents/InspectorConsoleAgent.h: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| * inspector/agents/InspectorDebuggerAgent.h: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| * inspector/agents/InspectorHeapAgent.h: |
| * inspector/agents/InspectorHeapAgent.cpp: |
| * inspector/agents/InspectorRuntimeAgent.h: |
| * inspector/agents/InspectorScriptProfilerAgent.h: |
| * inspector/agents/InspectorScriptProfilerAgent.cpp: |
| * inspector/agents/InspectorTargetAgent.h: |
| * inspector/agents/InspectorTargetAgent.cpp: |
| * inspector/agents/JSGlobalObjectAuditAgent.h: |
| * inspector/agents/JSGlobalObjectAuditAgent.cpp: |
| * inspector/agents/JSGlobalObjectDebuggerAgent.h: |
| * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: |
| * inspector/agents/JSGlobalObjectRuntimeAgent.h: |
| * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: |
| |
| 2019-08-26 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: unify agent command error messages |
| https://bugs.webkit.org/show_bug.cgi?id=200950 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Different agents can sometimes have different error messages for commands that have a |
| similar intended effect. We should make our error messages more similar. |
| |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| * inspector/agents/InspectorAgent.cpp: |
| * inspector/agents/InspectorAuditAgent.cpp: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| * inspector/agents/InspectorHeapAgent.cpp: |
| * inspector/agents/InspectorRuntimeAgent.cpp: |
| * inspector/agents/InspectorTargetAgent.cpp: |
| * inspector/agents/JSGlobalObjectAuditAgent.cpp: |
| * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: |
| * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: |
| Elide function lists to avoid an extremely large ChangeLog entry. |
| |
| 2019-08-26 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Ensure x?.y ?? z is fast |
| https://bugs.webkit.org/show_bug.cgi?id=200875 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We anticipate `x?.y ?? z` to quickly become a common idiom in JS. With a little bytecode rearrangement, |
| we can avoid the "load undefined and check it" dance in the middle and just turn this into two jumps. |
| |
| Before: |
| (get x) |
| ----- jundefined_or_null |
| | (get y) |
| | --- jmp |
| > | (load undefined) |
| > - jnundefined_or_null |
| | (get z) |
| > end |
| |
| After: |
| (get x) |
| --- jundefined_or_null |
| | (get y) |
| | - jnundefined_or_null |
| > | (get z) |
| > end |
| |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::popOptionalChainTarget): Added specialization. |
| * bytecompiler/BytecodeGenerator.h: |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::CoalesceNode::emitBytecode): |
| (JSC::OptionalChainNode::emitBytecode): |
| * parser/ASTBuilder.h: |
| (JSC::ASTBuilder::makeDeleteNode): |
| (JSC::ASTBuilder::makeCoalesceNode): Added. |
| (JSC::ASTBuilder::makeBinaryNode): |
| * parser/NodeConstructors.h: |
| (JSC::CoalesceNode::CoalesceNode): |
| * parser/Nodes.h: |
| (JSC::ExpressionNode::isDeleteNode const): Added. (Replaces OptionalChainNode::m_isDelete.) |
| |
| 2019-08-26 Carlos Alberto Lopez Perez <clopez@igalia.com> |
| |
| Missing media controls when WebKit is built with Python3 |
| https://bugs.webkit.org/show_bug.cgi?id=194367 |
| |
| Reviewed by Carlos Garcia Campos. |
| |
| The JavaScript minifier script jsmin.py expects a text stream |
| (text type) as input, but the script make-js-file-arrays.py |
| was passing it a FileIO() object. So, when the jsmin script |
| called read() on this object, Python 3 returned a value of type |
| bytes, whereas Python 2 returns type str. |
| |
| This caused two problems. First, jsmin failed to do any minifying |
| because it was comparing strings with a variable of type bytes. |
| The second, major problem was in the write() function, where the |
| jsmin script tried to convert a byte character to text by calling |
| str() on it. What this does is not convert from the bytes |
| type to a string, but simply generate a string of the form b'c'. |
| So on Python 3 the jsmin script was returning, as minified JS, complete |
| garbage of the form "b't'b'h'b'h'b'i". |
| |
| Therefore, when WebKit was built with python3 this broke everything |
| that depended on the embedded JS code that make-js-file-arrays.py |
| was supposed to generate, like the media controls and the WebDriver |
| atoms. |
| |
| Fix this by reworking the code in the make-js-file-arrays script to |
| read the data from the file using a TextIOWrapper on Python 3, |
| decoding as 'utf-8'. This ensures that jsmin receives |
| a text type. For Python 2, keep using the same FileIO class. |
| |
| In the jsmin.py script, remove the problematic call to str() inside |
| the write() function when running with Python 3. |
| On top of that, add an extra check in the jsmin.py script to make it |
| fail if the character type read is not the one expected. This |
| will cause the build to fail instead of failing silently as it |
| does now. I did some tests and the runtime cost of this extra check |
| is almost zero. |
| |
| * Scripts/jsmin.py: |
| (JavascriptMinify.minify.write): |
| (JavascriptMinify): |
| * Scripts/make-js-file-arrays.py: |
| (main): |
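As an added illustration of the bytes-versus-str failure described in this entry (not code from WebKit's jsmin.py or make-js-file-arrays.py), the following reconstructs the old and fixed read/write paths on a constructed sample; the function names, the sample input and the BufferedReader layer under the TextIOWrapper are assumptions.

```python
import io
import os
import tempfile

# Constructed sample input (not from WebKit): a tiny JS snippet.
SAMPLE_JS = "this;"


def open_js_text(path):
    """Open the JS source as a *text* stream, as the fix described above does.

    Wrapping the raw FileIO in a TextIOWrapper that decodes utf-8 makes
    read() return str on Python 3 instead of bytes. (Assumption: the
    BufferedReader layer is added here only to satisfy TextIOWrapper's
    documented contract; it does not change the behaviour shown.)
    """
    return io.TextIOWrapper(io.BufferedReader(io.FileIO(path, "r")),
                            encoding="utf-8")


def read_units(stream):
    """Read a stream one unit at a time, as a char-by-char minifier does.

    For a binary stream each unit is a 1-byte bytes object; for a text
    stream it is a 1-character str.
    """
    units = []
    while True:
        c = stream.read(1)
        if not c:
            break
        units.append(c)
    return units


def buggy_write(units):
    """Illustrative reconstruction of the pre-fix write(): str() each unit.

    On Python 3 with bytes input, str(b't') is the four-character text
    "b't'", which is the "b't'b'h'..." garbage the ChangeLog describes.
    Not jsmin's actual code.
    """
    return "".join(str(c) for c in units)


def checked_write(units):
    """Post-fix style write(): pass text through, fail loudly on bytes.

    The type check makes a wrong stream type abort the build instead of
    silently emitting corrupted JS.
    """
    out = []
    for c in units:
        if not isinstance(c, str):
            raise TypeError("expected str, got %s" % type(c).__name__)
        out.append(c)
    return "".join(out)


def demo():
    """Run the before/after paths on SAMPLE_JS.

    Returns (garbage, correct, failed_loudly): the mangled output of the
    old path, the output of the fixed path, and whether the type check
    caught the bytes input.
    """
    with tempfile.NamedTemporaryFile("wb", suffix=".js", delete=False) as f:
        f.write(SAMPLE_JS.encode("utf-8"))
        path = f.name
    try:
        # Before: FileIO yields bytes units and str() mangles them.
        with io.FileIO(path, "r") as raw:
            raw_units = read_units(raw)
        garbage = buggy_write(raw_units)

        # After: TextIOWrapper yields str units, which pass the check.
        with open_js_text(path) as text:
            correct = checked_write(read_units(text))

        # The check turns the old silent corruption into a hard failure.
        try:
            checked_write(raw_units)
            failed_loudly = False
        except TypeError:
            failed_loudly = True
    finally:
        os.unlink(path)
    return garbage, correct, failed_loudly


if __name__ == "__main__":
    g, c, loud = demo()
    print("old path produced:", g)
    print("fixed path produced:", c)
    print("type check caught bytes input:", loud)
```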
| |
| 2019-08-23 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: create additional command line api functions for other console methods |
| https://bugs.webkit.org/show_bug.cgi?id=200971 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Expose all `console.*` functions in the command line API, since they're all already able to |
| be referenced via the `console` object. |
| |
| Provide a simpler interface for other injected scripts to modify the command line API. |
| |
| * inspector/InjectedScriptModule.cpp: |
| (Inspector::InjectedScriptModule::ensureInjected): |
| |
| * inspector/InjectedScriptSource.js: |
| (InjectedScript.prototype.inspectObject): |
| (InjectedScript.prototype.addCommandLineAPIGetter): Added. |
| (InjectedScript.prototype.addCommandLineAPIMethod): Added. |
| (InjectedScript.prototype.hasInjectedModule): Added. |
| (InjectedScript.prototype.injectModule): |
| (InjectedScript.prototype._evaluateOn): |
| (InjectedScript.CommandLineAPI): Added. |
| (InjectedScript.prototype.module): Deleted. |
| (InjectedScript.prototype._savedResult): Deleted. |
| (bind): Deleted. |
| (BasicCommandLineAPI): Deleted. |
| (clear): Deleted. |
| (table): Deleted. |
| (profile): Deleted. |
| (profileEnd): Deleted. |
| (keys): Deleted. |
| (values): Deleted. |
| (queryInstances): Deleted. |
| (queryObjects): Deleted. |
| (queryHolders): Deleted. |
| |
| 2019-08-23 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Remove MaximalFlushInsertionPhase |
| https://bugs.webkit.org/show_bug.cgi?id=201036 |
| |
| Reviewed by Saam Barati. |
| |
| Maximal flush has found too many false positives recently, so we decided it's finally time |
| to remove it instead of hacking it to fix the most recent false positive. |
| |
| The most recent false positive was caused by a LoadVarargs followed by a SetArgumentDefinitely |
| for the argument count that was being flushed in a much later block. Now, since that block was |
| the head of a loop, and there was a SetLocal in the same block to the same variable, this |
| generated a Phi of both values, which then led to the unification of their VariableAccessData |
| in the unification phase. This caused AI to assign the Int52 type to argument count, which |
| broke the AI’s assumption that it should always be an Int32. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleVarargsInlining): |
| * dfg/DFGMaximalFlushInsertionPhase.cpp: Removed. |
| * dfg/DFGMaximalFlushInsertionPhase.h: Removed. |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::compileInThreadImpl): |
| * runtime/Options.cpp: |
| (JSC::recomputeDependentOptions): |
| * runtime/Options.h: |
| |
| 2019-08-23 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Unreviewed WinCairo build fix following r249058. |
| |
| * API/tests/testapi.cpp: |
| (TestAPI::callFunction): |
| WinCairo chokes on `JSValueRef args[sizeof...(arguments)]` when there are no arguments, but AppleWin does not... |
| MSVC must have changed somehow. |
| |
| 2019-08-23 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Do not overwrite argument registers in jsCallEntrypoint |
| https://bugs.webkit.org/show_bug.cgi?id=200952 |
| |
| Reviewed by Saam Barati. |
| |
| The c call that we emitted was incorrect. If we had an int argument that was supposed to be placed in GPR0 by this loop, |
| we would clobber it while making the call (among many other possible registers). To fix this, we just inline the call |
| to isWebassemblyHostFunction. |
| |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| |
| 2019-08-23 Ross Kirsling <ross.kirsling@sony.com> |
| |
| JSC should have public API for unhandled promise rejections |
| https://bugs.webkit.org/show_bug.cgi?id=197172 |
| |
| Reviewed by Keith Miller. |
| |
| This patch makes it possible to register an unhandled promise rejection callback via the JSC API. |
| Since there is no event loop in such an environment, this callback fires off of the microtask queue. |
| The callback receives the promise and rejection reason as arguments and its return value is ignored. |
| |
| * API/JSContextRef.cpp: |
| (JSGlobalContextSetUnhandledRejectionCallback): Added. |
| * API/JSContextRefPrivate.h: |
| Add new C++ API call. |
| |
| * API/tests/testapi.cpp: |
| (TestAPI::promiseResolveTrue): Clean up test output. |
| (TestAPI::promiseRejectTrue): Clean up test output. |
| (TestAPI::promiseUnhandledRejection): Added. |
| (TestAPI::promiseUnhandledRejectionFromUnhandledRejectionCallback): Added. |
| (TestAPI::promiseEarlyHandledRejections): Added. |
| (testCAPIViaCpp): |
| Add new C++ API test. |
| |
| * jsc.cpp: |
| (GlobalObject::finishCreation): |
| (functionSetUnhandledRejectionCallback): Added. |
| Add corresponding global to JSC shell. |
| |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::setUnhandledRejectionCallback): Added. |
| (JSC::JSGlobalObject::unhandledRejectionCallback const): Added. |
| Keep a strong reference to the callback. |
| |
| * runtime/JSGlobalObjectFunctions.cpp: |
| (JSC::globalFuncHostPromiseRejectionTracker): |
| Add default behavior. |
| |
| * runtime/VM.cpp: |
| (JSC::VM::callPromiseRejectionCallback): Added. |
| (JSC::VM::didExhaustMicrotaskQueue): Added. |
| (JSC::VM::promiseRejected): Added. |
| (JSC::VM::drainMicrotasks): |
| When microtask queue is exhausted, deal with any pending unhandled rejections |
| (in a manner based on RejectedPromiseTracker's reportUnhandledRejections), |
| then make sure this didn't cause any new microtasks to be added to the queue. |
| |
| * runtime/VM.h: |
| Store unhandled rejections. |
| (This collection will always be empty in the presence of WebCore.) |
| |
| 2019-08-22 Mark Lam <mark.lam@apple.com> |
| |
| VirtualRegister::dump() can use more informative CallFrame header slot names. |
| https://bugs.webkit.org/show_bug.cgi?id=201062 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| For example, it currently dumps head3 instead of callee. This patch changes the |
| dump as follows (for 64-bit addressing): |
| head0 => callerFrame |
| head1 => returnPC |
| head2 => codeBlock |
| head3 => callee |
| head4 => argumentCount |
| |
| Now, one might be wondering when would bytecode ever access callerFrame and |
| returnPC? The answer is never. However, I don't think it's the role of the |
| dumper to catch a bug where these header slots are being used. The dumper's role |
| is to clearly report them so that we can see that these unexpected values are |
| being used. |
| |
| * bytecode/VirtualRegister.cpp: |
| (JSC::VirtualRegister::dump const): |
| |
| 2019-08-22 Andy Estes <aestes@apple.com> |
| |
| [watchOS] Disable Content Filtering in the simulator build |
| https://bugs.webkit.org/show_bug.cgi?id=201047 |
| |
| Reviewed by Tim Horton. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-08-22 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [GTK][WPE] Fixes for non-unified builds after r248547 |
| https://bugs.webkit.org/show_bug.cgi?id=201044 |
| |
| Reviewed by Philippe Normand. |
| |
| * b3/B3ReduceLoopStrength.cpp: Add missing inclusions of B3BasicBlockInlines.h, |
| B3InsertionSet.h, and B3NaturalLoops.h |
| * wasm/WasmOMGForOSREntryPlan.h: Include WasmCallee.h instead of forward-declaring |
| BBQCallee in order to avoid build failure due to incomplete definition on template |
| expansions. |
| |
| 2019-08-22 Justin Michaud <justin_michaud@apple.com> |
| |
| Add missing exception check in canonicalizeLocaleList |
| https://bugs.webkit.org/show_bug.cgi?id=201021 |
| |
| Reviewed by Mark Lam. |
| |
| * runtime/IntlObject.cpp: |
| (JSC::canonicalizeLocaleList): |
| |
| 2019-08-17 Darin Adler <darin@apple.com> |
| |
| Use makeString and multi-argument StringBuilder::append instead of less efficient multiple appends |
| https://bugs.webkit.org/show_bug.cgi?id=200862 |
| |
| Reviewed by Ryosuke Niwa. |
| |
| * runtime/ExceptionHelpers.cpp: |
| (JSC::createUndefinedVariableError): Got rid of unnecessary local variable. |
| (JSC::notAFunctionSourceAppender): Use single append instead of multiple. |
| Eliminate unneeded and unconventional use of makeString on a single string literal. |
| (JSC::invalidParameterInstanceofNotFunctionSourceAppender): Ditto. |
| (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender): Ditto. |
| (JSC::createInvalidFunctionApplyParameterError): Ditto. |
| (JSC::createInvalidInParameterError): Ditto. |
| (JSC::createInvalidInstanceofParameterErrorNotFunction): Ditto. |
| (JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction): Ditto. |
| |
| * runtime/FunctionConstructor.cpp: |
| (JSC::constructFunctionSkippingEvalEnabledCheck): Use single append instead of multiple. |
| * runtime/Options.cpp: |
| (JSC::Options::dumpOption): Ditto. |
| * runtime/TypeProfiler.cpp: |
| (JSC::TypeProfiler::typeInformationForExpressionAtOffset): Ditto. |
| * runtime/TypeSet.cpp: |
| (JSC::StructureShape::stringRepresentation): Ditto. Also use a modern for loop. |
| |
| 2019-08-21 Mark Lam <mark.lam@apple.com> |
| |
| Wasm::FunctionParser is failing to enforce maxFunctionLocals. |
| https://bugs.webkit.org/show_bug.cgi?id=201016 |
| <rdar://problem/54579911> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Currently, Wasm::FunctionParser is allowing |
| |
| maxFunctionParams + maxFunctionLocals * maxFunctionLocals |
| |
| ... locals, which is 0x9502FCE8. It should be enforcing max locals of |
| maxFunctionLocals instead. |
| |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parse): |
| |
| 2019-08-21 Michael Saboff <msaboff@apple.com> |
| |
| [JSC] incorrect JIT leads to StackOverflow |
| https://bugs.webkit.org/show_bug.cgi?id=197823 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| Added stack overflow check to the bound function thunk generator. Added a new C++ operation |
| throwStackOverflowErrorFromThunk() to throw the error. |
| |
| * jit/JITOperations.cpp: |
| * jit/JITOperations.h: |
| * jit/ThunkGenerators.cpp: |
| (JSC::boundThisNoArgsFunctionCallGenerator): |
| |
| 2019-08-21 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Page: re-add enable/disable after r248454 |
| https://bugs.webkit.org/show_bug.cgi?id=200947 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| We shouldn't design the agent system with only Web Inspector in mind. Other clients may want |
| to have different functionality, not being told about frame creation/updates/destruction. |
| In these cases, we should have graceful error message failures for other agents that rely on |
| the Page agent. |
| |
| * inspector/protocol/Page.json: |
| |
| 2019-08-20 Justin Michaud <justin_michaud@apple.com> |
| |
| Identify memcpy loops in b3 |
| https://bugs.webkit.org/show_bug.cgi?id=200181 |
| |
| Reviewed by Saam Barati. |
| |
| Add a new pass in B3 to identify one type of forward byte copy loop and replace it with a call to a custom version of memcpy |
| that will not cause GC tearing and have the correct behaviour when overlapping regions are passed in. |
| |
| Microbenchmarks show memcpy-typed-loop-large is about 6x faster, and everything else is neutral. The optimization is disabled |
| on arm for now, until we add a memcpy implementation for it. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * b3/B3Generate.cpp: |
| (JSC::B3::generateToAir): |
| * b3/B3ReduceLoopStrength.cpp: Added. |
| (JSC::B3::fastForwardCopy32): |
| (JSC::B3::ReduceLoopStrength::AddrInfo::appendAddr): |
| (JSC::B3::ReduceLoopStrength::ReduceLoopStrength): |
| (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy): |
| (JSC::B3::ReduceLoopStrength::hoistValue): |
| (JSC::B3::ReduceLoopStrength::run): |
| (JSC::B3::reduceLoopStrength): |
| * b3/B3ReduceLoopStrength.h: Added. |
| * b3/testb3.h: |
| * b3/testb3_1.cpp: |
| (run): |
| * b3/testb3_8.cpp: |
| (testFastForwardCopy32): |
| (testByteCopyLoop): |
| (testByteCopyLoopStartIsLoopDependent): |
| (testByteCopyLoopBoundIsLoopDependent): |
| (addCopyTests): |
| |
| 2019-08-20 Devin Rousso <drousso@apple.com> |
| |
| Unreviewed, speculative build fix for High Sierra after r248925 |
| |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::HeapHolderFinder::dump): |
| |
| 2019-08-20 Mark Lam <mark.lam@apple.com> |
| |
| Remove superfluous size argument to allocateCell() for fixed size objects. |
| https://bugs.webkit.org/show_bug.cgi?id=200958 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The size is already automatically computed by the allocateCell() template's default |
| arguments. Removing these superfluous arguments will make it easier for us to |
| grep for cases where we do allocate variable size cells (for later analysis work). |
| |
| * jsc.cpp: |
| (JSC::Masquerader::create): |
| (JSCMemoryFootprint::create): |
| * tools/JSDollarVM.cpp: |
| (JSC::JSDollarVMCallFrame::create): |
| (JSC::Element::create): |
| (JSC::Root::create): |
| (JSC::SimpleObject::create): |
| (JSC::ImpureGetter::create): |
| (JSC::CustomGetter::create): |
| (JSC::DOMJITNode::create): |
| (JSC::DOMJITGetter::create): |
| (JSC::DOMJITGetterComplex::create): |
| (JSC::DOMJITFunctionObject::create): |
| (JSC::DOMJITCheckSubClassObject::create): |
| (JSC::DOMJITGetterBaseJSObject::create): |
| (JSC::JSTestCustomGetterSetter::create): |
| (JSC::WasmStreamingParser::create): |
| |
| 2019-08-20 Mark Lam <mark.lam@apple.com> |
| |
| JSBigInt::m_length should be immutable. |
| https://bugs.webkit.org/show_bug.cgi?id=200956 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| This is because the JSBigInt cell size is allocated with that length. Changing |
| the length after construction does not change the size of the cell, and hence, |
| makes no sense. |
| |
| This patch removes the setLength() method, and decorates the m_length field with |
| const to enforce that it is immutable after construction. |
| |
| * runtime/JSBigInt.h: |
| |
| 2019-08-20 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Implement `queryHolders` Command Line API |
| https://bugs.webkit.org/show_bug.cgi?id=200458 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Call `queryHolders(object)` from the Console to return an array of objects that strongly |
| reference the given `object`. This could be very useful for finding JavaScript "leaks". |
| |
| * inspector/InjectedScriptSource.js: |
| (queryHolders): Added. |
| * inspector/JSInjectedScriptHost.h: |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::HeapHolderFinder::HeapHolderFinder): Added. |
| (Inspector::HeapHolderFinder::holders): Added. |
| (Inspector::HeapHolderFinder::analyzeEdge): Added. |
| (Inspector::HeapHolderFinder::analyzePropertyNameEdge): Added. |
| (Inspector::HeapHolderFinder::analyzeVariableNameEdge): Added. |
| (Inspector::HeapHolderFinder::analyzeIndexEdge): Added. |
| (Inspector::HeapHolderFinder::analyzeNode): Added. |
| (Inspector::HeapHolderFinder::setOpaqueRootReachabilityReasonForCell): Added. |
| (Inspector::HeapHolderFinder::setWrappedObjectForCell): Added. |
| (Inspector::HeapHolderFinder::setLabelForCell): Added. |
| (Inspector::HeapHolderFinder::dump): Added. |
| (Inspector::JSInjectedScriptHost::queryHolders): Added. |
| * inspector/JSInjectedScriptHostPrototype.cpp: |
| (Inspector::JSInjectedScriptHostPrototype::finishCreation): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionQueryHolders): Added. |
| |
| * heap/HeapAnalyzer.h: Added. |
| Create an abstract base class for analyzing the Heap during a GC. Rather than create an |
| entire `HeapSnapshot` for `queryHolders`, the `HeapHolderFinder` can just walk the Heap and |
| only save the information it needs to determine the holders of the given `object`. |
| |
| * heap/Heap.h: |
| * heap/Heap.cpp: |
| (JSC::Heap::isAnalyzingHeap const): Added. |
| (JSC::GatherExtraHeapData::GatherExtraHeapData): Added. |
| (JSC::GatherExtraHeapData::operator() const): Added. |
| (JSC::Heap::gatherExtraHeapData): Added. |
| (JSC::Heap::didFinishCollection): Added. |
| (JSC::Heap::isHeapSnapshotting const): Deleted. |
| (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData): Deleted. |
| (JSC::GatherHeapSnapshotData::operator() const): Deleted. |
| (JSC::Heap::gatherExtraHeapSnapshotData): Deleted. |
| * heap/SlotVisitor.h: |
| (JSC::SlotVisitor::isAnalyzingHeap const): Added. |
| (JSC::SlotVisitor::heapAnalyzer const): Added. |
| (JSC::SlotVisitor::isBuildingHeapSnapshot const): Deleted. |
| (JSC::SlotVisitor::heapSnapshotBuilder const): Deleted. |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::didStartMarking): |
| (JSC::SlotVisitor::reset): |
| (JSC::SlotVisitor::appendSlow): |
| (JSC::SlotVisitor::visitChildren): |
| * heap/SlotVisitorInlines.h: |
| (JSC::SlotVisitor::appendUnbarriered): |
| * heap/WeakBlock.cpp: |
| (JSC::WeakBlock::specializedVisit): |
| * runtime/Structure.cpp: |
| (JSC::Structure::visitChildren): |
| Rename `HeapAnalyzer` functions to be less specific to building a `HeapSnapshot`. |
| |
| * heap/HeapProfiler.h: |
| (JSC::HeapProfiler::activeHeapAnalyzer const): Added. |
| (JSC::HeapProfiler::activeSnapshotBuilder const): Deleted. |
| * heap/HeapProfiler.cpp: |
| (JSC::HeapProfiler::setActiveHeapAnalyzer): Added. |
| (JSC::HeapProfiler::setActiveSnapshotBuilder): Deleted. |
| * heap/HeapSnapshotBuilder.h: |
| * heap/HeapSnapshotBuilder.cpp: |
| (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder): |
| (JSC::HeapSnapshotBuilder::buildSnapshot): |
| (JSC::HeapSnapshotBuilder::analyzeNode): Added. |
| (JSC::HeapSnapshotBuilder::analyzeEdge): Added. |
| (JSC::HeapSnapshotBuilder::analyzePropertyNameEdge): Added. |
| (JSC::HeapSnapshotBuilder::analyzeVariableNameEdge): Added. |
| (JSC::HeapSnapshotBuilder::analyzeIndexEdge): Added. |
| (JSC::HeapSnapshotBuilder::appendNode): Deleted. |
| (JSC::HeapSnapshotBuilder::appendEdge): Deleted. |
| (JSC::HeapSnapshotBuilder::appendPropertyNameEdge): Deleted. |
| (JSC::HeapSnapshotBuilder::appendVariableNameEdge): Deleted. |
| (JSC::HeapSnapshotBuilder::appendIndexEdge): Deleted. |
| |
| * inspector/InjectedScriptManager.h: |
| * inspector/agents/InspectorRuntimeAgent.cpp: |
| |
| * runtime/ClassInfo.h: |
| * runtime/JSCell.h: |
| * runtime/JSCell.cpp: |
| (JSC::JSCell::analyzeHeap): Added. |
| (JSC::JSCell::heapSnapshot): Deleted. |
| * runtime/JSLexicalEnvironment.h: |
| * runtime/JSLexicalEnvironment.cpp: |
| (JSC::JSLexicalEnvironment::analyzeHeap): Added. |
| (JSC::JSLexicalEnvironment::heapSnapshot): Deleted. |
| * runtime/JSObject.h: |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::analyzeHeap): Added. |
| (JSC::JSObject::heapSnapshot): Deleted. |
| * runtime/JSSegmentedVariableObject.h: |
| * runtime/JSSegmentedVariableObject.cpp: |
| (JSC::JSSegmentedVariableObject::analyzeHeap): Added. |
| (JSC::JSSegmentedVariableObject::heapSnapshot): Deleted. |
| Rename `heapSnapshot` to `analyzeHeap`. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| |
| 2019-08-20 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Enable by default |
| https://bugs.webkit.org/show_bug.cgi?id=200931 |
| |
| Reviewed by Saam Barati. |
| |
| * runtime/Options.h: |
| |
| 2019-08-20 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Array.prototype.toString should not get "join" function each time |
| https://bugs.webkit.org/show_bug.cgi?id=200905 |
| |
| Reviewed by Mark Lam. |
| |
| We avoid looking up `join` every time Array#toString is called. This patch implements the most profitable and easy |
| case first, as we do for the Array#slice optimization: a non-modified original Array. We configure a watchpoint for |
| Array.prototype.join changes and use this information together with structure information to determine whether the `join` lookup |
| in Array.prototype.toString is unnecessary. This improves the JetStream2/3d-raytrace-SP score by 1.6%. |
| |
| ToT: 363.56 |
| Patched: 369.26 |
| |
| This patch also renames InlineWatchpointSet fields from Watchpoint to WatchpointSet since they are not Watchpoint. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicCall): |
| * dfg/DFGGraph.h: |
| (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint): |
| (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::speciesWatchpointIsValid): |
| (JSC::canUseDefaultArrayJoinForToString): |
| (JSC::arrayProtoFuncToString): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::JSGlobalObject): |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::arrayIteratorProtocolWatchpointSet): |
| (JSC::JSGlobalObject::mapIteratorProtocolWatchpointSet): |
| (JSC::JSGlobalObject::setIteratorProtocolWatchpointSet): |
| (JSC::JSGlobalObject::stringIteratorProtocolWatchpointSet): |
| (JSC::JSGlobalObject::mapSetWatchpointSet): |
| (JSC::JSGlobalObject::setAddWatchpointSet): |
| (JSC::JSGlobalObject::arraySpeciesWatchpointSet): |
| (JSC::JSGlobalObject::arrayJoinWatchpointSet): |
| (JSC::JSGlobalObject::numberToStringWatchpointSet): |
| (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint): Deleted. |
| (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint): Deleted. |
| (JSC::JSGlobalObject::setIteratorProtocolWatchpoint): Deleted. |
| (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint): Deleted. |
| (JSC::JSGlobalObject::mapSetWatchpoint): Deleted. |
| (JSC::JSGlobalObject::setAddWatchpoint): Deleted. |
| (JSC::JSGlobalObject::arraySpeciesWatchpoint): Deleted. |
| (JSC::JSGlobalObject::numberToStringWatchpoint): Deleted. |
| * runtime/JSGlobalObjectInlines.h: |
| (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable): |
| (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable): |
| (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable): |
| (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable): |
| (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable): |
| (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable): |
| |
| 2019-08-20 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Web Inspector: Support for JavaScript BigInt |
| https://bugs.webkit.org/show_bug.cgi?id=180731 |
| <rdar://problem/36298748> |
| |
| Reviewed by Devin Rousso. |
| |
| * inspector/InjectedScriptSource.js: |
| (toStringDescription): |
| (isSymbol): |
| (isBigInt): |
| (let.InjectedScript.prototype._fallbackWrapper): |
| (let.RemoteObject): |
| (let.RemoteObject.subtype): |
| (let.RemoteObject.describe): |
| (let.RemoteObject.prototype._appendPropertyPreviews): |
| (let.RemoteObject.set _isPreviewableObjectInternal): |
| (let.RemoteObject.prototype._isPreviewableObject.set add): |
| * inspector/protocol/Runtime.json: |
| New RemoteObject type and preview support. |
| |
| * runtime/RuntimeType.cpp: |
| (JSC::runtimeTypeForValue): |
| (JSC::runtimeTypeAsString): |
| * runtime/RuntimeType.h: |
| * runtime/TypeSet.cpp: |
| (JSC::TypeSet::displayName const): |
| (JSC::TypeSet::inspectorTypeSet const): |
| New type for the type profiler. |
| |
| * heap/HeapSnapshotBuilder.cpp: |
| (JSC::HeapSnapshotBuilder::json): |
| * inspector/agents/InspectorHeapAgent.cpp: |
| (Inspector::InspectorHeapAgent::getPreview): |
| * runtime/JSBigInt.cpp: |
| (JSC::JSBigInt::toString): |
| (JSC::JSBigInt::tryGetString): |
| (JSC::JSBigInt::toStringBasePowerOfTwo): |
| (JSC::JSBigInt::toStringGeneric): |
| * runtime/JSBigInt.h: |
| BigInts are not tied to a GlobalObject, so provide a way to get a |
| String for HeapSnapshot previews that are not tied to an ExecState. |
| |
| 2019-08-19 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Debugger: add a global breakpoint for pausing in the next microtask |
| https://bugs.webkit.org/show_bug.cgi?id=200652 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/Debugger.json: |
| Add `setPauseOnMicrotasks` command. |
| |
| * inspector/agents/InspectorDebuggerAgent.h: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::disable): |
| (Inspector::InspectorDebuggerAgent::setPauseOnMicrotasks): Added. |
| (Inspector::InspectorDebuggerAgent::willRunMicrotask): Added. |
| (Inspector::InspectorDebuggerAgent::didRunMicrotask): Added. |
| |
| * debugger/Debugger.h: |
| (JSC::Debugger::willRunMicrotask): Added. |
| (JSC::Debugger::didRunMicrotask): Added. |
| * inspector/ScriptDebugListener.h: |
| * inspector/ScriptDebugServer.h: |
| * inspector/ScriptDebugServer.cpp: |
| (Inspector::ScriptDebugServer::evaluateBreakpointAction): |
| (Inspector::ScriptDebugServer::sourceParsed): |
| (Inspector::ScriptDebugServer::willRunMicrotask): Added. |
| (Inspector::ScriptDebugServer::didRunMicrotask): Added. |
| (Inspector::ScriptDebugServer::canDispatchFunctionToListeners const): Added. |
| (Inspector::ScriptDebugServer::dispatchFunctionToListeners): Added. |
| (Inspector::ScriptDebugServer::handlePause): |
| (Inspector::ScriptDebugServer::dispatchDidPause): Deleted. |
| (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Deleted. |
| (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Deleted. |
| (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Deleted. |
| (Inspector::ScriptDebugServer::dispatchDidContinue): Deleted. |
| (Inspector::ScriptDebugServer::dispatchDidParseSource): Deleted. |
| (Inspector::ScriptDebugServer::dispatchFailedToParseSource): Deleted. |
| Unify the various `dispatch*` functions to use lambdas so state management is centralized. |
| |
| * runtime/JSMicrotask.cpp: |
| (JSC::JSMicrotask::run): |
| |
| * inspector/agents/JSGlobalObjectDebuggerAgent.h: |
| |
| 2019-08-19 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Debugger: pause on assertion failures breakpoint doesn't work when inspecting a JSContext |
| https://bugs.webkit.org/show_bug.cgi?id=200874 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel): |
| |
| 2019-08-19 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Proxy constructor should throw if handler is revoked Proxy |
| https://bugs.webkit.org/show_bug.cgi?id=198755 |
| |
| Reviewed by Saam Barati. |
| |
| Reword error message and check if handler is revoked Proxy. |
| (step 4 of https://tc39.es/ecma262/#sec-proxycreate) |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::finishCreation): Add isRevoked check. |
| |
| 2019-08-19 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] OSR entry to Wasm OMG |
| https://bugs.webkit.org/show_bug.cgi?id=200362 |
| |
| Reviewed by Michael Saboff. |
| |
| This patch implements Wasm OSR entry mechanism from BBQ tier to OMG tier. |
| We found that one of the JetStream2 tests heavily relies on the OSR entry feature. gcc-loops-wasm spends |
| most of its time in the BBQ tier since one of the functions takes a significantly long time. And since we did |
| not have an OSR entry feature, we could not use the OMG function until that BBQ function finished. |
| |
| To implement Wasm OSR feature, we first capture all locals and stacks in the patchpoint to generate |
| the stackmap. Once the threshold is crossed, the patchpoint calls `MacroAssembler::probe` feature to |
| capture whole register context, and C++ runtime function reads stackmap and Probe::Context to perform |
| OSR entry. This patch intentionally makes OSR entry written in C++ runtime side as much as possible |
| to make it easily reusable for the other tiers. For example, we are planning to introduce Wasm interpreter, |
| and it can easily use this tier-up function. Because of this simplicity, this generic implementation can |
| cover both BBQ Air and BBQ B3 tier-up features. So, in the future, it is possible that we revive BBQ B3, |
| and construct the wasm pipeline like, interpreter->BBQ B3->OMG B3. |
| |
| To generate OMG code for OSR entry, we add a new mode OMGForOSREntry, which mimics the FTLForOSREntry. |
| In FTLForOSREntry, we cut unrelated blocks including the usual entry point in DFG tier and later convert |
| graph to SSA. This is possible because DFG is not SSA. On the other hand, B3 is SSA and we cannot do the |
| same thing without a hack. |
| |
| This patch introduces a hack: making all wasm locals and stack values B3::Variable for OMGForOSREntry mode. |
| Then, we can cut blocks easily and we can generate the B3 graph without doing reachability analysis from the |
| OSR entry point. B3 will remove unreachable blocks later. |
| |
| Tier-up function mimics DFG->FTL OSR entry heuristics and threshold as much as possible. And this patch adjusts |
| the tier-up count threshold to make it close to DFG->FTL ones. Wasm tier-up is now using ExecutionCounter, which |
| is inherited from Wasm::TierUpCount. Since wasm can execute concurrently, the tier-up counter can be racily updated. |
| But this is OK in practice. Even if we see some more tier-up function calls or tier-up function calls are delayed, |
| the critical part is guarded by a lock in tier-up function. |
| |
| On an iMac Pro, it shows ~4x runtime improvement for gcc-loops-wasm. On an iOS device (iPhone XR), we saw ~2x improvement. |
| |
| ToT: |
| HashSet-wasm:Score: 24.6pt stdev=4.6% |
| :Time:Geometric: 204ms stdev=4.4% |
| Runtime:Time: 689ms stdev=1.0% |
| Startup:Time: 60.3ms stdev=8.4% |
| gcc-loops-wasm:Score: 8.41pt stdev=6.7% |
| :Time:Geometric: 597ms stdev=6.5% |
| Runtime:Time: 8.509s stdev=0.7% |
| Startup:Time: 42ms stdev=12.4% |
| quicksort-wasm:Score: 347pt stdev=20.9% |
| :Time:Geometric: 15ms stdev=18.6% |
| Runtime:Time: 28.2ms stdev=7.9% |
| Startup:Time: 8.2ms stdev=35.0% |
| richards-wasm:Score: 77.6pt stdev=4.5% |
| :Time:Geometric: 64.6ms stdev=4.4% |
| Runtime:Time: 544ms stdev=3.3% |
| Startup:Time: 7.67ms stdev=6.7% |
| tsf-wasm:Score: 47.9pt stdev=4.5% |
| :Time:Geometric: 104ms stdev=4.8% |
| Runtime:Time: 259ms stdev=4.4% |
| Startup:Time: 42.2ms stdev=8.5% |
| |
| Patched: |
| HashSet-wasm:Score: 24.1pt stdev=4.1% |
| :Time:Geometric: 208ms stdev=4.1% |
| Runtime:Time: 684ms stdev=1.1% |
| Startup:Time: 63.2ms stdev=8.1% |
| gcc-loops-wasm:Score: 15.7pt stdev=5.1% |
| :Time:Geometric: 319ms stdev=5.3% |
| Runtime:Time: 2.491s stdev=0.7% |
| Startup:Time: 41ms stdev=11.0% |
| quicksort-wasm:Score: 353pt stdev=13.7% |
| :Time:Geometric: 14ms stdev=12.7% |
| Runtime:Time: 26.2ms stdev=2.9% |
| Startup:Time: 8.0ms stdev=23.7% |
| richards-wasm:Score: 77.4pt stdev=5.3% |
| :Time:Geometric: 64.7ms stdev=5.3% |
| Runtime:Time: 536ms stdev=1.5% |
| Startup:Time: 7.83ms stdev=9.6% |
| tsf-wasm:Score: 47.3pt stdev=5.7% |
| :Time:Geometric: 106ms stdev=6.1% |
| Runtime:Time: 250ms stdev=3.5% |
| Startup:Time: 45ms stdev=13.8% |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::branchAdd32): |
| * b3/B3ValueRep.h: |
| * bytecode/CodeBlock.h: |
| * bytecode/ExecutionCounter.cpp: |
| (JSC::applyMemoryUsageHeuristics): |
| (JSC::ExecutionCounter<countingVariant>::setThreshold): |
| * bytecode/ExecutionCounter.h: |
| (JSC::ExecutionCounter::clippedThreshold): |
| * dfg/DFGJITCode.h: |
| * dfg/DFGOperations.cpp: |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::prologueStackPointerDelta): |
| * runtime/Options.h: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::createStack): |
| (JSC::Wasm::AirIRGenerator::emitPatchpoint): |
| (JSC::Wasm::AirIRGenerator::outerLoopIndex const): |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck): |
| (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::AirIRGenerator::addLoop): |
| (JSC::Wasm::AirIRGenerator::addElse): |
| (JSC::Wasm::AirIRGenerator::addBranch): |
| (JSC::Wasm::AirIRGenerator::addSwitch): |
| (JSC::Wasm::AirIRGenerator::endBlock): |
| (JSC::Wasm::AirIRGenerator::addEndToUnreachable): |
| (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock): |
| (JSC::Wasm::AirIRGenerator::dump): |
| (JSC::Wasm::AirIRGenerator::emitTierUpCheck): Deleted. |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::Stack::Stack): |
| (JSC::Wasm::B3IRGenerator::Stack::append): |
| (JSC::Wasm::B3IRGenerator::Stack::takeLast): |
| (JSC::Wasm::B3IRGenerator::Stack::last): |
| (JSC::Wasm::B3IRGenerator::Stack::size const): |
| (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): |
| (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): |
| (JSC::Wasm::B3IRGenerator::Stack::at const): |
| (JSC::Wasm::B3IRGenerator::Stack::variableAt const): |
| (JSC::Wasm::B3IRGenerator::Stack::shrink): |
| (JSC::Wasm::B3IRGenerator::Stack::swap): |
| (JSC::Wasm::B3IRGenerator::Stack::dump const): |
| (JSC::Wasm::B3IRGenerator::createStack): |
| (JSC::Wasm::B3IRGenerator::outerLoopIndex const): |
| (JSC::Wasm::B3IRGenerator::B3IRGenerator): |
| (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck): |
| (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck): |
| (JSC::Wasm::B3IRGenerator::addLoop): |
| (JSC::Wasm::B3IRGenerator::addElse): |
| (JSC::Wasm::B3IRGenerator::addBranch): |
| (JSC::Wasm::B3IRGenerator::addSwitch): |
| (JSC::Wasm::B3IRGenerator::endBlock): |
| (JSC::Wasm::B3IRGenerator::addEndToUnreachable): |
| (JSC::Wasm::B3IRGenerator::unifyValuesWithBlock): |
| (JSC::Wasm::B3IRGenerator::dump): |
| (JSC::Wasm::parseAndCompile): |
| (JSC::Wasm::B3IRGenerator::emitTierUpCheck): Deleted. |
| (JSC::Wasm::dumpExpressionStack): Deleted. |
| * wasm/WasmB3IRGenerator.h: |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::compileFunctions): |
| * wasm/WasmBBQPlan.h: |
| * wasm/WasmBBQPlanInlines.h: |
| (JSC::Wasm::BBQPlan::initializeCallees): |
| * wasm/WasmCallee.h: |
| * wasm/WasmCodeBlock.cpp: |
| (JSC::Wasm::CodeBlock::CodeBlock): |
| * wasm/WasmCodeBlock.h: |
| (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace): |
| (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace): |
| (JSC::Wasm::CodeBlock::tierUpCount): Deleted. |
| * wasm/WasmCompilationMode.cpp: |
| (JSC::Wasm::makeString): |
| * wasm/WasmCompilationMode.h: |
| * wasm/WasmContext.cpp: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.cpp. |
| (JSC::Wasm::Context::scratchBufferForSize): |
| * wasm/WasmContext.h: |
| * wasm/WasmContextInlines.h: |
| (JSC::Wasm::Context::tryLoadInstanceFromTLS): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::FunctionParser): |
| (JSC::Wasm::FunctionParser<Context>::parseBody): |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| * wasm/WasmOMGForOSREntryPlan.cpp: Copied from Source/JavaScriptCore/wasm/WasmOMGPlan.cpp. |
| (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan): |
| (JSC::Wasm::OMGForOSREntryPlan::work): |
| * wasm/WasmOMGForOSREntryPlan.h: Copied from Source/JavaScriptCore/wasm/WasmOMGPlan.h. |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| (JSC::Wasm::OMGPlan::runForIndex): Deleted. |
| * wasm/WasmOMGPlan.h: |
| * wasm/WasmOSREntryData.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h. |
| (JSC::Wasm::OSREntryValue::OSREntryValue): |
| (JSC::Wasm::OSREntryValue::type const): |
| (JSC::Wasm::OSREntryData::OSREntryData): |
| (JSC::Wasm::OSREntryData::functionIndex const): |
| (JSC::Wasm::OSREntryData::loopIndex const): |
| (JSC::Wasm::OSREntryData::values): |
| * wasm/WasmOperations.cpp: Added. |
| (JSC::Wasm::shouldTriggerOMGCompile): |
| (JSC::Wasm::triggerOMGReplacementCompile): |
| (JSC::Wasm::doOSREntry): |
| (JSC::Wasm::triggerOSREntryNow): |
| (JSC::Wasm::triggerTierUpNow): |
| * wasm/WasmOperations.h: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.h. |
| * wasm/WasmThunks.cpp: |
| (JSC::Wasm::triggerOMGEntryTierUpThunkGenerator): |
| (JSC::Wasm::triggerOMGTierUpThunkGenerator): Deleted. |
| * wasm/WasmThunks.h: |
| * wasm/WasmTierUpCount.cpp: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.cpp. |
| (JSC::Wasm::TierUpCount::TierUpCount): |
| (JSC::Wasm::TierUpCount::addOSREntryData): |
| * wasm/WasmTierUpCount.h: |
| (JSC::Wasm::TierUpCount::loopIncrement): |
| (JSC::Wasm::TierUpCount::functionEntryIncrement): |
| (JSC::Wasm::TierUpCount::osrEntryTriggers): |
| (JSC::Wasm::TierUpCount::outerLoops): |
| (JSC::Wasm::TierUpCount::getLock): |
| (JSC::Wasm::TierUpCount::optimizeAfterWarmUp): |
| (JSC::Wasm::TierUpCount::checkIfOptimizationThresholdReached): |
| (JSC::Wasm::TierUpCount::dontOptimizeAnytimeSoon): |
| (JSC::Wasm::TierUpCount::optimizeNextInvocation): |
| (JSC::Wasm::TierUpCount::optimizeSoon): |
| (JSC::Wasm::TierUpCount::setOptimizationThresholdBasedOnCompilationResult): |
| (JSC::Wasm::TierUpCount::TierUpCount): Deleted. |
| (JSC::Wasm::TierUpCount::loopDecrement): Deleted. |
| (JSC::Wasm::TierUpCount::functionEntryDecrement): Deleted. |
| (JSC::Wasm::TierUpCount::shouldStartTierUp): Deleted. |
| (JSC::Wasm::TierUpCount::count): Deleted. |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::createStack): |
| (JSC::Wasm::Validate::addLoop): |
| (JSC::Wasm::Validate::addElse): |
| (JSC::Wasm::Validate::checkBranchTarget): |
| (JSC::Wasm::Validate::addBranch): |
| (JSC::Wasm::Validate::addSwitch): |
| (JSC::Wasm::Validate::endBlock): |
| (JSC::Wasm::Validate::unify): |
| (JSC::Wasm::dumpExpressionStack): |
| (JSC::Wasm::Validate::dump): |
| |
| 2019-08-19 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Date.prototype.toJSON throws if toISOString returns an object |
| https://bugs.webkit.org/show_bug.cgi?id=198495 |
| |
| Reviewed by Ross Kirsling. |
| |
| Don't throw TypeError if result of toISOString call is not a primitive. |
| (step 4 of https://tc39.es/ecma262/#sec-date.prototype.tojson) |
| |
| * runtime/DatePrototype.cpp: |
| (JSC::dateProtoFuncToJSON): Remove the isObject check. |
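The behaviour this entry fixes, as an added example that is not part of the ChangeLog or of JavaScriptCore's own source: a reference implementation of Date.prototype.toJSON that follows the spec steps one by one, next to the engine's built-in. Step 2 converts the receiver with hint number before toISOString is ever looked up, step 3 turns a non-finite time value into null, and step 4 returns whatever toISOString produces, object or not. The receiver objects (`objectReturningISO`, `invalidTimeValue`) are constructed here for the demonstration; the helper `toPrimitiveNumber` is an abbreviated OrdinaryToPrimitive, not an engine API.

```javascript
// Added example (not JavaScriptCore code): Date.prototype.toJSON per
// https://tc39.es/ecma262/#sec-date.prototype.tojson, step by step.

function toPrimitiveNumber(obj) {
  // Abbreviated OrdinaryToPrimitive with hint "number": valueOf, then toString.
  for (const name of ['valueOf', 'toString']) {
    const method = obj[name];
    if (typeof method === 'function') {
      const result = method.call(obj);
      if (result === null || typeof result !== 'object') return result;
    }
  }
  throw new TypeError('Cannot convert object to primitive value');
}

function dateToJSON(thisValue) {
  // Step 1: ToObject(this value).
  if (thisValue === null || thisValue === undefined) {
    throw new TypeError('Date.prototype.toJSON called on null or undefined');
  }
  const O = Object(thisValue);
  // Step 2: ToPrimitive(O, number). An exotic @@toPrimitive is honoured first;
  // real Date objects have one on Date.prototype.
  const exotic = O[Symbol.toPrimitive];
  const tv = typeof exotic === 'function' ? exotic.call(O, 'number') : toPrimitiveNumber(O);
  // Step 3: a non-finite numeric time value serialises as null.
  if (typeof tv === 'number' && !Number.isFinite(tv)) return null;
  // Step 4: Invoke(O, "toISOString"). The result is returned as-is; there is
  // no requirement that it be a primitive, which is the check the entry removes.
  const toISOString = O.toISOString;
  if (typeof toISOString !== 'function') throw new TypeError('toISOString is not a function');
  return toISOString.call(O);
}

// Receivers constructed for the demonstration (hypothetical, not from the page).
const objectReturningISO = {
  valueOf() { return 0; },
  toISOString() { return { custom: 'not a string' }; },
};
const invalidTimeValue = {
  valueOf() { return NaN; },
  toISOString() { throw new Error('must not be reached: step 3 returns null first'); },
};
```

Calling `Date.prototype.toJSON.call(objectReturningISO)` in a conforming engine returns the object unchanged, and `invalidTimeValue` yields null without toISOString ever being invoked, matching `dateToJSON` on the same inputs.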
| |
| 2019-08-19 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty |
| https://bugs.webkit.org/show_bug.cgi?id=200899 |
| <rdar://problem/54073341> |
| |
| Reviewed by Mark Lam. |
| |
| DFGByteCodeParser attempts to get a constant flag for isLittleEndian for DataView get/set. |
| When getting a constant in DFG, we first need to check whether it is JSEmpty. But we are missing |
| this check for DataView get/set optimization. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicCall): |
| |
| 2019-08-19 Tadeu Zagallo <tzagallo@apple.com> |
| |
| JSC tool targets should unlock the keychain before codesigning |
| https://bugs.webkit.org/show_bug.cgi?id=200733 |
| <rdar://problem/54223095> |
| |
| Reviewed by Alexey Proskuryakov. |
| |
| In r245564, we started codesigning JSC tool targets to run the datavault tests |
| in testapi, but we should unlock the keychain first so that it doesn't require |
| the password during builds. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| |
| 2019-08-19 Michael Saboff <msaboff@apple.com> |
| |
| Webkit jsc Crash in RegExp::matchInline (this=<optimized out> |
| https://bugs.webkit.org/show_bug.cgi?id=197090 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Turned the debug JIT assert into falling back to the interpreter. In release builds, that is effectively what we do |
| after exhausting the loop try count. There is no sense in looping until we exceed the count, as we can exit immediately. |
| |
| * assembler/AbortReason.h: |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::generate): |
| |
| 2019-08-18 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [WTF] Add makeUnique<T>, which ensures T is fast-allocated, makeUnique / makeUniqueWithoutFastMallocCheck part |
| https://bugs.webkit.org/show_bug.cgi?id=200620 |
| |
| Reviewed by Geoff Garen. |
| |
| * API/JSCallbackObject.h: |
| (JSC::JSCallbackObjectData::setPrivateProperty): |
| * API/JSCallbackObjectFunctions.h: |
| (JSC::JSCallbackObject<Parent>::JSCallbackObject): |
| * API/JSClassRef.cpp: |
| (OpaqueJSClassContextData::OpaqueJSClassContextData): |
| (OpaqueJSClass::contextData): |
| * API/JSMarkingConstraintPrivate.cpp: |
| (JSContextGroupAddMarkingConstraint): |
| * API/JSWrapperMap.mm: |
| (-[JSWrapperMap initWithGlobalContextRef:]): |
| * API/ObjCCallbackFunction.mm: |
| (ArgumentTypeDelegate::typeInteger): |
| (ArgumentTypeDelegate::typeDouble): |
| (ArgumentTypeDelegate::typeBool): |
| (ArgumentTypeDelegate::typeId): |
| (ArgumentTypeDelegate::typeOfClass): |
| (ArgumentTypeDelegate::typeStruct): |
| (ResultTypeDelegate::typeInteger): |
| (ResultTypeDelegate::typeDouble): |
| (ResultTypeDelegate::typeBool): |
| (ResultTypeDelegate::typeVoid): |
| (ResultTypeDelegate::typeId): |
| (ResultTypeDelegate::typeOfClass): |
| (ResultTypeDelegate::typeBlock): |
| (ResultTypeDelegate::typeStruct): |
| (objCCallbackFunctionForInvocation): |
| * API/glib/JSCContext.cpp: |
| (jscContextSetVirtualMachine): |
| * API/glib/JSCWrapperMap.cpp: |
| (JSC::WrapperMap::WrapperMap): |
| * assembler/ProbeStack.cpp: |
| (JSC::Probe::Stack::ensurePageFor): |
| * b3/B3LowerToAir.cpp: |
| * b3/B3Procedure.cpp: |
| (JSC::B3::Procedure::Procedure): |
| (JSC::B3::Procedure::dominators): |
| (JSC::B3::Procedure::naturalLoops): |
| (JSC::B3::Procedure::backwardsCFG): |
| (JSC::B3::Procedure::backwardsDominators): |
| (JSC::B3::Procedure::addDataSection): |
| * b3/air/AirCode.cpp: |
| (JSC::B3::Air::Code::cCallSpecial): |
| * b3/air/AirGenerate.cpp: |
| (JSC::B3::Air::prepareForGeneration): |
| * b3/air/testair.cpp: |
| * b3/testb3.h: |
| (compileProc): |
| * bytecode/AccessCase.cpp: |
| (JSC::AccessCase::generateImpl): |
| * bytecode/AccessCaseSnippetParams.cpp: |
| * bytecode/BytecodeBasicBlock.cpp: |
| (JSC::BytecodeBasicBlock::computeImpl): |
| * bytecode/CallLinkInfo.cpp: |
| (JSC::CallLinkInfo::setFrameShuffleData): |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::ensureJITDataSlow): |
| (JSC::CodeBlock::setCalleeSaveRegisters): |
| (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow): |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::createRareDataIfNecessary): |
| * bytecode/DFGExitProfile.cpp: |
| (JSC::DFG::ExitProfile::add): |
| * bytecode/DeferredCompilationCallback.cpp: |
| (JSC::DeferredCompilationCallback::ensureDeferredSourceDump): |
| * bytecode/GetByIdStatus.cpp: |
| (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): |
| * bytecode/GetByIdVariant.cpp: |
| (JSC::GetByIdVariant::operator=): |
| * bytecode/LazyOperandValueProfile.cpp: |
| (JSC::CompressedLazyOperandValueProfileHolder::add): |
| * bytecode/PolyProtoAccessChain.h: |
| (JSC::PolyProtoAccessChain::clone): |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::PolymorphicAccess::regenerate): |
| * bytecode/PutByIdStatus.cpp: |
| (JSC::PutByIdStatus::computeForStubInfo): |
| * bytecode/PutByIdVariant.cpp: |
| (JSC::PutByIdVariant::operator=): |
| * bytecode/RecordedStatuses.cpp: |
| (JSC::RecordedStatuses::addCallLinkStatus): |
| (JSC::RecordedStatuses::addGetByIdStatus): |
| (JSC::RecordedStatuses::addPutByIdStatus): |
| (JSC::RecordedStatuses::addInByIdStatus): |
| * bytecode/StructureStubClearingWatchpoint.cpp: |
| (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint): |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::addAccessCase): |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::livenessAnalysisSlow): |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): |
| * bytecode/UnlinkedFunctionExecutable.cpp: |
| (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::generate): |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter): |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::Graph): |
| (JSC::DFG::Graph::livenessFor): |
| (JSC::DFG::Graph::killsFor): |
| (JSC::DFG::Graph::ensureCPSCFG): |
| (JSC::DFG::Graph::ensureCPSDominators): |
| (JSC::DFG::Graph::ensureSSADominators): |
| (JSC::DFG::Graph::ensureCPSNaturalLoops): |
| (JSC::DFG::Graph::ensureSSANaturalLoops): |
| (JSC::DFG::Graph::ensureBackwardsCFG): |
| (JSC::DFG::Graph::ensureBackwardsDominators): |
| (JSC::DFG::Graph::ensureControlEquivalenceAnalysis): |
| * dfg/DFGJITCompiler.cpp: |
| (JSC::DFG::JITCompiler::JITCompiler): |
| (JSC::DFG::JITCompiler::link): |
| (JSC::DFG::JITCompiler::compile): |
| (JSC::DFG::JITCompiler::compileFunction): |
| (JSC::DFG::JITCompiler::addressOfDoubleConstant): |
| * dfg/DFGLivenessAnalysisPhase.cpp: |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::compileInThreadImpl): |
| * dfg/DFGSSAConversionPhase.cpp: |
| (JSC::DFG::SSAConversionPhase::run): |
| * dfg/DFGSlowPathGenerator.h: |
| (JSC::DFG::slowPathCall): |
| (JSC::DFG::slowPathMove): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): |
| (JSC::DFG::SpeculativeJIT::arrayify): |
| (JSC::DFG::SpeculativeJIT::compileGetByValOnString): |
| (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): |
| (JSC::DFG::SpeculativeJIT::compileArraySlice): |
| (JSC::DFG::SpeculativeJIT::emitStructureCheck): |
| (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): |
| * dfg/DFGStoreBarrierInsertionPhase.cpp: |
| * dfg/DFGWorklist.cpp: |
| (JSC::DFG::Worklist::createNewThread): |
| * disassembler/Disassembler.cpp: |
| (JSC::disassembleAsynchronously): |
| * ftl/FTLAbstractHeap.cpp: |
| (JSC::FTL::IndexedAbstractHeap::atSlow): |
| * ftl/FTLCompile.cpp: |
| (JSC::FTL::compile): |
| * ftl/FTLFail.cpp: |
| (JSC::FTL::fail): |
| * ftl/FTLLink.cpp: |
| (JSC::FTL::link): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath): |
| * ftl/FTLState.cpp: |
| (JSC::FTL::State::State): |
| * heap/CompleteSubspace.cpp: |
| (JSC::CompleteSubspace::allocatorForSlow): |
| * heap/Heap.cpp: |
| (JSC::Heap::Heap): |
| (JSC::Heap::protectedObjectTypeCounts): |
| (JSC::Heap::objectTypeCounts): |
| (JSC::Heap::addCoreConstraints): |
| * heap/HeapInlines.h: |
| * heap/HeapSnapshotBuilder.cpp: |
| (JSC::HeapSnapshotBuilder::buildSnapshot): |
| * heap/IsoCellSet.cpp: |
| (JSC::IsoCellSet::addSlow): |
| * heap/IsoSubspace.cpp: |
| (JSC::IsoSubspace::IsoSubspace): |
| * heap/MarkingConstraintSet.cpp: |
| (JSC::MarkingConstraintSet::add): |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel): |
| (Inspector::JSGlobalObjectConsoleClient::profile): |
| (Inspector::JSGlobalObjectConsoleClient::profileEnd): |
| (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented): |
| * inspector/JSGlobalObjectInspectorController.cpp: |
| (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): |
| (Inspector::JSGlobalObjectInspectorController::reportAPIException): |
| (Inspector::JSGlobalObjectInspectorController::ensureInspectorAgent): |
| (Inspector::JSGlobalObjectInspectorController::ensureDebuggerAgent): |
| (Inspector::JSGlobalObjectInspectorController::createLazyAgents): |
| * inspector/agents/InspectorAgent.cpp: |
| (Inspector::InspectorAgent::InspectorAgent): |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| (Inspector::InspectorConsoleAgent::InspectorConsoleAgent): |
| (Inspector::InspectorConsoleAgent::startTiming): |
| (Inspector::InspectorConsoleAgent::logTiming): |
| (Inspector::InspectorConsoleAgent::stopTiming): |
| (Inspector::InspectorConsoleAgent::count): |
| (Inspector::InspectorConsoleAgent::countReset): |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent): |
| * inspector/agents/InspectorHeapAgent.cpp: |
| (Inspector::InspectorHeapAgent::InspectorHeapAgent): |
| * inspector/agents/InspectorScriptProfilerAgent.cpp: |
| (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent): |
| * inspector/agents/InspectorTargetAgent.cpp: |
| (Inspector::InspectorTargetAgent::InspectorTargetAgent): |
| * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: |
| (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): |
| * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: |
| (Inspector::JSGlobalObjectRuntimeAgent::JSGlobalObjectRuntimeAgent): |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: |
| (Inspector::RemoteInspectorSocketEndpoint::createClient): |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: |
| * inspector/scripts/codegen/objc_generator_templates.py: |
| * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/domain-availability.json-result: |
| * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result: |
| * inspector/scripts/tests/generic/expected/enum-values.json-result: |
| * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: |
| * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: |
| * jit/JIT.cpp: |
| (JSC::JIT::compileWithoutLinking): |
| (JSC::JIT::link): |
| * jit/JITThunks.cpp: |
| (JSC::JITThunks::JITThunks): |
| * jit/Repatch.cpp: |
| (JSC::linkPolymorphicCall): |
| * jsc.cpp: |
| (runJSC): |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::Parser): |
| * parser/Parser.h: |
| (JSC::Scope::pushLabel): |
| (JSC::Parser<LexerType>::parse): |
| * parser/ParserArena.h: |
| (JSC::ParserArena::identifierArena): |
| * profiler/ProfilerCompilation.cpp: |
| (JSC::Profiler::Compilation::executionCounterFor): |
| * runtime/Error.cpp: |
| (JSC::getStackTrace): |
| * runtime/FunctionExecutable.cpp: |
| (JSC::FunctionExecutable::ensureRareDataSlow): |
| * runtime/FunctionRareData.h: |
| (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::createRareDataIfNeeded): |
| * runtime/JSRunLoopTimer.cpp: |
| (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): |
| (JSC::JSRunLoopTimer::Manager::registerVM): |
| * runtime/PropertyMapHashTable.h: |
| (JSC::PropertyTable::addDeletedOffset): |
| * runtime/PropertyTable.cpp: |
| (JSC::PropertyTable::PropertyTable): |
| * runtime/RegExp.cpp: |
| (JSC::RegExp::finishCreation): |
| * runtime/RegExp.h: |
| * runtime/ScriptExecutable.cpp: |
| (JSC::ScriptExecutable::ensureTemplateObjectMapImpl): |
| * runtime/Structure.cpp: |
| (JSC::Structure::ensurePropertyReplacementWatchpointSet): |
| * runtime/StructureRareData.cpp: |
| (JSC::StructureRareData::setObjectToStringValue): |
| * runtime/SymbolTable.cpp: |
| (JSC::SymbolTable::localToEntry): |
| (JSC::SymbolTable::cloneScopePart): |
| (JSC::SymbolTable::prepareForTypeProfiling): |
| (JSC::SymbolTable::setRareDataCodeBlock): |
| * runtime/TypeSet.cpp: |
| (JSC::StructureShape::propertyHash): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| (JSC::VM::ensureHeapProfiler): |
| (JSC::VM::enableTypeProfiler): |
| (JSC::VM::enableControlFlowProfiler): |
| (JSC::VM::queueMicrotask): |
| (JSC::VM::ensureShadowChicken): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::emitPatchpoint): |
| (JSC::Wasm::AirIRGenerator::emitCheck): |
| (JSC::Wasm::parseAndCompileAir): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::parseAndCompile): |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::complete): |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| * wasm/WasmWorklist.cpp: |
| (JSC::Wasm::Worklist::Worklist): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * yarr/YarrInterpreter.cpp: |
| (JSC::Yarr::ByteCompiler::compile): |
| (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd): |
| (JSC::Yarr::ByteCompiler::regexBegin): |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::compile): |
| * yarr/YarrPattern.cpp: |
| (JSC::Yarr::CharacterClassConstructor::charClass): |
| (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor): |
| (JSC::Yarr::YarrPatternConstructor::resetForReparsing): |
| (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin): |
| (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin): |
| (JSC::Yarr::YarrPatternConstructor::copyDisjunction): |
| (JSC::Yarr::anycharCreate): |
| * yarr/YarrPattern.h: |
| (JSC::Yarr::PatternDisjunction::addNewAlternative): |
| * yarr/create_regex_tables: |
| * yarr/generateYarrUnicodePropertyTables.py: |
| |
| 2019-08-18 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Correct a->an in error messages and API docblocks |
| https://bugs.webkit.org/show_bug.cgi?id=200833 |
| |
| Reviewed by Don Olmstead. |
| |
| * API/JSObjectRef.h: |
| * builtins/PromiseConstructor.js: |
| (race): |
| (reject): |
| (resolve): |
| * builtins/PromisePrototype.js: |
| (finally): |
| * jsc.cpp: |
| (functionAsyncTestStart): |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseIfStatement): |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseResizableLimits): |
| |
| 2019-08-17 Darin Adler <darin@apple.com> |
| |
| Tidy up checks to see if a character is in the Latin-1 range by using isLatin1 consistently |
| https://bugs.webkit.org/show_bug.cgi?id=200861 |
| |
| Reviewed by Ross Kirsling. |
| |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::record8): Use isLatin1. |
| (JSC::assertCharIsIn8BitRange): Deleted. Can just assert isLatin1 directly. |
| (JSC::Lexer<T>::append8): Assert isLatin1 directly. |
| (JSC::characterRequiresParseStringSlowCase): Use isLatin1. |
| * parser/Lexer.h: |
| (JSC::Lexer<UChar>::isWhiteSpace): Ditto. |
| * runtime/LiteralParser.cpp: |
| (JSC::LiteralParser<CharType>::Lexer::lex): Ditto. |
| (JSC::isSafeStringCharacter): Ditto. |
| * runtime/Identifier.cpp: |
| (JSC::Identifier::add8): Ditto. |
| * runtime/LiteralParser.cpp: |
| (JSC::isSafeStringCharacter): Ditto. |
| * runtime/StringPrototype.cpp: |
| (JSC::stringProtoFuncRepeatCharacter): Ditto. |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce): Ditto. |
| (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy): Ditto. |
| (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy): Ditto. |
| |
| 2019-08-17 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [ESNext] Implement optional chaining |
| https://bugs.webkit.org/show_bug.cgi?id=200199 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Implement the optional chaining proposal, which has now reached Stage 3 at TC39. |
| |
| This introduces a ?. operator which: |
| - guards member access when the LHS is nullish, i.e. `null?.foo` and `null?.['foo']` are undefined |
| - guards function calls when the LHS is nullish, i.e. `null?.()` is undefined |
| - short-circuits over a whole access/call chain, i.e. `null?.a['b'](c++)` is undefined and does not increment c |
| |
| This feature can be naively viewed as a ternary in disguise, i.e. `a?.b` is like `a == null ? undefined : a.b`. |
| However, since we must be sure not to double-evaluate the LHS, it's actually rather akin to a try block -- |
| namely, we have the bytecode generator keep an early-out label for use throughout the access and call chain. |
| |
| (Also note that document.all behaves as an object, so "nullish" means *strictly* equal to null or undefined.) |
| |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::pushOptionalChainTarget): Added. |
| (JSC::BytecodeGenerator::popOptionalChainTarget): Added. |
| (JSC::BytecodeGenerator::emitOptionalCheck): Added. |
| * bytecompiler/BytecodeGenerator.h: |
| Implement early-out logic. |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::BracketAccessorNode::emitBytecode): |
| (JSC::DotAccessorNode::emitBytecode): |
| (JSC::EvalFunctionCallNode::emitBytecode): Refactor so we can emitOptionalCheck in a single location. |
| (JSC::FunctionCallValueNode::emitBytecode): |
| (JSC::FunctionCallResolveNode::emitBytecode): Refactor so we can emitOptionalCheck in a single location. |
| (JSC::FunctionCallBracketNode::emitBytecode): |
| (JSC::FunctionCallDotNode::emitBytecode): |
| (JSC::CallFunctionCallDotNode::emitBytecode): |
| (JSC::ApplyFunctionCallDotNode::emitBytecode): |
| (JSC::DeleteBracketNode::emitBytecode): |
| (JSC::DeleteDotNode::emitBytecode): |
| (JSC::CoalesceNode::emitBytecode): Clean up. |
| (JSC::OptionalChainNode::emitBytecode): Added. |
| Implement ?. node and emit checks where needed. |
| |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| Have OpIsUndefinedOrNull support constant registers. |
| |
| * parser/ASTBuilder.h: |
| (JSC::ASTBuilder::createOptionalChain): Added. |
| (JSC::ASTBuilder::makeDeleteNode): |
| (JSC::ASTBuilder::makeFunctionCallNode): |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::lexWithoutClearingLineTerminator): |
| * parser/NodeConstructors.h: |
| (JSC::OptionalChainNode::OptionalChainNode): Added. |
| * parser/Nodes.h: |
| (JSC::ExpressionNode::isOptionalChain const): Added. |
| (JSC::ExpressionNode::isOptionalChainBase const): Added. |
| (JSC::ExpressionNode::setIsOptionalChainBase): Added. |
| * parser/ParserTokens.h: |
| * parser/SyntaxChecker.h: |
| (JSC::SyntaxChecker::makeFunctionCallNode): |
| (JSC::SyntaxChecker::createOptionalChain): Added. |
| Introduce new token and AST node, as well as an ExpressionNode field to mark LHSes with. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseMemberExpression): |
| Parse optional chains by wrapping the access/call parse loop. |
| |
| * runtime/ExceptionHelpers.cpp: |
| (JSC::functionCallBase): |
| Ensure that TypeError messages don't include the '?.'. |
| |
| * runtime/Options.h: |
| Update feature flag, as ?. and ?? are a double feature of "nullish-aware" operators. |
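The semantics listed in this entry, as an added example that is not part of the ChangeLog or of JavaScriptCore's sources. It assumes an engine with `?.` support (Node 14 or later). Each function isolates one claim: nullish-guarded member access and calls, short-circuiting of the whole chain without evaluating `c++`, and the reason `a?.b` cannot simply be rewritten as `a == null ? undefined : a.b` (the naive rewrite evaluates the LHS twice, which a getter with a side effect makes observable). The `document.all` case is not shown because it needs a browser host object. `makeCounter` and the other names are helpers written for this example.

```javascript
// Added example (not JavaScriptCore code): observable semantics of `?.`.

// Counts its own invocations so we can see whether an argument expression
// inside a short-circuited chain was evaluated at all.
function makeCounter() {
  let n = 0;
  return { bump: () => ++n, value: () => n };
}

// 1. Member access guarded on a nullish LHS: `null?.foo` and `null?.['foo']`.
function guardedAccess(base) {
  return [base?.foo, base?.['foo']];
}

// 2. Call guarded on a nullish LHS: `null?.()`.
function guardedCall(fn) {
  return fn?.();
}

// 3. The whole chain short-circuits: `null?.a['b'](c++)` is undefined and
//    the argument expression (here counter.bump()) is never evaluated.
function shortCircuit(base, counter) {
  return base?.a['b'](counter.bump());
}

// 4. Why `a?.b` is not just a ternary in disguise: the rewrite
//    `a == null ? undefined : a.b` evaluates `a` twice, `a?.b` once.
function lhsEvaluationCount() {
  let evaluations = 0;
  const holder = { get a() { evaluations++; return { b: 42 }; } };
  const viaOptional = holder.a?.b;
  const optionalCount = evaluations;
  evaluations = 0;
  const viaTernary = holder.a == null ? undefined : holder.a.b;
  const ternaryCount = evaluations;
  return { viaOptional, optionalCount, viaTernary, ternaryCount };
}

// 5. "Nullish" is strict: falsy values that are not null/undefined are not
//    guarded, so 0, '' and false still get their members read.
function nonNullishFalsy() {
  return [(0)?.toString(), ''?.length, false?.valueOf()];
}
```

Running `shortCircuit(null, counter)` leaves the counter at zero, while the same call with a real object both invokes `b` and bumps the counter once; `lhsEvaluationCount()` reports one getter evaluation for the optional chain and two for the ternary.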
| |
| 2019-08-17 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [ESNext] Support hashbang. |
| https://bugs.webkit.org/show_bug.cgi?id=200865 |
| |
| Reviewed by Mark Lam. |
| |
| Hashbang (a.k.a. shebang) support is at Stage 3 in TC39: |
| https://github.com/tc39/proposal-hashbang |
| |
| This allows `#!` to be treated like `//`, but only at the very start of the source text. |
| |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::Lexer): |
| (JSC::Lexer<T>::lexWithoutClearingLineTerminator): |
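The lexer rule this entry describes, as an added example that is not JavaScriptCore's lexer: a stand-alone scanner step that recognises `#!` only when it is the first two code units of the source text and then skips to the first LineTerminator, exactly as `//` would. Anywhere else `#!` is left for the normal tokenizer. The function names are this example's own, and it assumes any byte-order mark has already been removed before scanning.

```javascript
// Added example (not JavaScriptCore code): hashbang handling per
// https://github.com/tc39/proposal-hashbang.

// The four ECMAScript LineTerminator code points.
const LINE_TERMINATORS = new Set(['\n', '\r', '\u2028', '\u2029']);

// Returns { hashbang, offset }: the comment text after `#!` (or null when
// there is no hashbang) and the index at which ordinary lexing should begin.
function skipHashbang(source) {
  // Only at the very start of the source: no leading whitespace or comment.
  if (!source.startsWith('#!')) return { hashbang: null, offset: 0 };
  let i = 2;
  while (i < source.length && !LINE_TERMINATORS.has(source[i])) i++;
  // The line terminator itself is not consumed, so line numbers reported by
  // later diagnostics stay correct.
  return { hashbang: source.slice(2, i), offset: i };
}

// Source text with the hashbang removed, for feeding to an engine that
// predates the proposal.
function withoutHashbang(source) {
  const { offset } = skipHashbang(source);
  return source.slice(offset);
}
```

A leading space defeats the rule (`' #!x'` yields no hashbang), and a script whose only content is the hashbang line produces an offset equal to its length.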
| |
| 2019-08-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] DFG ToNumber should support Boolean in fixup |
| https://bugs.webkit.org/show_bug.cgi?id=200864 |
| |
| Reviewed by Mark Lam. |
| |
| ToNumber should speculate on Boolean, or BooleanOrInt32 in fixup phase to optimize it. |
| |
| ToT Patched |
| |
| to-number-boolean 897.6430+-26.8843 ^ 87.4802+-5.2831 ^ definitely 10.2611x faster |
| |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupToNumber): |
| |
| 2019-08-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] WebAssembly BBQ should switch compile mode for size of modules |
| https://bugs.webkit.org/show_bug.cgi?id=200807 |
| |
| Reviewed by Mark Lam. |
| |
| Some webpages use very large Wasm modules, and they exhaust all executable memory on ARM64 devices since the size of the executable memory region is 128MB. |
| The long term solution should be introducing Wasm interpreter. But as a short term solution, we introduce heuristics switching back to BBQ B3 at |
| the sacrifice of start-up time, since BBQ Air bloats such lengthy code, and thereby consumes a large amount of executable memory. |
| |
| Currently, I picked 10MB since the reported website is using an 11MB wasm module. |
| |
| * runtime/Options.h: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::parseAndCompileAir): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::parseAndCompile): |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::compileFunctions): |
| * wasm/WasmModuleInformation.h: |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseCode): |
| * wasm/WasmStreamingParser.cpp: |
| (JSC::Wasm::StreamingParser::parseCodeSectionSize): |
| |
| 2019-08-16 Mark Lam <mark.lam@apple.com> |
| |
| More missing exception checks in string comparison operators. |
| https://bugs.webkit.org/show_bug.cgi?id=200844 |
| <rdar://problem/54378684> |
| |
| Reviewed by Saam Barati. |
| |
| * runtime/Operations.h: |
| (JSC::jsLess): |
| (JSC::jsLessEq): |
| |
| 2019-08-16 Mark Lam <mark.lam@apple.com> |
| |
| CodeBlock destructor should clear all of its watchpoints. |
| https://bugs.webkit.org/show_bug.cgi?id=200792 |
| <rdar://problem/53947800> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We need to clear the watchpoints explicitly (just like we do in CodeBlock::jettison()) |
| because the JITCode may outlive the CodeBlock for a while. For example, the JITCode |
| is ref'd in Interpreter::execute(JSC::CallFrameClosure&) like so: |
| |
| JSValue result = closure.functionExecutable->generatedJITCodeForCall()->execute(&vm, closure.protoCallFrame); |
| |
| The call to generatedJITCodeForCall() returns a Ref<JITCode> with the underlying |
| JITCode ref'd. Hence, while the interpreter frame is still on the stack, the |
| executing JITCode instance will have a non-zero refCount, and be kept alive even |
| though its CodeBlock may have already been destructed. |
| |
| Note: the Interpreter execute() methods aren't the only ones who would ref the JITCode: |
| ExecutableBase also holds a RefPtr<JITCode> m_jitCodeForCall and RefPtr<JITCode> |
| m_jitCodeForConstruct. But a CodeBlock will be uninstalled before it gets destructed. |
| Hence, the uninstallation will deref the JITCode before we get to the CodeBlock |
| destructor. That said, we should be aware that a JITCode's refCount is not always |
| 1 after the JIT installs it into the CodeBlock, and it should not be assumed to be so. |
| |
| For this patch, I also audited all Watchpoint subclasses to ensure that we are |
| clearing all the relevant watchpoints in the CodeBlock destructor. Here is the |
| list of audited Watchpoints: |
| |
| CodeBlockJettisoningWatchpoint |
| AdaptiveStructureWatchpoint |
| AdaptiveInferredPropertyValueWatchpoint |
| - these are held in the DFG::CommonData, and are tied to JITCode's life cycle. |
| - they need to be cleared eagerly in CodeBlock's destructor. |
| |
| LLIntPrototypeLoadAdaptiveStructureWatchpoint |
| - stored in m_llintGetByIdWatchpointMap in the CodeBlock. |
| - this will be automatically cleared on CodeBlock destruction. |
| |
| The following do not reference CodeBlock: |
| |
| FunctionRareData::AllocationProfileClearingWatchpoint |
| - stored in FunctionRareData and will be cleared automatically on |
| FunctionRareData destruction. |
| - only references the owner FunctionRareData. |
| |
| ObjectToStringAdaptiveStructureWatchpoint |
| ObjectToStringAdaptiveInferredPropertyValueWatchpoint |
| - stored in StructureRareData and will be cleared automatically on |
| StructureRareData destruction. |
| |
| ObjectPropertyChangeAdaptiveWatchpoint |
| - stored in JSGlobalObject, and will be cleared automatically on |
| JSGlobalObject destruction. |
| - only references the owner JSGlobalObject. |
| |
| StructureStubClearingWatchpoint |
| - stored in WatchpointsOnStructureStubInfo and will be cleared automatically |
| on WatchpointsOnStructureStubInfo destruction. |
| |
| PropertyWatchpoint |
| StructureWatchpoint |
| - embedded in AdaptiveInferredPropertyValueWatchpointBase, which is extended |
| as AdaptiveInferredPropertyValueWatchpoint, ObjectPropertyChangeAdaptiveWatchpoint, |
| and ObjectToStringAdaptiveInferredPropertyValueWatchpoint. |
| - life cycle is handled by those 3 subclasses. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::~CodeBlock): |
| |
| 2019-08-16 Justin Michaud <justin_michaud@apple.com> |
| |
| Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value |
| https://bugs.webkit.org/show_bug.cgi?id=200782 |
| |
| Reviewed by Saam Barati. |
| |
| Speculate that putByVals on typed arrays are in bounds initially, and add an extra rule to integer range optimization to |
| remove CheckInBounds when we are looping over two arrays. We do this by fixing a bug in the llint slow paths that marked |
| typed array accesses as out of bounds, and we also add an extra step to integer range optimization to search for equality |
| relationships on the RHS value. |
| |
| Microbenchmarks give a 40% improvement on the memcpy loop test, and neutral on the out-of-bounds typed array test. |
| |
| * dfg/DFGIntegerRangeOptimizationPhase.cpp: |
| * dfg/DFGOperations.cpp: |
| (JSC::DFG::putByVal): |
| * jit/JITOperations.cpp: |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * runtime/JSGenericTypedArrayView.h: |
| * runtime/JSObject.h: |
| (JSC::JSObject::putByIndexInline): |
| (JSC::JSObject::canGetIndexQuickly const): |
| (JSC::JSObject::getIndexQuickly const): |
| (JSC::JSObject::tryGetIndexQuickly const): |
| (JSC::JSObject::canSetIndexQuickly): |
| (JSC::JSObject::setIndexQuickly): |
| * runtime/JSObjectInlines.h: |
| (JSC::JSObject::canGetIndexQuicklyForTypedArray const): |
| (JSC::JSObject::canSetIndexQuicklyForTypedArray const): |
| (JSC::JSObject::getIndexQuicklyForTypedArray const): |
| (JSC::JSObject::setIndexQuicklyForTypedArray): |
| |
| 2019-08-16 Mark Lam <mark.lam@apple.com> |
| |
| [Re-land] ProxyObject should not be allowed to access its target's private properties. |
| https://bugs.webkit.org/show_bug.cgi?id=200739 |
| <rdar://problem/53972768> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Re-landing this after r200829 which resolves the test262 failure uncovered by this patch. |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::performProxyGet): |
| (JSC::ProxyObject::performInternalMethodGetOwnProperty): |
| (JSC::ProxyObject::performHasProperty): |
| (JSC::ProxyObject::performPut): |
| (JSC::ProxyObject::performDelete): |
| (JSC::ProxyObject::performDefineOwnProperty): |
| |
| 2019-08-16 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Promise.prototype.finally should accept non-promise objects |
| https://bugs.webkit.org/show_bug.cgi?id=200829 |
| |
| Reviewed by Mark Lam. |
| |
| According to the Promise.prototype.finally spec step 2[1], we should check @isObject instead of @isPromise, |
| since Promise.prototype.finally should accept thenable objects that are defined by user libraries (like, bluebird for example). |
| This patch changes this check to the specified one. |
| |
| [1]: https://tc39.es/proposal-promise-finally/ |
| |
| * builtins/PromisePrototype.js: |
| (finally): |
| |
| 2019-08-16 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Promise constructor should check argument before [[Construct]] |
| https://bugs.webkit.org/show_bug.cgi?id=198976 |
| |
| Reviewed by Ross Kirsling. |
| |
| Check if argument is a function before invoking `createSubclassStructure`. |
| (step 2 of https://tc39.es/ecma262/#sec-promise-executor) |
| |
| * builtins/PromiseOperations.js: |
| (globalPrivate.initializePromise): Remove typeof check. |
| * runtime/JSPromiseConstructor.cpp: |
| (JSC::constructPromise): Add isFunction check. |
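The ordering this entry enforces, as an added example that is not part of the ChangeLog or of JavaScriptCore's sources. Step 2 of https://tc39.es/ecma262/#sec-promise-executor requires the TypeError for a non-callable executor to be thrown before OrdinaryCreateFromConstructor reads `newTarget.prototype` (the read that createSubclassStructure performs). A Proxy around a constructor makes that read observable, so a conforming engine must show an empty log for the failing case. The `constructPromiseWithTracking` helper and its Proxy newTarget are constructed for this example.

```javascript
// Added example (not JavaScriptCore code): observing whether `new Promise(x)`
// validates `x` before or after it touches newTarget.prototype.

function constructPromiseWithTracking(executor) {
  const log = [];
  // A constructor whose `prototype` lookup is observable. A Proxy is used
  // because a plain function's `prototype` property is non-configurable and
  // cannot be turned into a getter.
  const newTarget = new Proxy(function TrackedTarget() {}, {
    get(target, key, receiver) {
      if (key === 'prototype') log.push('prototype read');
      return Reflect.get(target, key, receiver);
    },
  });
  let outcome;
  try {
    // Reflect.construct lets us pass an explicit newTarget, the same path a
    // subclass constructor takes through `super(executor)`.
    Reflect.construct(Promise, [executor], newTarget);
    outcome = 'constructed';
  } catch (e) {
    outcome = e instanceof TypeError ? 'TypeError' : 'other';
  }
  return { outcome, log };
}
```

With a non-callable executor the result is `{ outcome: 'TypeError', log: [] }`; with a real executor the promise is created and the log records the prototype read, showing that argument validation happens first.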
| |
| 2019-08-16 Ryan Haddad <ryanhaddad@apple.com> |
| |
| Unreviewed, rolling out r248709. |
| |
| Caused test/built-ins/Promise/prototype/finally/this-value- |
| non-promise.js to fail on test262 bot |
| |
| Reverted changeset: |
| |
| "ProxyObject should not be allowed to access its target's |
| private properties." |
| https://bugs.webkit.org/show_bug.cgi?id=200739 |
| https://trac.webkit.org/changeset/248709 |
| |
| 2019-08-15 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [WTF] Add makeUnique<T>, which ensures T is fast-allocated, WTF_MAKE_FAST_ALLOCATED annotation part |
| https://bugs.webkit.org/show_bug.cgi?id=200620 |
| |
| Reviewed by Geoffrey Garen. |
| |
| Three patches including this one were originally one patch. I split it into three pieces to make roll-out easy. |
| In this part, we annotate classes / structs with WTF_MAKE_FAST_ALLOCATED and WTF_MAKE_STRUCT_FAST_ALLOCATED if |
| they are allocated from std::make_unique. The second patch will switch `std::make_unique` to `WTF::makeUnique` and |
| the third patch will insert a static_assert that makeUnique-allocated class T is FastMalloc-ed. |
| One insight from this patch is that we tend to forget adding WTF_MAKE_STRUCT_FAST_ALLOCATED if it is just a data struct. |
| |
| * debugger/Debugger.h: |
| * inspector/scripts/codegen/objc_generator_templates.py: |
| * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/generic/expected/domain-availability.json-result: |
| * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result: |
| * inspector/scripts/tests/generic/expected/enum-values.json-result: |
| * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: |
| * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result: |
| * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result: |
| * inspector/scripts/tests/generic/expected/should-strip-comments.json-result: |
| * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result: |
| * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result: |
| * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result: |
| * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result: |
| * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result: |
| * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/version.json-result: |
| * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: |
| |
| 2019-08-15 Brent Fulgham <bfulgham@apple.com> |
| |
| [FTW] Enable CoreFoundation use if building for Apple target |
| https://bugs.webkit.org/show_bug.cgi?id=200799 |
| |
| Reviewed by Alex Christensen. |
| |
| * PlatformFTW.cmake: Add missing files. |
| |
| 2019-08-15 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| DateConversion::formatDateTime incorrectly formats negative years |
| https://bugs.webkit.org/show_bug.cgi?id=199964 |
| |
| Reviewed by Ross Kirsling. |
| |
| Currently, the year is always padded to a max length of 4, including the minus sign "-". |
| With this change, only the absolute value of the year is padded to a max length of 4 and |
| preceded by the minus sign "-" if the year is negative. |
| (steps 6-10 of https://tc39.es/ecma262/#sec-datestring) |
| |
| * runtime/DateConversion.cpp: |
| (JSC::appendNumber): |
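The padding rule described above, worked through as an added C++ illustration (not the page's `appendNumber` or any JSC code): `formatYearSpec` follows steps 6-10 of DateString (sign first, then the absolute value zero-padded to four digits), while `formatYearSignCounted` is an assumed reading of the pre-fix behaviour the entry describes, in which the minus sign consumes one of the four padded positions. Both function names and the sample years are constructed for this example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Zero-pad `value` on the left to at least `width` digits
// (the spec's ToZeroPaddedDecimalString).
static std::string zeroPadded(unsigned value, std::size_t width) {
    std::string digits = std::to_string(value);
    if (digits.size() < width)
        digits.insert(0, width - digits.size(), '0');
    return digits;
}

// Year formatting as steps 6-10 of DateString describe it: emit the sign,
// then the absolute value padded to four digits.
static std::string formatYearSpec(int year) {
    // Negate through unsigned arithmetic so INT_MIN cannot overflow.
    unsigned magnitude = year < 0 ? 0u - static_cast<unsigned>(year)
                                  : static_cast<unsigned>(year);
    return (year < 0 ? "-" : "") + zeroPadded(magnitude, 4);
}

// Assumed reading of the pre-fix behaviour the entry describes (not the
// original code): the minus sign counts toward the width of 4, so a
// negative year loses one digit of padding.
static std::string formatYearSignCounted(int year) {
    std::string text = std::to_string(year);
    if (text.size() >= 4)
        return text;
    std::size_t padAt = year < 0 ? 1 : 0;  // keep the sign in front
    text.insert(padAt, 4 - text.size(), '0');
    return text;
}

int main() {
    // Constructed sample years, including negative ones.
    for (int year : {2019, 5, -1, -12, -271821})
        std::cout << year << ": spec=" << formatYearSpec(year)
                  << " sign-counted=" << formatYearSignCounted(year) << '\n';
    return 0;
}
```

Year -1 is the clearest case: the spec form yields "-0001" (four digits after the sign), whereas counting the sign toward the width yields "-001".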
| |
| 2019-08-15 Mark Lam <mark.lam@apple.com> |
| |
| More missing exception checks in String.prototype. |
| https://bugs.webkit.org/show_bug.cgi?id=200762 |
| <rdar://problem/54333896> |
| |
| Reviewed by Michael Saboff. |
| |
| * runtime/StringPrototype.cpp: |
| (JSC::replaceUsingRegExpSearch): |
| (JSC::operationStringProtoFuncReplaceRegExpString): |
| (JSC::stringProtoFuncLastIndexOf): |
| (JSC::stringProtoFuncToLowerCase): |
| (JSC::stringProtoFuncToUpperCase): |
| |
| 2019-08-15 Joseph Pecoraro <pecoraro@apple.com> |
| |
| for-await-of has bad error message if used in non-async function |
| https://bugs.webkit.org/show_bug.cgi?id=200758 |
| |
| Reviewed by Ross Kirsling. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseForStatement): |
| Improve error message. |
| |
| 2019-08-14 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Air does not appropriately propagate ConstFloatValue to stackmap |
| https://bugs.webkit.org/show_bug.cgi?id=200759 |
| |
| Reviewed by Saam Barati. |
| |
| In B3MoveConstant phase, we convert ConstFloatValue and ConstDoubleValue to memory access to the table |
| to avoid large immediates *except for* stackmap argument case. This is because materializing constant doubles |
| and floats as memory-access before passing it to stackmap is wasteful: the stackmap may not use it actually, or |
| the stackmap can do a better job if it knows the parameter is constant. |
| |
| Based on the above operation, B3LowerToAir phase strongly assumes that all ConstFloatValue and ConstDoubleValue |
| are removed except for the case used for a parameter of a stackmap. With r192377, B3LowerToAir catches this case and |
| propagates the constant double value as a ValueRep in the stackmap. While B3LowerToAir does this correctly for ConstDoubleValue, |
| we missed adding this support for ConstFloatValue. |
| |
| This patch adds r192377's support for ConstFloatValue to propagate ConstFloatValue correctly to the stackmap. |
| This issue started appearing once Wasm BBQ-B3 OSR started putting ConstFloatValue into the OSR-tier-up patchpoint. |
| |
| * b3/B3LowerToAir.cpp: |
| * b3/B3ValueKey.h: |
| (JSC::B3::ValueKey::ValueKey): |
| (JSC::B3::ValueKey::floatValue const): |
| * b3/B3ValueRep.h: |
| (JSC::B3::ValueRep::constantFloat): |
| (JSC::B3::ValueRep::floatValue const): |
| * b3/testb3.h: |
| * b3/testb3_1.cpp: |
| (run): |
| * b3/testb3_5.cpp: |
| (testPatchpointManyWarmAnyImms): |
| (testPatchpointManyColdAnyImms): |
| (testPatchpointManyImms): Deleted. |
| |
| 2019-08-14 Keith Rollin <krollin@apple.com> |
| |
| Remove support for macOS < 10.13 |
| https://bugs.webkit.org/show_bug.cgi?id=200694 |
| <rdar://problem/54278851> |
| |
| Reviewed by Youenn Fablet. |
| |
| Update conditionals that reference __MAC_OS_X_VERSION_MIN_REQUIRED and |
| __MAC_OS_X_VERSION_MAX_ALLOWED, assuming that they both have values >= |
| 101300. This means that expressions like |
| "__MAC_OS_X_VERSION_MIN_REQUIRED < 101300" are always False and |
| "__MAC_OS_X_VERSION_MIN_REQUIRED >= 101300" are always True. |
| |
| * API/WebKitAvailability.h: |
| |
| 2019-08-14 Mark Lam <mark.lam@apple.com> |
| |
| ProxyObject should not be allowed to access its target's private properties. |
| https://bugs.webkit.org/show_bug.cgi?id=200739 |
| <rdar://problem/53972768> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::performProxyGet): |
| (JSC::ProxyObject::performInternalMethodGetOwnProperty): |
| (JSC::ProxyObject::performHasProperty): |
| (JSC::ProxyObject::performPut): |
| (JSC::ProxyObject::performDelete): |
| (JSC::ProxyObject::performDefineOwnProperty): |
| |
| 2019-08-14 Mark Lam <mark.lam@apple.com> |
| |
| Missing exception check in string compare. |
| https://bugs.webkit.org/show_bug.cgi?id=200743 |
| <rdar://problem/53975356> |
| |
| Reviewed by Michael Saboff. |
| |
| * runtime/JSString.cpp: |
| (JSC::JSString::equalSlowCase const): |
| |
| 2019-08-14 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, build fix for MacroAssemblerARM64E change |
| https://bugs.webkit.org/show_bug.cgi?id=200703 |
| |
| * assembler/MacroAssemblerARM64E.h: |
| (JSC::MacroAssemblerARM64E::farJump): |
| |
| 2019-08-14 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Less contended MetaAllocator |
| https://bugs.webkit.org/show_bug.cgi?id=200278 |
| |
| Reviewed by Mark Lam. |
| |
| The profiler result of JetStream2/bomb-workers shows that we are having contention under MetaAllocator::currentStatistics. |
| This function is called in ExecutableAllocator::memoryPressureMultiplier, and it is called from ExecutableCounter's threshold |
| calculation. But MetaAllocator::currentStatistics takes a global lock inside MetaAllocator and causes contention. However, |
| we do not need to have a lock actually: clients of MetaAllocator::currentStatistics typically use bytesReserved and bytesAllocated |
| information. However, since our executable allocator is fixed-sized, bytesReserved is always the fixed size. So just reading bytesAllocated |
| racily is enough. |
| |
| This patch attempts to reduce the contention by the following two things. |
| |
| 1. Read bytesAllocated racily instead of calling MetaAllocator::currentStatistics. Then ExecutableCounter does not need to take a lock. |
| 2. Page lifetime management APIs of MetaAllocator should take a second `count` parameter to batch the system calls. |
| |
| * jit/ExecutableAllocator.cpp: |
| (JSC::ExecutableAllocator::underMemoryPressure): |
| (JSC::ExecutableAllocator::memoryPressureMultiplier): |
| (JSC::ExecutableAllocator::allocate): |
| (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Deleted. |
| (JSC::FixedVMPoolExecutableAllocator::memoryStart): Deleted. |
| (JSC::FixedVMPoolExecutableAllocator::memoryEnd): Deleted. |
| (JSC::FixedVMPoolExecutableAllocator::isJITPC): Deleted. |
| (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps): Deleted. |
| (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator): Deleted. |
| (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion): Deleted. |
| |
| 2019-08-14 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make PAC jump and return more explicit |
| https://bugs.webkit.org/show_bug.cgi?id=200703 |
| |
| Reviewed by Mark Lam. |
| |
| This patch refactors our macro assembler, mainly related to PAC. |
| |
| 1. Make far-jump explicit by renaming `jump` to `farJump`. |
| 2. Remove unused makeTailRecursiveCall and tailRecursiveCall. |
| 3. Do not make `ARM64EAssembler::ret` as `retab`. MacroAssemblerARM64E should call `retab` explicitly instead. |
| |
| * assembler/ARM64EAssembler.h: |
| (JSC::ARM64EAssembler::ret): Deleted. |
| * assembler/MacroAssembler.h: |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::farJump): |
| (JSC::MacroAssemblerARM64::makeTailRecursiveCall): Deleted. |
| (JSC::MacroAssemblerARM64::tailRecursiveCall): Deleted. |
| * assembler/MacroAssemblerARM64E.h: |
| (JSC::MacroAssemblerARM64E::farJump): |
| (JSC::MacroAssemblerARM64E::ret): |
| * assembler/MacroAssemblerARMv7.h: |
| (JSC::MacroAssemblerARMv7::farJump): |
| (JSC::MacroAssemblerARMv7::relativeTableJump): |
| (JSC::MacroAssemblerARMv7::tailRecursiveCall): Deleted. |
| (JSC::MacroAssemblerARMv7::makeTailRecursiveCall): Deleted. |
| * assembler/MacroAssemblerMIPS.h: |
| (JSC::MacroAssemblerMIPS::farJump): |
| (JSC::MacroAssemblerMIPS::tailRecursiveCall): Deleted. |
| (JSC::MacroAssemblerMIPS::makeTailRecursiveCall): Deleted. |
| * assembler/MacroAssemblerX86.h: |
| (JSC::MacroAssemblerX86::farJump): |
| (JSC::MacroAssemblerX86::jump): Deleted. |
| (JSC::MacroAssemblerX86::tailRecursiveCall): Deleted. |
| (JSC::MacroAssemblerX86::makeTailRecursiveCall): Deleted. |
| * assembler/MacroAssemblerX86Common.h: |
| (JSC::MacroAssemblerX86Common::farJump): |
| * assembler/MacroAssemblerX86_64.h: |
| (JSC::MacroAssemblerX86_64::farJump): |
| (JSC::MacroAssemblerX86_64::jump): Deleted. |
| (JSC::MacroAssemblerX86_64::tailRecursiveCall): Deleted. |
| (JSC::MacroAssemblerX86_64::makeTailRecursiveCall): Deleted. |
| * b3/B3LowerMacros.cpp: |
| * b3/testb3_6.cpp: |
| (testInterpreter): |
| * dfg/DFGOSRExitCompilerCommon.cpp: |
| (JSC::DFG::adjustAndJumpToTarget): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): |
| (JSC::DFG::SpeculativeJIT::emitSwitchImm): |
| (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGThunks.cpp: |
| (JSC::DFG::osrExitGenerationThunkGenerator): |
| (JSC::DFG::osrEntryThunkGenerator): |
| * jit/CCallHelpers.h: |
| (JSC::CCallHelpers::jumpToExceptionHandler): |
| * jit/JIT.cpp: |
| (JSC::JIT::emitEnterOptimizationCheck): |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_switch_imm): |
| (JSC::JIT::emit_op_switch_char): |
| (JSC::JIT::emit_op_switch_string): |
| (JSC::JIT::emitSlow_op_loop_hint): |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_catch): |
| (JSC::JIT::emit_op_switch_imm): |
| (JSC::JIT::emit_op_switch_char): |
| (JSC::JIT::emit_op_switch_string): |
| * jit/ThunkGenerators.cpp: |
| (JSC::slowPathFor): |
| (JSC::virtualThunkFor): |
| * llint/LLIntThunks.cpp: |
| (JSC::LLInt::generateThunkWithJumpTo): |
| * wasm/WasmBinding.cpp: |
| (JSC::Wasm::wasmToWasm): |
| * wasm/WasmThunks.cpp: |
| (JSC::Wasm::throwExceptionFromWasmThunkGenerator): |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::emitThrowWasmToJSException): |
| * yarr/YarrJIT.cpp: |
| (JSC::Yarr::YarrGenerator::loadFromFrameAndJump): |
| |
| 2019-08-14 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Web Inspector: Remove bad semicolon in generation of ObjC methods |
| https://bugs.webkit.org/show_bug.cgi?id=200655 |
| |
| Reviewed by Devin Rousso. |
| |
| * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py: |
| (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations): |
| Do not include a semicolon in the method implementation. |
| |
| * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/generic/expected/enum-values.json-result: |
| * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: |
| * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: |
| Updated results. |
| |
| 2019-08-13 Saam Barati <sbarati@apple.com> |
| |
| Add a way to opt out of kern TCSM for layout tests |
| https://bugs.webkit.org/show_bug.cgi?id=200649 |
| <rdar://problem/51304923> |
| |
| Reviewed by Alexey Proskuryakov. |
| |
| * assembler/CPU.cpp: |
| (JSC::isKernTCSMAvailable): |
| * runtime/Options.h: |
| |
| 2019-08-13 Sam Weinig <weinig@apple.com> |
| |
| Rename StringBuilder::append(UChar32) to StringBuilder::appendCharacter(UChar32) to avoid accidental change in behavior when replacing append with flexibleAppend |
| https://bugs.webkit.org/show_bug.cgi?id=200675 |
| |
| Reviewed by Darin Adler. |
| |
| * yarr/YarrParser.h: |
| (JSC::Yarr::Parser::tryConsumeGroupName): |
| (JSC::Yarr::Parser::tryConsumeUnicodePropertyExpression): |
| Update for rename from StringBuilder::append(UChar32) to StringBuilder::appendCharacter(UChar32). |
| |
| 2019-08-13 Mark Lam <mark.lam@apple.com> |
| |
| Add phase, block, and node numbers to left margin of DFG graph dumps. |
| https://bugs.webkit.org/show_bug.cgi?id=200693 |
| |
| Reviewed by Saam Barati. |
| |
| When scrolling through the DFG graph dumps, it's easy to get lost as to which phase |
| or block one is looking at, especially if the blocks are long. This patch adds |
| node index, block number, and phase number on the left margin of the dumps. |
| Here's a sample: |
| |
| 53: %Bd:Function = 0x1079fd960:[Function, {}, NonArray, Proto:0x1079d8000, Leaf] |
| 53: %Bf:Function = 0x1079b0700:[Function, {name:100, prototype:101, length:102, stackTraceLimit:103}, NonArray, Proto:0x1079d8000, Leaf] |
| 53: %Bj:Function = 0x1079fd5e0:[Function, {name:100, length:101, toString:102, apply:103, call:104, bind:105, Symbol.hasInstance:106, caller:107, arguments:108, constructor:109}, NonArray, Proto:0x1079c0000, Leaf] |
| 53: %CV:JSGlobalLexicalEnvironment = 0x1079fd6c0:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf] |
| |
| 53: Phase liveness analysis changed the IR. |
| |
| 54: Beginning DFG phase OSR availability analysis. |
| 54: Before OSR availability analysis: |
| |
| 54: DFG for foo#DXMNag:[0x1079a4850->0x1079a4130->0x1079c7600, DFGFunctionCall, 204 (NeverInline)]: |
| 54: Fixpoint state: FixpointConverged; Form: SSA; Unification state: GloballyUnified; Ref count state: ExactRefCount |
| 54: Argument formats for entrypoint index: 0 : FlushedJSValue, FlushedCell, FlushedJSValue |
| |
| 0 54: Block #0 (bc#0): (OSR target) |
| 0 54: Execution count: 1.000000 |
| 0 54: Predecessors: |
| 0 54: Successors: |
| 0 54: Dominated by: #0 |
| 0 54: Dominates: #0 |
| 0 54: Dominance Frontier: |
| 0 54: Iterated Dominance Frontier: |
| 0 54: Backwards dominates by: #root #0 |
| 0 54: Backwards dominates: #0 |
| 0 54: Control equivalent to: #0 |
| 0 54: States: StructuresAreWatched |
| 0 54: Live: |
| 0 54: Values |
| 0 0 54: 53:< 1:-> JSConstant(JS|UseAsOther, Other, Null, bc#0, ExitValid) |
| 1 0 54: 64:< 2:-> JSConstant(JS|UseAsOther, NonBoolInt32, Int32: 10, bc#0, ExitValid) |
| 2 0 54: 3:< 5:-> JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid) |
| 3 0 54: 32:< 1:-> JSConstant(JS|UseAsOther, Bool, False, bc#0, ExitValid) |
| 4 0 54: 19:< 2:-> JSConstant(JS|UseAsOther, OtherObj, Weak:Object: 0x1079d4000 with butterfly 0x0 (Structure %CV:JSGlobalLexicalEnvironment), StructureID: 31423, bc#0, ExitValid) |
| |
| The numbers in the left margin before the ':' are node index (i.e. the index of the |
| node in the block, not to be confused with node->index() which is the node ID), block |
| number, and phase number respectively. Now, we can scroll through the dumps quickly |
| and tell at a glance when we've scrolled past the end of a phase, or block. |
| These sets of numbers can also serve as a positional marker that we can search for |
| to return to a node in the dump after scrolling away. |
| |
| Currently, these numbers are only added to the DFG part. The FTL (from lowering |
| to B3 onwards) does not have this feature yet. |
| |
| * dfg/DFGDesiredWatchpoints.cpp: |
| (JSC::DFG::DesiredWatchpoints::dumpInContext const): |
| * dfg/DFGDesiredWatchpoints.h: |
| * dfg/DFGGraph.cpp: |
| (JSC::DFG::Graph::dumpCodeOrigin): |
| (JSC::DFG::Graph::dump): |
| (JSC::DFG::Graph::dumpBlockHeader): |
| (JSC::DFG::Prefix::dump const): |
| * dfg/DFGGraph.h: |
| (JSC::DFG::Prefix::Prefix): |
| (JSC::DFG::Prefix::clearBlockIndex): |
| (JSC::DFG::Prefix::clearNodeIndex): |
| (JSC::DFG::Prefix::enable): |
| (JSC::DFG::Prefix::disable): |
| (JSC::DFG::Graph::prefix): |
| (JSC::DFG::Graph::nextPhase): |
| * dfg/DFGPhase.cpp: |
| (JSC::DFG::Phase::beginPhase): |
| * dfg/DFGPhase.h: |
| (JSC::DFG::runAndLog): |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::compileInThreadImpl): |
| * dfg/DFGValueRepReductionPhase.cpp: |
| (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble): |
| |
| 2019-08-13 Michael Saboff <msaboff@apple.com> |
| |
| REGRESSION (r248533): JSC Command - Need to initializeMainThread() before processing config file |
| https://bugs.webkit.org/show_bug.cgi?id=200677 |
| |
| Reviewed by Mark Lam. |
| |
| We need to initialize the main thread before calling processConfigFile() since it uses RefCounted objects |
| which have "is main thread" ASSERTS. |
| |
| * jsc.cpp: |
| (jscmain): |
| |
| 2019-08-13 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Styles: show @supports CSS groupings |
| https://bugs.webkit.org/show_bug.cgi?id=200419 |
| <rdar://problem/53971948> |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/CSS.json: |
| Rename `CSSMedia` to `Grouping` and remove the `sourceLine` value, as it was never populated |
| and wasn't used by Web Inspector. |
| |
| * inspector/scripts/codegen/objc_generator_templates.py: |
| * inspector/scripts/codegen/generate_objc_header.py: |
| (ObjCHeaderGenerator.generate_output): |
| Add support for including files at the end of <WebInspector/RWIProtocol.h> for compatibility |
| statements so that changes to the Web Inspector protocol don't break other clients. |
| |
| 2019-08-13 Joseph Pecoraro <pecoraro@apple.com> |
| |
| JSContext Inspector: Basic CommandLineAPI doesn't work |
| https://bugs.webkit.org/show_bug.cgi?id=200659 |
| <rdar://problem/54245476> |
| |
| Reviewed by Brian Burg. |
| |
| * inspector/InjectedScriptSource.js: |
| (BasicCommandLineAPI): |
| Use `method` directly since it already has been set up nicely and doesn't |
| need to be bound. Technically this allows someone to add properties to |
| the CommandLineAPI methods in basic mode (`dir.property = 1`) but that |
| seems harmless. |
| |
| 2019-08-12 Sam Weinig <weinig@apple.com> |
| |
| Replace multiparameter overloads of append() in StringBuilder as a first step toward standardizing on the flexibleAppend() implementation |
| https://bugs.webkit.org/show_bug.cgi?id=200614 |
| |
| Reviewed by Darin Adler. |
| |
| Renames StringBuilder::append(const LChar*, unsigned), StringBuilder::append(const UChar*, unsigned) and |
| StringBuilder::append(const char*, unsigned) to StringBuilder::appendCharacters(...). |
| |
| Renames StringBuilder::append(const String& string, unsigned offset, unsigned length) to |
| StringBuilder::appendSubstring(...). |
| |
| * dfg/DFGStrengthReductionPhase.cpp: |
| (JSC::DFG::StrengthReductionPhase::handleNode): |
| * runtime/ConfigFile.cpp: |
| (JSC::ConfigFile::parse): |
| * runtime/LiteralParser.cpp: |
| (JSC::LiteralParser<CharType>::Lexer::lexStringSlow): |
| * tools/FunctionOverrides.cpp: |
| (JSC::parseClause): |
| Update for renames. |
| |
| 2019-08-12 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [WPE][GTK] Fix building without unified sources |
| https://bugs.webkit.org/show_bug.cgi?id=200641 |
| |
| Reviewed by Žan Doberšek. |
| |
| * b3/B3PatchpointSpecial.cpp: Add missing inclusion of the B3ProcedureInlines.h header. |
| * heap/SlotVisitor.cpp: Add missing inclusion of the BlockDirectoryInlines.h header. |
| |
| 2019-08-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [WTF][JSC] Make JSC and WTF aggressively-fast-malloced |
| https://bugs.webkit.org/show_bug.cgi?id=200611 |
| |
| Reviewed by Saam Barati. |
| |
| This patch aggressively puts many classes into FastMalloc. On the JSC side, we grep `std::make_unique` etc. to find potentially system-malloc-allocated classes. |
| After this patch, all the JSC related allocations in the JetStream2 cli are done from bmalloc. In the future, it would be nice if we added a `WTF::makeUnique<T>` helper |
| function and threw a compile error if `T` is not FastMalloc annotated[1]. |
| |
| Putting WebKit classes in FastMalloc has many benefits. |
| |
| 1. Simply, it is fast. |
| 2. vmmap can tell the amount of memory used for WebKit. |
| 3. bmalloc can isolate WebKit memory allocation from the rest of the world. This is useful since we can know more about what component is corrupting the memory |
| from the memory corruption crash. |
| |
| [1]: https://bugs.webkit.org/show_bug.cgi?id=200620 |
| |
| * API/ObjCCallbackFunction.mm: |
| * assembler/AbstractMacroAssembler.h: |
| * b3/B3PhiChildren.h: |
| * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: |
| * b3/air/AirDisassembler.h: |
| * bytecode/AccessCaseSnippetParams.h: |
| * bytecode/CallVariant.h: |
| * bytecode/DeferredSourceDump.h: |
| * bytecode/ExecutionCounter.h: |
| * bytecode/GetByIdStatus.h: |
| * bytecode/GetByIdVariant.h: |
| * bytecode/InByIdStatus.h: |
| * bytecode/InByIdVariant.h: |
| * bytecode/InstanceOfStatus.h: |
| * bytecode/InstanceOfVariant.h: |
| * bytecode/PutByIdStatus.h: |
| * bytecode/PutByIdVariant.h: |
| * bytecode/ValueProfile.h: |
| * dfg/DFGAbstractInterpreter.h: |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::newVariableAccessData): |
| * dfg/DFGFlowIndexing.h: |
| * dfg/DFGFlowMap.h: |
| * dfg/DFGLiveCatchVariablePreservationPhase.cpp: |
| (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData): |
| * dfg/DFGMaximalFlushInsertionPhase.cpp: |
| (JSC::DFG::MaximalFlushInsertionPhase::newVariableAccessData): |
| * dfg/DFGOSRExit.h: |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGVariableAccessData.h: |
| * disassembler/ARM64/A64DOpcode.h: |
| * inspector/remote/socket/RemoteInspectorMessageParser.h: |
| * inspector/remote/socket/RemoteInspectorSocket.h: |
| * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: |
| * jit/PCToCodeOriginMap.h: |
| * runtime/BasicBlockLocation.h: |
| * runtime/DoublePredictionFuzzerAgent.h: |
| * runtime/JSRunLoopTimer.h: |
| * runtime/PromiseDeferredTimer.h: |
| (JSC::PromiseDeferredTimer::create): PromiseDeferredTimer should be allocated as `Ref<>` instead of `std::unique_ptr` since it is inheriting ThreadSafeRefCounted<>. |
| Holding such a class with std::unique_ptr could lead to potentially dangerous operations (like, someone holds it with Ref<> while it is deleted by std::unique_ptr<>). |
| * runtime/RandomizingFuzzerAgent.h: |
| * runtime/SymbolTable.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * runtime/VM.h: |
| * tools/JSDollarVM.cpp: |
| * tools/SigillCrashAnalyzer.cpp: |
| * wasm/WasmFormat.h: |
| * wasm/WasmMemory.cpp: |
| * wasm/WasmSignature.h: |
| * yarr/YarrJIT.h: |
| |
| 2019-08-12 Chris Dumez <cdumez@apple.com> |
| |
| Add threading assertions to RefCounted |
| https://bugs.webkit.org/show_bug.cgi?id=200507 |
| |
| Reviewed by Ryosuke Niwa. |
| |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::Plan): |
| Disable threading assertions for DFG::Plan::m_inlineCallFrames while the JSC team |
| investigates. |
| |
| 2019-08-12 Chris Dumez <cdumez@apple.com> |
| |
| Unreviewed, rolling out r248525. |
| |
| Revert new threading assertions while I work on fixing the |
| issues they exposed |
| |
| Reverted changeset: |
| |
| "Add threading assertions to RefCounted" |
| https://bugs.webkit.org/show_bug.cgi?id=200507 |
| https://trac.webkit.org/changeset/248525 |
| |
| 2019-08-11 Chris Dumez <cdumez@apple.com> |
| |
| Add threading assertions to RefCounted |
| https://bugs.webkit.org/show_bug.cgi?id=200507 |
| |
| Reviewed by Ryosuke Niwa. |
| |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::Plan): |
| Disable threading assertions for DFG::Plan::m_inlineCallFrames while the JSC team |
| investigates. |
| |
| 2019-08-09 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive |
| https://bugs.webkit.org/show_bug.cgi?id=199864 |
| |
| Reviewed by Saam Barati. |
| |
| Our JSObject::put implementation is not correct in terms of the spec. Our [[Put]] implementation is something like this. |
| |
| JSObject::put(object): |
|     if (can-do-fast-path(object)) |
|         return fast-path(object); |
|     // slow-path |
|     do { |
|         object-put-check-and-setter-calls(object); // (1) |
|         object = object->prototype; |
|     } while (is-object(object)); |
|     return do-put(object); |
| |
| Since JSObject::put is registered in the methodTable, the derived classes can override it. Some of the classes add |
| extra checks to this put. |
| |
| Derived::put(object): |
|     if (do-extra-check(object)) |
|         fail |
|     return JSObject::put(object) |
| |
| The problem is that Derived::put is only called when the |this| object is the Derived class. When traversing [[Prototype]] in |
| JSObject::put, at (1), we do not perform the extra checks added in Derived::put even if `object` is a Derived one. This means that |
| we skip the check. |
| |
| Currently, JSObject::put and WebCore's checking mechanism are broken. JSObject::put should call getOwnPropertySlot at (1) to |
| perform the additional checks. This behavior matches the spec. However, currently, our JSObject::getOwnPropertySlot |
| does not propagate setter information. This is required to cache cacheable [[Put]] at (1) for CustomValue, CustomAccessor, and |
| Accessors. We also need to reconsider how to integrate static property setters to this mechanism. So, basically, this involves |
| large refactoring to renew our JSObject::put and JSObject::getOwnPropertySlot. |
| |
| To work around this for now, we add a new TypeInfo flag, HasPutPropertySecurityCheck, and add this flag to DOM objects |
| that implement the additional checks. We also add a doPutPropertySecurityCheck method hook to perform the check in JSObject. |
| When we find this flag at (1), we perform doPutPropertySecurityCheck to properly perform the checks. |
| |
| Since our JSObject::put code is old and it does not match against the spec now, we should refactor it largely. This is tracked separately in [1]. |
| |
| [1]: https://bugs.webkit.org/show_bug.cgi?id=200562 |
| |
| * runtime/ClassInfo.h: |
| * runtime/JSCJSValue.cpp: |
| (JSC::JSValue::putToPrimitive): |
| * runtime/JSCell.cpp: |
| (JSC::JSCell::doPutPropertySecurityCheck): |
| * runtime/JSCell.h: |
| * runtime/JSObject.cpp: |
| (JSC::JSObject::putInlineSlow): |
| (JSC::JSObject::getOwnPropertyDescriptor): |
| * runtime/JSObject.h: |
| (JSC::JSObject::doPutPropertySecurityCheck): |
| * runtime/JSTypeInfo.h: |
| (JSC::TypeInfo::hasPutPropertySecurityCheck const): |
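The failure mode this entry describes, reduced to an added C++ model (not JSC code): a toy [[Put]] that walks the [[Prototype]] chain, with the pre-fix variant, which honours only the receiver's Derived::put check, beside the fixed variant, which consults a HasPutPropertySecurityCheck-style flag on every object it reaches at step (1). The types and functions here (Object, Property, PutResult, allowOnlyPublic, put, putDirectly, putThroughPlainObject) and the "public_" naming rule used as the extra check are invented for the illustration.

```cpp
#include <iostream>
#include <map>
#include <string>

// Outcome of a [[Put]] in the toy model.
enum class PutResult { Denied, StoredOnReceiver, SetterRan };

struct Property {
    int value = 0;
    bool isSetter = false;  // a setter found on the chain runs instead of storing
};

struct Object {
    std::map<std::string, Property> own;
    Object* prototype = nullptr;
    // Models the HasPutPropertySecurityCheck TypeInfo flag together with the
    // doPutPropertySecurityCheck hook (returns true when the put may proceed).
    bool hasPutPropertySecurityCheck = false;
    bool (*doPutPropertySecurityCheck)(const std::string&) = nullptr;
};

// Constructed extra check a guarded object installs: only "public_*" names
// may be written through it.
static bool allowOnlyPublic(const std::string& name) {
    return name.rfind("public_", 0) == 0;
}

// [[Put]] slow path with the prototype walk. honorFlagOnPrototypes == false
// reproduces the pre-fix behaviour: only the receiver's Derived::put check
// runs, so the check at (1) is skipped for objects reached via [[Prototype]].
// honorFlagOnPrototypes == true reproduces the fix: every object on the
// chain that carries the flag is checked at (1) before it is consulted.
static PutResult put(Object* receiver, const std::string& name, int value,
                     bool honorFlagOnPrototypes) {
    for (Object* o = receiver; o; o = o->prototype) {
        bool mustCheck = (o == receiver) || honorFlagOnPrototypes;
        if (mustCheck && o->hasPutPropertySecurityCheck
            && !o->doPutPropertySecurityCheck(name))
            return PutResult::Denied;
        auto it = o->own.find(name);
        if (it == o->own.end())
            continue;
        if (it->second.isSetter)
            return PutResult::SetterRan;  // a setter on the chain wins
        break;  // plain data property: stop walking, store on the receiver
    }
    receiver->own[name] = Property{value, false};
    return PutResult::StoredOnReceiver;
}

// A guarded object (think: a DOM object with an extra put check) exposing
// a setter named "secret".
static void makeGuarded(Object& guarded) {
    guarded.hasPutPropertySecurityCheck = true;
    guarded.doPutPropertySecurityCheck = allowOnlyPublic;
    guarded.own["secret"] = Property{0, true};
}

// Put directly on the guarded object: Derived::put denies it either way.
static PutResult putDirectly(bool fixed) {
    Object guarded;
    makeGuarded(guarded);
    return put(&guarded, "secret", 42, fixed);
}

// Put on an ordinary object whose [[Prototype]] is the guarded object: the
// pre-fix walk reaches the setter without running the check at (1).
static PutResult putThroughPlainObject(const std::string& name, bool fixed) {
    Object guarded;
    makeGuarded(guarded);
    Object plain;
    plain.prototype = &guarded;
    return put(&plain, name, 42, fixed);
}

static const char* describe(PutResult r) {
    return r == PutResult::Denied ? "denied"
         : r == PutResult::SetterRan ? "setter ran" : "stored on receiver";
}

int main() {
    std::cout << "direct, pre-fix:  " << describe(putDirectly(false)) << '\n';
    std::cout << "via proto, pre-fix: " << describe(putThroughPlainObject("secret", false)) << '\n';
    std::cout << "via proto, fixed:   " << describe(putThroughPlainObject("secret", true)) << '\n';
    std::cout << "via proto, fixed, allowed name: "
              << describe(putThroughPlainObject("public_note", true)) << '\n';
    return 0;
}
```

The point to take from the model is that a per-class override of put only guards the receiver; any check that must hold for an object wherever it appears in a prototype chain has to be visible to the generic chain walk, which is what the flag at (1) provides.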
| |
| 2019-08-08 Per Arne Vollan <pvollan@apple.com> |
| |
| [Win] Fix internal build |
| https://bugs.webkit.org/show_bug.cgi?id=200519 |
| |
| Reviewed by Alex Christensen. |
| |
| The script 'generate-js-builtins.py' cannot be found when building WebCore. Copy the JavaScriptCore Scripts |
| folder after building JSC. |
| |
| * JavaScriptCore.vcxproj/JavaScriptCore.proj: |
| |
| 2019-08-08 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Page: don't allow the domain to be disabled |
| https://bugs.webkit.org/show_bug.cgi?id=200109 |
| |
| Reviewed by Brian Burg. |
| |
| The `PageAgent` is relied on by many of the other agents, so much so that it doesn't make |
| sense to support the ability to "disable" (as well as "enable") the agent. |
| |
| When the first frontend connects, we should treat the `PageAgent` as active and available. |
| |
| * inspector/protocol/Page.json: |
| Remove `enable`/`disable`. |
| |
| 2019-08-08 Michael Saboff <msaboff@apple.com> |
| |
| OpenSource MemoryFootprint API for JSC command line tool |
| https://bugs.webkit.org/show_bug.cgi?id=200541 |
| |
| Reviewed by Saam Barati. |
| |
| Use wtf/spi/darwin/ProcessMemoryFootprint.h instead of WebKitAdditions/MemoryFootprint.h |
| for process memory stats. |
| |
| * jsc.cpp: |
| (MemoryFootprint::MemoryFootprint): |
| |
| 2019-08-08 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: rename `queryObjects` to `queryInstances` for clarity |
| https://bugs.webkit.org/show_bug.cgi?id=200520 |
| |
| Reviewed by Brian Burg. |
| |
| * inspector/InjectedScriptSource.js: |
| (queryInstances): Added. |
| (queryObjects): |
| * inspector/JSInjectedScriptHost.h: |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::queryInstances): Added. |
| (Inspector::JSInjectedScriptHost::queryObjects): Deleted. |
| * inspector/JSInjectedScriptHostPrototype.cpp: |
| (Inspector::JSInjectedScriptHostPrototype::finishCreation): |
| (Inspector::jsInjectedScriptHostPrototypeFunctionQueryInstances): Added. |
| (Inspector::jsInjectedScriptHostPrototypeFunctionQueryObjects): Deleted. |
| |
| 2019-08-08 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [JSC] Add "jump if (not) undefined or null" bytecode ops |
| https://bugs.webkit.org/show_bug.cgi?id=200480 |
| |
| Reviewed by Saam Barati. |
| |
| This patch introduces fused jumps for op_is_undefined_or_null, which ignores "masquerade as undefined" behavior. |
| |
| This lets us fix an edge-case bug in RequireObjectCoercible (where `({ length } = document.all)` was a TypeError) |
| and moreover provides a very useful optimization for the new ?. and ?? operators, which have semantics centered |
| around op_jundefined_or_null and op_jnundefined_or_null, respectively. |
| |
| * bytecode/BytecodeList.rb: |
| * bytecode/BytecodeUseDef.h: |
| (JSC::computeUsesForBytecodeOffset): |
| (JSC::computeDefsForBytecodeOffset): |
| * bytecode/Opcode.h: |
| (JSC::isBranch): |
| * bytecode/PreciseJumpTargetsInlines.h: |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::Label::setLocation): |
| (JSC::BytecodeGenerator::emitJumpIfTrue): |
| (JSC::BytecodeGenerator::emitJumpIfFalse): |
| (JSC::BytecodeGenerator::emitRequireObjectCoercible): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.cpp: |
| (JSC::DFG::capabilityLevel): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| * jit/JIT.h: |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_jundefined_or_null): Added. |
| (JSC::JIT::emit_op_jnundefined_or_null): Added. |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_jundefined_or_null): Added. |
| (JSC::JIT::emit_op_jnundefined_or_null): Added. |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| |
| 2019-08-07 Devin Rousso <drousso@apple.com> |
| |
| Rebase inspector generator tests. |
| |
| Rubber-stamped by Brian Burg. |
| |
| * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: |
| * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result: |
| * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: |
| * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result: |
| * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result: |
| * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result: |
| * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result: |
| * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: |
| |
| 2019-08-07 Caio Lima <ticaiolima@gmail.com> |
| |
| High number of cache miss on localTimeOffset |
| https://bugs.webkit.org/show_bug.cgi?id=200444 |
| |
| Reviewed by Darin Adler. |
| |
| This patch is separating the `LocalTimeOffsetCache` for each |
| `WTF::TimeType` to avoid constant cache miss on pathological cases |
| where `gregorianDateTimeToMS` and `msToGregorianDateTime` are |
| interleaved with `inputTimeType == WTF::LocalTime`. Such a case |
| happens during execution of Facebook Messenger |
| (https://www.messenger.com). |
| |
| * runtime/JSDateMath.cpp: |
| (JSC::localTimeOffset): |
| (JSC::gregorianDateTimeToMS): |
| * runtime/VM.cpp: |
| (JSC::VM::resetDateCache): |
| * runtime/VM.h: |
| (JSC::LocalTimeOffsetCache::LocalTimeOffsetCache): |
| (JSC::LocalTimeOffsetCache::reset): |
| |
| 2019-08-06 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] sampling-profiler can see garbage Wasm::Callee* pointer which is HashTable deleted / empty values |
| https://bugs.webkit.org/show_bug.cgi?id=200494 |
| |
| Reviewed by Saam Barati. |
| |
| The sampling-profiler can see a garbage pointer which is like Wasm::Callee*. This can be filtered by HashSet<Callee*>. |
| But this is safe only when the garbage pointer is not a deleted / empty value. We saw an occasional crash with JetStream2/tsf-wasm. |
| This patch filters out these values with `HashSet<Callee*>::isValidValue`. |
| |
| * wasm/WasmCalleeRegistry.h: |
| (JSC::Wasm::CalleeRegistry::isValidCallee): |
| |
| 2019-08-06 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r248289. |
| https://bugs.webkit.org/show_bug.cgi?id=200488 |
| |
| Broke internal builds (Requested by drousso on #webkit). |
| |
| Reverted changeset: |
| |
| "Web Inspector: Styles: show @supports CSS groupings" |
| https://bugs.webkit.org/show_bug.cgi?id=200419 |
| https://trac.webkit.org/changeset/248289 |
| |
| 2019-08-06 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: allow comments in protocol JSON |
| https://bugs.webkit.org/show_bug.cgi?id=200104 |
| |
| Reviewed by Brian Burg. |
| |
| * inspector/scripts/generate-inspector-protocol-bindings.py: |
| (generate_from_specification.load_specification): |
| |
| * inspector/scripts/tests/generic/should-strip-comments.json: Added. |
| * inspector/scripts/tests/generic/expected/should-strip-comments.json-result: Added. |
| |
| 2019-08-06 Per Arne Vollan <pvollan@apple.com> |
| |
| [Win] Fix AppleWin build |
| https://bugs.webkit.org/show_bug.cgi?id=200455 |
| |
| Reviewed by Alex Christensen. |
| |
| * CMakeLists.txt: |
| * shell/CMakeLists.txt: |
| |
| 2019-08-05 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Styles: show @supports CSS groupings |
| https://bugs.webkit.org/show_bug.cgi?id=200419 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/CSS.json: |
| Rename `CSSMedia` to `Grouping` and remove the `sourceLine` value, as it was never populated |
| and wasn't used by Web Inspector. |
| |
| 2019-08-05 Devin Rousso <drousso@apple.com> |
| |
| Can't use $0, $1 etc when inspecting Google Docs pages because the content uses these for function names |
| https://bugs.webkit.org/show_bug.cgi?id=195834 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Allow the user to alias saved results by providing a different prefix (e.g. "$") from within |
| Web Inspector. When changing the alias, all existing saved results will update to be |
| reference-able from the new alias. |
| |
| * inspector/protocol/Runtime.json: |
| Add `setSavedResultAlias` command. |
| |
| * inspector/agents/InspectorRuntimeAgent.h: |
| * inspector/agents/InspectorRuntimeAgent.cpp: |
| (Inspector::InspectorRuntimeAgent::setSavedResultAlias): Added. |
| |
| * inspector/InjectedScriptHost.h: |
| (Inspector::InjectedScriptHost::setSavedResultAlias): Added. |
| (Inspector::InjectedScriptHost::savedResultAlias const): Added. |
| * inspector/JSInjectedScriptHost.h: |
| * inspector/JSInjectedScriptHost.cpp: |
| (Inspector::JSInjectedScriptHost::savedResultAlias const): Added. |
| * inspector/JSInjectedScriptHostPrototype.cpp: |
| (Inspector::JSInjectedScriptHostPrototype::finishCreation): |
| (Inspector::jsInjectedScriptHostPrototypeAttributeSavedResultAlias): Added. |
| Store the saved result alias on the `InjectedScriptHost` since it is a shared object among |
| all `InjectedScript`. |
| |
| * inspector/InjectedScriptSource.js: |
| (BasicCommandLineAPI): |
| |
| 2019-08-05 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Timelines: disable related agents when the tab is closed |
| https://bugs.webkit.org/show_bug.cgi?id=200118 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Rework how `enable`/`disable` is used for timeline-related agents so that events are not sent |
| and data isn't kept alive when the Timelines tab isn't enabled. |
| |
| * inspector/protocol/Timeline.json: |
| Add `enable`/`disable` commands. |
| |
| * inspector/agents/InspectorHeapAgent.cpp: |
| (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend): |
| (Inspector::InspectorHeapAgent::enable): |
| (Inspector::InspectorHeapAgent::disable): |
| |
| 2019-08-05 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: rename "Stylesheet" to "Style Sheet" to match spec text |
| https://bugs.webkit.org/show_bug.cgi?id=200422 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/protocol/Page.json: |
| |
| 2019-08-05 Michael Saboff <msaboff@apple.com> |
| |
| JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray |
| https://bugs.webkit.org/show_bug.cgi?id=199997 |
| |
| Reviewed by Saam Barati. |
| |
| No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray() |
| and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a |
| CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array |
| and not for SpecEmpty. If we added a check for the SpecEmpty in the ASSERT, there are cases where |
| it won't be set. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): |
| (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): |
| |
| 2019-08-03 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: DOM: add a special breakpoint for "All Events" |
| https://bugs.webkit.org/show_bug.cgi?id=200285 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Similar to the existing "All Requests" breakpoint, there should be a way to set a breakpoint |
| that would pause for any DOM event, regardless of the event's name. This is useful for |
| situations where the event name isn't known, or where one simply wants to pause on the next |
| entry to the event loop. |
| |
| Along these lines, make the "requestAnimationFrame", "setTimeout", and "setInterval" |
| event breakpoints into special breakpoints that can be added/removed via the create |
| breakpoint context menu. This simplifies the process for setting these breakpoints, and also |
| makes them more discoverable (most people wouldn't consider them to be "events"). |
| |
| * inspector/protocol/Debugger.json: |
| - Rename the `EventListener` pause reason to `Listener`. |
| - Split the `Timer` pause reason into `Interval` and `Timeout`. |
| |
| * inspector/protocol/DOMDebugger.json: |
| - Split the `timer` type into `interval` and `timeout`. |
| - Make `eventName` optional for `addEventBreakpoint`/`removeEventBreakpoint`. When omitted, |
| the corresponding breakpoint that is added/removed is treated as a global breakpoint that |
| applies to all events of that type (e.g. a global `listener` breakpoint would pause for |
| any event that is fired). |
| |
| 2019-08-02 Keith Miller <keith_miller@apple.com> |
| |
| Address comments on r248178 |
| https://bugs.webkit.org/show_bug.cgi?id=200411 |
| |
| Reviewed by Saam Barati. |
| |
| * b3/B3Opcode.h: |
| * b3/B3Procedure.h: |
| (JSC::B3::Procedure::tuples const): |
| * b3/B3Validate.cpp: |
| * b3/testb3_1.cpp: |
| (main): |
| |
| 2019-08-02 Mark Lam <mark.lam@apple.com> |
| |
| [ARM64E] Harden the diversity of the DOMJIT::Signature::unsafeFunction pointer. |
| https://bugs.webkit.org/show_bug.cgi?id=200292 |
| <rdar://problem/53706881> |
| |
| Reviewed by Geoffrey Garen. |
| |
| Previously, DOMJIT::Signature::functionWithoutTypeCheck was signed as a C function |
| pointer. We can do better by signing it like a vtbl function pointer. |
| |
| No new tests needed. The DOMJIT mechanism is covered by existing tests. |
| |
| I also manually confirmed that DOMJIT::Signature::functionWithoutTypeCheck is signed |
| exactly as expected by reading its bits out of memory (not letting Clang have a |
| chance to resign it into a C function pointer) and comparing it against manually |
| signed bits with the expected diversifier. |
| |
| * assembler/MacroAssemblerCodeRef.h: |
| (JSC::CFunctionPtr::CFunctionPtr): |
| (JSC::CFunctionPtr::get const): |
| (JSC::CFunctionPtr::address const): |
| (JSC::CFunctionPtr::operator bool const): |
| (JSC::CFunctionPtr::operator! const): |
| (JSC::CFunctionPtr::operator== const): |
| (JSC::CFunctionPtr::operator!= const): |
| |
| - Introduce a CFunctionPtr abstraction that is used to hold pointers to C functions. |
| It can be instantiated in 4 ways: |
| |
| 1. The default constructor. |
| 2. A constructor that takes a nullptr_t. |
| |
| These 2 forms will instantiate a CFunctionPtr with a nullptr. |
| |
| 3. A constructor that takes the name of a function. |
| 4. A constructor that takes a function pointer. |
| |
| Form 3 already knows that we're initializing with a real function, and |
| that Clang will give it to us signed as a C function pointer. So, it |
| doesn't do any assertions. This form is useful for initializing CFunctionPtrs |
| embedded in const data structures. |
| |
| Form 4 is an explicit constructor that takes an arbitrary function |
| pointer, but does not know if that pointer is already signed as a C function |
| pointer. Hence, this form will do a RELEASE_ASSERT that the given function |
| pointer is actually signed as a C function pointer. |
| |
| Once instantiated, we are guaranteed that a C function pointer is either null |
| or contains a signed C function pointer. |
| |
| * domjit/DOMJITSignature.h: |
| (JSC::DOMJIT::Signature::Signature): |
| - Sign functionWithoutTypeCheck as WTF_VTBL_FUNCPTR_PTRAUTH(DOMJITFunctionPtrTag). |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCallDOM): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM): |
| - Use the new CFunctionPtr to document that the retrieved signature->functionWithoutTypeCheck |
| is signed as a C function pointer. |
| |
| * runtime/ClassInfo.h: |
| - Update MethodTable to sign its function pointers using the new WTF_VTBL_FUNCPTR_PTRAUTH_STR |
| to be consistent. No longer need to roll its own PTRAUTH macro. |
| |
| * runtime/JSCPtrTag.h: |
| - Add DOMJITFunctionPtrTag. |
| |
| * tools/JSDollarVM.cpp: |
| - Update to work with the new DOMJIT::Signature constructor. |
| |
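The pointer-signing scheme described in the entry above, as an added example that is not part of the WebKit change: a software model of discriminator-diversified signing, in which the "PAC" is a 16-bit keyed mix kept in the unused high bits of a 48-bit user-space address rather than real ARM64E hardware authentication. The process key, the Tag values, the mixing constants and the `CFunctionPtr::tryAdopt` name are assumptions of the model, not JSC identifiers.

```cpp
// Added example (not WebKit code): software model of discriminator-diversified
// pointer signing. NOT real PAC: the 16-bit signature is a keyed integer mix
// stored above the 48 address bits. Key, tags and constants are made up.
#include <cstdint>
#include <cstddef>

namespace pacmodel {

// Stand-in for the per-process PAC key the hardware holds.
constexpr uint64_t kProcessKey = 0x9E3779B97F4A7C15ull;

// Stand-ins for JSC's PtrTags: one discriminator per kind of pointer.
enum class Tag : uint64_t {
    CFunctionPtrTag      = 1,   // plain C function pointer
    VTableFunctionPtrTag = 2,   // pointer stored in a vtable-like struct
    DOMJITFunctionPtrTag = 3,   // analogue of the tag the entry adds for DOMJIT
};

constexpr uint64_t kAddressBits = 48;
constexpr uint64_t kAddressMask = (uint64_t(1) << kAddressBits) - 1;

// 16-bit signature over canonical address, key and tag. The tag enters as a
// XOR whose low 16 bits differ for every Tag value, so one address signed under
// two tags always yields two different signatures (real PAC: overwhelmingly likely).
inline uint16_t computeSignature(uint64_t canonicalAddress, Tag tag) {
    uint64_t x = canonicalAddress ^ kProcessKey;
    x ^= x >> 33; x *= 0xFF51AFD7ED558CCDull;
    x ^= x >> 33; x *= 0xC4CEB9FE1A85EC53ull;
    x ^= x >> 33;
    x ^= static_cast<uint64_t>(tag) * 0x9E37u;
    return static_cast<uint16_t>(x);
}

// Signed pointer: canonical address in the low 48 bits, signature above them.
inline uint64_t sign(uint64_t address, Tag tag) {
    uint64_t canonical = address & kAddressMask;
    return canonical | (uint64_t(computeSignature(canonical, tag)) << kAddressBits);
}

// True (and the stripped address) only if the pointer was signed under exactly
// this tag. Hardware yields a poisoned pointer on failure; here the caller must
// check the boolean.
inline bool authenticate(uint64_t signedPointer, Tag tag, uint64_t& addressOut) {
    uint64_t canonical = signedPointer & kAddressMask;
    uint16_t expected = computeSignature(canonical, tag);
    uint16_t actual = static_cast<uint16_t>(signedPointer >> kAddressBits);
    addressOut = canonical;
    return expected == actual;
}

// Model of the entry's "form 4" constructor: an arbitrary signed pointer is
// accepted only if it authenticates as a C function pointer. The real code
// RELEASE_ASSERTs; the model reports the failure instead.
class CFunctionPtr {
public:
    CFunctionPtr() = default;
    CFunctionPtr(std::nullptr_t) {}

    static bool tryAdopt(uint64_t signedPointer, CFunctionPtr& out) {
        uint64_t ignored = 0;
        if (!authenticate(signedPointer, Tag::CFunctionPtrTag, ignored))
            return false;                  // signed with some other diversifier
        out.m_signed = signedPointer;
        return true;
    }

    explicit operator bool() const { return m_signed != 0; }
    uint64_t signedBits() const { return m_signed; }

private:
    uint64_t m_signed = 0;               // null or a C-function-signed pointer
};

// Scenario helpers.
inline bool roundTrips(uint64_t address, Tag tag) {
    uint64_t out = 0;
    return authenticate(sign(address, tag), tag, out) && out == (address & kAddressMask);
}

// A DOMJIT-signed pointer smuggled into a slot that expects a C function pointer.
inline bool domjitPointerRejectedAsCFunction(uint64_t address) {
    CFunctionPtr p;
    return !CFunctionPtr::tryAdopt(sign(address, Tag::DOMJITFunctionPtrTag), p) && !p;
}

} // namespace pacmodel
```

`tryAdopt` is the point of the entry: a pointer signed under `DOMJITFunctionPtrTag` cannot be adopted where a C function pointer is expected, which is exactly the substitution a distinct diversifier is meant to stop.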
| 2019-08-02 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Support WebAssembly in SamplingProfiler |
| https://bugs.webkit.org/show_bug.cgi?id=200329 |
| |
| Reviewed by Saam Barati. |
| |
| The sampling profiler support is critical to investigate what is actually time-consuming. This patch adds the sampling profiler support for Wasm functions |
| to list hot Wasm functions with compilation mode (BBQ or OMG). This allows us to investigate the hot functions in JetStream2 wasm tests. |
| |
| In order to retrieve wasm function information from the sampling profiler safely, we need to know whether the given Wasm CalleeBits is valid in the call frame. |
| To achieve this, we start collecting valid Wasm::Callee pointers in a global hash set. Previously, each Wasm::Callee registered its code region to a hash set |
| for wasm fault signal handler to know whether the faulted program-counter is in wasm region. We reuse and change this mechanism. Instead of registering code region, |
| we register Wasm::Callee* to a hash set. The sampling profiler reuses this hash set to determine whether the given bits are a valid Wasm::Callee. |
| |
| The sampling profiler retrieves the information safely from valid Wasm::Callee* pointer. It is possible that this Wasm::Callee is about to be dead: ref-count is 0, |
| now in the middle of the destructor of Wasm::Callee. Even in that case, fields of Wasm::Callee are still valid and can be accessed since destroying these fields happens |
| after we unregister Wasm::Callee from the global hash set. |
| |
| We retrieve Wasm::IndexOrName and Wasm::CompilationMode. Copying them does not involve any allocations, locking etc. So we can safely copy them while some threads are suspended. |
| |
| This patch also fixes the issue that we never called `unregisterCode` while every Wasm::Callee registers its code region through `registerCode`. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * runtime/InitializeThreading.cpp: |
| (JSC::initializeThreading): |
| * runtime/SamplingProfiler.cpp: |
| (JSC::FrameWalker::FrameWalker): |
| (JSC::FrameWalker::recordJSFrame): |
| (JSC::CFrameWalker::CFrameWalker): |
| (JSC::SamplingProfiler::takeSample): |
| (JSC::SamplingProfiler::processUnverifiedStackTraces): |
| (JSC::SamplingProfiler::StackFrame::displayName): |
| (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests): |
| (JSC::SamplingProfiler::StackFrame::functionStartLine): |
| (JSC::SamplingProfiler::StackFrame::functionStartColumn): |
| (JSC::SamplingProfiler::StackFrame::sourceID): |
| (JSC::SamplingProfiler::StackFrame::url): |
| (JSC::SamplingProfiler::reportTopBytecodes): |
| (WTF::printInternal): |
| * runtime/SamplingProfiler.h: |
| * tools/JSDollarVM.cpp: |
| (JSC::functionIsWasmSupported): |
| (JSC::JSDollarVM::finishCreation): |
| * wasm/WasmB3IRGenerator.h: |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::complete): |
| * wasm/WasmBBQPlanInlines.h: |
| (JSC::Wasm::BBQPlan::initializeCallees): |
| * wasm/WasmCallee.cpp: |
| (JSC::Wasm::Callee::Callee): |
| (JSC::Wasm::Callee::~Callee): |
| * wasm/WasmCallee.h: |
| (JSC::Wasm::Callee::create): Deleted. |
| (JSC::Wasm::Callee::entrypoint const): Deleted. |
| (JSC::Wasm::Callee::calleeSaveRegisters): Deleted. |
| (JSC::Wasm::Callee::indexOrName const): Deleted. |
| * wasm/WasmCalleeRegistry.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h. |
| (JSC::Wasm::CalleeRegistry::initialize): |
| (JSC::Wasm::CalleeRegistry::singleton): |
| * wasm/WasmCalleeRegistry.h: Copied from Source/JavaScriptCore/wasm/WasmCallee.cpp. |
| (JSC::Wasm::CalleeRegistry::getLock): |
| (JSC::Wasm::CalleeRegistry::registerCallee): |
| (JSC::Wasm::CalleeRegistry::unregisterCallee): |
| (JSC::Wasm::CalleeRegistry::isValidCallee): |
| * wasm/WasmCompilationMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h. |
| (JSC::Wasm::makeString): |
| * wasm/WasmCompilationMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h. |
| * wasm/WasmFaultSignalHandler.cpp: |
| (JSC::Wasm::trapHandler): |
| (JSC::Wasm::enableFastMemory): |
| (JSC::Wasm::registerCode): Deleted. |
| (JSC::Wasm::unregisterCode): Deleted. |
| * wasm/WasmFaultSignalHandler.h: |
| * wasm/WasmIndexOrName.h: |
| * wasm/WasmOMGPlan.cpp: |
| (JSC::Wasm::OMGPlan::work): |
| |
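The registry idea from this entry and the `isValidValue` follow-up for bug 200494 (the 2019-08-06 entry above), as one added example that is not WebKit code: live callee pointers are kept in an open-addressing hash set which, like WTF::HashTable, reserves two sentinel values (0 for empty, all-ones for deleted). A sampling thread that picks up garbage "callee bits" from a suspended frame must reject those sentinels before asking the table, under the registry lock, whether the bits are a registered callee. The class shape, member names and the probing scheme are assumptions of the model.

```cpp
// Added example (not WebKit code): model of a callee registry backed by an
// open-addressing hash set with WTF-style empty/deleted sentinels. Names and
// the probing scheme are the model's, not JSC's.
#include <cassert>
#include <cstdint>
#include <mutex>
#include <vector>

namespace registrymodel {

class CalleeRegistry {
public:
    static constexpr uintptr_t kEmpty = 0;                 // never-used slot
    static constexpr uintptr_t kDeleted = ~uintptr_t(0);   // tombstone

    // A value the table can physically store: anything but the two sentinels.
    static bool isValidValue(uintptr_t v) { return v != kEmpty && v != kDeleted; }

    void registerCallee(uintptr_t callee) {
        assert(isValidValue(callee));      // a real Callee* is never a sentinel
        std::lock_guard<std::mutex> guard(m_lock);
        insert(callee);
    }

    void unregisterCallee(uintptr_t callee) {
        std::lock_guard<std::mutex> guard(m_lock);
        erase(callee);
    }

    // Safe for arbitrary bits read off a suspended thread's stack: the sentinel
    // check (bug 200494) comes first, because the table itself asserts on them.
    bool isValidCallee(uintptr_t bits) {
        if (!isValidValue(bits))
            return false;
        std::lock_guard<std::mutex> guard(m_lock);
        return contains(bits);
    }

private:
    size_t mask() const { return m_slots.size() - 1; }      // size is a power of two

    size_t slotFor(uintptr_t key) const {
        uint64_t h = key;
        h ^= h >> 33; h *= 0xFF51AFD7ED558CCDull; h ^= h >> 33;
        return static_cast<size_t>(h) & mask();
    }

    // Linear probing; tombstones are probed past, an empty slot ends the search.
    bool contains(uintptr_t key) const {
        for (size_t i = slotFor(key);; i = (i + 1) & mask()) {
            if (m_slots[i] == key) return true;
            if (m_slots[i] == kEmpty) return false;
        }
    }

    void insert(uintptr_t key) {
        if ((m_occupied + 1) * 4 > m_slots.size() * 3)     // keep load below 3/4
            grow();
        size_t none = m_slots.size(), firstDeleted = none;
        size_t i = slotFor(key);
        for (;; i = (i + 1) & mask()) {
            if (m_slots[i] == key) return;                   // already registered
            if (m_slots[i] == kEmpty) break;
            if (m_slots[i] == kDeleted && firstDeleted == none) firstDeleted = i;
        }
        if (firstDeleted != none) {
            m_slots[firstDeleted] = key;                     // reuse a tombstone
        } else {
            m_slots[i] = key;
            ++m_occupied;
        }
    }

    void erase(uintptr_t key) {
        for (size_t i = slotFor(key);; i = (i + 1) & mask()) {
            if (m_slots[i] == key) { m_slots[i] = kDeleted; return; }
            if (m_slots[i] == kEmpty) return;                // was never registered
        }
    }

    void grow() {
        std::vector<uintptr_t> old = std::move(m_slots);
        m_slots.assign(old.size() * 2, kEmpty);
        m_occupied = 0;
        for (uintptr_t v : old)
            if (isValidValue(v)) insert(v);                  // drops tombstones
    }

    std::vector<uintptr_t> m_slots = std::vector<uintptr_t>(64, kEmpty);
    size_t m_occupied = 0;   // slots that are not kEmpty (live entries + tombstones)
    std::mutex m_lock;
};

} // namespace registrymodel
```

The ordering in `isValidCallee` is the whole point: `contains` is only defined for storable values, so a 0 or all-ones word read from a half-torn-down frame has to be answered "not a callee" before the table is ever consulted.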
| 2019-08-02 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] LazyJSValue should be robust for empty JSValue |
| https://bugs.webkit.org/show_bug.cgi?id=200388 |
| |
| Reviewed by Saam Barati. |
| |
| If the Switch DFG node is preceded by ForceOSRExit or something that invalidates the basic block, |
| it can take a FrozenValue as a child which includes empty value instead of string, number etc. |
| If this Switch node is kept and we reach DFGCFGSimplificationPhase, it will use this FrozenValue. |
| However, LazyJSValue using this FrozenValue strongly assumes that FrozenValue is never holding empty value. |
| But this assumption is wrong. This patch makes LazyJSValue robust for empty value. |
| |
| * dfg/DFGLazyJSValue.cpp: |
| (JSC::DFG::LazyJSValue::tryGetStringImpl const): |
| (JSC::DFG::LazyJSValue::tryGetString const): |
| (JSC::DFG::LazyJSValue::strictEqual const): |
| (JSC::DFG::LazyJSValue::switchLookupValue const): |
| |
| 2019-08-02 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Storage: disable related agents when the tab is closed |
| https://bugs.webkit.org/show_bug.cgi?id=200117 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Rework how `enable`/`disable` is used for storage-related agents so that events are not sent |
| and data isn't kept alive when the Storage tab isn't enabled. |
| |
| * inspector/protocol/ApplicationCache.json: |
| Add `disable` command. |
| |
| 2019-08-01 Keith Miller <keith_miller@apple.com> |
| |
| B3 should support tuple types |
| https://bugs.webkit.org/show_bug.cgi?id=200327 |
| |
| Reviewed by Filip Pizlo. |
| |
| As part of the Wasm multi-value proposal, we need to teach B3 that |
| patchpoints can return more than one value. This is done by |
| adding a new B3::Type called Tuple. Unlike other B3 types, Tuple |
| is actually an encoded index into a numeric B3::Type vector on the |
| procedure. This lets us distinguish any two tuples from each |
| other, moreover, it's possible to get the vector of types with |
| just the B3::Tuple type and the procedure. |
| |
| Since most B3 operations only expect to see a single numeric child |
| there is a new Opcode, Extract, that yields some fixed |
| entry from a tuple value. Extract would be the only other change |
| needed to make tuples work in B3 except that some optimizations |
| expect to be able to take any non-Void value and stick it into a |
| Variable of the same type. This means both Get/Set from a variable |
| have to support Tuples as well. For simplicity and consistency, |
| the ability to accept tuples is also applied to Phi and Upsilon. |
| |
| In order to lower a Tuple, B3Lowering needs to have a Tmp for each |
| nested type in a Tuple. While we could reuse the existing |
| IndexedTables to hold the extra information we need to lower |
| Tuples, we instead use two new HashTables for Value->Tmp(s) and |
| Phi->Tmp(s). It's expected that Tuples will be sufficiently |
| uncommon the overhead of tracking everything together would be |
| prohibitive. On the other hand, we don't worry about this for |
| Variables because we don't expect those to make it to lowering. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * b3/B3Bank.h: |
| (JSC::B3::bankForType): |
| * b3/B3CheckValue.cpp: |
| (JSC::B3::CheckValue::CheckValue): |
| * b3/B3ExtractValue.cpp: Copied from Source/JavaScriptCore/b3/B3ProcedureInlines.h. |
| (JSC::B3::ExtractValue::~ExtractValue): |
| (JSC::B3::ExtractValue::dumpMeta const): |
| * b3/B3ExtractValue.h: Copied from Source/JavaScriptCore/b3/B3FixSSA.h. |
| * b3/B3FixSSA.h: |
| * b3/B3LowerMacros.cpp: |
| * b3/B3LowerMacrosAfterOptimizations.cpp: |
| * b3/B3LowerToAir.cpp: |
| * b3/B3NativeTraits.h: |
| * b3/B3Opcode.cpp: |
| (JSC::B3::invertedCompare): |
| (WTF::printInternal): |
| * b3/B3Opcode.h: |
| (JSC::B3::opcodeForConstant): |
| * b3/B3PatchpointSpecial.cpp: |
| (JSC::B3::PatchpointSpecial::forEachArg): |
| (JSC::B3::PatchpointSpecial::isValid): |
| (JSC::B3::PatchpointSpecial::admitsStack): |
| (JSC::B3::PatchpointSpecial::generate): |
| * b3/B3PatchpointValue.cpp: |
| (JSC::B3::PatchpointValue::dumpMeta const): |
| (JSC::B3::PatchpointValue::PatchpointValue): |
| * b3/B3PatchpointValue.h: |
| * b3/B3Procedure.cpp: |
| (JSC::B3::Procedure::addTuple): |
| (JSC::B3::Procedure::isValidTuple const): |
| (JSC::B3::Procedure::tupleForType const): |
| (JSC::B3::Procedure::addIntConstant): |
| (JSC::B3::Procedure::addConstant): |
| * b3/B3Procedure.h: |
| (JSC::B3::Procedure::returnCount const): |
| * b3/B3ProcedureInlines.h: |
| (JSC::B3::Procedure::extractFromTuple const): |
| * b3/B3ReduceStrength.cpp: |
| * b3/B3StackmapSpecial.cpp: |
| (JSC::B3::StackmapSpecial::isValidImpl): |
| (JSC::B3::StackmapSpecial::isArgValidForType): |
| (JSC::B3::StackmapSpecial::isArgValidForRep): |
| (JSC::B3::StackmapSpecial::isArgValidForValue): Deleted. |
| * b3/B3StackmapSpecial.h: |
| * b3/B3StackmapValue.h: |
| * b3/B3Type.cpp: |
| (WTF::printInternal): |
| * b3/B3Type.h: |
| (JSC::B3::Type::Type): |
| (JSC::B3::Type::tupleFromIndex): |
| (JSC::B3::Type::kind const): |
| (JSC::B3::Type::tupleIndex const): |
| (JSC::B3::Type::hash const): |
| (JSC::B3::Type::operator== const): |
| (JSC::B3::Type::operator!= const): |
| (JSC::B3::Type::isInt const): |
| (JSC::B3::Type::isFloat const): |
| (JSC::B3::Type::isNumeric const): |
| (JSC::B3::Type::isTuple const): |
| (JSC::B3::sizeofType): |
| (JSC::B3::isInt): Deleted. |
| (JSC::B3::isFloat): Deleted. |
| * b3/B3TypeMap.h: |
| (JSC::B3::TypeMap::at): |
| * b3/B3Validate.cpp: |
| * b3/B3Value.cpp: |
| (JSC::B3::Value::isRounded const): |
| (JSC::B3::Value::effects const): |
| (JSC::B3::Value::typeFor): |
| * b3/B3Value.h: |
| * b3/B3ValueInlines.h: |
| * b3/B3ValueKey.cpp: |
| (JSC::B3::ValueKey::intConstant): |
| * b3/B3ValueKey.h: |
| (JSC::B3::ValueKey::hash const): |
| * b3/B3ValueRep.h: |
| * b3/B3Width.h: |
| (JSC::B3::widthForType): |
| * b3/air/AirArg.cpp: |
| (JSC::B3::Air::Arg::canRepresent const): |
| * b3/air/AirArg.h: |
| * b3/air/AirCCallingConvention.cpp: |
| (JSC::B3::Air::cCallResult): |
| * b3/air/AirLowerMacros.cpp: |
| (JSC::B3::Air::lowerMacros): |
| * b3/testb3.h: |
| (populateWithInterestingValues): |
| * b3/testb3_1.cpp: |
| (run): |
| * b3/testb3_3.cpp: |
| (testStorePartial8BitRegisterOnX86): |
| * b3/testb3_5.cpp: |
| (testPatchpointWithRegisterResult): |
| (testPatchpointWithStackArgumentResult): |
| (testPatchpointWithAnyResult): |
| * b3/testb3_6.cpp: |
| (testPatchpointDoubleRegs): |
| (testSomeEarlyRegister): |
| * b3/testb3_7.cpp: |
| (testShuffleDoesntTrashCalleeSaves): |
| (testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead): |
| (testSimpleTuplePair): |
| (testSimpleTuplePairUnused): |
| (testSimpleTuplePairStack): |
| (tailDupedTuplePair): |
| (tuplePairVariableLoop): |
| (tupleNestedLoop): |
| (addTupleTests): |
| * b3/testb3_8.cpp: |
| (testLoad): |
| (addLoadTests): |
| * ftl/FTLAbbreviatedTypes.h: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic): |
| (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf): |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): |
| (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet): |
| (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::emitPatchpoint): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::B3IRGenerator): |
| * wasm/WasmCallingConvention.h: |
| (JSC::Wasm::CallingConvention::marshallArgument const): |
| (JSC::Wasm::CallingConvention::setupFrameInPrologue const): |
| (JSC::Wasm::CallingConvention::setupCall const): |
| (JSC::Wasm::CallingConventionAir::setupCall const): |
| |
| 2019-08-02 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use "destroy" function directly for JSWebAssemblyCodeBlock and WebAssemblyFunction |
| https://bugs.webkit.org/show_bug.cgi?id=200385 |
| |
| Reviewed by Mark Lam. |
| |
| These CellTypes are not using classInfo stored in the cells, so we can just call JSWebAssemblyCodeBlock::destroy |
| and WebAssemblyFunction::destroy directly. |
| |
| * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: |
| (JSC::JSWebAssemblyCodeBlockDestroyFunc::operator() const): |
| * wasm/js/WebAssemblyFunctionHeapCellType.cpp: |
| (JSC::WebAssemblyFunctionDestroyFunc::operator() const): |
| |
| 2019-08-02 Mark Lam <mark.lam@apple.com> |
| |
| Gardening: build fix. |
| https://bugs.webkit.org/show_bug.cgi?id=200149 |
| <rdar://problem/53570112> |
| |
| Not reviewed. |
| |
| * assembler/CPU.cpp: |
| (JSC::hwPhysicalCPUMax): |
| |
| 2019-08-01 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| GetterSetter type confusion during DFG compilation |
| https://bugs.webkit.org/show_bug.cgi?id=199903 |
| |
| Reviewed by Mark Lam. |
| |
| In AI, we are strongly assuming that GetGetter's child constant value should be GetterSetter if it exists. |
| However, this can be wrong since nobody ensures that. AI assumed so because the control-flow and preceding |
| CheckStructure ensures that. But this preceding check can be eliminated if the node becomes (at runtime) unreachable. |
| |
| Let's consider the following graph. |
| |
| 129:<!0:-> PutByOffset(KnownCell:@115, KnownCell:@115, Check:Untyped:@124, MustGen, id5{length}, 0, W:NamedProperties(5), ClobbersExit, bc#154, ExitValid) |
| 130:<!0:-> PutStructure(KnownCell:@115, MustGen, %C8:Object -> %C3:Object, ID:7726, R:JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType, ClobbersExit, bc#154, ExitInvalid) |
| ... |
| 158:<!0:-> GetLocal(Check:Untyped:@197, JS|MustGen|UseAsOther, Final, loc7(R<Final>/FlushedCell), R:Stack(-8), bc#187, ExitValid) predicting Final |
| 210:< 1:-> DoubleRep(Check:NotCell:@158, Double|PureInt, BytecodeDouble, Exits, bc#187, ExitValid) |
| ... |
| 162:<!0:-> CheckStructure(Cell:@158, MustGen, [%Ad:Object], R:JSCell_structureID, Exits, bc#192, ExitValid) |
| 163:< 1:-> GetGetterSetterByOffset(KnownCell:@158, KnownCell:@158, JS|UseAsOther, OtherCell, id5{length}, 0, R:NamedProperties(5), Exits, bc#192, ExitValid) |
| 164:< 1:-> GetGetter(KnownCell:@163, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid) |
| |
| At @163 and @164, AI proves that @158's AbstractValue is None because @210's edge filters out Cells while @158 is a cell. But we do not invalidate graph status as "Invalid" even if an edge filters out all possible values. |
| This is because the result of an edge can be None in a valid program. For example, we can put a dependency edge between a consuming node and a producing node, where the producing node is just like a check and it |
| does not produce a value actually. So, @163 and @164 are not invalidated. This is totally fine in our compiler pipeline right now. |
| |
| But after that, global CSE phase found that @115 and @158 are same and @129 dominates @158. As a result, we can replace GetGetter child's @163 with @124. Since CheckStructure is already removed (and now, at runtime, |
| @163 and @164 are never executed), we do not have any structure guarantee on @158 and the result of @163. This means that @163's CSE result can be non-GetterSetter value. |
| |
| 124:< 2:-> JSConstant(JS|UseAsOther, Final, Weak:Object: 0x1199e82a0 with butterfly 0x0 (Structure %B4:Object), StructureID: 49116, bc#0, ExitValid) |
| ... |
| 126:< 2:-> GetGetter(KnownCell:Kill:@124, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid) |
| |
| AI filters out @124's non-cell values. But @126 can get non-GetterSetter cell at AI phase. But our AI code is like the following. |
| |
| JSValue base = forNode(node->child1()).m_value; |
| if (base) { |
| GetterSetter* getterSetter = jsCast<GetterSetter*>(base); |
| ... |
| |
| Then, jsCast casts the above object with GetterSetter accidentally. |
| |
| In general, DFG AI can get a proven constant value, which could not be shown at runtime. This happens if the processing node is unreachable at runtime while the graph is not invalid yet, because preceding edge |
| filters already filter out all the possible execution. DFG AI already considers this possibility, and it attempts to fold a node into a constant only when the constant input matches against the expected one. |
| But several DFG nodes are not handling this correctly: GetGetter, GetSetter, and SkipScope. |
| |
| In this patch, we use `jsDynamicCast` to ensure that the constant input matches against the expected (foldable) one, and fold it only when the expectation is met. |
| We also remove DFG::Node::castConstant and its use. We should not rely on the constant folded value based on graph's control-flow. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::castConstant): Deleted. |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation): |
| |
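The jsCast-versus-jsDynamicCast point of the entry above, as an added example that is not WebKit code: a model heap cell carries a type byte and a payload whose meaning depends on that type, so an unchecked cast in the constant-folding path reads a plain object's butterfly pointer as if it were a GetterSetter's getter, while the checked cast refuses to fold. The `Cell` layout, the `JSType` values, the function names and the sample addresses are assumptions of the model.

```cpp
// Added example (not WebKit code): model of the GetGetter constant-folding bug.
// Layout, names and sample addresses are made up for the demonstration.
#include <cstdint>
#include <optional>

namespace aimodel {

enum class JSType : uint8_t { Object, Function, GetterSetter };

// Minimal heap cell: how word0/word1 are read depends on `type`, just as real
// JSC field offsets coincide across unrelated cell classes.
struct Cell {
    JSType type;
    uintptr_t word0;   // GetterSetter: getter cell.  Object: butterfly pointer.
    uintptr_t word1;   // GetterSetter: setter cell.  Object: first inline slot.
};

// Release-build jsCast: the type assertion is compiled out and the cast is free.
#define DEBUG_ONLY_ASSERT(cond) ((void)0)
inline Cell* jsCastToGetterSetter(Cell* cell) {
    DEBUG_ONLY_ASSERT(cell->type == JSType::GetterSetter);
    return cell;
}

// jsDynamicCast: checks the type and yields nullptr on a mismatch.
inline Cell* jsDynamicCastToGetterSetter(Cell* cell) {
    return cell->type == JSType::GetterSetter ? cell : nullptr;
}

inline uintptr_t getterOf(Cell* getterSetter) { return getterSetter->word0; }

// Before the fix: AI trusts that control flow proved the type and folds
// GetGetter to the constant's "getter" field unconditionally. Given an Object
// constant this hands back its butterfly pointer, which later phases treat as
// a JSFunction: type confusion.
inline std::optional<uintptr_t> foldGetGetterUnchecked(Cell* constantBase) {
    if (!constantBase)
        return std::nullopt;                 // no constant input, nothing to fold
    return getterOf(jsCastToGetterSetter(constantBase));
}

// After the fix: fold only when the constant really is a GetterSetter. An
// unreachable node is simply left alone; at runtime it never executes anyway.
inline std::optional<uintptr_t> foldGetGetterChecked(Cell* constantBase) {
    if (!constantBase)
        return std::nullopt;
    Cell* getterSetter = jsDynamicCastToGetterSetter(constantBase);
    if (!getterSetter)
        return std::nullopt;                 // expectation not met: do not fold
    return getterOf(getterSetter);
}

// Constructed sample heap: a getter function, a GetterSetter that points at it,
// and a plain object whose butterfly sits at a made-up address.
inline Cell* sampleGetterFunction() {
    static Cell fn{JSType::Function, 0, 0};
    return &fn;
}
inline Cell* sampleGetterSetter() {
    static Cell gs{JSType::GetterSetter, reinterpret_cast<uintptr_t>(sampleGetterFunction()), 0};
    return &gs;
}
constexpr uintptr_t kSampleButterfly = 0x00007F00DEADB000ull;
inline Cell* samplePlainObject() {
    static Cell obj{JSType::Object, kSampleButterfly, 42};
    return &obj;
}

} // namespace aimodel
```

Run against `samplePlainObject()`, the unchecked fold returns `kSampleButterfly` as the "getter", while the checked fold returns nothing and leaves the node to the (never executed) runtime path.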
| 2019-08-01 Mark Lam <mark.lam@apple.com> |
| |
| Add crash diagnostics for debugging unexpected zapped cells. |
| https://bugs.webkit.org/show_bug.cgi?id=200149 |
| <rdar://problem/53570112> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add a check for zapped cells in SlotVisitor::appendToMarkStack() and |
| SlotVisitor::visitChildren(). If a zapped cell is detected, we will crash with |
| some diagnostic info. |
| |
| To facilitate this, we've made the following changes: |
| 1. Changed FreeCell to preserve the 1st 8 bytes. This is fine to do because all |
| cells are at least 16 bytes long. |
| 2. Changed HeapCell::zap() to only zap the structureID. Leave the rest of the |
| cell header info intact (including the cell JSType). |
| 3. Changed HeapCell::zap() to record the reason for zapping the cell. We stash |
| the reason immediately after the first 8 bytes. This is the same location as |
| FreeCell::scrambledNext. However, since a cell is not expected to be zapped |
| and on the free list at the same time, it is also fine to do this. |
| 4. Added a few utility functions to MarkedBlock for checking if a cell points |
| into the block. |
| 5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes. |
| 6. Added some comments to document the hashes of known subspaces. |
| 7. Added Options::dumpZappedCellCrashData() to make this check conditional. |
| We use this option to disable this check for slower machines so that their |
| PLT5 performance is not impacted. |
| |
| * assembler/CPU.cpp: |
| (JSC::hwL3CacheSize): |
| (JSC::hwPhysicalCPUMax): |
| * assembler/CPU.h: |
| (JSC::hwL3CacheSize): |
| (JSC::hwPhysicalCPUMax): |
| * heap/FreeList.h: |
| (JSC::FreeCell::offsetOfScrambledNext): |
| * heap/HeapCell.h: |
| (JSC::HeapCell::zap): |
| (JSC::HeapCell::isZapped const): |
| * heap/MarkedBlock.cpp: |
| (JSC::MarkedBlock::Handle::stopAllocating): |
| * heap/MarkedBlock.h: |
| (JSC::MarkedBlock::Handle::start const): |
| (JSC::MarkedBlock::Handle::end const): |
| (JSC::MarkedBlock::Handle::contains const): |
| * heap/MarkedBlockInlines.h: |
| (JSC::MarkedBlock::Handle::specializedSweep): |
| * heap/MarkedSpace.h: |
| (JSC::MarkedSpace::forEachSubspace): |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::appendToMarkStack): |
| (JSC::SlotVisitor::visitChildren): |
| (JSC::SlotVisitor::reportZappedCellAndCrash): |
| * heap/SlotVisitor.h: |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): |
| * runtime/Options.cpp: |
| (JSC::Options::initialize): |
| * runtime/Options.h: |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * tools/JSDollarVM.cpp: |
| (JSC::functionDumpSubspaceHashes): |
| (JSC::JSDollarVM::finishCreation): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::dumpSubspaceHashes): |
| * tools/VMInspector.h: |
| |
| 2019-08-01 Keith Miller <keith_miller@apple.com> |
| |
| Fix bug in testMulImm32SignExtend |
| https://bugs.webkit.org/show_bug.cgi?id=200358 |
| |
| Reviewed by Mark Lam. |
| |
| Also, have it run in more configurations. |
| |
| * b3/testb3_2.cpp: |
| (testMulImm32SignExtend): |
| * b3/testb3_3.cpp: |
| (addArgTests): |
| |
| 2019-07-31 Mark Lam <mark.lam@apple.com> |
| |
| Rename DOMJIT safe/unsafeFunction to functionWithTypeChecks and functionWithoutTypeChecks. |
| https://bugs.webkit.org/show_bug.cgi?id=200323 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| The DOMJIT has a notion of a safeFunction and an unsafeFunction. The safeFunction |
| is effectively the same as the unsafeFunction with an added type check. The DFG/FTL |
| will emit code to call the unsafeFunction if it has already emitted the needed |
| type check or proven that it isn't needed. Otherwise, the DFG/FTL will emit |
| code to call the safeFunction (which does its own type check) instead. |
| |
| This patch renames these functions to better describe their difference. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileCallDOM): |
| * domjit/DOMJITSignature.h: |
| (JSC::DOMJIT::Signature::Signature): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM): |
| * tools/JSDollarVM.cpp: |
| (JSC::DOMJITFunctionObject::functionWithTypeCheck): |
| (JSC::DOMJITFunctionObject::functionWithoutTypeCheck): |
| (JSC::DOMJITFunctionObject::finishCreation): |
| (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck): |
| (JSC::DOMJITCheckSubClassObject::finishCreation): |
| (JSC::DOMJITFunctionObject::safeFunction): Deleted. |
| (JSC::DOMJITFunctionObject::unsafeFunction): Deleted. |
| (JSC::DOMJITCheckSubClassObject::safeFunction): Deleted. |
| (JSC::DOMJITCheckSubClassObject::unsafeFunction): Deleted. |
| |
| 2019-07-31 Alex Christensen <achristensen@webkit.org> |
| |
| Begin organizing b3 tests |
| https://bugs.webkit.org/show_bug.cgi?id=200330 |
| |
| Reviewed by Keith Miller. |
| |
| * b3/testb3.h: |
| * b3/testb3_1.cpp: |
| (run): |
| (zero): Deleted. |
| (negativeZero): Deleted. |
| * b3/testb3_2.cpp: |
| (testBitXorTreeArgs): |
| (testBitXorTreeArgsEven): |
| (testBitXorTreeArgImm): |
| (testBitAndTreeArg32): |
| (testBitOrTreeArg32): |
| (testBitAndArgs): |
| (testBitAndSameArg): |
| (testBitAndNotNot): |
| (testBitAndNotImm): |
| (testBitAndImms): |
| (testBitAndArgImm): |
| (testBitAndImmArg): |
| (testBitAndBitAndArgImmImm): |
| (testBitAndImmBitAndArgImm): |
| (testBitAndArgs32): |
| (testBitAndSameArg32): |
| (testBitAndImms32): |
| (testBitAndArgImm32): |
| (testBitAndImmArg32): |
| (testBitAndBitAndArgImmImm32): |
| (testBitAndImmBitAndArgImm32): |
| (testBitAndWithMaskReturnsBooleans): |
| (testBitAndArgDouble): |
| (testBitAndArgsDouble): |
| (testBitAndArgImmDouble): |
| (testBitAndImmsDouble): |
| (testBitAndArgFloat): |
| (testBitAndArgsFloat): |
| (testBitAndArgImmFloat): |
| (testBitAndImmsFloat): |
| (testBitAndArgsFloatWithUselessDoubleConversion): |
| (testBitOrArgs): |
| (testBitOrSameArg): |
| (testBitOrAndAndArgs): |
| (testBitOrAndSameArgs): |
| (testBitOrNotNot): |
| (testBitOrNotImm): |
| (testBitOrImms): |
| (testBitOrArgImm): |
| (testBitOrImmArg): |
| (testBitOrBitOrArgImmImm): |
| (testBitOrImmBitOrArgImm): |
| (testBitOrArgs32): |
| (testBitOrSameArg32): |
| (testBitOrImms32): |
| (testBitOrArgImm32): |
| (testBitOrImmArg32): |
| (addBitTests): |
| * b3/testb3_3.cpp: |
| (testSShrArgs): |
| (testSShrImms): |
| (testSShrArgImm): |
| (testSShrArg32): |
| (testSShrArgs32): |
| (testSShrImms32): |
| (testSShrArgImm32): |
| (testZShrArgs): |
| (testZShrImms): |
| (testZShrArgImm): |
| (testZShrArg32): |
| (testZShrArgs32): |
| (testZShrImms32): |
| (testZShrArgImm32): |
| (zero): |
| (negativeZero): |
| (addArgTests): |
| (addCallTests): |
| (addShrTests): |
| * b3/testb3_4.cpp: |
| (addSExtTests): |
| * b3/testb3_6.cpp: |
| (testSShrShl32): |
| (testSShrShl64): |
| (addSShrShTests): |
| |
| 2019-07-31 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: Debugger: support emulateUserGesture parameter in Debugger.evaluateOnCallFrame |
| https://bugs.webkit.org/show_bug.cgi?id=200272 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| When paused, evaluating in the console should still respect the "Emulate User Gesture" checkbox. |
| |
| * inspector/protocol/Debugger.json: |
| * inspector/agents/InspectorDebuggerAgent.h: |
| * inspector/agents/InspectorDebuggerAgent.cpp: |
| (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): |
| |
| 2019-07-31 Alex Christensen <achristensen@webkit.org> |
| |
| Split testb3 into multiple files |
| https://bugs.webkit.org/show_bug.cgi?id=200326 |
| |
| Reviewed by Keith Miller. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * b3/testb3.cpp: Removed. |
| * b3/testb3.h: Added. |
| (hiddenTruthBecauseNoReturnIsStupid): |
| (usage): |
| (shouldBeVerbose): |
| (compileProc): |
| (invoke): |
| (compileAndRun): |
| (lowerToAirForTesting): |
| (checkDisassembly): |
| (checkUsesInstruction): |
| (checkDoesNotUseInstruction): |
| (populateWithInterestingValues): |
| (floatingPointOperands): |
| (int64Operands): |
| (int32Operands): |
| (add32): |
| (modelLoad): |
| (float>): |
| (double>): |
| * b3/testb3_1.cpp: Added. |
| (zero): |
| (negativeZero): |
| (shouldRun): |
| (testRotR): |
| (testRotL): |
| (testRotRWithImmShift): |
| (testRotLWithImmShift): |
| (testComputeDivisionMagic): |
| (run): |
| (main): |
| (dllLauncherEntryPoint): |
| * b3/testb3_2.cpp: Added. |
| (test42): |
| (testLoad42): |
| (testLoadAcq42): |
| (testLoadWithOffsetImpl): |
| (testLoadOffsetImm9Max): |
| (testLoadOffsetImm9MaxPlusOne): |
| (testLoadOffsetImm9MaxPlusTwo): |
| (testLoadOffsetImm9Min): |
| (testLoadOffsetImm9MinMinusOne): |
| (testLoadOffsetScaledUnsignedImm12Max): |
| (testLoadOffsetScaledUnsignedOverImm12Max): |
| (testBitXorTreeArgs): |
| (testBitXorTreeArgsEven): |
| (testBitXorTreeArgImm): |
| (testAddTreeArg32): |
| (testMulTreeArg32): |
| (testBitAndTreeArg32): |
| (testBitOrTreeArg32): |
| (testArg): |
| (testReturnConst64): |
| (testReturnVoid): |
| (testAddArg): |
| (testAddArgs): |
| (testAddArgImm): |
| (testAddImmArg): |
| (testAddArgMem): |
| (testAddMemArg): |
| (testAddImmMem): |
| (testAddArg32): |
| (testAddArgs32): |
| (testAddArgMem32): |
| (testAddMemArg32): |
| (testAddImmMem32): |
| (testAddNeg1): |
| (testAddNeg2): |
| (testAddArgZeroImmZDef): |
| (testAddLoadTwice): |
| (testAddArgDouble): |
| (testAddArgsDouble): |
| (testAddArgImmDouble): |
| (testAddImmArgDouble): |
| (testAddImmsDouble): |
| (testAddArgFloat): |
| (testAddArgsFloat): |
| (testAddFPRArgsFloat): |
| (testAddArgImmFloat): |
| (testAddImmArgFloat): |
| (testAddImmsFloat): |
| (testAddArgFloatWithUselessDoubleConversion): |
| (testAddArgsFloatWithUselessDoubleConversion): |
| (testAddArgsFloatWithEffectfulDoubleConversion): |
| (testAddMulMulArgs): |
| (testMulArg): |
| (testMulArgStore): |
| (testMulAddArg): |
| (testMulArgs): |
| (testMulArgNegArg): |
| (testMulNegArgArg): |
| (testMulArgImm): |
| (testMulImmArg): |
| (testMulArgs32): |
| (testMulArgs32SignExtend): |
| (testMulImm32SignExtend): |
| (testMulLoadTwice): |
| (testMulAddArgsLeft): |
| (testMulAddArgsRight): |
| (testMulAddArgsLeft32): |
| (testMulAddArgsRight32): |
| (testMulSubArgsLeft): |
| (testMulSubArgsRight): |
| (testMulSubArgsLeft32): |
| (testMulSubArgsRight32): |
| (testMulNegArgs): |
| (testMulNegArgs32): |
| (testMulArgDouble): |
| (testMulArgsDouble): |
| (testMulArgImmDouble): |
| (testMulImmArgDouble): |
| (testMulImmsDouble): |
| (testMulArgFloat): |
| (testMulArgsFloat): |
| (testMulArgImmFloat): |
| (testMulImmArgFloat): |
| (testMulImmsFloat): |
| (testMulArgFloatWithUselessDoubleConversion): |
| (testMulArgsFloatWithUselessDoubleConversion): |
| (testMulArgsFloatWithEffectfulDoubleConversion): |
| (testDivArgDouble): |
| (testDivArgsDouble): |
| (testDivArgImmDouble): |
| (testDivImmArgDouble): |
| (testDivImmsDouble): |
| (testDivArgFloat): |
| (testDivArgsFloat): |
| (testDivArgImmFloat): |
| (testDivImmArgFloat): |
| (testDivImmsFloat): |
| (testModArgDouble): |
| (testModArgsDouble): |
| (testModArgImmDouble): |
| (testModImmArgDouble): |
| (testModImmsDouble): |
| (testModArgFloat): |
| (testModArgsFloat): |
| (testModArgImmFloat): |
| (testModImmArgFloat): |
| (testModImmsFloat): |
| (testDivArgFloatWithUselessDoubleConversion): |
| (testDivArgsFloatWithUselessDoubleConversion): |
| (testDivArgsFloatWithEffectfulDoubleConversion): |
| (testUDivArgsInt32): |
| (testUDivArgsInt64): |
| (testUModArgsInt32): |
| (testUModArgsInt64): |
| (testSubArg): |
| (testSubArgs): |
| (testSubArgImm): |
| (testSubNeg): |
| (testNegSub): |
| (testNegValueSubOne): |
| (testSubSub): |
| (testSubSub2): |
| (testSubAdd): |
| (testSubFirstNeg): |
| (testSubImmArg): |
| (testSubArgMem): |
| (testSubMemArg): |
| (testSubImmMem): |
| (testSubMemImm): |
| (testSubArgs32): |
| (testSubArgImm32): |
| (testSubImmArg32): |
| (testSubMemArg32): |
| (testSubArgMem32): |
| (testSubImmMem32): |
| (testSubMemImm32): |
| (testNegValueSubOne32): |
| (testNegMulArgImm): |
| (testSubMulMulArgs): |
| (testSubArgDouble): |
| (testSubArgsDouble): |
| (testSubArgImmDouble): |
| (testSubImmArgDouble): |
| (testSubImmsDouble): |
| (testSubArgFloat): |
| (testSubArgsFloat): |
| (testSubArgImmFloat): |
| (testSubImmArgFloat): |
| (testSubImmsFloat): |
| (testSubArgFloatWithUselessDoubleConversion): |
| (testSubArgsFloatWithUselessDoubleConversion): |
| (testSubArgsFloatWithEffectfulDoubleConversion): |
| (testTernarySubInstructionSelection): |
| (testNegDouble): |
| (testNegFloat): |
| (testNegFloatWithUselessDoubleConversion): |
| (testBitAndArgs): |
| (testBitAndSameArg): |
| (testBitAndNotNot): |
| (testBitAndNotImm): |
| (testBitAndImms): |
| (testBitAndArgImm): |
| (testBitAndImmArg): |
| (testBitAndBitAndArgImmImm): |
| (testBitAndImmBitAndArgImm): |
| (testBitAndArgs32): |
| (testBitAndSameArg32): |
| (testBitAndImms32): |
| (testBitAndArgImm32): |
| (testBitAndImmArg32): |
| (testBitAndBitAndArgImmImm32): |
| (testBitAndImmBitAndArgImm32): |
| (testBitAndWithMaskReturnsBooleans): |
| (bitAndDouble): |
| (testBitAndArgDouble): |
| (testBitAndArgsDouble): |
| (testBitAndArgImmDouble): |
| (testBitAndImmsDouble): |
| (bitAndFloat): |
| (testBitAndArgFloat): |
| (testBitAndArgsFloat): |
| (testBitAndArgImmFloat): |
| (testBitAndImmsFloat): |
| (testBitAndArgsFloatWithUselessDoubleConversion): |
| (testBitOrArgs): |
| (testBitOrSameArg): |
| (testBitOrAndAndArgs): |
| (testBitOrAndSameArgs): |
| (testBitOrNotNot): |
| (testBitOrNotImm): |
| (testBitOrImms): |
| (testBitOrArgImm): |
| (testBitOrImmArg): |
| (testBitOrBitOrArgImmImm): |
| (testBitOrImmBitOrArgImm): |
| (testBitOrArgs32): |
| (testBitOrSameArg32): |
| (testBitOrImms32): |
| (testBitOrArgImm32): |
| (testBitOrImmArg32): |
| * b3/testb3_3.cpp: Added. |
| (testBitOrBitOrArgImmImm32): |
| (testBitOrImmBitOrArgImm32): |
| (bitOrDouble): |
| (testBitOrArgDouble): |
| (testBitOrArgsDouble): |
| (testBitOrArgImmDouble): |
| (testBitOrImmsDouble): |
| (bitOrFloat): |
| (testBitOrArgFloat): |
| (testBitOrArgsFloat): |
| (testBitOrArgImmFloat): |
| (testBitOrImmsFloat): |
| (testBitOrArgsFloatWithUselessDoubleConversion): |
| (testBitXorArgs): |
| (testBitXorSameArg): |
| (testBitXorAndAndArgs): |
| (testBitXorAndSameArgs): |
| (testBitXorImms): |
| (testBitXorArgImm): |
| (testBitXorImmArg): |
| (testBitXorBitXorArgImmImm): |
| (testBitXorImmBitXorArgImm): |
| (testBitXorArgs32): |
| (testBitXorSameArg32): |
| (testBitXorImms32): |
| (testBitXorArgImm32): |
| (testBitXorImmArg32): |
| (testBitXorBitXorArgImmImm32): |
| (testBitXorImmBitXorArgImm32): |
| (testBitNotArg): |
| (testBitNotImm): |
| (testBitNotMem): |
| (testBitNotArg32): |
| (testBitNotImm32): |
| (testBitNotMem32): |
| (testNotOnBooleanAndBranch32): |
| (testBitNotOnBooleanAndBranch32): |
| (testShlArgs): |
| (testShlImms): |
| (testShlArgImm): |
| (testShlSShrArgImm): |
| (testShlArg32): |
| (testShlArgs32): |
| (testShlImms32): |
| (testShlArgImm32): |
| (testShlZShrArgImm32): |
| (testSShrArgs): |
| (testSShrImms): |
| (testSShrArgImm): |
| (testSShrArg32): |
| (testSShrArgs32): |
| (testSShrImms32): |
| (testSShrArgImm32): |
| (testZShrArgs): |
| (testZShrImms): |
| (testZShrArgImm): |
| (testZShrArg32): |
| (testZShrArgs32): |
| (testZShrImms32): |
| (testZShrArgImm32): |
| (countLeadingZero): |
| (testClzArg64): |
| (testClzMem64): |
| (testClzArg32): |
| (testClzMem32): |
| (testAbsArg): |
| (testAbsImm): |
| (testAbsMem): |
| (testAbsAbsArg): |
| (testAbsNegArg): |
| (testAbsBitwiseCastArg): |
| (testBitwiseCastAbsBitwiseCastArg): |
| (testAbsArgWithUselessDoubleConversion): |
| (testAbsArgWithEffectfulDoubleConversion): |
| (testCeilArg): |
| (testCeilImm): |
| (testCeilMem): |
| (testCeilCeilArg): |
| (testFloorCeilArg): |
| (testCeilIToD64): |
| (testCeilIToD32): |
| (testCeilArgWithUselessDoubleConversion): |
| (testCeilArgWithEffectfulDoubleConversion): |
| (testFloorArg): |
| (testFloorImm): |
| (testFloorMem): |
| (testFloorFloorArg): |
| (testCeilFloorArg): |
| (testFloorIToD64): |
| (testFloorIToD32): |
| (testFloorArgWithUselessDoubleConversion): |
| (testFloorArgWithEffectfulDoubleConversion): |
| (correctSqrt): |
| (testSqrtArg): |
| (testSqrtImm): |
| (testSqrtMem): |
| (testSqrtArgWithUselessDoubleConversion): |
| (testSqrtArgWithEffectfulDoubleConversion): |
| (testCompareTwoFloatToDouble): |
| (testCompareOneFloatToDouble): |
| (testCompareFloatToDoubleThroughPhi): |
| (testDoubleToFloatThroughPhi): |
| (testReduceFloatToDoubleValidates): |
| (testDoubleProducerPhiToFloatConversion): |
| (testDoubleProducerPhiToFloatConversionWithDoubleConsumer): |
| (testDoubleProducerPhiWithNonFloatConst): |
| (testDoubleArgToInt64BitwiseCast): |
| (testDoubleImmToInt64BitwiseCast): |
| (testTwoBitwiseCastOnDouble): |
| (testBitwiseCastOnDoubleInMemory): |
| (testBitwiseCastOnDoubleInMemoryIndexed): |
| (testInt64BArgToDoubleBitwiseCast): |
| (testInt64BImmToDoubleBitwiseCast): |
| (testTwoBitwiseCastOnInt64): |
| (testBitwiseCastOnInt64InMemory): |
| (testBitwiseCastOnInt64InMemoryIndexed): |
| (testFloatImmToInt32BitwiseCast): |
| (testBitwiseCastOnFloatInMemory): |
| (testInt32BArgToFloatBitwiseCast): |
| (testInt32BImmToFloatBitwiseCast): |
| (testTwoBitwiseCastOnInt32): |
| (testBitwiseCastOnInt32InMemory): |
| (testConvertDoubleToFloatArg): |
| (testConvertDoubleToFloatImm): |
| (testConvertDoubleToFloatMem): |
| (testConvertFloatToDoubleArg): |
| (testConvertFloatToDoubleImm): |
| (testConvertFloatToDoubleMem): |
| (testConvertDoubleToFloatToDoubleToFloat): |
| (testLoadFloatConvertDoubleConvertFloatStoreFloat): |
| (testFroundArg): |
| (testFroundMem): |
| (testIToD64Arg): |
| (testIToF64Arg): |
| (testIToD32Arg): |
| (testIToF32Arg): |
| (testIToD64Mem): |
| (testIToF64Mem): |
| (testIToD32Mem): |
| (testIToF32Mem): |
| (testIToD64Imm): |
| (testIToF64Imm): |
| (testIToD32Imm): |
| (testIToF32Imm): |
| (testIToDReducedToIToF64Arg): |
| (testIToDReducedToIToF32Arg): |
| (testStore32): |
| (testStoreConstant): |
| (testStoreConstantPtr): |
| (testStore8Arg): |
| (testStore8Imm): |
| (testStorePartial8BitRegisterOnX86): |
| (testStore16Arg): |
| (testStore16Imm): |
| (testTrunc): |
| (testAdd1): |
| (testAdd1Ptr): |
| (testNeg32): |
| (testNegPtr): |
| (testStoreAddLoad32): |
| * b3/testb3_4.cpp: Added. |
| (testStoreRelAddLoadAcq32): |
| (testStoreAddLoadImm32): |
| (testStoreAddLoad8): |
| (testStoreRelAddLoadAcq8): |
| (testStoreRelAddFenceLoadAcq8): |
| (testStoreAddLoadImm8): |
| (testStoreAddLoad16): |
| (testStoreRelAddLoadAcq16): |
| (testStoreAddLoadImm16): |
| (testStoreAddLoad64): |
| (testStoreRelAddLoadAcq64): |
| (testStoreAddLoadImm64): |
| (testStoreAddLoad32Index): |
| (testStoreAddLoadImm32Index): |
| (testStoreAddLoad8Index): |
| (testStoreAddLoadImm8Index): |
| (testStoreAddLoad16Index): |
| (testStoreAddLoadImm16Index): |
| (testStoreAddLoad64Index): |
| (testStoreAddLoadImm64Index): |
| (testStoreSubLoad): |
| (testStoreAddLoadInterference): |
| (testStoreAddAndLoad): |
| (testStoreNegLoad32): |
| (testStoreNegLoadPtr): |
| (testAdd1Uncommuted): |
| (testLoadOffset): |
| (testLoadOffsetNotConstant): |
| (testLoadOffsetUsingAdd): |
| (testLoadOffsetUsingAddInterference): |
| (testLoadOffsetUsingAddNotConstant): |
| (testLoadAddrShift): |
| (testFramePointer): |
| (testOverrideFramePointer): |
| (testStackSlot): |
| (testLoadFromFramePointer): |
| (testStoreLoadStackSlot): |
| (testStoreFloat): |
| (testStoreDoubleConstantAsFloat): |
| (testSpillGP): |
| (testSpillFP): |
| (testInt32ToDoublePartialRegisterStall): |
| (testInt32ToDoublePartialRegisterWithoutStall): |
| (testBranch): |
| (testBranchPtr): |
| (testDiamond): |
| (testBranchNotEqual): |
| (testBranchNotEqualCommute): |
| (testBranchNotEqualNotEqual): |
| (testBranchEqual): |
| (testBranchEqualEqual): |
| (testBranchEqualCommute): |
| (testBranchEqualEqual1): |
| (testBranchEqualOrUnorderedArgs): |
| (testBranchNotEqualAndOrderedArgs): |
| (testBranchEqualOrUnorderedDoubleArgImm): |
| (testBranchEqualOrUnorderedFloatArgImm): |
| (testBranchEqualOrUnorderedDoubleImms): |
| (testBranchEqualOrUnorderedFloatImms): |
| (testBranchEqualOrUnorderedFloatWithUselessDoubleConversion): |
| (testBranchFold): |
| (testDiamondFold): |
| (testBranchNotEqualFoldPtr): |
| (testBranchEqualFoldPtr): |
| (testBranchLoadPtr): |
| (testBranchLoad32): |
| (testBranchLoad8S): |
| (testBranchLoad8Z): |
| (testBranchLoad16S): |
| (testBranchLoad16Z): |
| (testBranch8WithLoad8ZIndex): |
| (testComplex): |
| (testBranchBitTest32TmpImm): |
| (testBranchBitTest32AddrImm): |
| (testBranchBitTest32TmpTmp): |
| (testBranchBitTest64TmpTmp): |
| (testBranchBitTest64AddrTmp): |
| (testBranchBitTestNegation): |
| (testBranchBitTestNegation2): |
| (testSimplePatchpoint): |
| (testSimplePatchpointWithoutOuputClobbersGPArgs): |
| (testSimplePatchpointWithOuputClobbersGPArgs): |
| (testSimplePatchpointWithoutOuputClobbersFPArgs): |
| (testSimplePatchpointWithOuputClobbersFPArgs): |
| (testPatchpointWithEarlyClobber): |
| (testPatchpointCallArg): |
| (testPatchpointFixedRegister): |
| (testPatchpointAny): |
| (testPatchpointGPScratch): |
| (testPatchpointFPScratch): |
| (testPatchpointLotsOfLateAnys): |
| (testPatchpointAnyImm): |
| * b3/testb3_5.cpp: Added. |
| (testPatchpointManyImms): |
| (testPatchpointWithRegisterResult): |
| (testPatchpointWithStackArgumentResult): |
| (testPatchpointWithAnyResult): |
| (testSimpleCheck): |
| (testCheckFalse): |
| (testCheckTrue): |
| (testCheckLessThan): |
| (testCheckMegaCombo): |
| (testCheckTrickyMegaCombo): |
| (testCheckTwoMegaCombos): |
| (testCheckTwoNonRedundantMegaCombos): |
| (testCheckAddImm): |
| (testCheckAddImmCommute): |
| (testCheckAddImmSomeRegister): |
| (testCheckAdd): |
| (testCheckAdd64): |
| (testCheckAddFold): |
| (testCheckAddFoldFail): |
| (testCheckAddArgumentAliasing64): |
| (testCheckAddArgumentAliasing32): |
| (testCheckAddSelfOverflow64): |
| (testCheckAddSelfOverflow32): |
| (testCheckSubImm): |
| (testCheckSubBadImm): |
| (testCheckSub): |
| (doubleSub): |
| (testCheckSub64): |
| (testCheckSubFold): |
| (testCheckSubFoldFail): |
| (testCheckNeg): |
| (testCheckNeg64): |
| (testCheckMul): |
| (testCheckMulMemory): |
| (testCheckMul2): |
| (testCheckMul64): |
| (testCheckMulFold): |
| (testCheckMulFoldFail): |
| (testCheckMulArgumentAliasing64): |
| (testCheckMulArgumentAliasing32): |
| (testCheckMul64SShr): |
| (genericTestCompare): |
| (modelCompare): |
| (testCompareLoad): |
| (testCompareImpl): |
| (testCompare): |
| (testEqualDouble): |
| (simpleFunction): |
| (testCallSimple): |
| (testCallRare): |
| (testCallRareLive): |
| (testCallSimplePure): |
| (functionWithHellaArguments): |
| (testCallFunctionWithHellaArguments): |
| (functionWithHellaArguments2): |
| (testCallFunctionWithHellaArguments2): |
| (functionWithHellaArguments3): |
| (testCallFunctionWithHellaArguments3): |
| (testReturnDouble): |
| (testReturnFloat): |
| (simpleFunctionDouble): |
| (testCallSimpleDouble): |
| (simpleFunctionFloat): |
| (testCallSimpleFloat): |
| (functionWithHellaDoubleArguments): |
| (testCallFunctionWithHellaDoubleArguments): |
| (functionWithHellaFloatArguments): |
| (testCallFunctionWithHellaFloatArguments): |
| (testLinearScanWithCalleeOnStack): |
| (testChillDiv): |
| (testChillDivTwice): |
| (testChillDiv64): |
| (testModArg): |
| (testModArgs): |
| (testModImms): |
| (testModArg32): |
| (testModArgs32): |
| (testModImms32): |
| (testChillModArg): |
| (testChillModArgs): |
| (testChillModImms): |
| (testChillModArg32): |
| (testChillModArgs32): |
| (testChillModImms32): |
| (testLoopWithMultipleHeaderEdges): |
| (testSwitch): |
| (testSwitchSameCaseAsDefault): |
| (testSwitchChillDiv): |
| (testSwitchTargettingSameBlock): |
| (testSwitchTargettingSameBlockFoldPathConstant): |
| (testTruncFold): |
| (testZExt32): |
| (testZExt32Fold): |
| (testSExt32): |
| (testSExt32Fold): |
| (testTruncZExt32): |
| (testTruncSExt32): |
| (testSExt8): |
| (testSExt8Fold): |
| (testSExt8SExt8): |
| (testSExt8SExt16): |
| (testSExt8BitAnd): |
| (testBitAndSExt8): |
| (testSExt16): |
| (testSExt16Fold): |
| (testSExt16SExt16): |
| (testSExt16SExt8): |
| (testSExt16BitAnd): |
| (testBitAndSExt16): |
| (testSExt32BitAnd): |
| * b3/testb3_6.cpp: Added. |
| (testBitAndSExt32): |
| (testBasicSelect): |
| (testSelectTest): |
| (testSelectCompareDouble): |
| (testSelectCompareFloat): |
| (testSelectCompareFloatToDouble): |
| (testSelectDouble): |
| (testSelectDoubleTest): |
| (testSelectDoubleCompareDouble): |
| (testSelectDoubleCompareFloat): |
| (testSelectFloatCompareFloat): |
| (testSelectDoubleCompareDoubleWithAliasing): |
| (testSelectFloatCompareFloatWithAliasing): |
| (testSelectFold): |
| (testSelectInvert): |
| (testCheckSelect): |
| (testCheckSelectCheckSelect): |
| (testCheckSelectAndCSE): |
| (b3Pow): |
| (testPowDoubleByIntegerLoop): |
| (testTruncOrHigh): |
| (testTruncOrLow): |
| (testBitAndOrHigh): |
| (testBitAndOrLow): |
| (testBranch64Equal): |
| (testBranch64EqualImm): |
| (testBranch64EqualMem): |
| (testBranch64EqualMemImm): |
| (testStore8Load8Z): |
| (testStore16Load16Z): |
| (testSShrShl32): |
| (testSShrShl64): |
| (testTrivialInfiniteLoop): |
| (testFoldPathEqual): |
| (testLShiftSelf32): |
| (testRShiftSelf32): |
| (testURShiftSelf32): |
| (testLShiftSelf64): |
| (testRShiftSelf64): |
| (testURShiftSelf64): |
| (testPatchpointDoubleRegs): |
| (testSpillDefSmallerThanUse): |
| (testSpillUseLargerThanDef): |
| (testLateRegister): |
| (interpreterPrint): |
| (testInterpreter): |
| (testReduceStrengthCheckBottomUseInAnotherBlock): |
| (testResetReachabilityDanglingReference): |
| (testEntrySwitchSimple): |
| (testEntrySwitchNoEntrySwitch): |
| (testEntrySwitchWithCommonPaths): |
| (testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint): |
| (testEntrySwitchLoop): |
| (testSomeEarlyRegister): |
| (testBranchBitAndImmFusion): |
| (testTerminalPatchpointThatNeedsToBeSpilled): |
| (testTerminalPatchpointThatNeedsToBeSpilled2): |
| (testPatchpointTerminalReturnValue): |
| (testMemoryFence): |
| (testStoreFence): |
| (testLoadFence): |
| (testTrappingLoad): |
| (testTrappingStore): |
| (testTrappingLoadAddStore): |
| (testTrappingLoadDCE): |
| (testTrappingStoreElimination): |
| (testMoveConstants): |
| (testPCOriginMapDoesntInsertNops): |
| * b3/testb3_7.cpp: Added. |
| (testPinRegisters): |
| (testX86LeaAddAddShlLeft): |
| (testX86LeaAddAddShlRight): |
| (testX86LeaAddAdd): |
| (testX86LeaAddShlRight): |
| (testX86LeaAddShlLeftScale1): |
| (testX86LeaAddShlLeftScale2): |
| (testX86LeaAddShlLeftScale4): |
| (testX86LeaAddShlLeftScale8): |
| (testAddShl32): |
| (testAddShl64): |
| (testAddShl65): |
| (testReduceStrengthReassociation): |
| (testLoadBaseIndexShift2): |
| (testLoadBaseIndexShift32): |
| (testOptimizeMaterialization): |
| (generateLoop): |
| (makeArrayForLoops): |
| (generateLoopNotBackwardsDominant): |
| (oneFunction): |
| (noOpFunction): |
| (testLICMPure): |
| (testLICMPureSideExits): |
| (testLICMPureWritesPinned): |
| (testLICMPureWrites): |
| (testLICMReadsLocalState): |
| (testLICMReadsPinned): |
| (testLICMReads): |
| (testLICMPureNotBackwardsDominant): |
| (testLICMPureFoiledByChild): |
| (testLICMPureNotBackwardsDominantFoiledByChild): |
| (testLICMExitsSideways): |
| (testLICMWritesLocalState): |
| (testLICMWrites): |
| (testLICMFence): |
| (testLICMWritesPinned): |
| (testLICMControlDependent): |
| (testLICMControlDependentNotBackwardsDominant): |
| (testLICMControlDependentSideExits): |
| (testLICMReadsPinnedWritesPinned): |
| (testLICMReadsWritesDifferentHeaps): |
| (testLICMReadsWritesOverlappingHeaps): |
| (testLICMDefaultCall): |
| (testDepend32): |
| (testDepend64): |
| (testWasmBoundsCheck): |
| (testWasmAddress): |
| (testFastTLSLoad): |
| (testFastTLSStore): |
| (doubleEq): |
| (doubleNeq): |
| (doubleGt): |
| (doubleGte): |
| (doubleLt): |
| (doubleLte): |
| (testDoubleLiteralComparison): |
| (testFloatEqualOrUnorderedFolding): |
| (testFloatEqualOrUnorderedFoldingNaN): |
| (testFloatEqualOrUnorderedDontFold): |
| (functionNineArgs): |
| (testShuffleDoesntTrashCalleeSaves): |
| (testDemotePatchpointTerminal): |
| (testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead): |
| (testInfiniteLoopDoesntCauseBadHoisting): |
| * b3/testb3_8.cpp: Added. |
| (testAtomicWeakCAS): |
| (testAtomicStrongCAS): |
| (testAtomicXchg): |
| (addAtomicTests): |
| (testLoad): |
| (addLoadTests): |
| |
| 2019-07-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Emit write barrier after storing instead of before storing |
| https://bugs.webkit.org/show_bug.cgi?id=200193 |
| |
| Reviewed by Saam Barati. |
| |
| I reviewed tricky GC-related code including visitChildren and manual writeBarrier, and I found that we have several problems with write-barriers. |
| |
| 1. Some write-barriers are emitted before stores happen |
| |
| Some code, like LazyProperty, emits the write-barrier before we store the value. This is wrong since JSC has a concurrent collector. Let's consider a situation like this. |
| |
| 1. Cell "A" is not marked yet |
| 2. Write-barrier is emitted onto "A" |
| 3. Concurrent collector scans "A" |
| 4. Store to "A"'s field happens |
| 5. (4)'s field is not rescanned |
| |
| We should emit write-barrier after stores. This patch places write-barriers after stores happen. |
| |
| 2. We should emit the write-barrier after the stored fields are reachable from the owner. |
| |
| We have code that is logically the same as the following. |
| |
| ``` |
| auto data = std::make_unique<XXX>(); |
| data->m_field.set(vm, owner, value); |
| |
| storeStoreBarrier(); |
| owner->m_data = WTFMove(data); |
| ``` |
| |
| This is not correct. When the write-barrier is emitted, the owner cannot reach the field that is stored. |
| The actual example is AccessCase. We are emitting write-barriers with owner when creating AccessCase, but this is not |
| effective until this AccessCase is chained to StructureStubInfo, which is reachable from CodeBlock. |
| |
| I don't think this is actually an issue because currently AccessCase generation is guarded by CodeBlock->m_lock. And CodeBlock::visitChildren takes this lock. |
| But emitting a write-barrier at the right place is still better. This patch places write-barriers when StructureStubInfo::addAccessCase is called. |
| |
| This is a speculative GC fix; it was hard to reproduce the crash since we would need to control the concurrent collector's and the main thread's scheduling at the instruction level. |
| |
| * bytecode/BytecodeList.rb: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| * bytecode/StructureStubInfo.cpp: |
| (JSC::StructureStubInfo::addAccessCase): |
| * bytecode/StructureStubInfo.h: |
| (JSC::StructureStubInfo::considerCaching): |
| * dfg/DFGPlan.cpp: |
| (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): |
| * jit/JITOperations.cpp: |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| (JSC::LLInt::setupGetByIdPrototypeCache): |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/LazyPropertyInlines.h: |
| (JSC::ElementType>::setMayBeNull): |
| * runtime/RegExpCachedResult.h: |
| (JSC::RegExpCachedResult::record): |
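| |
The following is an added example, not WebKit or JSC code, that plays out the five-step interleaving from this entry in a deterministic, single-threaded model so the two orderings can be compared. The names Cell, Collector and childSurvives are hypothetical, and the barrier semantics are a simplification of JSC's: a barrier on an owner the collector has already marked and scanned re-queues that owner for a rescan, while a barrier on an owner the collector has not reached yet is a no-op. The same simulation covers the entry's second problem, since "store" here is the moment the field becomes reachable from the owner.

```cpp
// Added example (not WebKit/JSC code): simulate the write-barrier ordering race.
#include <cstdio>
#include <deque>
#include <vector>

struct Cell {
    bool marked = false;
    std::vector<Cell*> fields;  // outgoing pointers held by this cell
};

struct Collector {
    std::deque<Cell*> markStack;  // cells whose fields still need scanning

    void mark(Cell* c) {
        if (!c->marked) {
            c->marked = true;
            markStack.push_back(c);
        }
    }

    // Simplified barrier (assumption): an already-marked owner is re-queued
    // so its fields are scanned again; an unmarked owner needs nothing.
    void writeBarrier(Cell* owner) {
        if (owner->marked)
            markStack.push_back(owner);
    }

    // Scan exactly one queued cell: one collector "step".
    void scanOne() {
        if (markStack.empty())
            return;
        Cell* c = markStack.front();
        markStack.pop_front();
        for (Cell* child : c->fields)
            mark(child);
    }

    void finish() {
        while (!markStack.empty())
            scanOne();
    }
};

// Runs the entry's interleaving and reports whether the newly stored child
// is marked once the collector finishes. Returning false means the child
// would be swept while still referenced: the bug the entry describes.
bool childSurvives(bool barrierBeforeStore) {
    Collector gc;
    Cell a, child;

    if (barrierBeforeStore) {
        gc.writeBarrier(&a);         // 2. barrier on A; A is not marked yet, so no-op
        gc.mark(&a);                 // 3. collector reaches A ...
        gc.scanOne();                //    ... and scans it (no fields yet)
        a.fields.push_back(&child);  // 4. store into A's field; no barrier follows
    } else {
        gc.mark(&a);                 // collector reaches A ...
        gc.scanOne();                // ... and scans it before the store
        a.fields.push_back(&child);  // store first ...
        gc.writeBarrier(&a);         // ... then barrier: A is marked, so re-queued
    }
    gc.finish();                     // 5. collector drains whatever is queued
    return child.marked;
}

int main() {
    std::printf("barrier before store: child %s\n",
                childSurvives(true) ? "marked" : "MISSED");
    std::printf("barrier after store:  child %s\n",
                childSurvives(false) ? "marked" : "MISSED");
    return 0;
}
```

With the barrier first, the collector scans A while it is still empty and never sees the child; with the barrier after the store, the marked owner is re-queued and the child is found on the rescan.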
| |
| 2019-07-30 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make StructureChain less-tricky by using Auxiliary Buffer |
| https://bugs.webkit.org/show_bug.cgi?id=200192 |
| |
| Reviewed by Saam Barati. |
| |
| StructureChain has a somewhat tricky write barrier / mutator fence in order to use UniqueArray for its underlying storage. |
| But, since the size of StructureChain is fixed at initialization, we should allocate an underlying storage from auxiliary memory and |
| set it in its constructor instead of finishCreation. We can store values in finishCreation so that we do not need to have |
| a hacky write-barrier and mutator fence. Furthermore, we can make StructureChain non-destructible. |
| |
| This patch leverages an auxiliary buffer for the implementation of StructureChain. It also adds a test that stresses StructureChain creation. |
| |
| * runtime/StructureChain.cpp: |
| (JSC::StructureChain::StructureChain): |
| (JSC::StructureChain::create): |
| (JSC::StructureChain::finishCreation): |
| (JSC::StructureChain::visitChildren): |
| (JSC::StructureChain::destroy): Deleted. |
| * runtime/StructureChain.h: |
| |
| 2019-07-29 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Increment bytecode age only when SlotVisitor is first-visit |
| https://bugs.webkit.org/show_bug.cgi?id=200196 |
| |
| Reviewed by Robin Morisset. |
| |
| WriteBarrier can cause multiple visits for the same UnlinkedCodeBlock. But this does not mean that we are having multiple cycles of GC. |
| We should increment the age of the UnlinkedCodeBlock only when the SlotVisitor is saying that this is the first visit. |
| |
| In practice, this almost never happens. Multiple visits can happen only when the marked UnlinkedCodeBlock gets a write-barrier. But mutation |
| of UnlinkedCodeBlock is rare or nonexistent after it is initialized. I ran all the JSTests and I could not find any tests that re-visit an UnlinkedCodeBlock. |
| This patch extends JSTests/stress/reparsing-unlinked-codeblock.js to ensure that the UnlinkedCodeBlockJettisoning feature is working after this change. |
| |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::visitChildren): |
| * heap/SlotVisitor.h: |
| (JSC::SlotVisitor::isFirstVisit const): |
| * parser/Parser.cpp: |
| * parser/Parser.h: |
| (JSC::parse): |
| (JSC::parseFunctionForFunctionConstructor): |
| * runtime/Options.h: |
| * tools/JSDollarVM.cpp: |
| (JSC::functionParseCount): |
| (JSC::JSDollarVM::finishCreation): |
| |
| 2019-07-28 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r247886. |
| https://bugs.webkit.org/show_bug.cgi?id=200214 |
| |
| "Causes PLT5 regression on some machines" (Requested by mlam|a |
| on #webkit). |
| |
| Reverted changeset: |
| |
| "Add crash diagnostics for debugging unexpected zapped cells." |
| https://bugs.webkit.org/show_bug.cgi?id=200149 |
| https://trac.webkit.org/changeset/247886 |
| |
| 2019-07-27 Justin Michaud <justin_michaud@apple.com> |
| |
| [X86] Emit BT instruction for shift + mask in B3 |
| https://bugs.webkit.org/show_bug.cgi?id=199891 |
| |
| Reviewed by Keith Miller. |
| |
| - Add a new BranchTestBit air opcode, matching the Intel BT instruction |
| - Select this instruction for the following patterns: |
| if (a & (1<<b)) |
| if ((a>>b)&1) |
| if ((~a>>b)&1) |
| if (~a & (1<<b)) |
| - 15% perf progression on the nonconstant microbenchmark, neutral otherwise. |
| - Note: we cannot fuse loads when we have bitBase=Load, bitOffset=Tmp, since the X86 instruction has |
| different behaviour in this mode. It will read past the current dword/qword instead of wrapping around. |
| |
| * assembler/MacroAssemblerX86Common.h: |
| (JSC::MacroAssemblerX86Common::branchTestBit32): |
| * assembler/MacroAssemblerX86_64.h: |
| (JSC::MacroAssemblerX86_64::branchTestBit64): |
| * assembler/X86Assembler.h: |
| (JSC::X86Assembler::bt_ir): |
| (JSC::X86Assembler::bt_im): |
| (JSC::X86Assembler::btw_ir): |
| (JSC::X86Assembler::btw_im): |
| * assembler/testmasm.cpp: |
| (JSC::int64Operands): |
| (JSC::testBranchTestBit32RegReg): |
| (JSC::testBranchTestBit32RegImm): |
| (JSC::testBranchTestBit32AddrImm): |
| (JSC::testBranchTestBit64RegReg): |
| (JSC::testBranchTestBit64RegImm): |
| (JSC::testBranchTestBit64AddrImm): |
| (JSC::run): |
| * b3/B3LowerToAir.cpp: |
| * b3/air/AirOpcode.opcodes: |
| * b3/testb3.cpp: |
| (JSC::B3::testBranchBitTest32TmpImm): |
| (JSC::B3::testBranchBitTest32AddrImm): |
| (JSC::B3::testBranchBitTest32TmpTmp): |
| (JSC::B3::testBranchBitTest64TmpTmp): |
| (JSC::B3::testBranchBitTest64AddrTmp): |
| (JSC::B3::run): |
| |
| 2019-07-26 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Potential GC fix for JSPropertyNameEnumerator |
| https://bugs.webkit.org/show_bug.cgi?id=200151 |
| |
| Reviewed by Mark Lam. |
| |
| We have been seeing some JSPropertyNameEnumerator::visitChildren crashes for a long time. The crash frequency itself is not high, but it has existed for a long time. |
| The crash happens when visiting m_propertyNames. It is also possible that this crash is caused by random corruption somewhere, but JSPropertyNameEnumerator |
| has some tricky (and potentially dangerous) implementations anyway. |
| |
| 1. JSPropertyNameEnumerator has a Vector<WriteBarrier<JSString>>, and it is extended in finishCreation under a lock. |
| We should use Auxiliary memory for this use case. And we should set this memory in the constructor so that |
| we do not extend it in finishCreation, and we do not need a lock. |
| 2. JSPropertyNameEnumerator gets a StructureID before allocating the JSPropertyNameEnumerator. This is potentially dangerous because the conservative scan |
| cannot find the Structure* since we only have the StructureID. Since the allocation happens after the StructureID is retrieved, it is possible that |
| the allocation causes a GC and the Structure* is collected. |
| |
| In this patch, we align the JSPropertyNameEnumerator implementation with the modern one to avoid using Vector<WriteBarrier<JSString>>. And we can make JSPropertyNameEnumerator |
| a non-destructible cell. Since JSCell's destructor is one of the causes of various issues, we should avoid it if we can. |
| |
| No behavior change. This patch adds a test stressing JSPropertyNameEnumerator. |
| |
| * dfg/DFGOperations.cpp: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| * runtime/JSPropertyNameEnumerator.cpp: |
| (JSC::JSPropertyNameEnumerator::create): |
| (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator): |
| (JSC::JSPropertyNameEnumerator::finishCreation): |
| (JSC::JSPropertyNameEnumerator::visitChildren): |
| (JSC::JSPropertyNameEnumerator::destroy): Deleted. |
| * runtime/JSPropertyNameEnumerator.h: |
| * runtime/VM.cpp: |
| (JSC::VM::emptyPropertyNameEnumeratorSlow): |
| * runtime/VM.h: |
| (JSC::VM::emptyPropertyNameEnumerator): |
| |
| 2019-07-26 Mark Lam <mark.lam@apple.com> |
| |
| Add crash diagnostics for debugging unexpected zapped cells. |
| https://bugs.webkit.org/show_bug.cgi?id=200149 |
| <rdar://problem/53570112> |
| |
| Reviewed by Yusuke Suzuki, Saam Barati, and Michael Saboff. |
| |
| Add a check for zapped cells in SlotVisitor::appendToMarkStack() and |
| SlotVisitor::visitChildren(). If a zapped cell is detected, we will crash with |
| some diagnostic info. |
| |
| To facilitate this, we've made the following changes: |
| 1. Changed FreeCell to preserve the 1st 8 bytes. This is fine to do because all |
| cells are at least 16 bytes long. |
| 2. Changed HeapCell::zap() to only zap the structureID. Leave the rest of the |
| cell header info intact (including the cell JSType). |
| 3. Changed HeapCell::zap() to record the reason for zapping the cell. We stash |
| the reason immediately after the first 8 bytes. This is the same location as |
| FreeCell::scrambledNext. However, since a cell is not expected to be zapped |
| and on the free list at the same time, it is also fine to do this. |
| 4. Added a few utility functions to MarkedBlock for checking if a cell points |
| into the block. |
| 5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes. |
| 6. Added some comments to document the hashes of known subspaces. |
| |
| * heap/FreeList.h: |
| (JSC::FreeCell::offsetOfScrambledNext): |
| * heap/HeapCell.h: |
| (JSC::HeapCell::zap): |
| (JSC::HeapCell::isZapped const): |
| * heap/MarkedBlock.cpp: |
| (JSC::MarkedBlock::Handle::stopAllocating): |
| * heap/MarkedBlock.h: |
| (JSC::MarkedBlock::Handle::start const): |
| (JSC::MarkedBlock::Handle::end const): |
| (JSC::MarkedBlock::Handle::contains const): |
| * heap/MarkedBlockInlines.h: |
| (JSC::MarkedBlock::Handle::specializedSweep): |
| * heap/MarkedSpace.h: |
| (JSC::MarkedSpace::forEachSubspace): |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::appendToMarkStack): |
| (JSC::SlotVisitor::visitChildren): |
| (JSC::SlotVisitor::reportZappedCellAndCrash): |
| * heap/SlotVisitor.h: |
| * jit/AssemblyHelpers.cpp: |
| (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): |
| * runtime/VM.cpp: |
| (JSC::VM::VM): |
| * tools/JSDollarVM.cpp: |
| (JSC::functionDumpSubspaceHashes): |
| (JSC::JSDollarVM::finishCreation): |
| * tools/VMInspector.cpp: |
| (JSC::VMInspector::dumpSubspaceHashes): |
| * tools/VMInspector.h: |
| |
| 2019-07-25 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use unalignedLoad for JSRopeString fiber accesses |
| https://bugs.webkit.org/show_bug.cgi?id=200148 |
| |
| Reviewed by Mark Lam. |
| |
| JSRopeString always has some subsequent bytes that are accessible because MarkedBlock has a Footer. |
| We use WTF::unalignedLoad to get the fibers. It will be converted to a single load CPU instruction. |
| |
| * heap/MarkedBlock.h: |
| * runtime/JSString.h: |
| |
| 2019-07-25 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Legacy numeric literals should not permit separators or BigInt |
| https://bugs.webkit.org/show_bug.cgi?id=199984 |
| |
| Reviewed by Keith Miller. |
| |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::parseOctal): |
| (JSC::Lexer<T>::parseDecimal): |
| |
| 2019-07-25 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, build fix due to C++17's std::invoke_result_t |
| https://bugs.webkit.org/show_bug.cgi?id=200139 |
| |
| Use std::result_of for now until all the supported environments implement it. |
| |
| * heap/IsoSubspace.h: |
| |
| 2019-07-25 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Ensure PackedCellPtr only takes non-large-allocation pointers |
| https://bugs.webkit.org/show_bug.cgi?id=200139 |
| |
| Reviewed by Mark Lam. |
| |
| PackedCellPtr will compact a pointer by leveraging the fact that JSCell pointers are 16-byte aligned. |
| But this fact only holds when the JSCell is not a large allocation. Currently, we are using PackedCellPtr |
| only for the cell types which meet the above requirement. But we would like to ensure that statically. |
| |
| In this patch, we add additional static/runtime assertions to ensure this invariant. We accept a cell |
| type if either (1) it is "final"-annotated and sizeof(T) is <= MarkedSpace::largeCutoff or (2) it |
| is allocated from IsoSubspace. |
| |
| This patch does not change any behaviors. It just adds extra static/runtime assertions. |
| |
| * bytecode/CodeBlock.h: |
| (JSC::CodeBlock::subspaceFor): |
| * bytecode/CodeBlockJettisoningWatchpoint.h: |
| * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: |
| * dfg/DFGAdaptiveStructureWatchpoint.h: |
| * heap/IsoSubspace.h: |
| * heap/PackedCellPtr.h: |
| (JSC::PackedCellPtr::PackedCellPtr): |
| * runtime/FunctionRareData.h: |
| (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): |
| * runtime/ObjectToStringAdaptiveStructureWatchpoint.h: |
| |
| 2019-07-25 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make visitChildren implementation more idiomatic |
| https://bugs.webkit.org/show_bug.cgi?id=200121 |
| |
| Reviewed by Mark Lam. |
| |
| This patch makes visitChildren implementations more idiomatic: cast, assert, and calling Base::visitChildren. |
| While this does not find interesting issues, it is still nice to have consistent implementations. |
| StructureChain::visitChildren missed Base::visitChildren, but it does not have much effect since StructureChain |
| is an immortal cell. |
| |
| * bytecode/ExecutableToCodeBlockEdge.cpp: |
| (JSC::ExecutableToCodeBlockEdge::visitChildren): |
| * runtime/AbstractModuleRecord.cpp: |
| (JSC::AbstractModuleRecord::visitChildren): |
| * runtime/FunctionRareData.cpp: |
| (JSC::FunctionRareData::visitChildren): |
| * runtime/JSArrayBufferView.cpp: |
| (JSC::JSArrayBufferView::visitChildren): |
| * runtime/JSGenericTypedArrayViewInlines.h: |
| (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): |
| * runtime/JSImmutableButterfly.cpp: |
| (JSC::JSImmutableButterfly::visitChildren): |
| * runtime/JSModuleEnvironment.cpp: |
| (JSC::JSModuleEnvironment::visitChildren): |
| * runtime/JSModuleRecord.cpp: |
| (JSC::JSModuleRecord::visitChildren): |
| * runtime/JSPropertyNameEnumerator.cpp: |
| (JSC::JSPropertyNameEnumerator::visitChildren): |
| * runtime/JSString.cpp: |
| (JSC::JSString::visitChildren): |
| * runtime/SparseArrayValueMap.cpp: |
| (JSC::SparseArrayValueMap::visitChildren): |
| * runtime/StructureChain.cpp: |
| (JSC::StructureChain::visitChildren): |
| * runtime/SymbolTable.cpp: |
| (JSC::SymbolTable::visitChildren): |
| * tools/JSDollarVM.cpp: |
| (JSC::Root::visitChildren): |
| (JSC::ImpureGetter::visitChildren): |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::visitChildren): |
| |
| 2019-07-25 Ross Kirsling <ross.kirsling@sony.com> |
| |
| [ESNext] Implement nullish coalescing |
| https://bugs.webkit.org/show_bug.cgi?id=200072 |
| |
| Reviewed by Darin Adler. |
| |
| Implement the nullish coalescing proposal, which has now reached Stage 3 at TC39. |
| |
| This introduces a ?? operator which: |
| - acts like || but checks for nullishness instead of truthiness |
| - has a precedence lower than || (or any other binary operator) |
| - must be disambiguated with parentheses when combined with || or && |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::CoalesceNode::emitBytecode): Added. |
| Bytecode must use OpIsUndefinedOrNull and not OpNeqNull because of document.all. |
| |
| * parser/ASTBuilder.h: |
| (JSC::ASTBuilder::makeBinaryNode): |
| * parser/Lexer.cpp: |
| (JSC::Lexer<T>::lexWithoutClearingLineTerminator): |
| * parser/NodeConstructors.h: |
| (JSC::CoalesceNode::CoalesceNode): Added. |
| * parser/Nodes.h: |
| Introduce new token and AST node. |
| |
| * parser/Parser.cpp: |
| (JSC::Parser<LexerType>::parseBinaryExpression): |
| Implement early error. |
| |
| * parser/ParserTokens.h: |
| Since this patch needs to shift the value of every binary operator token anyway, |
| let's only bother to increment their LSBs when we actually have a precedence conflict. |
| |
| * parser/ResultType.h: |
| (JSC::ResultType::definitelyIsNull const): Added. |
| (JSC::ResultType::mightBeUndefinedOrNull const): Added. |
| (JSC::ResultType::forCoalesce): Added. |
| We can do better than forLogicalOp here; let's be as accurate as possible. |
| |
| * runtime/Options.h: |
| Add runtime feature flag. |
| |
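The behaviour of `??` listed in the entry above, as an added example that is not part of the WebKit ChangeLog or the JSC sources. It checks from script that `??` only replaces null and undefined (where `||` replaces every falsy value), that `??` binds looser than the other binary operators, and that mixing it with `||` or `&&` without parentheses is a parse-time error. The sample values and the `a`, `b`, `c` identifiers in the parsed sources are constructed for the demonstration. The entry's remark about document.all concerns the one object for which `== null` is true although it is neither null nor undefined, which is why the bytecode tests for undefined-or-null instead of comparing against null; that case needs a browser and is not exercised here.

```javascript
// Added example (not WebKit/JSC code): observable semantics of the ?? operator.

// Compare what || and ?? select for one left operand. || replaces every falsy
// value (0, '', false, NaN, null, undefined); ?? replaces only null and undefined.
function compareCoalescing(value, fallback) {
  return { or: value || fallback, nullish: value ?? fallback };
}

// Run the comparison over constructed sample values and return the ones on
// which the two operators disagree.
function valuesWhereOperatorsDiffer() {
  const samples = [0, '', false, NaN, null, undefined, 'text', 1];
  return samples.filter((v) => {
    const r = compareCoalescing(v, 'fallback');
    return !Object.is(r.or, r.nullish);
  });
}

// ?? has lower precedence than any other binary operator, so the whole right
// operand is evaluated first and only then compared against null/undefined.
function precedenceSamples() {
  return {
    arithmetic: 1 ?? 2 + 3,  // parsed as 1 ?? (2 + 3) -> 1, not (1 ?? 2) + 3 -> 4
    bitwise: 0 ?? null | 4,  // parsed as 0 ?? (null | 4) -> 0, not (0 ?? null) | 4 -> 4
  };
}

// Mixing ?? with || or && without parentheses is an early (parse-time) error.
// Compiling the source through the Function constructor lets this module
// observe the SyntaxError instead of failing to load itself.
function isEarlyError(source) {
  try {
    new Function('a', 'b', 'c', `return ${source};`);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```

`valuesWhereOperatorsDiffer()` returns `[0, '', false, NaN]`; `isEarlyError('a ?? b || c')` is true while `isEarlyError('(a ?? b) || c')` is false. Defaulting configuration values with `||` silently discards legitimate 0, empty-string and false settings, which is the practical reason to prefer `??` for "use the fallback only when nothing was provided".
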
| 2019-07-24 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Three checks are missing in Proxy internal methods |
| https://bugs.webkit.org/show_bug.cgi?id=198630 |
| |
| Reviewed by Darin Adler. |
| |
| Add three missing checks in Proxy internal methods. |
| These checks are necessary to maintain the invariants of the essential internal methods. |
| (https://github.com/tc39/ecma262/pull/666) |
| |
| 1. [[GetOwnProperty]] shouldn't return non-configurable and non-writable descriptor when the target's property is writable. |
| 2. [[Delete]] should return `false` when the target has property and is not extensible. |
| 3. [[DefineOwnProperty]] should return `true` for a non-writable input descriptor when the target's property is non-configurable and writable. |
| |
| Shipping in SpiderMonkey since https://hg.mozilla.org/integration/autoland/rev/3a06bc818bc4 (version 69) |
| Shipping in V8 since https://chromium.googlesource.com/v8/v8.git/+/e846ad9fa5109428be50b1989314e0e4e7267919 |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::performInternalMethodGetOwnProperty): Add writability check. |
| (JSC::ProxyObject::performDelete): Add extensibility check. |
| (JSC::ProxyObject::performDefineOwnProperty): Add writability check. |
| |
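The three invariant checks named above, as an added example that is not WebKit code. Each helper builds a Proxy whose trap misreports the target in exactly the way one check forbids and returns whether the engine rejected the operation with a TypeError, which is how a violated invariant surfaces to script. The property name `x` and the values are constructed for the demonstration; a control proxy whose traps forward to `Reflect` shows that truthful traps pass.

```javascript
// Added example (not WebKit/JSC code): the Proxy invariant checks from
// tc39/ecma262 PR 666, observed from JavaScript.

function throwsTypeError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// 1. [[GetOwnProperty]]: the trap reports a non-configurable, non-writable
// descriptor although the target's property is writable. Without the check,
// a caller could be convinced the value can never change.
function getOwnPropertyWritabilityCheck() {
  const target = {};
  Object.defineProperty(target, 'x', { value: 1, writable: true, configurable: false });
  const proxy = new Proxy(target, {
    getOwnPropertyDescriptor() {
      return { value: 1, writable: false, enumerable: false, configurable: false };
    },
  });
  return throwsTypeError(() => Object.getOwnPropertyDescriptor(proxy, 'x'));
}

// 2. [[Delete]]: the trap claims success for a property that exists on a
// non-extensible target, so the property could never be re-created and the
// proxy's view would diverge from the target's for good.
function deleteExtensibilityCheck() {
  const target = { x: 1 };
  Object.preventExtensions(target);
  const proxy = new Proxy(target, {
    deleteProperty() { return true; },
  });
  return throwsTypeError(() => { delete proxy.x; });
}

// 3. [[DefineOwnProperty]]: the target's property is non-configurable and
// writable; the trap accepts a descriptor that would make it non-writable
// while the target itself is left unchanged.
function defineOwnPropertyWritabilityCheck() {
  const target = {};
  Object.defineProperty(target, 'x', { value: 1, writable: true, configurable: false });
  const proxy = new Proxy(target, {
    defineProperty() { return true; },
  });
  return throwsTypeError(() =>
    Object.defineProperty(proxy, 'x', { value: 1, writable: false }));
}

// Control: traps that forward to Reflect tell the truth about the target and
// pass all three checks.
function honestProxyPasses() {
  const target = {};
  Object.defineProperty(target, 'x', { value: 1, writable: true, configurable: false });
  const proxy = new Proxy(target, {
    getOwnPropertyDescriptor: Reflect.getOwnPropertyDescriptor,
    deleteProperty: Reflect.deleteProperty,
    defineProperty: Reflect.defineProperty,
  });
  const desc = Object.getOwnPropertyDescriptor(proxy, 'x');
  const defined = Reflect.defineProperty(proxy, 'x', { value: 2 }); // allowed: writable
  const deleted = Reflect.deleteProperty(proxy, 'x');               // refused: non-configurable
  return desc.writable === true && defined === true && deleted === false && target.x === 2;
}
```

All three check functions return true on an engine that implements the corrected invariants, and `honestProxyPasses()` returns true as well. The point of the checks is that code which relies on a frozen or non-extensible shape cannot be misled by a handler into treating a mutable property as immutable, or a present property as gone.
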
| 2019-07-24 Mark Lam <mark.lam@apple.com> |
| |
| Remove some unused code. |
| https://bugs.webkit.org/show_bug.cgi?id=200101 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * heap/MarkedBlock.cpp: |
| (JSC::MarkedBlock::Handle::zap): Deleted. |
| * heap/MarkedBlock.h: |
| * heap/SlotVisitor.cpp: |
| (JSC::SlotVisitor::appendToMutatorMarkStack): Deleted. |
| * heap/SlotVisitor.h: |
| |
| 2019-07-24 Mark Lam <mark.lam@apple.com> |
| |
| performJITMemcpy should be PACed with a non-zero diversifier when passed and called via a pointer. |
| https://bugs.webkit.org/show_bug.cgi?id=200100 |
| <rdar://problem/53474939> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * assembler/ARM64Assembler.h: |
| (JSC::ARM64Assembler::CopyFunction::CopyFunction): |
| (JSC::ARM64Assembler::CopyFunction::operator()): |
| - I chose to use ptrauth_auth_function() here instead of retagCodePtr() because |
| retagCodePtr() would auth, assert, and re-pac the pointer. This is needed in |
| general because retagCodePtr() doesn't know that you will consume the pointer |
| immediately (and therefore crash imminently if a failed auth is encountered). |
| Since we know here that we will call with the auth'ed pointer immediately, we |
| can skip the assert. |
| |
| This also has the benefit of letting Clang do a peephole optimization to emit |
| a blrab instruction with the intended diversifier, instead of emitting multiple |
| instructions to auth the pointer into a C function, and then using a blraaz to |
| do a C function call. |
| |
| (JSC::ARM64Assembler::linkJumpOrCall): |
| (JSC::ARM64Assembler::linkCompareAndBranch): |
| (JSC::ARM64Assembler::linkConditionalBranch): |
| (JSC::ARM64Assembler::linkTestAndBranch): |
| * assembler/LinkBuffer.cpp: |
| (JSC::LinkBuffer::copyCompactAndLinkCode): |
| * runtime/JSCPtrTag.h: |
| |
| 2019-07-24 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: print the target of `console.screenshot` last so the target is the closest item to the image |
| https://bugs.webkit.org/show_bug.cgi?id=199308 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| * inspector/ConsoleMessage.h: |
| (Inspector::ConsoleMessage::arguments const): |
| |
| * inspector/ScriptArguments.h: |
| * inspector/ScriptArguments.cpp: |
| (Inspector::ScriptArguments::getFirstArgumentAsString const): Added. |
| (Inspector::ScriptArguments::getFirstArgumentAsString): Deleted. |
| |
| 2019-07-23 Justin Michaud <justin_michaud@apple.com> |
| |
| Sometimes we miss removable CheckInBounds |
| https://bugs.webkit.org/show_bug.cgi?id=200018 |
| |
| Reviewed by Saam Barati. |
| |
| We failed to remove the CheckInBounds because we did not see that the index was nonnegative. This is because we do not see the relationship between the two |
| separate zero constants that appear in the IR for the given test case. This patch re-adds the hack to de-duplicate m_zero that was removed in |
| <https://trac.webkit.org/changeset/241228/webkit>. |
| |
| * dfg/DFGIntegerRangeOptimizationPhase.cpp: |
| |
| 2019-07-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [bmalloc] Each IsoPage gets 1MB VA because VMHeap::tryAllocateLargeChunk rounds up |
| https://bugs.webkit.org/show_bug.cgi?id=200024 |
| |
| Reviewed by Saam Barati. |
| |
| We discussed this and decided to use this VM tag for IsoHeap instead of the CLoop stack. |
| |
| * interpreter/CLoopStack.cpp: |
| (JSC::CLoopStack::CLoopStack): |
| |
| 2019-07-22 Saam Barati <sbarati@apple.com> |
| |
| Turn off Wasm fast memory on iOS |
| https://bugs.webkit.org/show_bug.cgi?id=200016 |
| <rdar://problem/53417726> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We turned them on when we disabled Gigacage on iOS. However, we re-enabled |
| Gigacage on iOS, but forgot to turn wasm fast memories back off. |
| |
| * runtime/Options.h: |
| |
| 2019-07-22 Ross Kirsling <ross.kirsling@sony.com> |
| |
| Unreviewed non-unified build fix. |
| |
| * runtime/CachedTypes.h: |
| |
| 2019-07-20 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Make DFG Local CSE and AI conservative for huge basic block |
| https://bugs.webkit.org/show_bug.cgi?id=199929 |
| <rdar://problem/49309924> |
| |
| Reviewed by Filip Pizlo. |
| |
| On the CNN page, the main thread hangs for several seconds. On less powerful devices (like iPhone 7), it hangs for ~11 seconds. This is not acceptable behavior. |
| The reason is that the DFG compiler takes too long to compile a particular function. It takes 8765 ms even on a powerful x64 machine! |
| The DFG compiler is a concurrent one. However, when GC requires all the peripheral threads to be stopped, the main thread needs to wait for the DFG compiler to stop. |
| The DFG compiler stops at GC safepoints, which are inserted between DFG phases. So, if some DFG phase takes a very long time, the main thread is blocked for that duration. |
| As a result, the main thread is blocked due to this pathological compilation. |
| |
| By measuring the time taken in each DFG phase, we found that our AI and CSE phases have quadratic complexity in the # of DFG nodes in a basic block. |
| In this patch, we add a threshold for the # of DFG nodes in a basic block. If a basic block exceeds this threshold, we use a conservative but O(1) algorithm for the AI and Local CSE phases. |
| We did not add this threshold for Global CSE since FTL has another bytecode cost threshold which prevents us from compiling large functions. On the other hand, |
| the DFG should compile them because the DFG is intended to be a fast compiler even for somewhat larger CodeBlocks. |
| |
| We first attempted to reduce the threshold for DFG compilation. We are using a bytecode cost of 100000 for DFG compilation, and it is very large. However, we found that bytecode cost |
| is not the problem on the CNN page. The problematic function has a cost of 67904, and it takes 8765 ms on an x64 machine. However, JetStream2/octane-zlib has a function with cost 61949, and it only takes |
| ~400 ms. This difference comes from the # of DFG nodes in a basic block. The problematic function has 43297 DFG nodes in one basic block, and that makes AI and Local CSE extremely time-consuming. |
| Rather than relying on the bytecode cost, which is only indirectly related to this pathological compile time, we should look at the # of DFG nodes in a basic block, which is more directly |
| related to this problem. We also found that the Octane-zlib function with cost 61949 is very critical for performance. This fact makes it a bit hard to pick the right threshold: 67904 causes the problem, |
| and 61949 must be compiled. This is why this patch introduces conservative analysis instead of adjusting the threshold for the DFG. |
| |
| This patch has two changes. |
| |
| 1. DFG AI has structure transition tracking which has quadratic complexity |
| |
| Structure transition tracking takes a very long time since its complexity is O(N^2), where N is the # of DFG nodes in a basic block. |
| CNN has a very pathological script, and it shows 43297 DFG nodes. We should reduce the complexity of this algorithm. |
| For now, we just say "structures are clobbered" if the # of DFG nodes in a basic block exceeds the threshold (20000). |
| We could improve the current algorithm from O(N^2) to O(2N) without being conservative; I'm tracking this in [1]. |
| |
| 2. DFG Local CSE has quadratic complexity |
| |
| Local CSE's clobbering iterates over all the impure heap values to remove the clobbered ones. Since the # of impure heap values tends to be proportional to the # of DFG nodes we have visited, |
| CSE for a basic block gets O(N^2) complexity. To avoid this, we introduce HugeMap. This has the same interface as LargeMap and SmallMap in CSE, but its clobbering |
| implementation just clears the map completely. We can further make this O(N) without introducing conservative behavior by using epochs. For now, we do not see such huge basic blocks in |
| JetStream2 and Speedometer2, so I'll track it in a separate bug [2]. |
| |
| This patch reduces the compilation time from ~11 seconds to ~200 ms. |
| |
| [1]: https://bugs.webkit.org/show_bug.cgi?id=199959 |
| [2]: https://bugs.webkit.org/show_bug.cgi?id=200014 |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition): |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions): |
| * dfg/DFGCSEPhase.cpp: |
| * runtime/Options.h: |
| |
| 2019-07-22 Zhifei Fang <zhifei_fang@apple.com> |
| |
| Need to skip test cache directory data vault for non internal build |
| https://bugs.webkit.org/show_bug.cgi?id=199951 |
| |
| Reviewed by Alexey Proskuryakov. |
| |
| * API/tests/testapi.mm: |
| (testBytecodeCacheValidation): The error message "Cache directory `/private/tmp` is not a data vault" is only produced for internal builds; see JSScript.mm:97. |
| |
| 2019-07-17 Antoine Quint <graouts@apple.com> |
| |
| Disable Pointer Events prior to watchOS 6 |
| https://bugs.webkit.org/show_bug.cgi?id=199890 |
| <rdar://problem/53206113> |
| |
| Reviewed by Dean Jackson. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-07-17 Keith Miller <keith_miller@apple.com> |
| |
| Force useLLInt to true on arm64_32 |
| https://bugs.webkit.org/show_bug.cgi?id=199882 |
| <rdar://problem/53207586> |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Some jsc tests set useLLInt=false but on arm64_32 we don't support the JIT. |
| This causes the option coherency checker to get angry. We should force |
| useLLInt=true on arm64_32 unless useJIT=true. |
| |
| * runtime/Options.cpp: |
| (JSC::recomputeDependentOptions): |
| |
| 2019-07-17 Christopher Reid <chris.reid@sony.com> |
| |
| Bytecode cache should use FileSystem |
| https://bugs.webkit.org/show_bug.cgi?id=199759 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Update bytecode cache to use platform generic FileSystem calls. |
| |
| * API/JSScript.mm: |
| * CMakeLists.txt: |
| * jsc.cpp: |
| * runtime/CachePayload.cpp: |
| * runtime/CachePayload.h: |
| * runtime/CachedBytecode.h: |
| * runtime/CachedTypes.cpp: |
| * runtime/CachedTypes.h: |
| * runtime/CodeCache.cpp: |
| * runtime/CodeCache.h: |
| * runtime/Completion.cpp: |
| * runtime/Completion.h: |
| |
| 2019-07-17 Mark Lam <mark.lam@apple.com> |
| |
| ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds. |
| https://bugs.webkit.org/show_bug.cgi?id=199821 |
| <rdar://problem/52452328> |
| |
| Reviewed by Filip Pizlo. |
| |
| Excluding the ArgumentsEliminationPhase, PutStack nodes are converted from SetLocal |
| nodes in the SSAConversionPhase. SetLocal nodes are always preceded by MovHint nodes, |
| and the SSAConversionPhase always inserts a KillStack node before a MovHint node. |
| Hence, a PutStack node is always preceded by a KillStack node. |
| |
| However, the ArgumentsEliminationPhase can convert LoadVarargs nodes into a series |
| of one or more PutStack nodes, and it prepends MovHint nodes before the PutStack |
| nodes. However, it neglects to prepend KillStack nodes as well. Since the |
| ArgumentsEliminationPhase runs after the SSAConversionPhase, the PutStack nodes |
| added during ArgumentsElimination will not be preceded by KillStack nodes. |
| |
| This patch fixes this by inserting a KillStack in the ArgumentsEliminationPhase |
| before it inserts a MovHint and a PutStack node. |
| |
| Consider this test case which can manifest the above issue as a crash: |
| |
| function inlinee(value) { |
| ... |
| let tmp = value + 1; |
| } |
| |
| function reflect() { |
| return inlinee.apply(undefined, arguments); |
| } |
| |
| function test(arr) { |
| let object = inlinee.apply(undefined, arr); // Uses a lot of SetArgumentMaybe nodes. |
| reflect(); // Calls with a LoadVararg, which gets converted into a PutStack of a constant. |
| } |
| |
| In this test case, we have a scenario where a SetArgumentMaybe's stack |
| slot is reused as the stack slot for a PutStack later. Here, the PutStack will |
| put a constant undefined value. Coincidentally, the SetArgumentMaybe may also |
| initialize that stack slot to a constant undefined value. Note that by the time |
| the PutStack executes, the SetArgumentMaybe's stack slot is dead. The liveness of |
| these 2 values is distinct. |
| |
| However, because we were missing a KillStack before the PutStack, OSR availability |
| analysis gets misled into thinking that the PutStack constant value is still in the |
| stack slot because the value left there by the SetArgumentMaybe hasn't been killed |
| off yet. As a result, OSR exit code will attempt to recover the PutStack's undefined |
| constant by loading from the stack slot instead of materializing it. Since |
| SetArgumentMaybe may not actually initialize the stack slot, we get a crash in OSR |
| exit when we try to recover the PutStack constant value from the stack slot, and |
| end up using whatever junk value we read from there. |
| |
| Fixing the ArgumentsEliminationPhase to insert KillStack before the PutStack |
| removes this conflation of the PutStack's constant value with the SetArgumentMaybe's |
| constant value in the same stack slot. And, OSR availability analysis will no |
| longer be misled to load the PutStack's constant value from the stack, but will |
| materialize the constant instead. |
| |
| * dfg/DFGArgumentsEliminationPhase.cpp: |
| |
| 2019-07-17 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r247505. |
| https://bugs.webkit.org/show_bug.cgi?id=199871 |
| |
| "Caused failed ASSERT in stress test" (Requested by creid on |
| #webkit). |
| |
| Reverted changeset: |
| |
| "Bytecode cache should use FileSystem" |
| https://bugs.webkit.org/show_bug.cgi?id=199759 |
| https://trac.webkit.org/changeset/247505 |
| |
| 2019-07-16 Christopher Reid <chris.reid@sony.com> |
| |
| Bytecode cache should use FileSystem |
| https://bugs.webkit.org/show_bug.cgi?id=199759 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Update bytecode cache to use platform generic FileSystem calls. |
| |
| * API/JSScript.mm: |
| * CMakeLists.txt: |
| * jsc.cpp: |
| * runtime/CachePayload.cpp: |
| * runtime/CachePayload.h: |
| * runtime/CachedBytecode.h: |
| * runtime/CachedTypes.cpp: |
| * runtime/CachedTypes.h: |
| * runtime/CodeCache.cpp: |
| * runtime/CodeCache.h: |
| * runtime/Completion.cpp: |
| * runtime/Completion.h: |
| |
| 2019-07-16 Joonghun Park <pjh0718@gmail.com> |
| |
| [GTK] Fix a build warning in JavaScriptCore/API/tests/testapi.c |
| https://bugs.webkit.org/show_bug.cgi?id=199824 |
| |
| Reviewed by Alex Christensen. |
| |
| * API/tests/testapi.c: |
| (main): |
| |
| 2019-07-15 Keith Miller <keith_miller@apple.com> |
| |
| JSGlobalObject type macros should support feature flags and WeakRef should have one |
| https://bugs.webkit.org/show_bug.cgi?id=199601 |
| |
| Reviewed by Mark Lam. |
| |
| This patch refactors the various builtin type macros to have a |
| parameter, which is the feature flag enabling it. Since most |
| builtin types are enabled by default this patch adds a new global |
| bool typeExposedByDefault for clarity. Note that, because static hash |
| tables have no concept of feature flags, we can't use feature flags |
| with lazy properties. This is probably not a big deal as features |
| that are off by default won't be allocated anywhere we care about |
| memory usage anyway. |
| |
| * runtime/CommonIdentifiers.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| (JSC::JSGlobalObject::visitChildren): |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::stringObjectStructure const): |
| (JSC::JSGlobalObject::bigIntObjectStructure const): Deleted. |
| * runtime/Options.h: |
| * wasm/js/JSWebAssembly.cpp: |
| |
| 2019-07-15 Keith Miller <keith_miller@apple.com> |
| |
| A Possible Issue of Object.create method |
| https://bugs.webkit.org/show_bug.cgi?id=199744 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We should call toObject on the properties argument if it was not undefined. |
| See: https://tc39.es/ecma262/#sec-object.create |
| |
| * runtime/ObjectConstructor.cpp: |
| (JSC::objectConstructorCreate): |
| |
| 2019-07-15 Saagar Jha <saagarjha@apple.com> |
| |
| Keyword lookup can use memcmp to get around unaligned load undefined behavior |
| https://bugs.webkit.org/show_bug.cgi?id=199650 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Replace KeywordLookup's hand-rolled "memcmp" with the standard version, which reduces the need to deal with |
| endianness and unaligned loads. |
| |
| * KeywordLookupGenerator.py: |
| (Trie.printSubTreeAsC): Use memcmp instead of macros to test for matches. |
| (Trie.printAsC): Unspecialize Lexer::parseKeyword as templating over the character type reduces the amount of |
| code we need to generate and moves this task out of the Python script and into the C++ compiler. |
| |
| 2019-07-15 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Improve wasm wpt test results by fixing miscellaneous issues |
| https://bugs.webkit.org/show_bug.cgi?id=199783 |
| |
| Reviewed by Mark Lam. |
| |
| This patch fixes miscellaneous issues in our Wasm JS API implementation to improve WPT score. |
| I picked trivial ones in this patch to make this easily reviewable. |
| |
| 1. Remove WebAssemblyPrototype. It does not exist in the spec. Merge WebAssemblyPrototype into JSWebAssembly. |
| 2. Fix various attributes. They do not match the usual JSC builtins' convention, but this change |
| is correct because they are changed to match the WebIDL definition, and the WebAssembly implementation |
| follows WebIDL. In the future, we could move WebCore's WebIDL things into the WTF layer and even use them (or leverage |
| some of the utility functions) in our WebAssembly JS API implementation. |
| 3. Fix how we interpret "present" in the WebAssembly spec. This does not mean the [[HasProperty]] result. It follows the |
| WebIDL spec, and it means that the [[Get]] result is not undefined. |
| 4. Add an argument count check to Module.customSections, which is required because the method is defined in WebIDL. |
| 5. Fix toNonWrappingUint32 to match WebIDL's conversion rule. |
| |
| * CMakeLists.txt: |
| * DerivedSources-input.xcfilelist: |
| * DerivedSources-output.xcfilelist: |
| * DerivedSources.make: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * builtins/WebAssembly.js: Renamed from Source/JavaScriptCore/builtins/WebAssemblyPrototype.js. |
| * jit/Repatch.cpp: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| * runtime/JSModuleLoader.cpp: |
| (JSC::moduleLoaderParseModule): |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::JSWebAssembly::create): |
| (JSC::JSWebAssembly::finishCreation): |
| (JSC::reject): |
| (JSC::webAssemblyModuleValidateAsyncInternal): |
| (JSC::webAssemblyCompileFunc): |
| (JSC::resolve): |
| (JSC::JSWebAssembly::webAssemblyModuleValidateAsync): |
| (JSC::instantiate): |
| (JSC::compileAndInstantiate): |
| (JSC::JSWebAssembly::instantiate): |
| (JSC::webAssemblyModuleInstantinateAsyncInternal): |
| (JSC::JSWebAssembly::webAssemblyModuleInstantinateAsync): |
| (JSC::webAssemblyInstantiateFunc): |
| (JSC::webAssemblyValidateFunc): |
| (JSC::webAssemblyCompileStreamingInternal): |
| (JSC::webAssemblyInstantiateStreamingInternal): |
| * wasm/js/JSWebAssembly.h: |
| * wasm/js/JSWebAssemblyHelpers.h: |
| (JSC::toNonWrappingUint32): |
| * wasm/js/WebAssemblyCompileErrorConstructor.cpp: |
| (JSC::WebAssemblyCompileErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyInstanceConstructor.cpp: |
| (JSC::WebAssemblyInstanceConstructor::finishCreation): |
| * wasm/js/WebAssemblyInstancePrototype.cpp: |
| * wasm/js/WebAssemblyLinkErrorConstructor.cpp: |
| (JSC::WebAssemblyLinkErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyMemoryConstructor.cpp: |
| (JSC::constructJSWebAssemblyMemory): |
| (JSC::WebAssemblyMemoryConstructor::finishCreation): |
| * wasm/js/WebAssemblyMemoryPrototype.cpp: |
| * wasm/js/WebAssemblyModuleConstructor.cpp: |
| (JSC::webAssemblyModuleCustomSections): |
| (JSC::WebAssemblyModuleConstructor::finishCreation): |
| * wasm/js/WebAssemblyPrototype.cpp: Removed. |
| * wasm/js/WebAssemblyPrototype.h: Removed. |
| * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: |
| (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| (JSC::WebAssemblyTableConstructor::finishCreation): |
| * wasm/js/WebAssemblyTablePrototype.cpp: |
| |
| 2019-07-15 Michael Catanzaro <mcatanzaro@igalia.com> |
| |
| Unreviewed, rolling out r247440. |
| |
| Broke builds |
| |
| Reverted changeset: |
| |
| "[JSC] Improve wasm wpt test results by fixing miscellaneous |
| issues" |
| https://bugs.webkit.org/show_bug.cgi?id=199783 |
| https://trac.webkit.org/changeset/247440 |
| |
| 2019-07-15 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Improve wasm wpt test results by fixing miscellaneous issues |
| https://bugs.webkit.org/show_bug.cgi?id=199783 |
| |
| Reviewed by Mark Lam. |
| |
| This patch fixes miscellaneous issues in our Wasm JS API implementation to improve WPT score. |
| I picked trivial ones in this patch to make this easily reviewable. |
| |
| 1. Remove WebAssemblyPrototype. It does not exist in the spec. Merge WebAssemblyPrototype into JSWebAssembly. |
| 2. Fix various attributes. They do not match the usual JSC builtin convention, but this change |
| is correct because they are changed to match the WebIDL definition, and the WebAssembly implementation |
| follows WebIDL. In the future, we could move the WebCore WebIDL things into the WTF layer and even use (or leverage |
| some of the utility functions) in our WebAssembly JS API implementation. |
| 3. Fix how we interpret "present" in the WebAssembly spec. This does not mean the [[HasProperty]] result. It follows the |
| WebIDL spec, and it means that the [[Get]] result is not undefined. |
| 4. Add an argument count check to Module.customSections, which is required because the method is defined in WebIDL. |
| 5. Fix toNonWrappingUint32 to match WebIDL's conversion rule. |
| |
| * CMakeLists.txt: |
| * DerivedSources-input.xcfilelist: |
| * DerivedSources-output.xcfilelist: |
| * DerivedSources.make: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * builtins/WebAssembly.js: Renamed from Source/JavaScriptCore/builtins/WebAssemblyPrototype.js. |
| * jit/Repatch.cpp: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| * runtime/JSModuleLoader.cpp: |
| (JSC::moduleLoaderParseModule): |
| * wasm/js/JSWebAssembly.cpp: |
| (JSC::JSWebAssembly::create): |
| (JSC::JSWebAssembly::finishCreation): |
| (JSC::reject): |
| (JSC::webAssemblyModuleValidateAsyncInternal): |
| (JSC::webAssemblyCompileFunc): |
| (JSC::resolve): |
| (JSC::JSWebAssembly::webAssemblyModuleValidateAsync): |
| (JSC::instantiate): |
| (JSC::compileAndInstantiate): |
| (JSC::JSWebAssembly::instantiate): |
| (JSC::webAssemblyModuleInstantinateAsyncInternal): |
| (JSC::JSWebAssembly::webAssemblyModuleInstantinateAsync): |
| (JSC::webAssemblyInstantiateFunc): |
| (JSC::webAssemblyValidateFunc): |
| (JSC::webAssemblyCompileStreamingInternal): |
| (JSC::webAssemblyInstantiateStreamingInternal): |
| * wasm/js/JSWebAssembly.h: |
| * wasm/js/JSWebAssemblyHelpers.h: |
| (JSC::toNonWrappingUint32): |
| * wasm/js/WebAssemblyCompileErrorConstructor.cpp: |
| (JSC::WebAssemblyCompileErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyInstanceConstructor.cpp: |
| (JSC::WebAssemblyInstanceConstructor::finishCreation): |
| * wasm/js/WebAssemblyInstancePrototype.cpp: |
| * wasm/js/WebAssemblyLinkErrorConstructor.cpp: |
| (JSC::WebAssemblyLinkErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyMemoryConstructor.cpp: |
| (JSC::constructJSWebAssemblyMemory): |
| (JSC::WebAssemblyMemoryConstructor::finishCreation): |
| * wasm/js/WebAssemblyMemoryPrototype.cpp: |
| * wasm/js/WebAssemblyModuleConstructor.cpp: |
| (JSC::webAssemblyModuleCustomSections): |
| (JSC::WebAssemblyModuleConstructor::finishCreation): |
| * wasm/js/WebAssemblyPrototype.cpp: Removed. |
| * wasm/js/WebAssemblyPrototype.h: Removed. |
| * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: |
| (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| (JSC::WebAssemblyTableConstructor::finishCreation): |
| * wasm/js/WebAssemblyTablePrototype.cpp: |
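
Item 5 above only says that toNonWrappingUint32 now follows WebIDL's conversion rule. The C below is an added example, not JavaScriptCore's code: it models the WebIDL [EnforceRange] conversion to "unsigned long", which is the rule the WebAssembly JS API's IDL applies to values such as a Memory's initial page count (that this is the attribute the patch targets is an assumption, as are the function names). The input is the Number that ToNumber already produced; the contrast function shows the ECMAScript ToUint32 wrap-around that an [EnforceRange] conversion must not perform.

```c
#include <math.h>      /* only for the NAN and INFINITY macros; no libm calls */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * WebIDL [EnforceRange] unsigned long, as stated in the spec:
 *   1. NaN, +Infinity and -Infinity are a TypeError.
 *   2. Take the integer part (truncate toward zero); -0 becomes +0.
 *   3. A result outside [0, 2^32 - 1] is a TypeError, never wrapped.
 */
typedef enum { CONV_OK = 0, CONV_TYPE_ERROR = 1 } conv_status;

conv_status to_non_wrapping_uint32(double number, uint32_t *out)
{
    /* Step 1: NaN never compares equal to itself. */
    if (number != number)
        return CONV_TYPE_ERROR;
    /* Steps 2+3 folded: anything <= -1 truncates to a negative integer and
     * anything >= 2^32 truncates past the range; this also rejects both
     * infinities. */
    if (number <= -1.0 || number >= 4294967296.0)
        return CONV_TYPE_ERROR;
    /* What is left lies in (-1, 2^32): truncation toward zero lands in
     * [0, 2^32 - 1], and (-1, 0] including -0 becomes 0. Going through
     * int64_t keeps the double-to-integer cast in well-defined range. */
    *out = (uint32_t)(int64_t)number;
    return CONV_OK;
}

/* Single-value form: the converted integer, or -1 where WebIDL throws. */
int64_t to_non_wrapping_uint32_or_minus1(double number)
{
    uint32_t v = 0;
    return to_non_wrapping_uint32(number, &v) == CONV_OK ? (int64_t)v : -1;
}

/* For contrast: ECMAScript ToUint32, which wraps modulo 2^32 and maps NaN
 * and the infinities to 0. Restricted to |number| < 2^63 so the cast to
 * int64_t stays defined; that is enough to show the wrap. */
uint32_t wrapping_to_uint32(double number)
{
    if (number != number || number >= 9223372036854775808.0 || number <= -9223372036854775808.0)
        return 0;
    return (uint32_t)(int64_t)number;   /* int64 -> uint32 reduces modulo 2^32 */
}

int main(void)
{
    /* Constructed sample inputs covering the edge cases. */
    static const double samples[] = { 1.0, 3.9, -0.5, 4294967295.0, 4294967296.0, -1.0, NAN, INFINITY };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t enforced = to_non_wrapping_uint32_or_minus1(samples[i]);
        if (enforced < 0)
            printf("%-14.1f EnforceRange: TypeError   ToUint32: %u\n", samples[i], wrapping_to_uint32(samples[i]));
        else
            printf("%-14.1f EnforceRange: %-10lld ToUint32: %u\n", samples[i], (long long)enforced, wrapping_to_uint32(samples[i]));
    }
    return 0;
}
```

The check a practitioner wants here is the boundary pair: 4294967295 is accepted, 4294967296 is a TypeError rather than 0, and -1 is a TypeError rather than 0xFFFFFFFF, which is exactly where a wrapping conversion would let an oversized size slip through as a small one.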
| |
| 2019-07-15 Youenn Fablet <youenn@apple.com> |
| |
| Enable a debug WebRTC mode without any encryption |
| https://bugs.webkit.org/show_bug.cgi?id=199177 |
| <rdar://problem/52074986> |
| |
| Reviewed by Eric Carlson. |
| |
| * inspector/protocol/Page.json: |
| |
| 2019-07-15 Ryan Haddad <ryanhaddad@apple.com> |
| |
| Unreviewed, attempt to fix production builds after r247403. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| |
| 2019-07-15 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Concurrent GC should not rely on current phase to determine if it's safe to steal conn |
| https://bugs.webkit.org/show_bug.cgi?id=199786 |
| <rdar://problem/52505197> |
| |
| Reviewed by Saam Barati. |
| |
| In r246507, we fixed a race condition in the concurrent GC where the mutator might steal |
| the conn from the collector thread while it transitions from the End phase to NotRunning. |
| However, that fix was not sufficient. In the case that the mutator steals the conn, and the |
| execution interleaves long enough for the mutator to progress to a different collection phase, |
| the collector will resume in a phase other than NotRunning, and hence the check added to |
| NotRunning will not suffice. To fix that, we add a new variable to track whether the collector |
| thread is running (m_collectorThreadIsRunning) and use it to determine whether it's safe to |
| steal the conn, rather than relying on m_currentPhase. |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::runNotRunningPhase): |
| (JSC::Heap::requestCollection): |
| * heap/Heap.h: |
| |
| 2019-07-12 Keith Miller <keith_miller@apple.com> |
| |
| Add API to get all the dependencies of a given JSScript |
| https://bugs.webkit.org/show_bug.cgi?id=199746 |
| |
| Reviewed by Saam Barati. |
| |
| The method only returns the dependencies if the module was |
| actually evaluated. Technically, we know what the dependencies are |
| at the satisfy phase, but for API simplicity we only provide that |
| information if the module graph was complete enough to at least |
| run. |
| |
| This patch also fixes an issue where we would allow import |
| specifiers that didn't start with "./" or "/". For reference, we have |
| this restriction to be consistent with the web/node. The |
| restriction exists in order to preserve the namespace for |
| builtin modules. |
| |
| Lastly, this patch makes it so that we copy all scripts in the |
| API/tests/testapiScripts directory so they don't have to be |
| individually added to the Xcode project. |
| |
| * API/JSAPIGlobalObject.mm: |
| (JSC::computeValidImportSpecifier): |
| (JSC::JSAPIGlobalObject::moduleLoaderResolve): |
| (JSC::JSAPIGlobalObject::moduleLoaderImportModule): |
| * API/JSContext.mm: |
| (-[JSContext dependencyIdentifiersForModuleJSScript:]): |
| * API/JSContextPrivate.h: |
| * API/JSScript.h: |
| * API/tests/testapi.mm: |
| (testFetchWithTwoCycle): |
| (testFetchWithThreeCycle): |
| (testModuleBytecodeCache): |
| (+[JSContextFileLoaderDelegate newContext]): |
| (-[JSContextFileLoaderDelegate fetchModuleScript:]): |
| (-[JSContextFileLoaderDelegate findScriptForKey:]): |
| (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]): |
| (testDependenciesArray): |
| (testDependenciesEvaluationError): |
| (testDependenciesSyntaxError): |
| (testDependenciesBadImportId): |
| (testDependenciesMissingImport): |
| (testObjectiveCAPI): |
| * API/tests/testapiScripts/dependencyListTests/badModuleImportId.js: Added. |
| * API/tests/testapiScripts/dependencyListTests/bar.js: Added. |
| * API/tests/testapiScripts/dependencyListTests/dependenciesEntry.js: Added. |
| * API/tests/testapiScripts/dependencyListTests/foo.js: Added. |
| * API/tests/testapiScripts/dependencyListTests/missingImport.js: Added. |
| * API/tests/testapiScripts/dependencyListTests/referenceError.js: Added. |
| * API/tests/testapiScripts/dependencyListTests/syntaxError.js: Added. |
| * API/tests/testapiScripts/testapi-function-overrides.js: Renamed from Source/JavaScriptCore/API/tests/testapi-function-overrides.js. |
| * API/tests/testapiScripts/testapi.js: Renamed from Source/JavaScriptCore/API/tests/testapi.js. |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * builtins/ModuleLoader.js: |
| (dependencyKeysIfEvaluated): |
| * runtime/JSModuleLoader.cpp: |
| (JSC::JSModuleLoader::dependencyKeysIfEvaluated): |
| * runtime/JSModuleLoader.h: |
| * shell/CMakeLists.txt: |
| |
| 2019-07-12 Justin Michaud <justin_michaud@apple.com> |
| |
| B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y)) |
| https://bugs.webkit.org/show_bug.cgi?id=196371 |
| |
| Reviewed by Keith Miller. |
| |
| Adding these strength reductions gives a 2x (x86) and 3x (arm64) performance improvement |
| on the microbenchmark. |
| |
| * b3/B3ReduceStrength.cpp: |
| * b3/testb3.cpp: |
| (JSC::B3::testSubSub): |
| (JSC::B3::testSubSub2): |
| (JSC::B3::testSubAdd): |
| (JSC::B3::testSubFirstNeg): |
| (JSC::B3::run): |
| |
| 2019-07-12 Caio Lima <ticaiolima@gmail.com> |
| |
| [BigInt] Add ValueBitLShift into DFG |
| https://bugs.webkit.org/show_bug.cgi?id=192664 |
| |
| Reviewed by Saam Barati. |
| |
| This patch splits `BitLShift` into `ArithBitLShift` and |
| `ValueBitLShift` to handle BigInt speculation more efficiently in the |
| DFG and FTL layers. Following the same approach as the other `ValueBitOps`, |
| `ValueBitLShift` handles Untyped and BigInt speculations, while |
| `ArithBitLShift` handles number and boolean operands and always results in |
| Int32. |
| |
| * bytecode/BytecodeList.rb: |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finishCreation): |
| * bytecode/Opcode.h: |
| * dfg/DFGAbstractInterpreter.h: |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantBinaryBitwiseOp): |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| |
| We moved the `BitLShift` constant folding rules to a new method, |
| `handleConstantBinaryBitwiseOp`, to be reused by `ArithBitLShift` and |
| `ValueBitLShift`. This also enables support for constant folding on other |
| bitwise operations like `ValueBitAnd`, `ValueBitOr` and `ValueBitXor` when |
| their binary use kind is UntypedUse. Such cases can happen on those |
| nodes because the fixup phase is conservative. |
| |
| * dfg/DFGBackwardsPropagationPhase.cpp: |
| (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo): |
| (JSC::DFG::BackwardsPropagationPhase::propagate): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsicGetter): |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| |
| We parse `op_lshift` as `ArithBitLShift` when its operands are numbers. |
| Otherwise, we fall back to `ValueBitLShift` and rely on the fixup phase to |
| convert `ValueBitLShift` into `ArithBitLShift` when possible. |
| |
| * dfg/DFGClobberize.h: |
| (JSC::DFG::clobberize): |
| |
| `ArithBitLShift` has the same clobberize rules as the former `BitLShift`. |
| `ValueBitLShift` only clobberizes the world when it is UntypedUse. |
| |
| * dfg/DFGDoesGC.cpp: |
| (JSC::DFG::doesGC): |
| |
| `ValueBitLShift` can GC when `BigIntUse` because it allocates new |
| JSBigInts to perform this operation. It can also GC on UntypedUse |
| because of observable user code. |
| |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| |
| `ValueBitLShift` and `ArithBitLShift` have the same fixup rules as the |
| other binary bitwise operations. In the case of `ValueBitLShift`, |
| we check if we should speculate on BigInt or Untyped and fall back to |
| `ArithBitLShift` when both checks fail. |
| |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::hasHeapPrediction): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGOperations.cpp: |
| |
| We updated `operationValueBitLShift` to handle BigInt cases. Also, we |
| added `operationBitLShiftBigInt`, which is used when we compile |
| `ValueBitLShift(BigIntUse)`. |
| |
| * dfg/DFGOperations.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| |
| `ValueBitLShift`'s prediction propagation rules differ from those of other |
| bitwise operations, because using only the heap prediction for this node causes |
| a significant performance regression on Octane's zlib and mandreel. |
| The reason is cases where a function is compiled but the |
| instruction `op_lshift` was never executed before. If we use |
| `getPrediction()` we will emit a `ForceOSRExit`, resulting in more OSR |
| exits than desired. To solve this issue, we are using |
| `getPredictionWithoutOSR()` and falling back to `getHeapPrediction()` |
| only in cases where we can't rely on the node's input types. |
| |
| * dfg/DFGSafeToExecute.h: |
| (JSC::DFG::safeToExecute): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileValueLShiftOp): |
| (JSC::DFG::SpeculativeJIT::compileShiftOp): |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::shiftOp): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGStrengthReductionPhase.cpp: |
| (JSC::DFG::StrengthReductionPhase::handleNode): |
| * ftl/FTLCapabilities.cpp: |
| (JSC::FTL::canCompile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNode): |
| (JSC::FTL::DFG::LowerDFGToB3::compileArithBitLShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): |
| (JSC::FTL::DFG::LowerDFGToB3::compileBitLShift): Deleted. |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/CommonSlowPaths.cpp: |
| (JSC::SLOW_PATH_DECL): |
| |
| 2019-07-12 Keith Miller <keith_miller@apple.com> |
| |
| getIndexQuickly should be const |
| https://bugs.webkit.org/show_bug.cgi?id=199747 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/Butterfly.h: |
| (JSC::Butterfly::indexingPayload const): |
| (JSC::Butterfly::arrayStorage const): |
| (JSC::Butterfly::contiguousInt32 const): |
| (JSC::Butterfly::contiguousDouble const): |
| (JSC::Butterfly::contiguous const): |
| * runtime/JSObject.h: |
| (JSC::JSObject::canGetIndexQuickly const): |
| (JSC::JSObject::getIndexQuickly const): |
| (JSC::JSObject::tryGetIndexQuickly const): |
| (JSC::JSObject::canGetIndexQuickly): Deleted. |
| (JSC::JSObject::getIndexQuickly): Deleted. |
| |
| 2019-07-11 Justin Michaud <justin_michaud@apple.com> |
| |
| Add b3 macro lowering for CheckMul on arm64 |
| https://bugs.webkit.org/show_bug.cgi?id=199251 |
| |
| Reviewed by Robin Morisset. |
| |
| - Lower CheckMul for 32-bit arguments on arm64 into a mul and then an overflow check. |
| - Add a new opcode to air on arm64 for smull (multiplySignExtend32). |
| - Fuse sign extend 32 + mul into smull (taking two 32-bit arguments and producing 64 bits). |
| - 1.25x speedup on power of two microbenchmark, 1.15x speedup on normal constant microbenchmark, |
| and no change on the no-constant benchmark. |
| Also, skip some of the b3 tests that were failing before this patch so that the new tests can run |
| to completion. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::multiplySignExtend32): |
| * assembler/testmasm.cpp: |
| (JSC::testMul32SignExtend): |
| (JSC::run): |
| * b3/B3LowerMacros.cpp: |
| * b3/B3LowerToAir.cpp: |
| * b3/air/AirOpcode.opcodes: |
| * b3/testb3.cpp: |
| (JSC::B3::testMulArgs32SignExtend): |
| (JSC::B3::testMulImm32SignExtend): |
| (JSC::B3::testMemoryFence): |
| (JSC::B3::testStoreFence): |
| (JSC::B3::testLoadFence): |
| (JSC::B3::testPinRegisters): |
| (JSC::B3::run): |
| |
| 2019-07-11 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, revert r243617. |
| https://bugs.webkit.org/show_bug.cgi?id=196341 |
| |
| Mark pointed out that JSVirtualMachine can be gone on another thread while we are executing GC constraint-solving. |
| This patch does not account for the fact that JavaScriptCore.framework is multi-thread safe: the JSVirtualMachine wrapper can be destroyed, |
| and [JSVirtualMachine dealloc] can be executed on any thread while the VM is retained and used on another thread (e.g. |
| destroyed from an autorelease pool on some thread). |
| |
| * API/JSContext.mm: |
| (-[JSContext initWithVirtualMachine:]): |
| (-[JSContext dealloc]): |
| (-[JSContext initWithGlobalContextRef:]): |
| (-[JSContext wrapperMap]): |
| (+[JSContext contextWithJSGlobalContextRef:]): |
| * API/JSVirtualMachine.mm: |
| (initWrapperCache): |
| (wrapperCache): |
| (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): |
| (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): |
| (-[JSVirtualMachine initWithContextGroupRef:]): |
| (-[JSVirtualMachine dealloc]): |
| (+[JSVirtualMachine virtualMachineWithContextGroupRef:]): |
| (-[JSVirtualMachine contextForGlobalContextRef:]): |
| (-[JSVirtualMachine addContext:forGlobalContextRef:]): |
| (scanExternalObjectGraph): |
| (scanExternalRememberedSet): |
| * API/JSVirtualMachineInternal.h: |
| * runtime/JSGlobalObject.h: |
| (JSC::JSGlobalObject::setWrapperMap): |
| (JSC::JSGlobalObject::setAPIWrapper): Deleted. |
| (JSC::JSGlobalObject::apiWrapper const): Deleted. |
| * runtime/VM.h: |
| |
| 2019-07-10 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Optimize join of large empty arrays |
| https://bugs.webkit.org/show_bug.cgi?id=199636 |
| |
| Reviewed by Mark Lam. |
| |
| Replicate the behavior of `str.repeat(count)` when performing `new Array(count + 1).join(str)`. |
| I added two new microbenchmarks: |
| - large-empty-array-join, which does not use the result of the join and runs ~44x faster and uses ~18x less memory. |
| - large-empty-array-join-resolve-rope, which uses the result of the join and runs 2x faster. |
| |
| baseline diff |
| large-empty-array-join 2713.9698+-72.7621 ^ 61.2335+-10.4836 ^ definitely 44.3217x faster |
| large-empty-array-join-resolve-string 26.5517+-0.3995 ^ 12.9309+-0.5516 ^ definitely 2.0533x faster |
| |
| large-empty-array-join memory usage with baseline (dirty): |
| 733012 kB current_mem |
| 756824 kB lifetime_peak |
| |
| large-empty-array-join memory usage with diff (dirty): |
| 41904 kB current_mem |
| 41972 kB lifetime_peak |
| |
| Additionally, I ran JetStream2, sunspider and v8-spider and all were neutral. |
| |
| * runtime/ArrayPrototype.cpp: |
| (JSC::fastJoin): |
| |
| 2019-07-08 Keith Miller <keith_miller@apple.com> |
| |
| Enable Intl.PluralRules and Intl.NumberFormatToParts by default |
| https://bugs.webkit.org/show_bug.cgi?id=199288 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| These features have been around for a while. We should turn them on by default. |
| |
| * runtime/IntlNumberFormatPrototype.cpp: |
| (JSC::IntlNumberFormatPrototype::finishCreation): |
| * runtime/IntlObject.cpp: |
| (JSC::IntlObject::finishCreation): Deleted. |
| * runtime/IntlObject.h: |
| * runtime/Options.h: |
| |
| 2019-07-08 Antoine Quint <graouts@apple.com> |
| |
| [Pointer Events] Enable only on the most recent version of the supported iOS family |
| https://bugs.webkit.org/show_bug.cgi?id=199562 |
| <rdar://problem/52766511> |
| |
| Reviewed by Dean Jackson. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-07-06 Michael Saboff <msaboff@apple.com> |
| |
| switch(String) needs to check for exceptions when resolving the string |
| https://bugs.webkit.org/show_bug.cgi?id=199541 |
| |
| Reviewed by Mark Lam. |
| |
| Added exception checks for resolved Strings in switch processing for all tiers. |
| |
| * dfg/DFGOperations.cpp: |
| * jit/JITOperations.cpp: |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| |
| 2019-07-05 Mark Lam <mark.lam@apple.com> |
| |
| ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex past zero. |
| https://bugs.webkit.org/show_bug.cgi?id=199533 |
| <rdar://problem/52669111> |
| |
| Reviewed by Filip Pizlo. |
| |
| * dfg/DFGArgumentsEliminationPhase.cpp: |
| |
| 2019-07-05 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, fix build failure on ARM64_32 |
| https://bugs.webkit.org/show_bug.cgi?id=182434 |
| |
| Implicit narrowing from uint64_t to uint32_t happens. We should explicitly narrow it because we already checked |
| the `length` is <= UINT32_MAX. |
| |
| * runtime/ArrayPrototype.cpp: |
| (JSC::arrayProtoFuncSpeciesCreate): |
| |
| 2019-07-05 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| [JSC] Clean up ArraySpeciesCreate |
| https://bugs.webkit.org/show_bug.cgi?id=182434 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| We have duplicate code in arraySpeciesCreate, filter, map, and concatSlowPath of ArrayPrototype.js |
| and speciesConstructArray of ArrayPrototype.cpp. This patch fixes cross-realm Array constructor |
| detection in native speciesConstructArray, upgrades the `length` type to correctly handle large integers, |
| and exposes it as @arraySpeciesCreate. It also removes the now unused @isArrayConstructor private function. |
| Native speciesConstructArray is preferred because it has a fast path via speciesWatchpointIsValid. |
| |
| Thoroughly benchmarked: this change progresses ARES-6 by 0-1%. |
| |
| * builtins/ArrayPrototype.js: |
| (filter): |
| (map): |
| (globalPrivate.concatSlowPath): |
| (globalPrivate.arraySpeciesCreate): Deleted. |
| * builtins/BuiltinNames.h: |
| * runtime/ArrayConstructor.cpp: |
| (JSC::arrayConstructorPrivateFuncIsArrayConstructor): Deleted. |
| * runtime/ArrayConstructor.h: |
| * runtime/ArrayPrototype.cpp: |
| (JSC::arrayProtoFuncSpeciesCreate): |
| * runtime/ArrayPrototype.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| |
| 2019-07-05 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Unreviewed, change the value used to scribble Heap::m_worldState |
| https://bugs.webkit.org/show_bug.cgi?id=199498 |
| |
| Follow-up after r247160. The value used to scribble should have the |
| conn bit set. |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::~Heap): |
| |
| 2019-07-05 Ryan Haddad <ryanhaddad@apple.com> |
| |
| Unreviewed, rolling out r247115. |
| |
| Breaks lldbWebKitTester (and by extension, test-webkitpy) |
| |
| Reverted changeset: |
| |
| "[WHLSL] Standard library is too big to directly include in |
| WebCore" |
| https://bugs.webkit.org/show_bug.cgi?id=198186 |
| https://trac.webkit.org/changeset/247115 |
| |
| 2019-07-05 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Scribble Heap::m_worldState on destructor |
| https://bugs.webkit.org/show_bug.cgi?id=199498 |
| |
| Reviewed by Sam Weinig. |
| |
| The worldState is dumped when we crash due to a failed checkConn, and |
| this will make it clear if the heap has already been destroyed. |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::~Heap): |
| |
| 2019-07-03 Sam Weinig <weinig@apple.com> |
| |
| Adopt simple structured bindings in more places |
| https://bugs.webkit.org/show_bug.cgi?id=199247 |
| |
| Reviewed by Alex Christensen. |
| |
| Replaces simple uses of std::tie() with structured bindings. Does not touch |
| uses of std::tie() that are not initial declarations, that use std::ignore, or |
| cases where the binding is captured by a lambda, as structured bindings don't |
| work for those cases yet. |
| |
| * runtime/PromiseDeferredTimer.cpp: |
| (JSC::PromiseDeferredTimer::doWork): |
| * wasm/WasmFaultSignalHandler.cpp: |
| (JSC::Wasm::trapHandler): |
| * wasm/js/JSWebAssemblyHelpers.h: |
| (JSC::createSourceBufferFromValue): |
| * wasm/js/WebAssemblyPrototype.cpp: |
| (JSC::webAssemblyValidateFunc): |
| |
| 2019-07-03 Keith Miller <keith_miller@apple.com> |
| |
| PACCage should first cage leaving PAC bits intact then authenticate |
| https://bugs.webkit.org/show_bug.cgi?id=199372 |
| |
| Reviewed by Saam Barati. |
| |
| This ordering prevents someone from taking a signed pointer from |
| outside the gigacage and using it in a struct that expects a caged |
| pointer. Previously, the PACCaging just double checked that the PAC |
| bits were valid for the original pointer. |
| |
| |
| +---------------------------+ |
| | | | | |
| | "PAC" | "base" | "offset" +----+ |
| | | | | | |
| +---------------------------+ | Caging |
| | | |
| | | |
| | v |
| | +---------------------------+ |
| | | | | | |
| | Bit Merge | 00000 | base | "offset" | |
| | | | | | |
| | +---------------------------+ |
| | | |
| | | |
| v | Bit Merge |
| +---------------------------+ | |
| | | | | | |
| | "PAC" | base | "offset" +<--------+ |
| | | | | |
| +---------------------------+ |
| | |
| | |
| | Authenticate |
| | |
| v |
| +---------------------------+ |
| | | | | |
| | Auth | base | "offset" | |
| | | | | |
| +---------------------------+ |
| |
| The above ASCII art diagram shows how the PACCage system works. The |
| key takeaway is that even if someone passes in a valid, signed |
| pointer outside the cage it will still fail to authenticate as the |
| "base" bits will change before authentication. |
| |
| |
| * assembler/MacroAssemblerARM64E.h: |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageConditionally): |
| * llint/LowLevelInterpreter64.asm: |
| |
| 2019-07-03 Paulo Matos <pmatos@igalia.com> |
| |
| Refactoring of architectural Register Information |
| https://bugs.webkit.org/show_bug.cgi?id=198604 |
| |
| Reviewed by Keith Miller. |
| |
| The goal of this patch is to centralize the register information per platform |
| but access it in a platform-independent way. The patch has been implemented for all |
| known platforms: ARM64, ARMv7, MIPS, X86 and X86_64. Register information has |
| been centralized in one file per architecture: each file is called assembler/<arch>Registers.h. |
| |
| RegisterInfo.h is used as a forwarding header to choose which register information to load. |
| assembler/<arch>Assembler.h and jit/RegisterSet.cpp use this information in a |
| platform-independent way. |
| |
| * CMakeLists.txt: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * assembler/ARM64Assembler.h: |
| (JSC::ARM64Assembler::gprName): Use register names from register info file. |
| (JSC::ARM64Assembler::sprName): likewise. |
| (JSC::ARM64Assembler::fprName): likewise. |
| * assembler/ARM64Registers.h: Added. |
| * assembler/ARMv7Assembler.h: |
| (JSC::ARMv7Assembler::gprName): Use register names from register info file. |
| (JSC::ARMv7Assembler::sprName): likewise. |
| (JSC::ARMv7Assembler::fprName): likewise. |
| * assembler/ARMv7Registers.h: Added. |
| * assembler/MIPSAssembler.h: |
| (JSC::MIPSAssembler::gprName): Use register names from register info file. |
| (JSC::MIPSAssembler::sprName): likewise. |
| (JSC::MIPSAssembler::fprName): likewise. |
| * assembler/MIPSRegisters.h: Added. |
| * assembler/RegisterInfo.h: Added. |
| * assembler/X86Assembler.h: |
| (JSC::X86Assembler::gprName): Use register names from register info file. |
| (JSC::X86Assembler::sprName): likewise. |
| (JSC::X86Assembler::fprName): likewise. |
| * assembler/X86Registers.h: Added. |
| * assembler/X86_64Registers.h: Added. |
| * jit/GPRInfo.h: Fix typo in comment (s/basline/baseline). |
| * jit/RegisterSet.cpp: |
| (JSC::RegisterSet::reservedHardwareRegisters): Use register properties from register info file. |
| (JSC::RegisterSet::calleeSaveRegisters): likewise. |
| |
| 2019-07-02 Michael Saboff <msaboff@apple.com> |
| |
| Exception from For..of loop destructured assignment eliminates TDZ checks in subsequent code |
| https://bugs.webkit.org/show_bug.cgi?id=199395 |
| |
| Reviewed by Filip Pizlo. |
| |
| For destructuring assignments, the assignment might throw a reference error if |
| the RHS cannot be coerced. The current bytecode generated for such assignments |
| optimizes out the TDZ check after the coercible check. |
| |
| By saving the current state of the TDZ stack before processing the setting of |
| target destructured values and then restoring afterwards, we won't optimize out |
| later TDZ check(s). |
| |
| A similar change of saving / restoring the TDZ stack where exceptions might |
| happen was done for for..in loops in change set r232219. |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::ObjectPatternNode::bindValue const): |
| |
| 2019-07-02 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r247041. |
| https://bugs.webkit.org/show_bug.cgi?id=199425 |
| |
| broke some iOS arm64e tests (Requested by keith_miller on |
| #webkit). |
| |
| Reverted changeset: |
| |
| "PACCage should first cage leaving PAC bits intact then |
| authenticate" |
| https://bugs.webkit.org/show_bug.cgi?id=199372 |
| https://trac.webkit.org/changeset/247041 |
| |
| 2019-07-02 Keith Miller <keith_miller@apple.com> |
| |
| Frozen Arrays length assignment should throw in strict mode |
| https://bugs.webkit.org/show_bug.cgi?id=199365 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| * runtime/JSArray.cpp: |
| (JSC::JSArray::put): |
| |
| 2019-07-02 Paulo Matos <pmatos@linki.tools> |
| |
| Fix typo in if/else block and remove dead assignment |
| https://bugs.webkit.org/show_bug.cgi?id=199352 |
| |
| Reviewed by Alexey Proskuryakov. |
| |
| * yarr/YarrPattern.cpp: |
| (JSC::Yarr::YarrPattern::dumpPattern): Fix typo in if/else block and remove dead assignment |
| |
| 2019-07-02 Keith Miller <keith_miller@apple.com> |
| |
| PACCage should first cage leaving PAC bits intact then authenticate |
| https://bugs.webkit.org/show_bug.cgi?id=199372 |
| |
| Reviewed by Saam Barati. |
| |
| This ordering prevents someone from taking a signed pointer from |
| outside the gigacage and using it in a struct that expects a caged |
| pointer. Previously, the PACCaging just double checked that the PAC |
| bits were valid for the original pointer. |
| |
| |
| +---------------------------+ |
| | | | | |
| | "PAC" | "base" | "offset" +----+ |
| | | | | | |
| +---------------------------+ | Caging |
| | | |
| | | |
| | v |
| | +---------------------------+ |
| | | | | | |
| | Bit Merge | 00000 | base | "offset" | |
| | | | | | |
| | +---------------------------+ |
| | | |
| | | |
| v | Bit Merge |
| +---------------------------+ | |
| | | | | | |
| | "PAC" | base | "offset" +<--------+ |
| | | | | |
| +---------------------------+ |
| | |
| | |
| | Authenticate |
| | |
| v |
| +---------------------------+ |
| | | | | |
| | Auth | base | "offset" | |
| | | | | |
| +---------------------------+ |
| |
| The above ASCII art diagram shows how the PACCage system works. The |
| key takeaway is that even if someone passes in a valid, signed |
| pointer outside the cage it will still fail to authenticate as the |
| "base" bits will change before authentication. |
| |
| |
| * assembler/MacroAssemblerARM64E.h: |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageConditionally): |
| * llint/LowLevelInterpreter64.asm: |
| |
| 2019-07-01 Justin Michaud <justin_michaud@apple.com> |
| |
| [Wasm-References] Disable references by default |
| https://bugs.webkit.org/show_bug.cgi?id=199390 |
| |
| Reviewed by Saam Barati. |
| |
| * runtime/Options.h: |
| |
| 2019-07-01 Ryan Haddad <ryanhaddad@apple.com> |
| |
| Unreviewed, rolling out r246946. |
| |
| Caused JSC test crashes on arm64 |
| |
| Reverted changeset: |
| |
| "Add b3 macro lowering for CheckMul on arm64" |
| https://bugs.webkit.org/show_bug.cgi?id=199251 |
| https://trac.webkit.org/changeset/246946 |
| |
| 2019-06-28 Justin Michaud <justin_michaud@apple.com> |
| |
| Add b3 macro lowering for CheckMul on arm64 |
| https://bugs.webkit.org/show_bug.cgi?id=199251 |
| |
| Reviewed by Robin Morisset. |
| |
| - Lower CheckMul for 32-bit arguments on arm64 into a mul and then an overflow check. |
| - Add a new opcode to air on arm64 for smull (multiplySignExtend32). |
| - Fuse sign extend 32 + mul into smull (taking two 32-bit arguments and producing 64 bits). |
| - 1.25x speedup on power of two microbenchmark, 1.15x speedup on normal constant microbenchmark, |
| and no change on the no-constant benchmark. |
| Also, skip some of the b3 tests that were failing before this patch so that the new tests can run |
| to completion. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::multiplySignExtend32): |
| * assembler/testmasm.cpp: |
| (JSC::testMul32SignExtend): |
| (JSC::run): |
| * b3/B3LowerMacros.cpp: |
| * b3/B3LowerToAir.cpp: |
| * b3/air/AirOpcode.opcodes: |
| * b3/testb3.cpp: |
| (JSC::B3::testMulArgs32SignExtend): |
| (JSC::B3::testMulImm32SignExtend): |
| (JSC::B3::testMemoryFence): |
| (JSC::B3::testStoreFence): |
| (JSC::B3::testLoadFence): |
| (JSC::B3::testPinRegisters): |
| (JSC::B3::run): |
| |
| 2019-06-28 Konstantin Tokarev <annulen@yandex.ru> |
| |
| Remove traces of ENABLE_ICONDATABASE remaining after its removal in 219733 |
| https://bugs.webkit.org/show_bug.cgi?id=199317 |
| |
| Reviewed by Michael Catanzaro. |
| |
| While IconDatabase and all code using it was removed, |
| ENABLE_ICONDATABASE still exists as a build option and C++ macro. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-06-27 Mark Lam <mark.lam@apple.com> |
| |
| FTL keepAlive()'s patchpoint should also declare that it reads HeapRange::top(). |
| https://bugs.webkit.org/show_bug.cgi?id=199291 |
| |
| Reviewed by Yusuke Suzuki and Filip Pizlo. |
| |
| The sole purpose of keepAlive() is to communicate to B3 that an LValue |
| needs to be kept alive past the last opportunity for a GC. The only way |
| we can get a GC is via a function call. Hence, what keepAlive() really |
| needs to communicate is that the LValue needs to be kept alive past the |
| last function call. Function calls read and write HeapRange::top(). |
| Currently, B3 does not shuffle writes. Hence, simply inserting the |
| keepAlive() after the calls that can GC is sufficient. |
| |
| But to be strictly correct, keepAlive() should also declare that it reads |
| HeapRange::top(). This will guarantee that the keepAlive patchpoint won't |
| ever be moved before the function call should B3 gain the ability to shuffle |
| writes in the future. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::keepAlive): |
| |
| 2019-06-27 Beth Dakin <bdakin@apple.com> |
| |
| Upstream use of MACCATALYST |
| https://bugs.webkit.org/show_bug.cgi?id=199245 |
| rdar://problem/51687723 |
| |
| Reviewed by Tim Horton. |
| |
| * Configurations/Base.xcconfig: |
| * Configurations/FeatureDefines.xcconfig: |
| * Configurations/JavaScriptCore.xcconfig: |
| * Configurations/SDKVariant.xcconfig: |
| |
| 2019-06-27 Saam Barati <sbarati@apple.com> |
| |
| Make WEBGPU enabled only on Mojave and later. |
| |
| Rubber-stamped by Myles C. Maxfield. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-06-27 Don Olmstead <don.olmstead@sony.com> |
| |
| [FTW] Build JavaScriptCore |
| https://bugs.webkit.org/show_bug.cgi?id=199254 |
| |
| Reviewed by Brent Fulgham. |
| |
| * PlatformFTW.cmake: Added. |
| |
| 2019-06-27 Konstantin Tokarev <annulen@yandex.ru> |
| |
| Use JSC_GLIB_API_ENABLED instead of USE(GLIB) as a compile-time check for GLib JSC API |
| https://bugs.webkit.org/show_bug.cgi?id=199270 |
| |
| Reviewed by Michael Catanzaro. |
| |
| This change allows building code with enabled USE(GLIB) but without |
| GLib JSC API. |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::releaseDelayedReleasedObjects): |
| * heap/Heap.h: |
| * heap/HeapInlines.h: |
| |
| 2019-06-27 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: throw an error if console.count/console.countReset is called with an object that throws an error from toString |
| https://bugs.webkit.org/show_bug.cgi?id=199252 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| Parse the arguments passed to `console.count` and `console.countReset` before sending them to |
| the `ConsoleClient` so that an error can be thrown if the first argument doesn't `toString` |
| nicely (e.g. without throwing an error). |
| |
| Generate call stacks for `console.countReset` to match other `console` methods. Also do this |
| for `console.time`, `console.timeLog`, and `console.timeEnd`. Limit the call stack to only |
| have the top frame, so no unnecessary/extra data is sent to the frontend (right now, only |
| the call location is displayed). |
| |
| Rename `title` to `label` for `console.time`, `console.timeLog`, and `console.timeEnd` to |
| better match the spec. |
| |
| * runtime/ConsoleClient.h: |
| * runtime/ConsoleObject.cpp: |
| (JSC::valueOrDefaultLabelString): |
| (JSC::consoleProtoFuncCount): |
| (JSC::consoleProtoFuncCountReset): |
| (JSC::consoleProtoFuncTime): |
| (JSC::consoleProtoFuncTimeLog): |
| (JSC::consoleProtoFuncTimeEnd): |
| |
| * inspector/JSGlobalObjectConsoleClient.h: |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| (Inspector::JSGlobalObjectConsoleClient::count): |
| (Inspector::JSGlobalObjectConsoleClient::countReset): |
| (Inspector::JSGlobalObjectConsoleClient::time): |
| (Inspector::JSGlobalObjectConsoleClient::timeLog): |
| (Inspector::JSGlobalObjectConsoleClient::timeEnd): |
| |
| * inspector/agents/InspectorConsoleAgent.h: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| (Inspector::InspectorConsoleAgent::startTiming): |
| (Inspector::InspectorConsoleAgent::logTiming): |
| (Inspector::InspectorConsoleAgent::stopTiming): |
| (Inspector::InspectorConsoleAgent::count): |
| (Inspector::InspectorConsoleAgent::countReset): |
| (Inspector::InspectorConsoleAgent::getCounterLabel): Deleted. |
| |
| * inspector/ConsoleMessage.h: |
| * inspector/ConsoleMessage.cpp: |
| (Inspector::ConsoleMessage::ConsoleMessage): |
| Allow `ConsoleMessage`s to be created with both `ScriptArguments` and a `ScriptCallStack`. |
| |
| 2019-06-27 Fujii Hironori <Hironori.Fujii@sony.com> |
| |
| [CMake] Bump cmake_minimum_required version to 3.10 |
| https://bugs.webkit.org/show_bug.cgi?id=199181 |
| |
| Reviewed by Don Olmstead. |
| |
| * CMakeLists.txt: |
| |
| 2019-06-26 Basuke Suzuki <Basuke.Suzuki@sony.com> |
| |
| [RemoteInspector] Add address argument to listen for RemoteInspectorServer Socket implementation. |
| https://bugs.webkit.org/show_bug.cgi?id=199035 |
| |
| Reviewed by Ross Kirsling. |
| |
| Added new argument `address` to start listening. |
| |
| * inspector/remote/socket/RemoteInspectorServer.cpp: |
| (Inspector::RemoteInspectorServer::start): |
| * inspector/remote/socket/RemoteInspectorServer.h: |
| * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: |
| (Inspector::Socket::listen): |
| * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp: |
| (Inspector::Socket::listen): |
| |
| 2019-06-26 Keith Miller <keith_miller@apple.com> |
| |
| speciesConstruct needs to throw if the result is a DataView |
| https://bugs.webkit.org/show_bug.cgi?id=199231 |
| |
| Reviewed by Mark Lam. |
| |
| Previously, we only checked that the result was a |
| JSArrayBufferView, which can include DataViews. This is incorrect |
| as the result should only be a TypedArray. |
| |
| * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: |
| (JSC::speciesConstruct): |
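The check described in the entry above, observed from script as an added example (not WebKit code; the class and function names are chosen for the illustration). A TypedArray subclass overrides `Symbol.species` so that the species constructor returns a DataView. A DataView wraps an ArrayBuffer but is not a TypedArray, so the spec's TypedArraySpeciesCreate must reject it with a TypeError rather than let a method such as `slice` proceed on an object with the wrong layout; a well-behaved subclass is shown alongside for contrast.

```javascript
// Added example, not JavaScriptCore code. Demonstrates that a species
// constructor producing a DataView is rejected with a TypeError.

// A subclass that leaves Symbol.species alone: slice() yields a WellBehaved.
class WellBehaved extends Uint8Array {}

// A subclass whose species constructor hands back a DataView. A plain
// function is a valid constructor, and when invoked via Construct it returns
// the object it returns explicitly, here a DataView rather than a typed array.
class SpeciesReturnsDataView extends Uint8Array {
  static get [Symbol.species]() {
    return function FakeSpecies(length) {
      return new DataView(new ArrayBuffer(length));
    };
  }
}

// Runs arr.slice(1, 3) and reports the outcome instead of letting it escape,
// so both the success and the rejection path can be inspected.
function sliceOutcome(arr) {
  try {
    const result = arr.slice(1, 3);
    return { threw: false, ctorName: result.constructor.name, length: result.length };
  } catch (e) {
    return { threw: true, errorName: e.name };
  }
}

// Constructed sample input for both subclasses.
function demo() {
  return {
    good: sliceOutcome(new WellBehaved([1, 2, 3, 4])),
    bad: sliceOutcome(new SpeciesReturnsDataView([1, 2, 3, 4])),
  };
}
```

`demo().good` reports a two-element `WellBehaved` result, while `demo().bad` reports `threw: true` with `errorName: 'TypeError'`: the engine validates the object the species constructor produced before using it, which is exactly the check the entry tightens from "any JSArrayBufferView" to "a TypedArray".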
| |
| 2019-06-26 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Web Inspector: Implement console.countReset |
| https://bugs.webkit.org/show_bug.cgi?id=199200 |
| |
| Reviewed by Devin Rousso. |
| |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| (Inspector::JSGlobalObjectConsoleClient::countReset): |
| * inspector/JSGlobalObjectConsoleClient.h: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| (Inspector::InspectorConsoleAgent::getCounterLabel): |
| (Inspector::InspectorConsoleAgent::count): |
| (Inspector::InspectorConsoleAgent::countReset): |
| * inspector/agents/InspectorConsoleAgent.h: |
| * runtime/ConsoleClient.h: |
| * runtime/ConsoleObject.cpp: |
| (JSC::ConsoleObject::finishCreation): |
| (JSC::consoleProtoFuncCountReset): |
| |
| 2019-06-26 Keith Miller <keith_miller@apple.com> |
| |
| remove unneeded didBecomePrototype() calls |
| https://bugs.webkit.org/show_bug.cgi?id=199221 |
| |
| Reviewed by Saam Barati. |
| |
| Since we now set didBecomePrototype in Structure::create we don't |
| need to set it explicitly in most of our finishCreation |
| methods. The only exception to this is object prototype, which we |
| set as the prototype of function prototype late (via |
| setPrototypeWithoutTransition). |
| |
| * inspector/JSInjectedScriptHostPrototype.cpp: |
| (Inspector::JSInjectedScriptHostPrototype::finishCreation): |
| * inspector/JSJavaScriptCallFramePrototype.cpp: |
| (Inspector::JSJavaScriptCallFramePrototype::finishCreation): |
| * runtime/ArrayIteratorPrototype.cpp: |
| (JSC::ArrayIteratorPrototype::finishCreation): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::ArrayPrototype::finishCreation): |
| * runtime/AsyncFromSyncIteratorPrototype.cpp: |
| (JSC::AsyncFromSyncIteratorPrototype::finishCreation): |
| * runtime/AsyncFunctionPrototype.cpp: |
| (JSC::AsyncFunctionPrototype::finishCreation): |
| * runtime/AsyncGeneratorFunctionPrototype.cpp: |
| (JSC::AsyncGeneratorFunctionPrototype::finishCreation): |
| * runtime/AsyncGeneratorPrototype.cpp: |
| (JSC::AsyncGeneratorPrototype::finishCreation): |
| * runtime/AsyncIteratorPrototype.cpp: |
| (JSC::AsyncIteratorPrototype::finishCreation): |
| * runtime/GeneratorFunctionPrototype.cpp: |
| (JSC::GeneratorFunctionPrototype::finishCreation): |
| * runtime/GeneratorPrototype.cpp: |
| (JSC::GeneratorPrototype::finishCreation): |
| * runtime/IteratorPrototype.cpp: |
| (JSC::IteratorPrototype::finishCreation): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| * runtime/MapIteratorPrototype.cpp: |
| (JSC::MapIteratorPrototype::finishCreation): |
| * runtime/MapPrototype.cpp: |
| (JSC::MapPrototype::finishCreation): |
| * runtime/ObjectPrototype.cpp: |
| (JSC::ObjectPrototype::finishCreation): |
| * runtime/RegExpStringIteratorPrototype.cpp: |
| (JSC::RegExpStringIteratorPrototype::finishCreation): |
| * runtime/SetIteratorPrototype.cpp: |
| (JSC::SetIteratorPrototype::finishCreation): |
| * runtime/SetPrototype.cpp: |
| (JSC::SetPrototype::finishCreation): |
| * runtime/StringIteratorPrototype.cpp: |
| (JSC::StringIteratorPrototype::finishCreation): |
| * runtime/WeakMapPrototype.cpp: |
| (JSC::WeakMapPrototype::finishCreation): |
| * runtime/WeakObjectRefPrototype.cpp: |
| (JSC::WeakObjectRefPrototype::finishCreation): |
| * runtime/WeakSetPrototype.cpp: |
| (JSC::WeakSetPrototype::finishCreation): |
| |
| 2019-06-25 Keith Miller <keith_miller@apple.com> |
| |
| Structure::create should call didBecomePrototype() |
| https://bugs.webkit.org/show_bug.cgi?id=196315 |
| |
| Reviewed by Filip Pizlo. |
| |
| Structure::create should also assert that the indexing type makes sense |
| for the prototype being used. |
| |
| * runtime/JSObject.h: |
| * runtime/Structure.cpp: |
| (JSC::Structure::isValidPrototype): |
| (JSC::Structure::changePrototypeTransition): |
| * runtime/Structure.h: |
| (JSC::Structure::create): Deleted. |
| * runtime/StructureInlines.h: |
| (JSC::Structure::create): |
| (JSC::Structure::setPrototypeWithoutTransition): |
| |
| 2019-06-25 Joseph Pecoraro <pecoraro@apple.com> |
| |
| Web Inspector: Implement console.timeLog |
| https://bugs.webkit.org/show_bug.cgi?id=199184 |
| |
| Reviewed by Devin Rousso. |
| |
| * inspector/JSGlobalObjectConsoleClient.cpp: |
| (Inspector::JSGlobalObjectConsoleClient::timeLog): |
| * inspector/JSGlobalObjectConsoleClient.h: |
| * inspector/agents/InspectorConsoleAgent.cpp: |
| (Inspector::InspectorConsoleAgent::logTiming): |
| (Inspector::InspectorConsoleAgent::stopTiming): |
| * inspector/agents/InspectorConsoleAgent.h: |
| * runtime/ConsoleClient.h: |
| * runtime/ConsoleObject.cpp: |
| (JSC::ConsoleObject::finishCreation): |
| (JSC::consoleProtoFuncTimeLog): |
| |
| 2019-06-25 Michael Catanzaro <mcatanzaro@igalia.com> |
| |
| REGRESSION(r245586): static assertion failed: Match result and EncodedMatchResult should be the same size |
| https://bugs.webkit.org/show_bug.cgi?id=198518 |
| |
| Reviewed by Keith Miller. |
| |
| r245586 made some bad assumptions about the size of size_t, which we can solve using the |
| CPU(ADDRESS32) guard that I didn't know about. |
| |
| This solution was developed by Mark Lam and Keith Miller. I'm just preparing the patch. |
| |
| * runtime/MatchResult.h: |
| |
| 2019-06-24 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r246714. |
| https://bugs.webkit.org/show_bug.cgi?id=199179 |
| |
| revert to do patch in a different way. (Requested by keith_mi_ |
| on #webkit). |
| |
| Reverted changeset: |
| |
| "All prototypes should call didBecomePrototype()" |
| https://bugs.webkit.org/show_bug.cgi?id=196315 |
| https://trac.webkit.org/changeset/246714 |
| |
| 2019-06-24 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Add Array.prototype.{flat,flatMap} to unscopables |
| https://bugs.webkit.org/show_bug.cgi?id=194322 |
| |
| Reviewed by Keith Miller. |
| |
| * runtime/ArrayPrototype.cpp: |
| (JSC::ArrayPrototype::finishCreation): |
| |
| 2019-06-24 Mark Lam <mark.lam@apple.com> |
| |
| ArraySlice needs to keep the source array alive. |
| https://bugs.webkit.org/show_bug.cgi?id=197374 |
| <rdar://problem/50304429> |
| |
| Reviewed by Michael Saboff and Filip Pizlo. |
| |
| The implementation of the FTL ArraySlice intrinsics may GC while allocating the |
| result array and its butterfly. Previously, ArraySlice already keeps the source |
| butterfly alive in order to copy from it to the new butterfly after the allocation. |
| Unfortunately, this is not enough. We also need to keep the source array alive |
| so that GC will scan the values in the butterfly as well. Note: the butterfly |
| does not have a visitChildren() method to do this scan. It's the parent object's |
| responsibility to do the scanning. |
| |
| This patch fixes this by introducing a keepAlive() utility method, and we use it |
| to keep the source array alive while allocating the result array and butterfly. |
| |
| keepAlive() works by using a patchpoint to communicate to B3 that a value (the |
| source array in this case) is still in use. It also uses a fence to keep B3 from |
| relocating the patchpoint, which may defeat the fix. |
| |
| For the DFG's SpeculativeJIT::compileArraySlice(), we may have lucked out and the |
| source array cell is kept alive. This patch makes it explicit that we should |
| keep its cell alive till after the result array has been allocated. |
| |
| For the Baseline JIT and LLInt, we use the arrayProtoFuncSlice() runtime function |
| and there is no issue because the source array (in "thisObj") is in the element |
| copying loop that follows the allocation of the result array. However, for |
| documentation purposes, this patch adds a call to HeapCell::use() to indicate that |
| the source array needs to be kept alive at least until after the allocation of the |
| result array. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileArraySlice): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice): |
| (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray): |
| (JSC::FTL::DFG::LowerDFGToB3::keepAlive): |
| * runtime/ArrayPrototype.cpp: |
| (JSC::arrayProtoFuncSlice): |
| |
| 2019-06-22 Robin Morisset <rmorisset@apple.com> and Yusuke Suzuki <ysuzuki@apple.com> |
| |
| All prototypes should call didBecomePrototype() |
| https://bugs.webkit.org/show_bug.cgi?id=196315 |
| |
| Reviewed by Saam Barati. |
| |
| Otherwise we won't remember to run haveABadTime() when someone adds to them an indexed accessor. |
| |
| I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't |
| create structures with invalid prototypes. |
| It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation(). |
| Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype. |
| |
| * runtime/BigIntPrototype.cpp: |
| (JSC::BigIntPrototype::finishCreation): |
| * runtime/BooleanPrototype.cpp: |
| (JSC::BooleanPrototype::finishCreation): |
| * runtime/DatePrototype.cpp: |
| (JSC::DatePrototype::finishCreation): |
| * runtime/ErrorConstructor.cpp: |
| (JSC::ErrorConstructor::finishCreation): |
| * runtime/ErrorPrototype.cpp: |
| (JSC::ErrorPrototype::finishCreation): |
| * runtime/FunctionConstructor.cpp: |
| (JSC::FunctionConstructor::finishCreation): |
| * runtime/FunctionPrototype.cpp: |
| (JSC::FunctionPrototype::finishCreation): |
| * runtime/IntlCollatorPrototype.cpp: |
| (JSC::IntlCollatorPrototype::finishCreation): |
| * runtime/IntlDateTimeFormatPrototype.cpp: |
| (JSC::IntlDateTimeFormatPrototype::finishCreation): |
| * runtime/IntlNumberFormatPrototype.cpp: |
| (JSC::IntlNumberFormatPrototype::finishCreation): |
| * runtime/IntlPluralRulesPrototype.cpp: |
| (JSC::IntlPluralRulesPrototype::finishCreation): |
| * runtime/JSArrayBufferPrototype.cpp: |
| (JSC::JSArrayBufferPrototype::finishCreation): |
| * runtime/JSDataViewPrototype.cpp: |
| (JSC::JSDataViewPrototype::finishCreation): |
| * runtime/JSGenericTypedArrayViewPrototypeInlines.h: |
| (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation): |
| * runtime/JSGlobalObject.cpp: |
| (JSC::createConsoleProperty): |
| * runtime/JSPromisePrototype.cpp: |
| (JSC::JSPromisePrototype::finishCreation): |
| * runtime/JSTypedArrayViewConstructor.cpp: |
| (JSC::JSTypedArrayViewConstructor::finishCreation): |
| * runtime/JSTypedArrayViewPrototype.cpp: |
| (JSC::JSTypedArrayViewPrototype::finishCreation): |
| * runtime/NumberPrototype.cpp: |
| (JSC::NumberPrototype::finishCreation): |
| * runtime/RegExpPrototype.cpp: |
| (JSC::RegExpPrototype::finishCreation): |
| * runtime/StringPrototype.cpp: |
| (JSC::StringPrototype::finishCreation): |
| * runtime/Structure.cpp: |
| (JSC::Structure::isValidPrototype): |
| (JSC::Structure::changePrototypeTransition): |
| * runtime/Structure.h: |
| * runtime/StructureInlines.h: |
| (JSC::Structure::setPrototypeWithoutTransition): |
| * runtime/SymbolPrototype.cpp: |
| (JSC::SymbolPrototype::finishCreation): |
| * wasm/js/WebAssemblyCompileErrorPrototype.cpp: |
| (JSC::WebAssemblyCompileErrorPrototype::finishCreation): |
| * wasm/js/WebAssemblyInstancePrototype.cpp: |
| (JSC::WebAssemblyInstancePrototype::finishCreation): |
| * wasm/js/WebAssemblyLinkErrorPrototype.cpp: |
| (JSC::WebAssemblyLinkErrorPrototype::finishCreation): |
| * wasm/js/WebAssemblyMemoryPrototype.cpp: |
| (JSC::WebAssemblyMemoryPrototype::finishCreation): |
| * wasm/js/WebAssemblyModulePrototype.cpp: |
| (JSC::WebAssemblyModulePrototype::finishCreation): |
| * wasm/js/WebAssemblyPrototype.cpp: |
| (JSC::WebAssemblyPrototype::finishCreation): |
| * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: |
| (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation): |
| * wasm/js/WebAssemblyTablePrototype.cpp: |
| (JSC::WebAssemblyTablePrototype::finishCreation): |
| |
| 2019-06-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Strict, Sloppy and Arrow functions should have different classInfo |
| https://bugs.webkit.org/show_bug.cgi?id=197631 |
| |
| Reviewed by Saam Barati. |
| |
| If a constructor inherits a builtin class, it creates a Structure which is subclassing the builtin class. |
| This is done by using InternalFunction::createSubclassStructure. But to accelerate the common cases, we |
| cache the created structure in InternalFunctionAllocationProfile. Whether the cache is valid is checked |
| by comparing classInfo of the cached structure and the given base structure. This implicitly assumes that |
| each builtin class's InternalFunction creates an instance based on one structure. |
| |
| However, Function constructor is an exception: Function constructor creates an instance which has different |
| structures based on a parameter. If strict code is given (e.g. "'use strict'"), it creates a function |
| instance with strict function structure. |
| |
| As a result, InternalFunctionAllocationProfile incorrectly caches the structure. Consider the following code. |
| |
| class A extends Function { }; |
| let a = new A("'use strict'"); |
| let b = new A(""); |
| |
| While `a` and `b` should have different structures, `A` caches the structure for `a`, and reuses it even when the given |
| code is not strict code. This is problematic: We are separating structures of strict, sloppy, and arrow functions |
| because they have different properties. However, in the above case, a and b have the same structure while they have |
| different properties. So it causes incorrect structure-based caching in JSC. One example is HasOwnPropertyCache. |
| |
| In this patch, we introduce JSStrictFunction, JSSloppyFunction, and JSArrowFunction classes and classInfos. This design |
| works well and already partially accepted for JSGeneratorFunction, JSAsyncGeneratorFunction, and JSAsyncFunction. Each |
| structure now has a different classInfo so that InternalFunctionAllocationProfile correctly caches and invalidates the |
| cached one based on the classInfo. Since we already have different structures for these instances, and DFG and FTL |
| optimizations are based on JSFunctionType (not classInfo), introducing these three classInfos does not break the optimization. |
| |
| Note that structures on ArrayConstructor do not cause the same problem. It only uses Undecided indexing typed array |
| structure in InternalFunctionAllocationProfile, and once haveABadTime happens, it clears InternalFunctionAllocationProfile. |
| |
| * runtime/JSAsyncFunction.h: This subspaceFor is not necessary since it is defined in JSFunction. And we already ensure that |
| sizeof(JSAsyncFunction) == sizeof(JSFunction). |
| * runtime/JSAsyncGeneratorFunction.cpp: |
| * runtime/JSAsyncGeneratorFunction.h: Ditto. |
| * runtime/JSFunction.cpp: |
| * runtime/JSFunction.h: |
| * runtime/JSGeneratorFunction.h: Ditto. |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
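Why the three kinds of function need distinct structures, shown from script as an added example (not WebKit code; `A` mirrors the entry's snippet, and `describeFunction` and `compareFunctionKinds` are names chosen for the illustration). Strict, sloppy and arrow functions carry different own property sets, so an engine that cached one structure for everything the `Function` subclass produces would answer property-existence lookups such as HasOwnPropertyCache incorrectly for at least one of them. The example records the own properties that differ.

```javascript
// Added example, not JavaScriptCore code. Shows the observable property-set
// differences between strict, sloppy and arrow functions created through a
// Function subclass, which is why they must not share one cached structure.

class A extends Function {}

// Reports the own-property facts that differ between the three function kinds.
function describeFunction(fn) {
  const own = (name) => Object.prototype.hasOwnProperty.call(fn, name);
  return {
    ownArguments: own('arguments'),
    ownCaller: own('caller'),
    ownPrototype: own('prototype'),
    instanceOfA: fn instanceof A,
  };
}

// Builds one function of each kind via the subclass and describes them.
function compareFunctionKinds() {
  const strict = new A("'use strict'");        // strict body: no own arguments/caller
  const sloppy = new A('');                    // sloppy body: own arguments and caller accessors
  const arrow = new A('return () => {};')();   // arrow: no own prototype, not an instance of A
  return {
    strict: describeFunction(strict),
    sloppy: describeFunction(sloppy),
    arrow: describeFunction(arrow),
  };
}
```

`compareFunctionKinds()` shows the sloppy function with own `arguments`, `caller` and `prototype`, the strict function with only `prototype`, and the arrow function with none of the three (and, since it is produced by calling the constructed function rather than constructing it, not an instance of `A`). Two objects with different own properties answering the same structure-keyed cache is precisely the inconsistency the entry removes by giving each kind its own classInfo.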
| |
| 2019-06-22 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] ClassExpr should not store result in the middle of evaluation |
| https://bugs.webkit.org/show_bug.cgi?id=199106 |
| |
| Reviewed by Tadeu Zagallo. |
| |
| Let's consider the case, |
| |
| let a = class A { |
| static get[a=0x12345678]() { |
| } |
| }; |
| |
| When evaluating `class A` expression, we should not use the local register for `let a` |
| until we finally store it to that register. Otherwise, `a=0x12345678` will override it. |
| Our BytecodeGenerator does this by using tempDestination and finalDestination, but |
| we did not do that in ClassExprNode. |
| |
| This patch leverages tempDestination and finalDestination to store `class A` result finally, |
| while we attempt to reduce mov. |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::ClassExprNode::emitBytecode): |
| |
| 2019-06-21 Sihui Liu <sihui_liu@apple.com> |
| |
| openDatabase should return an empty object when WebSQL is disabled |
| https://bugs.webkit.org/show_bug.cgi?id=198805 |
| |
| Reviewed by Geoffrey Garen. |
| |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::createFunctionThatMasqueradesAsUndefined): |
| * runtime/JSFunction.h: |
| |
| 2019-06-21 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Remove extra check in RegExp @matchSlow |
| https://bugs.webkit.org/show_bug.cgi?id=198846 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| The type of the RegExp `exec` result is already asserted in @regExpExec. |
| |
| * builtins/RegExpPrototype.js: |
| (globalPrivate.matchSlow): Remove isObject check. |
| |
| 2019-06-20 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs |
| https://bugs.webkit.org/show_bug.cgi?id=199044 |
| |
| Reviewed by Saam Barati. |
| |
| Fix parsing table indices from the element section. The byte that we previously read as the table index actually tells us how to parse the table index. |
| Fix some areas where we got the isSubtype check wrong, causing funcrefs to not be considered anyrefs. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::unify): |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseElement): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::unify): |
| |
| 2019-06-18 Darin Adler <darin@apple.com> |
| |
| Tidy up the remaining bits of the AtomicString to AtomString rename |
| https://bugs.webkit.org/show_bug.cgi?id=198990 |
| |
| Reviewed by Michael Catanzaro. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): Use flagIsAtom. |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): Ditto. |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): Ditto. |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty): Ditto. |
| (JSC::FTL::DFG::LowerDFGToB3::speculateStringIdent): Ditto. |
| |
| 2019-06-19 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Optimize `resolve` method lookup in Promise static methods |
| https://bugs.webkit.org/show_bug.cgi?id=198864 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Look up the `resolve` method only once in Promise.{all,allSettled,race}. |
| (https://github.com/tc39/ecma262/pull/1506) |
| |
| Already implemented in V8. |
| |
| * builtins/PromiseConstructor.js: |
| |
| 2019-06-19 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Some of the ASSERTs in CachedTypes.cpp should be RELEASE_ASSERTs |
| https://bugs.webkit.org/show_bug.cgi?id=199030 |
| |
| Reviewed by Mark Lam. |
| |
| These assertions represent strong assumptions that the cache makes so |
| it's not safe to keep executing if they fail. |
| |
| * runtime/CachedTypes.cpp: |
| (JSC::Encoder::malloc): |
| (JSC::Encoder::Page::alignEnd): |
| (JSC::Decoder::ptrForOffsetFromBase): |
| (JSC::Decoder::handleForEnvironment const): |
| (JSC::Decoder::setHandleForEnvironment): |
| (JSC::CachedPtr::get const): |
| (JSC::CachedOptional::encode): |
| (JSC::CachedOptional::decodeAsPtr const): Deleted. |
| |
| 2019-06-19 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [WPE][GTK] Fix build with unified sources disabled |
| https://bugs.webkit.org/show_bug.cgi?id=198752 |
| |
| Reviewed by Michael Catanzaro. |
| |
| * runtime/WeakObjectRefConstructor.h: Add missing inclusion of InternalFunction.h |
| and forward declaration of WeakObjectRefPrototype. |
| * wasm/js/WebAssemblyFunction.cpp: Add missing inclusion of JSWebAssemblyHelpers.h |
| |
| 2019-06-19 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Rename anyfunc to funcref |
| https://bugs.webkit.org/show_bug.cgi?id=198983 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Anyfunc should become funcref since it was renamed in the spec. We should also support the string 'anyfunc' in the table constructor since this is |
| the only non-binary-format place where it is exposed to users. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::gFuncref): |
| (JSC::Wasm::AirIRGenerator::tmpForType): |
| (JSC::Wasm::AirIRGenerator::emitCCall): |
| (JSC::Wasm::AirIRGenerator::moveOpForValueType): |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::addLocal): |
| (JSC::Wasm::AirIRGenerator::addConstant): |
| (JSC::Wasm::AirIRGenerator::addRefFunc): |
| (JSC::Wasm::AirIRGenerator::addReturn): |
| (JSC::Wasm::AirIRGenerator::gAnyfunc): Deleted. |
| * wasm/WasmCallingConvention.h: |
| (JSC::Wasm::CallingConventionAir::marshallArgument const): |
| (JSC::Wasm::CallingConventionAir::setupCall const): |
| * wasm/WasmExceptionType.h: |
| * wasm/WasmFormat.h: |
| (JSC::Wasm::isValueType): |
| (JSC::Wasm::isSubtype): |
| (JSC::Wasm::TableInformation::wasmType const): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseTableHelper): |
| (JSC::Wasm::SectionParser::parseElement): |
| (JSC::Wasm::SectionParser::parseInitExpr): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::addRefFunc): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::wasmToJS): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::callWebAssemblyFunction): |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| * wasm/wasm.json: |
| |
| 2019-06-19 Fujii Hironori <Hironori.Fujii@sony.com> |
| |
| [CMake][Win] CombinedDomains.json is generated twice in JavaScriptCore_CopyPrivateHeaders and JavaScriptCore projects |
| https://bugs.webkit.org/show_bug.cgi?id=198853 |
| |
| Reviewed by Don Olmstead. |
| |
| JavaScriptCore_CopyPrivateHeaders target needs to have a direct or |
| indirect dependency on the JavaScriptCore target for the CMake Visual |
| Studio generator to eliminate duplicated custom commands. |
| |
| * CMakeLists.txt: Added JavaScriptCore as a dependency of JavaScriptCore_CopyPrivateHeaders. |
| |
| 2019-06-18 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] JSLock should be WebThread aware |
| https://bugs.webkit.org/show_bug.cgi?id=198911 |
| |
| Reviewed by Geoffrey Garen. |
| |
| Since WebKitLegacy content rendering is done in WebThread instead of the main thread in iOS, users of WebKitLegacy (e.g. UIWebView) need |
| to grab the WebThread lock (which is a recursive lock) in the main thread when touching the WebKitLegacy content. |
| But, WebKitLegacy can expose JSContext for the web view. And we can interact with the JS content through JavaScriptCore APIs. However, |
| since WebThread is a concept in WebCore, JavaScriptCore APIs do not grab the WebThread lock. As a result, WebKitLegacy web content can be |
| modified from the main thread without grabbing the WebThread lock through JavaScriptCore APIs. |
| |
| This patch makes JSC aware of WebThread: JSLock grabs the WebThread lock before grabbing JS's lock. While this seems like a layering violation, |
| we already have many USE(WEB_THREAD) and WebThread aware code in WTF. Eventually, we should move WebThread code from WebCore to WTF since |
| JSC and WTF need to be aware of WebThread. But, for now, we just use the function pointer exposed by WebCore. |
| |
| Since both JSLock and the WebThread lock are recursive locks, nested locking is totally OK. The possible problem is the order of locking. |
| We ensure that we always grab locks in (1) the WebThread lock and (2) JSLock order. |
| |
| In JSLock, we take the WebThread lock, but we do not unlock it. This is how we use the WebThread lock: the WebThread lock is released |
| automatically when RunLoop finishes the current cycle, and in WebKitLegacy, we do not call the unlocking function of the WebThread lock except |
| for some edge cases. |
| |
| * API/JSVirtualMachine.mm: |
| (-[JSVirtualMachine isWebThreadAware]): |
| * API/JSVirtualMachineInternal.h: |
| * runtime/JSLock.cpp: |
| (JSC::JSLockHolder::JSLockHolder): |
| (JSC::JSLock::lock): |
| (JSC::JSLockHolder::init): Deleted. |
| * runtime/JSLock.h: |
| (JSC::JSLock::makeWebThreadAware): |
| (JSC::JSLock::isWebThreadAware const): |
| |
| 2019-06-18 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Add support for Table.size, grow and fill instructions |
| https://bugs.webkit.org/show_bug.cgi?id=198761 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add support for Table.size, grow and fill instructions. This also required |
| adding support for two-byte opcodes to the ops generator. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::gAnyref): |
| (JSC::Wasm::AirIRGenerator::tmpForType): |
| (JSC::Wasm::AirIRGenerator::addTableSize): |
| (JSC::Wasm::AirIRGenerator::addTableGrow): |
| (JSC::Wasm::AirIRGenerator::addTableFill): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::addTableSize): |
| (JSC::Wasm::B3IRGenerator::addTableGrow): |
| (JSC::Wasm::B3IRGenerator::addTableFill): |
| * wasm/WasmExceptionType.h: |
| * wasm/WasmFormat.h: |
| (JSC::Wasm::TableInformation::wasmType const): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression): |
| * wasm/WasmInstance.cpp: |
| (JSC::Wasm::doWasmTableGrow): |
| (JSC::Wasm::doWasmTableFill): |
| * wasm/WasmInstance.h: |
| * wasm/WasmTable.cpp: |
| (JSC::Wasm::Table::grow): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::addTableSize): |
| (JSC::Wasm::Validate::addTableGrow): |
| (JSC::Wasm::Validate::addTableFill): |
| * wasm/generateWasmOpsHeader.py: |
| (opcodeMacroizer): |
| (ExtTableOpType): |
| * wasm/wasm.json: |
| |
| 2019-06-18 Keith Miller <keith_miller@apple.com> |
| |
| Unreviewed, fix signature of currentWeakRefVersion to return an uintptr_t. |
| |
| * runtime/VM.h: |
| (JSC::VM::currentWeakRefVersion const): |
| |
| 2019-06-18 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Add support for multiple tables |
| https://bugs.webkit.org/show_bug.cgi?id=198760 |
| |
| Reviewed by Saam Barati. |
| |
| Support multiple wasm tables. We turn tableInformation into a tables array, and update all of the |
| existing users to give a table index. The array of Tables in Wasm::Instance is hung off the tail |
| to make it easier to use from jit code. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::addTableGet): |
| (JSC::Wasm::AirIRGenerator::addTableSet): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::B3IRGenerator): |
| (JSC::Wasm::B3IRGenerator::addTableGet): |
| (JSC::Wasm::B3IRGenerator::addTableSet): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| * wasm/WasmExceptionType.h: |
| * wasm/WasmFormat.h: |
| (JSC::Wasm::Element::Element): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression): |
| * wasm/WasmInstance.cpp: |
| (JSC::Wasm::Instance::Instance): |
| (JSC::Wasm::Instance::create): |
| (JSC::Wasm::Instance::extraMemoryAllocated const): |
| (JSC::Wasm::Instance::table): |
| (JSC::Wasm::Instance::setTable): |
| * wasm/WasmInstance.h: |
| (JSC::Wasm::Instance::updateCachedMemory): |
| (JSC::Wasm::Instance::offsetOfGlobals): |
| (JSC::Wasm::Instance::offsetOfTablePtr): |
| (JSC::Wasm::Instance::allocationSize): |
| (JSC::Wasm::Instance::table): Deleted. |
| (JSC::Wasm::Instance::setTable): Deleted. |
| (JSC::Wasm::Instance::offsetOfTable): Deleted. |
| * wasm/WasmModuleInformation.h: |
| (JSC::Wasm::ModuleInformation::tableCount const): |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseImport): |
| (JSC::Wasm::SectionParser::parseTableHelper): |
| (JSC::Wasm::SectionParser::parseTable): |
| (JSC::Wasm::SectionParser::parseElement): |
| * wasm/WasmTable.h: |
| (JSC::Wasm::Table::owner const): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::addTableGet): |
| (JSC::Wasm::Validate::addTableSet): |
| (JSC::Wasm::Validate::addCallIndirect): |
| * wasm/js/JSWebAssemblyInstance.cpp: |
| (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): |
| (JSC::JSWebAssemblyInstance::visitChildren): |
| * wasm/js/JSWebAssemblyInstance.h: |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| (JSC::WebAssemblyModuleRecord::evaluate): |
| * wasm/wasm.json: |
| |
| 2019-06-18 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| [ESNext] String.prototype.matchAll |
| https://bugs.webkit.org/show_bug.cgi?id=186694 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Implement String.prototype.matchAll. |
| (https://tc39.es/ecma262/#sec-string.prototype.matchall) |
| |
| Also rename @globalPrivate @constructor functions and C++ variables holding them. |
| |
| Shipping in Chrome since version 73. |
| Shipping in Firefox since version 67. |
| |
| * CMakeLists.txt: |
| * DerivedSources-input.xcfilelist: |
| * DerivedSources.make: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Scripts/wkbuiltins/builtins_generate_combined_header.py: |
| (get_var_name): |
| (generate_section_for_global_private_code_name_macro): |
| * Sources.txt: |
| * builtins/ArrayPrototype.js: |
| (globalPrivate.ArrayIterator): |
| (values): |
| (keys): |
| (entries): |
| (globalPrivate.createArrayIterator): Deleted. |
| * builtins/AsyncFromSyncIteratorPrototype.js: |
| (globalPrivate.createAsyncFromSyncIterator): |
| (globalPrivate.AsyncFromSyncIterator): |
| (globalPrivate.AsyncFromSyncIteratorConstructor): Deleted. |
| * builtins/BuiltinNames.h: |
| * builtins/MapPrototype.js: |
| (globalPrivate.MapIterator): |
| (values): |
| (keys): |
| (entries): |
| (globalPrivate.createMapIterator): Deleted. |
| * builtins/RegExpPrototype.js: |
| (globalPrivate.RegExpStringIterator): |
| (overriddenName.string_appeared_here.matchAll): |
| * builtins/RegExpStringIteratorPrototype.js: Added. |
| (next): |
| * builtins/SetPrototype.js: |
| (globalPrivate.SetIterator): |
| (values): |
| (entries): |
| (globalPrivate.createSetIterator): Deleted. |
| * builtins/StringPrototype.js: |
| (matchAll): |
| * builtins/TypedArrayPrototype.js: |
| (values): |
| (keys): |
| (entries): |
| * runtime/CommonIdentifiers.h: |
| * runtime/JSGlobalObject.cpp: |
| (JSC::JSGlobalObject::init): |
| * runtime/RegExpPrototype.cpp: |
| (JSC::RegExpPrototype::finishCreation): |
| * runtime/RegExpStringIteratorPrototype.cpp: Added. |
| (JSC::RegExpStringIteratorPrototype::finishCreation): |
| * runtime/RegExpStringIteratorPrototype.h: Added. |
| * runtime/StringPrototype.cpp: |
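A plain-JavaScript model of the matchAll algorithm the entry above implements, as an added example (not JSC's builtins); it follows the current spec text, including the TypeError for a non-global RegExp, and the function names are this example's own:

```javascript
// Added example, not JavaScriptCore's builtins: a plain-JavaScript model of
// String.prototype.matchAll and the %RegExpStringIteratorPrototype%.next
// algorithm from https://tc39.es/ecma262/#sec-string.prototype.matchall.
// Names (advanceStringIndex, makeRegExpStringIterator, stringMatchAll,
// collectMatches) are this example's own.

// AdvanceStringIndex(S, index, unicode): in Unicode mode step over a whole
// surrogate pair, otherwise advance one code unit. This is what keeps an
// empty match from re-matching at the same position forever.
function advanceStringIndex(s, index, unicode) {
  if (!unicode || index + 1 >= s.length) return index + 1;
  const lead = s.charCodeAt(index);
  if (lead < 0xd800 || lead > 0xdbff) return index + 1;
  const trail = s.charCodeAt(index + 1);
  if (trail < 0xdc00 || trail > 0xdfff) return index + 1;
  return index + 2;
}

// CreateRegExpStringIterator(R, S, global, fullUnicode): `regexp` is a private
// clone, so advancing its lastIndex never leaks to the caller's RegExp.
function makeRegExpStringIterator(regexp, string, global, fullUnicode) {
  let done = false;
  return {
    next() {
      if (done) return { value: undefined, done: true };
      const match = regexp.exec(string); // RegExpExec(R, S)
      if (match === null) {
        done = true;
        return { value: undefined, done: true };
      }
      if (!global) {
        done = true; // non-global: exactly one match is produced
        return { value: match, done: false };
      }
      if (String(match[0]) === "") {
        // Empty match: bump lastIndex so the next exec makes progress.
        const thisIndex = Number(regexp.lastIndex);
        regexp.lastIndex = advanceStringIndex(string, thisIndex, fullUnicode);
      }
      return { value: match, done: false };
    },
    [Symbol.iterator]() { return this; },
  };
}

// String.prototype.matchAll(regexp), written as a function that takes the
// receiver explicitly. The current spec text rejects a RegExp without the
// "g" flag; a non-RegExp argument becomes a global RegExp of its string form.
function stringMatchAll(string, regexp) {
  const isRegExp = regexp !== undefined && regexp !== null
    && (regexp[Symbol.match] !== undefined
      ? Boolean(regexp[Symbol.match])
      : regexp instanceof RegExp);
  if (isRegExp && !String(regexp.flags).includes("g")) {
    throw new TypeError("String.prototype.matchAll argument must be a global RegExp");
  }
  const s = String(string);
  let matcher;
  if (isRegExp) {
    // The @@matchAll path clones the receiver with its own flags and lastIndex.
    matcher = new RegExp(regexp.source, regexp.flags);
    matcher.lastIndex = Number(regexp.lastIndex);
  } else {
    // RegExpCreate(regexp, "g"); undefined yields the empty pattern.
    matcher = new RegExp(regexp === undefined ? "" : String(regexp), "g");
  }
  const flags = matcher.flags;
  return makeRegExpStringIterator(matcher, s, flags.includes("g"), flags.includes("u"));
}

// Collect [matched text, index] pairs so results are easy to compare.
function collectMatches(string, regexp) {
  const out = [];
  for (const m of stringMatchAll(string, regexp)) out.push([m[0], m.index]);
  return out;
}
```

The empty-pattern cases show why AdvanceStringIndex exists: without the Unicode-aware step, an astral character yields a match inside its surrogate pair.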
| |
| 2019-06-18 Keith Miller <keith_miller@apple.com> |
| |
| Add support for WeakRef |
| https://bugs.webkit.org/show_bug.cgi?id=198710 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add support for WeakRefs which are now at stage 3 |
| (https://tc39.es/proposal-weakrefs). This patch doesn't add |
| support for FinalizationGroups, which I'll add in another patch. |
| |
| Some other things of interest. Per the spec, we cannot collect a |
| weak ref's target unless it has not been dereffed (or created) in |
| the current microtask turn, i.e. WeakRefs are only allowed to be |
| collected at the end of a drain of the Microtask queue. My |
| understanding for this behavior is to reduce implementation |
| dependence on specific GC behavior in a given browser. |
| |
| We track if a WeakRef is retaining its target by using a version |
| number on each WeakRef as well as on the VM. Whenever a WeakRef is |
| derefed we update its version number to match the VM's then |
| WriteBarrier ourselves. During marking if the VM and the WeakRef |
| have the same version number, the target is visited. |
| |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * Sources.txt: |
| * heap/Heap.cpp: |
| (JSC::Heap::finalizeUnconditionalFinalizers): |
| * jsc.cpp: |
| (GlobalObject::finishCreation): |
| (functionReleaseWeakRefs): |
| * runtime/CommonIdentifiers.h: |
| * runtime/JSGlobalObject.cpp: |
| * runtime/JSGlobalObject.h: |
| * runtime/JSWeakObjectRef.cpp: Added. |
| (JSC::JSWeakObjectRef::finishCreation): |
| (JSC::JSWeakObjectRef::visitChildren): |
| (JSC::JSWeakObjectRef::finalizeUnconditionally): |
| (JSC::JSWeakObjectRef::toStringName): |
| * runtime/JSWeakObjectRef.h: Added. |
| * runtime/VM.cpp: |
| (JSC::VM::drainMicrotasks): |
| * runtime/VM.h: |
| (JSC::VM::setOnEachMicrotaskTick): |
| (JSC::VM::finalizeSynchronousJSExecution): |
| (JSC::VM::currentWeakRefVersion const): |
| * runtime/WeakObjectRefConstructor.cpp: Added. |
| (JSC::WeakObjectRefConstructor::finishCreation): |
| (JSC::WeakObjectRefConstructor::WeakObjectRefConstructor): |
| (JSC::callWeakRef): |
| (JSC::constructWeakRef): |
| * runtime/WeakObjectRefConstructor.h: Added. |
| (JSC::WeakObjectRefConstructor::create): |
| (JSC::WeakObjectRefConstructor::createStructure): |
| * runtime/WeakObjectRefPrototype.cpp: Added. |
| (JSC::WeakObjectRefPrototype::finishCreation): |
| (JSC::getWeakRef): |
| (JSC::protoFuncWeakRefDeref): |
| * runtime/WeakObjectRefPrototype.h: Added. |
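The retention rule described above (visit a WeakRef's target only when its version matches the VM's) as an added JavaScript model, not JSC's C++ code; VMModel, WeakRefModel and the collect() step are this example's own simplification, with a single strongly-reachable set standing in for real marking:

```javascript
// Added example, not JSC's code: a model of how the WeakRef patch decides
// whether a target is still retained. Names (VMModel, WeakRefModel,
// markRetainedTargets, collect, scenario) are this example's own.

class VMModel {
  constructor() {
    this.currentWeakRefVersion = 0; // bumped when a microtask drain ends
    this.weakRefs = [];
  }
  // End of a microtask checkpoint: from here on, targets that were neither
  // created nor deref'd during the turn may be collected.
  finishMicrotaskDrain() {
    this.currentWeakRefVersion += 1;
  }
}

class WeakRefModel {
  constructor(vm, target) {
    this.vm = vm;
    this.target = target;
    // Creating a WeakRef counts as touching it: adopt the VM's version.
    this.lastAccessVersion = vm.currentWeakRefVersion;
    vm.weakRefs.push(this);
  }
  deref() {
    // Match the VM's version so the next marking pass keeps the target
    // (the real implementation also write-barriers the WeakRef here).
    this.lastAccessVersion = this.vm.currentWeakRefVersion;
    return this.target;
  }
}

// Marking: a WeakRef's target is visited (kept alive) only if the WeakRef's
// version equals the VM's, i.e. it was created or deref'd in this turn.
function markRetainedTargets(vm) {
  const retained = new Set();
  for (const ref of vm.weakRefs) {
    if (ref.target !== null && ref.lastAccessVersion === vm.currentWeakRefVersion)
      retained.add(ref.target);
  }
  return retained;
}

// Collection: a target that is neither strongly reachable nor retained by a
// same-turn WeakRef is cleared. Returns how many WeakRefs were cleared.
function collect(vm, stronglyReachable) {
  const retained = markRetainedTargets(vm);
  let cleared = 0;
  for (const ref of vm.weakRefs) {
    if (ref.target === null) continue;
    if (stronglyReachable.has(ref.target) || retained.has(ref.target)) continue;
    ref.target = null; // finalizeUnconditionally in the real implementation
    cleared += 1;
  }
  return cleared;
}

// Constructed scenario: two targets held only through WeakRefs.
function scenario() {
  const vm = new VMModel();
  const a = { name: "a" }, b = { name: "b" };
  const ra = new WeakRefModel(vm, a), rb = new WeakRefModel(vm, b);
  const strong = new Set(); // nothing holds a or b strongly
  const results = [];
  // Same turn as creation: both are retained, nothing is cleared.
  results.push(collect(vm, strong));
  vm.finishMicrotaskDrain();
  // New turn: only `a` is deref'd, so only `b` becomes collectable.
  ra.deref();
  results.push(collect(vm, strong));
  results.push(rb.deref() === null, ra.deref() === a);
  return results; // [0, 1, true, true]
}
```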
| |
| 2019-06-18 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Add missing mutator fence in compileNewFunction |
| https://bugs.webkit.org/show_bug.cgi?id=198849 |
| <rdar://problem/51733890> |
| |
| Reviewed by Saam Barati. |
| |
| Follow-up after r246553. Saam pointed out that we still need a mutator |
| fence before allocating the FunctionRareData, since the allocation |
| might trigger a slow path call. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| |
| 2019-06-18 Tadeu Zagallo <tzagallo@apple.com> |
| |
| DFG code should not reify the names of builtin functions with private names |
| https://bugs.webkit.org/show_bug.cgi?id=198849 |
| <rdar://problem/51733890> |
| |
| Reviewed by Filip Pizlo. |
| |
| Builtin functions that have a private name call setHasReifiedName from finishCreation. |
| When compiled with DFG and FTL, that does not get called and the function ends up reifying |
| its name. In order to fix that, we initialize FunctionRareData and set m_hasReifiedName to |
| true from compileNewFunction in both DFG and FTL. |
| |
| * bytecode/InternalFunctionAllocationProfile.h: |
| (JSC::InternalFunctionAllocationProfile::offsetOfStructure): |
| * bytecode/ObjectAllocationProfile.h: |
| (JSC::ObjectAllocationProfileWithPrototype::offsetOfPrototype): |
| * bytecode/UnlinkedFunctionExecutable.h: |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): |
| * ftl/FTLAbstractHeapRepository.h: |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): |
| * runtime/FunctionExecutable.h: |
| * runtime/FunctionRareData.h: |
| * runtime/JSFunction.cpp: |
| (JSC::JSFunction::finishCreation): |
| * runtime/JSFunction.h: |
| * runtime/JSFunctionInlines.h: |
| (JSC::JSFunction::isAnonymousBuiltinFunction const): |
| |
| 2019-06-18 Keith Miller <keith_miller@apple.com> |
| |
| MaybeParseAsGeneratorForScope sometimes loses track of its scope ref |
| https://bugs.webkit.org/show_bug.cgi?id=198969 |
| <rdar://problem/51620714> |
| |
| Reviewed by Tadeu Zagallo. |
| |
| Sometimes if the parser has enough nested scopes |
| MaybeParseAsGeneratorForScope can lose track of the ScopeRef it |
| should be tracking. This is because the parser sometimes relocates |
| its ScopeRefs. To fix this MaybeParseAsGeneratorForScope should |
| hold the scope ref it's watching. |
| |
| * parser/Parser.cpp: |
| (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope): |
| (JSC::Scope::MaybeParseAsGeneratorForScope::~MaybeParseAsGeneratorForScope): |
| |
| 2019-06-17 Justin Michaud <justin_michaud@apple.com> |
| |
| Validate that table element type is funcref if using an element section |
| https://bugs.webkit.org/show_bug.cgi?id=198910 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add missing validation when attempting to add an element section to an anyref table. |
| |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseElement): |
| |
| 2019-06-17 Tadeu Zagallo <tzagallo@apple.com> |
| |
| Concurrent GC should check the conn before starting a new collection cycle |
| https://bugs.webkit.org/show_bug.cgi?id=198913 |
| <rdar://problem/49515149> |
| |
| Reviewed by Filip Pizlo. |
| |
| Heap::requestCollection tries to steal the conn as an optimization to avoid waking up the collector |
| thread if it's idle. We determine if the collector is idle by ensuring that there are no pending collections |
| and that the current GC phase is NotRunning. However, that's not safe immediately after the concurrent |
| GC has finished processing the last pending request. The collector thread will runEndPhase and immediately |
| start runNotRunningPhase, without checking if it still has the conn. If the mutator has stolen the conn in |
| the meantime, this will lead to both threads collecting concurrently, and eventually we'll crash in checkConn, |
| since the collector is running but doesn't have the conn anymore. |
| |
| To solve this, we check if we still have the conn after holding the lock in runNotRunningPhase, in case the mutator |
| has stolen the conn. Ideally, we wouldn't let the mutator steal the conn in the first place, but that doesn't seem |
| trivial to determine. |
| |
| * heap/Heap.cpp: |
| (JSC::Heap::runNotRunningPhase): |
| |
| 2019-06-17 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Introduce DisposableCallSiteIndex to enforce type-safety |
| https://bugs.webkit.org/show_bug.cgi?id=197378 |
| |
| Reviewed by Saam Barati. |
| |
| Some CallSiteIndexes are disposable. This is because some CallSiteIndexes are allocated and freed at runtime (not at DFG/FTL compile time). |
| The example is the CallSiteIndex for the exception handler in GCAwareJITStubRoutineWithExceptionHandler. If we do not allocate and free CallSiteIndex, |
| we will create new CallSiteIndexes continuously and leak memory. |
| |
| The other CallSiteIndexes are not simply disposable because the ownership model is not a unique one. They can be shared between multiple clients. |
| But not disposing them is OK because they are static ones: they are allocated when compiling DFG/FTL, and we do not allocate such CallSiteIndexes |
| at runtime. |
| |
| To make this difference explicit and avoid disposing non-disposable CallSiteIndex accidentally, we introduce DisposableCallSiteIndex type, and |
| enforce type-safety to some degree. |
| |
| We also correctly update the DisposableCallSiteIndex => CodeOrigin table when we are reusing the previously used DisposableCallSiteIndex. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::newExceptionHandlingCallSiteIndex): |
| (JSC::CodeBlock::removeExceptionHandlerForCallSite): |
| * bytecode/CodeBlock.h: |
| * bytecode/PolymorphicAccess.cpp: |
| (JSC::AccessGenerationState::callSiteIndexForExceptionHandling): |
| (JSC::PolymorphicAccess::regenerate): |
| * bytecode/PolymorphicAccess.h: |
| (JSC::AccessGenerationState::callSiteIndexForExceptionHandling): Deleted. |
| * dfg/DFGCommonData.cpp: |
| (JSC::DFG::CommonData::addUniqueCallSiteIndex): |
| (JSC::DFG::CommonData::addDisposableCallSiteIndex): |
| (JSC::DFG::CommonData::removeDisposableCallSiteIndex): |
| (JSC::DFG::CommonData::removeCallSiteIndex): Deleted. |
| * dfg/DFGCommonData.h: |
| * interpreter/CallFrame.h: |
| (JSC::DisposableCallSiteIndex::DisposableCallSiteIndex): |
| (JSC::DisposableCallSiteIndex::fromCallSiteIndex): |
| * jit/GCAwareJITStubRoutine.cpp: |
| (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler): |
| (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount): |
| (JSC::createJITStubRoutine): |
| * jit/GCAwareJITStubRoutine.h: |
| * jit/JITInlineCacheGenerator.h: |
| |
| 2019-06-17 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Add support for Funcref in parameters and return types |
| https://bugs.webkit.org/show_bug.cgi?id=198157 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Add support for funcref in parameters, globals, and in table.get/set. When converting a JSValue to |
| a funcref (nee anyfunc), we first make sure it is an exported wasm function or null. |
| |
| We also add support for Ref.func. Anywhere a Ref.func is used, (statically) we construct a JS wrapper |
| for it so that we never need to construct JSValues when handling references. This should make threads |
| easier to implement. |
| |
| Finally, we add some missing bounds checks for table.get/set. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::tmpForType): |
| (JSC::Wasm::AirIRGenerator::moveOpForValueType): |
| (JSC::Wasm::AirIRGenerator::AirIRGenerator): |
| (JSC::Wasm::AirIRGenerator::addLocal): |
| (JSC::Wasm::AirIRGenerator::addConstant): |
| (JSC::Wasm::AirIRGenerator::addRefFunc): |
| (JSC::Wasm::AirIRGenerator::addTableSet): |
| (JSC::Wasm::AirIRGenerator::setGlobal): |
| (JSC::Wasm::AirIRGenerator::addReturn): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::addLocal): |
| (JSC::Wasm::B3IRGenerator::addTableSet): |
| (JSC::Wasm::B3IRGenerator::addRefFunc): |
| (JSC::Wasm::B3IRGenerator::setGlobal): |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::compileFunctions): |
| * wasm/WasmCallingConvention.h: |
| (JSC::Wasm::CallingConventionAir::marshallArgument const): |
| (JSC::Wasm::CallingConventionAir::setupCall const): |
| * wasm/WasmExceptionType.h: |
| * wasm/WasmFormat.h: |
| (JSC::Wasm::isValueType): |
| (JSC::Wasm::isSubtype): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression): |
| * wasm/WasmInstance.cpp: |
| (JSC::Wasm::Instance::Instance): |
| (JSC::Wasm::Instance::getFunctionWrapper const): |
| (JSC::Wasm::Instance::setFunctionWrapper): |
| * wasm/WasmInstance.h: |
| * wasm/WasmModuleInformation.h: |
| (JSC::Wasm::ModuleInformation::referencedFunctions const): |
| (JSC::Wasm::ModuleInformation::addReferencedFunction const): |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseGlobal): |
| (JSC::Wasm::SectionParser::parseInitExpr): |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::addTableGet): |
| (JSC::Wasm::Validate::addTableSet): |
| (JSC::Wasm::Validate::addRefIsNull): |
| (JSC::Wasm::Validate::addRefFunc): |
| (JSC::Wasm::Validate::setLocal): |
| (JSC::Wasm::Validate::addCall): |
| (JSC::Wasm::Validate::addCallIndirect): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/JSWebAssemblyHelpers.h: |
| (JSC::isWebAssemblyHostFunction): |
| * wasm/js/JSWebAssemblyInstance.cpp: |
| (JSC::JSWebAssemblyInstance::visitChildren): |
| * wasm/js/JSWebAssemblyRuntimeError.cpp: |
| (JSC::createJSWebAssemblyRuntimeError): |
| * wasm/js/JSWebAssemblyRuntimeError.h: |
| * wasm/js/WasmToJS.cpp: |
| (JSC::Wasm::handleBadI64Use): |
| (JSC::Wasm::wasmToJS): |
| (JSC::Wasm::emitWasmToJSException): |
| * wasm/js/WasmToJS.h: |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::callWebAssemblyFunction): |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| * wasm/wasm.json: |
| |
| 2019-06-16 Darin Adler <darin@apple.com> |
| |
| Rename AtomicString to AtomString |
| https://bugs.webkit.org/show_bug.cgi?id=195276 |
| |
| Reviewed by Michael Catanzaro. |
| |
| * many files: Let do-webcore-rename do the renaming. |
| |
| 2019-06-16 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Grown region of WasmTable should be initialized with null |
| https://bugs.webkit.org/show_bug.cgi?id=198903 |
| |
| Reviewed by Saam Barati. |
| |
| The grown region of WasmTable is now empty. We should initialize it with null. |
| We also rename Wasm::Table::visitChildren to Wasm::Table::visitAggregate to |
| align to the naming convention. |
| |
| * wasm/WasmTable.cpp: |
| (JSC::Wasm::Table::grow): |
| (JSC::Wasm::Table::visitAggregate): |
| (JSC::Wasm::Table::visitChildren): Deleted. |
| * wasm/WasmTable.h: |
| * wasm/js/JSWebAssemblyTable.cpp: |
| (JSC::JSWebAssemblyTable::visitChildren): |
| |
| 2019-06-14 Keith Miller <keith_miller@apple.com> |
| |
| Restore PAC based cage. |
| https://bugs.webkit.org/show_bug.cgi?id=198872 |
| |
| Rubber-stamped by Saam Barati. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::bitFieldInsert64): |
| * assembler/MacroAssemblerARM64E.h: |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| (JSC::run): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): |
| (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): |
| (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): |
| (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageWithoutUntagging): |
| (JSC::AssemblyHelpers::cageConditionally): |
| (JSC::AssemblyHelpers::cage): Deleted. |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitIntTypedArrayGetByVal): |
| (JSC::JIT::emitFloatTypedArrayGetByVal): |
| (JSC::JIT::emitIntTypedArrayPutByVal): |
| (JSC::JIT::emitFloatTypedArrayPutByVal): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * offlineasm/arm64.rb: |
| * offlineasm/instructions.rb: |
| * offlineasm/registers.rb: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| * wasm/WasmBinding.cpp: |
| (JSC::Wasm::wasmToWasm): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| |
| 2019-06-13 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Yarr bytecode compilation failure should be gracefully handled |
| https://bugs.webkit.org/show_bug.cgi?id=198700 |
| |
| Reviewed by Michael Saboff. |
| |
| Currently, we assume that Yarr bytecode compilation does not fail. But in fact it can fail. |
| We should gracefully handle this failure as a runtime error, as we did for parse errors in [1]. |
| We also harden Yarr's consumed character calculation by using Checked. |
| |
| [1]: https://bugs.webkit.org/show_bug.cgi?id=185755 |
| |
| * inspector/ContentSearchUtilities.cpp: |
| (Inspector::ContentSearchUtilities::findMagicComment): |
| * runtime/RegExp.cpp: |
| (JSC::RegExp::byteCodeCompileIfNecessary): |
| (JSC::RegExp::compile): |
| (JSC::RegExp::compileMatchOnly): |
| * runtime/RegExpInlines.h: |
| (JSC::RegExp::matchInline): |
| * yarr/YarrErrorCode.cpp: |
| (JSC::Yarr::errorMessage): |
| (JSC::Yarr::errorToThrow): |
| * yarr/YarrErrorCode.h: |
| * yarr/YarrInterpreter.cpp: |
| (JSC::Yarr::ByteCompiler::ByteCompiler): |
| (JSC::Yarr::ByteCompiler::compile): |
| (JSC::Yarr::ByteCompiler::atomCharacterClass): |
| (JSC::Yarr::ByteCompiler::atomBackReference): |
| (JSC::Yarr::ByteCompiler::atomParenthesesOnceBegin): |
| (JSC::Yarr::ByteCompiler::atomParenthesesTerminalBegin): |
| (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternBegin): |
| (JSC::Yarr::ByteCompiler::atomParentheticalAssertionBegin): |
| (JSC::Yarr::ByteCompiler::popParenthesesStack): |
| (JSC::Yarr::ByteCompiler::closeAlternative): |
| (JSC::Yarr::ByteCompiler::closeBodyAlternative): |
| (JSC::Yarr::ByteCompiler::alternativeBodyDisjunction): |
| (JSC::Yarr::ByteCompiler::alternativeDisjunction): |
| (JSC::Yarr::ByteCompiler::emitDisjunction): |
| |
| 2019-06-12 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call |
| https://bugs.webkit.org/show_bug.cgi?id=198770 |
| |
| Reviewed by Saam Barati. |
| |
| The polymorphic call stub is patched a bit specially in the JS call site. A typical JS call site for tail calls |
| is the following. |
| |
| if (callee == patchableCallee) { |
|     restore callee saves for tail call |
|     prepare for tail call |
|     jump to the target function |
| } |
| restore callee saves for slow path |
| call the slow path function |
| |
| And linking patches patchableCallee, the target function, and the slow path function. But the polymorphic call stub |
| patches the above `if` statement with a jump to the stub. |
| |
| jump to the polymorphic call stub |
| |
| This is because the polymorphic call stub wants to use CallFrameShuffler to get scratch registers. As a result, |
| the "restore callee saves for tail call" step needs to be done in the polymorphic call stubs. While it is |
| correctly done for the major cases, we have `slowPath` skips, and that path missed restoring callee saves. |
| This skip happens if the callee is a non-JSCell or a non-JS function, so typically InternalFunction is handled |
| in that path. |
| |
| This patch performs those skips after restoring callee saves. |
| |
| * bytecode/CallLinkInfo.cpp: |
| (JSC::CallLinkInfo::CallLinkInfo): |
| * bytecode/CallLinkInfo.h: |
| (JSC::CallLinkInfo::setUpCall): |
| (JSC::CallLinkInfo::calleeGPR): |
| (JSC::CallLinkInfo::setCalleeGPR): Deleted. |
| * jit/Repatch.cpp: |
| (JSC::revertCall): |
| (JSC::linkVirtualFor): |
| (JSC::linkPolymorphicCall): |
| * jit/Repatch.h: |
| * jit/ThunkGenerators.cpp: |
| (JSC::virtualThunkFor): |
| |
| 2019-06-12 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r246322. |
| https://bugs.webkit.org/show_bug.cgi?id=198796 |
| |
| "It's a huge page load regression on iOS" (Requested by |
| saamyjoon on #webkit). |
| |
| Reverted changeset: |
| |
| "Roll out PAC cage" |
| https://bugs.webkit.org/show_bug.cgi?id=198726 |
| https://trac.webkit.org/changeset/246322 |
| |
| 2019-06-11 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| JSC should throw if proxy set returns falsish in strict mode context |
| https://bugs.webkit.org/show_bug.cgi?id=177398 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Throw a TypeError exception if a Proxy's `set` trap returns a falsy value. |
| (step 6.c of https://tc39.es/ecma262/#sec-putvalue) |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::ProxyObject::performPut): |
| (JSC::ProxyObject::put): |
| (JSC::ProxyObject::putByIndexCommon): |
| * runtime/ProxyObject.h: |
| |
| 2019-06-11 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| Error message for non-callable Proxy `construct` trap is misleading |
| https://bugs.webkit.org/show_bug.cgi?id=198637 |
| |
| Reviewed by Saam Barati. |
| |
| Just like other traps, the Proxy `construct` trap is invoked with [[Call]], not [[Construct]]. |
| |
| * runtime/ProxyObject.cpp: |
| (JSC::performProxyConstruct): Tweak error message. |
| |
| 2019-06-10 Tadeu Zagallo <tzagallo@apple.com> |
| |
| AI BitURShift's result should not be unsigned |
| https://bugs.webkit.org/show_bug.cgi?id=198689 |
| <rdar://problem/51550063> |
| |
| Reviewed by Saam Barati. |
| |
| Treating BitURShift's result as unsigned in the abstract interpreter incorrectly overflows it. |
| This breaks the DFG and FTL, since they assume that BitURShift's result is an int32 value, but |
| get a double constant from AI. Since the result will be converted to unsigned by UInt32ToNumber, |
| all we have to do is store the result as a signed int32. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| |
| 2019-06-11 Michael Catanzaro <mcatanzaro@igalia.com> |
| |
| Unreviewed build warning fixes |
| |
| Silence -Wreturn-type warning |
| |
| * wasm/WasmTable.cpp: |
| (JSC::Wasm::Table::tryCreate): |
| |
| 2019-06-11 Saam Barati <sbarati@apple.com> |
| |
| Roll out PAC cage |
| https://bugs.webkit.org/show_bug.cgi?id=198726 |
| |
| Reviewed by Keith Miller. |
| |
| This patch rolls out: r245064, r245145, r245168, r245313, r245432, r245622. |
| |
| The resulting state is that we have Gigacage enabled on arm64. |
| There is no more PAC caging. |
| |
| We're doing this because there are performance issues with PAC caging |
| that we haven't resolved yet. |
| |
| * assembler/CPU.h: |
| (JSC::isARM64E): Deleted. |
| * assembler/MacroAssemblerARM64E.h: |
| (JSC::MacroAssemblerARM64E::tagArrayPtr): Deleted. |
| (JSC::MacroAssemblerARM64E::untagArrayPtr): Deleted. |
| (JSC::MacroAssemblerARM64E::removeArrayPtrTag): Deleted. |
| * b3/B3LowerToAir.cpp: |
| * b3/B3PatchpointSpecial.cpp: |
| (JSC::B3::PatchpointSpecial::admitsStack): |
| * b3/B3StackmapSpecial.cpp: |
| (JSC::B3::StackmapSpecial::forEachArgImpl): |
| (JSC::B3::StackmapSpecial::isArgValidForRep): |
| * b3/B3Validate.cpp: |
| * b3/B3ValueRep.cpp: |
| (JSC::B3::ValueRep::addUsedRegistersTo const): |
| (JSC::B3::ValueRep::dump const): |
| (WTF::printInternal): |
| * b3/B3ValueRep.h: |
| (JSC::B3::ValueRep::ValueRep): |
| (JSC::B3::ValueRep::isReg const): |
| * dfg/DFGOperations.cpp: |
| (JSC::DFG::newTypedArrayWithSize): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): |
| (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): |
| (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): |
| (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): |
| (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): |
| * dfg/DFGSpeculativeJIT.h: |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): |
| (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet): |
| (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet): |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered): |
| (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): Deleted. |
| (JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag): Deleted. |
| * heap/ConservativeRoots.cpp: |
| (JSC::ConservativeRoots::genericAddPointer): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageConditionally): |
| * jit/IntrinsicEmitter.cpp: |
| (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitDirectArgumentsGetByVal): |
| (JSC::JIT::emitIntTypedArrayGetByVal): |
| (JSC::JIT::emitFloatTypedArrayGetByVal): |
| (JSC::JIT::emitIntTypedArrayPutByVal): |
| (JSC::JIT::emitFloatTypedArrayPutByVal): |
| * jit/PolymorphicCallStubRoutine.cpp: |
| (JSC::PolymorphicCallNode::clearCallLinkInfo): |
| * jit/RegisterSet.h: |
| * llint/LowLevelInterpreter64.asm: |
| * runtime/ArrayBuffer.cpp: |
| (JSC::SharedArrayBufferContents::SharedArrayBufferContents): |
| (JSC::SharedArrayBufferContents::~SharedArrayBufferContents): |
| (JSC::ArrayBufferContents::ArrayBufferContents): |
| (JSC::ArrayBufferContents::destroy): |
| (JSC::ArrayBufferContents::tryAllocate): |
| (JSC::ArrayBufferContents::makeShared): |
| (JSC::ArrayBufferContents::copyTo): |
| * runtime/ArrayBuffer.h: |
| (JSC::SharedArrayBufferContents::data const): |
| (JSC::ArrayBufferContents::data const): |
| (JSC::ArrayBuffer::data): |
| (JSC::ArrayBuffer::data const): |
| (JSC::ArrayBuffer::byteLength const): |
| * runtime/ArrayBufferView.cpp: |
| (JSC::ArrayBufferView::ArrayBufferView): |
| * runtime/ArrayBufferView.h: |
| (JSC::ArrayBufferView::baseAddress const): |
| (JSC::ArrayBufferView::setRangeImpl): |
| (JSC::ArrayBufferView::getRangeImpl): |
| (JSC::ArrayBufferView::byteLength const): Deleted. |
| * runtime/CachedTypes.cpp: |
| (JSC::CachedScopedArgumentsTable::encode): |
| (JSC::CachedScopedArgumentsTable::decode const): |
| * runtime/CagedBarrierPtr.h: |
| (JSC::CagedBarrierPtr::CagedBarrierPtr): |
| (JSC::CagedBarrierPtr::set): |
| (JSC::CagedBarrierPtr::get const): |
| (JSC::CagedBarrierPtr::getMayBeNull const): |
| (JSC::CagedBarrierPtr::operator== const): |
| (JSC::CagedBarrierPtr::operator!= const): |
| (JSC::CagedBarrierPtr::operator bool const): |
| (JSC::CagedBarrierPtr::setWithoutBarrier): |
| (JSC::CagedBarrierPtr::operator* const): |
| (JSC::CagedBarrierPtr::operator-> const): |
| (JSC::CagedBarrierPtr::operator[] const): |
| (JSC::CagedBarrierPtr::getUnsafe const): Deleted. |
| (JSC::CagedBarrierPtr::at const): Deleted. |
| * runtime/DataView.cpp: |
| (JSC::DataView::DataView): |
| * runtime/DataView.h: |
| (JSC::DataView::get): |
| (JSC::DataView::set): |
| * runtime/DirectArguments.cpp: |
| (JSC::DirectArguments::visitChildren): |
| (JSC::DirectArguments::overrideThings): |
| (JSC::DirectArguments::unmapArgument): |
| * runtime/DirectArguments.h: |
| * runtime/GenericArguments.h: |
| * runtime/GenericArgumentsInlines.h: |
| (JSC::GenericArguments<Type>::visitChildren): |
| (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor): |
| (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor): |
| (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor): |
| * runtime/GenericTypedArrayView.h: |
| * runtime/GenericTypedArrayViewInlines.h: |
| (JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView): |
| * runtime/JSArrayBufferView.cpp: |
| (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): |
| (JSC::JSArrayBufferView::JSArrayBufferView): |
| (JSC::JSArrayBufferView::finalize): |
| (JSC::JSArrayBufferView::slowDownAndWasteMemory): |
| * runtime/JSArrayBufferView.h: |
| (JSC::JSArrayBufferView::ConstructionContext::vector const): |
| (JSC::JSArrayBufferView::isNeutered): |
| (JSC::JSArrayBufferView::vector const): |
| (JSC::JSArrayBufferView::hasVector const): Deleted. |
| * runtime/JSGenericTypedArrayViewInlines.h: |
| (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized): |
| (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize): |
| (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): |
| * runtime/Options.h: |
| * runtime/ScopedArgumentsTable.cpp: |
| (JSC::ScopedArgumentsTable::clone): |
| (JSC::ScopedArgumentsTable::setLength): |
| * runtime/ScopedArgumentsTable.h: |
| * runtime/SymbolTable.h: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| * wasm/WasmBBQPlan.cpp: |
| (JSC::Wasm::BBQPlan::complete): |
| * wasm/WasmBinding.cpp: |
| (JSC::Wasm::wasmToWasm): |
| * wasm/WasmInstance.h: |
| (JSC::Wasm::Instance::cachedMemory const): |
| (JSC::Wasm::Instance::updateCachedMemory): |
| * wasm/WasmMemory.cpp: |
| (JSC::Wasm::Memory::Memory): |
| (JSC::Wasm::Memory::~Memory): |
| (JSC::Wasm::Memory::grow): |
| (JSC::Wasm::Memory::dump const): |
| * wasm/WasmMemory.h: |
| (JSC::Wasm::Memory::memory const): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
| |
| 2019-06-10 Basuke Suzuki <Basuke.Suzuki@sony.com> |
| |
| [WinCairo] Remove build warning from RemoteInspector. |
| https://bugs.webkit.org/show_bug.cgi?id=198724 |
| |
| Reviewed by Joseph Pecoraro. |
| |
| In `RemoteInspectorConnectionClient.h`, an interface was defined with an empty implementation. |
| This method is to be overwritten by subclasses, so the parameter names are important; |
| they are commented out rather than just removed from the definition. |
| |
| * inspector/remote/RemoteInspector.h: |
| |
| 2019-06-10 Sam Weinig <weinig@apple.com> |
| |
| Remove Dashboard support |
| https://bugs.webkit.org/show_bug.cgi?id=198615 |
| |
| Reviewed by Ryosuke Niwa. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-06-10 Devin Rousso <drousso@apple.com> |
| |
| Web Automation: add notifications for when remote automation is enabled/disabled |
| https://bugs.webkit.org/show_bug.cgi?id=198703 |
| <rdar://problem/50588975> |
| |
| Reviewed by Timothy Hatcher. |
| |
| * inspector/remote/RemoteInspectorConstants.h: |
| |
| 2019-06-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, build fix for non-DFG configurations, part 2 |
| https://bugs.webkit.org/show_bug.cgi?id=198023 |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finalizeUnconditionally): |
| |
| 2019-06-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| Unreviewed, build fix for non-DFG configurations |
| https://bugs.webkit.org/show_bug.cgi?id=198023 |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finalizeUnconditionally): |
| |
| 2019-06-10 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode |
| https://bugs.webkit.org/show_bug.cgi?id=198023 |
| |
| Reviewed by Saam Barati. |
| |
| While CodeBlock is periodically jettisoned, UnlinkedCodeBlock and UnlinkedFunctionExecutable can be retained almost forever in certain types of applications. |
| When we execute a program, it has an UnlinkedProgramCodeBlock retained in CodeCache, and UnlinkedProgramCodeBlock holds an array of UnlinkedFunctionExecutables. |
| And UnlinkedFunctionExecutables hold UnlinkedFunctionCodeBlocks once they are generated. So eventually, this tree gets larger and larger until we purge |
| UnlinkedProgramCodeBlock from CodeCache. This is OK in the browser case. We navigate to various other pages, and UnlinkedProgramCodeBlocks should eventually |
| be pruned from CodeCache with the new ones. So this tree won't be retained forever. But the behavior is different in other applications that do not have |
| navigations. If they only have one program which holds everything, we basically retain this tree while executing this application. The same thing can happen in |
| web applications which do not have navigation and stay alive for a long time. Once we hit the CodeCache limit by periodically executing a new script, we will |
| hit the upper bound of memory footprint. But until then, we increase our memory footprint. |
| |
| However, destroying these UnlinkedCodeBlocks and UnlinkedFunctionExecutables causes a tricky problem. In the browser environment, navigation can happen at any |
| time. So even if the given UnlinkedCodeBlock seems unused in the current page, it can be used when navigating to a new page which is under the same domain. |
| One example is initializing function in a script. It is only executed once per page. So once it is executed, it seems that this UnlinkedCodeBlock is unused. |
| But this will be used when we navigate to a new page. Pruning code blocks based on usage could cause performance regression. |
| |
| But if our VM is in mini VM mode, the story is different. In mini VM mode, we focus on memory footprint rather than performance, e.g. daemons. The daemon never |
| reuses this CodeCache since we do not have navigation. |
| |
| This patch logically makes the UnlinkedFunctionExecutable -> UnlinkedCodeBlock reference weak when the VM is in mini mode. If the UnlinkedCodeBlock was used in the previous GC |
| cycle, we retain it. But if it was not used, and if the UnlinkedFunctionExecutable is the only cell keeping the UnlinkedCodeBlock alive, we destroy it. It is a |
| heuristic. In a super pathological case, it could increase memory footprint. Consider the following example. |
| |
| UnlinkedFunctionExecutable(A1) -> UnlinkedCodeBlock(B1) -> UnlinkedFunctionExecutable(C1) -> UnlinkedCodeBlock(D1) |
| ^ |
| CodeBlock(E1) |
| |
| We could delete A1, B1, and C1 while keeping D1. But if we eventually re-execute the same code corresponding to A1, B1, C1, they will be newly created, and |
| we will create a duplicate UnlinkedCodeBlock and instruction stream for D1. |
| |
| UnlinkedCodeBlock(D1) |
| ^ |
| CodeBlock(E1) |
| |
| UnlinkedFunctionExecutable(A2) -> UnlinkedCodeBlock(B2) -> UnlinkedFunctionExecutable(C2) -> UnlinkedCodeBlock(D2) |
| |
| But this does not happen in practice, and even if it happens, we eventually discard D1 and D2 since CodeBlock E1 will be jettisoned anyway. So in practice, we do |
| not see memory footprint increase. We tested it in Gmail and the target application, and both showed memory footprint reduction (30 MB / 400 MB and 1 MB / 6 MB). |
| While this affects performance much on tests which have navigation (1-3 % regression in Speedometer2; note that JetStream2 does not show regression on x64, |
| while it is not enabling mini mode), we do not apply this to non-mini-mode VMs until we come up with a good strategy to speed up re-generation. |
| Personally I think flushing destroyed UnlinkedCodeBlocks to the disk sounds promising. |
| |
| If UnlinkedCodeBlock is generated from bytecode cache, we do not make UnlinkedFunctionExecutable -> UnlinkedCodeBlock link weak because the decoder of the bytecode |
| cache assumes that generated JSCells won't be destroyed while the parent cells of that cell are live. This is true in the current implementation, and this assumption |
| will be broken with this patch. So, for now, we do not make this link weak. Currently, our target application does not use bytecode cache so it is OK. |
| |
| This patch also introduces a simple heuristic. We count the UnlinkedCodeBlock's age, and once the age reaches the maximum, we make the UnlinkedFunctionExecutable -> |
| UnlinkedCodeBlock link weak. We also use execution counter information to reset this age: a CodeBlock will reset the underlying UnlinkedCodeBlock's age if it has executed. |
| While this heuristic is quite simple, it has some effect in practice. Basically what happens with this heuristic is that the UnlinkedFunctionExecutable -> |
| UnlinkedCodeBlock link is strong. When GC happens, we are executing some CodeBlocks, which become live. And the ScriptExecutables -> UnlinkedFunctionExecutables held |
| by these CodeBlocks also become live. Then the UnlinkedFunctionExecutables can mark the child UnlinkedCodeBlocks if they are not so old. |
| If some parent UnlinkedFunctionExecutable becomes dead, child UnlinkedCodeBlocks tend to be dead unless some live CodeBlock holds them. But it is OK for a first |
| heuristic since this means that the parent code block is now considered old, and the reachable UnlinkedCodeBlock will be used when the parent is executed again. So destroying |
| the tree is OK even if the tree may include some new UnlinkedCodeBlock. While we could make a more sophisticated mechanism to manage these lifetimes, I think this is a |
| good starting point. |
| |
| Based on measurement, we pick 7 as the maximum age. If we pick 0, we can get more memory reduction (1 - 1.5 MB!), while we end up reparsing code so many times. |
| It seems that 7 can reduce a fair amount of memory while doing a small # of reparsings on average (usually 1 or 2; sometimes 100, but not 300, which is the case with 0). |
| If we want to get more memory reduction for the sake of performance, we could decrease this age limit. |
| |
| Since we do not have an automated script right now, it is a bit difficult to measure memory footprint precisely. But manual testing shows that this patch improves |
| the memory footprint of our target application from about 6.5 MB to about 5.9 MB. |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::finalizeUnconditionally): |
| * bytecode/CodeBlock.h: |
| * bytecode/UnlinkedCodeBlock.cpp: |
| (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): |
| (JSC::UnlinkedCodeBlock::visitChildren): |
| * bytecode/UnlinkedCodeBlock.h: |
| (JSC::UnlinkedCodeBlock::age const): |
| (JSC::UnlinkedCodeBlock::resetAge): |
| * bytecode/UnlinkedFunctionExecutable.cpp: |
| (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): |
| (JSC::UnlinkedFunctionExecutable::visitChildren): |
| (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor): |
| (JSC::UnlinkedFunctionExecutable::decodeCachedCodeBlocks): |
| (JSC::UnlinkedFunctionExecutable::finalizeUnconditionally): |
| * bytecode/UnlinkedFunctionExecutable.h: |
| * heap/Heap.cpp: |
| (JSC::Heap::finalizeUnconditionalFinalizers): |
| * runtime/CachedTypes.cpp: |
| (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): |
| (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): |
| * runtime/CodeSpecializationKind.h: |
| * runtime/Options.h: |
| * runtime/VM.cpp: |
| (JSC::VM::isInMiniMode): Deleted. |
| * runtime/VM.h: |
| (JSC::VM::isInMiniMode): |
| (JSC::VM::useUnlinkedCodeBlockJettisoning): |
| |
| 2019-06-10 Timothy Hatcher <timothy@apple.com> |
| |
| Integrate dark mode support for iOS. |
| https://bugs.webkit.org/show_bug.cgi?id=198687 |
| rdar://problem/51545643 |
| |
| Reviewed by Tim Horton. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2019-06-10 Adrian Perez de Castro <aperez@igalia.com> |
| |
| [JSC] Linker fails when unified sources are not in use |
| https://bugs.webkit.org/show_bug.cgi?id=198722 |
| |
| Reviewed by Keith Miller. |
| |
| Added missing inclusions of headers in several files which make use of inline functions. |
| |
| * b3/B3AtomicValue.cpp: |
| * b3/B3BlockInsertionSet.cpp: |
| * b3/B3FenceValue.cpp: |
| * b3/B3LowerMacrosAfterOptimizations.cpp: |
| * b3/B3PureCSE.cpp: |
| * b3/B3StackmapValue.cpp: |
| * b3/B3SwitchValue.cpp: |
| * b3/B3UseCounts.cpp: |
| * b3/B3VariableValue.cpp: |
| * b3/B3WasmAddressValue.cpp: |
| * b3/B3WasmBoundsCheckValue.cpp: |
| * ftl/FTLCompile.cpp: |
| * wasm/WasmSectionParser.cpp: |
| * wasm/WasmTable.cpp: |
| * wasm/WasmValidate.cpp: |
| |
| 2019-06-10 Keith Miller <keith_miller@apple.com> |
| |
| Make new Symbol/Promise API public |
| https://bugs.webkit.org/show_bug.cgi?id=198709 |
| |
| Reviewed by Saam Barati. |
| |
| We also need to #ifdef some tests when building for older |
| platforms because the signatures for some methods are outdated on |
| those platforms. |
| |
| * API/JSObjectRef.h: |
| * API/JSObjectRefPrivate.h: |
| * API/JSValue.h: |
| * API/JSValuePrivate.h: |
| * API/JSValueRef.h: |
| * API/tests/testapi.mm: |
| (testObjectiveCAPIMain): |
| |
| 2019-06-09 Commit Queue <commit-queue@webkit.org> |
| |
| Unreviewed, rolling out r246150, r246160, and r246166. |
| https://bugs.webkit.org/show_bug.cgi?id=198698 |
| |
| Regresses page loading time on iOS 13 (Requested by keith_m__ |
| on #webkit). |
| |
| Reverted changesets: |
| |
| "Reenable Gigacage on ARM64." |
| https://bugs.webkit.org/show_bug.cgi?id=198453 |
| https://trac.webkit.org/changeset/246150 |
| |
| "Unreviewed build fix for FTL without Gigacage." |
| https://trac.webkit.org/changeset/246160 |
| |
| "Fix typo in cageWithoutUntagging" |
| https://bugs.webkit.org/show_bug.cgi?id=198617 |
| https://trac.webkit.org/changeset/246166 |
| |
| 2019-06-09 Yusuke Suzuki <ysuzuki@apple.com> |
| |
| [JSC] Use mergePrediction in ValuePow prediction propagation |
| https://bugs.webkit.org/show_bug.cgi?id=198648 |
| |
| Reviewed by Saam Barati. |
| |
| We are accidentally using setPrediction. This is wrong since prediction propagation (not processInvariant) |
| must extend the speculation types to ensure we eventually reach the fixed point. setPrediction can discard |
| previously configured predictions, which can potentially lead to oscillation. Use mergePrediction instead. |
| |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| |
| 2019-06-07 Tadeu Zagallo <tzagallo@apple.com> |
| |
| AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset |
| https://bugs.webkit.org/show_bug.cgi?id=198581 |
| <rdar://problem/51099753> |
| |
| Reviewed by Saam Barati. |
| |
| For GetGetterSetterByOffset, when the abstract interpreter fails to read the property |
| from the object, it gets the GetterSetter structure from the CodeBlock's global object. |
| However, that's not correct, since the global object for the base object might differ |
| from the CodeBlock's. Instead, we try to get the global object from the base, when it's |
| a constant object. Otherwise, we can't infer the value and only set the type. |
| |
| * dfg/DFGAbstractInterpreterInlines.h: |
| (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): |
| |
| 2019-06-06 Devin Rousso <drousso@apple.com> |
| |
| Web Inspector: create CommandLineAPIHost lazily like the other agents |
| https://bugs.webkit.org/show_bug.cgi?id=196047 |
| <rdar://problem/49087835> |
| |
| Reviewed by Timothy Hatcher. |
| |
| * inspector/InjectedScriptManager.h: |
| * inspector/InjectedScriptManager.cpp: |
| (Inspector::InjectedScriptManager::connect): Added. |
| |
| 2019-06-06 Keith Miller <keith_miller@apple.com> |
| |
| Fix typo in cageWithoutUntagging |
| https://bugs.webkit.org/show_bug.cgi?id=198617 |
| |
| Reviewed by Saam Barati. |
| |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): |
| (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageWithoutUntagging): |
| (JSC::AssemblyHelpers::cageConditionally): |
| (JSC::AssemblyHelpers::cageWithoutUntaging): Deleted. |
| |
| 2019-06-06 Alexey Shvayka <shvaikalesh@gmail.com> |
| |
| JSON.parse throws incorrect exception when called w/o arguments |
| https://bugs.webkit.org/show_bug.cgi?id=198574 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| Always coerce first argument to string and attempt to parse it. |
| (steps 1-2 of https://tc39.github.io/ecma262/#sec-json.parse) |
| |
| * runtime/JSONObject.cpp: |
| (JSC::JSONProtoFuncParse): Remove argumentCount check. |
| |
| 2019-06-06 Keith Miller <keith_miller@apple.com> |
| |
| Unreviewed build fix for FTL without Gigacage. |
| |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| |
| 2019-06-06 Michael Catanzaro <mcatanzaro@igalia.com> |
| |
| aarch64: ‘JSC::ARM64Assembler::LinkRecord::<unnamed union>::RealTypes::m_compareRegister’ is too small to hold all values of ‘JSC::ARM64Assembler::RegisterID’ {aka ‘enum JSC::ARM64Registers::RegisterID’} |
| https://bugs.webkit.org/show_bug.cgi?id=198014 |
| |
| Reviewed by Yusuke Suzuki. |
| |
| When building for aarch64, there is a huge warning spam here. It's impossible to see any |
| other warnings. This has been ongoing for so long I've begun to suspect that nobody works |
| on this architecture. |
| |
| Anyway, the problem is that we need eight bits to store all possible RegisterID values, |
| but the bitfield is only six bits wide. Fix it. The COMPILE_ASSERT checking the size of this |
| struct is still happy, so I presume the change is OK. |
| |
| * assembler/ARM64Assembler.h: |
| |
| 2019-06-06 Keith Miller <keith_miller@apple.com> |
| |
| Reenable Gigacage on ARM64. |
| https://bugs.webkit.org/show_bug.cgi?id=198453 |
| |
| Reviewed by Michael Saboff. |
| |
| This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the |
| old Gigacage however, arm64e uses both Gigacaging and PAC. In |
| order to ensure the PAC bits are not stripped in the caging |
| process we use the bit field insert instruction to take the low |
| bits from caging and the high bits from the PAC authentication. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::bitFieldInsert64): |
| * assembler/MacroAssemblerARM64E.h: |
| * assembler/testmasm.cpp: |
| (JSC::testCagePreservesPACFailureBit): |
| (JSC::run): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): |
| (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): |
| (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): |
| (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): |
| * ftl/FTLLowerDFGToB3.cpp: |
| (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): |
| (JSC::FTL::DFG::LowerDFGToB3::caged): |
| * jit/AssemblyHelpers.h: |
| (JSC::AssemblyHelpers::cageWithoutUntaging): |
| (JSC::AssemblyHelpers::cageConditionally): |
| (JSC::AssemblyHelpers::cage): Deleted. |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::emitIntTypedArrayGetByVal): |
| (JSC::JIT::emitFloatTypedArrayGetByVal): |
| (JSC::JIT::emitIntTypedArrayPutByVal): |
| (JSC::JIT::emitFloatTypedArrayPutByVal): |
| * llint/LowLevelInterpreter.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * offlineasm/arm64.rb: |
| * offlineasm/instructions.rb: |
| * offlineasm/registers.rb: |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| * wasm/WasmBinding.cpp: |
| (JSC::Wasm::wasmToWasm): |
| * wasm/js/JSToWasm.cpp: |
| (JSC::Wasm::createJSToWasmWrapper): |
| * wasm/js/WebAssemblyFunction.cpp: |
| (JSC::WebAssemblyFunction::jsCallEntrypointSlow): |
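A C model of the caging step described in the entry above, added here as an illustration and not code from the WebKit patch: the pointer layout (48 address bits with PAC bits above them), the 4 GiB cage and its base, and the single modelled authentication-failure bit are all assumptions of the model, and bit_field_insert64 stands in for the bit field insert instruction the entry mentions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model parameters: assumed for this example only, not JSC's or the hardware's real values. */
#define ADDRESS_BITS    48u
#define ADDRESS_MASK    ((UINT64_C(1) << ADDRESS_BITS) - 1)
#define CAGE_SIZE       (UINT64_C(1) << 32)     /* 4 GiB cage (model value) */
#define CAGE_MASK       (CAGE_SIZE - 1)
#define PAC_FAILURE_BIT (UINT64_C(1) << 62)     /* modelled "authentication failed" bit */

/* Cage base, aligned to CAGE_SIZE (model value). */
static const uint64_t cage_base = UINT64_C(0x0000300000000000);

/* Model of a bit field insert (ARM64 bfi): copy the low `width` bits of `src`
 * into `dest` at bit position `lsb`, leaving every other bit of `dest` unchanged. */
uint64_t bit_field_insert64(uint64_t dest, uint64_t src, unsigned lsb, unsigned width)
{
    uint64_t field = (width >= 64) ? UINT64_MAX : ((UINT64_C(1) << width) - 1);
    return (dest & ~(field << lsb)) | ((src & field) << lsb);
}

/* Caging without PAC awareness: base + (ptr & mask). Any bit above the
 * address bits, including an authentication-failure mark, is discarded. */
uint64_t cage_naive(uint64_t ptr)
{
    return cage_base + (ptr & CAGE_MASK);
}

/* Caging as the entry describes it: compute the caged address, then insert
 * only its low ADDRESS_BITS into the original pointer so that the high bits
 * produced by PAC authentication survive. */
uint64_t cage_preserving_pac(uint64_t ptr)
{
    uint64_t caged = cage_base + (ptr & CAGE_MASK);
    return bit_field_insert64(ptr, caged, 0, ADDRESS_BITS);
}

/* Model of the dereference: a pointer with any non-address bit set is not a
 * canonical address and faults instead of being accessed. */
bool would_fault_on_deref(uint64_t ptr)
{
    return (ptr & ~ADDRESS_MASK) != 0;
}

int main(void)
{
    /* Constructed inputs: a pointer inside the cage whose authentication failed,
     * and a clean pointer outside the cage. */
    uint64_t failed_auth = PAC_FAILURE_BIT | (cage_base + 0x1234);
    uint64_t outside     = UINT64_C(0x0000500000000010);

    printf("naive:      %#018llx faults=%d\n",
           (unsigned long long)cage_naive(failed_auth),
           would_fault_on_deref(cage_naive(failed_auth)));
    printf("preserving: %#018llx faults=%d\n",
           (unsigned long long)cage_preserving_pac(failed_auth),
           would_fault_on_deref(cage_preserving_pac(failed_auth)));
    printf("outside ptr caged to %#018llx\n",
           (unsigned long long)cage_preserving_pac(outside));
    return 0;
}
```

The naive variant turns a pointer that failed authentication back into a valid in-cage address, while the bit-field-insert variant keeps the failure mark so the later dereference still faults; that is the property testCagePreservesPACFailureBit in the entry's file list exists to check.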
| |
| 2019-06-06 Michael Saboff <msaboff@apple.com> |
| |
| [ARM64E]: Add disassembler support for authenticated instructions |
| https://bugs.webkit.org/show_bug.cgi?id=198562 |
| |
| Reviewed by Keith Miller. |
| |
| Added support for all the instructions supported in ARM64EAssembler.h. |
| |
| * disassembler/ARM64/A64DOpcode.cpp: |
| (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::format): |
| (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::format): |
| (JSC::ARM64Disassembler::A64DOpcodeHint::format): |
| (JSC::ARM64Disassembler::A64DOpcodeHint::opName): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::format): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::authOpName): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::format): |
| * disassembler/ARM64/A64DOpcode.h: |
| (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::opNameIndex): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::opName): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::opNum): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::mBit): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::sBit): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::wBit): |
| (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::immediate10): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::authOpCode): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op2): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op3): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op4): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::mBit): |
| (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::rm): |
| (JSC::ARM64Disassembler::A64DOpcodeHint::opName): Deleted. |
| |
| 2019-06-05 Justin Michaud <justin_michaud@apple.com> |
| |
| [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only). |
| https://bugs.webkit.org/show_bug.cgi?id=198398 |
| |
| Reviewed by Saam Barati. |
| |
| Create a new table subtype called FuncRefTable (note: Anyfunc was renamed to Funcref in the references spec). |
| Table now write-barriers and visits its children's wrapper objects. FuncRefTable caches some extra data to |
| support calling from wasm. A JSWebAssemblyTable is required to set an anyref element, but this is only because |
| we need to write barrier it (so it should not restrict how we implement threads). This patch does, however, |
| restrict the implementation of function references to require every Ref.func to have an associated wrapper. This |
| can be done statically, so this too should not restrict our threads implementation. |
| |
| * wasm/WasmAirIRGenerator.cpp: |
| (JSC::Wasm::AirIRGenerator::addTableGet): |
| (JSC::Wasm::AirIRGenerator::addTableSet): |
| (JSC::Wasm::AirIRGenerator::addCallIndirect): |
| * wasm/WasmB3IRGenerator.cpp: |
| (JSC::Wasm::B3IRGenerator::addLocal): |
| (JSC::Wasm::B3IRGenerator::addTableGet): |
| (JSC::Wasm::B3IRGenerator::addTableSet): |
| (JSC::Wasm::B3IRGenerator::addCallIndirect): |
| * wasm/WasmFormat.h: |
| (JSC::Wasm::TableInformation::TableInformation): |
| (JSC::Wasm::TableInformation::type const): |
| * wasm/WasmFunctionParser.h: |
| (JSC::Wasm::FunctionParser<Context>::parseExpression): |
| (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression): |
| * wasm/WasmSectionParser.cpp: |
| (JSC::Wasm::SectionParser::parseTableHelper): |
| * wasm/WasmTable.cpp: |
| (JSC::Wasm::Table::Table): |
| (JSC::Wasm::Table::tryCreate): |
| (JSC::Wasm::Table::grow): |
| (JSC::Wasm::Table::clear): |
| (JSC::Wasm::Table::set): |
| (JSC::Wasm::Table::get): |
| (JSC::Wasm::Table::visitChildren): |
| (JSC::Wasm::FuncRefTable::FuncRefTable): |
| (JSC::Wasm::FuncRefTable::setFunction): |
| (JSC::Wasm::Table::~Table): Deleted. |
| (JSC::Wasm::Table::clearFunction): Deleted. |
| (JSC::Wasm::Table::setFunction): Deleted. |
| * wasm/WasmTable.h: |
| (JSC::Wasm::Table::length const): |
| (JSC::Wasm::Table::type const): |
| (JSC::Wasm::Table::setOwner): |
| (JSC::Wasm::FuncRefTable::offsetOfFunctions): |
| (JSC::Wasm::FuncRefTable::offsetOfInstances): |
| (JSC::Wasm::Table::offsetOfFunctions): Deleted. |
| (JSC::Wasm::Table::offsetOfInstances): Deleted. |
| * wasm/WasmValidate.cpp: |
| (JSC::Wasm::Validate::addTableGet): |
| (JSC::Wasm::Validate::addTableSet): |
| (JSC::Wasm::Validate::addCallIndirect): |
| * wasm/js/JSWebAssemblyTable.cpp: |
| (JSC::JSWebAssemblyTable::JSWebAssemblyTable): |
| (JSC::JSWebAssemblyTable::finishCreation): |
| (JSC::JSWebAssemblyTable::visitChildren): |
| (JSC::JSWebAssemblyTable::grow): |
| (JSC::JSWebAssemblyTable::get): |
| (JSC::JSWebAssemblyTable::set): |
| (JSC::JSWebAssemblyTable::clear): |
| (JSC::JSWebAssemblyTable::getFunction): Deleted. |
| (JSC::JSWebAssemblyTable::clearFunction): Deleted. |
| (JSC::JSWebAssemblyTable::setFunction): Deleted. |
| * wasm/js/JSWebAssemblyTable.h: |
| * wasm/js/WebAssemblyModuleRecord.cpp: |
| (JSC::WebAssemblyModuleRecord::link): |
| (JSC::WebAssemblyModuleRecord::evaluate): |
| * wasm/js/WebAssemblyTableConstructor.cpp: |
| (JSC::constructJSWebAssemblyTable): |
| * wasm/js/WebAssemblyTablePrototype.cpp: |
| (JSC::webAssemblyTableProtoFuncGet): |
| (JSC::webAssemblyTableProtoFuncSet): |
| * wasm/wasm.json: |
| |
| 2019-06-05 Justin Michaud <justin_michaud@apple.com> |
| |
| WebAssembly: pow function returns 0 when exponent is 1.0 or -1.0 |
| https://bugs.webkit.org/show_bug.cgi?id=198106 |
| |
| Reviewed by Saam Barati. |
| |
| Fix bug caused by using fcsel sX instead of fcsel dX on an f64 value in moveDoubleConditionally32. |
| |
| * assembler/MacroAssemblerARM64.h: |
| (JSC::MacroAssemblerARM64::moveDoubleConditionally32): |
| |
| 2019-06-05 Alex Christensen <achristensen@webkit.org> |
| |
| Progress towards resurrecting Mac CMake build |
| https://bugs.webkit.org/show_bug.cgi?id=197132 |
| |
| Reviewed by Don Olmstead. |
| |
| * API/JSScript.mm: |
| (-[JSScript readCache]): |
| (-[JSScript sourceCode]): |
| (-[JSScript jsSourceCode]): |
| (-[JSScript writeCache:]): |
| * CMakeLists.txt: |
| |
| == Rolled over to ChangeLog-2019-06-05 == |