[JSC] Put TypedArrays in IsoSubspace
https://bugs.webkit.org/show_bug.cgi?id=204867
Reviewed by Mark Lam.
This patch puts TypedArrays in IsoSubspace.
- JSArrayBuffer
- JSDataView
- JSInt8Array
- JSInt16Array
- JSInt32Array
- JSUint8Array
- JSUint8ClampedArray
- JSUint16Array
- JSUint32Array
- JSFloat32Array
- JSFloat64Array
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
* runtime/JSArrayBuffer.h:
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::subspaceFor):
* runtime/JSDataView.h:
* runtime/JSGenericTypedArrayView.h:
* runtime/JSTypedArrays.h:
* runtime/TypedArrayAdaptors.h:
* runtime/VM.cpp:
* runtime/VM.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@253143 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index c365963..7529a31 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,38 @@
+2019-12-04 Yusuke Suzuki <ysuzuki@apple.com>
+
+ [JSC] Put TypedArrays in IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=204867
+
+ Reviewed by Mark Lam.
+
+ This patch puts TypedArrays in IsoSubspace.
+
+ - JSArrayBuffer
+ - JSDataView
+ - JSInt8Array
+ - JSInt16Array
+ - JSInt32Array
+ - JSUint8Array
+ - JSUint8ClampedArray
+ - JSUint16Array
+ - JSUint32Array
+ - JSFloat32Array
+ - JSFloat64Array
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ * runtime/JSArrayBuffer.h:
+ * runtime/JSArrayBufferView.h:
+ (JSC::JSArrayBufferView::subspaceFor):
+ * runtime/JSDataView.h:
+ * runtime/JSGenericTypedArrayView.h:
+ * runtime/JSTypedArrays.h:
+ * runtime/TypedArrayAdaptors.h:
+ * runtime/VM.cpp:
+ * runtime/VM.h:
+
2019-12-04 Tadeu Zagallo <tzagallo@apple.com>
[WebAssembly] Validate and generate bytecode in one pass
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
index f6a1cf5..77e9b77 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -9911,9 +9911,20 @@
#endif
auto butterfly = TrustedImmPtr(nullptr);
- emitAllocateJSObject<JSArrayBufferView>(
- resultGPR, TrustedImmPtr(structure), butterfly, scratchGPR, scratchGPR2,
- slowCases);
+ switch (typedArrayType) {
+#define TYPED_ARRAY_TYPE_CASE(name) \
+ case Type ## name: \
+ emitAllocateJSObject<JS##name##Array>(resultGPR, TrustedImmPtr(structure), butterfly, scratchGPR, scratchGPR2, slowCases); \
+ break;
+ FOR_EACH_TYPED_ARRAY_TYPE_EXCLUDING_DATA_VIEW(TYPED_ARRAY_TYPE_CASE)
+#undef TYPED_ARRAY_TYPE_CASE
+ case TypeDataView:
+ emitAllocateJSObject<JSDataView>(resultGPR, TrustedImmPtr(structure), butterfly, scratchGPR, scratchGPR2, slowCases);
+ break;
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ break;
+ }
m_jit.storePtr(
storageGPR,
diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
index 4f35043..bed3b84 100644
--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
@@ -6912,8 +6912,21 @@
ValueFromBlock haveStorage = m_out.anchor(storage);
- LValue fastResultValue =
- allocateObject<JSArrayBufferView>(structure, m_out.intPtrZero, slowCase);
+ LValue fastResultValue = nullptr;
+ switch (typedArrayType) {
+#define TYPED_ARRAY_TYPE_CASE(name) \
+ case Type ## name: \
+ fastResultValue = allocateObject<JS##name##Array>(structure, m_out.intPtrZero, slowCase); \
+ break;
+ FOR_EACH_TYPED_ARRAY_TYPE_EXCLUDING_DATA_VIEW(TYPED_ARRAY_TYPE_CASE)
+#undef TYPED_ARRAY_TYPE_CASE
+ case TypeDataView:
+ fastResultValue = allocateObject<JSDataView>(structure, m_out.intPtrZero, slowCase);
+ break;
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ break;
+ }
m_out.storePtr(storage, fastResultValue, m_heaps.JSArrayBufferView_vector);
m_out.store32(size, fastResultValue, m_heaps.JSArrayBufferView_length);
diff --git a/Source/JavaScriptCore/runtime/JSArrayBuffer.h b/Source/JavaScriptCore/runtime/JSArrayBuffer.h
index 6dca5b5..ba2e672 100644
--- a/Source/JavaScriptCore/runtime/JSArrayBuffer.h
+++ b/Source/JavaScriptCore/runtime/JSArrayBuffer.h
@@ -34,6 +34,12 @@
public:
using Base = JSNonFinalObject;
static constexpr unsigned StructureFlags = Base::StructureFlags;
+
+ template<typename CellType, SubspaceAccess mode>
+ static IsoSubspace* subspaceFor(VM& vm)
+ {
+ return vm.arrayBufferSpace<mode>();
+ }
protected:
JSArrayBuffer(VM&, Structure*, RefPtr<ArrayBuffer>&&);
