Google Git
Sign in
webkit / WebKit / ee1796c45991b1b029489f26551fca302db4cd77 / . / Source / JavaScriptCore / ChangeLog
blob: 012f3d036759b881a760481954744018965bb730 [file] [log] [blame]
2018-03-07 Mark Lam <mark.lam@apple.com>
Rename ProtoCallFrame::arityMissMatch to hasArityMismatch.
https://bugs.webkit.org/show_bug.cgi?id=183414
<rdar://problem/38231678>
Reviewed by Michael Saboff.
* interpreter/ProtoCallFrame.cpp:
(JSC::ProtoCallFrame::init):
* interpreter/ProtoCallFrame.h:
2018-03-07 Mark Lam <mark.lam@apple.com>
Simplify the variants of FunctionPtr constructors.
https://bugs.webkit.org/show_bug.cgi?id=183399
<rdar://problem/38212980>
Reviewed by Yusuke Suzuki.
* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr):
2018-03-06 Filip Pizlo <fpizlo@apple.com>
MarkedArgumentsBuffer should allocate from the JSValue Gigacage
https://bugs.webkit.org/show_bug.cgi?id=183377
Reviewed by Michael Saboff.
That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap.
* runtime/ArgList.cpp:
(JSC::MarkedArgumentBuffer::expandCapacity):
2018-03-07 Mark Lam <mark.lam@apple.com>
Add support for ARM64E.
https://bugs.webkit.org/show_bug.cgi?id=183398
<rdar://problem/38212621>
Reviewed by Michael Saboff.
* assembler/MacroAssembler.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/backends.rb:
2018-03-07 Yusuke Suzuki <utatane.tea@gmail.com>
HTML `pattern` attribute should set `u` flag for regular expressions
https://bugs.webkit.org/show_bug.cgi?id=151598
Reviewed by Chris Dumez.
Add UnicodeMode for JSC::Yarr::RegularExpression.
* yarr/RegularExpression.cpp:
(JSC::Yarr::RegularExpression::Private::create):
(JSC::Yarr::RegularExpression::Private::Private):
(JSC::Yarr::RegularExpression::Private::compile):
(JSC::Yarr::RegularExpression::RegularExpression):
* yarr/RegularExpression.h:
2018-03-07 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add more JSType based fast path for jsDynamicCast
https://bugs.webkit.org/show_bug.cgi?id=183403
Reviewed by Mark Lam.
We add more JSType based fast path for jsDynamicCast. Basically, we add miscellaneous JSTypes which
are used for jsDynamicCast in JSC, arguments types, and scope types.
We also add ClassInfo to JSScope and JSSegmentedVariableObject since they are used with jsDynamicCast.
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* runtime/ClonedArguments.h:
(JSC::ClonedArguments::specialsMaterialized const): Deleted.
* runtime/DirectArguments.h:
(JSC::DirectArguments::subspaceFor): Deleted.
(JSC::DirectArguments::internalLength const): Deleted.
(JSC::DirectArguments::length const): Deleted.
(JSC::DirectArguments::isMappedArgument const): Deleted.
(JSC::DirectArguments::isMappedArgumentInDFG const): Deleted.
(JSC::DirectArguments::getIndexQuickly const): Deleted.
(JSC::DirectArguments::setIndexQuickly): Deleted.
(JSC::DirectArguments::callee): Deleted.
(JSC::DirectArguments::argument): Deleted.
(JSC::DirectArguments::overrodeThings const): Deleted.
(JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
(JSC::DirectArguments::setModifiedArgumentDescriptor): Deleted.
(JSC::DirectArguments::isModifiedArgumentDescriptor): Deleted.
(JSC::DirectArguments::offsetOfCallee): Deleted.
(JSC::DirectArguments::offsetOfLength): Deleted.
(JSC::DirectArguments::offsetOfMinCapacity): Deleted.
(JSC::DirectArguments::offsetOfMappedArguments): Deleted.
(JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor): Deleted.
(JSC::DirectArguments::storageOffset): Deleted.
(JSC::DirectArguments::offsetOfSlot): Deleted.
(JSC::DirectArguments::allocationSize): Deleted.
(JSC::DirectArguments::storage): Deleted.
* runtime/JSCast.h:
* runtime/JSGlobalLexicalEnvironment.h:
(JSC::JSGlobalLexicalEnvironment::create): Deleted.
(JSC::JSGlobalLexicalEnvironment::isEmpty const): Deleted.
(JSC::JSGlobalLexicalEnvironment::createStructure): Deleted.
(JSC::JSGlobalLexicalEnvironment::JSGlobalLexicalEnvironment): Deleted.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::finishCreation):
* runtime/JSMap.h:
(JSC::isJSMap): Deleted.
* runtime/JSModuleEnvironment.h:
(JSC::JSModuleEnvironment::create): Deleted.
(JSC::JSModuleEnvironment::createStructure): Deleted.
(JSC::JSModuleEnvironment::offsetOfModuleRecord): Deleted.
(JSC::JSModuleEnvironment::allocationSize): Deleted.
(JSC::JSModuleEnvironment::moduleRecord): Deleted.
(JSC::JSModuleEnvironment::moduleRecordSlot): Deleted.
* runtime/JSObject.cpp:
(JSC::canDoFastPutDirectIndex):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
* runtime/JSObject.h:
(JSC::JSFinalObject::allocationSize): Deleted.
(JSC::JSFinalObject::typeInfo): Deleted.
(JSC::JSFinalObject::defaultInlineCapacity): Deleted.
(JSC::JSFinalObject::maxInlineCapacity): Deleted.
(JSC::JSFinalObject::createStructure): Deleted.
(JSC::JSFinalObject::finishCreation): Deleted.
(JSC::JSFinalObject::JSFinalObject): Deleted.
(JSC::isJSFinalObject): Deleted.
* runtime/JSScope.cpp:
* runtime/JSScope.h:
* runtime/JSSegmentedVariableObject.cpp:
* runtime/JSSegmentedVariableObject.h:
* runtime/JSSet.h:
(JSC::isJSSet): Deleted.
* runtime/JSType.h:
* runtime/JSWeakMap.h:
(JSC::isJSWeakMap): Deleted.
* runtime/JSWeakSet.h:
(JSC::isJSWeakSet): Deleted.
* runtime/JSWithScope.h:
(JSC::JSWithScope::object): Deleted.
* runtime/MapConstructor.cpp:
(JSC::constructMap):
(JSC::mapPrivateFuncMapBucketHead):
* runtime/MapPrototype.cpp:
(JSC::getMap):
* runtime/NumberObject.cpp:
(JSC::NumberObject::finishCreation):
* runtime/NumberPrototype.cpp:
(JSC::toThisNumber):
(JSC::numberProtoFuncToExponential):
(JSC::numberProtoFuncToFixed):
(JSC::numberProtoFuncToPrecision):
(JSC::numberProtoFuncToString):
(JSC::numberProtoFuncToLocaleString):
(JSC::numberProtoFuncValueOf):
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorSeal):
(JSC::objectConstructorFreeze):
(JSC::objectConstructorIsSealed):
(JSC::objectConstructorIsFrozen):
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::finishCreation):
* runtime/ScopedArguments.h:
(JSC::ScopedArguments::subspaceFor): Deleted.
(JSC::ScopedArguments::internalLength const): Deleted.
(JSC::ScopedArguments::length const): Deleted.
(JSC::ScopedArguments::isMappedArgument const): Deleted.
(JSC::ScopedArguments::isMappedArgumentInDFG const): Deleted.
(JSC::ScopedArguments::getIndexQuickly const): Deleted.
(JSC::ScopedArguments::setIndexQuickly): Deleted.
(JSC::ScopedArguments::callee): Deleted.
(JSC::ScopedArguments::overrodeThings const): Deleted.
(JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
(JSC::ScopedArguments::setModifiedArgumentDescriptor): Deleted.
(JSC::ScopedArguments::isModifiedArgumentDescriptor): Deleted.
(JSC::ScopedArguments::offsetOfOverrodeThings): Deleted.
(JSC::ScopedArguments::offsetOfTotalLength): Deleted.
(JSC::ScopedArguments::offsetOfTable): Deleted.
(JSC::ScopedArguments::offsetOfScope): Deleted.
(JSC::ScopedArguments::overflowStorageOffset): Deleted.
(JSC::ScopedArguments::allocationSize): Deleted.
(JSC::ScopedArguments::overflowStorage const): Deleted.
* runtime/SetConstructor.cpp:
(JSC::constructSet):
(JSC::setPrivateFuncSetBucketHead):
* runtime/SetPrototype.cpp:
(JSC::getSet):
* runtime/StrictEvalActivation.h:
(JSC::StrictEvalActivation::create): Deleted.
(JSC::StrictEvalActivation::createStructure): Deleted.
* runtime/WeakMapPrototype.cpp:
(JSC::getWeakMap):
* runtime/WeakSetPrototype.cpp:
(JSC::getWeakSet):
2018-03-07 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] offlineasm: fix indentation in armOpcodeReversedOperands
https://bugs.webkit.org/show_bug.cgi?id=183400
Reviewed by Mark Lam.
* offlineasm/arm.rb:
2018-03-06 Mark Lam <mark.lam@apple.com>
Prepare LLInt code to support pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=183387
<rdar://problem/38199678>
Reviewed by JF Bastien.
1. Introduced PtrTag enums for supporting pointer profiling later.
2. Also introduced tagging, untagging, retagging, and tag removal placeholder
template functions for the same purpose.
3. Prepare the offlineasm for supporting pointer profiling later.
4. Tagged some pointers in LLInt asm code. Currently, these should have no
effect on behavior.
5. Removed returnToThrowForThrownException() because it is not used anywhere.
6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
easier to view and edit these files in Xcode.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/LLIntCallLinkInfo.h:
(JSC::LLIntCallLinkInfo::unlink):
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
* llint/LLIntExceptions.cpp:
(JSC::LLInt::returnToThrowForThrownException): Deleted.
* llint/LLIntExceptions.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntOffsetsExtractor.cpp:
* llint/LLIntPCRanges.h:
(JSC::LLInt::isLLIntPC):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::handleHostCall):
(JSC::LLInt::setUpCall):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/ast.rb:
* offlineasm/instructions.rb:
* offlineasm/risc.rb:
* runtime/PtrTag.h: Added.
(JSC::uniquePtrTagID):
(JSC::ptrTag):
(JSC::tagCodePtr):
(JSC::untagCodePtr):
(JSC::retagCodePtr):
(JSC::removeCodePtrTag):
2018-03-06 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Assembler warnings: "use of r13 is deprecated"
https://bugs.webkit.org/show_bug.cgi?id=183286
Reviewed by Mark Lam.
Usage of sp/r13 as operand Rm is deprecated on ARM. offlineasm
sometimes generates assembly code that triggers this warning. Prevent
this by simply switching operands.
* offlineasm/arm.rb:
2018-03-06 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix incorrect assertion after r229309
https://bugs.webkit.org/show_bug.cgi?id=182975
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::TypeProfilerLog):
2018-03-05 Yusuke Suzuki <utatane.tea@gmail.com>
Fix std::make_unique / new[] using system malloc
https://bugs.webkit.org/show_bug.cgi?id=182975
Reviewed by JF Bastien.
Use Vector, FAST_ALLOCATED, or UniqueArray instead.
* API/JSStringRefCF.cpp:
(JSStringCreateWithCFString):
* bytecode/BytecodeKills.h:
* bytecode/BytecodeLivenessAnalysis.cpp:
(JSC::BytecodeLivenessAnalysis::computeKills):
* dfg/DFGDisassembler.cpp:
(JSC::DFG::Disassembler::dumpDisassembly):
* jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
* jit/PolymorphicCallStubRoutine.h:
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jsc.cpp:
(currentWorkingDirectory):
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
* runtime/ArgList.h:
* runtime/StructureChain.h:
* runtime/StructureIDTable.cpp:
(JSC::StructureIDTable::StructureIDTable):
(JSC::StructureIDTable::resize):
* runtime/StructureIDTable.h:
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::TypeProfilerLog):
(JSC::TypeProfilerLog::initializeLog): Deleted.
* runtime/TypeProfilerLog.h:
(JSC::TypeProfilerLog::TypeProfilerLog): Deleted.
* runtime/VM.cpp:
(JSC::VM::~VM):
(JSC::VM::acquireRegExpPatternContexBuffer):
* runtime/VM.h:
* testRegExp.cpp:
(runFromFiles):
* tools/HeapVerifier.cpp:
(JSC::HeapVerifier::HeapVerifier):
* tools/HeapVerifier.h:
2018-03-05 Mark Lam <mark.lam@apple.com>
JITThunk functions should only be called when the JIT is enabled.
https://bugs.webkit.org/show_bug.cgi?id=183351
<rdar://problem/38160091>
Reviewed by Keith Miller.
* jit/JITThunks.cpp:
(JSC::JITThunks::ctiNativeCall):
(JSC::JITThunks::ctiNativeConstruct):
(JSC::JITThunks::ctiInternalFunctionCall):
(JSC::JITThunks::ctiInternalFunctionConstruct):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::getCTIInternalFunctionTrampolineFor):
2018-03-05 Mark Lam <mark.lam@apple.com>
Gardening: build fix.
Not reviewed.
* interpreter/AbstractPC.h:
(JSC::AbstractPC::AbstractPC):
2018-03-05 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Use WTF::ArithmeticOperations for CLoop overflow operations
https://bugs.webkit.org/show_bug.cgi?id=183324
Reviewed by JF Bastien.
We have WTF::ArithmeticOperations which has operations with overflow checking.
This is suitable for CLoop's overflow checking operations. This patch emits
WTF::ArithmeticOperations for CLoop's overflow checking operations. And it is
lowered to optimized code using CPU's overflow flag.
* offlineasm/cloop.rb:
2018-03-05 Don Olmstead <don.olmstead@sony.com>
[CMake] Split JSC header copying into public and private targets
https://bugs.webkit.org/show_bug.cgi?id=183251
Reviewed by Konstantin Tokarev.
* CMakeLists.txt:
2018-03-04 Yusuke Suzuki <utatane.tea@gmail.com>
[WTF] Move currentCPUTime and sleep(Seconds) to CPUTime.h and Seconds.h respectively
https://bugs.webkit.org/show_bug.cgi?id=183312
Reviewed by Mark Lam.
Remove wtf/CurrentTime.h include pragma.
* API/tests/ExecutionTimeLimitTest.cpp:
(currentCPUTimeAsJSFunctionCallback):
(testExecutionTimeLimit):
* bytecode/SuperSampler.cpp:
* dfg/DFGPlan.cpp:
* heap/BlockDirectory.cpp:
* heap/Heap.cpp:
* heap/IncrementalSweeper.cpp:
* inspector/agents/InspectorConsoleAgent.cpp:
* inspector/agents/InspectorRuntimeAgent.cpp:
* profiler/ProfilerDatabase.cpp:
* runtime/CodeCache.h:
* runtime/JSDateMath.cpp:
* runtime/TypeProfilerLog.cpp:
* runtime/VM.cpp:
* runtime/Watchdog.cpp:
(JSC::Watchdog::shouldTerminate):
(JSC::Watchdog::startTimer):
* testRegExp.cpp:
* wasm/js/JSWebAssemblyCodeBlock.cpp:
2018-03-04 Tim Horton <timothy_horton@apple.com>
Make !ENABLE(DATA_DETECTION) iOS build actually succeed
https://bugs.webkit.org/show_bug.cgi?id=183283
<rdar://problem/38062148>
Reviewed by Sam Weinig.
* Configurations/FeatureDefines.xcconfig:
2018-03-02 Mark Lam <mark.lam@apple.com>
Make the LLInt probe work for ARM64.
https://bugs.webkit.org/show_bug.cgi?id=183298
<rdar://problem/38077413>
Reviewed by Filip Pizlo.
* llint/LowLevelInterpreter.asm:
2018-03-02 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Annotate more classes with WTF_MAKE_FAST_ALLOCATED
https://bugs.webkit.org/show_bug.cgi?id=183279
Reviewed by JF Bastien.
* bytecode/BytecodeIntrinsicRegistry.h:
* ftl/FTLThunks.h:
* heap/CodeBlockSet.h:
* heap/GCSegmentedArray.h:
* heap/MachineStackMarker.h:
* heap/MarkingConstraintSet.h:
2018-03-01 Yusuke Suzuki <utatane.tea@gmail.com>
Remove monotonicallyIncreasingTime
https://bugs.webkit.org/show_bug.cgi?id=182911
Reviewed by Michael Catanzaro.
* debugger/Debugger.cpp:
(JSC::Debugger::willEvaluateScript):
(JSC::Debugger::didEvaluateScript):
* debugger/Debugger.h:
* debugger/ScriptProfilingScope.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::breakpointActionProbe):
* inspector/agents/InspectorHeapAgent.cpp:
(Inspector::InspectorHeapAgent::snapshot):
(Inspector::InspectorHeapAgent::didGarbageCollect):
(Inspector::InspectorHeapAgent::dispatchGarbageCollectedEvent):
* inspector/agents/InspectorHeapAgent.h:
* inspector/agents/InspectorScriptProfilerAgent.cpp:
(Inspector::InspectorScriptProfilerAgent::startTracking):
(Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
(Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
(Inspector::InspectorScriptProfilerAgent::addEvent):
(Inspector::buildSamples):
* inspector/agents/InspectorScriptProfilerAgent.h:
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::takeSample):
* runtime/SamplingProfiler.h:
2018-03-01 Yusuke Suzuki <utatane.tea@gmail.com>
ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
https://bugs.webkit.org/show_bug.cgi?id=183173
Reviewed by Saam Barati.
Classifier could propagate an error which does not occur at the first token
of the given expression. We should check whether the given token is "async"
instead of assertion.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseAssignmentExpression):
2018-03-01 Saam Barati <sbarati@apple.com>
We need to clear cached structures when having a bad time
https://bugs.webkit.org/show_bug.cgi?id=183256
<rdar://problem/36245022>
Reviewed by Mark Lam.
This patch makes both InternalFunctionAllocationProfile and the VM's
structure cache having-a-bad-time aware. For InternalFunctionAllocationProfile,
we clear them when they'd produce an object with a bad indexing type.
For the VM's Structure cache, we conservatively clear the entire cache
since it may be housing Structures with bad indexing types.
* runtime/FunctionRareData.h:
(JSC::FunctionRareData::clearInternalFunctionAllocationProfile):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::haveABadTime):
* runtime/StructureCache.h:
(JSC::StructureCache::clear):
2018-03-01 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix exception check for ExceptionScope
https://bugs.webkit.org/show_bug.cgi?id=183175
* jsc.cpp:
(GlobalObject::moduleLoaderFetch):
2018-02-28 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Fix compile error in debug builds by invoking unpoisoned().
Reviewed by Mark Lam.
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): Fix compile error.
(JSC::MacroAssemblerCodePtr::createFromExecutableAddress()): Ditto.
(JSC::MacroAssemblerCodePtr::dataLocation()): Ditto.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::ByteCompiler::dumpDisjunction): use %zu for printf'ing size_t.
2018-02-28 JF Bastien <jfbastien@apple.com>
GC should sweep code block before deleting
https://bugs.webkit.org/show_bug.cgi?id=183229
<rdar://problem/32767615>
Reviewed by Saam Barati, Fil Pizlo.
Stub routines shouldn't get deleted before codeblocks have been
swept, otherwise there's a small race window where the codeblock
thinks it's still reachable.
* heap/Heap.cpp:
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::sweepInFinalize):
2018-02-28 Yusuke Suzuki <utatane.tea@gmail.com>
JSC crash with `import("")`
https://bugs.webkit.org/show_bug.cgi?id=183175
Reviewed by Saam Barati.
Add file existence and file type check for module loader implementation in jsc.cpp.
This is not safe for TOCTOU, but it is OK since this functionality is used for the
JSC shell (jsc.cpp): testing purpose.
* jsc.cpp:
(fillBufferWithContentsOfFile):
(fetchModuleFromLocalFileSystem):
2018-02-27 Keith Miller <keith_miller@apple.com>
Replace TrustedImmPtr(0) with TrustedImmPtr(nullptr)
https://bugs.webkit.org/show_bug.cgi?id=183195
Reviewed by Mark Lam.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::patchableBranchPtr):
(JSC::MacroAssembler::patchableBranchPtrWithPatch):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::branchPtrWithPatch):
(JSC::MacroAssemblerARM::storePtrWithPatch):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::call):
(JSC::MacroAssemblerARM64::tailRecursiveCall):
(JSC::MacroAssemblerARM64::branchPtrWithPatch):
(JSC::MacroAssemblerARM64::patchableBranchPtrWithPatch):
(JSC::MacroAssemblerARM64::storePtrWithPatch):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::branchPtrWithPatch):
(JSC::MacroAssemblerARMv7::patchableBranchPtr):
(JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch):
(JSC::MacroAssemblerARMv7::storePtrWithPatch):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branchPtrWithPatch):
(JSC::MacroAssemblerMIPS::storePtrWithPatch):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::branchPtrWithPatch):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
(JSC::MacroAssemblerX86_64::call):
(JSC::MacroAssemblerX86_64::tailRecursiveCall):
(JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
(JSC::MacroAssemblerX86_64::branchPtrWithPatch):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileToLowerCase):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::debugCall):
(JSC::AssemblyHelpers::sanitizeStackInline):
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
* jit/ScratchRegisterAllocator.cpp:
(JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::initParenContextFreeList):
(JSC::Yarr::YarrGenerator::storeToFrameWithPatch):
(JSC::Yarr::YarrGenerator::generate):
2018-02-26 Mark Lam <mark.lam@apple.com>
Modernize FINALIZE_CODE and peer macros to use __VA_ARGS__ arguments.
https://bugs.webkit.org/show_bug.cgi?id=183159
<rdar://problem/37930837>
Reviewed by Keith Miller.
* assembler/LinkBuffer.h:
* assembler/testmasm.cpp:
(JSC::compile):
* b3/B3Compile.cpp:
(JSC::B3::compile):
* b3/air/testair.cpp:
* b3/testb3.cpp:
(JSC::B3::testEntrySwitchSimple):
(JSC::B3::testEntrySwitchNoEntrySwitch):
(JSC::B3::testEntrySwitchWithCommonPaths):
(JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
(JSC::B3::testEntrySwitchLoop):
* bytecode/InlineAccess.cpp:
(JSC::linkCodeInline):
(JSC::InlineAccess::rewireStubAsJump):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileOSRExit):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitThunkGenerator):
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::generate):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/ExecutableAllocator.cpp:
* jit/JIT.cpp:
(JSC::JIT::link):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* jit/JITOpcodes.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
* jit/JITStubRoutine.h:
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::linkCallThunkGenerator):
(JSC::linkPolymorphicCallThunkGenerator):
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::arityFixupGenerator):
(JSC::unreachableGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::complete):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::compile):
2018-02-25 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
https://bugs.webkit.org/show_bug.cgi?id=182965
Reviewed by Saam Barati.
This patch extends FTL coverage for PutByVal by adding ArrayStorage and SlwoPutArrayStorage support.
Basically large part of the patch is porting from DFG code. Since PutByVal already emits CheckInBounds
for InBounds case, we do not have OutOfBounds check for that case.
This is the last change for FTL to support all the types of DFG nodes except for CreateThis.
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
(JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
For consistency, we use operationPutByValXXX and operationPutByValDirectXXX.
But except for SlowPutArrayStorage case, basically it is meaningless since
we do not have indexed accessors.
2018-02-26 Saam Barati <sbarati@apple.com>
validateStackAccess should not validate if the offset is within the stack bounds
https://bugs.webkit.org/show_bug.cgi?id=183067
<rdar://problem/37749988>
Reviewed by Mark Lam.
The validation rule was saying that any load from the stack must be
within the stack bounds of the frame. However, it's natural for a user
of B3 to emit code that may be outside of B3's stack bounds, but guard
such a load with a branch. The FTL does exactly this with GetMyArgumentByVal.
B3 is wrong to assert that this is a static property about all stack loads.
* b3/B3Validate.cpp:
2018-02-23 Saam Barati <sbarati@apple.com>
Make Number.isInteger an intrinsic
https://bugs.webkit.org/show_bug.cgi?id=183088
Reviewed by JF Bastien.
When profiling the ML subtest in ARES, I noticed it was spending some
time in Number.isInteger. This patch makes that operation an intrinsic
in the DFG/FTL. It might be a speedup by 1% or so on that subtest, but
it's likely not an aggregate speedup on ARES. However, it is definitely
faster than calling into a builtin function, so we might as well have
it as an intrinsic.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
(JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/NumberConstructor.cpp:
(JSC::NumberConstructor::finishCreation):
(JSC::numberConstructorFuncIsInteger):
* runtime/NumberConstructor.h:
(JSC::NumberConstructor::isIntegerImpl):
2018-02-23 Oleksandr Skachkov <gskachkov@gmail.com>
WebAssembly: cache memory address / size on instance
https://bugs.webkit.org/show_bug.cgi?id=177305
Reviewed by JF Bastien.
Cache memory address/size in wasm:Instance to avoid load wasm:Memory
object during access to memory and memory size property in JiT
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::addCurrentMemory):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmInstance.h:
(JSC::Wasm::Instance::cachedMemory const):
(JSC::Wasm::Instance::cachedMemorySize const):
(JSC::Wasm::Instance::createWeakPtr):
(JSC::Wasm::Instance::setMemory):
(JSC::Wasm::Instance::updateCachedMemory):
(JSC::Wasm::Instance::offsetOfCachedMemory):
(JSC::Wasm::Instance::offsetOfCachedMemorySize):
(JSC::Wasm::Instance::offsetOfCachedIndexingMask):
(JSC::Wasm::Instance::allocationSize):
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::grow):
(JSC::Wasm::Memory::registerInstance):
* wasm/WasmMemory.h:
(JSC::Wasm::Memory::indexingMask):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::evaluate):
2018-02-23 Saam Barati <sbarati@apple.com>
ArgumentsEliminationPhase has a branch on GetByOffset that should be an assert
https://bugs.webkit.org/show_bug.cgi?id=182982
Reviewed by Yusuke Suzuki.
I don't know why this check was not always an assert. When we see
a GetByOffset on an eliminated allocation, that allocation *must*
be a PhantomClonedArguments. If it weren't, the GetByOffset would
have escaped it. Because this transformation happens by visiting
blocks in pre-order, and by visiting nodes in a block starting from
index zero to index block->size() - 1, we're guaranteed that eliminated
allocations get transformed before users of it, since we visit nodes
in dominator order.
* dfg/DFGArgumentsEliminationPhase.cpp:
2018-02-23 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Implement $vm.ftlTrue function for FTL testing
https://bugs.webkit.org/show_bug.cgi?id=183071
Reviewed by Mark Lam.
Add $vm.ftlTrue, which becomes true if the caller is compiled in FTL.
This is useful for testing whether the caller function is compiled in FTL.
We also remove duplicate DFGTrue function in jsc.cpp. We have $vm.dfgTrue.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionFalse1):
(functionFalse2): Deleted.
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* tools/JSDollarVM.cpp:
(JSC::functionFTLTrue):
(JSC::JSDollarVM::finishCreation):
2018-02-22 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=182792
Reviewed by Mark Lam.
This patch adds HasIndexedProperty for ArrayStorage and SlowPutArrayStorage in FTL.
HasIndexedProperty with ArrayStorage frequently causes FTL compilation failures
in web-tooling-benchmarks.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2018-02-22 Mark Lam <mark.lam@apple.com>
Refactor MacroAssembler code to improve reuse and extensibility.
https://bugs.webkit.org/show_bug.cgi?id=183054
<rdar://problem/37797337>
Reviewed by Saam Barati.
* assembler/ARM64Assembler.h:
* assembler/MacroAssembler.cpp:
* assembler/MacroAssembler.h:
* assembler/MacroAssemblerARM.h:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::canCompact):
(JSC::MacroAssemblerARM64::computeJumpType):
(JSC::MacroAssemblerARM64::jumpSizeDelta):
(JSC::MacroAssemblerARM64::link):
(JSC::MacroAssemblerARM64::load64):
(JSC::MacroAssemblerARM64::load64WithAddressOffsetPatch):
(JSC::MacroAssemblerARM64::load32):
(JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
(JSC::MacroAssemblerARM64::load16):
(JSC::MacroAssemblerARM64::load16SignedExtendTo32):
(JSC::MacroAssemblerARM64::load8):
(JSC::MacroAssemblerARM64::load8SignedExtendTo32):
(JSC::MacroAssemblerARM64::store64):
(JSC::MacroAssemblerARM64::store64WithAddressOffsetPatch):
(JSC::MacroAssemblerARM64::store32):
(JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):
(JSC::MacroAssemblerARM64::store16):
(JSC::MacroAssemblerARM64::store8):
(JSC::MacroAssemblerARM64::getEffectiveAddress):
(JSC::MacroAssemblerARM64::branchDoubleNonZero):
(JSC::MacroAssemblerARM64::branchDoubleZeroOrNaN):
(JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
(JSC::MacroAssemblerARM64::loadDouble):
(JSC::MacroAssemblerARM64::loadFloat):
(JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
(JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
(JSC::MacroAssemblerARM64::storeDouble):
(JSC::MacroAssemblerARM64::storeFloat):
(JSC::MacroAssemblerARM64::call):
(JSC::MacroAssemblerARM64::jump):
(JSC::MacroAssemblerARM64::tailRecursiveCall):
(JSC::MacroAssemblerARM64::setCarry):
(JSC::MacroAssemblerARM64::reemitInitialMoveWithPatch):
(JSC::MacroAssemblerARM64::isBreakpoint):
(JSC::MacroAssemblerARM64::invert):
(JSC::MacroAssemblerARM64::readCallTarget):
(JSC::MacroAssemblerARM64::replaceWithVMHalt):
(JSC::MacroAssemblerARM64::replaceWithJump):
(JSC::MacroAssemblerARM64::maxJumpReplacementSize):
(JSC::MacroAssemblerARM64::patchableJumpSize):
(JSC::MacroAssemblerARM64::repatchCall):
(JSC::MacroAssemblerARM64::makeBranch):
(JSC::MacroAssemblerARM64::makeCompareAndBranch):
(JSC::MacroAssemblerARM64::makeTestBitAndBranch):
(JSC::MacroAssemblerARM64::ARM64Condition):
(JSC::MacroAssemblerARM64::moveWithFixedWidth):
(JSC::MacroAssemblerARM64::load):
(JSC::MacroAssemblerARM64::store):
(JSC::MacroAssemblerARM64::tryLoadWithOffset):
(JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
(JSC::MacroAssemblerARM64::tryStoreWithOffset):
(JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
(JSC::MacroAssemblerARM64::linkCall):
* assembler/MacroAssemblerARMv7.h:
* assembler/MacroAssemblerMIPS.h:
* assembler/MacroAssemblerX86Common.h:
* assembler/ProbeStack.h:
- Removed a forward declaration of an obsolete class.
2018-02-22 Yusuke Suzuki <utatane.tea@gmail.com>
Remove sleep(double) and sleepMS(double) interfaces
https://bugs.webkit.org/show_bug.cgi?id=183038
Reviewed by Mark Lam.
* bytecode/SuperSampler.cpp:
(JSC::initializeSuperSampler):
2018-02-21 Don Olmstead <don.olmstead@sony.com>
[CMake] Split declaration of JSC headers into public and private
https://bugs.webkit.org/show_bug.cgi?id=182980
Reviewed by Michael Catanzaro.
* CMakeLists.txt:
* PlatformGTK.cmake:
* PlatformMac.cmake:
* PlatformWPE.cmake:
* PlatformWin.cmake:
2018-02-20 Saam Barati <sbarati@apple.com>
DFG::VarargsForwardingPhase should eliminate getting argument length
https://bugs.webkit.org/show_bug.cgi?id=182959
Reviewed by Keith Miller.
This patch teaches the DFG VarargsForwardingPhase to not treat
length accesses on Cloned/Direct Arguments objects as escapes.
It teaches this phase to materialize the length in the same
way the ArgumentsEliminationPhase does.
This is around a 0.5-1% speedup on ARES6 on my iMac. It speeds
up the ML subtest by 2-4%.
This patch also extends compileGetArgumentCountIncludingThis to take
a parameter that is the inline call frame to load from (in the case
where the inline call frame is a varargs frame). This allows the
the emitCodeToGetArgumentsArrayLength helper function to just emit
a GetArgumentCountIncludingThis node instead of a GetLocal. If we
emitted a GetLocal, we'd need to rerun CPS rethreading.
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getArgumentCount):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGNode.h:
(JSC::DFG::Node::argumentsInlineCallFrame):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis):
* dfg/DFGVarargsForwardingPhase.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis):
2018-02-14 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Support ArrayPush for ArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=182782
Reviewed by Saam Barati.
This patch adds support for ArrayPush(ArrayStorage). We just port ArrayPush(ArrayStorage) in DFG to FTL.
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
2018-02-14 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Support ArrayPop for ArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=182783
Reviewed by Saam Barati.
This patch adds ArrayPop(ArrayStorage) support to FTL. We port the implementation in DFG to FTL.
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
2018-02-14 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=182731
Reviewed by Saam Barati.
This patch adds support for Arrayify(ArrayStorage/SlowPutArrayStorage) to FTL.
Due to ArrayifyToStructure and CheckArray changes, necessary changes for
supporting Arrayify in FTL are already done. Just allowing it in FTLCapabilities.cpp
is enough.
We fix FTL's CheckArray logic. Previously, CheckArray(SlowPutArrayStorage) does not pass
ArrayStorage in FTL. But now it passes this as DFG does. Moreover, we fix DFG's CheckArray
where CheckArray(ArrayStorage+NonArray) can pass ArrayStorage+Array.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
* dfg/DFGSpeculativeJIT.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
2018-02-19 Saam Barati <sbarati@apple.com>
Don't use JSFunction's allocation profile when getting the prototype can be effectful
https://bugs.webkit.org/show_bug.cgi?id=182942
<rdar://problem/37584764>
Reviewed by Mark Lam.
Prior to this patch, the create_this implementation assumed that anything
that is a JSFunction can use the object allocation profile and go down the
fast path to allocate the |this| object. Implied by this approach is that
accessing the 'prototype' property of the incoming function is not an
effectful operation. This is inherent to the ObjectAllocationProfile
data structure: it caches the prototype field. However, getting the
'prototype' property might be an effectful operation, e.g, it could
be a getter. Many variants of functions in JS have the 'prototype' property
as non-configurable. However, some functions, like bound functions, do not
have the 'prototype' field with these attributes.
This patch adds the notion of 'canUseAllocationProfile' to JSFunction
and threads it through so that we only go down the fast path and use
the allocation profile when the prototype property is non-configurable.
* bytecompiler/NodesCodegen.cpp:
(JSC::ClassExprNode::emitBytecode):
* dfg/DFGOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSFunction.cpp:
(JSC::JSFunction::prototypeForConstruction):
(JSC::JSFunction::allocateAndInitializeRareData):
(JSC::JSFunction::initializeRareData):
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::canUseAllocationProfileNonInline):
* runtime/JSFunction.h:
(JSC::JSFunction::ensureRareDataAndAllocationProfile):
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::canUseAllocationProfile):
2018-02-19 Saam Barati <sbarati@apple.com>
Don't mark an array profile out of bounds for the cases where the DFG will convert the access to SaneChain
https://bugs.webkit.org/show_bug.cgi?id=182912
<rdar://problem/37685083>
Reviewed by Keith Miller.
In the baseline JIT and LLInt, when we loading a hole from an original array,
with the array prototype chain being normal, we end up marking the ArrayProfile
for that GetByVal as out of bounds. However, the DFG knows exactly how to
optimize this case by returning undefined when loading from a hole. Currently,
it only does this for Contiguous arrays (and sometimes Double arrays).
This patch just makes sure to not mark the ArrayProfile as out of bounds
in this scenario for Contiguous arrays, since the DFG will always optimize
this case.
However, we should extend this by profiling when a GetByVal loads a hole. By
doing so, we can optimize this for Int32, ArrayStorage, and maybe even Double
arrays. That work will happen in:
https://bugs.webkit.org/show_bug.cgi?id=182940
This patch is a 30-50% speedup on JetStream's hash-map test. This patch
speeds up JetStream by 1% when testing on my iMac.
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* jit/JITOperations.cpp:
(JSC::getByVal):
(JSC::canAccessArgumentIndexQuickly): Deleted.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getByVal):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
2018-02-17 Filip Pizlo <fpizlo@apple.com>
GetArrayMask should support constant folding
https://bugs.webkit.org/show_bug.cgi?id=182907
Reviewed by Saam Barati.
Implement constant folding for GetArrayMask. This revealed a bug in tryGetFoldableView, where it was
ignoring the result of a jsDynamicCast<>(). This wasn't a bug before because it would have been
impossible for that function to get called with a non-null value if the value was not an array view,
due to type filtering in CheckArray, the fact that CheckArray had to dominate GetArrayLength, and
the fact that the other tryGetFoldableView overload made sure that the array mode was some typed
array.
This isn't a measurable progression, but it does save a register in the codegen for typed array
accesses. Hopefully these improvements add up.
* assembler/AssemblerBuffer.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetFoldableView):
2018-02-18 Dominik Inführ <dominik.infuehr@gmail.com>
Offlineasm/MIPS: immediates need to be within 16-bit signed values
https://bugs.webkit.org/show_bug.cgi?id=182890
Reviewed by Michael Catanzaro.
In Sequence.getModifiedListMIPS(), we allow immediate values within
the range -0xffff..0xffff for immediates (addresses and other
immediates), but then in Immediate.mipsOperand() and
Address.mipsOperand() we raise if immediate values are not within
-0x7fff..0x7fff. This is inconsistent, and broke compilation on mips
since r228552 made the VM structure bigger meaning we address values
with bigger offsets in llint. This change restricts the allowed range,
so that a separate load of the value is done for values outside of
that range.
* offlineasm/mips.rb:
2018-02-17 Darin Adler <darin@apple.com>
Web Inspector: get rid of remaining uses of OptOutput<T>
https://bugs.webkit.org/show_bug.cgi?id=180607
Reviewed by Brian Burg.
* inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/AsyncStackTrace.h: Ditto.
* inspector/ConsoleMessage.cpp: Ditto.
* inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
(Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
Vector instead of a unique_ptr<Vector>.
(Inspector::ContentSearchUtilities::lineEndings): Ditto.
(Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
(Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
a Vector for a fixed size array; also got rid of reinterpret_cast.
(Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
expression here since it's the only place it was used.
* inspector/ContentSearchUtilities.h: Cut down on unneeded includes.
* inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
Removed base template for BindingTraits; we only need the specializations.
* inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/ScriptCallFrame.h: Ditto.
* inspector/ScriptCallStack.cpp: Ditto.
* inspector/ScriptCallStack.h: Ditto.
* inspector/agents/InspectorConsoleAgent.cpp: Ditto.
* inspector/agents/InspectorConsoleAgent.h: Ditto.
* inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& intead of
OptOutput* for out arguments.
* inspector/agents/InspectorDebuggerAgent.h: Ditto.
* inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorHeapAgent::getPreview): Use std::optional& intead of OptOutput*
for out arguments.
* inspector/agents/InspectorHeapAgent.h: Ditto.
* inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorRuntimeAgent::parse): Use std::optional& intead of OptOutput*
for out arguments.
(Inspector::InspectorRuntimeAgent::evaluate): Ditto.
(Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
(Inspector::InspectorRuntimeAgent::saveResult): Ditto.
* inspector/agents/InspectorRuntimeAgent.h: Ditto.
* inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
and removed some bogus const.
* inspector/agents/InspectorScriptProfilerAgent.h: Ditto.
* inspector/scripts/codegen/cpp_generator.py:
(CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
(CppGenerator.cpp_type_for_type_with_name): Ditto.
(CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
Inspector::Protocol::OptOutput*.
(CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
(CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
(CppGenerator.cpp_type_for_stack_out_parameter): Ditto.
* inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
conditional around assertion code which will now compile to nothing if ASSERT is disabled.
Build strings more simply in a few cases.
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
replace OptOutput here.
(CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
Pass by reference instead of pointer now.
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
if ASSERT is disabled.
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
(CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.
* inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
(ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
more simply.
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
Rebaselined.
2018-02-16 Matt Lewis <jlewis3@apple.com>
Unreviewed, rolling out r228318.
The patch that this attempted to fix was rolled out already.
Reverted changeset:
"Fix build on ARMv7 traditional JSCOnly bot after r228306"
https://bugs.webkit.org/show_bug.cgi?id=182563
https://trac.webkit.org/changeset/228318
2018-02-16 Filip Pizlo <fpizlo@apple.com>
Unreviewed, roll out r228306 (custom memcpy/memset) because the bots say that it was not a
progression.
* assembler/AssemblerBuffer.h:
(JSC::AssemblerBuffer::append):
* heap/LargeAllocation.cpp:
(JSC::LargeAllocation::tryCreate):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToDirectory):
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBufferContents::tryAllocate):
(JSC::ArrayBufferContents::copyTo):
(JSC::ArrayBuffer::createInternal):
* runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::zeroRangeImpl):
* runtime/ArrayConventions.cpp:
(JSC::clearArrayMemset):
* runtime/ArrayConventions.h:
(JSC::clearArray):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoPrivateFuncConcatMemcpy):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::createOrGrowPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::resizeArray):
* runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::create):
* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::fastSlice):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::set):
* runtime/JSObject.cpp:
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::PropertyTable):
2018-02-16 Saam Barati <sbarati@apple.com>
Fix bugs from r228411
https://bugs.webkit.org/show_bug.cgi?id=182851
<rdar://problem/37577732>
Reviewed by JF Bastien.
There was a bug from r228411 where inside the constant folding phase,
we used an insertCheck method that didn't handle varargs. This would
lead to a crash. When thinking about the fix for that function, I realized
a made a couple of mistakes in r228411. One is probably a security bug, and
the other is a performance bug because it'll prevent CSE for certain flavors
of GetByVal nodes. Both blunders are similar in nature.
In r228411, I added code in LICM that inserted a CheckVarargs node with children
of another varargs node. However, to construct this new node's children,
I just copied the AdjacencyList. This does a shallow copy. What we needed
was a deep copy. We needed to create a new vararg AdjacencyList that points
to edges that are deep copies of the original varargs children. This patch
fixes this goof in LICM.
r228411 made it so that PureValue over a varargs node would just compare actual
AdjacencyLists structs. So, if you had two GetByVals that had equal santized
children, their actual AdjacencyList structs are *not* bitwise equal, since they'll
have different firstChild values. Instead, we need to do a deep compare of their
adjacency lists. This patch teaches PureValue how to do that.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::copyVarargChildren):
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::insertCheck):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGPureValue.cpp:
(JSC::DFG::PureValue::dump const):
* dfg/DFGPureValue.h:
(JSC::DFG::PureValue::PureValue):
(JSC::DFG::PureValue::op const):
(JSC::DFG::PureValue::hash const):
(JSC::DFG::PureValue::operator== const):
(JSC::DFG::PureValue::isVarargs const):
(JSC::DFG::PureValue::children const): Deleted.
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
(JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
2018-02-16 Matt Lewis <jlewis3@apple.com>
Unreviewed, rolling out r228546.
This caused a consistent crash on all macOS WK2 platforms.
Reverted changeset:
"Web Inspector: get rid of remaining uses of OptOutput<T>"
https://bugs.webkit.org/show_bug.cgi?id=180607
https://trac.webkit.org/changeset/228546
2018-02-16 Fujii Hironori <Hironori.Fujii@sony.com>
fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK
https://bugs.webkit.org/show_bug.cgi?id=172952
Reviewed by Michael Catanzaro.
Null dereference of VM::topCallFrame happens in
Inspector::createScriptCallStackForConsole if the ExecState has no
call frames.
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack): Do null check of topCallFrame.
(Inspector::createScriptCallStackForConsole): Ditto.
2018-02-15 Filip Pizlo <fpizlo@apple.com>
Objects that contain dangerous things should be allocated far away from objects that can do OOB
https://bugs.webkit.org/show_bug.cgi?id=182843
Reviewed by Saam Barati.
To complete our object distancing plan, we need to put objects that can contain unpoisoned data
far away from objects that cannot. Objects referenceable from JSValues cannot contain
unpoisoned data, but auxiliary data can. This further divides auxiliary data that is meant for
storing mostly JSValues from data that is meant for storing anything.
This is achieved by having three SecurityKinds that are used for MarkedBlock selection and
zeroing sort of the same way SecurityOriginToken already was.
This change shouldn't make anything slower. If anything, it will be a small speed-up because it
removes some cases of MarkedBlock zeroing since we don't need to zero blocks used for two of
the SecurityKinds.
* Sources.txt:
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::addBlock):
* heap/BlockDirectory.h:
* heap/CellAttributes.cpp:
(JSC::CellAttributes::dump const):
* heap/CellAttributes.h:
(JSC::CellAttributes::CellAttributes):
* heap/LocalAllocator.cpp:
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToDirectory):
(JSC::MarkedBlock::Handle::associateWithOrigin): Deleted.
* heap/MarkedBlock.h:
* heap/SecurityKind.cpp: Added.
(WTF::printInternal):
* heap/SecurityKind.h: Added.
* runtime/JSCellInlines.h:
(JSC::JSCell::subspaceFor):
* runtime/JSDestructibleObjectHeapCellType.cpp:
(JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
* runtime/JSObject.h:
(JSC::JSObject::subspaceFor):
* runtime/JSSegmentedVariableObjectHeapCellType.cpp:
(JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
* runtime/JSStringHeapCellType.cpp:
(JSC::JSStringHeapCellType::JSStringHeapCellType):
* runtime/Symbol.h:
(JSC::Symbol::subspaceFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
(JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
2018-02-15 Darin Adler <darin@apple.com>
Web Inspector: get rid of remaining uses of OptOutput<T>
https://bugs.webkit.org/show_bug.cgi?id=180607
Reviewed by Brian Burg.
* inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/AsyncStackTrace.h: Ditto.
* inspector/ConsoleMessage.cpp: Ditto.
* inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
(Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
Vector instead of a unique_ptr<Vector>.
(Inspector::ContentSearchUtilities::lineEndings): Ditto.
(Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
(Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
a Vector for a fixed size array; also got rid of reinterpret_cast.
(Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
expression here since it's the only place it was used.
* inspector/ContentSearchUtilities.h: Cut down on unneeded includes.
* inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
Removed base template for BindingTraits; we only need the specializations.
* inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/ScriptCallFrame.h: Ditto.
* inspector/ScriptCallStack.cpp: Ditto.
* inspector/ScriptCallStack.h: Ditto.
* inspector/agents/InspectorConsoleAgent.cpp: Ditto.
* inspector/agents/InspectorConsoleAgent.h: Ditto.
* inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& intead of
OptOutput* for out arguments.
* inspector/agents/InspectorDebuggerAgent.h: Ditto.
* inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorHeapAgent::getPreview): Use std::optional& intead of OptOutput*
for out arguments.
* inspector/agents/InspectorHeapAgent.h: Ditto.
* inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorRuntimeAgent::parse): Use std::optional& intead of OptOutput*
for out arguments.
(Inspector::InspectorRuntimeAgent::evaluate): Ditto.
(Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
(Inspector::InspectorRuntimeAgent::saveResult): Ditto.
* inspector/agents/InspectorRuntimeAgent.h: Ditto.
* inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
and removed some bogus const.
* inspector/agents/InspectorScriptProfilerAgent.h: Ditto.
* inspector/scripts/codegen/cpp_generator.py:
(CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
(CppGenerator.cpp_type_for_type_with_name): Ditto.
(CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
Inspector::Protocol::OptOutput*.
(CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
(CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
(CppGenerator.cpp_type_for_stack_out_parameter): Ditto.
* inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
conditional around assertion code which will now compile to nothing if ASSERT is disabled.
Build strings more simply in a few cases.
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
replace OptOutput here.
(CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
Pass by reference instead of pointer now.
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
if ASSERT is disabled.
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
(CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.
* inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
(ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
more simply.
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
Rebaselined.
2018-02-15 Filip Pizlo <fpizlo@apple.com>
Unreviewed, roll out r228366 since it did not progress anything.
* heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::visitChildren):
(JSC::ErrorInstance::finalizeUnconditionally): Deleted.
* runtime/ErrorInstance.h:
(JSC::ErrorInstance::stackTrace):
(JSC::ErrorInstance::subspaceFor): Deleted.
* runtime/Exception.cpp:
(JSC::Exception::visitChildren):
(JSC::Exception::finalizeUnconditionally): Deleted.
* runtime/Exception.h:
* runtime/StackFrame.cpp:
(JSC::StackFrame::visitChildren):
(JSC::StackFrame::isFinalizationCandidate): Deleted.
(JSC::StackFrame::finalizeUnconditionally): Deleted.
* runtime/StackFrame.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-02-15 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove monotonicallyIncreasingTime and currentTime
https://bugs.webkit.org/show_bug.cgi?id=182793
Reviewed by Saam Barati.
We would like to drop monotonicallyIncreasingTime and currentTime from our tree by
replacing them with MonotonicTime and WallTime, which are well-typed alternatives,
compared to double.
This patch removes monotonicallyIncreasingTime and currentTime in JSC.
* b3/testb3.cpp:
(JSC::B3::testComplex):
* dfg/DFGPhase.h:
(JSC::DFG::runAndLog):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThread):
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPlan.h:
* dynbench.cpp:
(JSC::benchmarkImpl):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::isPagedOut):
* heap/BlockDirectory.h:
* heap/FullGCActivityCallback.cpp:
(JSC::FullGCActivityCallback::doCollection):
* heap/Heap.cpp:
(JSC::Heap::isPagedOut):
(JSC::Heap::sweepSynchronously):
* heap/Heap.h:
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::isPagedOut):
* heap/MarkedSpace.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::startTiming):
(Inspector::InspectorConsoleAgent::stopTiming):
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::compileTimeStats):
* jit/JIT.h:
* jsc.cpp:
(StopWatch::start):
(StopWatch::stop):
(StopWatch::getElapsedMS):
(functionPreciseTime):
(runJSC):
* profiler/ProfilerDatabase.cpp:
(JSC::Profiler::Database::logEvent):
* profiler/ProfilerEvent.cpp:
(JSC::Profiler::Event::toJS const):
* profiler/ProfilerEvent.h:
(JSC::Profiler::Event::Event):
(JSC::Profiler::Event::time const):
* runtime/CodeCache.cpp:
(JSC::CodeCacheMap::pruneSlowCase):
* runtime/CodeCache.h:
(JSC::CodeCacheMap::CodeCacheMap):
(JSC::CodeCacheMap::prune):
* runtime/DateConstructor.cpp:
(JSC::callDate):
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::processLogEntries):
* testRegExp.cpp:
(StopWatch::start):
(StopWatch::stop):
(StopWatch::getElapsedMS):
2018-02-14 Keith Miller <keith_miller@apple.com>
We should be able to jsDynamicCast from JSType when possible
https://bugs.webkit.org/show_bug.cgi?id=182804
Reviewed by Filip Pizlo and Mark Lam.
This patch beefs up jsDynamicCast in some of the cases where we
can use the JSType to quickly determine if a cell is a subclass of
the desired type. Since all JSCells have a range of JSTypes they support,
if there is a range exclusive to a class and all subclasses we can use
that range to quickly determine if the cast should be successful.
Additionally, the JSValue versions of jsCast and jsDynamicCast now
call the JSCell version after checking the value is a cell.
Finally, the casting functions have been moved to a new header,
JSCast.h
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CallVariant.h:
* bytecode/CodeBlock.h:
* bytecode/ExecutableToCodeBlockEdge.h:
* bytecode/TrackedReferences.h:
* bytecode/UnlinkedCodeBlock.h:
* bytecode/UnlinkedFunctionExecutable.h:
* dfg/DFGAbstractValue.h:
* dfg/DFGCommonData.h:
* dfg/DFGFrozenValue.h:
* dfg/DFGStructureAbstractValue.h:
* heap/CellContainerInlines.h:
* heap/ConservativeRoots.cpp:
* heap/GCLogging.cpp:
* heap/HeapInlines.h:
* heap/HeapSnapshotBuilder.cpp:
* heap/MarkedBlock.cpp:
* heap/MarkedBlockInlines.h:
* heap/SubspaceInlines.h:
* heap/WeakInlines.h:
* jit/JITOpcodes.cpp:
* jit/JITOpcodes32_64.cpp:
* llint/LLIntOffsetsExtractor.cpp:
* runtime/ArrayBufferNeuteringWatchpoint.h:
* runtime/BigIntPrototype.cpp:
* runtime/ClassInfo.h:
* runtime/CustomGetterSetter.h:
* runtime/FunctionRareData.h:
* runtime/GetterSetter.h:
* runtime/InferredType.h:
* runtime/InferredTypeTable.h:
* runtime/InferredValue.h:
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::finishCreation):
* runtime/JSAPIValueWrapper.h:
* runtime/JSArray.h:
(JSC::JSArray::finishCreation):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::finishCreation):
* runtime/JSCast.h: Added.
(JSC::jsCast):
(JSC::JSCastingHelpers::jsDynamicCastGenericImpl):
(JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl):
(JSC::JSCastingHelpers::JSDynamicCastTraits::cast):
(JSC::jsDynamicCast):
* runtime/JSCell.cpp:
* runtime/JSCell.h:
(JSC::jsCast): Deleted.
(JSC::jsDynamicCast): Deleted.
* runtime/JSCellInlines.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::finishCreation):
* runtime/JSJob.h:
* runtime/JSObject.h:
(JSC::JSObject::finishCreation):
* runtime/JSPromiseDeferred.h:
* runtime/JSPropertyNameEnumerator.h:
* runtime/NativeStdFunctionCell.h:
* runtime/ScopedArgumentsTable.h:
* runtime/SparseArrayValueMap.h:
* runtime/Structure.h:
* runtime/StructureChain.h:
* runtime/StructureRareData.h:
* tools/CellProfile.h:
* wasm/js/JSWebAssemblyCodeBlock.h:
2018-02-14 Michael Saboff <msaboff@apple.com>
Crash: triggerOMGTierUpThunkGenerator() doesn't align the stack pointer before calling C++ code
https://bugs.webkit.org/show_bug.cgi?id=182808
Reviewed by Keith Miller.
Set up a proper frame with a prologue and epilogue to align the stack pointer for the rest of the
thunk.
* wasm/WasmThunks.cpp:
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
2018-02-14 Saam Barati <sbarati@apple.com>
Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
https://bugs.webkit.org/show_bug.cgi?id=182801
Reviewed by Keith Miller.
VMTraps would sometimes install traps when it paused the JS thread when it
was in C code. This is wrong, as installing traps mallocs, and the JS thread
may have been holding the malloc lock while in C code. This could lead to a
deadlock when C code was holding the malloc lock.
This patch makes it so that we only install traps when we've proven the PC
is in JIT or LLInt code. If we're in JIT/LLInt code, we are guaranteed that
we're not holding the malloc lock.
* jsc.cpp:
(GlobalObject::finishCreation):
(functionMallocInALoop):
* runtime/VMTraps.cpp:
(JSC::VMTraps::tryInstallTrapBreakpoints):
2018-02-14 Michael Saboff <msaboff@apple.com>
REGRESSION(225695) : com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::RegExp::match + 630 :: stack overflow
https://bugs.webkit.org/show_bug.cgi?id=182705
Reviewed by Mark Lam.
Moved the pattern context buffer used by YARR JIT'ed code from a stack local to a lazily allocated
buffer on the VM. Exposed when the buffer is needed to reduce likelihood that we'd allocated it.
Guarded use of the buffer with a lock since the DFG compiler may call into YARR JIT'ed code on a
compilation thread.
* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):
* runtime/VM.cpp:
(JSC::VM::~VM):
(JSC::VM::acquireRegExpPatternContexBuffer):
(JSC::VM::releaseRegExpPatternContexBuffer):
* runtime/VM.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generate):
(JSC::Yarr::YarrGenerator::backtrack):
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::YarrGenerator::compile):
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::usesPatternContextBuffer):
(JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer):
2018-02-13 Saam Barati <sbarati@apple.com>
putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
https://bugs.webkit.org/show_bug.cgi?id=182755
<rdar://problem/37080864>
Reviewed by Keith Miller.
putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted
the object in question to a dictionary indexing mode when the index is less than
the vector length. This makes no sense. If we're defining a getter, setter, or read
only property, we must always enter the dictionary indexing mode irrespective
of the index in relation to the vector length.
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2018-02-13 Saam Barati <sbarati@apple.com>
Follup fix to r228411 for 32-bit builds. I missed a place where we used non vararg getter for child2().
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2018-02-13 Guillaume Emont <guijemont@igalia.com>
[YarrJIT][ARM] We need to save r8 as it is the initial start register
https://bugs.webkit.org/show_bug.cgi?id=182157
Reviewed by Saam Barati.
Register r8 is the initial start register since r224172, so we need to
save it. We still need to save r6 as well even though it is not the
initial start register any more, since it is used by the
MacroAssembler which we use (we get crashes in some situations if we
don't save r6). This issue was discovered because
stress/regress-174044.js crashes on a raspberry pi 2 when compiled in
-O2.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
2018-02-13 Caitlin Potter <caitp@igalia.com>
[JSC] cache TaggedTemplate arrays by callsite rather than by contents
https://bugs.webkit.org/show_bug.cgi?id=182717
Reviewed by Yusuke Suzuki.
https://github.com/tc39/ecma262/pull/890 imposes a change to template
literals, to allow template callsite arrays to be collected when the
code containing the tagged template call is collected. This spec change
has received concensus and been ratified.
This change eliminates the eternal map associating template contents
with arrays.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantRegisters):
* bytecode/DirectEvalCodeCache.cpp:
(JSC::DirectEvalCodeCache::setSlow):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addTemplateObjectConstant):
(JSC::BytecodeGenerator::emitGetTemplateObject):
(JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
* bytecompiler/BytecodeGenerator.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseMemberExpression):
* parser/Parser.h:
* parser/ParserModes.h:
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::allowDirectEvalCache const):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::templateRegistry): Deleted.
* runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
(JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
(JSC::JSTemplateObjectDescriptor::create):
(JSC::JSTemplateObjectDescriptor::destroy):
(JSC::JSTemplateObjectDescriptor::createTemplateObject):
* runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
(JSC::isTemplateObjectDescriptor):
* runtime/JSTemplateRegistryKey.cpp: Removed.
* runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
(JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
* runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
(JSC::TemplateObjectDescriptor::operator== const):
(JSC::TemplateObjectDescriptor::operator!= const):
(JSC::TemplateObjectDescriptor::Hasher::hash):
(JSC::TemplateObjectDescriptor::Hasher::equal):
(JSC::TemplateObjectDescriptor::create):
(JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
(JSC::TemplateObjectDescriptor::calculateHash):
* runtime/TemplateRegistry.h: Removed.
* runtime/TemplateRegistryKeyTable.cpp: Removed.
* runtime/TemplateRegistryKeyTable.h: Removed.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::templateRegistryKeyTable): Deleted.
* runtime/VMEntryScope.cpp:
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantRegisters):
* bytecode/DirectEvalCodeCache.cpp:
(JSC::DirectEvalCodeCache::setSlow):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addTemplateObjectConstant):
(JSC::BytecodeGenerator::emitGetTemplateObject):
(JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
* bytecompiler/BytecodeGenerator.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseMemberExpression):
* parser/Parser.h:
* parser/ParserModes.h:
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::allowDirectEvalCache const):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::templateRegistry): Deleted.
* runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
(JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
(JSC::JSTemplateObjectDescriptor::create):
(JSC::JSTemplateObjectDescriptor::destroy):
(JSC::JSTemplateObjectDescriptor::createTemplateObject):
* runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
(JSC::isTemplateObjectDescriptor):
* runtime/JSTemplateRegistryKey.cpp: Removed.
* runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
(JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
* runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
(JSC::TemplateObjectDescriptor::operator== const):
(JSC::TemplateObjectDescriptor::operator!= const):
(JSC::TemplateObjectDescriptor::Hasher::hash):
(JSC::TemplateObjectDescriptor::Hasher::equal):
(JSC::TemplateObjectDescriptor::create):
(JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
(JSC::TemplateObjectDescriptor::calculateHash):
* runtime/TemplateRegistry.h: Removed.
* runtime/TemplateRegistryKeyTable.cpp: Removed.
* runtime/TemplateRegistryKeyTable.h: Removed.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::templateRegistryKeyTable): Deleted.
* runtime/VMEntryScope.cpp:
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantRegisters):
* bytecode/DirectEvalCodeCache.cpp:
(JSC::DirectEvalCodeCache::setSlow):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addTemplateObjectConstant):
(JSC::BytecodeGenerator::emitGetTemplateObject):
(JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
* bytecompiler/BytecodeGenerator.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseMemberExpression):
* parser/Parser.h:
* parser/ParserModes.h:
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::allowDirectEvalCache const):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::templateRegistry): Deleted.
* runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
(JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
(JSC::JSTemplateObjectDescriptor::create):
(JSC::JSTemplateObjectDescriptor::destroy):
(JSC::JSTemplateObjectDescriptor::createTemplateObject):
* runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
(JSC::isTemplateObjectDescriptor):
* runtime/JSTemplateRegistryKey.cpp: Removed.
* runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
(JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
* runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
(JSC::TemplateObjectDescriptor::operator== const):
(JSC::TemplateObjectDescriptor::operator!= const):
(JSC::TemplateObjectDescriptor::Hasher::hash):
(JSC::TemplateObjectDescriptor::Hasher::equal):
(JSC::TemplateObjectDescriptor::create):
(JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
(JSC::TemplateObjectDescriptor::calculateHash):
* runtime/TemplateRegistry.h: Removed.
* runtime/TemplateRegistryKeyTable.cpp: Removed.
* runtime/TemplateRegistryKeyTable.h: Removed.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::templateRegistryKeyTable): Deleted.
* runtime/VMEntryScope.cpp:
2018-02-13 Yusuke Suzuki <utatane.tea@gmail.com>
Support GetArrayLength on ArrayStorage in the FTL
https://bugs.webkit.org/show_bug.cgi?id=182625
Reviewed by Saam Barati.
This patch adds GetArrayLength and CheckArray + ArrayStorage & SlowPutArrayStorage support for FTL.
The implementation is trivial; just porting one in DFG to FTL.
This fixes several FTL compilation failures in web-tooling-benchmarks while we still need to support
ArrayPush, ArrayPop, Arrayify, and PutByVal.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
(JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForCheckArray):
2018-02-10 Filip Pizlo <fpizlo@apple.com>
Lock down JSFunction
https://bugs.webkit.org/show_bug.cgi?id=182652
Reviewed by Saam Barati.
This poisons pointers in JSFunction and puts all of the types in the JSFunction hierarchy in
isospaces.
This is so neutral on JetStream: 0.01% slower with p = 0.969211.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileNewFunction):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
(JSC::FTL::DFG::LowerDFGToB3::weakPointer):
(JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer):
* ftl/FTLOutput.h:
(JSC::FTL::Output::weakPointer):
(JSC::FTL::Output::weakPoisonedPointer):
* heap/MarkedSpace.cpp:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_create_this):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSAsyncFunction.h:
(JSC::JSAsyncFunction::subspaceFor):
* runtime/JSAsyncGeneratorFunction.h:
(JSC::JSAsyncGeneratorFunction::subspaceFor):
* runtime/JSBoundFunction.h:
(JSC::JSBoundFunction::subspaceFor):
* runtime/JSCPoison.h:
* runtime/JSCustomGetterSetterFunction.h:
(JSC::JSCustomGetterSetterFunction::subspaceFor):
* runtime/JSFunction.h:
(JSC::JSFunction::subspaceFor):
* runtime/JSGeneratorFunction.h:
(JSC::JSGeneratorFunction::subspaceFor):
* runtime/JSNativeStdFunction.h:
(JSC::JSNativeStdFunction::subspaceFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* wasm/js/WebAssemblyFunction.h:
* wasm/js/WebAssemblyWrapperFunction.h:
2018-02-12 Saam Barati <sbarati@apple.com>
Add a GetIndexMask node and make it an input to GetByVal for array and typed array accesses in DFG SSA
https://bugs.webkit.org/show_bug.cgi?id=182633
<rdar://problem/37441037>
Reviewed by Keith Miller.
This patch introduces a GetIndexMask node to DFG SSA. This is an input to
GetByVal for the GetByVal variants that do conservative index masking.
The reason I'm adding this node is I realized there were loads of
the butterfly index mask inside loops that B3 couldn't reason about
because B3 can't arbitrarily hoist loads out of loops if those loops
have side exits (because the side exit might be protecting the safety of the
load). However, for these loops I analyzed, the DFG would be able to hoist
these loads out of loops because it knows about JS semantics to correctly
reason about the safety of hoisting the load.
This is a 1% speedup on JetStream on Mac and iOS in my testing.
This patch also adds some infrastructure for eliminating and doing CSE on
varargs nodes. Because this patch makes GetByVal a varargs node, I ran into
issues we never had before. We never had a varargs node that could be CSEd or be
hoisted out of a loop until I made GetByVal varargs. To make it all work,
I added a CheckVarargs node. This is just like Check, but it's varargs.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAdjacencyList.h:
(JSC::DFG::AdjacencyList::AdjacencyList):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::replaceTerminal):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::findTerminal const):
* dfg/DFGBasicBlockInlines.h:
(JSC::DFG::BasicBlock::replaceTerminal):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::mergeBlocks):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
(JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
* dfg/DFGCSEPhase.cpp:
* dfg/DFGCleanUpPhase.cpp:
(JSC::DFG::CleanUpPhase::run):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::fixUpsilons):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
(JSC::DFG::DCEPhase::fixupBlock):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupChecksInBlock):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
* dfg/DFGIntegerRangeOptimizationPhase.cpp:
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.cpp:
(JSC::DFG::Node::remove):
(JSC::DFG::Node::convertToIdentityOn):
* dfg/DFGNode.h:
(JSC::DFG::Node::replaceWith):
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGPureValue.cpp:
(JSC::DFG::PureValue::dump const):
* dfg/DFGPureValue.h:
(JSC::DFG::PureValue::PureValue):
* dfg/DFGPutStackSinkingPhase.cpp:
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::handleNode):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStoreBarrierClusteringPhase.cpp:
* dfg/DFGValidate.cpp:
* dfg/DFGVarargsForwardingPhase.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
(JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
2018-02-12 Mark Lam <mark.lam@apple.com>
Miscellaneous refactoring of offlineasm.
https://bugs.webkit.org/show_bug.cgi?id=182702
<rdar://problem/37467887>
Reviewed by Filip Pizlo.
1. Refactor out the emission of $asm.comment, $asm.codeOrigin, $asm.annotation,
and $asm.debugAnnotation into a recordMetaData method. This standardizes how
we emit this metadata and makes all backends do it the same way.
2. Add the ability to include custom offlineasm scripts from WebKitAdditions in
the future.
* offlineasm/arm.rb:
* offlineasm/arm64.rb:
* offlineasm/ast.rb:
* offlineasm/backends.rb:
* offlineasm/cloop.rb:
* offlineasm/config.rb:
* offlineasm/mips.rb:
* offlineasm/risc.rb:
* offlineasm/x86.rb:
2018-02-12 Saam Barati <sbarati@apple.com>
DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
https://bugs.webkit.org/show_bug.cgi?id=182706
<rdar://problem/36833681>
Reviewed by Filip Pizlo.
When we added support for PhantomNewArrayBuffer, we forgot to update
the emitCodeToGetArgumentsArrayLength function to handle PhantomNewArrayBuffer.
This patch adds that support. It's trivial to generate the length for
a PhantomNewArrayBuffer node since it's a constant buffer, with a constant
length.
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
2018-02-12 Mark Lam <mark.lam@apple.com>
Add more support for pointer preparations.
https://bugs.webkit.org/show_bug.cgi?id=182703
<rdar://problem/37469451>
Reviewed by Saam Barati.
* llint/LLIntData.h:
(JSC::LLInt::getCodePtr):
* llint/LLIntPCRanges.h:
(JSC::LLInt::isLLIntPC):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2018-02-12 Mark Lam <mark.lam@apple.com>
Fix missing exception check in RegExpObject::matchGlobal().
https://bugs.webkit.org/show_bug.cgi?id=182701
<rdar://problem/37465865>
Reviewed by Michael Saboff.
This issue was discovered when running JSC tests on an asm LLInt build with
JSC_useJIT=false.
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::matchGlobal):
2018-02-11 Guillaume Emont <guijemont@igalia.com>
[MIPS] JSC needs to be built with -latomic
https://bugs.webkit.org/show_bug.cgi?id=182610
Reviewed by Žan Doberšek.
Since r228149, on MIPS we need to link with -latomic, because
__atomic_fetch_add_8 is not available as a compiler intrinsic.
* CMakeLists.txt:
2018-02-09 Filip Pizlo <fpizlo@apple.com>
Don't waste memory for error.stack
https://bugs.webkit.org/show_bug.cgi?id=182656
Reviewed by Saam Barati.
This makes the StackFrames in ErrorInstance and Exception weak. We simply forget their
contents if we GC.
This isn't going to happen under normal operation since your callees and code blocks will
still be alive when you ask for .stack.
Bug 182650 tracks improving this so that it's not lossy. For now, I think it's worth it,
since it is likely to recover 3-5 MB on membuster.
* heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::visitChildren):
(JSC::ErrorInstance::finalizeUnconditionally):
* runtime/ErrorInstance.h:
(JSC::ErrorInstance::subspaceFor):
* runtime/Exception.cpp:
(JSC::Exception::visitChildren):
(JSC::Exception::finalizeUnconditionally):
* runtime/Exception.h:
(JSC::Exception::valueOffset): Deleted.
(JSC::Exception::value const): Deleted.
(JSC::Exception::stack const): Deleted.
(JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
(JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
* runtime/StackFrame.cpp:
(JSC::StackFrame::isFinalizationCandidate):
(JSC::StackFrame::finalizeUnconditionally):
(JSC::StackFrame::visitChildren): Deleted.
* runtime/StackFrame.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-02-09 Carlos Alberto Lopez Perez <clopez@igalia.com>
Fix build on ARMv7 traditional JSCOnly bot after r228306
https://bugs.webkit.org/show_bug.cgi?id=182563
Unreviewed build fix.
* assembler/AssemblerBuffer.h:
2018-02-08 Filip Pizlo <fpizlo@apple.com>
Experiment with alternative implementation of memcpy/memset
https://bugs.webkit.org/show_bug.cgi?id=182563
Reviewed by Michael Saboff and Mark Lam.
This adopts new fastCopy/fastZeroFill calls for calls to memcpy/memset that do not take a
constant size argument.
* assembler/AssemblerBuffer.h:
(JSC::AssemblerBuffer::append):
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBufferContents::tryAllocate):
(JSC::ArrayBufferContents::copyTo):
(JSC::ArrayBuffer::createInternal):
* runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::zeroRangeImpl):
* runtime/ArrayConventions.cpp:
* runtime/ArrayConventions.h:
(JSC::clearArray):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoPrivateFuncConcatMemcpy):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::createOrGrowPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::resizeArray):
* runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::create):
* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::fastSlice):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::set):
* runtime/JSObject.cpp:
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::PropertyTable):
2018-02-08 Don Olmstead <don.olmstead@sony.com>
Remove JavaScriptCore/ForwardingHeaders directory
https://bugs.webkit.org/show_bug.cgi?id=182594
Reviewed by Mark Lam.
* CMakeLists.txt:
* ForwardingHeaders/JavaScriptCore/APICast.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSBase.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSContextRef.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSObjectRef.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSObjectRefPrivate.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSRetainPtr.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSStringRef.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSStringRefCF.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSTypedArray.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSValueRef.h: Removed.
* ForwardingHeaders/JavaScriptCore/JavaScript.h: Removed.
* ForwardingHeaders/JavaScriptCore/JavaScriptCore.h: Removed.
* ForwardingHeaders/JavaScriptCore/OpaqueJSString.h: Removed.
* ForwardingHeaders/JavaScriptCore/WebKitAvailability.h: Removed.
2018-02-06 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
https://bugs.webkit.org/show_bug.cgi?id=182440
Reviewed by Darin Adler.
This patch implements Array.prototype.flatMap and Array.prototype.flatten
since they are now stage 3 [1].
[1]: https://tc39.github.io/proposal-flatMap/#sec-FlattenIntoArray
* builtins/ArrayPrototype.js:
(filter):
(map):
(globalPrivate.concatSlowPath):
(globalPrivate.arraySpeciesCreate):
(globalPrivate.flattenIntoArray):
(flatten):
(globalPrivate.flattenIntoArrayWithCallback):
We separate flattenIntoArray from flattenIntoArrayWithCallback due to performance reason.
We carefully keep both functions small to encourage inlining.
(flatMap):
* runtime/ArrayPrototype.cpp:
(JSC::ArrayPrototype::finishCreation):
2018-01-13 Darin Adler <darin@apple.com>
Event improvements
https://bugs.webkit.org/show_bug.cgi?id=179591
Reviewed by Chris Dumez.
Remove all uses of ScriptValue other than in the implementation of ScriptObject.
* bindings/ScriptFunctionCall.cpp: Removed include of ScriptValue.h.
* bindings/ScriptObject.cpp: Removed unused overload of ScriptObject constructor.
* bindings/ScriptObject.h: Ditto.
* bindings/ScriptValue.cpp:
(Deprecated::ScriptValue::~ScriptValue): Deleted.
(Deprecated::ScriptValue::getString const): Deleted.
(Deprecated::ScriptValue::toString const): Deleted.
(Deprecated::ScriptValue::isEqual const): Deleted.
(Deprecated::ScriptValue::isNull const): Deleted.
(Deprecated::ScriptValue::isUndefined const): Deleted.
(Deprecated::ScriptValue::isObject const): Deleted.
(Deprecated::ScriptValue::isFunction const): Deleted.
(Deprecated::ScriptValue::toInspectorValue const): Deleted.
* bindings/ScriptValue.h: Removed many unused functions. Made the rest
protected since this is now used only in ScriptObject.
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::addToFrontend): Stop using ScriptValue.
(Inspector::ConsoleMessage::isEqual const): Updated for change to ScriptArguments::isEqual.
* inspector/ScriptArguments.cpp:
(Inspector::ScriptArguments::create): Take a Vector of JSC::Strong, not ScriptValue,
use rvalue reference with move instead of lvalue reference with swap, and take execution
state by reference instead of pointer.
(Inspector::ScriptArguments::createEmpty): Deleted. Can now use create instead.
(Inspector::ScriptArguments::ScriptArguments): Ditto.
(Inspector::ScriptArguments::~ScriptArguments): Deleted.
(Inspector::ScriptArguments::argumentAt const): Updated to use JSC::Strong.
(Inspector::ScriptArguments::getFirstArgumentAsString): Ditto.
(Inspector::ScriptArguments::isEqual const): Ditto. Also changed to use JS internals
instead of calling through the C API.
* inspector/ScriptArguments.h: Updated for the above.
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptArguments): Updated for changes to ScriptArguments.
* inspector/ScriptDebugServer.cpp: Removed include of ScriptValue.h.
* inspector/agents/InspectorAgent.cpp: Ditto.
* inspector/agents/InspectorDebuggerAgent.cpp: Ditto.
(Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use JSC::Strong instead
of ScriptValue.
(Inspector::InspectorDebuggerAgent::currentCallFrames): Ditto.
* inspector/agents/InspectorDebuggerAgent.h: Ditto.
* runtime/ConsoleClient.cpp:
(JSC::ConsoleClient::printConsoleMessageWithArguments): Ditto.
(JSC::ConsoleClient::clear): Use ScriptArguments::create and pass an empty vector
instead of calling a separate createEmpty function.
* runtime/VM.cpp:
(JSC::VM::createLeaked): Deleted.
* runtime/VM.h: Deleted createLeaked.
2018-02-06 Brian Burg <bburg@apple.com>
Web Inspector: protocol generator should automatically deduce the correct include style to use
https://bugs.webkit.org/show_bug.cgi?id=182505
Reviewed by Timothy Hatcher.
Currently the generated imports use a mix of system header imports (powered by forwarding headers)
and framework-style includes. Since forwarding headers are going away, this patch stops
using system header includes for headers that are JavaScriptCore private headers. Instead,
use either a relative include or a framework include.
* inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
(CppAlternateBackendDispatcherHeaderGenerator.generate_output):
(CppAlternateBackendDispatcherHeaderGenerator):
(CppAlternateBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
(CppBackendDispatcherHeaderGenerator.generate_output):
(CppBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator.generate_output):
(CppBackendDispatcherImplementationGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
(CppFrontendDispatcherHeaderGenerator.generate_output):
(CppFrontendDispatcherHeaderGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
(CppFrontendDispatcherImplementationGenerator.generate_output):
(CppFrontendDispatcherImplementationGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
(CppProtocolTypesHeaderGenerator.generate_output):
(CppProtocolTypesHeaderGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator.generate_output):
(CppProtocolTypesImplementationGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
(ObjCBackendDispatcherHeaderGenerator):
Convert existing header lists to the new entries format, which includes the
allowable target frameworks and the relative path to the header.
* inspector/scripts/codegen/generator.py:
(Generator.generate_includes_from_entries):
Copied from the same in the builtins code generator. It still works great.
* inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/generic/expected/domain-availability.json-result:
* inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/generic/expected/enum-values.json-result:
* inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
* inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
* inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
* inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
* inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
Rebaseline.
2018-02-06 Keith Miller <keith_miller@apple.com>
put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
https://bugs.webkit.org/show_bug.cgi?id=182549
<rdar://problem/36189995>
Reviewed by Saam Barati.
Previously, the llint/baseline caching for put_to_scope and
get_from_scope would cache lexical environments when the
varInjectionWatchpoint had been fired for global properties. Code
in the DFG does not follow this same assumption so we could
potentially return the wrong result. Additionally, the baseline
would write barrier the global object rather than the lexical
enviroment object. This patch makes it so that we do not cache
anything other than the global object for when the resolve type is
GlobalPropertyWithVarInjectionChecks or GlobalProperty.
* assembler/MacroAssembler.cpp:
(JSC::MacroAssembler::jitAssert):
* assembler/MacroAssembler.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
(JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
* runtime/Options.h:
2018-01-28 Filip Pizlo <fpizlo@apple.com>
Global objects should be able to use TLCs to allocate from different blocks from each other
https://bugs.webkit.org/show_bug.cgi?id=182227
Reviewed by JF Bastien.
This uses TLCs to create at least `minimumDistanceBetweenCellsFromDifferenOrigins` bytes of
distance between objects from different origins, using the following combination of things. For
short lets refer to that constant as K.
- Since r227721, LargeAllocation puts K bytes padding at the end of each allocation.
- Since r227718, MarkedBlock puts at least K bytes in its footer.
- Since r227617, global objects can have their own TLCs, which make them allocate from a
different set of blocks than other global objects. The TLC of a global object comes into
effect when you enter the VM via that global object.
- With this change, TLCs and blocks both have security origins. A TLC will only use blocks that
share the same security origin or empty blocks (in which case we zero the block and change
its security origin).
WebCore determines the TLC-GlobalObject mapping. By default, global objects would simply use
the VM's default TLC. WebCore makes it so that DOM windows (but not worker global objects) get
a TLC based on their document's SecurityOrigin.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::findBlockForAllocation):
(JSC::BlockDirectory::prepareForAllocation):
* heap/BlockDirectory.h:
* heap/LocalAllocator.cpp:
(JSC::LocalAllocator::LocalAllocator):
(JSC::LocalAllocator::reset):
(JSC::LocalAllocator::~LocalAllocator):
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
* heap/LocalAllocator.h:
(JSC::LocalAllocator::tlc const):
* heap/MarkStackMergingConstraint.cpp:
* heap/MarkStackMergingConstraint.h:
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::associateWithOrigin):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::securityOriginToken const):
* heap/SecurityOriginToken.cpp: Added.
(JSC::uniqueSecurityOriginToken):
* heap/SecurityOriginToken.h: Added.
* heap/ThreadLocalCache.cpp:
(JSC::ThreadLocalCache::create):
(JSC::ThreadLocalCache::ThreadLocalCache):
(JSC::ThreadLocalCache::allocateData):
(JSC::ThreadLocalCache::installSlow):
* heap/ThreadLocalCache.h:
(JSC::ThreadLocalCache::securityOriginToken const):
* heap/ThreadLocalCacheInlines.h:
(JSC::ThreadLocalCache::install):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::createThreadLocalCache):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::threadLocalCache):
(JSC::JSGlobalObject::threadLocalCache const): Deleted.
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
(JSC::VMEntryScope::~VMEntryScope):
* runtime/VMEntryScope.h:
2018-02-05 Don Olmstead <don.olmstead@sony.com>
JavaScriptCore files should not be included relatively
https://bugs.webkit.org/show_bug.cgi?id=182452
Reviewed by Keith Miller.
* API/JSCallbackConstructor.h:
* CMakeLists.txt:
* disassembler/ARM64Disassembler.cpp:
* disassembler/ARMv7Disassembler.cpp:
* heap/LockDuringMarking.h:
* inspector/InjectedScriptBase.h:
* inspector/InjectedScriptHost.h:
* inspector/JavaScriptCallFrame.h:
* inspector/ScriptArguments.h:
* inspector/ScriptDebugListener.h:
* inspector/ScriptDebugServer.h:
* inspector/agents/InspectorAgent.h:
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorHeapAgent.h:
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/agents/InspectorScriptProfilerAgent.h:
* runtime/RegExp.h:
2018-02-05 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r228012.
https://bugs.webkit.org/show_bug.cgi?id=182493
"It regressed ARES-6 by 2-4%" (Requested by saamyjoon on
#webkit).
Reverted changeset:
"[JSC] Clean up ArraySpeciesCreate"
https://bugs.webkit.org/show_bug.cgi?id=182434
https://trac.webkit.org/changeset/228012
2018-02-02 Ryan Haddad <ryanhaddad@apple.com>
Rebaseline bindings generator tests after r228032.
https://bugs.webkit.org/show_bug.cgi?id=182445
Unreviewed test gardening.
* Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2018-02-02 Saam Barati <sbarati@apple.com>
Make various DFG_ASSERTs provide more data to WTFCrashWithInfo
https://bugs.webkit.org/show_bug.cgi?id=182453
<rdar://problem/37174236>
Reviewed by JF Bastien and Mark Lam.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupChecksInBlock):
* dfg/DFGFlowIndexing.h:
(JSC::DFG::FlowIndexing::shadowIndex const):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGLoopPreHeaderCreationPhase.cpp:
(JSC::DFG::LoopPreHeaderCreationPhase::run):
* dfg/DFGPutStackSinkingPhase.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithAbs):
(JSC::DFG::SpeculativeJIT::compileArithRounding):
(JSC::DFG::SpeculativeJIT::compileToPrimitive):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStoreBarrierClusteringPhase.cpp:
* dfg/DFGStoreBarrierInsertionPhase.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
(JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
(JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
(JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
(JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
(JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
(JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
(JSC::FTL::DFG::LowerDFGToB3::compilePutById):
(JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
(JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
(JSC::FTL::DFG::LowerDFGToB3::compileIn):
(JSC::FTL::DFG::LowerDFGToB3::compare):
(JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
(JSC::FTL::DFG::LowerDFGToB3::lowInt32):
(JSC::FTL::DFG::LowerDFGToB3::lowInt52):
(JSC::FTL::DFG::LowerDFGToB3::lowCell):
(JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
(JSC::FTL::DFG::LowerDFGToB3::lowDouble):
(JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
2018-02-02 Don Olmstead <don.olmstead@sony.com>
JS Builtins should include JavaScriptCore headers directly
https://bugs.webkit.org/show_bug.cgi?id=182445
Reviewed by Yusuke Suzuki.