diff --git a/Source/JavaScriptCore/runtime/JSArrayBufferView.h b/Source/JavaScriptCore/runtime/JSArrayBufferView.h
index 6484c82..8b6fdf0 100644
--- a/Source/JavaScriptCore/runtime/JSArrayBufferView.h
+++ b/Source/JavaScriptCore/runtime/JSArrayBufferView.h
@@ -95,7 +95,15 @@
class JSArrayBufferView : public JSNonFinalObject {
public:
- typedef JSNonFinalObject Base;
+ using Base = JSNonFinalObject;
+
+ template<typename, SubspaceAccess>
+ static IsoSubspace* subspaceFor(VM&)
+ {
+ RELEASE_ASSERT_NOT_REACHED();
+ return nullptr;
+ }
+
static constexpr unsigned fastSizeLimit = 1000;
using VectorPtr = CagedBarrierPtr<Gigacage::Primitive, void, tagCagedPtr>;
diff --git a/Source/JavaScriptCore/runtime/JSDataView.h b/Source/JavaScriptCore/runtime/JSDataView.h
index 120df7f..86410e6 100644
--- a/Source/JavaScriptCore/runtime/JSDataView.h
+++ b/Source/JavaScriptCore/runtime/JSDataView.h
@@ -32,8 +32,14 @@
class JSDataView final : public JSArrayBufferView {
public:
- typedef JSArrayBufferView Base;
+ using Base = JSArrayBufferView;
static constexpr unsigned elementSize = 1;
+
+ template<typename CellType, SubspaceAccess mode>
+ static IsoSubspace* subspaceFor(VM& vm)
+ {
+ return vm.dataViewSpace<mode>();
+ }
protected:
JSDataView(VM&, ConstructionContext&, ArrayBuffer*);
diff --git a/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h b/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h
index d066aec..f08f852 100644
--- a/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h
+++ b/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h
@@ -93,7 +93,7 @@
template<typename Adaptor>
class JSGenericTypedArrayView final : public JSArrayBufferView {
public:
- typedef JSArrayBufferView Base;
+ using Base = JSArrayBufferView;
typedef typename Adaptor::Type ElementType;
static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetPropertyNames | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
@@ -258,7 +258,35 @@
return getFloat64ArrayClassInfo();
default:
RELEASE_ASSERT_NOT_REACHED();
- return 0;
+ return nullptr;
+ }
+ }
+
+ template<typename CellType, SubspaceAccess mode>
+ static IsoSubspace* subspaceFor(VM& vm)
+ {
+ switch (Adaptor::typeValue) {
+ case TypeInt8:
+ return vm.int8ArraySpace<mode>();
+ case TypeInt16:
+ return vm.int16ArraySpace<mode>();
+ case TypeInt32:
+ return vm.int32ArraySpace<mode>();
+ case TypeUint8:
+ return vm.uint8ArraySpace<mode>();
+ case TypeUint8Clamped:
+ return vm.uint8ClampedArraySpace<mode>();
+ case TypeUint16:
+ return vm.uint16ArraySpace<mode>();
+ case TypeUint32:
+ return vm.uint32ArraySpace<mode>();
+ case TypeFloat32:
+ return vm.float32ArraySpace<mode>();
+ case TypeFloat64:
+ return vm.float64ArraySpace<mode>();
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ return nullptr;
}
}
diff --git a/Source/JavaScriptCore/runtime/JSTypedArrays.h b/Source/JavaScriptCore/runtime/JSTypedArrays.h
index 88c5219..c381298 100644
--- a/Source/JavaScriptCore/runtime/JSTypedArrays.h
+++ b/Source/JavaScriptCore/runtime/JSTypedArrays.h
@@ -30,15 +30,15 @@
namespace JSC {
-typedef JSGenericTypedArrayView<Int8Adaptor> JSInt8Array;
-typedef JSGenericTypedArrayView<Int16Adaptor> JSInt16Array;
-typedef JSGenericTypedArrayView<Int32Adaptor> JSInt32Array;
-typedef JSGenericTypedArrayView<Uint8Adaptor> JSUint8Array;
-typedef JSGenericTypedArrayView<Uint8ClampedAdaptor> JSUint8ClampedArray;
-typedef JSGenericTypedArrayView<Uint16Adaptor> JSUint16Array;
-typedef JSGenericTypedArrayView<Uint32Adaptor> JSUint32Array;
-typedef JSGenericTypedArrayView<Float32Adaptor> JSFloat32Array;
-typedef JSGenericTypedArrayView<Float64Adaptor> JSFloat64Array;
+using JSInt8Array = JSGenericTypedArrayView<Int8Adaptor>;
+using JSInt16Array = JSGenericTypedArrayView<Int16Adaptor>;
+using JSInt32Array = JSGenericTypedArrayView<Int32Adaptor>;
+using JSUint8Array = JSGenericTypedArrayView<Uint8Adaptor>;
+using JSUint8ClampedArray = JSGenericTypedArrayView<Uint8ClampedAdaptor>;
+using JSUint16Array = JSGenericTypedArrayView<Uint16Adaptor>;
+using JSUint32Array = JSGenericTypedArrayView<Uint32Adaptor>;
+using JSFloat32Array = JSGenericTypedArrayView<Float32Adaptor>;
+using JSFloat64Array = JSGenericTypedArrayView<Float64Adaptor>;
JS_EXPORT_PRIVATE JSUint8Array* createUint8TypedArray(JSGlobalObject*, Structure*, RefPtr<ArrayBuffer>&&, unsigned byteOffset, unsigned length);
diff --git a/Source/JavaScriptCore/runtime/TypedArrayAdaptors.h b/Source/JavaScriptCore/runtime/TypedArrayAdaptors.h
index 6927c80..e324d40 100644
--- a/Source/JavaScriptCore/runtime/TypedArrayAdaptors.h
+++ b/Source/JavaScriptCore/runtime/TypedArrayAdaptors.h
@@ -194,15 +194,15 @@
typedef GenericTypedArrayView<Float64Adaptor> Float64Array;
template<typename Adaptor> class JSGenericTypedArrayView;
-typedef JSGenericTypedArrayView<Int8Adaptor> JSInt8Array;
-typedef JSGenericTypedArrayView<Int16Adaptor> JSInt16Array;
-typedef JSGenericTypedArrayView<Int32Adaptor> JSInt32Array;
-typedef JSGenericTypedArrayView<Uint8Adaptor> JSUint8Array;
-typedef JSGenericTypedArrayView<Uint8ClampedAdaptor> JSUint8ClampedArray;
-typedef JSGenericTypedArrayView<Uint16Adaptor> JSUint16Array;
-typedef JSGenericTypedArrayView<Uint32Adaptor> JSUint32Array;
-typedef JSGenericTypedArrayView<Float32Adaptor> JSFloat32Array;
-typedef JSGenericTypedArrayView<Float64Adaptor> JSFloat64Array;
+using JSInt8Array = JSGenericTypedArrayView<Int8Adaptor>;
+using JSInt16Array = JSGenericTypedArrayView<Int16Adaptor>;
+using JSInt32Array = JSGenericTypedArrayView<Int32Adaptor>;
+using JSUint8Array = JSGenericTypedArrayView<Uint8Adaptor>;
+using JSUint8ClampedArray = JSGenericTypedArrayView<Uint8ClampedAdaptor>;
+using JSUint16Array = JSGenericTypedArrayView<Uint16Adaptor>;
+using JSUint32Array = JSGenericTypedArrayView<Uint32Adaptor>;
+using JSFloat32Array = JSGenericTypedArrayView<Float32Adaptor>;
+using JSFloat64Array = JSGenericTypedArrayView<Float64Adaptor>;
struct Int8Adaptor : IntegralTypedArrayAdaptor<int8_t, Int8Array, JSInt8Array, TypeInt8> { };
struct Int16Adaptor : IntegralTypedArrayAdaptor<int16_t, Int16Array, JSInt16Array, TypeInt16> { };
diff --git a/Source/JavaScriptCore/runtime/VM.cpp b/Source/JavaScriptCore/runtime/VM.cpp
index 567f672..deedc04 100644
--- a/Source/JavaScriptCore/runtime/VM.cpp
+++ b/Source/JavaScriptCore/runtime/VM.cpp
@@ -77,6 +77,7 @@
#include "JITWorklist.h"
#include "JSAPIValueWrapper.h"
#include "JSArray.h"
+#include "JSArrayBuffer.h"
#include "JSArrayBufferConstructor.h"
#include "JSAsyncFunction.h"
#include "JSBigInt.h"
@@ -101,6 +102,7 @@
#include "JSSetIterator.h"
#include "JSSourceCode.h"
#include "JSTemplateObjectDescriptor.h"
+#include "JSTypedArrays.h"
#include "JSWeakMap.h"
#include "JSWeakObjectRef.h"
#include "JSWeakSet.h"
@@ -1342,19 +1344,30 @@
}
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(arrayBufferSpace, cellHeapCellType.get(), JSArrayBuffer)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(asyncGeneratorSpace, cellHeapCellType.get(), JSAsyncGenerator)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(boundFunctionSpace, cellHeapCellType.get(), JSBoundFunction) // Hash:0xd7916d41
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(callbackFunctionSpace, cellHeapCellType.get(), JSCallbackFunction) // Hash:0xe7648ebc
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(customGetterSetterFunctionSpace, cellHeapCellType.get(), JSCustomGetterSetterFunction) // Hash:0x18091000
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(dataViewSpace, cellHeapCellType.get(), JSDataView)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(errorInstanceSpace, errorInstanceHeapCellType.get(), ErrorInstance) // Hash:0x3f40d4a
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(float32ArraySpace, cellHeapCellType.get(), JSFloat32Array)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(float64ArraySpace, cellHeapCellType.get(), JSFloat64Array)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(functionRareDataSpace, destructibleCellHeapCellType.get(), FunctionRareData)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(generatorSpace, cellHeapCellType.get(), JSGenerator)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(int8ArraySpace, cellHeapCellType.get(), JSInt8Array)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(int16ArraySpace, cellHeapCellType.get(), JSInt16Array)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(int32ArraySpace, cellHeapCellType.get(), JSInt32Array)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(mapSpace, cellHeapCellType.get(), JSMap)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(nativeStdFunctionSpace, cellHeapCellType.get(), JSNativeStdFunction) // Hash:0x70ed61e4