* Scripts/builtins/builtins_generator.py:
* Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2018-02-02 Saam Barati <sbarati@apple.com>
When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
https://bugs.webkit.org/show_bug.cgi?id=182368
<rdar://problem/36932466>
Reviewed by Mark Lam.
When preserving liveness when inserting Unreachable nodes after ForceOSRExit,
we must add the VariableAccessData to the given argument position. Otherwise,
we may end up with a VariableAccessData that doesn't respect the shouldNeverUnbox bit.
If we end up with such a situation, it can lead to invalid IR after the
arguments elimination phase optimizes a GetByVal to a GetStack.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushImpl):
(JSC::DFG::ByteCodeParser::flushForTerminalImpl):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parse):
2018-02-02 Mark Lam <mark.lam@apple.com>
More ARM64_32 fixes.
https://bugs.webkit.org/show_bug.cgi?id=182441
<rdar://problem/37162310>
Reviewed by Dan Bernstein.
I also disabled more dynamicPoisoning code in ARM64_32. This code assumes a
64-bit pointer which is not applicable here.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitDynamicPoison):
(JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
(JSC::AssemblyHelpers::emitDynamicPoisonOnType):
2018-02-02 Saam Barati <sbarati@apple.com>
MapHash should return true to doesGC in the DFG depending on useKind because it might resolve a rope
https://bugs.webkit.org/show_bug.cgi?id=182402
Reviewed by Yusuke Suzuki.
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
2018-02-02 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Clean up ArraySpeciesCreate
https://bugs.webkit.org/show_bug.cgi?id=182434
Reviewed by Saam Barati.
We have duplicate code in filter, map, concatSlowPath.
This patch creates a new global private function @arraySpeciesCreate,
and use it.
* builtins/ArrayPrototype.js:
(globalPrivate.arraySpeciesCreate):
(filter):
(map):
(globalPrivate.concatSlowPath):
2018-02-01 Mark Lam <mark.lam@apple.com>
Fix broken bounds check in FTL's compileGetMyArgumentByVal().
https://bugs.webkit.org/show_bug.cgi?id=182419
<rdar://problem/37044945>
Reviewed by Saam Barati.
In compileGetMyArgumentByVal(), it computes:
limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
...
LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit);
where the original "limit" is the number of arguments passed in by the caller.
If the original limit is less than numberOfArgumentsToSkip, the resultant limit
will be a large unsigned number. As a result, this will defeat the bounds check
that follows it.
Note: later on in compileGetMyArgumentByVal(), we have to adjust adjust the index
value by adding numberOfArgumentsToSkip to it, in order to determine the actual
entry in the arguments array to get.
The fix is to just add numberOfArgumentsToSkip to index upfront (instead of
subtracting it from limit), and doing an overflow speculation check on that
addition before doing the bounds check.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2018-02-01 Keith Miller <keith_miller@apple.com>
Fix crashes due to mishandling custom sections.
https://bugs.webkit.org/show_bug.cgi?id=182404
<rdar://problem/36935863>
Reviewed by Saam Barati.
This also cleans up some of our validation code. We also
mistakenly, allowed unknown (different from custom sections with
id: 0) section ids.
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parse):
* wasm/WasmModuleParser.h:
* wasm/WasmSections.h:
(JSC::Wasm::isKnownSection):
(JSC::Wasm::decodeSection):
(JSC::Wasm::validateOrder):
(JSC::Wasm::makeString):
(JSC::Wasm::isValidSection): Deleted.
2018-02-01 Michael Catanzaro <mcatanzaro@igalia.com>
-Wreturn-type warning in DFGObjectAllocationSinkingPhase.cpp
https://bugs.webkit.org/show_bug.cgi?id=182389
Reviewed by Yusuke Suzuki.
Fix the warning.
As a bonus, remove a couple unreachable breaks for good measure.
* dfg/DFGObjectAllocationSinkingPhase.cpp:
2018-02-01 Chris Dumez <cdumez@apple.com>
Queue a microtask when a waitUntil() promise is settled
https://bugs.webkit.org/show_bug.cgi?id=182372
<rdar://problem/37101019>
Reviewed by Mark Lam.
Export a symbol so it can be used in WebCore.
* runtime/JSGlobalObject.h:
2018-01-31 Don Olmstead <don.olmstead@sony.com>
[CMake] Make JavaScriptCore headers copies
https://bugs.webkit.org/show_bug.cgi?id=182303
Reviewed by Alex Christensen.
* CMakeLists.txt:
* PlatformGTK.cmake:
* PlatformJSCOnly.cmake:
* PlatformMac.cmake:
* PlatformWPE.cmake:
* PlatformWin.cmake:
* shell/CMakeLists.txt:
* shell/PlatformWin.cmake:
2018-01-31 Saam Barati <sbarati@apple.com>
Replace tryLargeMemalignVirtual with tryLargeZeroedMemalignVirtual and use it to allocate large zeroed memory in Wasm
https://bugs.webkit.org/show_bug.cgi?id=182064
<rdar://problem/36840132>
Reviewed by Geoffrey Garen.
This patch switches WebAssembly Memory to always use bmalloc's
zeroed virtual allocation API. This makes it so that we don't
dirty the memory to zero it. It's a huge compile time speedup
on WasmBench on iOS.
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::create):
(JSC::Wasm::Memory::~Memory):
(JSC::Wasm::Memory::addressIsInActiveFastMemory):
(JSC::Wasm::Memory::grow):
(JSC::Wasm::commitZeroPages): Deleted.
2018-01-31 Mark Lam <mark.lam@apple.com>
Build fix for CLoop after r227874.
https://bugs.webkit.org/show_bug.cgi?id=182155
<rdar://problem/36286266>
Not reviewed.
Just needed support for lea of a LabelReference in cloop.rb (just like those
added for arm64.rb and x86.rb).
* offlineasm/cloop.rb:
2018-01-31 Keith Miller <keith_miller@apple.com>
Canonicalize aquiring the JSCell lock.
https://bugs.webkit.org/show_bug.cgi?id=182320
Reviewed by Michael Saboff.
It's currently kinda annoying to figure out where
we aquire the a JSCell's lock. This patch adds a
helper to make it easier to grep...
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::visitChildren):
(JSC::UnlinkedCodeBlock::setInstructions):
(JSC::UnlinkedCodeBlock::shrinkToFit):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::finishCreation):
(JSC::ErrorInstance::materializeErrorInfoIfNeeded):
(JSC::ErrorInstance::visitChildren):
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::unshiftCountWithArrayStorage):
* runtime/JSCell.h:
(JSC::JSCell::cellLock):
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterflyImpl):
(JSC::JSObject::convertContiguousToArrayStorage):
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::visitChildren):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::add):
(JSC::SparseArrayValueMap::remove):
(JSC::SparseArrayValueMap::visitChildren):
2018-01-31 Saam Barati <sbarati@apple.com>
JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
https://bugs.webkit.org/show_bug.cgi?id=182074
<rdar://problem/36846261>
Reviewed by Mark Lam.
This patch teaches the JSONP evaluator about the global lexical environment.
Before, it was using the global object as the global scope, but that's wrong.
The global lexical environment is the first node in the global scope chain.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
* jsc.cpp:
(GlobalObject::finishCreation):
(shellSupportsRichSourceInfo):
(functionDisableRichSourceInfo):
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::tryJSONPParse):
* runtime/LiteralParser.h:
2018-01-31 Saam Barati <sbarati@apple.com>
clean up pushToSaveImmediateWithoutTouchingRegisters a bit
https://bugs.webkit.org/show_bug.cgi?id=181774
Reviewed by JF Bastien.
This function on ARM64 was considering what to do with the scratch
register. And conditionally invalidated what was in it. This is not
relevant though, since the function always recovers what was in that
register. This patch just switches it to using dataTempRegister
directly and updates the comment to describe why it can do so safely.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
2018-01-30 Mark Lam <mark.lam@apple.com>
Apply poisoning to TypedArray vector pointers.
https://bugs.webkit.org/show_bug.cgi?id=182155
<rdar://problem/36286266>
Reviewed by JF Bastien.
The TypeArray's vector pointer is now poisoned. The poison value is chosen based
on a TypeArray's jsType. The JSType must be between FirstTypedArrayType and
LastTypedArrayType. At runtime, we enforce that the index is well-behaved by
masking it against TypedArrayPoisonIndexMask. TypedArrayPoisonIndexMask (16) is
the number of TypedArray types (10) rounded up to the next power of 2.
Accordingly, we reserve an array of TypedArrayPoisonIndexMask poisons so that we
can use index masking on the index, and be guaranteed that the masked index will
be within bounds of the poisons array.
1. Fixed both DFG and FTL versions of compileGetTypedArrayByteOffset() to not
do any unnecessary work if the TypedArray vector is null.
FTL's cagedMayBeNull() is no longer needed because it is only used by
compileGetTypedArrayByteOffset(), and we need to enhance it to handle unpoisoning
in a TypedArray specific way. So, might as well do the work inline in
compileGetTypedArrayByteOffset() instead.
2. Removed an unnecessary null-check in DFGSpeculativeJIT's compileNewTypedArrayWithSize()
because there's already a null check above it that ensures that sizeGPR is
never null.
3. In LLInt's _llint_op_get_by_val, move the TypedArray length check before the
loading of the vector for unpoisoning and uncaging. We don't need the vector
if the length is 0.
Implementation notes on the need to null check the TypeArray vector:
1. DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds() does not need a
m_poisonedVector null check because the function is a null check.
2. DFG::SpeculativeJIT::compileGetIndexedPropertyStorage() does not need a
m_poisonedVector null check because it is followed by a call to
cageTypedArrayStorage() which assumes that storageReg cannot be null.
3. DFG::SpeculativeJIT::compileGetTypedArrayByteOffset() already has a
m_poisonedVector null check.
4. DFG::SpeculativeJIT::compileNewTypedArrayWithSize() does not need a vector null
check because the poisoning code is preceded by a sizeGPR null check, which
ensures that the storageGPR (vector to be poisoned) is not null.
5. FTL's compileGetIndexedPropertyStorage() does not need a m_poisonedVector null
check because it is followed by a call to caged() which assumes that the
vector cannot be null.
6. FTL's compileGetTypedArrayByteOffset() already has a m_poisonedVector null check.
7. FTL's compileNewTypedArray() does not need a vector null check because the
poisoning code is preceded by a size null check, which ensures that the
storage (vector to be poisoned) is not null.
8. FTL's speculateTypedArrayIsNotNeutered() does not need a
m_poisonedVector null check because the function is a null check.
9. IntrinsicGetterAccessCase::emitIntrinsicGetter()'s TypedArrayByteOffsetIntrinsic
case needs a null check so that it does not try to unpoison a null vector.
10. JIT::emitIntTypedArrayGetByVal() does not need a vector null check because
we already do a length check even before loading the vector.
11. JIT::emitFloatTypedArrayGetByVal() does not need a vector null check because
we already do a length check even before loading the vector.
12. JIT::emitIntTypedArrayPutByVal() does not need a vector null check because
we already do a length check even before loading the vector.
13. JIT::emitFloatTypedArrayPutByVal() does not need a vector null check because
we already do a length check even before loading the vector.
14. LLInt's loadTypedArrayCaged() does not need a vector null check because its
client will do a TypedArray length check before calling it.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::checkArray):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasArrayMode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
(JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): Deleted.
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/x86.rb:
* runtime/CagedBarrierPtr.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
(JSC::JSArrayBufferView::finalize):
(JSC::JSArrayBufferView::neuter):
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::vector const):
(JSC::JSArrayBufferView::offsetOfPoisonedVector):
(JSC::JSArrayBufferView::poisonFor):
(JSC::JSArrayBufferView::Poison::key):
(JSC::JSArrayBufferView::offsetOfVector): Deleted.
* runtime/JSCPoison.cpp:
(JSC::initializePoison):
* runtime/JSCPoison.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSObject.h:
2018-01-30 Fujii Hironori <Hironori.Fujii@sony.com>
[Win] Warning fix.
https://bugs.webkit.org/show_bug.cgi?id=177007
Reviewed by Yusuke Suzuki.
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::dump const):
Changed the type of locationRawBits from unsigned to uintptr_t.
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::createNumberFormat):
Initialize 'style' to avoid potentially uninitialized local variable warning.
2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Implement trimStart and trimEnd
https://bugs.webkit.org/show_bug.cgi?id=182233
Reviewed by Mark Lam.
String.prototype.{trimStart,trimEnd} are now stage 3[1].
String.prototype.{trimLeft,trimRight} are alias to these functions.
We rename these functions to trimStart and trimEnd, and put them as
trimLeft and trimRight too.
[1]: https://tc39.github.io/proposal-string-left-right-trim/
* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):
(JSC::trimString):
(JSC::stringProtoFuncTrim):
(JSC::stringProtoFuncTrimStart):
(JSC::stringProtoFuncTrimEnd):
(JSC::stringProtoFuncTrimLeft): Deleted.
(JSC::stringProtoFuncTrimRight): Deleted.
2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Relax line terminators in String to make JSON subset of JS
https://bugs.webkit.org/show_bug.cgi?id=182232
Reviewed by Keith Miller.
"Subsume JSON" spec is now stage 3[1]. Before this spec change,
JSON can accept \u2028 / \u2029 in string while JS cannot do that.
It accidentally made JSON non subset of JS.
Now we extend our JS string to accept \u2028 / \u2029 to make JSON
subset of JS in this spec change.
[1]: https://github.com/tc39/proposal-json-superset
* parser/Lexer.cpp:
(JSC::Lexer<T>::parseStringSlowCase):
2018-01-29 Jiewen Tan <jiewen_tan@apple.com>
[WebAuthN] Add a compile-time feature flag
https://bugs.webkit.org/show_bug.cgi?id=182211
<rdar://problem/36936365>
Reviewed by Brent Fulgham.
* Configurations/FeatureDefines.xcconfig:
2018-01-29 Michael Saboff <msaboff@apple.com>
REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
https://bugs.webkit.org/show_bug.cgi?id=182249
Reviewed by Keith Miller.
Changed clobberize() handling of CompareEq, et al to properly handle comparisons between
Untyped and Object values when compared against built in types. Such comparisons can
invoke toNumber() or other methods.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2018-01-29 Matt Lewis <jlewis3@apple.com>
Unreviewed, rolling out r227725.
This caused internal failures.
Reverted changeset:
"JSC Sampling Profiler: Detect tester and testee when sampling
in RegExp JIT"
https://bugs.webkit.org/show_bug.cgi?id=152729
https://trac.webkit.org/changeset/227725
2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
https://bugs.webkit.org/show_bug.cgi?id=152729
Reviewed by Saam Barati.
This patch extends SamplingProfiler to recognize JIT RegExp execution. We record
executing RegExp in VM so that SamplingProfiler can detect it. This is better
than the previous VM::isExecutingInRegExpJIT flag approach since
1. isExecutingInRegExpJIT is set after starting executing JIT RegExp code. Thus,
if we suspend the thread just before executing this flag, or just after clearing
this flag, SamplingProfiler gets invalid frame, and frame validation fails. We
should set such a flag before and after executing JIT RegExp code.
2. This removes VM dependency from YarrJIT which is not essential one.
We add ExecutionContext enum to RegExp::matchInline not to mark execution if it
is done in non JS thread.
* bytecode/BytecodeDumper.cpp:
(JSC::regexpName):
(JSC::BytecodeDumper<Block>::dumpRegExps):
(JSC::regexpToSourceString): Deleted.
* heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::match):
(JSC::RegExp::matchConcurrently):
(JSC::RegExp::compileMatchOnly):
(JSC::RegExp::toSourceString const):
* runtime/RegExp.h:
* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):
* runtime/RegExpMatchesArray.h:
(JSC::createRegExpMatchesArray):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::SamplingProfiler):
(JSC::SamplingProfiler::timerLoop):
(JSC::SamplingProfiler::takeSample):
(JSC::SamplingProfiler::processUnverifiedStackTraces):
(JSC::SamplingProfiler::StackFrame::nameFromCallee):
(JSC::SamplingProfiler::StackFrame::displayName):
(JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
(JSC::SamplingProfiler::StackFrame::functionStartLine):
(JSC::SamplingProfiler::StackFrame::functionStartColumn):
(JSC::SamplingProfiler::StackFrame::sourceID):
(JSC::SamplingProfiler::StackFrame::url):
(WTF::printInternal):
(JSC::SamplingProfiler::~SamplingProfiler): Deleted.
* runtime/SamplingProfiler.h:
* runtime/VM.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::jitCompile):
* yarr/YarrJIT.h:
2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] WeakMap#set should have DFG node
https://bugs.webkit.org/show_bug.cgi?id=180015
Reviewed by Saam Barati.
This patch adds WeakMapSet and WeakSetAdd DFG nodes to handle them efficiently in DFG and FTL.
We also define CSE rules for them. Now, WeakMapSet and WeakSetAdd can offer the results of
the subsequent WeakMapGet if CSE allows.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addVarArgChild):
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
WeakMap operations do not cause GC.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileWeakSetAdd):
(JSC::DFG::SpeculativeJIT::compileWeakMapSet):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet):
* jit/JITOperations.h:
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/WeakMapPrototype.cpp:
(JSC::WeakMapPrototype::finishCreation):
* runtime/WeakSetPrototype.cpp:
(JSC::WeakSetPrototype::finishCreation):
2018-01-28 Filip Pizlo <fpizlo@apple.com>
LargeAllocation should do the same distancing as MarkedBlock
https://bugs.webkit.org/show_bug.cgi?id=182226
Reviewed by Saam Barati.
This makes LargeAllocation do the same exact distancing that MarkedBlock promises to do.
To make that possible, this patch first makes MarkedBlock know exactly how much distancing it
is doing:
- I've rationalized the payloadSize calculation. In particular, I made MarkedSpace use the
calculation done in MarkedBlock. MarkedSpace used to do the math a different way. This
keeps the old way just for a static_assert.
- The promised amount of distancing is now codified in HeapCell.h as
minimumDistanceBetweenCellsFromDifferentOrigins. We assert that the footer size is at least
as big as this. I didn't want to just use footer size for this constant because then, if
you increased the size of the footer, you'd also add padding to every large allocation.
Then this patch just adds minimumDistanceBetweenCellsFromDifferentOrigins to each large
allocation. It also zeroes that slice of memory to prevent any information leaks that way.
This is perf neutral. Large allocations start out at ~8000 bytes. The amount of padding is
~300 bytes. That's 3.75% space overhead for objects that are ~8000 bytes, zero overhead for
smaller objects, and diminishing overhead for larger objects. We allocate very few large
objects, so we shouldn't have any real space overhead from this.
* heap/HeapCell.h:
* heap/LargeAllocation.cpp:
(JSC::LargeAllocation::tryCreate):
* heap/MarkedBlock.h:
* heap/MarkedSpace.h:
2018-01-27 Filip Pizlo <fpizlo@apple.com>
Make MarkedBlock::Footer bigger
https://bugs.webkit.org/show_bug.cgi?id=182220
Reviewed by JF Bastien.
This makes the block footer larger by moving the newlyAllocated bits from the handle into
the footer.
It used to be profitable to put anything we could into the handle because that would free up
payload space inside the block. But now that we want to use the footer for padding, it's
profitable to put GC state information - especially data that is used by the GC itself and so
is not useful for a Spectre attack - into the footer to increase object distancing.
* heap/CellContainer.cpp:
(JSC::CellContainer::isNewlyAllocated const):
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::sweepToFreeList):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::Handle):
(JSC::MarkedBlock::Footer::Footer):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::lastChanceToFinalize):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::resetAllocated):
(JSC::MarkedBlock::Handle::resetAllocated): Deleted.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::newlyAllocatedVersion const):
(JSC::MarkedBlock::isNewlyAllocated):
(JSC::MarkedBlock::setNewlyAllocated):
(JSC::MarkedBlock::clearNewlyAllocated):
(JSC::MarkedBlock::newlyAllocated const):
(JSC::MarkedBlock::Handle::newlyAllocatedVersion const): Deleted.
(JSC::MarkedBlock::Handle::isNewlyAllocated): Deleted.
(JSC::MarkedBlock::Handle::setNewlyAllocated): Deleted.
(JSC::MarkedBlock::Handle::clearNewlyAllocated): Deleted.
(JSC::MarkedBlock::Handle::newlyAllocated const): Deleted.
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::isNewlyAllocatedStale const):
(JSC::MarkedBlock::hasAnyNewlyAllocated):
(JSC::MarkedBlock::Handle::isLive):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::newlyAllocatedMode):
(JSC::MarkedBlock::Handle::isNewlyAllocatedStale const): Deleted.
(JSC::MarkedBlock::Handle::hasAnyNewlyAllocated): Deleted.
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::endMarking):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::appendJSCellOrAuxiliary):
2018-01-27 Filip Pizlo <fpizlo@apple.com>
MarkedBlock should have a footer instead of a header
https://bugs.webkit.org/show_bug.cgi?id=182217
Reviewed by JF Bastien.
This moves the MarkedBlock's meta-data from the header to the footer. This doesn't really
change anything except for some compile-time constants, so it should not affect performance.
This change is to help protect against Spectre attacks on structure checks, which allow for
small-offset out-of-bounds access. By putting the meta-data at the end of the block, small
OOBs will only get to other objects in the same block or the block footer. The block footer
is not super interesting. So, if we combine this with the TLC change (r227617), this means we
can use blocks as the mechanism of achieving distance between objects from different origins.
We just need to avoid ever putting objects from different origins in the same block. That's
what bug 181636 is about.
* heap/BlockDirectory.cpp:
(JSC::blockHeaderSize): Deleted.
(JSC::BlockDirectory::blockSizeForBytes): Deleted.
* heap/BlockDirectory.h:
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::MarkedBlock):
(JSC::MarkedBlock::~MarkedBlock):
(JSC::MarkedBlock::Footer::Footer):
(JSC::MarkedBlock::Footer::~Footer):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::lastChanceToFinalize):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::resetMarks):
(JSC::MarkedBlock::assertMarksNotStale):
(JSC::MarkedBlock::Handle::didConsumeFreeList):
(JSC::MarkedBlock::markCount):
(JSC::MarkedBlock::clearHasAnyMarked):
(JSC::MarkedBlock::Handle::didAddToDirectory):
(JSC::MarkedBlock::Handle::didRemoveFromDirectory):
(JSC::MarkedBlock::Handle::sweep):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::markingVersion const):
(JSC::MarkedBlock::lock):
(JSC::MarkedBlock::subspace const):
(JSC::MarkedBlock::footer):
(JSC::MarkedBlock::footer const):
(JSC::MarkedBlock::handle):
(JSC::MarkedBlock::handle const):
(JSC::MarkedBlock::Handle::blockFooter):
(JSC::MarkedBlock::isAtomAligned):
(JSC::MarkedBlock::Handle::cellAlign):
(JSC::MarkedBlock::blockFor):
(JSC::MarkedBlock::vm const):
(JSC::MarkedBlock::weakSet):
(JSC::MarkedBlock::cellSize):
(JSC::MarkedBlock::attributes const):
(JSC::MarkedBlock::atomNumber):
(JSC::MarkedBlock::areMarksStale):
(JSC::MarkedBlock::aboutToMark):
(JSC::MarkedBlock::isMarkedRaw):
(JSC::MarkedBlock::isMarked):
(JSC::MarkedBlock::testAndSetMarked):
(JSC::MarkedBlock::marks const):
(JSC::MarkedBlock::isAtom):
(JSC::MarkedBlock::Handle::forEachCell):
(JSC::MarkedBlock::hasAnyMarked const):
(JSC::MarkedBlock::noteMarked):
(WTF::MarkedBlockHash::hash):
(JSC::MarkedBlock::firstAtom): Deleted.
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::marksConveyLivenessDuringMarking):
(JSC::MarkedBlock::Handle::isLive):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::forEachLiveCell):
(JSC::MarkedBlock::Handle::forEachDeadCell):
(JSC::MarkedBlock::Handle::forEachMarkedCell):
* heap/MarkedSpace.cpp:
* heap/MarkedSpace.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2018-01-27 Yusuke Suzuki <utatane.tea@gmail.com>
DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
https://bugs.webkit.org/show_bug.cgi?id=182213
Reviewed by Mark Lam.
toStringWithRadixInternal is originally used for the slow path if the given value is larger than radix or negative.
As a result, it does not accept 0 correctly, and produces an empty string. Since DFGStrengthReductionPhase uses
this function, it accidentally converts NumberToStringWithValidRadixConstant(0, radix) to an empty string.
This patch fixes toStringWithRadixInternal to accept 0. This change fixes twitch.tv's issue.
We also add a careful cast to avoid `-INT32_MIN`. It does not produce incorrect value in x86 in practice,
but it is UB, and a compiler may assume that the given value is never INT32_MIN and could do an incorrect optimization.
* runtime/NumberPrototype.cpp:
(JSC::toStringWithRadixInternal):
2018-01-26 Saam Barati <sbarati@apple.com>
Fix emitAllocateWithNonNullAllocator to work on arm
https://bugs.webkit.org/show_bug.cgi?id=182187
<rdar://problem/36906550>
Reviewed by Filip Pizlo.
This patch unifies the x86 and ARM paths in emitAllocateWithNonNullAllocator
and makes it so that emitAllocateWithNonNullAllocator uses the macro scratch
register on ARM.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2018-01-26 Joseph Pecoraro <pecoraro@apple.com>
Rebaselining builtin generator tests after r227685.
Unreviewed.
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
* Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
It used to be that the builtins generator was minifying by default. That was an accident
and we now only minify on Release builds. The generator tests are now getting the
default unminified output behavior so they need to update their expectations
for some extra whitespace.
2018-01-26 Mark Lam <mark.lam@apple.com>
We should only append ParserArenaDeletable pointers to ParserArena::m_deletableObjects.
https://bugs.webkit.org/show_bug.cgi?id=182180
<rdar://problem/36460697>
Reviewed by Michael Saboff.
Some parser Node subclasses extend ParserArenaDeletable via multiple inheritance,
but not as the Node's first base class. ParserArena::m_deletableObjects is
expecting pointers to objects of the shape of ParserArenaDeletable. We ensure
this by allocating the Node subclass, and casting it to ParserArenaDeletable to
get the correct pointer to append to ParserArena::m_deletableObjects.
To simplify things, we introduce a JSC_MAKE_PARSER_ARENA_DELETABLE_ALLOCATED
(analogous to WTF_MAKE_FAST_ALLOCATED) for use in Node subclasses that extends
ParserArenaDeletable.
* parser/NodeConstructors.h:
(JSC::ParserArenaDeletable::operator new):
* parser/Nodes.h:
* parser/ParserArena.h:
(JSC::ParserArena::allocateDeletable):
2018-01-26 Joseph Pecoraro <pecoraro@apple.com>
JavaScriptCore builtins should be partially minified in Release builds not Debug builds
https://bugs.webkit.org/show_bug.cgi?id=182165
Reviewed by Keith Miller.
* Scripts/builtins/builtins_model.py:
(BuiltinFunction.fromString):
Apply minifications on Release builds instead of Debug builds.
Also eliminate leading whitespace.
2018-01-26 Filip Pizlo <fpizlo@apple.com>
Disable TLS-based TLCs
https://bugs.webkit.org/show_bug.cgi?id=182175
Reviewed by Saam Barati.
Check for the new USE(FAST_TLS_FOR_TLC) flag instead of just ENABLE(FAST_TLS_JIT).
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::~BlockDirectory):
* heap/BlockDirectory.h:
* heap/ThreadLocalCache.cpp:
(JSC::ThreadLocalCache::installSlow):
(JSC::ThreadLocalCache::installData):
* heap/ThreadLocalCache.h:
* heap/ThreadLocalCacheInlines.h:
(JSC::ThreadLocalCache::getImpl):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
* runtime/VM.cpp:
(JSC::VM::~VM):
* runtime/VM.h:
2018-01-25 Yusuke Suzuki <utatane.tea@gmail.com>
imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/errorhandling.html crashes
https://bugs.webkit.org/show_bug.cgi?id=181980
Reviewed by Ryosuke Niwa.