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(proxyObjectSpace, cellHeapCellType.get(), ProxyObject)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(proxyRevokeSpace, cellHeapCellType.get(), ProxyRevoke) // Hash:0xb506a939
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(setSpace, cellHeapCellType.get(), JSSet)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(symbolSpace, destructibleCellHeapCellType.get(), Symbol)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(uint8ArraySpace, cellHeapCellType.get(), JSUint8Array)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(uint8ClampedArraySpace, cellHeapCellType.get(), JSUint8ClampedArray)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(uint16ArraySpace, cellHeapCellType.get(), JSUint16Array)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(uint32ArraySpace, cellHeapCellType.get(), JSUint32Array)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(unlinkedEvalCodeBlockSpace, destructibleCellHeapCellType.get(), UnlinkedEvalCodeBlock)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(unlinkedFunctionCodeBlockSpace, destructibleCellHeapCellType.get(), UnlinkedFunctionCodeBlock)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(unlinkedModuleProgramCodeBlockSpace, destructibleCellHeapCellType.get(), UnlinkedModuleProgramCodeBlock)
diff --git a/Source/JavaScriptCore/runtime/VM.h b/Source/JavaScriptCore/runtime/VM.h
index bbfb832..12957ad 100644
--- a/Source/JavaScriptCore/runtime/VM.h
+++ b/Source/JavaScriptCore/runtime/VM.h
@@ -450,19 +450,30 @@
#ifdef JSC_GLIB_API_ENABLED
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(jscCallbackFunctionSpace)
#endif
+ DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(arrayBufferSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(asyncGeneratorSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(boundFunctionSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(callbackFunctionSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(customGetterSetterFunctionSpace)
+ DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(dataViewSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(errorInstanceSpace)
+ DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(float32ArraySpace)
+ DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(float64ArraySpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(functionRareDataSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(generatorSpace)
+ DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(int8ArraySpace)
+ DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(int16ArraySpace)
+ DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(int32ArraySpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(mapSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(nativeStdFunctionSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(proxyObjectSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(proxyRevokeSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(setSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(symbolSpace)
+ DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(uint8ArraySpace)
+ DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(uint8ClampedArraySpace)
+ DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(uint16ArraySpace)
+ DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(uint32ArraySpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(unlinkedEvalCodeBlockSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(unlinkedFunctionCodeBlockSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(unlinkedModuleProgramCodeBlockSpace)