We accidentally failed to propagate errored promise in instantiate and satify phase if entry.{instantiate,satisfy}
promises are set. Since we just returned `entry`, it becomes succeeded promise even if the dependent fetch, instantiate,
and satisfy promises are failed. This patch fixes error propagation by returning `entry.instantiate` and `entry.satisfy`
correctly.
* builtins/ModuleLoaderPrototype.js:
(requestInstantiate):
(requestSatisfy):
2018-01-25 Mark Lam <mark.lam@apple.com>
Gardening: fix 32-bit build after r227643.
https://bugs.webkit.org/show_bug.cgi?id=182086
Not reviewed.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
2018-01-24 Filip Pizlo <fpizlo@apple.com>
DirectArguments should protect itself using dynamic poisoning and precise index masking
https://bugs.webkit.org/show_bug.cgi?id=182086
Reviewed by Saam Barati.
This implements dynamic poisoning and precise index masking in DirectArguments, using the
helpers from <wtf/MathExtras.h> and helpers in AssemblyHelpers and FTL::LowerDFGToB3.
We use dynamic poisoning for DirectArguments since this object did not have any additional
indirection inside it that could have been poisoned. So, we use the xor of the expected type
and the actual type as an additional input into the pointer.
We use precise index masking for bounds checks, because it's not worth doing index masking
unless we know that precise index masking is too slow.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::lshiftPtr):
(JSC::MacroAssembler::rshiftPtr):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
(JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask64):
(JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask32):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitPreciseIndexMask32):
(JSC::AssemblyHelpers::emitDynamicPoison):
(JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
(JSC::AssemblyHelpers::emitDynamicPoisonOnType):
* jit/AssemblyHelpers.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDirectArgumentsGetByVal):
* runtime/DirectArguments.h:
(JSC::DirectArguments::getIndexQuickly const):
(JSC::DirectArguments::setIndexQuickly):
(JSC::DirectArguments::argument):
* runtime/GenericArgumentsInlines.h:
2018-01-25 Mark Lam <mark.lam@apple.com>
Rename some local vars from type to typedArrayType for greater clarity.
https://bugs.webkit.org/show_bug.cgi?id=182148
<rdar://problem/36882310>
Reviewed by Saam Barati.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2018-01-25 Filip Pizlo <fpizlo@apple.com>
JSC GC should support TLCs (thread local caches)
https://bugs.webkit.org/show_bug.cgi?id=181559
Reviewed by Mark Lam and Saam Barati.
This is a big step towards object distancing by site origin. This patch implements TLCs, or
thread-local caches, which allow each thread to allocate from its own free lists. It also
means that any given thread can context-switch TLCs. This will allow us to do separate
allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
will allow us to have a hard distancing constraint between objects from different origins.
In this new design, every "size class" is represented as a BlockDirectory (formerly known as
MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
aligned memory allocator (which roughly represents which cage you came out of), and anyone
using the same allocator can share those blocks - but so long as they are in that
BlockDirectory, they will have the size and type of that directory. Previously, each
BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of
LocalAllocators, each of which has a FreeList.
To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
starts by figuring out what Allocator it wants (often we have this information at JIT time).
Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
offsets as opposed to indices to make it easy to do the math on each allocation (if
LocalAllocator had a weird size then every allocation would have to do an imul).
This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
something there, but it's not significant according to our threshold).
Relanding after fixing ARM64 bug in AssemblyHelpers::emitAllocateWithNonNullAllocator(). That
function needs to be careful to avoid using the scratch register because the FTL will call it
in disallow-scratch-register mode.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* b3/B3LowerToAir.cpp:
* b3/B3PatchpointSpecial.cpp:
(JSC::B3::PatchpointSpecial::admitsStack):
* b3/B3StackmapSpecial.cpp:
(JSC::B3::StackmapSpecial::forEachArgImpl):
(JSC::B3::StackmapSpecial::isArgValidForRep):
* b3/B3StackmapValue.cpp:
(JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
* b3/B3StackmapValue.h:
* b3/B3Validate.cpp:
* b3/B3ValueRep.cpp:
(JSC::B3::ValueRep::addUsedRegistersTo const):
(JSC::B3::ValueRep::dump const):
(WTF::printInternal):
* b3/B3ValueRep.h:
(JSC::B3::ValueRep::ValueRep):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/ObjectAllocationProfile.h:
(JSC::ObjectAllocationProfile::ObjectAllocationProfile):
(JSC::ObjectAllocationProfile::clear):
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
(JSC::DFG::SpeculativeJIT::compileNewObject):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
* heap/Allocator.cpp: Added.
(JSC::Allocator::cellSize const):
* heap/Allocator.h: Added.
(JSC::Allocator::Allocator):
(JSC::Allocator::offset const):
(JSC::Allocator::operator== const):
(JSC::Allocator::operator!= const):
(JSC::Allocator::operator bool const):
* heap/AllocatorInlines.h: Added.
(JSC::Allocator::allocate const):
(JSC::Allocator::tryAllocate const):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::BlockDirectory):
(JSC::BlockDirectory::findBlockForAllocation):
(JSC::BlockDirectory::stopAllocating):
(JSC::BlockDirectory::prepareForAllocation):
(JSC::BlockDirectory::stopAllocatingForGood):
(JSC::BlockDirectory::resumeAllocating):
(JSC::BlockDirectory::endMarking):
(JSC::BlockDirectory::isFreeListedCell):
(JSC::BlockDirectory::didConsumeFreeList): Deleted.
(JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
(JSC::BlockDirectory::allocateIn): Deleted.
(JSC::BlockDirectory::tryAllocateIn): Deleted.
(JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
(JSC::BlockDirectory::allocateSlowCase): Deleted.
* heap/BlockDirectory.h:
(JSC::BlockDirectory::cellKind const):
(JSC::BlockDirectory::allocator const):
(JSC::BlockDirectory::freeList const): Deleted.
(JSC::BlockDirectory::offsetOfFreeList): Deleted.
(JSC::BlockDirectory::offsetOfCellSize): Deleted.
* heap/BlockDirectoryInlines.h:
(JSC::BlockDirectory::isFreeListedCell const): Deleted.
(JSC::BlockDirectory::allocate): Deleted.
* heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::CompleteSubspace):
(JSC::CompleteSubspace::allocatorFor):
(JSC::CompleteSubspace::allocate):
(JSC::CompleteSubspace::allocateNonVirtual):
(JSC::CompleteSubspace::allocatorForSlow):
(JSC::CompleteSubspace::allocateSlow):
(JSC::CompleteSubspace::tryAllocateSlow):
* heap/CompleteSubspace.h:
(JSC::CompleteSubspace::allocatorForSizeStep):
(JSC::CompleteSubspace::allocatorForNonVirtual):
* heap/FreeList.h:
* heap/GCDeferralContext.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):
* heap/Heap.h:
(JSC::Heap::threadLocalCacheLayout):
* heap/IsoCellSet.h:
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::IsoSubspace):
(JSC::IsoSubspace::allocatorFor):
(JSC::IsoSubspace::allocate):
(JSC::IsoSubspace::allocateNonVirtual):
* heap/IsoSubspace.h:
(JSC::IsoSubspace::allocatorForNonVirtual):
* heap/LocalAllocator.cpp: Added.
(JSC::LocalAllocator::LocalAllocator):
(JSC::LocalAllocator::reset):
(JSC::LocalAllocator::~LocalAllocator):
(JSC::LocalAllocator::stopAllocating):
(JSC::LocalAllocator::resumeAllocating):
(JSC::LocalAllocator::prepareForAllocation):
(JSC::LocalAllocator::stopAllocatingForGood):
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::didConsumeFreeList):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
(JSC::LocalAllocator::allocateIn):
(JSC::LocalAllocator::tryAllocateIn):
(JSC::LocalAllocator::doTestCollectionsIfNeeded):
(JSC::LocalAllocator::isFreeListedCell const):
* heap/LocalAllocator.h: Added.
(JSC::LocalAllocator::offsetOfFreeList):
(JSC::LocalAllocator::offsetOfCellSize):
* heap/LocalAllocatorInlines.h: Added.
(JSC::LocalAllocator::allocate):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::stopAllocatingForGood):
* heap/MarkedSpace.h:
* heap/SlotVisitor.cpp:
* heap/SlotVisitor.h:
* heap/Subspace.h:
* heap/ThreadLocalCache.cpp: Added.
(JSC::ThreadLocalCache::create):
(JSC::ThreadLocalCache::ThreadLocalCache):
(JSC::ThreadLocalCache::~ThreadLocalCache):
(JSC::ThreadLocalCache::allocateData):
(JSC::ThreadLocalCache::destroyData):
(JSC::ThreadLocalCache::installSlow):
(JSC::ThreadLocalCache::installData):
(JSC::ThreadLocalCache::allocatorSlow):
(JSC::ThreadLocalCache::destructor):
* heap/ThreadLocalCache.h: Added.
(JSC::ThreadLocalCache::offsetOfSize):
(JSC::ThreadLocalCache::offsetOfFirstAllocator):
* heap/ThreadLocalCacheInlines.h: Added.
(JSC::ThreadLocalCache::getImpl):
(JSC::ThreadLocalCache::get):
(JSC::ThreadLocalCache::install):
(JSC::ThreadLocalCache::allocator):
(JSC::ThreadLocalCache::tryGetAllocator):
* heap/ThreadLocalCacheLayout.cpp: Added.
(JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::allocateOffset):
(JSC::ThreadLocalCacheLayout::snapshot):
(JSC::ThreadLocalCacheLayout::directory):
* heap/ThreadLocalCacheLayout.h: Added.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
(JSC::AssemblyHelpers::emitAllocate):
(JSC::AssemblyHelpers::emitAllocateVariableSized):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::vm):
(JSC::AssemblyHelpers::emitAllocateJSCell):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
(JSC::AssemblyHelpers::emitAllocate): Deleted.
(JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::growArrayRight):
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::overrideThings):
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
* runtime/HashMapImpl.h:
(JSC::HashMapBuffer::create):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::unshiftCountSlowCase):
* runtime/JSArray.h:
(JSC::JSArray::tryCreate):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSCellInlines.h:
(JSC::tryAllocateCellHelper):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::threadLocalCache const):
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
* runtime/Options.h:
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
2018-01-25 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r227592.
https://bugs.webkit.org/show_bug.cgi?id=182110
it made ARM64 (Linux and iOS) crash (Requested by pizlo-mbp on
#webkit).
Reverted changeset:
"JSC GC should support TLCs (thread local caches)"
https://bugs.webkit.org/show_bug.cgi?id=181559
https://trac.webkit.org/changeset/227592
2018-01-25 Alejandro G. Castro <alex@igalia.com>
undefined reference to 'JSC::B3::BasicBlock::fallThrough() const
https://bugs.webkit.org/show_bug.cgi?id=180637
Reviewed by Michael Catanzaro.
We need to make sure the implementation of the inline functions is
compiled when we compile the code using the function, now that the
compilation is divided, or we could end up with undefined symbols
when the declaration is not inlined, at least with some compilers
and optimizations enabled -O2.
* b3/B3SwitchValue.cpp: replace the include.
2018-01-20 Filip Pizlo <fpizlo@apple.com>
JSC GC should support TLCs (thread local caches)
https://bugs.webkit.org/show_bug.cgi?id=181559
Reviewed by Mark Lam and Saam Barati.
This is a big step towards object distancing by site origin. This patch implements TLCs, or
thread-local caches, which allow each thread to allocate from its own free lists. It also
means that any given thread can context-switch TLCs. This will allow us to do separate
allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
will allow us to have a hard distancing constraint between objects from different origins.
In this new design, every "size class" is represented as a BlockDirectory (formerly known as
MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
aligned memory allocator (which roughly represents which cage you came out of), and anyone
using the same allocator can share those blocks - but so long as they are in that
BlockDirectory, they will have the size and type of that directory. Previously, each
BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of
LocalAllocators, each of which has a FreeList.
To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
starts by figuring out what Allocator it wants (often we have this information at JIT time).
Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
offsets as opposed to indices to make it easy to do the math on each allocation (if
LocalAllocator had a weird size then every allocation would have to do an imul).
This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
something there, but it's not significant according to our threshold).
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* b3/B3LowerToAir.cpp:
* b3/B3PatchpointSpecial.cpp:
(JSC::B3::PatchpointSpecial::admitsStack):
* b3/B3StackmapSpecial.cpp:
(JSC::B3::StackmapSpecial::forEachArgImpl):
(JSC::B3::StackmapSpecial::isArgValidForRep):
* b3/B3StackmapValue.cpp:
(JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
* b3/B3StackmapValue.h:
* b3/B3Validate.cpp:
* b3/B3ValueRep.cpp:
(JSC::B3::ValueRep::addUsedRegistersTo const):
(JSC::B3::ValueRep::dump const):
(WTF::printInternal):
* b3/B3ValueRep.h:
(JSC::B3::ValueRep::ValueRep):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/ObjectAllocationProfile.h:
(JSC::ObjectAllocationProfile::ObjectAllocationProfile):
(JSC::ObjectAllocationProfile::clear):
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
(JSC::DFG::SpeculativeJIT::compileNewObject):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
* heap/Allocator.cpp: Added.
(JSC::Allocator::cellSize const):
* heap/Allocator.h: Added.
(JSC::Allocator::Allocator):
(JSC::Allocator::offset const):
(JSC::Allocator::operator== const):
(JSC::Allocator::operator!= const):
(JSC::Allocator::operator bool const):
* heap/AllocatorInlines.h: Added.
(JSC::Allocator::allocate const):
(JSC::Allocator::tryAllocate const):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::BlockDirectory):
(JSC::BlockDirectory::findBlockForAllocation):
(JSC::BlockDirectory::stopAllocating):
(JSC::BlockDirectory::prepareForAllocation):
(JSC::BlockDirectory::stopAllocatingForGood):
(JSC::BlockDirectory::resumeAllocating):
(JSC::BlockDirectory::endMarking):
(JSC::BlockDirectory::isFreeListedCell):
(JSC::BlockDirectory::didConsumeFreeList): Deleted.
(JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
(JSC::BlockDirectory::allocateIn): Deleted.
(JSC::BlockDirectory::tryAllocateIn): Deleted.
(JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
(JSC::BlockDirectory::allocateSlowCase): Deleted.
* heap/BlockDirectory.h:
(JSC::BlockDirectory::cellKind const):
(JSC::BlockDirectory::allocator const):
(JSC::BlockDirectory::freeList const): Deleted.
(JSC::BlockDirectory::offsetOfFreeList): Deleted.
(JSC::BlockDirectory::offsetOfCellSize): Deleted.
* heap/BlockDirectoryInlines.h:
(JSC::BlockDirectory::isFreeListedCell const): Deleted.
(JSC::BlockDirectory::allocate): Deleted.
* heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::CompleteSubspace):
(JSC::CompleteSubspace::allocatorFor):
(JSC::CompleteSubspace::allocate):
(JSC::CompleteSubspace::allocateNonVirtual):
(JSC::CompleteSubspace::allocatorForSlow):
(JSC::CompleteSubspace::allocateSlow):
(JSC::CompleteSubspace::tryAllocateSlow):
* heap/CompleteSubspace.h:
(JSC::CompleteSubspace::allocatorForSizeStep):
(JSC::CompleteSubspace::allocatorForNonVirtual):
* heap/FreeList.h:
* heap/GCDeferralContext.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):
* heap/Heap.h:
(JSC::Heap::threadLocalCacheLayout):
* heap/IsoCellSet.h:
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::IsoSubspace):
(JSC::IsoSubspace::allocatorFor):
(JSC::IsoSubspace::allocate):
(JSC::IsoSubspace::allocateNonVirtual):
* heap/IsoSubspace.h:
(JSC::IsoSubspace::allocatorForNonVirtual):
* heap/LocalAllocator.cpp: Added.
(JSC::LocalAllocator::LocalAllocator):
(JSC::LocalAllocator::reset):
(JSC::LocalAllocator::~LocalAllocator):
(JSC::LocalAllocator::stopAllocating):
(JSC::LocalAllocator::resumeAllocating):
(JSC::LocalAllocator::prepareForAllocation):
(JSC::LocalAllocator::stopAllocatingForGood):
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::didConsumeFreeList):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
(JSC::LocalAllocator::allocateIn):
(JSC::LocalAllocator::tryAllocateIn):
(JSC::LocalAllocator::doTestCollectionsIfNeeded):
(JSC::LocalAllocator::isFreeListedCell const):
* heap/LocalAllocator.h: Added.
(JSC::LocalAllocator::offsetOfFreeList):
(JSC::LocalAllocator::offsetOfCellSize):
* heap/LocalAllocatorInlines.h: Added.
(JSC::LocalAllocator::allocate):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::stopAllocatingForGood):
* heap/MarkedSpace.h:
* heap/SlotVisitor.cpp:
* heap/SlotVisitor.h:
* heap/Subspace.h:
* heap/ThreadLocalCache.cpp: Added.
(JSC::ThreadLocalCache::create):
(JSC::ThreadLocalCache::ThreadLocalCache):
(JSC::ThreadLocalCache::~ThreadLocalCache):
(JSC::ThreadLocalCache::allocateData):
(JSC::ThreadLocalCache::destroyData):
(JSC::ThreadLocalCache::installSlow):
(JSC::ThreadLocalCache::installData):
(JSC::ThreadLocalCache::allocatorSlow):
(JSC::ThreadLocalCache::destructor):
* heap/ThreadLocalCache.h: Added.
(JSC::ThreadLocalCache::offsetOfSize):
(JSC::ThreadLocalCache::offsetOfFirstAllocator):
* heap/ThreadLocalCacheInlines.h: Added.
(JSC::ThreadLocalCache::getImpl):
(JSC::ThreadLocalCache::get):
(JSC::ThreadLocalCache::install):
(JSC::ThreadLocalCache::allocator):
(JSC::ThreadLocalCache::tryGetAllocator):
* heap/ThreadLocalCacheLayout.cpp: Added.
(JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::allocateOffset):
(JSC::ThreadLocalCacheLayout::snapshot):
(JSC::ThreadLocalCacheLayout::directory):
* heap/ThreadLocalCacheLayout.h: Added.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
(JSC::AssemblyHelpers::emitAllocate):
(JSC::AssemblyHelpers::emitAllocateVariableSized):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::vm):
(JSC::AssemblyHelpers::emitAllocateJSCell):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
(JSC::AssemblyHelpers::emitAllocate): Deleted.
(JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::growArrayRight):
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::overrideThings):
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
* runtime/HashMapImpl.h:
(JSC::HashMapBuffer::create):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::unshiftCountSlowCase):
* runtime/JSArray.h:
(JSC::JSArray::tryCreate):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSCellInlines.h:
(JSC::tryAllocateCellHelper):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::threadLocalCache const):
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
* runtime/Options.h:
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
2018-01-24 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Simplify update-LegacyInspectorBackendCommands.rb
https://bugs.webkit.org/show_bug.cgi?id=182067
Reviewed by Brian Burg.
* inspector/scripts/codegen/models.py:
(Framework.fromString):
(Frameworks):
* inspector/scripts/generate-inspector-protocol-bindings.py:
(generate_from_specification):
Allow framework WebInspectorUI to generate just the backend commands files.
2018-01-23 Mark Lam <mark.lam@apple.com>
Update Poisoned pointers to take a Poison class instead of a uintptr_t&.
https://bugs.webkit.org/show_bug.cgi?id=182017
<rdar://problem/36795513>
Reviewed by Filip Pizlo and JF Bastien.
Removed the POISON() macro. Now that we have Poison types, we can just use the
the Poison type instead and make the code a bit nicer to read.
* API/JSAPIWrapperObject.h:
* API/JSCallbackFunction.h:
* API/JSCallbackObject.h:
* b3/B3LowerMacros.cpp:
* b3/testb3.cpp:
(JSC::B3::testInterpreter):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::instructions):
(JSC::CodeBlock::instructions const):
* dfg/DFGOSRExitCompilerCommon.h:
(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
* jit/JIT.h:
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* parser/UnlinkedSourceCode.h:
* runtime/ArrayPrototype.h:
* runtime/CustomGetterSetter.h:
* runtime/DateInstance.h:
* runtime/InternalFunction.h:
* runtime/JSArrayBuffer.h:
* runtime/JSCPoison.cpp:
(JSC::initializePoison):
* runtime/JSCPoison.h:
* runtime/JSGlobalObject.h:
* runtime/JSScriptFetchParameters.h:
* runtime/JSScriptFetcher.h:
* runtime/NativeExecutable.h:
* runtime/StructureTransitionTable.h:
* runtime/WriteBarrier.h:
(JSC::WriteBarrier::poison): Deleted.
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/JSWebAssemblyCodeBlock.cpp:
(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::poison):
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunctionBase.h:
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyToJSCallee.h:
* wasm/js/WebAssemblyWrapperFunction.h:
2018-01-23 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, suppress GCC warnings
https://bugs.webkit.org/show_bug.cgi?id=181976
* runtime/TypedArrayType.h:
2018-01-23 Yusuke Suzuki <utatane.tea@gmail.com>
[YARR] Add diagnosis for YarrJIT failures
https://bugs.webkit.org/show_bug.cgi?id=181927
Reviewed by Sam Weinig.
It is nice if we can see the reason why YarrJIT fails to compile a given pattern.
This patch introduces Yarr::JITFailureReason and dumps messages if Options::dumpCompiledRegExpPatterns is specified.
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateTerm):
(JSC::Yarr::YarrGenerator::backtrackTerm):
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::YarrGenerator::compile):
(JSC::Yarr::dumpCompileFailure):
(JSC::Yarr::jitCompile):
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::setFallBack):
(JSC::Yarr::YarrCodeBlock::fallBack):
(JSC::Yarr::YarrCodeBlock::clear):
(JSC::Yarr::YarrCodeBlock::YarrCodeBlock): Deleted.
(JSC::Yarr::YarrCodeBlock::~YarrCodeBlock): Deleted.
(JSC::Yarr::YarrCodeBlock::isFallBack): Deleted.
2018-01-23 Alex Christensen <achristensen@webkit.org>
Remove pre-Sierra-OS-specific code in WTF and JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=182028
Reviewed by Keith Miller.
* inspector/remote/cocoa/RemoteInspectorXPCConnection.h:
* inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
(Inspector::RemoteInspectorXPCConnection::handleEvent):
2018-01-23 Filip Pizlo <fpizlo@apple.com>
Use precise index masking for FTL GetByArgumentByVal
https://bugs.webkit.org/show_bug.cgi?id=182006
Reviewed by Keith Miller.
This protects speculative out-of-bounds on arguments[index].
Making this work right involved fixing a possible overflow situation with
numberOfArgumentsToSkip.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasNumberOfArgumentsToSkip):
(JSC::DFG::Node::numberOfArgumentsToSkip):
* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2018-01-23 David Kilzer <ddkilzer@apple.com>
Follow-up for: oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
<https://webkit.org/b/181871>
<rdar://problem/36669691>
Address feedback for this change.
* CMakeLists.txt: Change "SYSTEM PUBLIC" to "SYSTEM PRIVATE" per
feedback from Konstantin Tokarev.
2018-01-23 Robin Morisset <rmorisset@apple.com>
Rollout r219636
https://bugs.webkit.org/show_bug.cgi?id=181997
<rdar://problem/35883022>
Unreviewed, as it is a rollout.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
* runtime/JSArray.h:
(JSC::JSArray::tryCreate):
* runtime/JSObject.cpp:
(JSC::JSObject::ensureLengthSlow):
2018-01-23 Mark Lam <mark.lam@apple.com>
Re-arrange TypedArray JSTypes to match the order of the TypedArrayType enum list.
https://bugs.webkit.org/show_bug.cgi?id=181976
<rdar://problem/36766936>
Reviewed by Filip Pizlo.
1. The order of TypedArray JSTypes now matches the order the TypedArrayType enum
list. I also added static asserts in TypedArrayType.h to enforce this.
Also redefined FOR_EACH_TYPED_ARRAY_TYPE() in terms of
2. Define 4 new values:
a. FirstTypedArrayType
b. LastTypedArrayType
c. NumberOfTypedArrayTypesExcludingDataView
d. NumberOfTypedArrayTypes
Use these everywhere where we iterate or bisect the TypedArray JSTypes.
3. Removed NUMBER_OF_TYPED_ARRAY_TYPES, and use NumberOfTypedArrayTypes instead.
4. Simplify the code that converts between TypedArrayType and JSType.
Changed typedArrayTypeForType() to be the mirror image of typeForTypedArrayType().
Previously, typedArrayTypeForType() converts DataViewType to NotTypedArray
instead of TypeDataView. Now, it converts to TypeDataView.
This does not result in any change of behavior because typedArrayTypeForType()
is only called in Structure::hasIndexingHeader(), and its result is passed to
isTypedView(), which handles TypeDataView correctly.
5. Also fixed a bug in SpeculativeJIT::compileGetTypedArrayByteOffset().
If the vector is null, we can skip the rest of the checks. While the current
code does not result in incorrect behavior, it is inefficient, and communicates
wrong information to the reader i.e. implying that there's something in the
dataGPR when there's not. The dataGPR should also be null in this case.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView):
* ftl/FTLOSRExit.cpp:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::visitChildren):
* runtime/JSType.h:
* runtime/TypedArrayType.cpp:
(JSC::typeForTypedArrayType): Deleted.
* runtime/TypedArrayType.h:
(JSC::typedArrayTypeForType):
(JSC::typeForTypedArrayType):
2018-01-23 Filip Pizlo <fpizlo@apple.com>
DFG should always flush `this`
https://bugs.webkit.org/show_bug.cgi?id=181999
Reviewed by Saam Barati and Mark Lam.
This is going to make it possible to use precise index masking for arguments-on-the-stack
accesses with an index adjusted so that 0 is this. Without this change, we would have no way
of masking when the argument count is 0, unless we padded the argument area so that there was
always an argument slot after `this` and it was always initialized.
This is neutral on all benchmarks.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushImpl):
(JSC::DFG::ByteCodeParser::flushForTerminalImpl):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::parse):
(JSC::DFG::flushImpl): Deleted.
(JSC::DFG::flushForTerminalImpl): Deleted.
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2018-01-23 Filip Pizlo <fpizlo@apple.com>
JSC should use a speculation fence on VM entry/exit
https://bugs.webkit.org/show_bug.cgi?id=181991
Reviewed by JF Bastien and Mark Lam.
This adds a WTF::speculationFence on VM entry and exit.
For a microbenchmark that just calls a native function (supplied via an Objective-C block) in a
tight loop from JS is a 0% regression on x86 and a 11% regression on ARM64.
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
(JSC::JSLock::willReleaseLock):
2018-01-23 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] JIT requires sizeof(bool) == 1
https://bugs.webkit.org/show_bug.cgi?id=181150
Reviewed by Saam Barati.
LLInt and JIT assumes that sizeof(bool) == 1. But it is implementation-dependent in C++ spec.
Since this is a mandatory requirement in JSC, we add a static_assert to ensure this.
* runtime/InitializeThreading.cpp:
2018-01-23 Robin Morisset <rmorisset@apple.com>
Update the argument count in DFGByteCodeParser::handleRecursiveCall
https://bugs.webkit.org/show_bug.cgi?id=181739
<rdar://problem/36627662>
Reviewed by Saam Barati.
When calling a function, its number of arguments is set on the stack. When we turn a recursive tail call
into a jump, we should update that stack slot as there is no guarantee that the function was originally
called with the same number of arguments. Forgetting to do this is observable through 'arguments.length'.
It required adding a new DFG node: 'SetArgumentCountIncludingThis', that takes an unsigned int
as its first OpInfo field, and stores it to the stack at the right place.
We must be a bit careful in where we put this new node, as it ClobbersExit.
We must also fix DFGArgumentsEliminationPhase and DFGPutStackSinkingPhase as they assumed that any node that writes to the stack must write to either an argument or a local.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::argumentCountIncludingThis):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGPutStackSinkingPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis):
2018-01-22 Michael Saboff <msaboff@apple.com>
DFG abstract interpreter needs to properly model effects of some Math ops
https://bugs.webkit.org/show_bug.cgi?id=181886
Reviewed by Saam Barati.
Reviewed the processing of the various ArithXXX and CompareXXX and found that
several nodes don't handle UntypedUse. Added clobberWorld() for those cases.
* dfg/DFGAbstractInterpreter.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
2018-01-21 Wenson Hsieh <wenson_hsieh@apple.com>
Add a new feature flag for EXTRA_ZOOM_MODE and reintroduce AdditionalFeatureDefines.h
https://bugs.webkit.org/show_bug.cgi?id=181918
Reviewed by Tim Horton.
Add EXTRA_ZOOM_MODE to FeatureDefines.xconfig (off by default).
* Configurations/FeatureDefines.xcconfig:
2018-01-20 Caio Lima <ticaiolima@gmail.com>
[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
https://bugs.webkit.org/show_bug.cgi?id=181182
Reviewed by Darin Adler.
Casting double to integer is undefined behavior when the truncation
results into a value that doesn't fit into integer size,
according C++ spec[1]. Thus, we are changing bigIntProtoFuncToString and
numberProtoFuncToString to remove these source of undefined
behavior.
[1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
* runtime/BigIntPrototype.cpp:
(JSC::bigIntProtoFuncToString):
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncToString):
(JSC::extractToStringRadixArgument):
(JSC::extractRadixFromArgs): Deleted.
* runtime/NumberPrototype.h:
2018-01-19 Saam Barati <sbarati@apple.com>
Kill ArithNegate's ArithProfile assert inside BytecodeParser
https://bugs.webkit.org/show_bug.cgi?id=181877
<rdar://problem/36630552>
Reviewed by Mark Lam.
Before this patch, we used to assert that op_negate's result ArithProfile
only produces number. It's logically true that negate only produces a number.
However, the DFG may incorrectly pick this ArithProfile when doing OSR exit
profiling. So we'll end up profiling something that's likely the input to
negate. This patch removes the assert. We cede to the fact that Graph::methodOfGettingAValueProfileFor
is entirely heuristic based, potentially leading to profiling results being imprecise.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
2018-01-19 David Kilzer <ddkilzer@apple.com>
oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
<https://webkit.org/b/181871>
Rubber-stamped by JF Bastien.
* CMakeLists.txt: Add ICU header search path to
LLIntOffsetsExtractor target by reusing
JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES.
2018-01-19 Saam Barati <sbarati@apple.com>
Spread's effects are modeled incorrectly both in AI and in Clobberize
https://bugs.webkit.org/show_bug.cgi?id=181867
<rdar://problem/36290415>
Reviewed by Michael Saboff.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2018-01-19 Keith Miller <keith_miller@apple.com>
HaveInternalSDK includes should be "#include?"
https://bugs.webkit.org/show_bug.cgi?id=179670
Reviewed by Dan Bernstein.
* Configurations/Base.xcconfig:
2018-01-18 JF Bastien <jfbastien@apple.com>
Set the minimum executable allocator size properly
https://bugs.webkit.org/show_bug.cgi?id=181816
<rdar://problem/36635533>
Reviewed by Saam Barati.
Executable allocator expects at least two page size's worth of
allocation in certain conditions, and that causes some tests to
now fail because they ask for less. Set that minimum correctly. We
were already rounding up to a page size, so having a minimum of 2
page sizes is fine.
* jit/ExecutableAllocator.cpp:
(JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2018-01-18 Michael Saboff <msaboff@apple.com>
Unreviewed build fix for Windows
* interpreter/FrameTracers.h:
(JSC::assertStackPointerIsAligned): Can't use gcc style inlined assembly
on Windows.
2018-01-18 Mark Lam <mark.lam@apple.com>
Poisons should be initialized after Options are initialized.
https://bugs.webkit.org/show_bug.cgi?id=181807
<rdar://problem/36629138>
Reviewed by Keith Miller.
This is because poison initialization may depend on options.
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
2018-01-18 Dan Bernstein <mitz@apple.com>
[Xcode] Streamline and future-proof target-macOS-version-dependent build setting definitions
https://bugs.webkit.org/show_bug.cgi?id=181803
Reviewed by Tim Horton.
* Configurations/Base.xcconfig: Updated.
* Configurations/DebugRelease.xcconfig: Ditto.
* Configurations/FeatureDefines.xcconfig: Adopted macOSTargetConditionals helpers.
* Configurations/Version.xcconfig: Updated.
* Configurations/macOSTargetConditionals.xcconfig: Added. Defines helper build settings
useful for defining settings that depend on the target macOS version.
2018-01-18 Michael Saboff <msaboff@apple.com>
REGRESSION (r226068): [X86] Crash in JavaScriptCore ShadowChicken when handling exceptions
https://bugs.webkit.org/show_bug.cgi?id=181802
Reviewed by Filip Pizlo.
There where a few places where the stack isn't properly aligned for X86 when we call into C++ code.
Two places are where we call into exception handling code, the LLInt and from nativeForGenerator.
The other place was when we call into the operationOSRWriteBarrier().
Added an assert check that the stack is aligned on X86 platforms in the native call tracing code.
This helped find the other cases beyond the original problem.
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::osrWriteBarrier):
* interpreter/FrameTracers.h:
(JSC::assertStackPointerIsAligned):
(JSC::NativeCallFrameTracer::NativeCallFrameTracer):
(JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
* llint/LowLevelInterpreter32_64.asm:
2018-01-18 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r227096.
https://bugs.webkit.org/show_bug.cgi?id=181788
"it caused a 15% octane regression" (Requested by saamyjoon on
#webkit).
Reverted changeset:
"Support MultiGetByOffset in the DFG"
https://bugs.webkit.org/show_bug.cgi?id=181466
https://trac.webkit.org/changeset/227096
2018-01-17 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
https://bugs.webkit.org/show_bug.cgi?id=181535
Reviewed by Saam Barati.
When executing the code like `string.match(/regexp/)`, `/regexp/` object is created every time we execute this code.
However, user rarely cares about this `/regexp/` object. Typically, it is soon discarded even if it has `lastIndex`
information. So we should not create RegExpObject for this typical case.
This patch introduces PhantomNewRegexp. We convert NewRegexp node to PhantomNewRegexp in Object Allocation Sinking (OAS)
phase. We should do this analysis in OAS phase since we track modifications to `lastIndex` in the OAS phase. Even if
`lastIndex` is modified, it may not be read by users. So we have a chance to drop this NewRegexp beacause we carefully model
SetRegExpObjectLastIndex and GetRegExpObjectLastIndex in OAS phase.
This patch is a first attempt to drop NewRegexp. So we start optimizing it with the simple step: we first drop RegExp with
non-global and non-sticky one. We can later extend this optimization for RegExp with global flag. But this is not included
in this patch.
We convert RegExpExec to RegExpExecNonGlobalOrSticky if we find that the given RegExpObject's RegExp is not global/sticky
flagged. Since we do not need to touch `lastIndex` property in this case, RegExpExecNonGlobalOrSticky just takes RegExp
instead of RegExpObject. This offers the chance to make NewRegExp unused.
We also convert RegExpMatchFast to RegExpExecNonGlobalOrSticky if its RegExpObject's RegExp is non-global and non-sticky,
since they are the same behavior.
The above optimization completely removes NewRegexp in SixSpeed's regexp-u.{es5,es6}. The resulted execution time is
somewhat pure execution time of our Yarr implementation.
baseline patched
regex-u.es5 34.8557+-0.5963 ^ 6.1507+-0.5526 ^ definitely 5.6670x faster
regex-u.es6 89.1919+-3.3851 ^ 32.0917+-0.4260 ^ definitely 2.7793x faster
This patch does not change Octane/RegExp so much since it heavily uses String.prototype.replace, which is not handled in
this patch right now. We should support StringReplace node in subsequent patches.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToPhantomNewRegexp):
(JSC::DFG::Node::convertToSetRegExpObjectLastIndex):
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
(JSC::DFG::Node::isPhantomAllocation):
(JSC::DFG::Node::hasIgnoreLastIndexIsWritable):
(JSC::DFG::Node::ignoreLastIndexIsWritable):
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGPromotedHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGPromotedHeapLocation.h:
(JSC::DFG::PromotedLocationDescriptor::neededForMaterialization const):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewRegexp):
(JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
(JSC::DFG::SpeculativeJIT::compileRegExpExecNonGlobalOrSticky):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGValidate.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky):
(JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
(JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationPopulateObjectInOSR):
(JSC::FTL::operationMaterializeObjectInOSR):
* jit/JITOperations.h:
* runtime/RegExpObject.h:
(JSC::RegExpObject::create):
2018-01-17 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Remove unused helper functions to convert node to PutHint
https://bugs.webkit.org/show_bug.cgi?id=181775
Reviewed by Saam Barati.
We are using PromotedHeapLocation::createHint. So they are not necessary.
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToPutHint): Deleted.
(JSC::DFG::Node::convertToPutStructureHint): Deleted.
(JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
(JSC::DFG::Node::convertToPutClosureVarHint): Deleted.
* dfg/DFGNode.h:
2018-01-17 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, suppress warnings on GCC
Since `length` and `p` are always positive or zero,
static_cast<unsigned>() does what we want.
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::parseInt):
2018-01-17 Saam Barati <sbarati@apple.com>
Disable Atomics when SharedArrayBuffer isn’t enabled
https://bugs.webkit.org/show_bug.cgi?id=181572
<rdar://problem/36553206>
Reviewed by Michael Saboff.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::createAtomicsProperty): Deleted.
2018-01-17 Saam Barati <sbarati@apple.com>
Support MultiGetByOffset in the DFG
https://bugs.webkit.org/show_bug.cgi?id=181466
Reviewed by Keith Miller.
This seems to benefit Speedometer in my local testing. It seems like this
might be around a 0.5% improvement.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::supportsMultiGetByOffset):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2018-01-17 Saam Barati <sbarati@apple.com>
DFG::Node::convertToConstant needs to clear the varargs flags
https://bugs.webkit.org/show_bug.cgi?id=181697
<rdar://problem/36497332>
Reviewed by Yusuke Suzuki.
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToConstant):
2018-01-16 JF Bastien <jfbastien@apple.com>
Allow dangerous disabling of poison
https://bugs.webkit.org/show_bug.cgi?id=181685
<rdar://problem/36546265>
Reviewed by Keith Miller.
Some tools such as leak detectors and such like to look at real
pointers, and poisoned ones confuse them. Add a JSC option to
disable poisoning, but log to the console when this is done.
* runtime/JSCPoison.cpp:
(JSC::initializePoison):
* runtime/Options.h:
2018-01-16 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r226937.
Tests added with this change are failing due to a missing
exception check.
Reverted changeset:
"[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
double to int32_t"
https://bugs.webkit.org/show_bug.cgi?id=181182
https://trac.webkit.org/changeset/226937
2018-01-16 Michael Catanzaro <mcatanzaro@igalia.com>
Test programs should only be built in developer mode
https://bugs.webkit.org/show_bug.cgi?id=181653
Reviewed by Carlos Garcia Campos.
Build test programs only in developer mode, and fix code style.
* shell/CMakeLists.txt:
2018-01-15 Michael Catanzaro <mcatanzaro@igalia.com>
Improve use of ExportMacros
https://bugs.webkit.org/show_bug.cgi?id=181652
Reviewed by Konstantin Tokarev.
* API/JSBase.h: Update a comment.
* inspector/InspectorBackendDispatcher.h: Use a better, yet equivalent, WTF macro.
* runtime/JSExportMacros.h: Simplify the #defines in this file.
2018-01-15 JF Bastien <jfbastien@apple.com>
Remove makePoisonedUnique
https://bugs.webkit.org/show_bug.cgi?id=181630
<rdar://problem/36498623>
Reviewed by Mark Lam.
I added a conversion from std::unique_ptr, so we can just use
std::make_unique and it'll auto-poison when converted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::makePoisonedUnique): Deleted.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::makePoisonedUnique): Deleted.
2018-01-15 Michael Catanzaro <mcatanzaro@igalia.com>
REGRESSION(r226266): [GTK] RELEASE_ASSERT(reservedZoneSize >= minimumReservedZoneSize) in JSC::VM::updateStackLimits
https://bugs.webkit.org/show_bug.cgi?id=181438
<rdar://problem/36376724>
Reviewed by Carlos Garcia Campos.
Roll out the functional changes of r226266. We'll keep the minor CMake library type setting
cleanup, but we have to switch back to building JSC only as a shared library, and we have to
get rid of the version script.
* PlatformGTK.cmake:
* javascriptcoregtk-symbols.map: Removed.
2018-01-14 Saam Barati <sbarati@apple.com>
Unreviewed. r226928 broke the CLOOP build. This patch fixes the CLOOP build.
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromLLInt):
(JSC::CallLinkStatus::computeExitSiteData):
2018-01-13 Mark Lam <mark.lam@apple.com>
Replace all use of ConstExprPoisoned with Poisoned.
https://bugs.webkit.org/show_bug.cgi?id=181542
<rdar://problem/36442138>
Reviewed by JF Bastien.
1. All JSC poisons are now defined in JSCPoison.h.
2. Change all clients to use the new poison values via the POISON() macro.
3. The LLInt code has been updated to handle CodeBlock poison. Some of this code
uses the t5 temp register, which is not available on the Windows port.
Fortunately, we don't currently do poisoning on the Windows port yet. So,
it will just work for now.
When poisoning is enabled for the Windows port, this LLInt code will need a
Windows specific implementation to workaround its lack of a t5 register.
* API/JSAPIWrapperObject.h:
* API/JSCallbackFunction.h:
* API/JSCallbackObject.h:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::emptyValue):
(JSC::MacroAssemblerCodePtr::deletedValue):
* b3/B3LowerMacros.cpp:
* b3/testb3.cpp:
(JSC::B3::testInterpreter):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::instructions):
(JSC::CodeBlock::instructions const):
(JSC::CodeBlock::makePoisonedUnique):
* dfg/DFGOSRExitCompilerCommon.h:
(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
* jit/JIT.h:
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* parser/UnlinkedSourceCode.h:
* runtime/ArrayPrototype.h:
* runtime/CustomGetterSetter.h:
* runtime/DateInstance.h:
* runtime/InternalFunction.h:
* runtime/JSArrayBuffer.h:
* runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
(JSC::initializePoison):
* runtime/JSCPoison.h:
(): Deleted.
* runtime/JSCPoisonedPtr.cpp: Removed.
* runtime/JSCPoisonedPtr.h: Removed.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::makePoisonedUnique):
* runtime/JSScriptFetchParameters.h:
* runtime/JSScriptFetcher.h:
* runtime/NativeExecutable.h:
* runtime/StructureTransitionTable.h:
(JSC::StructureTransitionTable::map const):
(JSC::StructureTransitionTable::weakImpl const):
* runtime/WriteBarrier.h:
(JSC::WriteBarrier::poison):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/JSWebAssemblyCodeBlock.cpp:
(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.h:
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunctionBase.h:
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyToJSCallee.h:
* wasm/js/WebAssemblyWrapperFunction.h:
2018-01-13 Caio Lima <ticaiolima@gmail.com>
[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
https://bugs.webkit.org/show_bug.cgi?id=181182
Reviewed by Darin Adler.
Casting double to integer is undefined behavior when the truncation
results into a value that doesn't fit into integer size, according C++
spec[1]. Thus, we are changing bigIntProtoFuncToString and
numberProtoFuncToString to remove these source of undefined behavior.
[1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
* runtime/BigIntPrototype.cpp:
(JSC::bigIntProtoFuncToString):
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncToString):
(JSC::extractRadixFromArgs): Deleted.
(JSC::extractToStringRadixArgument): Added.
2018-01-12 Saam Barati <sbarati@apple.com>
Move ExitProfile to UnlinkedCodeBlock so it can be shared amongst CodeBlocks backed by the same UnlinkedCodeBlock
https://bugs.webkit.org/show_bug.cgi?id=181545
Reviewed by Michael Saboff.
This patch follows the theme of putting optimization profiling information on
UnlinkedCodeBlock. This allows the unlinked code cache to remember OSR exit data.
This often leads to the first compile of a CodeBlock, backed by an UnlinkedCodeBlock
pulled from the code cache, making better compilation decisions, usually
resulting in fewer exits, and fewer recompilations.
This is a 1% Speedometer progression in my testing.
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<CodeBlock>::dumpProfilesForBytecodeOffset):
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromLLInt):
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeExitSiteData):
(JSC::CallLinkStatus::computeDFGStatuses):
* bytecode/CallLinkStatus.h:
* bytecode/CodeBlock.h:
(JSC::CodeBlock::addFrequentExitSite): Deleted.
(JSC::CodeBlock::hasExitSite const): Deleted.
(JSC::CodeBlock::exitProfile): Deleted.
* bytecode/DFGExitProfile.cpp:
(JSC::DFG::ExitProfile::add):
(JSC::DFG::QueryableExitProfile::initialize):
* bytecode/DFGExitProfile.h:
(JSC::DFG::ExitProfile::hasExitSite const):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::hasExitSite):
(JSC::GetByIdStatus::computeFor):
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdStatus.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::hasExitSite):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/PutByIdStatus.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::hasExitSite const):
(JSC::UnlinkedCodeBlock::hasExitSite):
(JSC::UnlinkedCodeBlock::exitProfile):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::hasGlobalExitSite):
(JSC::DFG::Graph::hasExitSite):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGOSRExitBase.cpp:
(JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2018-01-12 JF Bastien <jfbastien@apple.com>
PoisonedWriteBarrier
https://bugs.webkit.org/show_bug.cgi?id=181599
<rdar://problem/36474351>
Reviewed by Mark Lam.
Allow poisoning of WriteBarrier objects, and use this for
WebAssembly because it is perf-neutral, at least on WasmBench on
my MBP. If it indeed is perf-neutral according to the bots, start
using it in more performance-sensitive places.
* heap/HandleTypes.h:
* heap/SlotVisitor.h:
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::append):
(JSC::SlotVisitor::appendHidden):
* runtime/JSCJSValue.h:
* runtime/JSCPoison.h:
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::setPrototypeWithoutTransition):
(JSC::Structure::setGlobalObject):
(JSC::Structure::setPreviousID):
* runtime/WriteBarrier.h:
(JSC::WriteBarrierBase::copyFrom):
(JSC::WriteBarrierBase::get const):
(JSC::WriteBarrierBase::operator* const):
(JSC::WriteBarrierBase::operator-> const):
(JSC::WriteBarrierBase::clear):
(JSC::WriteBarrierBase::slot):
(JSC::WriteBarrierBase::operator bool const):
(JSC::WriteBarrierBase::setWithoutWriteBarrier):
(JSC::WriteBarrierBase::unvalidatedGet const):
(JSC::operator==):
* runtime/WriteBarrierInlines.h:
(JSC::Traits>::set):
(JSC::Traits>::setMayBeNull):
(JSC::Traits>::setEarlyValue):
(JSC::DumbValueTraits<Unknown>>::set):
* wasm/WasmInstance.h:
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
(JSC::JSWebAssemblyInstance::finishCreation):
(JSC::JSWebAssemblyInstance::visitChildren):
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee):
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::JSWebAssemblyTable):
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::clearFunction):
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::materializeImportJSCell):
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunctionBase.h:
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
(JSC::WebAssemblyModuleRecord::evaluate):
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyToJSCallee.h:
* wasm/js/WebAssemblyWrapperFunction.h:
2018-01-12 Saam Barati <sbarati@apple.com>
CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
https://bugs.webkit.org/show_bug.cgi?id=181177
<rdar://problem/36205704>
Reviewed by Yusuke Suzuki.
The semantics of CheckStructure are such that it does not allow the empty value to flow through it.
However, we may eliminate a CheckStructure if it's preceded by a CheckStructureOrEmpty. This doesn't
have semantic consequences when validation is turned off. However, with validation on, this trips up
our OSR exit machinery that says when an exit is allowed to happen.
Consider the following IR:
a: GetClosureVar // Or any other node that produces BytecodeTop
...
c: CheckStructure(Cell:@a, {s2})
d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
In the TypeCheckHoistingPhase, we may insert CheckStructureOrEmptys like this:
a: GetClosureVar
e: CheckStructureOrEmpty(@a, {s1})
...
f: CheckStructureOrEmpty(@a, {s2})
c: CheckStructure(Cell:@a, {s2})
d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
This will cause constant folding to change the IR to:
a: GetClosureVar
e: CheckStructureOrEmpty(@a, {s1})
...
f: CheckStructureOrEmpty(@a, {s2})
d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
Our mayExit analysis determines that the PutByOffset should not exit. Note
that AI will determine the only value the PutByOffset can see in @a is
the empty value. Because KnownCell filters SpecCell and not SpecCellCheck,
when lowering the PutByOffset, we reach a contradiction in AI and emit
an OSR exit. However, because mayExit said we couldn't exit, we assert.
Note that if we did not run the TypeCheckHoistingPhase on this IR, AI
would have determined we would OSR exit at the second CheckStructure.
This patch makes it so constant folding produces the following IR:
a: GetClosureVar
e: CheckStructureOrEmpty(@a, {s1})
g: AssertNotEmpty(@a)
...
f: CheckStructureOrEmpty(@a, {s2})
h: AssertNotEmpty(@a)
d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
This modification will cause AI to know we will OSR exit before even reaching
the PutByOffset. Note that in the original IR, the GetClosureVar won't
actually produce the TDZ value. If it did, bytecode would have caused us
to emit a CheckNotEmpty before the CheckStructure/PutByOffset combo. That's
why this bug is about IR bookkeeping and not an actual error in IR analysis.
This patch introduces AssertNotEmpty instead of using CheckNotEmpty to be
more congruous with CheckStructure's semantics of crashing on the empty value
as input (on 64 bit platforms).
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2018-01-12 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Remove unnecessary raw pointer in InspectorConsoleAgent
https://bugs.webkit.org/show_bug.cgi?id=181579
<rdar://problem/36193759>
Reviewed by Brian Burg.
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::clearMessages):
(Inspector::InspectorConsoleAgent::addConsoleMessage):
Switch from a raw pointer to m_consoleMessages.last().
Also move the expiration check into the if block since it can only
happen inside here when the number of console messages changes.
(Inspector::InspectorConsoleAgent::discardValues):
Also clear the expired message count when messages are cleared.
2018-01-12 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Create parallel SlotVisitors apriori
https://bugs.webkit.org/show_bug.cgi?id=180907
Reviewed by Saam Barati.
The number of SlotVisitors are capped with the number of HeapHelperPool's threads + 2.
If we create these SlotVisitors apropri, we do not need to create SlotVisitors dynamically.
Then we do not need to grab locks while iterating all the SlotVisitors.
In addition, we do not need to consider the case that the number of SlotVisitors increases
after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
does not increase any more.
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::runBeginPhase):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::forEachSlotVisitor):
(JSC::Heap::numberOfSlotVisitors): Deleted.
* heap/MarkingConstraintSolver.cpp:
(JSC::MarkingConstraintSolver::didVisitSomething const):
2018-01-12 Saam Barati <sbarati@apple.com>
Each variant of a polymorphic inlined call should be exitOK at the top of the block
https://bugs.webkit.org/show_bug.cgi?id=181562
<rdar://problem/36445624>
Reviewed by Yusuke Suzuki.
Before this patch, the very first block in the switch for polymorphic call
inlining will have exitOK at the top. The others are not guaranteed to.
That was just a bug. They're all exitOK at the top. This will lead to crashes
in FixupPhase because we won't have a node in a block that has ExitOK, so
when we fixup various type checks, we assert out.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):
2018-01-11 Keith Miller <keith_miller@apple.com>
Rename ENABLE_ASYNC_ITERATION to ENABLE_JS_ASYNC_ITERATION
https://bugs.webkit.org/show_bug.cgi?id=181573
Reviewed by Simon Fraser.
* Configurations/FeatureDefines.xcconfig:
* runtime/Options.h:
2018-01-11 Michael Saboff <msaboff@apple.com>
REGRESSION(226788): AppStore Crashed @ JavaScriptCore: JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters
https://bugs.webkit.org/show_bug.cgi?id=181570
Reviewed by Keith Miller.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::abortWithReason):
Reverting these functions to use dataTempRegister and memoryTempRegister as they are
JIT release asserts that will crash the program.
(JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
Changed this so that it invalidates any cached dataTmpRegister contents if temp register
caching is enabled.
2018-01-11 Filip Pizlo <fpizlo@apple.com>
Rename MarkedAllocator to BlockDirectory and AllocatorAttributes to CellAttributes
https://bugs.webkit.org/show_bug.cgi?id=181543
Rubber stamped by Michael Saboff.
In a world that has thread-local caches, the thing we now call the "MarkedAllocator" doesn't
really have anything to do with allocation anymore. The allocation will be done by something
in the TLC. When you move the allocation logic out of MarkedAllocator, it becomes just a
place to find blocks (a "block directory").
Once we do that renaming, the term "allocator attributes" becomes weird. Those are really the
attributes of the HeapCellType. So let's call them CellAttributes.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/ObjectAllocationProfile.h:
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileNewObject):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
* heap/AlignedMemoryAllocator.cpp:
(JSC::AlignedMemoryAllocator::registerDirectory):
(JSC::AlignedMemoryAllocator::registerAllocator): Deleted.
* heap/AlignedMemoryAllocator.h:
(JSC::AlignedMemoryAllocator::firstDirectory const):
(JSC::AlignedMemoryAllocator::firstAllocator const): Deleted.
* heap/AllocatorAttributes.cpp: Removed.
* heap/AllocatorAttributes.h: Removed.
* heap/BlockDirectory.cpp: Copied from Source/JavaScriptCore/heap/MarkedAllocator.cpp.
(JSC::BlockDirectory::BlockDirectory):
(JSC::BlockDirectory::setSubspace):
(JSC::BlockDirectory::isPagedOut):
(JSC::BlockDirectory::findEmptyBlockToSteal):
(JSC::BlockDirectory::didConsumeFreeList):
(JSC::BlockDirectory::tryAllocateWithoutCollecting):
(JSC::BlockDirectory::allocateIn):
(JSC::BlockDirectory::tryAllocateIn):
(JSC::BlockDirectory::doTestCollectionsIfNeeded):
(JSC::BlockDirectory::allocateSlowCase):
(JSC::BlockDirectory::blockSizeForBytes):
(JSC::BlockDirectory::tryAllocateBlock):
(JSC::BlockDirectory::addBlock):
(JSC::BlockDirectory::removeBlock):
(JSC::BlockDirectory::stopAllocating):
(JSC::BlockDirectory::prepareForAllocation):
(JSC::BlockDirectory::lastChanceToFinalize):
(JSC::BlockDirectory::resumeAllocating):
(JSC::BlockDirectory::beginMarkingForFullCollection):
(JSC::BlockDirectory::endMarking):
(JSC::BlockDirectory::snapshotUnsweptForEdenCollection):
(JSC::BlockDirectory::snapshotUnsweptForFullCollection):
(JSC::BlockDirectory::findBlockToSweep):
(JSC::BlockDirectory::sweep):
(JSC::BlockDirectory::shrink):
(JSC::BlockDirectory::assertNoUnswept):
(JSC::BlockDirectory::parallelNotEmptyBlockSource):
(JSC::BlockDirectory::dump const):
(JSC::BlockDirectory::dumpBits):
(JSC::BlockDirectory::markedSpace const):
(JSC::MarkedAllocator::MarkedAllocator): Deleted.
(JSC::MarkedAllocator::setSubspace): Deleted.
(JSC::MarkedAllocator::isPagedOut): Deleted.
(JSC::MarkedAllocator::findEmptyBlockToSteal): Deleted.
(JSC::MarkedAllocator::didConsumeFreeList): Deleted.
(JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
(JSC::MarkedAllocator::allocateIn): Deleted.
(JSC::MarkedAllocator::tryAllocateIn): Deleted.
(JSC::MarkedAllocator::doTestCollectionsIfNeeded): Deleted.
(JSC::MarkedAllocator::allocateSlowCase): Deleted.
(JSC::MarkedAllocator::blockSizeForBytes): Deleted.
(JSC::MarkedAllocator::tryAllocateBlock): Deleted.
(JSC::MarkedAllocator::addBlock): Deleted.
(JSC::MarkedAllocator::removeBlock): Deleted.
(JSC::MarkedAllocator::stopAllocating): Deleted.
(JSC::MarkedAllocator::prepareForAllocation): Deleted.
(JSC::MarkedAllocator::lastChanceToFinalize): Deleted.
(JSC::MarkedAllocator::resumeAllocating): Deleted.
(JSC::MarkedAllocator::beginMarkingForFullCollection): Deleted.
(JSC::MarkedAllocator::endMarking): Deleted.
(JSC::MarkedAllocator::snapshotUnsweptForEdenCollection): Deleted.
(JSC::MarkedAllocator::snapshotUnsweptForFullCollection): Deleted.
(JSC::MarkedAllocator::findBlockToSweep): Deleted.
(JSC::MarkedAllocator::sweep): Deleted.
(JSC::MarkedAllocator::shrink): Deleted.
(JSC::MarkedAllocator::assertNoUnswept): Deleted.
(JSC::MarkedAllocator::parallelNotEmptyBlockSource): Deleted.
(JSC::MarkedAllocator::dump const): Deleted.
(JSC::MarkedAllocator::dumpBits): Deleted.
(JSC::MarkedAllocator::markedSpace const): Deleted.
* heap/BlockDirectory.h: Copied from Source/JavaScriptCore/heap/MarkedAllocator.h.
(JSC::BlockDirectory::attributes const):
(JSC::BlockDirectory::forEachBitVector):
(JSC::BlockDirectory::forEachBitVectorWithName):
(JSC::BlockDirectory::nextDirectory const):
(JSC::BlockDirectory::nextDirectoryInSubspace const):
(JSC::BlockDirectory::nextDirectoryInAlignedMemoryAllocator const):
(JSC::BlockDirectory::setNextDirectory):
(JSC::BlockDirectory::setNextDirectoryInSubspace):
(JSC::BlockDirectory::setNextDirectoryInAlignedMemoryAllocator):
(JSC::BlockDirectory::offsetOfFreeList):
(JSC::BlockDirectory::offsetOfCellSize):
(JSC::MarkedAllocator::cellSize const): Deleted.
(JSC::MarkedAllocator::attributes const): Deleted.
(JSC::MarkedAllocator::needsDestruction const): Deleted.
(JSC::MarkedAllocator::destruction const): Deleted.
(JSC::MarkedAllocator::cellKind const): Deleted.
(JSC::MarkedAllocator::heap): Deleted.
(JSC::MarkedAllocator::bitvectorLock): Deleted.
(JSC::MarkedAllocator::forEachBitVector): Deleted.
(JSC::MarkedAllocator::forEachBitVectorWithName): Deleted.
(JSC::MarkedAllocator::nextAllocator const): Deleted.
(JSC::MarkedAllocator::nextAllocatorInSubspace const): Deleted.
(JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const): Deleted.
(JSC::MarkedAllocator::setNextAllocator): Deleted.
(JSC::MarkedAllocator::setNextAllocatorInSubspace): Deleted.
(JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator): Deleted.
(JSC::MarkedAllocator::subspace const): Deleted.
(JSC::MarkedAllocator::freeList const): Deleted.
(JSC::MarkedAllocator::offsetOfFreeList): Deleted.
(JSC::MarkedAllocator::offsetOfCellSize): Deleted.
* heap/BlockDirectoryInlines.h: Copied from Source/JavaScriptCore/heap/MarkedAllocatorInlines.h.
(JSC::BlockDirectory::isFreeListedCell const):
(JSC::BlockDirectory::allocate):
(JSC::BlockDirectory::forEachBlock):
(JSC::BlockDirectory::forEachNotEmptyBlock):
(JSC::MarkedAllocator::isFreeListedCell const): Deleted.
(JSC::MarkedAllocator::allocate): Deleted.
(JSC::MarkedAllocator::forEachBlock): Deleted.
(JSC::MarkedAllocator::forEachNotEmptyBlock): Deleted.
* heap/CellAttributes.cpp: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.cpp.
(JSC::CellAttributes::dump const):
(JSC::AllocatorAttributes::dump const): Deleted.
* heap/CellAttributes.h: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.h.
(JSC::CellAttributes::CellAttributes):
(JSC::AllocatorAttributes::AllocatorAttributes): Deleted.
* heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::allocatorFor):
(JSC::CompleteSubspace::allocateNonVirtual):
(JSC::CompleteSubspace::allocatorForSlow):
(JSC::CompleteSubspace::tryAllocateSlow):
* heap/CompleteSubspace.h:
(JSC::CompleteSubspace::allocatorForSizeStep):
(JSC::CompleteSubspace::allocatorForNonVirtual):
* heap/GCDeferralContext.h:
* heap/Heap.cpp:
(JSC::Heap::updateAllocationLimits):
* heap/Heap.h:
* heap/HeapCell.h:
* heap/HeapCellInlines.h:
(JSC::HeapCell::cellAttributes const):
(JSC::HeapCell::destructionMode const):
(JSC::HeapCell::cellKind const):
(JSC::HeapCell::allocatorAttributes const): Deleted.
* heap/HeapCellType.cpp:
(JSC::HeapCellType::HeapCellType):
* heap/HeapCellType.h:
(JSC::HeapCellType::attributes const):
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::IncrementalSweeper):
(JSC::IncrementalSweeper::sweepNextBlock):
(JSC::IncrementalSweeper::startSweeping):
(JSC::IncrementalSweeper::stopSweeping):
* heap/IncrementalSweeper.h:
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::IsoCellSet):
(JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
(JSC::IsoCellSet::addSlow):
(JSC::IsoCellSet::didRemoveBlock):
(JSC::IsoCellSet::sweepToFreeList):
* heap/IsoCellSetInlines.h:
(JSC::IsoCellSet::forEachMarkedCell):
(JSC::IsoCellSet::forEachLiveCell):
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::IsoSubspace):
(JSC::IsoSubspace::allocatorFor):
(JSC::IsoSubspace::allocateNonVirtual):
* heap/IsoSubspace.h:
(JSC::IsoSubspace::allocatorForNonVirtual):
* heap/LargeAllocation.h:
(JSC::LargeAllocation::attributes const):
* heap/MarkedAllocator.cpp: Removed.
* heap/MarkedAllocator.h: Removed.
* heap/MarkedAllocatorInlines.h: Removed.
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::~Handle):
(JSC::MarkedBlock::Handle::setIsFreeListed):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::lastChanceToFinalize):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::Handle::didConsumeFreeList):
(JSC::MarkedBlock::noteMarkedSlow):
(JSC::MarkedBlock::Handle::removeFromDirectory):
(JSC::MarkedBlock::Handle::didAddToDirectory):
(JSC::MarkedBlock::Handle::didRemoveFromDirectory):
(JSC::MarkedBlock::Handle::dumpState):
(JSC::MarkedBlock::Handle::subspace const):
(JSC::MarkedBlock::Handle::sweep):
(JSC::MarkedBlock::Handle::isFreeListedCell const):
(JSC::MarkedBlock::Handle::removeFromAllocator): Deleted.
(JSC::MarkedBlock::Handle::didAddToAllocator): Deleted.
(JSC::MarkedBlock::Handle::didRemoveFromAllocator): Deleted.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::directory const):
(JSC::MarkedBlock::Handle::attributes const):
(JSC::MarkedBlock::attributes const):
(JSC::MarkedBlock::Handle::allocator const): Deleted.
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::isAllocated):
(JSC::MarkedBlock::Handle::isLive):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::isEmpty):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::lastChanceToFinalize):
(JSC::MarkedSpace::sweep):
(JSC::MarkedSpace::stopAllocating):
(JSC::MarkedSpace::resumeAllocating):
(JSC::MarkedSpace::isPagedOut):
(JSC::MarkedSpace::freeBlock):
(JSC::MarkedSpace::shrink):
(JSC::MarkedSpace::beginMarking):
(JSC::MarkedSpace::endMarking):
(JSC::MarkedSpace::snapshotUnswept):
(JSC::MarkedSpace::assertNoUnswept):
(JSC::MarkedSpace::dumpBits):
(JSC::MarkedSpace::addBlockDirectory):
(JSC::MarkedSpace::addMarkedAllocator): Deleted.
* heap/MarkedSpace.h:
(JSC::MarkedSpace::firstDirectory const):
(JSC::MarkedSpace::directoryLock):
(JSC::MarkedSpace::forEachBlock):
(JSC::MarkedSpace::forEachDirectory):
(JSC::MarkedSpace::firstAllocator const): Deleted.
(JSC::MarkedSpace::allocatorLock): Deleted.
(JSC::MarkedSpace::forEachAllocator): Deleted.
* heap/MarkedSpaceInlines.h:
* heap/Subspace.cpp:
(JSC::Subspace::initialize):
(JSC::Subspace::prepareForAllocation):
(JSC::Subspace::findEmptyBlockToSteal):
(JSC::Subspace::parallelDirectorySource):
(JSC::Subspace::parallelNotEmptyMarkedBlockSource):
(JSC::Subspace::sweep):
(JSC::Subspace::parallelAllocatorSource): Deleted.
* heap/Subspace.h:
(JSC::Subspace::attributes const):
(JSC::Subspace::didCreateFirstDirectory):
(JSC::Subspace::didCreateFirstAllocator): Deleted.
* heap/SubspaceInlines.h:
(JSC::Subspace::forEachDirectory):
(JSC::Subspace::forEachMarkedBlock):
(JSC::Subspace::forEachNotEmptyMarkedBlock):
(JSC::Subspace::forEachAllocator): Deleted.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
(JSC::AssemblyHelpers::emitAllocate):
(JSC::AssemblyHelpers::emitAllocateJSCell):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
* runtime/JSDestructibleObjectHeapCellType.cpp:
(JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
* runtime/JSSegmentedVariableObjectHeapCellType.cpp:
(JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
* runtime/JSStringHeapCellType.cpp:
(JSC::JSStringHeapCellType::JSStringHeapCellType):
* runtime/VM.cpp:
(JSC::VM::VM):
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
(JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
2018-01-11 Saam Barati <sbarati@apple.com>
When inserting Unreachable in byte code parser we need to flush all the right things
https://bugs.webkit.org/show_bug.cgi?id=181509
<rdar://problem/36423110>
Reviewed by Mark Lam.
I added code in r226655 that had its own mechanism for preserving liveness when
inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve
liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack.
I got some of these values wrong, which was leading to a crash when recovering the
callee value from an inlined frame. Instead of making the same mistake and repeating
similar code again, this patch refactors this logic to be shared with the other
liveness preservation code in the DFG bytecode parser. This is what I should have
done in my initial patch.
* bytecode/InlineCallFrame.h:
(JSC::remapOperand):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::flushImpl):
(JSC::DFG::flushForTerminalImpl):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::parse):
2018-01-11 Saam Barati <sbarati@apple.com>
JITMathIC code in the FTL is wrong when code gets duplicated
https://bugs.webkit.org/show_bug.cgi?id=181525
<rdar://problem/36351993>
Reviewed by Michael Saboff and Keith Miller.
B3/Air may duplicate code for various reasons. Patchpoint generators inside
FTLLower must be aware that they can be called multiple times because of this.
The patchpoint for math ICs was not aware of this, and shared state amongst
all invocations of the patchpoint's generator. This patch fixes this bug so
that each invocation of the patchpoint's generator gets a unique math IC.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::addMathIC):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
(JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
(JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted.
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
2018-01-11 Michael Saboff <msaboff@apple.com>
Ensure there are no unsafe uses of MacroAssemblerARM64::dataTempRegister
https://bugs.webkit.org/show_bug.cgi?id=181512
Reviewed by Saam Barati.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::abortWithReason):
(JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
All current uses of dataTempRegister in these functions are safe, but it makes sense to
fix them in case they might be used elsewhere.
2018-01-04 Filip Pizlo <fpizlo@apple.com>
CodeBlocks should be in IsoSubspaces
https://bugs.webkit.org/show_bug.cgi?id=180884
Reviewed by Saam Barati.
This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
WeakReferenceHarvester or UnconditionalFinalizer. Instead:
- Code block sweeping is now just eager sweeping. This means that it automatically takes
advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
its eden set for.
- Those idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
marking a ExecutableToCodeBlockEdge object. That object being marked corresponds to what
we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
longer has to clear the set of weakly visited code blocks. This also means that
determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
has IsoCellSets to tell us which edges have output constraints (what we used to call
CodeBlock's weak reference harvester) and which have unconditional finalizers.
- CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
- CodeBlockSet still exists! It has one unified HashSet of CodeBlocks that we use to
handle requests from the sampler, debugger, and other facilities. They may want to ask
if some pointer corresponds to a CodeBlock during stages of execution during which the
GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
There is no way that the GC's isLive could tell us of a CodeBlock that had already been
allocated has now been full constructed.
Rolling this back in because it was rolled out by mistake. There was a flaky crash that was
happening before and after this change, but we misread the revision numbers at first and
thought that this was the cause.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::finishCreationCommon):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::determineLiveness):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::stronglyVisitStrongReferences):
(JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
(JSC::CodeBlock::installVMTrapBreakpoints):
(JSC::CodeBlock::dumpMathICStats):
(JSC::CodeBlock::visitWeakly): Deleted.
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::subspaceFor):
(JSC::CodeBlock::ownerEdge const):
(JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
* bytecode/EvalCodeBlock.h:
(JSC::EvalCodeBlock::create): Deleted.
(JSC::EvalCodeBlock::createStructure): Deleted.
(JSC::EvalCodeBlock::variable): Deleted.
(JSC::EvalCodeBlock::numVariables): Deleted.
(JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
(JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
(JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
(JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
* bytecode/ExecutableToCodeBlockEdge.cpp: Added.
(JSC::ExecutableToCodeBlockEdge::createStructure):
(JSC::ExecutableToCodeBlockEdge::create):
(JSC::ExecutableToCodeBlockEdge::visitChildren):
(JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
(JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
(JSC::ExecutableToCodeBlockEdge::activate):
(JSC::ExecutableToCodeBlockEdge::deactivate):
(JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
(JSC::ExecutableToCodeBlockEdge::wrap):
(JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
(JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
(JSC::ExecutableToCodeBlockEdge::runConstraint):
* bytecode/ExecutableToCodeBlockEdge.h: Added.
(JSC::ExecutableToCodeBlockEdge::subspaceFor):
(JSC::ExecutableToCodeBlockEdge::codeBlock const):
(JSC::ExecutableToCodeBlockEdge::unwrap):
* bytecode/FunctionCodeBlock.h:
(JSC::FunctionCodeBlock::subspaceFor):
(JSC::FunctionCodeBlock::createStructure):
* bytecode/ModuleProgramCodeBlock.h:
(JSC::ModuleProgramCodeBlock::create): Deleted.
(JSC::ModuleProgramCodeBlock::createStructure): Deleted.
(JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
* bytecode/ProgramCodeBlock.h:
(JSC::ProgramCodeBlock::create): Deleted.
(JSC::ProgramCodeBlock::createStructure): Deleted.
(JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
* debugger/Debugger.cpp:
(JSC::Debugger::SetSteppingModeFunctor::operator() const):
(JSC::Debugger::ToggleBreakpointFunctor::operator() const):
(JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
(JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::contains):
(JSC::CodeBlockSet::dump const):
(JSC::CodeBlockSet::add):
(JSC::CodeBlockSet::remove):
(JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
(JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
(JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
* heap/CodeBlockSet.h:
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterate):
(JSC::CodeBlockSet::iterateViaSubspaces):
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::genericAddPointer):
(JSC::DummyMarkHook::markKnownJSCell):
(JSC::CompositeMarkHook::mark):
(JSC::CompositeMarkHook::markKnownJSCell):
* heap/ConservativeRoots.h:
* heap/Heap.cpp:
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::finalizeMarkedUnconditionalFinalizers):
(JSC::Heap::finalizeUnconditionalFinalizers):
(JSC::Heap::beginMarking):
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::sweepInFinalize):
(JSC::Heap::forEachCodeBlockImpl):
(JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
(JSC::Heap::addCoreConstraints):
(JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
* heap/Heap.h:
* heap/HeapCell.h:
* heap/HeapCellInlines.h:
(JSC::HeapCell::subspace const):
* heap/HeapInlines.h:
(JSC::Heap::forEachCodeBlock):
(JSC::Heap::forEachCodeBlockIgnoringJITPlans):
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
* heap/IsoCellSet.h:
* heap/IsoCellSetInlines.h:
(JSC::IsoCellSet::forEachMarkedCellInParallel):
(JSC::IsoCellSet::forEachLiveCell):
* heap/LargeAllocation.h:
(JSC::LargeAllocation::subspace const):
* heap/MarkStackMergingConstraint.cpp:
(JSC::MarkStackMergingConstraint::executeImpl):
* heap/MarkStackMergingConstraint.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::parallelNotEmptyBlockSource):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToAllocator):
(JSC::MarkedBlock::Handle::didRemoveFromAllocator):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::subspace const):
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::forEachLiveCell):
* heap/MarkedSpaceInlines.h:
(JSC::MarkedSpace::forEachLiveCell):
* heap/MarkingConstraint.cpp:
(JSC::MarkingConstraint::execute):
(JSC::MarkingConstraint::doParallelWork):
(JSC::MarkingConstraint::finishParallelWork): Deleted.
(JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
(JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
* heap/MarkingConstraint.h:
* heap/MarkingConstraintSet.cpp:
(JSC::MarkingConstraintSet::add):
* heap/MarkingConstraintSet.h:
(JSC::MarkingConstraintSet::add):
* heap/MarkingConstraintSolver.cpp:
(JSC::MarkingConstraintSolver::execute):
(JSC::MarkingConstraintSolver::addParallelTask):
(JSC::MarkingConstraintSolver::runExecutionThread):
(JSC::MarkingConstraintSolver::didExecute): Deleted.
* heap/MarkingConstraintSolver.h:
(JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
(JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
* heap/SimpleMarkingConstraint.cpp:
(JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
(JSC::SimpleMarkingConstraint::executeImpl):
* heap/SimpleMarkingConstraint.h:
(JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::addParallelConstraintTask):
* heap/SlotVisitor.h:
* heap/Subspace.cpp:
(JSC::Subspace::sweep):
* heap/Subspace.h:
* heap/SubspaceInlines.h:
(JSC::Subspace::forEachLiveCell):
* llint/LowLevelInterpreter.asm:
* runtime/EvalExecutable.cpp:
(JSC::EvalExecutable::visitChildren):
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::codeBlock):
* runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::baselineCodeBlockFor):
(JSC::FunctionExecutable::visitChildren):
* runtime/FunctionExecutable.h:
* runtime/JSType.h:
* runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::visitChildren):
* runtime/ModuleProgramExecutable.h:
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::visitChildren):
* runtime/ProgramExecutable.h:
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::installCode):
(JSC::ScriptExecutable::newReplacementCodeBlockFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
(JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
(JSC::VM::forEachCodeBlockSpace):
* runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
* tools/VMInspector.cpp:
(JSC::VMInspector::codeBlockForMachinePC):
(JSC::VMInspector::isValidCodeBlock):
2018-01-11 Michael Saboff <msaboff@apple.com>
Add a DOM gadget for Spectre testing
https://bugs.webkit.org/show_bug.cgi?id=181351
Reviewed by Ryosuke Niwa.
* runtime/Options.h:
2018-01-11 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] regExpMatchFast should be handled
https://bugs.webkit.org/show_bug.cgi?id=180988
Reviewed by Mark Lam.
RegExp.prototype.@@match has a fast path, @regExpMatchFast. This patch annotates this function
with RegExpMatchFastIntrinsic, and introduces RegExpMatch DFG node. This paves the way to
make NewRegexp PhantomNewRegexp if it is not used except for setting/getting its lastIndex property.
To improve RegExp.prototype.@@match's performance more, we make this builtin function small by moving
slow path part to `@matchSlow()` private function.
It improves SixSpeed regex-u.{es5,es6} largely since they stress String.prototype.match, which calls
this regExpMatchFast function.
baseline patched
regex-u.es5 55.3835+-6.3002 ^ 36.2431+-2.0797 ^ definitely 1.5281x faster
regex-u.es6 110.4624+-6.2896 ^ 94.1012+-7.2433 ^ definitely 1.1739x faster
* builtins/RegExpPrototype.js:
(globalPrivate.matchSlow):
(overriddenName.string_appeared_here.match):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileRegExpMatch):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatch):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncMatchFast):
2018-01-11 Saam Barati <sbarati@apple.com>
Our for-in caching is wrong when we add indexed properties on things in the prototype chain
https://bugs.webkit.org/show_bug.cgi?id=181508
Reviewed by Yusuke Suzuki.
Our for-in caching would cache structure chains that had prototypes with
indexed properties. Clearly this is wrong. This caching breaks when a prototype
adds new indexed properties. We would continue to enumerate the old cached
state of properties, and not include the new indexed properties.
The old code used to prevent caching only if the base structure had
indexed properties. This patch extends it to prevent caching if the
base, or any structure in the prototype chain, has indexed properties.
* runtime/Structure.cpp:
(JSC::Structure::canCachePropertyNameEnumerator const):
2018-01-10 JF Bastien <jfbastien@apple.com>
Poison small JSObject derivatives which only contain pointers
https://bugs.webkit.org/show_bug.cgi?id=181483
<rdar://problem/36407127>
Reviewed by Mark Lam.
I wrote a script that finds interesting things to poison or
generally harden. These stood out because they derive from
JSObject and only contain a few pointer or pointer-like fields,
and could therefore just be poisoned. This also requires some
template "improvements" to our poisoning machinery. Worth noting
is that I'm making PoisonedUniquePtr move-assignable and
move-constructible from unique_ptr, which makes it a better
drop-in replacement because we don't need to use
makePoisonedUniquePtr. This means function-locals can be
unique_ptr and get the nice RAII pattern, and once the function is
done you can just move to the class' PoisonedUniquePtr without
worrying.
* API/JSAPIWrapperObject.h:
(JSC::JSAPIWrapperObject::wrappedObject):
* API/JSAPIWrapperObject.mm:
(JSC::JSAPIWrapperObject::JSAPIWrapperObject):
* API/JSCallbackObject.h:
* runtime/ArrayPrototype.h:
* runtime/DateInstance.h:
* runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::finishCreation):
(JSC::JSArrayBuffer::isShared const):
(JSC::JSArrayBuffer::sharingMode const):
* runtime/JSArrayBuffer.h:
* runtime/JSCPoison.h:
2018-01-10 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r226667 and r226673.
https://bugs.webkit.org/show_bug.cgi?id=181488
This caused a flaky crash. (Requested by mlewis13 on #webkit).
Reverted changesets:
"CodeBlocks should be in IsoSubspaces"
https://bugs.webkit.org/show_bug.cgi?id=180884
https://trac.webkit.org/changeset/226667
"REGRESSION (r226667): CodeBlocks should be in IsoSubspaces"
https://bugs.webkit.org/show_bug.cgi?id=180884
https://trac.webkit.org/changeset/226673
2018-01-09 David Kilzer <ddkilzer@apple.com>
REGRESSION (r226667): CodeBlocks should be in IsoSubspaces
<https://bugs.webkit.org/show_bug.cgi?id=180884>
Fixes the following build error:
heap/Heap.cpp:2708:10: error: lambda capture 'this' is not used [-Werror,-Wunused-lambda-capture]
* heap/Heap.cpp:
(JSC::Heap::addCoreConstraints): Remove 'this' from lambda to
fix the build.
2018-01-09 Keith Miller <keith_miller@apple.com>
and32 with an Address source on ARM64 did not invalidate dataTempRegister
https://bugs.webkit.org/show_bug.cgi?id=181467
Reviewed by Michael Saboff.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::and32):
2018-01-04 Filip Pizlo <fpizlo@apple.com>
CodeBlocks should be in IsoSubspaces
https://bugs.webkit.org/show_bug.cgi?id=180884
Reviewed by Saam Barati.
This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
WeakReferenceHarvester or UnconditionalFinalizer. Instead:
- Code block sweeping is now just eager sweeping. This means that it automatically takes
advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
its eden set for.
- Those idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
marking a ExecutableToCodeBlockEdge object. That object being marked corresponds to what
we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
longer has to clear the set of weakly visited code blocks. This also means that
determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
has IsoCellSets to tell us which edges have output constraints (what we used to call
CodeBlock's weak reference harvester) and which have unconditional finalizers.
- CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
- CodeBlockSet still exists! It has one unified HashSet of CodeBlocks that we use to
handle requests from the sampler, debugger, and other facilities. They may want to ask
if some pointer corresponds to a CodeBlock during stages of execution during which the
GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
There is no way that the GC's isLive could tell us of a CodeBlock that had already been
allocated has now been full constructed.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::finishCreationCommon):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::determineLiveness):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::stronglyVisitStrongReferences):
(JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
(JSC::CodeBlock::installVMTrapBreakpoints):
(JSC::CodeBlock::dumpMathICStats):
(JSC::CodeBlock::visitWeakly): Deleted.
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::subspaceFor):
(JSC::CodeBlock::ownerEdge const):
(JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
* bytecode/EvalCodeBlock.h:
(JSC::EvalCodeBlock::create): Deleted.
(JSC::EvalCodeBlock::createStructure): Deleted.
(JSC::EvalCodeBlock::variable): Deleted.
(JSC::EvalCodeBlock::numVariables): Deleted.
(JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
(JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
(JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
(JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
* bytecode/ExecutableToCodeBlockEdge.cpp: Added.
(JSC::ExecutableToCodeBlockEdge::createStructure):
(JSC::ExecutableToCodeBlockEdge::create):
(JSC::ExecutableToCodeBlockEdge::visitChildren):
(JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
(JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
(JSC::ExecutableToCodeBlockEdge::activate):
(JSC::ExecutableToCodeBlockEdge::deactivate):
(JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
(JSC::ExecutableToCodeBlockEdge::wrap):
(JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
(JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
(JSC::ExecutableToCodeBlockEdge::runConstraint):
* bytecode/ExecutableToCodeBlockEdge.h: Added.
(JSC::ExecutableToCodeBlockEdge::subspaceFor):
(JSC::ExecutableToCodeBlockEdge::codeBlock const):
(JSC::ExecutableToCodeBlockEdge::unwrap):
* bytecode/FunctionCodeBlock.h:
(JSC::FunctionCodeBlock::subspaceFor):
(JSC::FunctionCodeBlock::createStructure):
* bytecode/ModuleProgramCodeBlock.h:
(JSC::ModuleProgramCodeBlock::create): Deleted.
(JSC::ModuleProgramCodeBlock::createStructure): Deleted.
(JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
* bytecode/ProgramCodeBlock.h:
(JSC::ProgramCodeBlock::create): Deleted.
(JSC::ProgramCodeBlock::createStructure): Deleted.
(JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
* debugger/Debugger.cpp:
(JSC::Debugger::SetSteppingModeFunctor::operator() const):
(JSC::Debugger::ToggleBreakpointFunctor::operator() const):
(JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
(JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::contains):
(JSC::CodeBlockSet::dump const):
(JSC::CodeBlockSet::add):
(JSC::CodeBlockSet::remove):
(JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
(JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
(JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
* heap/CodeBlockSet.h:
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterate):
(JSC::CodeBlockSet::iterateViaSubspaces):
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::genericAddPointer):
(JSC::DummyMarkHook::markKnownJSCell):
(JSC::CompositeMarkHook::mark):
(JSC::CompositeMarkHook::markKnownJSCell):
* heap/ConservativeRoots.h:
* heap/Heap.cpp:
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::finalizeMarkedUnconditionalFinalizers):
(JSC::Heap::finalizeUnconditionalFinalizers):
(JSC::Heap::beginMarking):
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::sweepInFinalize):
(JSC::Heap::forEachCodeBlockImpl):
(JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
(JSC::Heap::addCoreConstraints):
(JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
* heap/Heap.h:
* heap/HeapCell.h:
* heap/HeapCellInlines.h:
(JSC::HeapCell::subspace const):
* heap/HeapInlines.h:
(JSC::Heap::forEachCodeBlock):
(JSC::Heap::forEachCodeBlockIgnoringJITPlans):
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
* heap/IsoCellSet.h:
* heap/IsoCellSetInlines.h:
(JSC::IsoCellSet::forEachMarkedCellInParallel):
(JSC::IsoCellSet::forEachLiveCell):
* heap/LargeAllocation.h:
(JSC::LargeAllocation::subspace const):
* heap/MarkStackMergingConstraint.cpp:
(JSC::MarkStackMergingConstraint::executeImpl):
* heap/MarkStackMergingConstraint.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::parallelNotEmptyBlockSource):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToAllocator):
(JSC::MarkedBlock::Handle::didRemoveFromAllocator):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::subspace const):
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::forEachLiveCell):
* heap/MarkedSpaceInlines.h:
(JSC::MarkedSpace::forEachLiveCell):
* heap/MarkingConstraint.cpp:
(JSC::MarkingConstraint::execute):
(JSC::MarkingConstraint::doParallelWork):
(JSC::MarkingConstraint::finishParallelWork): Deleted.
(JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
(JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
* heap/MarkingConstraint.h:
* heap/MarkingConstraintSet.cpp:
(JSC::MarkingConstraintSet::add):
* heap/MarkingConstraintSet.h:
(JSC::MarkingConstraintSet::add):
* heap/MarkingConstraintSolver.cpp:
(JSC::MarkingConstraintSolver::execute):
(JSC::MarkingConstraintSolver::addParallelTask):
(JSC::MarkingConstraintSolver::runExecutionThread):
(JSC::MarkingConstraintSolver::didExecute): Deleted.
* heap/MarkingConstraintSolver.h:
(JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
(JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
* heap/SimpleMarkingConstraint.cpp:
(JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
(JSC::SimpleMarkingConstraint::executeImpl):
* heap/SimpleMarkingConstraint.h:
(JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::addParallelConstraintTask):
* heap/SlotVisitor.h:
* heap/Subspace.cpp:
(JSC::Subspace::sweep):
* heap/Subspace.h:
* heap/SubspaceInlines.h:
(JSC::Subspace::forEachLiveCell):
* llint/LowLevelInterpreter.asm:
* runtime/EvalExecutable.cpp:
(JSC::EvalExecutable::visitChildren):
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::codeBlock):
* runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::baselineCodeBlockFor):
(JSC::FunctionExecutable::visitChildren):
* runtime/FunctionExecutable.h:
* runtime/JSType.h:
* runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::visitChildren):
* runtime/ModuleProgramExecutable.h:
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::visitChildren):
* runtime/ProgramExecutable.h:
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::installCode):
(JSC::ScriptExecutable::newReplacementCodeBlockFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
(JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
(JSC::VM::forEachCodeBlockSpace):
* runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
* tools/VMInspector.cpp:
(JSC::VMInspector::codeBlockForMachinePC):
(JSC::VMInspector::isValidCodeBlock):
2018-01-09 Michael Saboff <msaboff@apple.com>
Unreviewed, rolling out r226600 and r226603
https://bugs.webkit.org/show_bug.cgi?id=181351
Add a DOM gadget for Spectre testing
* runtime/Options.h:
2018-01-09 Saam Barati <sbarati@apple.com>
Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
https://bugs.webkit.org/show_bug.cgi?id=181409
Reviewed by Keith Miller.
When I was looking at profiler data for Speedometer, I noticed that one of
the hottest functions in Speedometer is around 1100 bytecode operations long.
Only about 100 of those bytecode ops ever execute. However, we ended up
spending a lot of time compiling basic blocks that never executed. We often
plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
This is the case when such a node never executes.
This patch makes it so that anytime a block has a ForceOSRExit, we replace its
terminal node with an Unreachable node (and remove all nodes after the
ForceOSRExit). This will cut down on graph size when such a block dominates
other blocks in the CFG. This allows us to get rid of huge chunks of the CFG
in certain programs. When doing this transformation, we also insert
Flushes/PhantomLocals to ensure we can recover values that are bytecode
live-in to the ForceOSRExit.
Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
does not get rid of all the CFG that it could. If we decide it's worth
it, we could use additional inputs into this mechanism. For example, we could
profile if a basic block ever executes inside the LLInt/Baseline, and
remove parts of the CFG based on that.
When running Speedometer with the concurrent JIT turned off, this patch
improves DFG/FTL compile times by around 5%.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addToGraph):
(JSC::DFG::ByteCodeParser::parse):
2018-01-09 Mark Lam <mark.lam@apple.com>
ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
https://bugs.webkit.org/show_bug.cgi?id=181388
<rdar://problem/36349351>
Reviewed by Saam Barati.
When there are duplicate setters or getters, we may end up overwriting a getter
with a setter, or vice versa. This patch adds tracking for getters/setters that
have been overwritten with duplicates and ignore them.
* bytecompiler/NodesCodegen.cpp:
(JSC::PropertyListNode::emitBytecode):
* parser/NodeConstructors.h:
(JSC::PropertyNode::PropertyNode):
* parser/Nodes.h:
(JSC::PropertyNode::isOverriddenByDuplicate const):
(JSC::PropertyNode::setIsOverriddenByDuplicate):
2018-01-08 Zan Dobersek <zdobersek@igalia.com>
REGRESSION(r225913): about 30 JSC test failures on ARMv7
https://bugs.webkit.org/show_bug.cgi?id=181162
<rdar://problem/36261349>
Unreviewed follow-up to r226298. Enable the fast case in
DFG::SpeculativeJIT::compileArraySlice() for any 64-bit platform,
assuming in good faith that enough GP registers are available on any
such configuration. The accompanying comment is adjusted to describe
this assumption.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArraySlice):
2018-01-08 JF Bastien <jfbastien@apple.com>
WebAssembly: mask indexed accesses to Table
https://bugs.webkit.org/show_bug.cgi?id=181412
<rdar://problem/36363236>
Reviewed by Saam Barati.
WebAssembly Table indexed accesses are user-controlled and
bounds-checked. Force allocations of Table data to be a
power-of-two, and explicitly mask accesses after bounds-check
branches.
Rename misleading usage of "size" when "length" of a Table was
intended.
Rename the Spectre option from "disable" to "enable".
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
* jit/JIT.cpp:
(JSC::JIT::JIT):
* runtime/Options.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmTable.cpp:
(JSC::Wasm::Table::allocatedLength):
(JSC::Wasm::Table::setLength):
(JSC::Wasm::Table::create):
(JSC::Wasm::Table::Table):
(JSC::Wasm::Table::grow):
(JSC::Wasm::Table::clearFunction):
(JSC::Wasm::Table::setFunction):
* wasm/WasmTable.h:
(JSC::Wasm::Table::length const):
(JSC::Wasm::Table::offsetOfLength):
(JSC::Wasm::Table::offsetOfMask):
(JSC::Wasm::Table::mask const):
(JSC::Wasm::Table::isValidLength):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::JSWebAssemblyTable):
(JSC::JSWebAssemblyTable::visitChildren):
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::getFunction):
(JSC::JSWebAssemblyTable::clearFunction):
(JSC::JSWebAssemblyTable::setFunction):
* wasm/js/JSWebAssemblyTable.h:
(JSC::JSWebAssemblyTable::isValidLength):
(JSC::JSWebAssemblyTable::length const):
(JSC::JSWebAssemblyTable::allocatedLength const):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::evaluate):
* wasm/js/WebAssemblyTablePrototype.cpp:
(JSC::webAssemblyTableProtoFuncLength):
(JSC::webAssemblyTableProtoFuncGrow):
(JSC::webAssemblyTableProtoFuncGet):
(JSC::webAssemblyTableProtoFuncSet):
2018-01-08 Michael Saboff <msaboff@apple.com>
Add a DOM gadget for Spectre testing
https://bugs.webkit.org/show_bug.cgi?id=181351
Reviewed by Michael Saboff.
Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
Spectre mitigations.
* runtime/Options.h:
2018-01-08 Mark Lam <mark.lam@apple.com>
Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
https://bugs.webkit.org/show_bug.cgi?id=181403
<rdar://problem/36359789>
Rubber-stamped by JF Bastien.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::finalizeLLIntInlineCaches):
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::predictedMachineCodeSize):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::vm const):
(JSC::CodeBlock::addConstant):
(JSC::CodeBlock::heap const):
(JSC::CodeBlock::replaceConstant):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2018-01-07 Mark Lam <mark.lam@apple.com>
Apply poisoning to more pointers in JSC.
https://bugs.webkit.org/show_bug.cgi?id=181096
<rdar://problem/36182970>
Reviewed by JF Bastien.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::xorPtr):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::xor64):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::xor64):
- Add xorPtr implementation.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::inferredName const):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::visitWeakly):
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
(JSC::CodeBlock::finalizeLLIntInlineCaches):
(JSC::CodeBlock::finalizeBaselineJITInlineCaches):
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::predictedMachineCodeSize):
(JSC::CodeBlock::findPC):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
(JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
(JSC::CodeBlock::stubInfoBegin):
(JSC::CodeBlock::stubInfoEnd):
(JSC::CodeBlock::callLinkInfosBegin):
(JSC::CodeBlock::callLinkInfosEnd):
(JSC::CodeBlock::instructions):
(JSC::CodeBlock::instructions const):
(JSC::CodeBlock::vm const):
* dfg/DFGOSRExitCompilerCommon.h:
(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
* jit/JIT.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* parser/UnlinkedSourceCode.h:
* runtime/JSCPoison.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObject.h:
* runtime/JSScriptFetchParameters.h:
* runtime/JSScriptFetcher.h:
* runtime/StructureTransitionTable.h:
* wasm/js/JSWebAssemblyCodeBlock.cpp:
(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
(JSC::JSWebAssemblyCodeBlock::visitChildren):
(JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
* wasm/js/JSWebAssemblyCodeBlock.h:
2018-01-06 Yusuke Suzuki <utatane.tea@gmail.com>
Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
https://bugs.webkit.org/show_bug.cgi?id=181321
Reviewed by Saam Barati.
According to ECMA262 16.2[1], functions created using the bind method must not have
"caller" and "arguments" own properties.
[1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions
* runtime/JSBoundFunction.cpp:
(JSC::JSBoundFunction::finishCreation):
2018-01-05 JF Bastien <jfbastien@apple.com>
WebAssembly: poison JS object's secrets
https://bugs.webkit.org/show_bug.cgi?id=181339
<rdar://problem/36325001>
Reviewed by Mark Lam.
Separating WebAssembly's JS objects from their non-JS
implementation means that all interesting information lives
outside of the JS object itself. This patch poisons each JS
object's pointer to non-JS implementation using the poisoning
mechanism and a unique key per JS object type origin.
* runtime/JSCPoison.h:
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
object in a stack slot when fast TLS is disabled. This requires
that we unpoison the Wasm::Instance.
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
be explicit that the pointer is poisoned.
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.h:
2018-01-05 Michael Saboff <msaboff@apple.com>
Add ability to disable indexed property masking for testing
https://bugs.webkit.org/show_bug.cgi?id=181350
Reviewed by Keith Miller.
Made the masking of indexed properties runtime controllable via a new JSC::Option
named disableSpectreMitigations. This is done to test the efficacy of that mitigation.
The new option has a generic name as it will probably be used to disable future mitigations.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
(JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
* jit/JIT.cpp:
(JSC::JIT::JIT):
* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
* runtime/Options.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2018-01-05 Michael Saboff <msaboff@apple.com>
Allow JSC Config Files to set Restricted Options
https://bugs.webkit.org/show_bug.cgi?id=181352
Reviewed by Mark Lam.
* runtime/ConfigFile.cpp:
(JSC::ConfigFile::parse):
2018-01-04 Keith Miller <keith_miller@apple.com>
TypedArrays and Wasm should use index masking.
https://bugs.webkit.org/show_bug.cgi?id=181313
Reviewed by Michael Saboff.
We should have index masking for our TypedArray code in the
DFG/FTL and for Wasm when doing bounds checking. Index masking for
Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
WasmBoundsCheckValues we don't need to worry about combining a
bounds check for a load and a store. I went with fusing the
pointer masking in the WasmBoundsCheckValue since it should reduce
additional compiler overhead.
* b3/B3LowerToAir.cpp:
* b3/B3Validate.cpp:
* b3/B3WasmBoundsCheckValue.cpp:
(JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
(JSC::B3::WasmBoundsCheckValue::dumpMeta const):
* b3/B3WasmBoundsCheckValue.h:
(JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
* b3/air/AirCustom.h:
(JSC::B3::Air::WasmBoundsCheckCustom::generate):
* b3/testb3.cpp:
(JSC::B3::testWasmBoundsCheck):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayGetByVal):
* runtime/Butterfly.h:
(JSC::Butterfly::computeIndexingMask const):
(JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
(JSC::Wasm::B3IRGenerator::load):
(JSC::Wasm::B3IRGenerator::store):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::Memory):
(JSC::Wasm::Memory::grow):
* wasm/WasmMemory.h:
(JSC::Wasm::Memory::offsetOfIndexingMask):
* wasm/WasmMemoryInformation.cpp:
(JSC::Wasm::PinnedRegisterInfo::get):
(JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
* wasm/WasmMemoryInformation.h:
(JSC::Wasm::PinnedRegisterInfo::toSave const):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
2018-01-05 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r226434.
https://bugs.webkit.org/show_bug.cgi?id=181322
32bit JSC failure in x86 (Requested by yusukesuzuki on
#webkit).
Reverted changeset:
"[DFG] Unify ToNumber implementation in 32bit and 64bit by
changing 32bit Int32Tag and LowestTag"
https://bugs.webkit.org/show_bug.cgi?id=181134
https://trac.webkit.org/changeset/226434
2018-01-04 Devin Rousso <webkit@devinrousso.com>
Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
https://bugs.webkit.org/show_bug.cgi?id=180770
Reviewed by Joseph Pecoraro.
* inspector/protocol/Canvas.json:
2018-01-04 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r226405.
https://bugs.webkit.org/show_bug.cgi?id=181318
Speculative rollout due to Octane/SplayLatency,Octane/Splay
regressions (Requested by yusukesuzuki on #webkit).
Reverted changeset:
"[JSC] Create parallel SlotVisitors apriori"
https://bugs.webkit.org/show_bug.cgi?id=180907
https://trac.webkit.org/changeset/226405
2018-01-04 Saam Barati <sbarati@apple.com>
Do value profiling in to_this
https://bugs.webkit.org/show_bug.cgi?id=181299
Reviewed by Filip Pizlo.
This patch adds value profiling to to_this. We use the result of the value
profiling only for strict mode code when we don't predict that the input is
of a specific type. This helps when the input is SpecCellOther. Such cells
might implement a custom ToThis, which can produce an arbitrary result. Before
this patch, in prediction propagation, we were saying that a ToThis with a
SpecCellOther input also produced SpecCellOther. However, this is incorrect,
given that the input may implement ToThis that produces an arbitrary result.
This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.
Interestingly, this patch only does value profiling on the slow path. The fast
path of to_this in the LLInt/baseline just perform a structure check. If it
passes, the result is the same as the input. Therefore, doing value profiling
from the fast path wouldn't actually produce new information for the ValueProfile.
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeList.json:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitToThis):
* bytecompiler/BytecodeGenerator.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGPredictionPropagationPhase.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
https://bugs.webkit.org/show_bug.cgi?id=181134
Reviewed by Mark Lam.
We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
an additional scratch register. We do not want to allocate an unnecessary register in 64bit
implementation.
This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
`<= LowestTag(Int32Tag)`.
We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.
We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileDoubleRep):
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateMisc):
(JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
(JSC::DFG::SpeculativeJIT::compileToNumber):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::branchIfNotType):
(JSC::AssemblyHelpers::jitAssertIsJSNumber):
(JSC::AssemblyHelpers::emitConvertValueToBoolean):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfMisc):
(JSC::AssemblyHelpers::branchIfNotMisc):
(JSC::AssemblyHelpers::branchIfNumber):
(JSC::AssemblyHelpers::branchIfNotNumber):
(JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
(JSC::AssemblyHelpers::emitTypeOf):
* jit/JITAddGenerator.cpp:
(JSC::JITAddGenerator::generateFastPath):
* jit/JITArithmetic32_64.cpp:
(JSC::JIT::emitBinaryDoubleOp):
* jit/JITDivGenerator.cpp:
(JSC::JITDivGenerator::loadOperand):
* jit/JITMulGenerator.cpp:
(JSC::JITMulGenerator::generateInline):
(JSC::JITMulGenerator::generateFastPath):
* jit/JITNegGenerator.cpp:
(JSC::JITNegGenerator::generateInline):
(JSC::JITNegGenerator::generateFastPath):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_is_number):
(JSC::JIT::emit_op_jeq_null):
(JSC::JIT::emit_op_jneq_null):
(JSC::JIT::emit_op_to_number):
(JSC::JIT::emit_op_profile_type):
* jit/JITRightShiftGenerator.cpp:
(JSC::JITRightShiftGenerator::generateFastPath):
* jit/JITSubGenerator.cpp:
(JSC::JITSubGenerator::generateInline):
(JSC::JITSubGenerator::generateFastPath):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* runtime/JSCJSValue.h:
2018-01-04 JF Bastien <jfbastien@apple.com>
Add assembler support for x86 lfence and sfence
https://bugs.webkit.org/show_bug.cgi?id=181311
<rdar://problem/36301780>
Reviewed by Michael Saboff.
Useful for testing performance of serializing instructions (hint:
it's not good).
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::lfence):
(JSC::MacroAssemblerX86Common::sfence):
* assembler/X86Assembler.h:
(JSC::X86Assembler::lfence):
(JSC::X86Assembler::sfence):
2018-01-04 Saam Barati <sbarati@apple.com>
Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
https://bugs.webkit.org/show_bug.cgi?id=181296
Reviewed by Filip Pizlo.
Inside Speedometer's Ember test, there is a recompile loop like:
a: GetByVal(..., semanticOriginX)
b: SetLocal(Cell:@a, semanticOriginX)
where the cell check always fails. For reasons I didn't investigate, the
baseline JIT's value profiling doesn't accurately capture the GetByVal's
result.
However, when compiling this cell speculation check in the DFG, we get a null
MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
this IR pattern because both @a and @b have the same semantic origin. We
should not follow the same semantic origin heuristic when dealing with
SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
For this IR pattern, we will update the value profile for the semantic origin
for @nodeWithHeapPrediction. So, for the Speedometer example above, we
will correctly update the GetByVal's value profile, which will prevent
an OSR exit loop.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2018-01-04 Keith Miller <keith_miller@apple.com>
Array Storage operations sometimes did not update the indexing mask correctly.
https://bugs.webkit.org/show_bug.cgi?id=181301
Reviewed by Mark Lam.
I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::increaseVectorLength):
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Define defs for MapSet/SetAdd to participate in CSE
https://bugs.webkit.org/show_bug.cgi?id=179911
Reviewed by Saam Barati.
With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
To handle a bit tricky DFG Map operation nodes, MapSet and SetAdd
produce added bucket as its result. Subsequent GetMapBucket will
be removed by CSE.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSetAdd):
(JSC::DFG::SpeculativeJIT::compileMapSet):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
* jit/JITOperations.h:
* runtime/HashMapImpl.h:
(JSC::HashMapImpl::addNormalized):
(JSC::HashMapImpl::addNormalizedInternal):
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove LocalScope
https://bugs.webkit.org/show_bug.cgi?id=181206
Reviewed by Geoffrey Garen.
The last user of HandleStack and LocalScope is JSON. But MarkedArgumentBuffer is enough for their use.
This patch changes JSON parsing and stringifying to using MarkedArgumentBuffer. And remove HandleStack
and LocalScope.
We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack. So they can hold
JSObject* directly in their fields.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* heap/HandleStack.cpp: Removed.
* heap/HandleStack.h: Removed.
* heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* heap/Heap.h:
(JSC::Heap::handleSet):
(JSC::Heap::handleStack): Deleted.
* heap/Local.h: Removed.
* heap/LocalScope.h: Removed.
* runtime/JSONObject.cpp:
(JSC::Stringifier::Holder::object const):
(JSC::gap):
(JSC::Stringifier::Stringifier):
(JSC::Stringifier::stringify):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Stringifier::Holder::Holder):
(JSC::Stringifier::Holder::appendNextProperty):
(JSC::Walker::Walker):
(JSC::Walker::callReviver):
(JSC::Walker::walk):
(JSC::JSONProtoFuncParse):
(JSC::JSONProtoFuncStringify):
(JSC::JSONParse):
(JSC::JSONStringify):
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
https://bugs.webkit.org/show_bug.cgi?id=180238
Reviewed by Saam Barati.
We can optimize ObjectAllocationSinking a bit by using removeIf.
* dfg/DFGObjectAllocationSinkingPhase.cpp:
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Create parallel SlotVisitors apriori
https://bugs.webkit.org/show_bug.cgi?id=180907
Reviewed by Saam Barati.
The number of SlotVisitors are capped with the number of HeapHelperPool's threads + 2.
If we create these SlotVisitors apriori, we do not need to create SlotVisitors dynamically.
Then we do not need to grab locks while iterating all the SlotVisitors.
In addition, we do not need to consider the case that the number of SlotVisitors increases
after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
does not increase any more.
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::runBeginPhase):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::forEachSlotVisitor):
(JSC::Heap::numberOfSlotVisitors): Deleted.
* heap/MarkingConstraintSolver.cpp:
(JSC::MarkingConstraintSolver::didVisitSomething const):
2018-01-03 Ting-Wei Lan <lantw44@gmail.com>
Replace hard-coded paths in shebangs with #!/usr/bin/env
https://bugs.webkit.org/show_bug.cgi?id=181040
Reviewed by Alex Christensen.
* Scripts/UpdateContents.py:
* Scripts/cssmin.py:
* Scripts/generate-combined-inspector-json.py:
* Scripts/xxd.pl:
* create_hash_table:
* generate-bytecode-files:
* wasm/generateWasm.py:
* wasm/generateWasmOpsHeader.py:
* yarr/generateYarrCanonicalizeUnicode:
2018-01-03 Michael Saboff <msaboff@apple.com>
Disable SharedArrayBuffers from Web API
https://bugs.webkit.org/show_bug.cgi?id=181266
Reviewed by Saam Barati.
Removed SharedArrayBuffer prototype and structure from GlobalObject creation
to disable.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrayBufferPrototype const):
(JSC::JSGlobalObject::arrayBufferStructure const):
2018-01-03 Michael Saboff <msaboff@apple.com>
Add "noInline" to $vm
https://bugs.webkit.org/show_bug.cgi?id=181265
Reviewed by Mark Lam.
This would be useful for web based tests.
* tools/JSDollarVM.cpp:
(JSC::getExecutableForFunction):
(JSC::functionNoInline):
(JSC::JSDollarVM::finishCreation):
2018-01-03 Michael Saboff <msaboff@apple.com>
Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
https://bugs.webkit.org/show_bug.cgi?id=181263
Reviewed by Mark Lam.
Flushing the butterfly pointer provides no benefit and slows this function.
* tools/JSDollarVM.cpp:
(JSC::functionCpuClflush):
2018-01-03 Saam Barati <sbarati@apple.com>
Fix BytecodeParser op_catch assert to work with useProfiler=1
https://bugs.webkit.org/show_bug.cgi?id=181260
Reviewed by Keith Miller.
op_catch was asserting that the current block was empty. This is only true
if the profiler isn't enabled. When the profiler is enabled, we will
insert a CountExecution node before each bytecode. This patch fixes the
assert to work with the profiler.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
2018-01-03 Per Arne Vollan <pvollan@apple.com>
[Win][Debug] testapi link error.
https://bugs.webkit.org/show_bug.cgi?id=181247
<rdar://problem/36166729>
Reviewed by Brent Fulgham.
Do not set the runtime library compile flag for C files, it is already set to the correct value.
* shell/PlatformWin.cmake:
2018-01-03 Robin Morisset <rmorisset@apple.com>
Inlining of a function that ends in op_unreachable crashes
https://bugs.webkit.org/show_bug.cgi?id=181027
Reviewed by Filip Pizlo.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::allocateTargetableBlock):
(JSC::DFG::ByteCodeParser::inlineCall):
2018-01-02 Saam Barati <sbarati@apple.com>
Incorrect assertion inside AccessCase
https://bugs.webkit.org/show_bug.cgi?id=181200
<rdar://problem/35494754>
Reviewed by Yusuke Suzuki.
Consider a PutById compiled to a setter in a function like so:
```
function foo(o) { o.f = o; }
```
The DFG will often assign the same registers to the baseGPR (o in o.f) and the
valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
to the same register. However, we're asserting that they're not the same register.
This patch just removes this invalid assertion.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
2018-01-02 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
https://bugs.webkit.org/show_bug.cgi?id=175359
Reviewed by Yusuke Suzuki.
This patch is implementing BigIntConstructor and BigIntPrototype
following spec[1, 2]. As addition, we are also implementing BigIntObject
warapper to handle ToObject(v) abstract operation when "v" is a BigInt
primitive. With these classes, now it's possible to syntetize
BigInt.prototype and then call "toString", "valueOf" and
"toLocaleString" when the primitive is a BigInt.
BigIntConstructor exposes an API to parse other primitives such as
Number, Boolean and String to BigInt.
We decided to skip parseInt implementation, since it was removed from
spec.
[1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
[2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* jsc.cpp:
* runtime/BigIntConstructor.cpp: Added.
(JSC::BigIntConstructor::BigIntConstructor):
(JSC::BigIntConstructor::finishCreation):
(JSC::isSafeInteger):
(JSC::toBigInt):
(JSC::callBigIntConstructor):
(JSC::bigIntConstructorFuncAsUintN):
(JSC::bigIntConstructorFuncAsIntN):
* runtime/BigIntConstructor.h: Added.
(JSC::BigIntConstructor::create):
(JSC::BigIntConstructor::createStructure):
* runtime/BigIntObject.cpp: Added.
(JSC::BigIntObject::BigIntObject):
(JSC::BigIntObject::finishCreation):
(JSC::BigIntObject::toStringName):
(JSC::BigIntObject::defaultValue):
* runtime/BigIntObject.h: Added.
(JSC::BigIntObject::create):
(JSC::BigIntObject::internalValue const):
(JSC::BigIntObject::createStructure):
* runtime/BigIntPrototype.cpp: Added.
(JSC::BigIntPrototype::BigIntPrototype):
(JSC::BigIntPrototype::finishCreation):
(JSC::toThisBigIntValue):
(JSC::bigIntProtoFuncToString):
(JSC::bigIntProtoFuncToLocaleString):
(JSC::bigIntProtoFuncValueOf):
* runtime/BigIntPrototype.h: Added.
(JSC::BigIntPrototype::create):
(JSC::BigIntPrototype::createStructure):
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::initializeCollator):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::createFrom):
(JSC::JSBigInt::parseInt):
(JSC::JSBigInt::toObject const):
* runtime/JSBigInt.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::synthesizePrototype const):
* runtime/JSCPoisonedPtr.cpp:
* runtime/JSCell.cpp:
(JSC::JSCell::toObjectSlow const):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::bigIntPrototype const):
(JSC::JSGlobalObject::bigIntObjectStructure const):
* runtime/StructureCache.h:
* runtime/StructureInlines.h:
(JSC::prototypeForLookupPrimitiveImpl):
2018-01-02 Tim Horton <timothy_horton@apple.com>
Fix the MathCommon build with a recent compiler
https://bugs.webkit.org/show_bug.cgi?id=181216
Reviewed by Sam Weinig.
* runtime/MathCommon.cpp:
(JSC::fdlibmPow):
This cast drops the 'const' qualifier from the pointer to 'one',
but it doesn't have to, and it makes the compiler sad.
== Rolled over to ChangeLog-2018-01-01 ==